Stephen John Smoogen wrote:
> On 1 March 2018 at 12:26, hw <hw at gc-24.de> wrote:
>> Stephen John Smoogen wrote:
>>>
>>> On 1 March 2018 at 08:42, hw <hw at gc-24.de> wrote:
>>>
>>>>
>>>> I didn't say I want that, and I don't know yet what I want. A captive
>>>> portal may be nice, but I haven't found a way to set one up yet, and I
>>>> don't have an access point controller which would provide one, so I
>>>> can't tell if that's the right solution.
>>>>
>>>
>>> This is the problem with this entire thread in a nutshell. You don't
>>> know what you want but what you have articulated at various points is
>>> that you do know what you want. You then state something that won't
>>> work because of some factor or another. People then correct you on
>>> that, and you then get hostile because you were just thinking out loud
>>> but no one knew that. Thinking out loud works ok in real life because
>>> we give special cues like looking abstractly or being able to say
>>> "Oh no I am just thinking out loud" right away. Instead in email none
>>> of that happens and people get more and more hostile and angry
>>> thinking the other side is trying to make them do completely opposite.
>>>
>>> Let us try starting over. You may have answered these in other places,
>>> but people need to see them in one place at one time versus trying to
>>> look through cache of other emails.
>>>
>>> What do you want?
>>
>> I was asking for documentation telling me how RADIUS can be used, not only
>> that it can be used.
>>
>>> What are your constraints? [AKA what have you been told to do.]
>>
>> The task is to provide wireless coverage for employees and customers on
>> company premises. It is desirable to be able to keep track of customers,
>> as in knowing where exactly on the premises they currently are (within
>> like 3--5 feet, which is apparently tough), and simpler things like knowing
>> how long they stay and if they have been on the premises before. To avoid
>> legal issues, it is probably advisable that customers need to agree to
>> some sort of terms of usage.
>>
>
> Oh yeah. Whoever gave you those marching orders needs to talk with
> all kinds of lawyers... even researching for it might be problematic
> in some countries due to a multitude of laws. You are walking out of
> setting up a wireless environment into full-scale surveillance.

That's not my problem to solve, but think about it: You can get a lot more
information using CCTV cameras, and those are everywhere. Unfortunately,
nobody cares, and it's not like you have a choice. So why would there be any
legal issues?

> That said, what you are looking for is not going to be accomplished
> with simple radius without a large amount of development. It is also
> going to need a lot of wireless sensors running at different
> frequencies throughout the building. Most of that is done usually
> with special commercial hardware/software and falls outside of scope
> of this list by a mile.

RADIUS would only be a tool to use for authentication and perhaps accounting.
Figuring out where users are is an entirely different problem.

> RADIUS may be something that is done with all of this but only far way
> back in the chain of tools needed. It might be something that the
> specialized hardware, scanners, sensors, etc might tie into if they
> don't have their own specialized tool. Worrying about it before those
> are researched, etc is to use an English idiom: putting the cart
> before the horse.

I'm surprised that wireless access point controllers, by default, do not use
the strength of the signal received from a device by three or more access
points to simply triangulate the position of the device. Of course, you only
get the positions of devices relative to access points, but once you have
that, you only need to use a map of the place that shows all the access
points and the positions of devices relative to them to figure out where
everyone is.

That's a rather simple thing to do, isn't it? Some documentation of HP's MSRs
stated that the controller can distribute the wireless devices between access
points to even out the bandwidth, and if it can do that, it could as well
distribute them for triangulation.

>> It is desirable to be able to know where employees currently are, though
>> it doesn't need to be as precise.
>>
>>> When do you need it?
>>
>> There's no given time frame; it's as soon as possible and preferably
>> this year.
>>
>> It is necessary to (re-)do the entire network infrastructure before wireless
>> coverage can be achieved, one of the reasons being that it is currently
>> impossible to use VLANs all over the place.
>>
>>> What is the environment that it is to run in?
>>
>> a shopping area
>>
>> Some of the wireless access points may need to take part in what is
>> apparently called a mesh to be able to supply remote parts of the premises.
>>
>>> What research have you done (with references)?
>>
>> I searched for documentation about how to actually use RADIUS and didn't
>> find any. I've asked for pointers to such documentation here.
>> I've read the RADIUS admin guide. I've done a test setup by installing
>> RADIUS and configuring a switch to use it to authenticate users logging
>> into the switch via ssh and found it works fine. I have set up a couple
>> access points in a test setup which currently provide wireless access for
>> employees and wireless internet access for customers around some points
>> of the premises. I found out what a captive portal is.
>>
>>> Then people will have a better ability to answer:
>>> What have others done to meet those needs?
>>> How have they implemented it?
>>>
>>> Then ask
>>> What other things do you need for me to help?
>>>
>>> People can then ask questions about things you didn't fully explain.
>>> This is helpful because going from the previous emails your phrasing
>>> made it sound like you needed unknown people to not be able to get
>>> onto the network until they were authenticated, but authentication
>>> requires them to be on a network, but you can't allow them to be on
>>> any network until they are authenticated. That may not be what you
>>> mean (on the other hand, I have had that conundrum given to me at a
>>> job and we had to spend 3 months convincing the boss(es) that was
>>> impossible with the tools we had (and probably impossible without)).
>>
>> That is what using RADIUS apparently leads to when you have devices using
>> PXE boot. Maybe they need to be considered as a security risk and be
>> replaced.
>>
>
> OK I think this is where we are also getting confusion. PXE booting is
> a multistep process to get a hardware device onto the network and
> running a provided kernel. It is also something which usually only
> works on wireless in controlled situations (aka magic).

Oh I never thought of using it for wireless devices.

> So people aren't sure why you are wanting to PXE boot something a
> customer would carry (aka a cell phone/tablet) since that does not PXE
> boot at all. You might be meaning DHCP instead but maybe you are
> meaning something else.

When there's a RADIUS server on the network, not only wireless devices
could/should use it.

> So the normal tools are to set up different LANs for different access.
> On wired or wireless this is usually done with a dedicated network
> which only devices which a) have a proven mac, b) use WPA-Enterprise
> with radius to log in. For untrusted devices that might be looking for
> any open lan, you have an open net which has a captive portal which
> can 'kick' certain devices to a semi-trusted lan. [This is device
> dependent so don't expect it to work for everyone.] Then you have a
> semi-trusted lan which may have a guest password. It is still a
> captive portal so that people on it are only able to get out after
> they provided a second allowed password. The captive portals may be
> backed by Radius, but it will depend on what software they are using.
>
> [The above comes from doing this a decade ago.. things have changed so
> please follow any new guidance/books on commercial wireless design.]

Well, I don't want to trust MAC addresses because they can be faked.

>> Unauthenticated people are easier to handle because people can provide
>> credentials for authentication without PXE booting them first and do not
>> access the network without a device (unless they mess with the very network
>> hardware, using cables to create loops or accidentally cutting them or
>> unplugging them or whatever --- people do all kinds of things, with
>> authentication and without ...).
>>
>> Devices with network access are much more dangerous than unauthenticated
>> people because such devices could be used by such people to also gain
>> network access, or they could try to have bad effects on the network.
>>
>> So everything is dangerous, authenticated or not.
>>
>
> Everything is always dangerous :). It is good to recognize that
> because a lot of times people just assume there is a magical
> non-dangerous way and then spend all their time trying to find it. The
> best we can do is find how to respond to the danger.

hm Is sleeping dangerous?
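The "dedicated network for WPA-Enterprise users, separate network for guests" split described above is the kind of concrete RADIUS usage hw was asking documentation for. The following FreeRADIUS 3.0.x fragment is an added example, not taken from this thread or from any vendor documentation it mentions; the AP address, user names, passwords and VLAN numbers are constructed placeholders.

```conf
# --- raddb/clients.conf --------------------------------------------------
# Every access point (NAS) gets its own entry and its own shared secret.
# A request from an address that has no client entry is dropped by the
# server before any authentication is attempted.
client ap-shop-1 {
    ipaddr    = 192.0.2.10            # constructed placeholder AP address
    secret    = replace-with-a-long-random-secret
    shortname = ap-shop-1
    nas_type  = other
}

# --- raddb/mods-config/files/authorize (the "users" file) ----------------
# Two classes of account. The Tunnel-* reply attributes are the RFC 3580
# VLAN assignment; an AP or switch doing 802.1X/WPA-Enterprise puts the
# session into that VLAN, so employees and guests never share a LAN even
# when they associate to the same SSID.
#
# Hypothetical user names and passwords; a real deployment keeps passwords
# in a backend (LDAP, SQL, AD via ntlm_auth) rather than in this file.
alice     Cleartext-Password := "hypothetical-password-1"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = "10",
          Reply-Message = "employee VLAN"

guest01   Cleartext-Password := "hypothetical-guest-password"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = "20",
          Session-Timeout = 14400,
          Reply-Message = "guest VLAN, re-authenticate after 4h"

# Entries are matched top to bottom and matching stops at the first hit
# (no Fall-Through), so this last entry turns every unknown name into an
# explicit Access-Reject instead of a permissive default.
DEFAULT   Auth-Type := Reject
          Reply-Message = "unknown account"

# --- raddb/mods-available/eap (FreeRADIUS 3.0.x) -------------------------
# With PEAP/TTLS the password check happens inside the TLS tunnel. The VLAN
# attributes above are generated there too, and only reach the AP in the
# outer Access-Accept when the tunnel is told to copy them out:
#
#   peap {
#       ...
#       use_tunneled_reply = yes
#   }
```

On CentOS the files live under /etc/raddb after `yum install freeradius`, and `radtest alice hypothetical-password-1 127.0.0.1 0 testing123` (testing123 is the stock localhost secret in the shipped clients.conf) shows whether the reply carries the Tunnel-* attributes before any access point is involved.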
On 2 March 2018 at 12:07, hw <hw at gc-24.de> wrote:
>>
>> Oh yeah. Whoever gave you those marching orders needs to talk with
>> all kinds of lawyers... even researching for it might be problematic
>> in some countries due to a multitude of laws. You are walking out of
>> setting up a wireless environment into full-scale surveillance.
>
> That's not my problem to solve, but think about it: You can get a lot more
> information using CCTV cameras, and those are everywhere. Unfortunately,
> nobody cares, and it's not like you have a choice. So why would there
> be any legal issues?
>

1) Devices which emit radio frequency wavelength radiation are covered by
different laws and agencies than those which emit light based radiation.
This means that the agency that says you can put in a cctv may not be the
same as the one that allows you to put in a RF sensor.
2) There are laws using where monitoring of the public can happen and where
the monitoring devices can be placed and what information can be kept on
them. These are covered from everything from local to EU laws. The laws can
also be conflicting and need careful consideration.
3) Depending on the location this occurs, it is your problem to bring up if
you are aware that it could be a problem. The "I was only following orders"
defense has been thrown out for people and the engineers/custodians who put
the stuff in were found liable for damages as much as the boss who said to
do it.

That is all I am going to say on this as it is up to your location and
situation. Other people coming into this conversation years later will be on
different laws and rules.

>> That said, what you are looking for is not going to be accomplished
>> with simple radius without a large amount of development. It is also
>> going to need a lot of wireless sensors running at different
>> frequencies throughout the building. Most of that is done usually
>> with special commercial hardware/software and falls outside of scope
>> of this list by a mile.
>
> RADIUS would only be a tool to use for authentication and perhaps
> accounting.

Depending on the hardware used. If the hardware bought only works with AD,
RADIUS isn't going to help at all.

> Figuring out where users are is an entirely different problem.
>
>> RADIUS may be something that is done with all of this but only far way
>> back in the chain of tools needed. It might be something that the
>> specialized hardware, scanners, sensors, etc might tie into if they
>> don't have their own specialized tool. Worrying about it before those
>> are researched, etc is to use an English idiom: putting the cart
>> before the horse.
>
> I'm surprised that wireless access point controllers, by default, do not
> use the strength of the signal received from a device by three or more
> access points to simply triangulate the position of the device. Of course,
> you only get the positions of devices relative to access points, but once
> you have that, you only need to use a map of the place that shows all the
> access points and the positions of devices relative to them to figure out
> where everyone is.
>
> That's a rather simple thing to do, isn't it? Some documentation of HP's
> MSRs stated that the controller can distribute the wireless devices between
> access points to even out the bandwidth, and if it can do that, it could as
> well distribute them for triangulation.
>

It isn't. Wireless is much noisier and uses longer wavelengths than light.
It is like walking through a hall of mirrors with sunglasses on. You are only
able to see certain things, lots of things reflect, everything within sensor
range which is broadcasting is showing up even if it is a different SSID, and
a ton of other items. This means that where you might only need 2 sensors for
light, you need dozens to hundreds for radio waves. However the more sensors
you have, they also may reflect, rebroadcast, dampen, ghost echo signals.
Then you have the fact that RF is absorbed by water and people are giant bags
of water. You need to put sensors at different heights, etc etc.

This is where the 3rd party hardware and software comes in. You need to map
the empty room, map the room with noise, map the room with people in it
without sensors and then map the room with how you want it to work. The
software then does a huge data dump and lots of Fourier transforms and trig
to figure out what a 'live' feed may look like. You still have to go in and
massage it at times because all it takes is some metal object being walked
through the room and it is all off for N minutes.

In any case, this is a different problem and completely tangential to either
CentOS or RADIUS.

-- 
Stephen J Smoogen.
> That's not my problem to solve, but think about it: You can get a lot more
> information using CCTV cameras, and those are everywhere. Unfortunately,
> nobody cares, and it's not like you have a choice. So why would there
> be any legal issues?

It's called "A Law". Different places have different laws. Different
places have different attitudes towards being lawful.

>
> I'm surprised that wireless access point controllers, by default, do not
> use the strength of the signal received from a device by three or more access
> points to simply triangulate the position of the device. Of course, you
> only get the positions of devices relative to access points, but once you
> have that, you only need to use a map of the place that shows all the access
> points and the positions of devices relative to them to figure out where
> everyone is.

I'm surprised you didn't find anything about this on Google - you did
try Google didn't you?

http://bfy.tw/GtiP

top hit

https://www.accuware.com/

or this paper

https://www.technologyreview.com/s/542561/wi-fi-trick-gives-devices-super-accurate-indoor-location-fixes/

OK. I know I said before it was basically impossible - but I hadn't
googled for it then. It just goes to show that asking CentOS admins
about cutting edge WiFi issues is not going to get you very far.

P.
Stephen John Smoogen wrote:
> On 2 March 2018 at 12:07, hw <hw at gc-24.de> wrote:
>
>>>
>>> Oh yeah. Whoever gave you those marching orders needs to talk with
>>> all kinds of lawyers... even researching for it might be problematic
>>> in some countries due to a multitude of laws. You are walking out of
>>> setting up a wireless environment into full-scale surveillance.
>>
>> That's not my problem to solve, but think about it: You can get a lot more
>> information using CCTV cameras, and those are everywhere. Unfortunately,
>> nobody cares, and it's not like you have a choice. So why would there
>> be any legal issues?
>>
>
> 1) Devices which emit radio frequency wavelength radiation are covered
> by different laws and agencies than those which emit light based
> radiation. This means that the agency that says you can put in a cctv
> may not be the same as the one that allows you to put in a RF sensor.
> 2) There are laws using where monitoring of the public can happen and
> where the monitoring devices can be placed and what information can be
> kept on them. These are covered from everything from local to EU laws.
> The laws can also be conflicting and need careful consideration.

Ok, those are considerations for the lawyers. If they can't figure out that
it can be much worse filming someone who doesn't even have a choice about
being filmed than it can be to use wireless access points to determine the
whereabouts of someone who has a choice to either use the access points or
not, someone needs to do something about those lawyers.

> 3) Depending on the location this occurs, it is your problem to bring
> up if you are aware that it could be a problem. The "I was only
> following orders" defense has been thrown out for people and the
> engineers/custodians who put the stuff in were found liable for
> damages as much as the boss who said to do it.

Prove that I was aware of something and aware that I should bring it up and
that I then didn't bring it up. If someone made a law saying that nobody can
say anymore that they were only doing what they were supposed to do, I'd like
to know where to find this law. I would also like to know how that law is
enforced.

"Following orders" has apparently been a problem with the Nazis a long time
ago, and when the lawsuits after WW2 were performed, claiming that one of the
intentions was to show how following orders may not always be the right thing
to do and that people might be punished for doing so, the outcome was a total
failure because nothing has changed. There are still people making decisions
without being held responsible for what they are doing, and other people who
carry them out, also without being held responsible for what they are doing,
and since they control all the powers that are, what they are doing crushes
anything and anyone that or who might get into their way, and these people
don't care and don't even blink when they harm millions. This is called
democracy, and no one is responsible because it isn't called "following
orders" anymore.

The same principles that did a great deal to make it possible to murder so
many people a long time ago are entirely unbroken and still in effect, and
thanks to advances in technology, nowadays the means at their disposal are
ridiculously more powerful than they were. Unfortunately, we aren't told
this, and I'm afraid almost no one understands this. You can imagine why we
aren't told. What I don't understand is why they didn't change anything back
then. Perhaps they didn't understand what the real danger is and where it
comes from.

Now tell me: Who am I to question the orders and what power could I possibly
have to refuse them without it being to my disadvantage?

> [...]
>>
>> I'm surprised that wireless access point controllers, by default, do not
>> use the strength of the signal received from a device by three or more
>> access points to simply triangulate the position of the device. Of course,
>> you only get the positions of devices relative to access points, but once
>> you have that, you only need to use a map of the place that shows all the
>> access points and the positions of devices relative to them to figure out
>> where everyone is.
>>
>> That's a rather simple thing to do, isn't it? Some documentation of HP's
>> MSRs stated that the controller can distribute the wireless devices
>> between access points to even out the bandwidth, and if it can do that,
>> it could as well distribute them for triangulation.
>>
>
> It isn't. Wireless is much noisier and uses longer wavelengths than
> light. It is like walking through a hall of mirrors with sunglasses
> on. You are only able to see certain things, lots of things reflect,
> everything within sensor range which is broadcasting is showing up
> even if it is a different SSID, and a ton of other items. This means
> that where you might only need 2 sensors for light, you need dozens to
> hundreds for radio waves. However the more sensors you have, they also
> may reflect, rebroadcast, dampen, ghost echo signals. Then you have
> the fact that RF is absorbed by water and people are giant bags of
> water. You need to put sensors at different heights, etc etc.
>
> This is where the 3rd party hardware and software comes in. You need
> to map the empty room, map the room with noise, map the room with
> people in it without sensors and then map the room with how you want
> it to work. The software then does a huge data dump and lots of
> Fourier transforms and trig to figure out what a 'live' feed may look
> like. You still have to go in and massage it at times because all it
> takes is some metal object being walked through the room and it is all
> off for N minutes.

You mean the signal strength is way too unrelated to the distance between an
access point and a device to give meaningful results when used for
triangulations? That makes perfect sense to me.

> In any case, this is a different problem and completely tangential to
> either CentOS or RADIUS.
>
Pete Biggs wrote:
>
>> That's not my problem to solve, but think about it: You can get a lot more
>> information using CCTV cameras, and those are everywhere. Unfortunately,
>> nobody cares, and it's not like you have a choice. So why would there
>> be any legal issues?
>
> It's called "A Law". Different places have different laws. Different
> places have different attitudes towards being lawful.
>
>>
>> I'm surprised that wireless access point controllers, by default, do not
>> use the strength of the signal received from a device by three or more access
>> points to simply triangulate the position of the device. Of course, you
>> only get the positions of devices relative to access points, but once you
>> have that, you only need to use a map of the place that shows all the access
>> points and the positions of devices relative to them to figure out where
>> everyone is.
>
> I'm surprised you didn't find anything about this on Google - you did
> try Google didn't you?
>
> http://bfy.tw/GtiP

You've cheated by using different search terms than I did ...

> top hit
>
> https://www.accuware.com/

They use video or bluetooth, not wireless.

> or this paper
>
> https://www.technologyreview.com/s/542561/wi-fi-trick-gives-devices-super-accurate-indoor-location-fixes/

They are doing it the other way round by having the device use the signal
strengths of access points to triangulate its own position by using
specialized hard- and software to solve accuracy problems. Anyway, these are
both interesting references.

> OK. I know I said before it was basically impossible - but I hadn't
> googled for it then. It just goes to show that asking CentOS admins
> about cutting edge WiFi issues is not going to get you very far.

Well, we asked someone who might know how to do it and they never responded,
so asking people who don't know gets you even farther than asking people
who do.