WPA Enterprise security at an actual Enterprise

October 14, 2007 at 3:04 pm 2 comments

I’m happy to announce that ZeroShell, which I’ve blogged about here, is now being used to authenticate WPA Enterprise security for approximately 30 users across about a dozen access points at my workplace. We’ve been using it for about three weeks now and we’re pretty happy with the results.

We were allowed to select ZeroShell for this because we could scrounge up a spare machine to run it on, the software itself was free, and lastly because this particular wireless network is one for consultants, and therefore only allows access to the Internet, not our internal corporate network. Had this been for our internal network, we almost certainly would have used a Windows AD controller, since our company is mainly a Windows shop.

As far as ZeroShell is concerned, there are only a few minor chinks in the armor, related to our implementation:

1. There can be only one! Admin user, that is. Only one person can be logged into the web interface as the Admin user at a time. If someone else signs in as Admin, the previous user is kicked out. This is particularly problematic if you have one department responsible for installing the certificates and setting up the laptops for the end-users (and setting their password at the same time), and another group responsible for general user maintenance. Which brings me to my second issue…

2. Roles and a Dynamic Admin Interface. If ZeroShell did allow multiple Admin users, it should also allow those admin users to have different roles and the web interface should change to reflect the role of the active user. For example, a Security department might be responsible for adding and deleting users, but nothing else, so the web interface should limit someone signed in with that role to those few web pages.

3. No User Expiration – If this were added, I’m sure our security department would love it. As it stands now, once a user is added, they have access, period. If possible, our security department would like to be able to set an expiration date on a user so that if the user attempts to log in beyond that date, it will fail as if the password is incorrect.
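To make the requested behaviour concrete, here is an added example (written for this post; it is not ZeroShell code and ZeroShell's user store and RADIUS module are not used) of how an expiry date can be folded into a credential check so that an expired account fails in exactly the same way as a wrong password. The user store, salt and passwords are constructed sample data; the salted PBKDF2 hashing and the constant-time comparison are assumptions about how a sensible implementation would store credentials.

```python
import hashlib
import hmac
from datetime import date


def _hash(password: str, salt: bytes) -> bytes:
    """Constructed PBKDF2-HMAC-SHA256 password hash (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: one account with no expiry and one that
# expires at the end of October 2007. A real store would use a per-user salt.
SALT = b"constructed-fixed-salt"
USERS = {
    "consultant1": {"salt": SALT, "hash": _hash("correct horse", SALT), "expires": None},
    "consultant2": {"salt": SALT, "hash": _hash("battery staple", SALT),
                    "expires": date(2007, 10, 31)},
}

# Dummy record so an unknown username costs the same hash work as a real one.
_DUMMY = {"salt": SALT, "hash": _hash("", SALT), "expires": None}


def authenticate(username: str, password: str, today: date, users=USERS) -> bool:
    """Return True only for a correct password on a non-expired account.

    Unknown user, wrong password and expired account all yield the same bare
    False, so a front end such as a RADIUS server sends an identical
    Access-Reject and the client cannot tell which condition tripped.
    """
    rec = users.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    expires = rec["expires"]
    not_expired = expires is None or today <= expires
    # Combine the checks only after both have been evaluated, so the expiry
    # test never short-circuits the (comparatively slow) hash comparison.
    return (username in users) and password_ok and not_expired


if __name__ == "__main__":
    for user, pw, day in [
        ("consultant1", "correct horse", date(2007, 10, 14)),   # valid
        ("consultant2", "battery staple", date(2007, 10, 14)),  # valid, before expiry
        ("consultant2", "battery staple", date(2007, 11, 1)),   # expired
        ("consultant1", "wrong", date(2007, 10, 14)),           # bad password
    ]:
        print(user, day, "->", "accept" if authenticate(user, pw, day) else "reject")
```

The point of returning a single boolean (and logging the real reason only on the server side) is the behaviour asked for above: from the wireless client's side an expired consultant account is indistinguishable from a mistyped password.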

Now, in a small business network, issues #1 and #2 are probably not issues to be concerned with since there may only be one or two technical/security people in the entire company, but in a large corporate environment, I think these issues will make ZeroShell a much less attractive option. Item #2 sounds particularly difficult to add to ZeroShell. But, I know it can be done. I added this very feature to Monowall back about two years ago (when we were looking to add Monowall to our network initially). Now, my addition did not perform locking to make sure that two people weren’t editing the same user, etc. at the same time, but it gets the job done.

Here’s one other issue with ZeroShell:

Captive Portal login page cannot be customized via the web interface beyond the title of the page, the “powered by” line, and a picture. I didn’t see anywhere to put any sort of TOS language, as required by our legal department. Now, technically, I’ve read on the forum that you can actually go into the raw ISO image and edit the captive portal page, but that’s not practical for most end users. It also makes upgrading to the latest version a major pain, since you’d have to reapply your changes and hope you don’t break anything in the process.

In fact, if ZeroShell corrected the above issues, we could use it to replace our Captive Portal for this network (currently, Monowall). ZeroShell has all the other features we need (DHCP, DNS, Firewall). The biggest downside is that the ZeroShell interface isn’t as easy to use as Monowall.


Entry filed under: Networking.


2 Comments

  • 1. ihba33  |  April 18, 2011 at 10:12 am

    There are several documents by lots of people on the ZeroShell website. What is your name?

    • 2. ptaylor  |  April 18, 2011 at 7:04 pm

      My name is Paul Taylor. Mine isn’t the only document showing this now, but the last time I looked, I still thought it was the best. I might be biased, though. 🙂
