I've been very surprised to find applications on campus that don't encrypt data. We've even recently found credit card processing devices that were not properly configured and sent information in the clear. Given the vast number of applications out there, and the absolute zero control over how they are written, you can't assume anything. And sometimes you don't need to be able to decrypt the payload to get useful information.
Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Tuesday, November 19, 2013 4:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Pete Morrissey

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken LeCompte
Sent: Tuesday, November 19, 2013 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages. There is also the more obvious issue that client data is not encrypted over the air, although you could argue that more and more applications are using TLS/SSL.

I do think that you are correct that captive portal robustness has been dramatically increased with products like the 5508, which handles a great deal more simultaneous connections than other products before it. I also feel like captive portal security is kinder to backend authentication servers since the authentication is typically done once with a decent length session timeout, whereas many supplicants do tons of reauths.

Thanks.

Ken

--
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless

On Nov 19, 2013, at 3:28 PM, "Ashfield, Matt (NBCC)" <matt.ashfi...@nbcc.ca> wrote:

> Just wondering what people's thoughts are here regarding using the Web Portal
> authentication vs 802.1x auth in your wifi networks. Obviously one big "pro"
> for 802.1x is dynamic vlan assignment based on the user's credentials, but
> certainly for web-portal the big "pro" is simplicity for the user.
>
> We currently use ExpressConnect to configure student devices for our 802.1x
> wifi network using cert-based authentication, and while it works great 90% of
> the time, we have 10% where it's tough to get the user on for a variety of
> reasons on student owned devices. Since we provide guest access via a portal
> authentication, we inevitably get the question as to why don't we do all wifi
> auth with that?
>
> I know when I first started out, there were limitations with the # of users a
> portal auth system could support, but I don't think that's a major concern
> anymore (we are using Cisco 5508 controllers here). Just wondering what the
> thoughts are on this list. Always good input.
>
> Thanks
>
> Matt
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.