RE: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
James-

Looks like we got it. The Verisign Intermediate Cert was the key, needed to pull that down from Verisign, and then evidently anything chained to it is OK. Thanks very much for the excellent screenshots as well.

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of James J J Hooper
Sent: Saturday, February 21, 2009 2:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

James J J Hooper wrote:

Lee H Badman wrote:

Wondering if anyone has gone down this road... according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won't even let you go on (certainly not the first handheld to act like this).

This is a client device, so I don't have the luxury of playing with it very much, and so looking to glom onto anyone else's success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not standards and device manufacturers have freedom to implement as they see fit.

Hi Lee,

Not specifically on an 8900, but we did get PEAP/MS-CHAPv2 on an 8120:
http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/

I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first.

So, if your cert is a chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will.

The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format.

Regards,
James

--
James J J Hooper
University of Bristol
http://www.wireless.bris.ac.uk
--

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
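The selection James describes (install the intermediates, not the RADIUS server certificate) is shown here as an added example that is not part of the original thread: it splits a PEM bundle, classifies each certificate by issuer and subject name, and returns only the intermediates as `.cer` payloads. The function names, the DER output encoding and the unsigned placeholder certificates are assumptions; matching on names does not verify signatures.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
MIME_TYPE = "application/x-x509-ca-cert"   # content type named in the thread

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, end = read_tlv(der, pos)       # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields.pop(0)
    # remaining order: serial, sigAlg, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def intermediates_for_device(pem_bundle):
    """Map 'intermediate-N.cer' -> DER bytes for every intermediate CA."""
    ders = [base64.b64decode(b) for b in PEM_RE.findall(pem_bundle)]
    names = [issuer_subject(d) for d in ders]
    issuers = {iss for iss, sub in names if iss != sub}
    out = {}
    for der, (iss, sub) in zip(ders, names):
        # self-signed = root; a subject that issues nothing here = server cert
        if iss != sub and sub in issuers:
            out["intermediate-%d.cer" % (len(out) + 1)] = der
    return out

# --- constructed sample: unsigned, certificate-shaped placeholders ---
def build_der(tag, body):
    n = len(body)
    head = bytes([n]) if n < 128 else bytes([0x81, n])
    return bytes([tag]) + head + body

def sample_name(cn):
    attr = build_der(0x06, b"\x55\x04\x03") + build_der(0x0C, cn.encode())
    return build_der(0x30, build_der(0x31, build_der(0x30, attr)))

def sample_cert(issuer, subject):
    tbs = build_der(0x30, build_der(0xA0, build_der(0x02, b"\x02"))
                    + build_der(0x02, b"\x01") + build_der(0x30, b"")
                    + sample_name(issuer) + build_der(0x30, b"")
                    + sample_name(subject) + build_der(0x30, b""))
    der = build_der(0x30, tbs + build_der(0x30, b"") + build_der(0x03, b"\x00"))
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (
    sample_cert("Example Intermediate CA", "radius1.example.edu")
    + sample_cert("Example Root CA", "Example Intermediate CA")
    + sample_cert("Example Root CA", "Example Root CA"))

if __name__ == "__main__":
    for name, der in intermediates_for_device(SAMPLE_BUNDLE).items():
        print(name, len(der), "bytes, serve as", MIME_TYPE)
```

Run against the real PEM chain the RADIUS server presents, the returned files are the ones to publish for handsets; confirm each with a proper chain verification before distributing it.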
RE: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
Any good reason why RIM shouldn't have installed the intermediate certificate on its device? Seems like a missing element.

Frank

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Sunday, February 22, 2009 5:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

Thanks very much, James. I was contemplating which level cert this needed- but hopefully you've given me enough to go on to muddle through. Will let you know how I fare.

-Lee
RE: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
Beats me. These little devices are all over the place in cert-friendliness and EAP implementation, sometimes to the point of being self-defeating.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
Re: [WIRELESS-LAN] iPhone / iPod Touch having trouble accessing App store via wifi
I should add, these users don't have any problems connecting to the app store from off campus.

On Tue, 24 Feb 2009, Todd M. Hall wrote:

Date: Tue, 24 Feb 2009 09:56:26 -0600
From: Todd M. Hall t...@msstate.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] iPhone / iPod Touch having trouble accessing App store via wifi

We recently started receiving reports from iPod Touch and iPhone users stating that they are having trouble accessing the App store using our wireless networks. I verified the problem and found that devices can reach the app store some of the time, but not reliably. It appears to be on our entire wireless network (doesn't matter which controller / AP / WLAN they are connected to). Our wireless network consists of Cisco WiSM based controllers running 4.2.61 code.

Has anyone else experienced this problem? If so, have you found a solution?

--
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
t...@msstate.edu
662-325-9311 (phone)
radius reporting
We are using server 2008 network policy server for 802.1x authentication. I was wondering if anyone knows of any good reporting tools that can look at the MS radius logs and generate usage reports and/or send notices when specific users sign on to the network? Currently I've just been opening up the log files in notepad but that is getting a little annoying, especially with large log files.

Mike Tupker
Systems Administrator
Mount Mercy College
Office: (319) 363-1323 x1401
Mobile: (319) 538-1644

If you need assistance with a computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu.
RE: [WIRELESS-LAN] radius reporting
I've been using IASViewer for our IAS server. I am not sure if it works for 2008 version. I also don't know if it can send notices but it does allow for many report options.

http://www.deepsoftware.com/iasviewer/

Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--If you don't have time to do it right, when will you have time to do it over?
--Do not let what you cannot do interfere with what you can do. - John Wooden
RE: [WIRELESS-LAN] radius reporting
I did see that one but I am still holding out hope of finding something a little more robust or at least open source. :) If I can't find an OSS solution or something better I will probably go with IASviewer. By the way, when I ran the trial version of iasviewer I tried it on 2008 and it seemed to work just fine.

Mike Tupker
Systems Administrator
Mount Mercy College
Office: (319) 363-1323 x1401
Mobile: (319) 538-1644

If you need assistance with a computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu.
RE: [WIRELESS-LAN] radius reporting
Because using SQL for IAS accounting was so convoluted - not to mention badly documented - we experimented with sending auth to IAS and accounting info to freeradius - using daloradius to view stats. It worked, but didn't get enough interest in having the accounting info to complete the project.

Mearl
Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
I was handed an 8900 today to see if I could get it working on our WPA/EAP-TTLS/PAP/FreeRadius wireless. I'm not optimistic, but I'll let the list know how I make out with that.

--
Don Wright
Senior Network Engineer
Brown University, CIS NTG

Please don't print this e-mail or any other electronic documents unless you really need to.