Using PPPoE to secure Wireless LANs?

Hello,

I'm not sure if anyone on this list is aware of a recent Slashdot post:

http://ask.slashdot.org/askslashdot/02/12/01/2333218.shtml?tid=172

It was intriguing enough for me to start pursuing the same solution, and I believe to have pieced together most of what is necessary (and share mostly the same doubts).

For those of you not able to follow the link, the original poster is considering securing a WLAN using PPPoE, and had come across the following issues (annotated by myself between []):

---begin quote---

Advantages:
- Totally platform, NIC and AP independent - you can use any NIC, any
OS, any access points.
- No IP addresses required on the PPPoE server or the APs - no DHCP, no
nothing, so there is no easy way to have access without establishing a PPPoE session.
- Built-in crypto per session - using CHAP for auth and MPPE for data
encryption.

[This is where I start having doubts. I understand CHAP is still relatively secure, but MPPE seems to have a number of serious detractors - who, however, make a lot of loud noises and fail to present hard evidence of it having ever been broken. Is there any proof that MPPE is insecure? I can deal with the crypto - I guess. Been a long time since school...]

• No client/proprietary auth software required on Windows XP (around 40 of my users, and the ones that will actually use this)

Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related ipsec.org Links pppoe Request more information about Pantek

[I have around twice this number of users, and if managing WEP for them
- changing keys every month - is a nightmare, 802.1x and a bunch of new
stuff is daunting, to say the least...]

• Full session control (IP address assignments, traffic accounting, sessions only allowed during office hours, etc.), same as any remote access server.

[I like this bit. I have to manage a number of dial-up accesses, and integrating the lot would be great.]

• Cheap (server packages available for Linux and FreeBSD, any box can take the load)

[I've read through this mailing list's archives and seen the numerous "look at our products" replies. Please refrain from saying anything of the sort just yet - I'd like some unbiased discussion first :)]

• No proprietary IPSec tricks required - yes, I've considered it as an option, but remember, my users are Windows users, and PPPoE has the advantage of removing all IP addresses from the WLAN segment.

[I'm considering VPN/PPTP myself, but IPSec seems to be the standard offer from most vendors]

Disadvantages:

• No PPPoE clients for PDAs (yet)
• No published HOWTOs on PPPoE server setup under Linux (plenty of DSL/PPPoE client info and at least one HOWTO for FreeBSD, but since PPPoE servers are mostly commercial products, no one wants to give away info for free)

[I share this guy's lack of general info, if only for testing. There is not a single comprehensive HOWTO in sight that an overworked sysadmin can step through on a pair of spare boxes over lunch...]

• MPPE encryption has some religious detractors (but it works fine for 98% of my users - the 49- strong Windows laptop crowd - and totally removes the need for WEP key management)

[Again, no strong evidence _for_ MPPE, but none of the replies on Slashdot was really useful _against_ it - just the usual 'google for it' replies...]

• Rogue PPPoE Servers - not really an issue if you can filter PPPoE frames on the radio interface - and I can, so you need wired access to set up one - but I'd like to know people's opinions on whether this is more than an urban myth fanned by 802.1x proponents.

[Now this is the interesting bit. Cisco access points seem (at least on paper) to be able to do this - i.e., filter out PPPoE server replies on ingress upon the radio interface, so I'm guessing this guy has Cisco equipment]

• Freeloaders can still use the WLAN (even though there are no IP addresses) as a bridged segment (but I can sniff on the PPPoE server interface and/or poll every AP and kick out/ban any MAC addresses without an established PPPoE session - so MAC spoofing is of very limited use).

Do you need more help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related ipsec.org Links pppoe Request more information about Pantek

[A nice, even if somewhat fallible and hardware-dependent way to kick out freeloaders]

---end quote---

Now, the more I think about it, the only real issues here seem to be related to MPPE security (assuming filtering out rogue PPPoE servers works, something I might actually be able to test on a spare Cisco 350 AP. But then, this is the PPPoE list, and you guys are the experts, and that's why I came here.

Can anyone point me to any sort of discussion regarding PPPoE security issues? Surely the vendors on this list have done some work on this (and this is where replies like "we do it this way because"... are vastly more useful than "come look at our stuff")?

Thanks for any pointers,

Rui Carmo Received on Mon Dec 2 17:58:12 2002