If you're entering the Wi-Fi world and concerned about security or session accounting, take a good look at the ORiNOCO AS-2000. This platform overcomes wireless administration, security, and accounting issues by leveraging existing elements of your network.
Wi-Fi 802.11b and public Internet access appears to be a strong marriage of business opportunity and enabling technology. Today, corporate road warriors passing through airports, convention centers, and hotels wrestle with public PCs, cramped Internet kiosks, and painfully slow cellular uplinks. Wi-Fi promises convenient, high-speed, pay-as-you-go Internet access from your own seat, your own laptop.
However, today's standard Wi-Fi recipe lacks a key ingredient: the ability to reliably control and meter access. ORiNOCO AS-2000 satisfies that need by letting wireless ISPs (WISPs) apply traditional dial-up authentication and accounting to Wi-Fi network access.
Getting On The Air
The AS-2000 story really begins with Agere ORiNOCO wireless network interface cards (NICs). These WECA-certified radio cards operate in the 2.4 GHz band, supporting the IEEE 802.11b High Rate standard. Auto-rate selection enables transmission at 11, 5.5, 2 and 1 Mbps.
We installed a half dozen ORiNOCO PC cards in our lab, evaluating compatibility with a variety of platforms. We inserted PC cards into a pair of laptops with PCMCIA Type II slots. We outfitted four desktops by slipping PC cards into ORiNOCO ISA and PCI adapters. Desktop users should consider ORiNOCO's new USB card (not tested).
Installing ORiNOCO cards went well on plug and play operating systems (Windows 95, ME, 2000 Pro). When prompted by discovery, just locate the driver for your OS on the supplied CD. For ISA and PCI adapters, PCMCIA services must be installed first. On each desktop, we had to overcome at least one PCMCIA hiccup. Our advice: follow instructions precisely. For example, ISA adapters must be installed with the PC card inserted, PCI adapters with the PC card absent.
Installing ORiNOCO cards under Windows NT proved to be painful. It took several re-installs to achieve success on an NT4 SP5 Workstation laptop. We eventually gave up on an NT4 SP4 Server desktop. With the PCI adapter installed, this Server threw a bluescreen exception at boot. With the ISA adapter, we got further, but not much. NT crankiness was no big surprise, but we'd like to see better troubleshooting help, FAQs, and tech support for this platform.
ORiNOCO setup covers physical installation, but not network addressing. In fact, network settings for the ORiNOCO NIC are ignored by the AS-2000. Configuring a static IP can avoid startup delay due to DHCP. Drivers are also available for MacOS (untested).
Before, Not After
ORiNOCO Client Manager software must be installed separately, before card installation. Client Manager launches at startup, indicating signal strength with a system tray icon. It is responsible for two functions: configuration and testing/monitoring.
Client Manager is used to create and edit profiles that define network name (SSID) and mode of operation. In peer-to-peer mode, wireless NICs communicate directly, for example PCs that share a printer. In infrastructure mode, wireless NICs join a basic service set, communicating through a base station. The base station can be a residential gateway like the ORiNOCO RG-1000, enabling shared Internet access over DSL or cable. Or it can be an access point like the ORiNOCO AP-500, bridging enterprise wireless and wired LANs. Or it can be a server like the ORiNOCO AS-2000, enabling authenticated wired network access by wireless NICs.
In Infrastructure mode, several options can be customized. Distance, power level, interference robustness, and RTS/CTS reservation can be tweaked to improve performance. Like any NIC, ORiNOCO cards ship with a factory-burned MAC address. But this universal address can be superseded by a locally administered address, configured with the Client Manager. If you're planning to apply MAC-level access control, use the universal/local bit (the second least significant bit, 0x02, of the first address octet, which is set on locally administered addresses) to differentiate configured local addresses from factory-assigned universal ones. Keep in mind that a filter keyed on an address the user can change in Client Manager is a weak control on its own.
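As an added illustration (not ORiNOCO code), here is how a MAC-level filter could use that bit in Python: it normalizes the address, rejects group and locally administered addresses, and only then consults an allowlist. The allowlist entries are constructed for the example.

```python
import re

# Constructed station allowlist for a hypothetical MAC-level ACL; the addresses
# are made up for this example and are not from the review.
ALLOWED_MACS = {"00:02:2d:1a:2b:3c", "00:02:2d:4d:5e:6f"}

_OCTET = r"([0-9a-f]{2})"
_MAC_RE = re.compile("^" + "[:-]?".join([_OCTET] * 6) + "$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return lower-case colon form."""
    m = _MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(m.groups())


def first_octet(mac):
    return int(normalize_mac(mac)[:2], 16)


def is_multicast(mac):
    """Bit 0x01 of the first octet: individual (0) or group (1) address."""
    return bool(first_octet(mac) & 0x01)


def is_locally_administered(mac):
    """Bit 0x02 of the first octet: universal, factory-burned (0) or locally administered (1)."""
    return bool(first_octet(mac) & 0x02)


def acl_decision(mac, allowed=ALLOWED_MACS):
    """Policy: admit only factory-assigned unicast addresses that are on the allowlist."""
    mac = normalize_mac(mac)
    if is_multicast(mac):
        return "reject: group address, not a station"
    if is_locally_administered(mac):
        return "reject: locally administered address (set by the user, not the factory)"
    if mac not in allowed:
        return "reject: unknown station"
    return "accept"
```

Because the Client Manager lets a user set an arbitrary local address, the filter only raises the bar for a casual user; it does not authenticate anyone, which is the job the AS-2000 hands to RADIUS later in the review.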
Radio transmissions are easily sniffed. To reduce this risk, ORiNOCO Silver cards provide RC4 encryption with 64-bit keys. Gold cards raise the bar with 128-bit keys. (Those figures include WEP's 24-bit initialization vector, so the secret portion is 40 or 104 bits; that is why the key you type on a Silver card is five characters.) In peer-to-peer mode, encryption is off by default. To enable it, configure matching five-character keys into each NIC.
The 802.11b Wired Equivalent Privacy (WEP) scheme has been widely criticized, and the IEEE is working on WEP2 to address known flaws. Most of the ruckus relates to encryption keys. WEP uses a per-frame initialization vector (IV) of only 24 bits, so on a busy network IVs repeat within hours; once two frames share an IV under the same key, they are encrypted with the same RC4 keystream, the XOR of the ciphertexts reveals the XOR of the plaintexts, and an attacker has a foothold for key cracking. Furthermore, WEP does not define a method for key distribution. When keys are configured manually as described above, the same transmit key tends to be used by many NICs for a long time, creating a large window of opportunity for analysis and exploitation.
Agere argues that WEP is a sufficient deterrent in some environments, and that SSL or IPsec can be applied at a higher layer when strong encryption is required. Agere will support more robust 802.11 encryption standards when available. In the meantime, Agere has taken proprietary steps to support enhanced security in Infrastructure mode.
Whenever an ORiNOCO card "associates" with an AS-2000, the Diffie-Hellman algorithm is used to generate a unique pair of session keys, known only to these two parties. The keys initialize a stateful RC4 engine, one per direction, so the keystream runs continuously across frames instead of being re-initialized for every frame from a short IV. Even if a key were compromised, the breach would be limited to one direction of just one session. Agere's approach circumvents the biggest WEP pitfall and eliminates the administrative hassle of manual key management. One caveat: a Diffie-Hellman exchange on its own defeats only passive eavesdropping, and the review does not describe how the client verifies that the party it is keying with is the genuine AS-2000.
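To make the difference between the two designs concrete, here is an added Python example; it is not Agere or ORiNOCO code, and the review gives no internals of their RC4 engine. A small RC4 is first driven WEP-style, re-keyed per frame with a 24-bit IV prepended to a constructed five-character key, which shows the keystream-reuse leak described above; it is then run as one stateful stream per direction, keyed once for the session, as the previous paragraph describes. Key, IV and frame contents are made up, the CRC-32 ICV of real WEP is omitted, and the Diffie-Hellman exchange is not modelled (the session keys are simply assumed to be in place).

```python
def rc4_ksa(key):
    """RC4 key scheduling: permute S under the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


class RC4:
    """Stateful RC4 engine: the keystream continues where the previous call left off."""

    def __init__(self, key):
        self.S = rc4_ksa(bytes(key))
        self.i = self.j = 0

    def crypt(self, data):
        S, i, j, out = self.S, self.i, self.j, bytearray()
        for b in data:
            i = (i + 1) & 0xFF
            j = (j + S[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
            out.append(b ^ S[(S[i] + S[j]) & 0xFF])
        self.i, self.j = i, j
        return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- WEP-style: RC4 re-keyed for every frame with IV || key, IV sent in the clear ---
# (the CRC-32 ICV that real WEP appends is omitted; it does not change the keystream issue)

IV_BITS = 24


def wep_encrypt(key, iv, plaintext):
    assert len(iv) == IV_BITS // 8
    return iv + RC4(iv + key).crypt(plaintext)


def keystream_reuse_leak(frame1, frame2):
    """Two frames under the same key and IV share a keystream, so C1 ^ C2 == P1 ^ P2."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


def recover_keystream(frame, known_plaintext):
    """Known plaintext for one frame yields the keystream for every frame with that IV."""
    return xor(frame[3:], known_plaintext)


def decrypt_with_keystream(frame, keystream):
    return xor(frame[3:], keystream)


def iv_exhaustion_seconds(frames_per_second):
    """Seconds until a station must repeat an IV, even with perfect IV selection."""
    return (2 ** IV_BITS) / frames_per_second


# --- Session-style: keyed once per association, one continuous stream per direction ---

class SessionChannel:
    """Model of the per-session scheme: no IV on the air and no per-frame re-keying."""

    def __init__(self, tx_key, rx_key):
        self.tx = RC4(tx_key)
        self.rx = RC4(rx_key)

    def send(self, plaintext):
        return self.tx.crypt(plaintext)

    def receive(self, ciphertext):
        return self.rx.crypt(ciphertext)
```

With the WEP-style functions, encrypting the same plaintext twice under one IV gives identical ciphertext, and one known frame (an HTTP request line, say) decrypts every other frame sent with that IV; at 1000 frames per second the whole IV space is used up in under five hours. With SessionChannel the same plaintext sent twice produces different ciphertext because the stream never restarts, and the receiver must consume frames in order, which is the price of a stateful stream over a lossy radio link.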
For public Internet access, this proves to be a double-edged sword. On one hand, users are now limited to ORiNOCO NICs. On the other hand, an important barrier has been lifted. Students casually surfing the web at the local cafe might not care about encryption; cleartext or WEP may be fine. But imagine the potential value of data gathered by eavesdropping on a Silicon Valley hotel WLAN. The AS-2000 is a good fit where stronger protection is required.
Wi-Fi is a broadcast medium. To join in, a wireless NIC must be within range of the access point or peer station. This brings us to the other function of the ORiNOCO Client Manager: monitoring and testing.
A Card Check panel verifies hardware/firmware compatibility and integrity. A Link Test panel evaluates quality of communication between this NIC and a test partner. Other NICs broadcasting with the same network name are automatically discovered; potential test partners are identified by computer name and MAC. A Site Monitor panel displays base station availability. All results are presented graphically and can be logged on demand or at intervals.
When problems are detected, the Client Manager offers advice. In many cases, the advice is specific and helpful: for example, configure matching keys, or reduce the transmit rate. In other situations, the advice amounts to a virtual shrug of the shoulders: check IRQ, move NIC, add range extender antenna.
Earlier this year, we had a disappointing experience with another vendor's residential gateway, where communication was poor just one wall and ten feet away from the base. With ORiNOCO, we had much better luck. According to specs, 11 Mbps should be possible up to 525 feet in an open office or 80 feet in a closed office. 1 Mbps ranges are 1750 and 165 feet, respectively. So, how did we fare?
On a green-yellow-red scale, quality was green 50 feet and two floors away, dropping to yellow when shielded by enclosed desk, steel beam, or air duct. Strength, measured on a five bar scale, dropped from 5 to 3 at that distance. Because rates were adjusted automatically and Internet bandwidth was our constraint, signal degradation was not that noticeable to the user.
Of course, we only had a handful of NICs competing for attention from our base station. According to specs, the AS-2000 can handle 250 clients per AS radio card. That is, 500 clients when both AS-2000 slots are filled. In the field, Agere technical support typically sees 30-40 clients per AS radio card.
Installing ORiNOCO cards, drivers, and Client Manager software creates your WLAN. The WLAN is then bridged to a wired network to route traffic to the public Internet. The AS-2000 does this by layering PPP on top of Wi-Fi, communicating with an AS Client.
AS Client software essentially binds Windows dial-up networking or RRAS to the ORiNOCO NIC. The AS Client associates with an AS-2000, creating an unauthenticated cleartext channel. (ORiNOCO uses null "Open System" authentication at the link level.) To initiate PPP-over-802.11b, the user launches the AS Client, entering his username and password.
The AS Client uses the cleartext channel to send a PPP connection request. The AS-2000 responds, and the two parties use Diffie-Hellman to generate session keys. The AS Client uses this now-encrypted channel to send a PPP LCP configure request, eliciting a CHAP challenge from the AS-2000.
The AS-2000 wraps the AS Client's challenge response inside a RADIUS Access-Request message and relays it to a RADIUS server on the wired network. The RADIUS server accepts or rejects the client by recomputing the expected response from the password it holds for that username and comparing it with the one supplied; the password itself never crosses the air. The AS-2000 relays the outcome to the AS Client, completing CHAP authentication. If successful, the AS Client gains authenticated, encrypted access to the wired network.
RADIUS servers record session accounting information and can enforce concurrency limits or session timeouts. By integrating RADIUS, the AS-2000 gives a wireless ISP a familiar infrastructure to meter and charge for service. One might configure prepaid accounts; for example, a hotel guest purchases a 5-hour login, and uses it to access the Internet during his stay. Universities might create student accounts for use in dorms or classrooms. Private enterprise network access can also be supported by the AS-2000, using RADIUS accounting for chargeback or audit.
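The CHAP-over-RADIUS exchange of the last three paragraphs, as an added Python example with both sides' messages built as real packet bytes; it is not Agere code, and the review does not show packet contents. The CHAP response follows RFC 1994 and the Access-Request, Access-Accept/Reject and Response Authenticator follow RFC 2865. The shared secret, the prepaid guest account and its 5-hour Session-Timeout are constructed; that the AS-2000 carries the challenge in a CHAP-Challenge attribute (rather than the RFC 2865 fallback of using the Request Authenticator as the challenge) is an assumption; accounting packets are not modelled.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865; CHAP with MD5 from RFC 1994.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_SESSION_TIMEOUT, ATTR_CHAP_CHALLENGE = 1, 3, 27, 60

# Constructed for this example: the NAS/RADIUS shared secret and a prepaid 5-hour guest account.
RADIUS_SECRET = b"nas-shared-secret"
USER_DB = {"guest42": {"password": b"5hourpass", "session_timeout": 5 * 3600}}


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP/MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


# --- AS-2000 (NAS) side: wrap the client's CHAP response in an Access-Request ---

def nas_access_request(username, chap_ident, challenge, response, radius_ident):
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_CHAP_PASSWORD, bytes([chap_ident]) + response),
             (ATTR_CHAP_CHALLENGE, challenge)]  # assumption: challenge carried explicitly
    return build_packet(ACCESS_REQUEST, radius_ident, request_auth, attrs), request_auth


def nas_check_reply(reply, request_auth, secret=RADIUS_SECRET):
    """Return (authentic, accepted, session_timeout); authentic means made with our shared secret."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(resp_auth, expected):
        return False, False, None
    timeout = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ATTR_SESSION_TIMEOUT), None)
    return True, code == ACCESS_ACCEPT, timeout


# --- RADIUS server side: recompute the CHAP response from the stored password ---

def radius_server(pkt, secret=RADIUS_SECRET, users=USER_DB):
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    username = a[ATTR_USER_NAME].decode()
    chap_ident, response = a[ATTR_CHAP_PASSWORD][0], a[ATTR_CHAP_PASSWORD][1:]
    challenge = a.get(ATTR_CHAP_CHALLENGE, request_auth)  # RFC 2865: else Request Authenticator is the challenge
    user = users.get(username)
    expected = chap_response(chap_ident, user["password"], challenge) if user else b""
    if user and hmac.compare_digest(expected, response):
        reply_code = ACCESS_ACCEPT
        reply_attrs = [(ATTR_SESSION_TIMEOUT, struct.pack("!I", user["session_timeout"]))]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, []
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


# --- End to end, in the order the review describes ---

def authenticate(username, password, radius_ident=7):
    chap_ident, challenge = 1, os.urandom(16)                  # AS-2000 challenges over the PPP link
    response = chap_response(chap_ident, password, challenge)  # AS Client answers; password stays local
    request, request_auth = nas_access_request(username, chap_ident, challenge, response, radius_ident)
    reply = radius_server(request)                             # crosses the wired network in real life
    return nas_check_reply(reply, request_auth)
```

Two details matter for a WISP deployment. The NAS must check the Response Authenticator against the shared secret, otherwise anyone who can inject UDP toward the AS-2000 can mint an Access-Accept; and the Session-Timeout attribute in the Accept is what turns a prepaid 5-hour account into an enforced limit rather than a billing note.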
This article was originally published on Thursday Aug 23rd 2001
Not Quite Plug 'N Play
The promise of wireless public access cannot be fully realized without plug and play. An enterprise or university can widely install ORiNOCO NICs and AS Client software, creating a ubiquitous platform. But hotel, conference, or airport visitors may resist installing a "rental NIC". They might accept one if the associated software installed and uninstalled cleanly with the click of a button, but ORiNOCO isn't there quite yet.
PC card, PCMCIA, Client Manager, and AS Client software are now installed separately. Agere plans to integrate these ordered steps under an umbrella setup program in a future release, simplifying installation. Agere also hopes to have the AS Client recognize and work with other-vendor NICs when standard object identifiers enable this.
On Windows 95 and ME, AS Client 2.00 installation was almost trouble-free. The AS Client played nicely with our ZoneAlarm desktop firewall and Ashley-Laurent VPN client. It co-existed with our IRE SafeNet VPN client, but we could not initiate a VPN tunnel over the ORiNOCO interface.
On NT, RRAS and SP4 are pre-requisites. We had trouble getting ORiNOCO's "RasShim" software installed properly, with symptoms ranging from bluescreen to inability to associate with the AS-2000. A RasMsg file offers brief error messages, but debugging consisted largely of removing and reinstalling software in the prescribed order until the AS Client worked (Workstation laptop) or we gave up (Server desktop). The new Windows 2000 Professional AS Client 2.03 installed cleanly.
But at login, the AS Client insisted "WaveLAN Card not present." Tech support quickly recognized the problem and suggested the fix: disable all other network interfaces. We found this workable, but look forward to a permanent fix in the next release.
Part 2 of this review will deal with the installation nitty-gritty.