Re: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Norton, Thomas (Network Operations)
Hey Ryan - If you have some time over the next couple weeks would like to speak 
to you more about this off line. All about blending security and user 
experience.


T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Wednesday, September 25, 2019 2:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba - Going from PEAP 
to TLS


We don’t use CRLs or OCSP.  If we have a trouble client, we drop the MAC and 
not the certificate.  I don’t like delays in the authentication process, and 
found the gains not worth what I would gain.  However, every institution is 
different.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Norton, Thomas (Network 
Operations)
Sent: Wednesday, September 25, 2019 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba - Going from PEAP 
to TLS



We’re currently going through this process as well and would love to get feedback. 
We’re going to be using their Windows (WSTEP integration) as well for internal 
clients.



Interesting to see everyone else’s take. CRL so far has been the biggest caveat 
on the CPPM side.  Aruba really likes to push OCSP, so making sure the update 
times are set up accordingly is important, CRL-wise.



T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since







From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Christopher Brizzell 
<0113a07d9d59-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, September 25, 2019 at 8:57 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS








In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.



Most likely we will be going with SecureW2 to help with that process.



I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.



Thank You.



Chris Brizzell

Assistant Director of Network and Technical Services and Network Administrator

Skidmore College

cbriz...@skidmore.edu

518-580-5994



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


Network Engineer Position available in Baltimore, MD

2019-09-25 Thread Laury, LaVern
Hello Everyone,

Are you or someone you know looking for great employee benefits, tuition 
remission and a work-life balance?  Look no further...The University of 
Maryland, Baltimore has the job for you!

Please click 
here
 to apply online.  This position will remain open until filled.


Lead Network Control Specialist - (19R6)

The Center for Information Technology Services (CITS) has an opening available 
for a Lead Network Control Specialist. This position oversees and administers 
all aspects (maintenance, implementation, upgrade, test, and troubleshooting) 
of network & telecommunications equipment pertaining to LAN, Centrex, or VoIP. 
The Lead Network Control Specialist is primarily responsible for recommending 
and scheduling repairs; providing advanced end user support for all LAN based, 
Centrex, or VoIP applications; installation, maintenance, and configuration of 
network devices and workstations; serving as resource or liaison to Network 
Support Analysts and Specialists, campus LAN administrators and Facilities 
Management for network integration.

This is an exempt, regular position and offers a generous benefits package that 
includes 22 vacation days, 14 floating and observed holidays, 15 sick days; 
comprehensive health insurance and retirement options; and tuition remission 
for employees and their dependents at any of the University System of Maryland 
schools.

Essential Functions:

  *   Independently coordinates, configures, and installs network and 
communication systems devices & equipment, services, and related hardware and 
software, i.e. routers, switches, call managers, emergency responders, etc.
  *   Interface with senior networking staff, network vendors, LAN 
administrators, and network technicians in keeping network up-to-date and fully 
integrated and functioning.
  *   Develops, documents and implements complex policies and procedures 
relating to telecommunications systems and network security utilizing best 
practices in given field.
  *   Lead support of e-mail, list servers and independently maintained domain 
services.
  *   Provide expert technical project support for various technology 
implementations and upgrades.
  *   Performs other duties as assigned.

Qualifications

Education: Associates or Bachelors Information Technology, Computer Science, 
Systems Administration, Computer Engineering or a related field.

Experience: Bachelor's degree in Computer Science or Engineering, with five (5) 
years large network installation, or complex network experience.

OR: Associate's degree and seven (7) years of experience in a large network 
installation or complex network experience.

Licensure/Certification: CCNA Certification is preferred.

Knowledge, Skills, and Abilities:

  *   Possess knowledge of network protocols, topologies, and network operating 
systems.  Able to perform position in compliance with all requirements, 
regulations, and laws.  Skill in the installation and configuration of Cisco 
core networking equipment, i.e. switches, routers, firewalls, VoIP, etc. 
Ability to maintain high standards with the work being performed and maintain 
awareness with trends and influences.  Skill in the installation of 
communication systems, devices, and services such as fiber optic and twisted 
pair cabling, interface equipment such as routers, switches, UPS's and related 
software.  Assumes personal responsibility for all outcomes; makes effective 
and timely decisions; and learns how to effectively use technology.  Possess 
skill in analytical problem solving.
  *   Ability to effectively communicate both verbal and written thoughts, 
ideas, and facts.  Writes and presents information in a clear and concise way.  
Interprets and understands written information and is able to listen 
attentively to verbal and non-verbal cues that lead to a deeper understanding.
  *   Ability to work cooperatively with others and demonstrates professional, 
ethical, respectful, and courteous behavior when interacting with others.  
Capable of interacting pleasantly and positively with other to meet customer 
expectations, and provide follow up with customers.

Hiring Range: $85,627 - $115,000 (commensurate with education and experience)

If accommodations are needed, contact Staffing & Career Services at 
410-706-2606, Monday - Friday, 8:30am - 4:30pm EST. Maryland Relay can be 
accessed by dialing 711 (in-state) or 1-800-735-2258.

Equal Opportunity/Affirmative Action Employer. Minorities, women, protected 
veterans and individuals with disabilities are encouraged to apply.



Thank you,



LaVern Laury
Manager, Networking Services
Center for Information Technology Services (CITS)
University of Maryland, Baltimore
410-706-8386
website:  www.umaryland.edu



Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Jeffrey D. Sessler
Minimal DC footprint, mostly security related.  Almost all of our services are 
now SaaS, so with the exception of security-related items and DHCP, there isn’t 
anything else left.

I was concerned with RTT, but our primary Azure DC is about 30ms roundtrip.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Turner, Ryan H" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Wednesday, September 25, 2019 at 11:43 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

I know that most times RTT between campus and cloud is low, but I just think 
it’s something to be fearful of when authentication times matter.  You really 
are going to have no data center footprint to host local services?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Wednesday, September 25, 2019 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

Curious if anyone has moved their RADIUS to authenticating against Azure AD, and 
if so, what path did you take? There doesn’t seem to be a clear MS solution 
other than standing up domain services for Azure AD and running an NPS VM, and 
I’ve also found a couple of RaaS (RADIUS as a service) offerings such as 
Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most 
operations, and RADIUS has been one of those important but low-hanging items 
that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College



Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Jake Snyder
I am not an expert in RADIUS or Azure AD.  But my understanding is that you 
cannot have a machine “joined” to Azure AD.  This prevents most of the common 
deployment models like AD-integrated ISE or ClearPass where you rely on 
Kerberos and NTLM by joining the node to the domain.

The solution has been to move to a Hybrid deployment and have a local AD box 
you can integrate to.  Or just running a regular DC in Azure and integrating 
radius there.

In a perfect world, you would move to EAP-TLS to remove the need for NTLM and 
Kerberos, which need an AD-joined machine.  I believe you can do LDAP for 
attribute lookup against Azure AD.  Alas, I don’t think they have the equivalent 
of AD Certificate Services in Azure AD to get certs for all your devices.

I would love to hear if anyone is doing something that works well.


Sent from my iPhone

>> On Sep 25, 2019, at 12:43 PM, Turner, Ryan H  wrote:
> 
> I know that most times RTT between campus and cloud is low, but I just think 
> it’s something to be fearful of when authentication times matter.  You really 
> are going to have no data center footprint to host local services?
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Jeffrey D. Sessler
> Sent: Wednesday, September 25, 2019 2:10 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?
>  
> Curious if anyone has moved their RADIUS to authenticating against Azure AD, 
> and if so, what path did you take? There doesn’t seem to be a clear MS 
> solution other than standing up domain services for Azure AD and running an 
> NPS VM, and I’ve also found a couple of RaaS (RADIUS as a service) offerings 
> such as Jumpcloud.
>  
> Would welcome feedback. We’re just about out of our datacenter for most 
> operations, and RADIUS has been one of those important but low-hanging items 
> that I’m now focused on.
>  
> Jeff
>  
> -- 
> Jeff Sessler
> Executive Director, Information Technology
> Scripps College


RE: Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Turner, Ryan H
I know that most times RTT between campus and cloud is low, but I just think 
it’s something to be fearful of when authentication times matter.  You really 
are going to have no data center footprint to host local services?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Wednesday, September 25, 2019 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

Curious if anyone has moved their RADIUS to authenticating against Azure AD, and 
if so, what path did you take? There doesn’t seem to be a clear MS solution 
other than standing up domain services for Azure AD and running an NPS VM, and 
I’ve also found a couple of RaaS (RADIUS as a service) offerings such as 
Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most 
operations, and RADIUS has been one of those important but low-hanging items 
that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College



RE: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Turner, Ryan H
We don’t use CRLs or OCSP.  If we have a trouble client, we drop the MAC and 
not the certificate.  I don’t like delays in the authentication process, and 
found the gains not worth what I would gain.  However, every institution is 
different.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Norton, Thomas (Network 
Operations)
Sent: Wednesday, September 25, 2019 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba - Going from PEAP 
to TLS

We’re currently going through this process as well and would love to get feedback. 
We’re going to be using their Windows (WSTEP integration) as well for internal 
clients.

Interesting to see everyone else’s take. CRL so far has been the biggest caveat 
on the CPPM side.  Aruba really likes to push OCSP, so making sure the update 
times are set up accordingly is important, CRL-wise.

T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552

Liberty University  |  Training Champions for Christ since



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Christopher Brizzell 
<0113a07d9d59-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, September 25, 2019 at 8:57 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS





In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994




Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Jeffrey D. Sessler
Curious if anyone has moved their RADIUS to authenticating against Azure AD, and 
if so, what path did you take? There doesn’t seem to be a clear MS solution 
other than standing up domain services for Azure AD and running an NPS VM, and 
I’ve also found a couple of RaaS (RADIUS as a service) offerings such as 
Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most 
operations, and RADIUS has been one of those important but low-hanging items 
that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College



Re: [External] Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Norton, Thomas (Network Operations)
They don’t care about DHCPv6 either :P

T.J. Norton 
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since
 
 

On 9/25/19, 11:02 AM, "The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Hunter Fuller"  wrote:






It's not just TLS. At this point it's clear that the Android
developers don't care at all about wireless security, whether via TLS,
PEAP, or anything except PSK.
There has been minimal improvement in Android 9 and above, 5+ years
after everyone else got it right. But by and large, Google fights you
the entire time you are trying to provide a secure wireless experience
to their users.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Sep 25, 2019 at 9:56 AM Jonathan Oakden  
wrote:
>
> All great advice from Ryan.
>
> We use Ruckus Cloudpath for our onboarding.
>
> When TLS works it’s great. It’s mostly shoddy implementations on OSes 
that give problems. That’s why Android forms the bulk of the issues. If Google 
ever get that sorted it will be an enormous help. Windows became a lot easier 
and more reliable from the launch of W10.
>
>
>
> Jonathan Oakden
>
> Loughborough University
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Turner, Ryan H" 

> Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 

> Date: Wednesday, 25 September 2019 at 14:58
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 

> Subject: Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
>
>
>
> I can’t speak to the Clearpass, but you should spend more time validating 
the onboarding process so that it is smooth.  That is going to be your issue.  
The setup won’t take long, but a poorly designed user experience will hurt you. 
 I am going to assume you will use SecureW2’s cloud PKI.  We are going to be 
switching to that from an AD private PKI.  Don’t be silly with certificate 
lengths or hashes.  2048 length with SHA256 works fine.  No need to do anything 
more and risk client support issues (in my opinion).
>
>
>
> You should stand up a test onboarding SSID (if you are going to have one) 
and get people to go through the process before production and get feedback.  
Utilize the documentation other schools have built (wifi.unc.edu).  If you 
haven’t used an onboarding SSID to date, then you have a lot of work just to 
make that work well.  Realize that Android devices are going to be 75% of your 
issues.  The other operating systems are pretty easy and straightforward (OSX 
is the second runner for issues).  iOS and windows are a breeze.
>
>
>
> Good luck and welcome to the TLS club
>
>
>
>
>
> Ryan Turner
>
> Head of Networking
>
> The University of North Carolina at Chapel Hill
>
> +1 919 445 0113 Office
>
> +1 919 274 7926 Mobile
>
> r...@unc.edu
>
>
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher Brizzell
> Sent: Wednesday, September 25, 2019 8:57 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
>
>
>
> In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.
>
>
>
> Most likely we will be going with SecureW2 to help with that process.
>
>
>
> I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.
>
>
>
> Thank You.
>
>
>
> Chris Brizzell
>
> Assistant Director of Network and Technical Services and Network 
Administrator
>
> Skidmore College
>
> cbriz...@skidmore.edu
>
> 518-580-5994
>
>
>

Re: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Norton, Thomas (Network Operations)
We’re currently going through this process as well and would love to get feedback. 
We’re going to be using their Windows (WSTEP integration) as well for internal 
clients.

Interesting to see everyone else’s take. CRL so far has been the biggest caveat 
on the CPPM side.  Aruba really likes to push OCSP, so making sure the update 
times are set up accordingly is important, CRL-wise.

T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552

Liberty University  |  Training Champions for Christ since



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Christopher Brizzell 
<0113a07d9d59-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Wednesday, September 25, 2019 at 8:57 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS





In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994


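Two revocation approaches come up in this thread: T.J. Norton's caveat that CRL update times on the CPPM side have to be set deliberately, and Ryan Turner's alternative of skipping CRL/OCSP entirely and dropping the offending MAC instead. The following is an added Go example, not code from ClearPass, SecureW2 or anyone on the list, showing what each choice actually checks. It builds a throwaway in-memory CA, two client certificates and one CRL (all constructed for the example; the CA name, serials and hostnames are invented), then evaluates a supplicant certificate against the CRL while enforcing its signature and its thisUpdate/nextUpdate window, so a CRL the RADIUS server failed to refresh in time is surfaced as stale rather than silently read as "nothing revoked". The MAC denylist beside it shows why the no-round-trip option is cheap: it is a map lookup, with the obvious limit that it keys on a value the client controls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RevocationStatus is what the authorization policy gets back for a supplicant cert.
type RevocationStatus int

const (
	StatusGood      RevocationStatus = iota // serial absent from a fresh, correctly signed CRL
	StatusRevoked                           // serial listed on the CRL
	StatusCRLStale                          // now is outside the CRL's thisUpdate..nextUpdate window
	StatusCRLBadSig                         // CRL unparsable or not signed by the expected CA
)

// CheckAgainstCRL refuses to trust a CRL until it is verified as the CA's and as
// current. A CRL past nextUpdate is reported as StatusCRLStale rather than being
// read as "nothing revoked", so the policy decides whether to fail open or closed.
func CheckAgainstCRL(ca *x509.Certificate, crlDER []byte, client *x509.Certificate, now time.Time) RevocationStatus {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil || rl.CheckSignatureFrom(ca) != nil {
		return StatusCRLBadSig
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return StatusCRLStale
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// MACDenylist is the no-round-trip alternative from the thread: drop the device's
// address, not its certificate. It adds no auth latency, but a changed MAC walks past it.
type MACDenylist map[string]bool

// NormalizeMAC folds aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff
// (the forms different NAS vendors send) to one lowercase hex string.
func NormalizeMAC(mac string) string {
	return strings.ToLower(strings.NewReplacer(":", "", "-", "", ".", "").Replace(mac))
}

func (d MACDenylist) Blocked(mac string) bool { return d[NormalizeMAC(mac)] }

// TestPKI is a throwaway in-memory CA, two client certs and one CRL (constructed fixture).
type TestPKI struct {
	CA, Revoked, Valid *x509.Certificate
	CRLDER             []byte
	Issued             time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewTestPKI() *TestPKI {
	issued := time.Date(2019, time.September, 25, 12, 0, 0, 0, time.UTC)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus Wi-Fi CA"},
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue CRLs
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: issued, NotAfter: issued.AddDate(1, 0, 0),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	revoked, valid := issue(1001, "lost-laptop.example.edu"), issue(1002, "student-phone.example.edu")
	// Published at issue time and good for 24h: this window is the "update time" knob.
	crl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: issued, NextUpdate: issued.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: issued}},
	}
	return &TestPKI{CA: ca, Revoked: revoked, Valid: valid, Issued: issued,
		CRLDER: must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))}
}

func main() {
	p := NewTestPKI()
	fresh, stale := p.Issued.Add(time.Hour), p.Issued.Add(48*time.Hour)
	fmt.Println("revoked cert, fresh CRL:", CheckAgainstCRL(p.CA, p.CRLDER, p.Revoked, fresh)) // 1 (StatusRevoked)
	fmt.Println("valid cert, fresh CRL:  ", CheckAgainstCRL(p.CA, p.CRLDER, p.Valid, fresh))   // 0 (StatusGood)
	fmt.Println("valid cert, stale CRL:  ", CheckAgainstCRL(p.CA, p.CRLDER, p.Valid, stale))   // 2 (StatusCRLStale)
	deny := MACDenylist{NormalizeMAC("AA-BB-CC-DD-EE-FF"): true}
	fmt.Println("MAC blocked:", deny.Blocked("aabb.ccdd.eeff")) // true
}
```

The stale case is the one worth mapping onto a ClearPass deployment: if the CRL download interval is longer than the CRL's own nextUpdate window, every authentication after expiry lands in that branch, and whether that means a hard reject or a pass-through is a policy decision, not something the CRL format decides for you. Requires Go 1.19 or later for x509.ParseRevocationList and CheckSignatureFrom.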


Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Hunter Fuller
It's not just TLS. At this point it's clear that the Android
developers don't care at all about wireless security, whether via TLS,
PEAP, or anything except PSK.
There has been minimal improvement in Android 9 and above, 5+ years
after everyone else got it right. But by and large, Google fights you
the entire time you are trying to provide a secure wireless experience
to their users.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Sep 25, 2019 at 9:56 AM Jonathan Oakden  wrote:
>
> All great advice from Ryan.
>
> We use Ruckus Cloudpath for our onboarding.
>
> When TLS works it’s great. It’s mostly shoddy implementations on OSes that 
> give problems. That’s why Android forms the bulk of the issues. If Google 
> ever get that sorted it will be an enormous help. Windows became a lot easier 
> and more reliable from the launch of W10.
>
>
>
> Jonathan Oakden
>
> Loughborough University
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of "Turner, Ryan H" 
> 
> Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 
> 
> Date: Wednesday, 25 September 2019 at 14:58
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
>
>
>
> I can’t speak to the Clearpass, but you should spend more time validating the 
> onboarding process so that it is smooth.  That is going to be your issue.  
> The setup won’t take long, but a poorly designed user experience will hurt 
> you.  I am going to assume you will use SecureW2’s cloud PKI.  We are going to 
> be switching to that from an AD private PKI.  Don’t be silly with 
> certificate lengths or hashes.  2048 length with SHA256 works fine.  No need 
> to do anything more and risk client support issues (in my opinion).
>
>
>
> You should stand up a test onboarding SSID (if you are going to have one) and 
> get people to go through the process before production and get feedback.  
> Utilize the documentation other schools have built (wifi.unc.edu).  If you 
> haven’t used an onboarding SSID to date, then you have a lot of work just to 
> make that work well.  Realize that Android devices are going to be 75% of 
> your issues.  The other operating systems are pretty easy and straightforward 
> (OSX is the second runner for issues).  iOS and windows are a breeze.
>
>
>
> Good luck and welcome to the TLS club
>
>
>
>
>
> Ryan Turner
>
> Head of Networking
>
> The University of North Carolina at Chapel Hill
>
> +1 919 445 0113 Office
>
> +1 919 274 7926 Mobile
>
> r...@unc.edu
>
>
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Christopher Brizzell
> Sent: Wednesday, September 25, 2019 8:57 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
>
>
>
> In what should have been done long ago, we would like to move off of our 
> EAP-PEAP and onto EAP-TLS.
>
>
>
> Most likely we will be going with SecureW2 to help with that process.
>
>
>
> I’d like to hear from anyone who may have done this with Aruba OS and 
> Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
> proceed.
>
>
>
> Thank You.
>
>
>
> Chris Brizzell
>
> Assistant Director of Network and Technical Services and Network Administrator
>
> Skidmore College
>
> cbriz...@skidmore.edu
>
> 518-580-5994
>
>
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community



Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Jonathan Oakden
All great advice from Ryan.
We use Ruckus Cloudpath for our onboarding.
When TLS works it’s great. It’s mostly shoddy implementations on OSes that give 
problems. That’s why Android forms the bulk of the issues. If Google ever get 
that sorted it will be an enormous help. Windows became a lot easier and more 
reliable from the launch of W10.

Jonathan Oakden
Loughborough University

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Turner, Ryan H" 

Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Wednesday, 25 September 2019 at 14:58
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

I can’t speak to the Clearpass, but you should spend more time validating the 
onboarding process so that it is smooth.  That is going to be your issue.  The 
setup won’t take long, but a poorly designed user experience will hurt you.  I 
am going to assume you will use SecureW2's cloud PKI.  We are going to be 
switching to that from an AD private PKI.  Don’t be silly with certificate 
lengths or hashes.  2048 length with SHA256 works fine.  No need to do anything 
more and risk client support issues (in my opinion).

You should stand up a test onboarding SSID (if you are going to have one) and 
get people to go through the process before production and get feedback.  
Utilize the documentation other schools have built (wifi.unc.edu).  If you 
haven’t used an onboarding SSID to date, then you have a lot of work just to 
make that work well.  Realize that Android devices are going to be 75% of your 
issues.  The other operating systems are pretty easy and straightforward (OS X 
is the second runner for issues).  iOS and Windows are a breeze.

Good luck and welcome to the TLS club 


Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher Brizzell
Sent: Wednesday, September 25, 2019 8:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994




RE: Aruba - Going from PEAP to TLS

2019-09-25 Thread Christopher Brizzell
Perfect – thanks Ryan.

We will be creating an onboarding SSID, I may pick your brain about that if I 
run into any challenges.


Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turner, Ryan H
Sent: Wednesday, September 25, 2019 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

I can’t speak to the Clearpass, but you should spend more time validating the 
onboarding process so that it is smooth.  That is going to be your issue.  The 
setup won’t take long, but a poorly designed user experience will hurt you.  I 
am going to assume you will use SecureW2's cloud PKI.  We are going to be 
switching to that from an AD private PKI.  Don’t be silly with certificate 
lengths or hashes.  2048 length with SHA256 works fine.  No need to do anything 
more and risk client support issues (in my opinion).

You should stand up a test onboarding SSID (if you are going to have one) and 
get people to go through the process before production and get feedback.  
Utilize the documentation other schools have built (wifi.unc.edu).  If you 
haven’t used an onboarding SSID to date, then you have a lot of work just to 
make that work well.  Realize that Android devices are going to be 75% of your 
issues.  The other operating systems are pretty easy and straightforward (OS X 
is the second runner for issues).  iOS and Windows are a breeze.

Good luck and welcome to the TLS club 


Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher Brizzell
Sent: Wednesday, September 25, 2019 8:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994




RE: Aruba - Going from PEAP to TLS

2019-09-25 Thread Turner, Ryan H
I can’t speak to the Clearpass, but you should spend more time validating the 
onboarding process so that it is smooth.  That is going to be your issue.  The 
setup won’t take long, but a poorly designed user experience will hurt you.  I 
am going to assume you will use SecureW2's cloud PKI.  We are going to be 
switching to that from an AD private PKI.  Don’t be silly with certificate 
lengths or hashes.  2048 length with SHA256 works fine.  No need to do anything 
more and risk client support issues (in my opinion).

You should stand up a test onboarding SSID (if you are going to have one) and 
get people to go through the process before production and get feedback.  
Utilize the documentation other schools have built (wifi.unc.edu).  If you 
haven’t used an onboarding SSID to date, then you have a lot of work just to 
make that work well.  Realize that Android devices are going to be 75% of your 
issues.  The other operating systems are pretty easy and straightforward (OS X 
is the second runner for issues).  iOS and Windows are a breeze.

Good luck and welcome to the TLS club 


Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher Brizzell
Sent: Wednesday, September 25, 2019 8:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994




Aruba - Going from PEAP to TLS

2019-09-25 Thread Christopher Brizzell
In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I'd like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994

