RE: [WIRELESS-LAN] securew2 client

2007-04-04 Thread Matt Ashfield
Hi All

This thread was running last year, but I'm just wondering if anyone has a
pre-packaged secureW2 installer (with inf file?) which they could share with
those on the list (or at least me! Haha)?

Cheers

Matt Ashfield
[EMAIL PROTECTED] 


-Original Message-
From: Casey, J Bart [mailto:[EMAIL PROTECTED] 
Sent: July 26, 2006 9:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 client

Jorge,

We are very interested in the .exe that you have set up.  Something like
that would be great for our school as we have just implemented 802.1x on
our wired network.  We have been running it on our wireless network for
a couple of years.  There are concerns about the lengthy process that
students have to go through.  A single step install would be very
helpful for our helpdesk.

Any and all info you could provide would be greatly appreciated.

Regards,

J. Bart Casey
Network Engineer
Wofford College 

-Original Message-
From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 21, 2006 12:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 client

We use the secureW2 client.  And it works pretty well.  We have even set
it up so that we can run a .exe on the PC and it will install the
network and the client as well as configure them.  The only one thing
that we cannot get the file to do is WPA/TKIP.  Those have to be done
manually.  But I am this can be done as well.

The only tricky part of the secureW2 install/config process is finding
where to configure it.  If you are not familiar with the client, the way
to go about it is under the authentication tab in the network
properties.

If you have any further questions please feel free.

Thanks.

Jorge Bodden

Fred Archibald wrote:
 Matt,
 We too are investigating this combination  with EAP-TTLS using the 
 securew2 client at EECS. We are just getting started with this next 
 week so I don't have anything to report yet. However, I will keep you 
 posted and be happy to hear your results as well.
 Fred


 Matt Ashfield wrote:
 Hi All,

 We're in the process of evaluating how our clients will connect to our new
 wireless network. For encryption/authentication, we ended up having to go
 with EAP-TTLS (users authenticate with username/password). Unfortunately to
 do this, we need to install the client from www.securew2.com to get this to
 work properly. I'm just hoping to hear from people on this list who are also
 using this client and would like to know the support issues that arose from
 it. Offhand I can think of a few such as: installing and configuring the
 client, tech support and upgrades for new releases, as well as the
 ever-bothersome habit of laptops to come equipped with proprietary software
 to configure the wireless cards as opposed to just using windows.

 Any feedback is appreciated. Thanks

 Matt Ashfield
 [EMAIL PROTECTED]
 **
 Participation and subscription information for this EDUCAUSE 
 Constituent Group discussion list can be found at 
 http://www.educause.edu/groups/.
   







This electronic message is intended to be for the use only of the named
recipient, and may contain information that is confidential or
privileged.  If you are not the intended recipient, you are hereby
notified that any disclosure, copying, distribution or use of the
contents of this message is strictly prohibited.  If you have received
this message in error or are not the named recipient, please notify us
immediately by contacting the sender at the electronic mail address
noted above, and delete and destroy all copies of this message.  Thank
you.



802.1x With A One-Way Certificate

2007-04-04 Thread ktaillon
We are trying to implement a WPA/TKIP Wireless authentication. We are using
ACS Solution Engine which backs into AD for Authentication. We are currently
using WEP.
 
We are looking for the least amount of client setup to make this change.
Cisco has told us to use the PEAP MSCHAPv2 connection with a one-way cert,
the cert or CA would only be installed on the ACS server and the client
would uncheck the 'Validate Server Certificate' under the protected EAP
properties. They also told us that the PEAP tunnel that is created would be
comparable to having a cert on the client. This seems to be working fine in
our tests and is very simple setup for the clients.
 
Are any of you running your connection setup this way?
 
Ken Taillon
Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657
 



Re: 802.1x With A One-Way Certificate

2007-04-04 Thread Rick Coloccia
Yes.  We aren't using the wpa-tkip with acs, but we do use ias (windows) 
for radius, we have our clients uncheck the 'Validate Server 
Certificate' option and away they go.


http://www.geneseo.edu/CMS/display.php?page=5200dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5198dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5199dpt=cit

We like how it works.  We run 4 4404's with 350 1242ag access points.

-Rick


ktaillon wrote:
We are trying to implement a WPA/TKIP Wireless authentication. We are 
using ACS Solution Engine which backs into AD for Authentication. We 
are currently using WEP.
 
We are looking for the least amount of client setup to make this 
change. Cisco has told us to use the PEAP MSCHAPv2 connection with a 
one-way cert, the cert or CA would only be installed on the ACS server 
and the client would uncheck the 'Validate Server Certificate' under 
the protected EAP properties. They also told us that the PEAP tunnel 
that is created would be comparable to having a cert on the client. 
This seems to be working fine in our tests and is very simple setup 
for the clients.
 
Are any of you running your connection setup this way?
 
Ken Taillon

Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657
 


--
Rick Coloccia,  Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

2007-04-04 Thread Doug Payne

Rick Coloccia wrote:
Yes.  We aren't using the wpa-tkip with acs, but we do use ias (windows) 
for radius, we have our clients uncheck the 'Validate Server 
Certificate' option


Why? (i.e. why not ensure that the cert is valid?)



Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

2007-04-04 Thread Michael Griego
Just be aware that not validating the certificate opens you up to  
fairly easy session hijacking attacks since anyone can come up with a  
cert and get your clients to connect to their APs instead of yours  
(since the client is not checking cert validity)...  The attacker  
would then have access to the data stream as it would appear on the  
LAN, so you potentially lose a lot of the security benefit.


--Mike


On Apr 4, 2007, at 10:19 AM, Rick Coloccia wrote:

Yes.  We aren't using the wpa-tkip with acs, but we do use ias  
(windows) for radius, we have our clients uncheck the 'Validate  
Server Certificate' option and away they go.


http://www.geneseo.edu/CMS/display.php?page=5200dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5198dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5199dpt=cit

We like how it works.  We run 4 4404's with 350 1242ag access points.

-Rick


ktaillon wrote:
We are trying to implement a WPA/TKIP Wireless authentication. We  
are using ACS Solution Engine which backs into AD for  
Authentication. We are currently using WEP.
 We are looking for the least amount of client setup to make this  
change. Cisco has told us to use the PEAP MSCHAPv2 connection with  
a one-way cert, the cert or CA would only be installed on the ACS  
server and the client would uncheck the 'Validate Server  
Certificate' under the protected EAP properties. They also told us  
that the PEAP tunnel that is created would be comparable to having  
a cert on the client. This seems to be working fine in our tests  
and is very simple setup for the clients.

 Are any of you running your connection setup this way?
 Ken Taillon
Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657


--
Rick Coloccia,  Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



Re: 802.1x With A One-Way Certificate

2007-04-04 Thread Rick Coloccia
Well, to ensure the cert is valid, a trusted root ca cert must be on the 
client.  We used a locally generated cert for the ias server.  We 
haven't yet rolled out our local trusted root ca cert.  Once it gets out 
we won't worry about that exact setting.  Until we do, we needed a way 
to get started.


-Rick

Doug Payne wrote:

Rick Coloccia wrote:
Yes.  We aren't using the wpa-tkip with acs, but we do use ias 
(windows) for radius, we have our clients uncheck the 'Validate 
Server Certificate' option


Why? (i.e. why not ensure that the cert is valid?)



--
Rick Coloccia,  Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



Re: 802.1x With A One-Way Certificate

2007-04-04 Thread Rick Coloccia

Yes, that liability was indeed considered...

-Rick

Michael Griego wrote:
Just be aware that not validating the certificate opens you up to 
fairly easy session hijacking attacks since anyone can come up with a 
cert and get your clients to connect to their APs instead of yours 
(since the client is not checking cert validity)...  The attacker 
would then have access to the data stream as it would appear on the 
LAN, so you potentially lose a lot of the security benefit.


--Mike


On Apr 4, 2007, at 10:19 AM, Rick Coloccia wrote:

Yes.  We aren't using the wpa-tkip with acs, but we do use ias 
(windows) for radius, we have our clients uncheck the 'Validate 
Server Certificate' option and away they go.


http://www.geneseo.edu/CMS/display.php?page=5200dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5198dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5199dpt=cit

We like how it works.  We run 4 4404's with 350 1242ag access points.

-Rick


ktaillon wrote:
We are trying to implement a WPA/TKIP Wireless authentication. We 
are using ACS Solution Engine which backs into AD for 
Authentication. We are currently using WEP.
 We are looking for the least amount of client setup to make this 
change. Cisco has told us to use the PEAP MSCHAPv2 connection with a 
one-way cert, the cert or CA would only be installed on the ACS 
server and the client would uncheck the 'Validate Server 
Certificate' under the protected EAP properties. They also told us 
that the PEAP tunnel that is created would be comparable to having a 
cert on the client. This seems to be working fine in our tests and 
is very simple setup for the clients.

 Are any of you running your connection setup this way?
 Ken Taillon
Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657


--Rick Coloccia,  Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



--
Rick Coloccia,  Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



RE: [WIRELESS-LAN] 802.1x With A One-Way Certificate

2007-04-04 Thread Emerson Parker
If you get a cert from a well-known CA, the root cert comes with windows
and other OSs so it's not a problem to validate it. If you make your own,
then you will have issues.
 
-Emerson



From: ktaillon [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 04, 2007 11:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x With A One-Way Certificate


We are trying to implement a WPA/TKIP Wireless authentication. We are
using ACS Solution Engine which backs into AD for Authentication. We are
currently using WEP.
 
We are looking for the least amount of client setup to make this change.
Cisco has told us to use the PEAP MSCHAPv2 connection with a one-way
cert, the cert or CA would only be installed on the ACS server and the
client would uncheck the 'Validate Server Certificate' under the
protected EAP properties. They also told us that the PEAP tunnel that is
created would be comparable to having a cert on the client. This seems
to be working fine in our tests and is very simple setup for the
clients.
 
Are any of you running your connection setup this way?
 
Ken Taillon
Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657
 


RE: [WIRELESS-LAN] 802.1x With A One-Way Certificate

2007-04-04 Thread ktaillon
One of the things that I didn't point out is we are running the new LWAPP
AP's and controller setup. After I told Cisco about the one-way cert he said
this is ok to run in this setup because the peap tunnel that is created from
the client to the AP and to the ACS/Controller could not be interfered with.
Not like a web server cert that could be hijacked.

If I were to install a Cert (Verisign, GTE.) on the ACS that is on the XP
list of trusted names, can the client just check off that name without
having to go to a web server to download and install the cert?

I'm just trying to keep the client setup as simple as possible but not in a
way that lowers security.

Ken


-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 04, 2007 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

Just be aware that not validating the certificate opens you up to fairly
easy session hijacking attacks since anyone can come up with a cert and get
your clients to connect to their APs instead of yours (since the client is
not checking cert validity)...  The attacker would then have access to the
data stream as it would appear on the LAN, so you potentially lose a lot of
the security benefit.

--Mike


On Apr 4, 2007, at 10:19 AM, Rick Coloccia wrote:

 Yes.  We aren't using the wpa-tkip with acs, but we do use ias
 (windows) for radius, we have our clients uncheck the 'Validate Server 
 Certificate' option and away they go.

 http://www.geneseo.edu/CMS/display.php?page=5200dpt=cit
 http://www.geneseo.edu/CMS/display.php?page=5198dpt=cit
 http://www.geneseo.edu/CMS/display.php?page=5199dpt=cit

 We like how it works.  We run 4 4404's with 350 1242ag access points.

 -Rick


 ktaillon wrote:
 We are trying to implement a WPA/TKIP Wireless authentication. We are 
 using ACS Solution Engine which backs into AD for Authentication. We 
 are currently using WEP.
  We are looking for the least amount of client setup to make this 
 change. Cisco has told us to use the PEAP MSCHAPv2 connection with a 
 one-way cert, the cert or CA would only be installed on the ACS 
 server and the client would uncheck the 'Validate Server Certificate' 
 under the protected EAP properties. They also told us that the PEAP 
 tunnel that is created would be comparable to having a cert on the 
 client. This seems to be working fine in our tests and is very simple 
 setup for the clients.
  Are any of you running your connection setup this way?
  Ken Taillon
 Network Support Specialist
 Information Technology Services
 Wesleyan University
 860-685-5657

 --
 Rick Coloccia,  Jr.
 Network Manager
 State University of NY College at Geneseo
 1 College Circle, 119 South Hall
 Geneseo, NY 14454
 V: 585-245-5577
 F: 585-245-5579



Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

2007-04-04 Thread Lelio Fulgenzi
sorry, 

http://www.uoguelph.ca/ccs/internet/getting_connected/wireless/securing_with_wpa.shtml


Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^ 
...there's no such thing as a bad timbit...

  - Original Message - 
  From: Lelio Fulgenzi 
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
  Sent: Wednesday, April 04, 2007 1:42 PM
  Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate


  Here are our instructions. We ask users to check off the appropriate CA and 
it works fine for us. No need to manually download or approve anything.

  It's worked for us.

  

  Lelio Fulgenzi, B.A.
  Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
  (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
  ^^ 
  ...there's no such thing as a bad timbit...

- Original Message - 
From: ktaillon 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Wednesday, April 04, 2007 1:39 PM
Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate


One of the things that I didn't point out is we are running the new LWAPP
AP's and controller setup. After I told Cisco about the one-way cert he said
this is ok to run in this setup because the peap tunnel that is created from
the client to the AP and to the ACS/Controller could not be interfered with.
Not like a web server cert that could be hijacked.

If I were to install a Cert (Verisign, GTE.) on the ACS that is on the XP
list of trusted names, can the client just check off that name without
having to go to a web server to download and install the cert?

I'm just trying to keep the client setup as simple as possible but not in a
way that lowers security.

Ken


-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 04, 2007 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

Just be aware that not validating the certificate opens you up to fairly
easy session hijacking attacks since anyone can come up with a cert and get
your clients to connect to their APs instead of yours (since the client is
not checking cert validity)...  The attacker would then have access to the
data stream as it would appear on the LAN, so you potentially lose a lot of
the security benefit.

--Mike


On Apr 4, 2007, at 10:19 AM, Rick Coloccia wrote:

 Yes.  We aren't using the wpa-tkip with acs, but we do use ias
 (windows) for radius, we have our clients uncheck the 'Validate Server 
 Certificate' option and away they go.

 http://www.geneseo.edu/CMS/display.php?page=5200dpt=cit
 http://www.geneseo.edu/CMS/display.php?page=5198dpt=cit
 http://www.geneseo.edu/CMS/display.php?page=5199dpt=cit

 We like how it works.  We run 4 4404's with 350 1242ag access points.

 -Rick


 ktaillon wrote:
 We are trying to implement a WPA/TKIP Wireless authentication. We are 
 using ACS Solution Engine which backs into AD for Authentication. We 
 are currently using WEP.
  We are looking for the least amount of client setup to make this 
 change. Cisco has told us to use the PEAP MSCHAPv2 connection with a 
 one-way cert, the cert or CA would only be installed on the ACS 
 server and the client would uncheck the 'Validate Server Certificate' 
 under the protected EAP properties. They also told us that the PEAP 
 tunnel that is created would be comparable to having a cert on the 
 client. This seems to be working fine in our tests and is very simple 
 setup for the clients.
  Are any of you running your connection setup this way?
  Ken Taillon
 Network Support Specialist
 Information Technology Services
 Wesleyan University
 860-685-5657

 --
 Rick Coloccia,  Jr.
 Network Manager
 State University of NY College at Geneseo
 1 College Circle, 119 South Hall
 Geneseo, NY 14454
 V: 585-245-5577
 F: 585-245-5579


Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

2007-04-04 Thread Michael Griego
Yes, if you purchase a commercial cert from one of the CAs whose  
certs are included with the OS, all the user has to do is:


a) pick your certificate's CA from the list in the PEAP setup
b) enter your certificate's CommonName in the server list

The user does not have to download anything.  Doing both of these,  
though, is extremely important to gain the highest level of security  
and prevent the possibility of session hijacking.


In our environment, we purchased a certificate from Verisign and used  
a bogus hostname of 8021x.utdallas.edu.  In our instructions, we tell  
the users to check the Secure Server CA box *and* enter  
8021x.utdallas.edu into the server list field.  The only thing the  
client has to obtain to get configured is the instructions.


I'm not quite sure what your Cisco rep was talking about,

--Mike
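
The two client-side checks listed in the message above (ticking the certificate's CA and entering its CommonName in the server list), modelled as an added example that is not part of the original thread. The CA name, hostnames and the exact-match rule are constructed assumptions, and signature checking is reduced to comparing the root CA name.

```python
"""Model of a PEAP client's server-certificate decision (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    """Identity a RADIUS server presents in the PEAP TLS handshake."""
    common_name: str
    root_ca: str  # root CA the presented chain ends at


@dataclass
class PeapProfile:
    """Client-side PEAP properties named in the thread."""
    validate_server_cert: bool = True
    trusted_cas: frozenset = frozenset()    # CA boxes ticked
    server_names: frozenset = frozenset()   # server list field


def accepts(profile: PeapProfile, cert: ServerCert) -> bool:
    """True if the client would continue and run its MSCHAPv2 exchange.

    Simplifications (assumptions of this model): chain building is reduced
    to comparing the root CA name, server names match exactly and
    case-insensitively, and an empty CA selection trusts nothing.
    """
    if not profile.validate_server_cert:
        return True                       # any certificate at all is accepted
    if cert.root_ca not in profile.trusted_cas:
        return False
    if profile.server_names:
        wanted = {n.lower() for n in profile.server_names}
        return cert.common_name.lower() in wanted
    return True                           # any name under a ticked CA passes


def audit(profile: PeapProfile) -> list:
    """Findings a helpdesk check could report for one client profile."""
    if not profile.validate_server_cert:
        return ["server certificate validation is disabled"]
    findings = []
    if not profile.trusted_cas:
        findings.append("no trusted root CA selected")
    if not profile.server_names:
        findings.append("no server name pinned")
    return findings


# Constructed identities: placeholders, not values from the thread.
CA = "Example Public CA"
REAL = ServerCert("8021x.example.edu", CA)
SAME_CA_OTHER_NAME = ServerCert("host.other.example", CA)
SELF_SIGNED = ServerCert("8021x.example.edu", "Self-Signed")

PROFILES = {
    "validation off": PeapProfile(validate_server_cert=False),
    "CA only": PeapProfile(trusted_cas=frozenset({CA})),
    "CA + server name": PeapProfile(
        trusted_cas=frozenset({CA}),
        server_names=frozenset({"8021x.example.edu"})),
}


def decision_matrix() -> dict:
    """Map profile name -> {server label: accepted?} for the three servers."""
    servers = {"real": REAL, "same CA, other name": SAME_CA_OTHER_NAME,
               "self-signed": SELF_SIGNED}
    return {pname: {label: accepts(p, c) for label, c in servers.items()}
            for pname, p in PROFILES.items()}


if __name__ == "__main__":
    for pname, row in decision_matrix().items():
        print(f"{pname:18} {row}  findings={audit(PROFILES[pname])}")
```

Only the profile with both the CA and the server name set accepts the real server alone; the CA-only profile still accepts any certificate issued under the same public CA.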


On Apr 4, 2007, at 12:39 PM, ktaillon wrote:

One of the things that I didn't point out is we are running the new LWAPP
AP's and controller setup. After I told Cisco about the one-way cert he said
this is ok to run in this setup because the peap tunnel that is created from
the client to the AP and to the ACS/Controller could not be interfered with.
Not like a web server cert that could be hijacked.

If I were to install a Cert (Verisign, GTE.) on the ACS that is on the XP
list of trusted names, can the client just check off that name without
having to go to a web server to download and install the cert?

I'm just trying to keep the client setup as simple as possible but not in a
way that lowers security.

Ken


-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

Just be aware that not validating the certificate opens you up to fairly
easy session hijacking attacks since anyone can come up with a cert and get
your clients to connect to their APs instead of yours (since the client is
not checking cert validity)...  The attacker would then have access to the
data stream as it would appear on the LAN, so you potentially lose a lot of
the security benefit.

--Mike


On Apr 4, 2007, at 10:19 AM, Rick Coloccia wrote:


Yes.  We aren't using the wpa-tkip with acs, but we do use ias
(windows) for radius, we have our clients uncheck the 'Validate Server
Certificate' option and away they go.

http://www.geneseo.edu/CMS/display.php?page=5200dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5198dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5199dpt=cit

We like how it works.  We run 4 4404's with 350 1242ag access points.

-Rick


ktaillon wrote:
We are trying to implement a WPA/TKIP Wireless authentication. We are
using ACS Solution Engine which backs into AD for Authentication. We
are currently using WEP.
 We are looking for the least amount of client setup to make this
change. Cisco has told us to use the PEAP MSCHAPv2 connection with a
one-way cert, the cert or CA would only be installed on the ACS
server and the client would uncheck the 'Validate Server Certificate'
under the protected EAP properties. They also told us that the PEAP
tunnel that is created would be comparable to having a cert on the
client. This seems to be working fine in our tests and is very simple
setup for the clients.
 Are any of you running your connection setup this way?
 Ken Taillon
Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657


--
Rick Coloccia,  Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579
