802.1X EAP/TLS with Leopard

2008-11-03 Thread [EMAIL PROTECTED]
Our wireless environment consists of strictly Windows XP laptops connecting
wirelessly via 802.1X EAP/TLS with an HP Wireless (WESM) infrastructure. 
We have a Microsoft Certification Authority which issues out
client/computer based certificates to the XP laptops via Auto Enrollment in
Group Policy.

Recently we received a batch of Macbooks running Leopard.  For the life of
me, I cannot figure out how to get client-side certificates (computer certs)
installed on the Macs.  Has anyone done this successfully?  I am not a
Mac person, so my knowledge is limited, but I don't even see a way to
request computer/client-based certificates on the Mac from my
Microsoft Certification Authority.

If anyone has experience with this, let me know, thanks.
JR



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: iPhone 2.0 news

2008-07-22 Thread David [EMAIL PROTECTED] of G
Lee, are you able to get iPhone 2.0 with WPA/WPA2 Enterprise working?
thanks.

On Thu, Jul 10, 2008 at 3:29 PM, Lee H Badman [EMAIL PROTECTED] wrote:

  http://www.pcmag.com/article2/0,2817,2325284,00.asp



 So far, very erratic on the secure wireless networks between a couple of
 ours that have tried it, though the settings are all there for WPA/WPA2
 enterprise.



 Lee






-- 
David Wang, Networking Services, CCS
www.uoguelph.ca 519-824-4120 x52046



Re: NAT in large scale wireless networks

2008-07-09 Thread David [EMAIL PROTECTED] of G
We tested NAT on a Cisco firewall module and found that outside cannot
initiate connections to inside, which means P2P/file sharing by MSN/Remote
Desktop are all broken. So for people who are already doing NAT, how do you solve this
issue? Thanks.

On Fri, Jul 4, 2008 at 2:04 PM, Ken Connell [EMAIL PROTECTED] wrote:

 Stan...

 Since we've touched on Aruba and Syslog, I have a question...

 We too are an Aruba shop, and do push info to a syslog server. In previous
 code 2.x, as you mentioned, an authentication log would include username,
 mac, IP, and AP... but since we've upgraded to 3.x, it seems the username
 and mac/IP have been separated and are no longer tied together. I do get
 username authentications, and mac/IP info, but I have no way of tying them
 together...

 What version of code are you running, and/or do you have the same issue?



 Ken Connell
 Intermediate Network Engineer
 Computer & Communication Services
 Ryerson University
 350 Victoria St
 RM AB50
 Toronto, Ont
 M5B 2K3
 416-979-5000 x6709

 - Original Message -
 From: Brooks, Stan [EMAIL PROTECTED]
 Date: Thursday, July 3, 2008 5:39 pm
 Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


  Greg,
 
   Depending on the code version, you can set the logging levels to
  capture user associations and authentications to a syslog server.  The
  data logged includes the location name/group of the AP the user
  connected to, the SSID, along with the user's MAC, IP and user ID.
 
- Stan Brooks - CWNA/CWSP
 Emory University
 Network Communications Division
 404.727.0226
   AIM/Y!/Twitter: WLANstan
  MSN: [EMAIL PROTECTED]
   GoogleTalk: [EMAIL PROTECTED]
 
   -Original Message-
   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
  [mailto:[EMAIL PROTECTED] On Behalf Of Scholz, Greg
   Sent: Thursday, July 03, 2008 8:55 AM
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
 
   Stan,
   Can you tell me what type of location information you get and from what
   log? "802.1x/WPA-Enterprise, so we have usernames and locations in our
   logs"

   We are trying to figure out if there is a way to determine what APs users
   are/have been on, but all we have seen in the radius logs is the
   controller as the NAS.
 
 
   Thanks,
   Greg
 
 
 
   -Original Message-
   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
   [mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan
   Sent: Wednesday, July 02, 2008 6:34 PM
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
 
   Mike,
 
   We, too, are an Aruba shop, and have been doing NAT on our academic and
   ResNet wireless networks for about a year now.  Two years ago, we ran
   out of IP addresses on our wireless network on Move-In Weekend and had
   to scramble to add additional subnets - a scarce commodity here at
   Emory.  To prevent that from happening last year, we implemented NAT for
   our wireless clients and now have plenty of address space for our
   growing user base.
 
   We let the Aruba controllers perform the NAT function (very easy to set
   up - just a firewall rule in the user role in the Aruba config). We've
   not had any complaints from users regarding NAT issues; we were
   concerned that it might break some apps, but no problems have been
   observed or reported.  We've even got our homegrown NAC (NetReg/CAT)
   working over the wireless, too - NetReg DHCP traffic is not NAT'ed, but
   all other traffic is.  This all works great, thanks to the Aruba
   capabilities.
 
   The only issue we've had with NAT has been voiced by Philippe - DMCA
   notices are hard to isolate.  Our wired network has some protection in
   place to identify and reduce peer-to-peer traffic (Tipping Points), so
   we don't generally get a lot of notices.  User tracking and RF location
   still work well, as those are functions of the radio and authentication
   subsystems.  Our academic users log on using 802.1x/WPA-Enterprise, so
   we have usernames and locations in our logs.  Connecting those usernames
   to the NAT pool IP addresses is the hard part.

   I'd be happy to share some basic configuration tips and tricks regarding
   NAT with you off-list, or on-list if others are interested.
 
   BTW - We've been NAT'ing our guest access users since day one on the
   Aruba equipment.  Guests log in through the captive portal and are
   given limited access - bandwidth limited web access and VPN access back
   to their home organizations.
 
- Stan Brooks - CWNA/CWSP
 Emory University
 Network Communications Division
 404.727.0226
   AIM/Y!/Twitter: WLANstan
  MSN: [EMAIL PROTECTED]
   GoogleTalk: [EMAIL PROTECTED]
 
   -Original Message-
   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
   [mailto

Re: Using Private IP addresses for wireless users.

2008-06-10 Thread [EMAIL PROTECTED]
Is anyone using the Cisco Firewall module to implement NAT/PAT? And how is the
performance/capacity? Thanks.


David Wang, Networking Services, CCS
www.uoguelph.ca 519-824-4120 x52046 

- Original Message - 
From: Jason Appah [EMAIL PROTECTED] 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, May 29, 2008 4:17:44 PM GMT -05:00 US/Canada Eastern 
Subject: Re: Using Private IP addresses for wireless users. 

We do the same. It's an extra step, but our Network Engineer scripted
the lookup for the DMCA notices, allowing an almost instantaneous
response. It's quite nice once you have it set up.

-Original Message- 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Klimek 
Sent: Thursday, May 29, 2008 12:11 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless 
users. 

At ND we've been NAT'ing our wireless network for a couple years. We NAT
1:1 at the border router and log all translations, giving us the ability
to identify end users. We are fortunate to have ample public address space,
and this allows more efficient utilization.

Tom Klimek 
University of Notre Dame 


-Original Message- 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[EMAIL PROTECTED] On Behalf Of Johnson, Neil M 
Sent: Thursday, May 29, 2008 2:49 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless 
users. 

Identifying users is a big concern for us. We need to be able to identify
users for DMCA purposes, for example.

-- 
Neil Johnson 
Network Engineer 
The University of Iowa 
W: 319 384-0938 
M: 319 540-2081 
http://www.uiowa.edu 

-Original Message- 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan 
Sent: Thursday, May 29, 2008 10:52 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless 
users. 

Neil, 

At Emory, we've been NAT'ing wireless users since last fall - ResNet users
since before move-in weekend, and regular academic users since last fall
break. We've not had any issues from the users that have been NAT'ed.

By far the more complicated NAT was ResNet, as we use NetReg and CAT for
network access control and scanning. We end up internally routing the NAT
addresses for NetReg - it hands out the DHCP addresses. Once a ResNet
client gets an IP address, the NAT function is handled by our Aruba
controllers. On the academic side, the controllers themselves handle DHCP
for the wireless users along with NAT'ing the traffic.

We have 4 class C non-routeable subnets per controller (4 ResNet controllers
and 6 Academic controllers). The Aruba gear will load-balance users across
those subnets for us. The Aruba gear also NATs the traffic through a pool of
(routeable) addresses.

IDS is handled by Tipping Points on the (routeable) network, just like any
wired device.

We don't have any way of easily tying a user/session on the non-routeable
subnets to an IP on the routeable network. We can see the session as it
happens, but there is no good way to go back through the logs and determine
that this user hit a particular IP address on the Internet. To date, we
haven't needed to.

We originally moved to NAT because of scarce IP resources, and the number of
wireless users was increasing at alarming rates. With NAT'ed IP addresses,
we can support huge numbers of wireless users and ease some of the pressure
on our allocated IP addresses. We felt and still feel that the benefits
outweigh the problems with tracking individual users.

- Stan Brooks - CWNA/CWSP 
Emory University 
Network Communications Division 
404.727.0226 
[EMAIL PROTECTED] 
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED] 
 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[EMAIL PROTECTED] On Behalf Of Johnson, Neil M 
[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2008 9:55 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Using Private IP addresses for wireless users. 

We will be out of address space for one of our wireless nets (currently a
/21) in the fall.

We do not have a larger block available, and attempts to obtain additional
address space by fall are not looking promising, so there is a distinct
possibility that we will have to move our wireless users to private address
space.

So I'm looking for information from other institutions who use private
address space for their wireless networks.

We are primarily a Meru shop, although we have about 86 Cisco LWAPP APs in
production. We use 802.1X (WPA2 Enterprise) for authentication.

Here are the questions I have:

- How do you implement NAT?
- How do you provide DHCP addresses to your clients?
- How do you handle IDS and Flow data collection?
- What
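Tom Klimek's approach above (NAT 1:1 at the border and log every translation) and Stan Brooks's "hard part" (tying a username to a NAT pool address after the fact) come down to one join: outside address and port, plus a timestamp, back to the inside address via the translation log, then to the 802.1X user via RADIUS accounting. The following is an added illustration, not code from any poster or vendor; the log line format and the session records are constructed, and it deliberately covers the case where an outside port (or an inside address) is reused by a different user later in the day.

```python
import re
from datetime import datetime

# Constructed RADIUS accounting sessions: (user, inside IP, start, stop).
# Note 10.20.5.17 is handed to two different users on the same day.
RADIUS_SESSIONS = [
    ("jdoe",   "10.20.5.17", "2008-05-29T09:50:00", "2008-05-29T11:10:00"),
    ("asmith", "10.20.5.17", "2008-05-29T11:15:00", "2008-05-29T13:00:00"),
    ("bwong",  "10.20.6.3",  "2008-05-29T09:00:00", "2008-05-29T12:00:00"),
]

# Constructed NAT/PAT translation log (hypothetical format, not a real vendor's).
NAT_LOG = """\
2008-05-29T10:02:11 nat: built 10.20.5.17:51234 -> 192.0.2.10:40001
2008-05-29T10:02:15 nat: built 10.20.6.3:49152 -> 192.0.2.10:40002
2008-05-29T10:45:00 nat: teardown 10.20.5.17:51234 -> 192.0.2.10:40001
2008-05-29T11:20:03 nat: built 10.20.5.17:51234 -> 192.0.2.10:40001
"""
NAT_RE = re.compile(r"^(\S+) nat: (built|teardown) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_translations(log):
    """Pair 'built'/'teardown' lines into (start, end, inside_ip, out_ip, out_port).
    A translation still open at end of log gets end=None."""
    open_xlates, done = {}, []
    for line in log.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        ts, kind, in_ip, in_port, out_ip, out_port = m.groups()
        key = (in_ip, int(in_port), out_ip, int(out_port))
        if kind == "built":
            open_xlates[key] = parse_ts(ts)
        elif key in open_xlates:
            done.append((open_xlates.pop(key), parse_ts(ts), in_ip, out_ip, int(out_port)))
    for (in_ip, _, out_ip, out_port), start in open_xlates.items():
        done.append((start, None, in_ip, out_ip, out_port))
    return done

def who_used(out_ip, out_port, when_str, sessions=RADIUS_SESSIONS, log=NAT_LOG):
    """Answer a DMCA-style question: who was behind out_ip:out_port at time `when`?
    Returns (user, inside_ip); user is None if no accounting session covers that time."""
    when = parse_ts(when_str)
    for start, end, in_ip, o_ip, o_port in parse_translations(log):
        if (o_ip, o_port) == (out_ip, out_port) and start <= when and (end is None or when <= end):
            for user, ip, s, e in sessions:
                if ip == in_ip and parse_ts(s) <= when <= parse_ts(e):
                    return user, in_ip
            return None, in_ip  # translation known, but no matching 802.1X session
    return None, None  # no translation active at that time
```

The time window is what makes the join trustworthy: the same inside address and outside port map to jdoe at 10:30 and to asmith at 11:30, and the notice's timestamp is what separates them.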

Re: Wireless Tip: Mac OS 10.5

2008-03-04 Thread David [EMAIL PROTECTED] of G
Thanks for sharing.

I am still looking for a way to change the preference for which network, a or b/g,
the card connects to first. No help from calling the Apple help line.

-- 
David Wang, Networking Services, CCS
www.uoguelph.ca 519-824-4120 x52046

On Tue, Mar 4, 2008 at 11:06 AM, Philippe Hanset [EMAIL PROTECTED] wrote:

 This might be old news, but I had a pleasant discovery
 this morning when I decided to hold the option key on a Mac
 with Leopard and click on the Wireless Menu Icon (4 arcs).

 It shows:
 -Mac address of AP joined
 -Channel
 -RSSI
 -Transmit Rate

 It's going to our helpdesk folks right now!

 Best,

 Philippe

 --
 Philippe Hanset
 University of Tennessee, Knoxville
 Office of Information Technology
 Network Services
 108 James D Hoskins Library
 1400 Cumberland Ave
 Knoxville, TN 37996
 Tel: 1-865-9746555
 --

 On Wed, 27 Feb 2008, Frank Bulk - iNAME wrote:

  Philippe:
 
  The most relevant stuff seems to start here:
 
  http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0507&L=WIRELESS-LAN&P=R2733&D=0&I=-3
 
  Search for 5429 in the archives to get all relevant messages.
 
   From a previous posting: "Basically your authentication server has to
   send back the proper EAP failure message in order to get Windows to
   re-prompt for the password."
 
  Frank
 
  -Original Message-
  From: Philippe Hanset [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, February 27, 2008 7:55 AM
  To: Frank Bulk
  Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] 802.1x and Password issues!
 
  Yes!
 
  We use secureW2, Radiator and LDAP, but have not seen any report
  of IIRC for that case.
  During spring break we plan to switch to PEAP, built-in Windows Client,
  and AD (we already have that running for our Exchange install.).
 
  Philippe
 
  PS: our 802.1x is optional. We still don't know if it's not successful
  because our implementation is cumbersome, or just because users
  want ultimate convenience ;-)
 
 
  --
  Philippe Hanset
  University of Tennessee, Knoxville
  Office of Information Technology
  Network Services
  108 James D Hoskins Library
  1400 Cumberland Ave
  Knoxville, TN 37996
  Tel: 1-865-9746555
  --
 
  On Tue, 26 Feb 2008, Frank Bulk wrote:
 
   Philippe:
  
    IIRC, there was an issue with some RADIUS servers that was causing the
    supplicant not to prompt the user to enter their new password.  Is that
    your concern?
  
   Regards,
  
   Frank
  
   -Original Message-
   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
   [mailto:[EMAIL PROTECTED] On Behalf Of Philippe
 Hanset
   Sent: Tuesday, February 26, 2008 1:30 PM
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: [WIRELESS-LAN] 802.1x and Password issues!
  
   All,
  
    How do you deal with 802.1x (eg: WPA2 EAP-PEAP) when:

    - your campus has a 6 months password change policy and
    - your email and 802.1x are sharing the same password (AD or LDAP) and
    - your users are storing the password on the supplicant and
    - those users don't realize that when they change their password they
      have to change their supplicant password as well?
  
   Experience, thoughts?
  
   Do you have a lot of calls in your help desk related to this?
   If you had this issue how did you solve it?
  
   Thanks,
  
   Philippe
  
   --
   Philippe Hanset
   University of Tennessee, Knoxville
   Office of Information Technology
   Network Services
   --
  
   On Thu, 21 Feb 2008, Jon Freeman wrote:
  
 FYI - this configuration does not conform to the 802.11 specifications.
   
Regards,
Jon
303-808-2666
   
   
 -Original Message-
 From: Philippe Hanset [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 21, 2008 12:43 PM Pacific Standard Time
 To:   WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject:  Re: [WIRELESS-LAN] Using 4 channels rather then 3 for the
 2.4ghz wifi
   
Nick,
   
 We have been doing 1-4-7-11
 (but 1-4-8-11 makes more sense)
 since 2000 and even with 802.11g we still like it.
 The loss that you get from overlapping is largely regained
 by having a 4th channel.
 Other sources advise to play with smaller cells and reducing the milliwatts
 emitted from the AP instead of using 4 channels!
 CIROND published a paper about the usage of 4 channels as well,
 (search for CIROND, 4 channels, 802.11b...)
 warning that though it is acceptable with CCK, it might create problems
 with OFDM!
   
Philippe
   
   
--
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555