Re: [WIRELESS-LAN] 802.1x rollout
Wyman Miles wrote:

> We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:
>
> - is anyone using Kerberos as an authentication resource for your wireless clients. Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?

We use EAP-TTLS with PAP and the SecureW2 supplicant. Backend is Radiator talking to MIT K5.

The Funk client has worked well for us, but the cost has prevented us from rolling it out for everyone. We've had mixed success with the card drivers that have packaged TTLS supplicants in them (TruMobile, Centrino, etc.). Sometimes it works, sometimes it doesn't. Seems highly related to driver versions.

Since the new version of SecureW2 has been available, we've been pushing that as our "standard". It has some warts, but now that autoconfig works with XP SP1, we distribute an installer with our config preloaded and things pretty much just work.

I'm sure you're aware that to install and configure the supplicant, the mobile users usually need administrator access on their laptops. That can be a problem for visitors.

> - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).

I've had no problems at all with our Odyssey and SecureW2 clients and Radiator. It "just works".

Note that if you're going to use the builtin AuthKrb5 module in Radiator 3.13, there are a couple of obscure bugs with null passwords you might run into. I have some patches that I need to forward back to Hugh and the guys, I just keep forgetting to actually send the diffs. I can provide more info on that offline if you want.

-Jeff
College of Earth and Mineral Sciences -- Penn State

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
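The null-password pitfall Jeff mentions is the kind of backend defect a RADIUS front end should not have to trust. The following is an added example, not code from Radiator, SecureW2 or the poster: a guard that runs on the inner (TTLS/PAP) credentials before any password verifier is consulted, plus a regression probe that detects a verifier which accepts an empty password. The `ConstructedKrbBackend` class is a constructed stand-in for a Kerberos-backed verifier, deliberately built with that defect so the guard has something to catch; it is not how MIT K5 or Radiator's AuthKrb5 behaves.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Decision:
    accepted: bool
    reason: str


class ConstructedKrbBackend:
    """Constructed stand-in for a password verifier (hypothetical, for this
    example only). It carries the defect under discussion: a known principal
    with an EMPTY password is accepted instead of rejected."""

    def __init__(self, principals):
        self._pw = dict(principals)          # principal -> password (example data)

    def verify(self, principal, password):
        if principal not in self._pw:
            return False
        if password == "":
            return True                      # the defect: null password "succeeds"
        return secrets.compare_digest(self._pw[principal].encode(), password.encode())


def guarded_verify(backend, username, password):
    """Inner-auth gate: reject malformed or empty credentials before the
    backend is ever called, so a backend bug cannot turn them into a success."""
    if not username or len(username) > 253 or any(c in username for c in "\x00\r\n"):
        return Decision(False, "malformed username")
    if not password:
        return Decision(False, "empty password rejected before backend")
    if "\x00" in password:
        return Decision(False, "NUL byte in password")
    ok = backend.verify(username, password)
    return Decision(ok, "backend accepted" if ok else "backend rejected")


def probe_null_password_handling(backend, known_principal):
    """Regression probe for the backend itself: True when an empty password
    for a known principal is correctly refused, False when the bug is present."""
    return backend.verify(known_principal, "") is False


if __name__ == "__main__":
    backend = ConstructedKrbBackend({"alice": "correct horse battery"})
    print("backend rejects null password:", probe_null_password_handling(backend, "alice"))
    print("guarded, empty password:", guarded_verify(backend, "alice", ""))
    print("guarded, right password:", guarded_verify(backend, "alice", "correct horse battery"))
```

The probe is worth running against the real verifier after every upgrade of the RADIUS server or its Kerberos module; the guard is the belt-and-braces layer in front of it.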
Re: [WIRELESS-LAN] 802.1x rollout
We're using 802.1x here at the University of Northern Iowa, but we're just using PEAP/MSCHAPv2 against Microsoft's IAS against Active Directory. The Windows native 802.1X client works, but it's a bit of a pain to configure if the machine isn't in a domain. I've urged our support staff to consider purchasing the AEGIS or Funk clients instead, but I'm having a hard time leading the horse to water now that they've mastered the native client, though most users will never be able to configure it on their own.

Wyman Miles wrote:

> [quoted message omitted; Wyman Miles's original "802.1x rollout" post appears in full elsewhere on this page]

--
Seth H. Bokelman ([EMAIL PROTECTED])
Systems Administrator
ITS-Network Services, University of Northern Iowa
15 Curris Business Building, Cedar Falls, Iowa 50614
Phone: (319) 273-7423
http://www.sethb.com/
ICQ#: 6497760
MSN Messenger: [EMAIL PROTECTED]
AOL/AIM: sethb2
Yahoo Messenger: sethbokelman
Re: [WIRELESS-LAN] Guest access strategy
Mearl Danner wrote:

> Samford is in the process of establishing policies for wireless access on campus.
>
> We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACLs for each SSID, and have successfully applied custom ACLs using RADIUS (freeradius/eDirectory) reply items.
>
> We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.
>
> We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.
>
> We'd appreciate any information on access strategies any list members have implemented (or are considering).

We're doing exactly this (same equipment, 802.1x + open guest); visitors must log in using a web portal using a single-use token. The web pages also provide instructions for connecting to the 802.1x SSID.

We built a system here to provide the web login portal; it's tied into the Airespace controllers. If there is sufficient interest this could likely be shared. Some details:

http://wireless.duke.edu/noauth/login/more_info
http://www.oit.duke.edu/access/duke-secure/token/

-Kevin
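The single-use token Kevin describes is the part of a guest portal that most needs to be right: a token must be unguessable, expire, and stop working after its first use. The following is an added example of that store logic, not Duke's portal code and not tied to any controller API; the class, its method names, the TTL and session lengths and the secret key are all assumptions made for the example, and the controller push (authorizing the redeeming MAC) is represented only by the `authorized_macs()` list a caller would hand to the controller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def norm_mac(mac: str) -> str:
    """Normalise '00-11-22-AA-BB-CC' and '00:11:22:aa:bb:cc' to one form."""
    return mac.lower().replace("-", ":")


@dataclass
class TokenRecord:
    issued_at: float
    redeemed_by: Optional[str] = None    # MAC that redeemed the token, once redeemed
    redeemed_at: Optional[float] = None


class GuestTokenStore:
    """In-memory single-use guest token store (example design, assumed).

    Tokens are stored only as keyed hashes, so a copy of the store does not
    yield usable tokens; a token can be redeemed exactly once, only while it
    is unexpired, and redemption binds it to the client MAC for one session."""

    def __init__(self, secret_key: bytes, ttl_seconds: int = 24 * 3600,
                 session_seconds: int = 8 * 3600, clock: Callable[[], float] = time.time):
        self._key = secret_key
        self._ttl = ttl_seconds
        self._session = session_seconds
        self._clock = clock                  # injectable for testing expiry
        self._records: Dict[bytes, TokenRecord] = {}

    def _digest(self, token: str) -> bytes:
        return hmac.new(self._key, token.encode(), hashlib.sha256).digest()

    def issue(self) -> str:
        """Create a fresh token (128 bits of randomness) and return it for printing/emailing."""
        token = secrets.token_urlsafe(16)
        self._records[self._digest(token)] = TokenRecord(issued_at=self._clock())
        return token

    def redeem(self, token: str, client_mac: str) -> Tuple[bool, str]:
        """Validate a token presented at the portal; succeeds at most once."""
        rec = self._records.get(self._digest(token))
        now = self._clock()
        if rec is None:
            return False, "unknown token"
        if now - rec.issued_at > self._ttl:
            return False, "expired"
        if rec.redeemed_by is not None:
            return False, "already redeemed"
        rec.redeemed_by = norm_mac(client_mac)
        rec.redeemed_at = now
        return True, "ok"

    def authorized_macs(self) -> List[str]:
        """MACs with a live guest session: what a caller would push to the controller."""
        now = self._clock()
        return sorted(r.redeemed_by for r in self._records.values()
                      if r.redeemed_by is not None and now - r.redeemed_at <= self._session)


if __name__ == "__main__":
    store = GuestTokenStore(b"constructed-example-secret")
    t = store.issue()
    print("first redemption:", store.redeem(t, "AA-BB-CC-DD-EE-FF"))
    print("second redemption:", store.redeem(t, "AA-BB-CC-DD-EE-FF"))
    print("authorized:", store.authorized_macs())
```

Two design points carry over to any real portal: look up tokens by keyed hash rather than storing them in the clear, and make the redemption check and the "mark as used" step one operation (here a single in-memory update; in a database, one transaction) so two simultaneous submissions of the same token cannot both succeed.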
RE: [WIRELESS-LAN] 802.1x rollout
On a related topic, we hope to find time to answer this tomorrow or Monday, but I thought I would throw it out to the list anyway.

We're live with .1x and have a limited pool of users testing it before it becomes de facto next month. One of our heavy Active Directory users complained that the SecureW2 client kicked in too late in the boot process, therefore breaking all the scripts being pushed down by AD. It appears as if the Microsoft supplicant establishes the network layer sooner and doesn't break a PC connected to an AD domain... but we haven't actually verified it yet.

Can anyone verify this behavior?

-d

-----Original Message-----
From: Jon Moore [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 15, 2005 2:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x rollout

[forwarded message omitted; Jon Moore's reply, with the quoted Wyman Miles post, appears in full elsewhere on this page]
Re: [WIRELESS-LAN] 802.1x rollout
Here at UPenn we use Kerberos for our backend authentication, using EAP-TTLS-PAP. We also use Radiator as our backend RADIUS server. The built-in Mac OS X supplicant (Internet Connect) works swimmingly.

We have been piloting third-party software for Windows clients, since the built-in Windows supplicant doesn't do TTLS. Our experience has been that we have had lots of problems getting the Meetinghouse Aegis supplicant to work, but have found that the open source SecureW2 client (www.securew2.com) seems to work much better.

--
Jon Moore
ISC Networking & Telecommunications
University of Pennsylvania

On Sep 15, 2005, at 2:46 PM, Wyman Miles wrote:

> [quoted message omitted; Wyman Miles's original "802.1x rollout" post appears in full elsewhere on this page]
RE: [WIRELESS-LAN] 802.1x rollout
> - is anyone using Active Directory as an authentication resource?

We are.

> - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).

We're using the Windows XP/2k native supplicant. It didn't exist at the time we committed to 802.1x, but I would look at SecureW2 (http://www.securew2.com) very hard right now. It's open source as well.

SecureW2 3.1.0 now supports preconfiguration on Service Pack 2, allowing administrators to deploy SecureW2 more easily. SecureW2 3.1.0 also contains the first SecureW2 GINA, allowing users to authenticate using their interactive logon credentials.

We're using FreeRADIUS for a RADIUS server.
802.1x rollout
We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:

- is anyone using Kerberos as an authentication resource for your wireless clients? Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?

- is anyone using Active Directory as an authentication resource?

- who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).

Thanks for the feedback!

Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
RE: [WIRELESS-LAN] Future Wireless Design
First let me say I am already enjoying the view into the wireless world from inside the University. I'll try and add some insight when I can... like now.

You are correct in that roaming is not an issue for data services. It is the multimedia services like VoWLAN where the fast handoffs are required. And the evolution you allude to is the implementation of 802.11e (QoS), 802.11r (fast roaming), and some others like 802.11k (enabling the management of radio resources better for more efficient WLAN operation) and CAPWAP. Two years is a good time frame.

Cisco's use of GRE tunnels was one of the 'issues' with their fat AP architecture. The fact that they are moving to the Airespace model of enabling LWAPP in their APs might offer some hope that the merged WLAN solution will be better (for those that insist on Cisco...). They are certainly moving towards the centralized architecture.

Your imagination is correct in that controllers talk to each other (usually one is identified as the master) to enable L3 roaming. For example, Airespace and others use the concept of "Mobility Groups" to allow users to seamlessly roam from controller to controller. Today the maximum Airespace network is 24 controllers and ~800 APs, but tomorrow it will increase - vendor dependent. Single controllers will control 100 and more APs and the overall management size will also increase as well.

Building to building won't be an issue (famous last words...) because the capability of performing IP handoffs (L3 subnet roaming) already exists. It will be IP datagrams carrying the traffic with QoS labels. Security credentials will also follow the user without re-authentications. Even QoS configurations will be handed off between layers, but that gets more complicated at the network edge. Management of the network will generally be a single HTTPS interface into the controllers with visibility to the entire network for policy and management.

Solving the problem of large, segmented WLANs is a major focal point of the vendors and IEEE.

Ok, that is the pretty side. On the other side will be the hype bumps and vendor interoperability issues and long waits for standards. But the communication between buildings will be IP traffic between controllers and the number of centrally managed APs will continue to increase.

Hope that helps.

phil

-----Original Message-----
From: Zeller, Tom S [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 15, 2005 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Future Wireless Design

[forwarded message omitted; Tom Zeller's "Future Wireless Design" post appears in full elsewhere on this page]
Re: [WIRELESS-LAN] Cellular/WiFi voice devices - a scenario
Tom:

This is a lot more complicated for the wireless carriers than it seems at first. It is true that WiFi/Cellular dual mode phones can improve indoor coverage, but it is less clear that the cellular carriers think this is a good idea.

With a dual mode phone, it is very easy to set the phone to use 2 different carriers - 1 VoIP, 1 Cellular. The phone can "pick" the VoIP carrier if it has a WiFi signal. This call would be carried at very low cost to the person talking (considering prices from BroadVoice, Vonage or the other "flat rate" operators, not to mention Stanaphone, SIPgate, or Free World Dial Up or your own VoIP PBX that have no fee per month). The phone would only call over cellular when out of range of an AP. This would have the impact of pulling peak minutes off the cellular network - which is where the cellular carriers make their money.

There are, of course, alternate approaches which go through the cellular carrier's switch and bill at cellular rates, even if you "bring your own" (WiFi) cell. These are mostly being pushed in Europe where cellular runs on a "calling party pays" basis, so the cellular carrier gets paid for terminating the call - even if they don't need to use their cells to reach the subscriber.

Note that this whole topic also relates in a major way to the "guest access" topic. For a WiFi phone, the time it takes to get past most authentication approaches is pretty significant. If you want to enable this, you can set up a network to allow "guest" access as an open network on a different SSID from the standard WiFi network. Anything linking to that SSID would be outside the firewall and would need VPN to get back in if desired (a VoIP device would probably not want to get back in). We have seen this set up in many places where visitors want access to "their own" network and not to anything local.

DISCLAIMER: We are an equipment manufacturer, not a university

Howie Frisch
[EMAIL PROTECTED]
+1-732-767-6135

Zeller, Tom S wrote:

> [quoted message omitted; Tom Zeller's "Cellular/WiFi voice devices - a scenario" post appears in full elsewhere on this page]
Cellular/WiFi voice devices - a scenario
I'd be interested in comments on the following scenario.

I've heard it said that cellular carriers make money selling per-byte data services and therefore have no incentive to support and subsidize combo cell/WiFi devices. What if they are eventually forced into a flat-rate data scheme? This may never happen due to lack of competition. But say the third carrier needs a leg up and goes flat-rate and the others follow. Doesn't that change the equation significantly? Wouldn't they then LOVE to have their customers' data flowing over our campus data networks instead of their more limited capacity wireless network? And, assuming appropriate technology, wouldn't they LOVE to have their customers' cell voice calls move to VOIP over our campus data network? If the VOIP goes back to the carrier it seems like they would be in a position to effect a handoff. I guess they wouldn't have end-to-end control and couldn't guarantee quality.

If this were to come about, wouldn't this solve the problem of poor cell coverage in buildings without us having to do anything different than we are now doing by providing WiFi coverage? Am I dreaming here?

And a follow-up question. In discussing this with other university types I've repeatedly received the response of "we'd have to charge the carriers. It would be a revenue stream." That strikes me as unrealistic. The carriers can't negotiate 50,000 contracts with every possible hotspot provider. And besides, it seems to me that this scenario is to our advantage even without a revenue stream. I'm not sure we should WANT to be in the wireless VOIP business if there's a viable alternative that costs us zero.

Tom Zeller
Indiana University
812-855-6214
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] Guest access strategy
I forgot:

In our still gigantic layer 2 domain (about 1000 APs in one subnet with most of the users in it... up to 1600 concurrents these days) we have isolated the management of the APs to another subnet. This reduces a lot of the broadcasting from IAPP.

By implementing multiple SSIDs, it helps folks that have large layer 2 domains in the broadcasting management. I call this vertical subnetting as opposed to horizontal subnetting (or geographical subnetting). Our buildings are so close to each other that the horizontal subnetting would be hard to implement (you don't always get signal from the building that you are in, especially if you are close to a window).

-PH

On Thu, 15 Sep 2005, Philippe Hanset wrote:

> [quoted message omitted; Philippe Hanset's reply to "Guest access strategy", including the quoted Mearl Danner post, appears in full elsewhere on this page]
Future Wireless Design
Lee's comments about roaming bring up a difficult area I've been grappling with.

Our architecture is the same as 4 years ago. Dumb APs, on a single VLAN for roaming (actually two now on the largest campus) with VPN protection. Roaming is not currently a huge issue as laptops sleep between buildings anyway. We also don't have wireless VOIP, and I'm hoping we won't have until b/g/a evolves into something better (higher capacity, faster handoffs). However I do see roaming as becoming important as wireless handheld devices become more common. So I'm interested in a fork-lift architectural change to take place beginning in about two years.

I haven't looked at the options in depth, but I'm aware of the obvious vendors in this space. While I don't like the idea of troubleshooting spaghetti GRE tunnels, I suspect this is the future. Hope it "just works". I can imagine that architecture working within the realm of a wireless controller and multiple endpoint radios. I can imagine a small handful of controllers having awareness of the others and it working across controller domains. However, I'm nervous/skeptical/curious about how this architecture scales to 500 buildings and 1800 access points. I don't want to manage 500 controllers. I'm drawn to the Cisco core switch blade design and will watch how many endpoints each blade can control. A Colubris rep told me they can do this now.

I'm wondering if anyone else has thoughts or experience on this topic.

Tom Zeller
Indiana University
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] Guest access strategy
Mearl,

The stage:
#regular open Wireless
#Netreg (web based)
#automatic patching and distribution of antivirus (22 minutes to register!)
#802.1x for WLAN
#University people, visitors

Problems:
#How to distribute material on a closed network? (first time join...need an open network)
#how to allow visitors and not patch them or give them AV (we don't pay licenses for visitors!)
#How to allow "special" visitors, not patch them but still give them advanced privileges
#What incentives should we use to move people to 802.1x considering that the regular wless network works so well and that 802.1x is such a pain...all this to provide encryption over the air ONLY and know who is on the network ;-)

The UT Knoxville Solution:
(while waiting to implement total Identity based networking... you could imagine a first 1x authentication with an anonymous login, then switch to a non-anonymous..all this while staying on the same SSID, assuming that the client has the right 802.1x supplicant...in a near future... If people don't understand 1x, they can use their cell phone and call our outsourced helpdesk)

Meanwhile,

##One SSID, non broadcasted (if you don't know the SSID ask around or call the helpdesk...or dial ZERO and ask for the operator)
If Microsoft knew how to configure wireless (maybe that's why it's called "Wireless Zero Config.") we would broadcast the SSID
That SSID lets you:
Register yourself (using NetReg and LDAP) if you are from UT
Register friends (up to 5 people per account)
Register more than 5 people if you are an authorized person (I call it Proxy-trust)

##One SSID, non-broadcasted for 802.1x supporting EAP-TTLS and maybe one day EAP-PEAP if MS understands the weaknesses of MD-4 and stops the proprietary approach requiring Active Directory or ugly hacks.
Our APs can support multiple encryption types on one SSID (eg: dynamic WEP, WPA, WPA2) so theoretically there is no need for an extra SSID in that arena.
On top of that our RADIUS server will be part of EDUROAM/FWNA to support EDU institutions from around the world (more info at www.eduroam.org or security.internet2.edu/fwna)
So, that same SSID will be able to authenticate over 802.1x "trusted" people in the EDU community (visiting scientists, etc...)

##One SSID, non-broadcasted, for unknown visitors, NATed, and highly restricted. No patching required, lots of ACL etc... (to be implemented)
Use an IP gateway address that is not part of your big IP domain to be able to switch it in case that network gets blocked by the rest of the world. It only takes one visitor to be "banned"!

Our incentives to move people from non1x to 1x are: NAT all non 1x SSIDs, restrict access to sensitive apps to 1x only, provide free Napster service on 1x (just kidding!)

Since neither Netreg nor 802.1x are good at preventing IP stealing, we also do an active monitoring of IP addresses in the background, correlating data from AP/DHCP/RADIUS...

Best,

Philippe Hanset
University of Tennessee

On Thu, 15 Sep 2005, Mearl Danner wrote:
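Philippe's last point, the background correlation of AP/DHCP/RADIUS data to catch IP stealing, worked through as an added example (this is not UT Knoxville's code): the lease, accounting and ARP record formats, addresses, usernames and AP names below are constructed; it flags any address in use by a MAC that does not hold its DHCP lease and names the RADIUS user and AP that MAC authenticated from.

```python
"""Flag IP 'stealing': an address seen in use by a MAC that does not hold its
DHCP lease, correlated with RADIUS accounting to name the user and AP involved.
Added example with constructed inputs; not UT Knoxville's monitoring code."""
from collections import namedtuple
from datetime import datetime

Lease = namedtuple("Lease", "ip mac start end")       # DHCP: ip bound to mac for [start, end)
Session = namedtuple("Session", "mac user ap")        # RADIUS Acct-Start: user from mac via ap
Observation = namedtuple("Observation", "ts ip mac")  # gateway ARP sample: ip answered by mac

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def parse_leases(text):
    """Constructed lease export, one per line: '<ip> <mac> <start> <end>'."""
    rows = (line.split() for line in text.strip().splitlines())
    return [Lease(ip, mac.lower(), parse_ts(s), parse_ts(e)) for ip, mac, s, e in rows]

def parse_sessions(text):
    """Constructed RADIUS accounting summary, one line per MAC: '<mac> <user> <ap>'."""
    rows = (line.split() for line in text.strip().splitlines())
    return {mac.lower(): Session(mac.lower(), user, ap) for mac, user, ap in rows}

def parse_observations(text):
    """Constructed gateway ARP samples, one per line: '<ts> <ip> <mac>'."""
    rows = (line.split() for line in text.strip().splitlines())
    return [Observation(parse_ts(ts), ip, mac.lower()) for ts, ip, mac in rows]

def lease_holder(leases, ip, ts):
    """MAC holding an active lease for ip at time ts, or None if nobody does."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.mac
    return None

def find_ip_theft(leases, sessions, observations):
    """One alert per observation whose MAC is not the current lease holder."""
    alerts = []
    for obs in observations:
        holder = lease_holder(leases, obs.ip, obs.ts)
        if holder == obs.mac:
            continue                      # legitimate: the lease holder is using it
        sess = sessions.get(obs.mac)      # who does RADIUS say this MAC is?
        alerts.append({
            "ts": obs.ts.isoformat(timespec="minutes"), "ip": obs.ip, "mac": obs.mac,
            "reason": "no_active_lease" if holder is None else "lease_held_by_other",
            "lease_holder": holder,
            "user": sess.user if sess else "unauthenticated",
            "ap": sess.ap if sess else "unknown",
        })
    return alerts

# Constructed sample data: two leased clients, one squatter on a leased address,
# one unauthenticated MAC on an unleased address, and a client past lease expiry.
LEASES = """
10.10.1.5 00:11:22:33:44:55 2005-09-15T09:00 2005-09-15T13:00
10.10.1.6 66:77:88:99:aa:bb 2005-09-15T09:10 2005-09-15T13:10
"""
SESSIONS = """
00:11:22:33:44:55 alice ap-hodges-2
66:77:88:99:aa:bb bob   ap-hodges-2
de:ad:be:ef:00:01 carol ap-library-1
"""
OBSERVATIONS = """
2005-09-15T09:30 10.10.1.5 00:11:22:33:44:55
2005-09-15T09:45 10.10.1.5 DE:AD:BE:EF:00:01
2005-09-15T10:00 10.10.1.6 66:77:88:99:aa:bb
2005-09-15T10:15 10.10.1.9 ca:fe:00:00:00:02
2005-09-15T14:00 10.10.1.5 00:11:22:33:44:55
"""

def demo():
    """Run the correlation over the constructed sample; returns the alert list."""
    return find_ip_theft(parse_leases(LEASES), parse_sessions(SESSIONS),
                         parse_observations(OBSERVATIONS))
```

In practice the three inputs would be the DHCP server's lease table, the RADIUS accounting log (Calling-Station-Id, User-Name, NAS) and a periodic ARP dump from the wireless gateway, and the address held past expiry shows why a stale lease table is worth alerting on too.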
Re: [WIRELESS-LAN] Guest access strategy
Well put, Dave.

The big news right now for Syracuse, as Dave mentioned, is the ability to easily sponsor guests and allow Jane Q. Public to access our growing wireless network. It will be interesting to see how our traffic patterns change with wireless being opened up to a larger population, and what specific APs get to be "popular" with non-campus users. Will also be an exercise in seeing how healthy or not anonymous machines are, and whether they cause much trouble for the SU network. A lot to watch, but well worth it for the ease of access that these "other" wireless groups should soon be able to enjoy.

But also at Syracuse, with our current topology, we are limited in certain capacities that don't yet impact us. For example, because we don't have VoIP on either the wired or wireless, the fact that we can't roam across VPN spaces or home-grown gateway spaces isn't an issue, yet. If a wireless user lugging a laptop or PDA traverses one gateway-front-ended network space to another, they'd have to reconnect on that new space. Our home-brew gateways and VPN appliances don't have the intelligent coordination to use the likes of GRE tunnels and such to gracefully move sessions from one space to another (as many commercial solutions provide). But again, not a real concern yet. By the time we're done, we'll likely have as many as 10-12 of these spaces, each with its own gateway, meaning that many pieces of campus with roaming "boundaries" until we devise an alternate, budget-compliant solution that overcomes the effect.

Great group, by the way, lots of good posts being shared.

Lee

Lee H. Badman
Network Engineer
CWSP, CWNA (CWNP011288)
Computing and Media Services (NSS)
250 Machinery Hall
Syracuse University
Syracuse, NY 13244
(315) 443-3003 Voice
(315) 443-1621 Fax

>>> [EMAIL PROTECTED] 09/15/05 11:45 AM >>>
RE: [WIRELESS-LAN] Guest access strategy
Some might be interested that the web-based guest wireless portal we are about to deploy is a new HP product. It's a blade (access control module) that goes into an HP 5300 switch. The switch is then configured to pass particular vlans through the blade. There is also a central controller (access control server). It can handle a bunch of the blades. Traffic doesn't go through the central controller. On the controller one defines what traffic is to be allowed for various classes of users (e.g. unauthenticated users, authenticated users, users from blade #1, etc).

We do see 802.1x as the ultimate solution. However, despite the fact that more than a few universities are already using 802.1x, personally I would like to see a higher degree of maturity and interoperability by native clients. (Of course, I'm still waiting for that to occur with VPN clients). In the short run I'm not sure I see a huge advantage of 802.1x over our current vpn-protected wireless scheme. However I certainly would like to hear from 802.1x outfits how they have found that experience, both from the backend and the user's perspective, and to hear what the advantages of 802.1x are.

Tom Zeller
Indiana University
[EMAIL PROTECTED]

-----Original Message-----
From: Dave Molta [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 10:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest access strategy
RE: [WIRELESS-LAN] Guest access strategy
I don't support this, and don't use it. But you should know that it exists:

WPS Wireless Provisioning Services
http://www.microsoft.com/whdc/device/network/wireless/wps.mspx

Wireless Provisioning Services (WPS) enable the discovery of and connection to wireless networks. WPS enhancements are included in Microsoft Windows XP Service Pack 2 (SP2) and under consideration for Windows Server(tm) 2003 Service Pack 1 (SP1). WPS extends the wireless client software included with Windows XP and the Internet Authentication Service (IAS) included with Windows Server 2003 to allow for a consistent and automated configuration process when connecting to public wireless hotspots or private wireless networks that provide guest access to the Internet. The WPS APIs allow for the pre-provisioning of network information to connect to these networks and the provisioning of network settings to connect to private wireless networks.

-----Original Message-----
From: Mearl Danner [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 10:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest access strategy
RE: [WIRELESS-LAN] Guest access strategy
At Syracuse, we are close to going live with a new web-based wireless access portal that provides three levels of access:

1. Normal University users authenticate with their campus NetID and have full access.
2. Anyone having a valid NetID can also provision a time-limited sponsored guest account. These sponsored guests get the same level of access as a normal University user.
3. A third level of access is an open, unauthenticated guest access that is restricted to basic web/Internet access and throttled back to about 200kbps.

In addition, we also provide secure access through a VPN and plan to eventually add 802.1x services.

I'm affiliated with one of the academic schools on campus and I'm not part of the central computing organization (though I did manage the campus network from 1991 to 1998). It took us a long time to develop a strategy that serves the interests of end users and IT staff alike. I think we've done that, though only time will tell. I also think this strategy is consistent with our administration's efforts to engage more effectively with the local community. Lee Badman may want to comment more about this from a central IT perspective.

dm

-----Original Message-----
From: Mearl Danner [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 10:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest access strategy
RE: [WIRELESS-LAN] Guest access strategy
Mearl,

At Bradley University we are doing something very similar to what you are looking at. We have configured four different VLANs/SSIDs on our Cisco access points for Guest, Unsecure, Student Secure and Staff Secure.

On the Guest VLAN we only allow DNS, DHCP, HTTP and HTTPS.

On the Unsecure VLAN we allow additional access to the Internet and Academic resources but require the user to register their computer to gain access. In order to register they must have a Bradley user account. This is provided primarily for devices that do not support 802.1x.

We broadcast the secure 802.1x SSID and using Cisco's ACS/RADIUS authentication we place the user in one of two secure VLANs depending on whether they are Student or Faculty/Staff.

We would like to be able to broadcast the Guest SSID but have not been able to make 802.1x work without it being the broadcast SSID.

Hope this helps, if you would like to discuss this further feel free to contact me off-line.

--
Ron Robinson, Network Architect, Bradley University
1501 West Bradley Ave.  | E-Mail: [EMAIL PROTECTED]
Morgan Hall Room 205F   | Phone: (309) 677-3350
Peoria, Illinois 61625  | FAX: (309) 677-3460

-----Original Message-----
From: Mearl Danner [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 9:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest access strategy
RE: [WIRELESS-LAN] Guest access strategy
At Indiana University we allow any faculty or staff to authenticate to a web page to generate a guest account. The accounts are ADS accounts. The accounts are not actually created by this process. We have a large pool of accounts that are initially disabled. When a user "generates" an account, the next available guest account is enabled with a random password. The default life until the account is disabled is three days, but can be changed by the requester to 1-21 days. Certain individuals, such as hotel and conference folks, are given the ability to bulk generate accounts.

Guests then use these accounts to authenticate. Currently that's via VPN (which then uses RADIUS) but soon will be a web-based appliance. Currently guests get an encrypted VPN-protected wireless session like IU users. However this has been deemed too onerous a process and we will give guests an unencrypted session while still requiring VPN for IU people.

The guest accounts are not part of the group Domain Users, and we plan to move them out of the main domain altogether and into a domain that has a one-way trust to the main domain. This will prevent unintended use of these accounts by creative local support providers. The main VPN servers don't accept these accounts; they can be used only on the guest VPN server that can only be reached locally.

Tom Zeller
Indiana University
812-855-6214
[EMAIL PROTECTED]

-----Original Message-----
From: Mearl Danner [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 9:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest access strategy
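Tom's pool-of-disabled-accounts scheme, as an added example that is not IU's implementation: the account names, sponsors and dates are constructed and an in-memory list stands in for the ADS domain; it shows next-free-account allocation with a random password, the 1-21 day lifetime bound (default 3), the bulk-generation restriction to designated requesters, re-disabling at expiry, and that a recycled account's previous password no longer works.

```python
"""Model of the guest-account pool described above: pre-created, disabled
directory accounts enabled on request with a random password and a 1-21 day
lifetime (default 3), bulk generation only for designated requesters, and
re-disabling at expiry. Added example; a list stands in for the ADS domain."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_DAYS, MIN_DAYS, MAX_DAYS = 3, 1, 21

@dataclass
class GuestAccount:
    name: str
    enabled: bool = False
    password: Optional[str] = None
    expires: Optional[datetime] = None
    sponsor: Optional[str] = None

class GuestPool:
    def __init__(self, size, bulk_sponsors=()):
        # The whole pool exists up front, disabled; nothing is created per request.
        self.accounts = [GuestAccount(f"guest{i:04d}") for i in range(1, size + 1)]
        self.bulk_sponsors = set(bulk_sponsors)

    def generate(self, sponsor, days=DEFAULT_DAYS, now=None):
        """Enable the next free account for `sponsor` with a fresh random password."""
        if not MIN_DAYS <= days <= MAX_DAYS:
            raise ValueError(f"lifetime must be {MIN_DAYS}-{MAX_DAYS} days")
        free = [a for a in self.accounts if not a.enabled]
        if not free:
            raise RuntimeError("guest account pool exhausted")
        acct = free[0]
        acct.enabled, acct.sponsor = True, sponsor
        acct.password = secrets.token_urlsafe(12)   # 16 random URL-safe characters
        acct.expires = (now or datetime.now()) + timedelta(days=days)
        return acct

    def generate_bulk(self, sponsor, count, days=DEFAULT_DAYS, now=None):
        """Only designated requesters (hotel, conference desk) may generate in bulk."""
        if sponsor not in self.bulk_sponsors:
            raise PermissionError(f"{sponsor} is not allowed to bulk-generate")
        if count > sum(not a.enabled for a in self.accounts):
            raise RuntimeError("not enough free guest accounts")
        return [self.generate(sponsor, days, now) for _ in range(count)]

    def expire(self, now=None):
        """Disable every account past its lifetime; returns the names disabled."""
        now = now or datetime.now()
        done = []
        for a in self.accounts:
            if a.enabled and a.expires <= now:
                a.enabled, a.password, a.expires, a.sponsor = False, None, None, None
                done.append(a.name)
        return done

    def authenticate(self, name, password, now=None):
        """What the guest-only RADIUS/VPN server checks: enabled, unexpired, password."""
        now = now or datetime.now()
        for a in self.accounts:
            if a.name == name and a.enabled and a.expires > now:
                return secrets.compare_digest(a.password, password)
        return False

def demo():
    """Walk one account through the lifecycle; returns facts a caller can check."""
    t0, day = datetime(2005, 9, 15, 9, 0), timedelta(days=1)
    pool = GuestPool(3, bulk_sponsors={"conference-desk"})
    acct = pool.generate("tzeller", now=t0)
    first_password = acct.password
    out = {"first": acct.name, "days": (acct.expires - t0).days,
           "login_day1": pool.authenticate(acct.name, first_password, now=t0 + day),
           "login_day3": pool.authenticate(acct.name, first_password, now=t0 + 3 * day),
           "bulk": [b.name for b in pool.generate_bulk("conference-desk", 2, days=21, now=t0)],
           "expired": pool.expire(now=t0 + 3 * day)}
    recycled = pool.generate("jdoe", now=t0 + 3 * day)  # same account, fresh password
    out["recycled"] = recycled.name
    out["old_password_works"] = pool.authenticate(recycled.name, first_password, now=t0 + 4 * day)
    return out
```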
Guest access strategy
Samford is in the process of establishing policies for wireless access on campus.

We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACL's for each SSID, and have successfully applied custom ACL's using Radius (freeradius/eDirectory) reply items.

We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.

We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.

We'd appreciate any information on access strategies any list members have implemented (or are considering).

Thanks,

Mearl Danner
Systems Programmer
[EMAIL PROTECTED]
Samford University
http://www.samford.edu