Quarter Life Crisis

The world according to Sven-S. Porst


802.1X


I’m writing this because I suspect that quite a few of my readers are knowledgeable when it comes to technical stuff and I could do with some technical advice. Need for this advice arises because there are some upcoming changes in our university’s wireless network which will render our current equipment useless. Unfortunately, most of the technically knowledgeable people that I know in person couldn’t help me with this as they (a) don’t know enough or (b) don’t admit they don’t know enough. Particularly the type (b) people are a waste of time as I’ll essentially have to explain all the details, some of which I don’t know precisely, and then learn that they don’t really know anything helpful… To avoid this, I’m trying to put all the relevant things that I know of down here.

Our current network

To begin with, let me describe the current situation: My flatmates and I use our university’s wireless network from home. To receive its weak signal from a 500m distance we installed an external antenna with a line-of-sight connection to the house where the university’s antenna lives. There’s a hellishly expensive little cable going from it to a Linksys WET-11 wireless-to-ethernet bridge – which in turn has its antenna going into a wireless network router that distributes the signal around in our flat.

On the software side we have the router set up to give us a 192.168… network within the flat while the devices have a 10.100… IP address on the university WLAN. Our internal WLAN is also running some level of WEP encryption, while the university’s doesn’t. However, every connection on the university’s WLAN has to be made through a Cisco VPN connection, so this is said to be quite safe as well. In this model every end user runs his own VPN connection on his own account and thus even in our situation it will be completely clear which user initiated which connection (e.g. when people start clogging the wireless network with P2P file sharing apps or viruses, their accounts will simply be deactivated).

The whole thing could be depicted like this:

Diagram of the network connections

where the little operating system CDs are our various computers and I consider everything with a yellow background mostly irrelevant for the problem I have as it’d also exist if I connected my computer directly to the bridge. So I won’t mention those things anymore – it’s just that I’ve had many people ask about them…

Changes

While changes are often good, even in the world of computers, they often cause problems. And that’s exactly what’s happening for us here. The change that is going to happen is that the Cisco VPN solution will be abandoned and instead the 802.1X protocol will be used.

Now, as far as I can tell, the 802.1X thing is essentially a good idea for security. Whenever you want to open a connection to the network, your computer will have to authenticate itself for it. In particular it means that nobody will be allowed to initiate connections on the network with that system, whereas so far everybody was able to connect to the network and open connections to the VPN server. That’s probably a good thing. Even better, it means that we don’t have to use the Cisco VPN client anymore which, as everybody who has used it before will confirm, is a good thing.

In particular, when connecting to the network directly with your Mac, you should be able to connect to such networks right away after carefully checking out the many things that the Internet Connect application can do:

Screenshot of Internet Connect's 802.1X tab

[Do you have any idea how to remove network types from the window’s toolbar, btw?]

But while it looks as if the new network setup will vastly improve the situation for people who connect their computer directly to the network, it’s quite a problem for us: when the connection is established directly from the computer, the computer can also handle the necessary bits of authentication. Our wireless-to-wired network bridge, however, can’t do this.

What to do?

In principle I see a number of options which could solve our problem, i.e. connecting a whole network of computers to an 802.1X managed wireless network through a single antenna. The solutions I see are

  1. Upgrade the bridge’s firmware to handle the authentication.
  2. Buy another bridge that can do the 802.1X stuff.
  3. Set up a server computer that is connected to the antenna and handles the 802.1X stuff in software.
  4. Order DSL.

I’d like to attach a few remarks to each of these solutions.

  1. Upgrade the bridge’s firmware: This bridge is quite crappy, particularly its software which likes crashing. While the software in the device can be updated, an update including 802.1X capabilities doesn’t seem to exist and it doesn’t seem likely that it will come into existence.
  2. Buy another bridge: While I’d be annoyed to not be able to use our existing bridge anymore after less than a year, comparing its cost to that of a DSL connection means that buying another one may be a viable option. But does such a device exist at all? From what I’ve heard, both the standard bridges, i.e. Linksys’ and D-Link’s, don’t offer 802.1X support. Does anybody know about a bridge that’s up to the job?
  3. Set up a server computer: This is the solution that all the ‘technical’ people recommend. I am a bit hesitant to go for it. The server computer would have to be some cheap Linux box, i.e. someone’s old computer. Those things tend to be rather ugly, large and loud. And having one of them in our kitchen – where the external antenna is – might be annoying. Assuming we could get such a machine, how likely is it that I can just throw in a Knoppix (or other) CD and it will ‘just work’? In particular, work with a wireless networking card, have support for the 802.1X stuff without too much effort and be easy enough to set up to do all the necessary things. And, to keep track of the costs, how much power does such a machine typically consume? 50W? [Of course this option would open lots of other time-wasting possibilities such as having an iTunes server for everyone or connecting it to the TV…]
  4. Order DSL: This appears to be the technically least cool solution but it may be the most reliable and stress-free one. As far as I can tell, a full-blown DSL connection will set us back around €50 per month and be trivial to set up.

In case you know one thing or another about networks and the feasibility of the solutions I mention – or if you know about altogether different ways to tackle this, please let me know.
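For option 3, the piece of software that does the 802.1X work on a Linux box is the supplicant; the following wpa_supplicant configuration is an added example, not part of the post, and it assumes a WPA-Enterprise network using EAP-PEAP with MSCHAPv2 (the post doesn’t say which EAP method the university uses), with the SSID, account name, RADIUS server name and CA certificate path as placeholders.

```conf
# /etc/wpa_supplicant.conf on the Linux box that would replace the WET-11.
# Added example: EAP method, SSID, identity and certificate details are
# assumptions, not taken from the post or the university's documentation.
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

network={
    ssid="UNI-WLAN"                      # placeholder: the university's SSID

    # 802.1X/EAP replaces the Cisco VPN as the thing that identifies the user.
    # If the network still runs 802.1X with dynamic WEP instead of WPA,
    # use key_mgmt=IEEE8021X here instead.
    key_mgmt=WPA-EAP
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"

    # One person's university account; every packet from the flat will be
    # attributed to this account, just as with the single VPN login before.
    identity="user@uni.example"          # placeholder
    password="changeme-placeholder"      # keep this file readable by root only

    # Verify the RADIUS server's certificate. Without ca_cert the box would
    # hand the account password to any access point that answers with the
    # right SSID, because PEAP only protects the password inside the TLS tunnel.
    ca_cert="/etc/ssl/certs/uni-ca.pem"  # placeholder path
    domain_suffix_match="radius.uni.example"  # placeholder server name
}
```

After a successful authentication only the box’s wireless interface holds a 10.100… address, because the access point authenticated exactly one supplicant; the flat’s 192.168… computers therefore sit behind the box, which also has to forward and masquerade their traffic towards the wireless interface.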

February 1, 2005, 0:37

Comments

Comment by d.w.:

I don’t know what your budget is, but if you go with option 3, a box like this will be quiet, small, and won’t use a lot of electricity. A Mac mini might be even more fun in that context. :)

I will admit to being completely ignorant of 802.1x. We just use PPTP (hack, ptui!) and ssh tunnels at the office.

February 1, 2005, 22:50

Comment by ssp:

Whatever happens, we’re going to keep this as low budget as possible. Which most likely means taking someone’s old computer or none. There seem to be so many useless old PCs around anyway which should be more than up to the job. As a matter of principle I’d like to not spend any money for the profit of Wintel companies.

I would’ve quite liked to use my SE for this. At least it’s not dead ugly. But there’s neither WLAN hardware nor software for it, so that’s out of the question. Judging from what a friend says, his Newton can take 2 PCMCIA cards and people have written WLAN drivers for it… so in theory even that toy might be up for the job and reasonably good looking… but that’d be even more expensive, I suspect, and not exactly a plug and play solution either ;)

I have no idea about power consumption though. My Powerbook doesn’t need a lot and my old LC III didn’t use too much either. But how much do standard DOS systems use? I’ve got no idea. The numbers they give for processors look horrendous but the processor would be idling most of the time. So how much power do these machines use in reality? 50W? 100W?

February 2, 2005, 2:29

Comment by d.w.:

I wish I had actual numbers for you. I can tell you that even this reasonably modern Dell laptop (employer paid for it, I sure wouldn’t have) is an absolute furnace, and only gets 2 hours on a full battery charge (as compared to 4-5 hours from a current-model Powerbook). The minute I start doing anything reasonably compute-intensive on it, the CPU heats up over 60C and the fan starts to sound like a WWI biplane starting up. Intel chips are notorious power-sucking heat pumps.

February 2, 2005, 21:55
