[WIRELESS-LAN] Machine Authentication and IAS 2008
We use NPS (new IAS - 2008 R2) for machine auth on wireless. Our wireless is 802.1x with PEAP. Our domain machines authenticate as the machine with a machine certificate so users can log into them. It requires that you set up an internal CA and issue computer certificates to all your domain machines. Then set up a rule in NPS/IAS to allow the machines to authenticate. If you want specifics feel free to contact me off list.

Daniel Bennett
IT Security Analyst
Pennsylvania College of Technology
P:570.329.4989 E:dbenn...@pct.edu

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Thursday, October 14, 2010 5:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Machine Authentication and IAS 2008

We are a complete Aruba shop, and I'll confess I haven't actually ticketed this with Aruba, but... Has anyone else been able to make machine auth work with IAS as the Radius? Each time the authentication comes across as bad username/password on the machine account. We had an IDengines ignition server that worked flawlessly but has now died. IAS was the replacement and machine auth hasn't worked since. So, has anyone else experienced this?

Jason Appah
Security/Systems Administrator
Oregon Institute of Technology
Oregon's only Technical Institute.
Office 541-885-1719 Fax 541-885-1919 Email jason.ap...@oit.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
FW: Instructions
I have a meeting coming up on how to best inform new students of how to gain access to wireless once they get here. We have instructions in pdf format for all operating systems. I am wondering how your Institutions get that kind of information in the hands of new incoming freshmen. Especially those living in the dorms.

Thanks,
Daniel Bennett
IT Security Analyst
Pennsylvania College of Technology
One College Ave Williamsport PA, 17701
570.329.4989
RE: [WIRELESS-LAN] WiSM 6.0.182.0
See below...

Daniel Bennett
IT Security Analyst
Pennsylvania College of Technology
One College Ave Williamsport PA, 17701
570.329.4989

-----Original Message-----
From: Matt Haile
Sent: Wednesday, August 05, 2009 12:30 PM
To: Daniel Bennett
Subject: RE: [WIRELESS-LAN] WiSM 6.0.182.0

Yes, we have been running it for about a month with minor problems. This is what I've seen so far. When our Catalyst 6500 shut off without notice almost all of the APs we had powered by inline power injectors had to be manually rebooted. The other ones connected to an inline power needed to be power cycled as well. We did not lose all of our APs on campus, but at least half of them had to be either manually power cycled or cycled through the command line. I never had this problem before up until the point of the new controller code.

Another minor change with version 6.0.182.0 is the WLAN override option has changed. It is now configured under WLANs-Advanced-AP Groups. Other than that it seems to be pretty solid code and from what I heard it is a candidate for the assurewave program.

Matt Haile
Network Specialist (CCNA,IUWNE)
Pennsylvania College of Technology
One College Ave. Williamsport, PA 17701
TEL (570) 329-4995 * FAX (570)320-4430

-----Original Message-----
From: Daniel Bennett
Sent: Wednesday, August 05, 2009 10:19 AM
To: Matt Haile
Subject: FW: [WIRELESS-LAN] WiSM 6.0.182.0

?

Dan

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Dennis Xu
Sent: Wednesday, August 05, 2009 10:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM 6.0.182.0

Has anybody upgraded to WiSM 6.0.182.0? Any feedback? Thanks!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217
RE: [WIRELESS-LAN] Transitioning to dot1x
We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak.

Daniel Bennett
IT Security Analyst Security+
PA College of Technology
One College Ave Williamsport PA 17701
(P) 570.329.4989

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lelio Fulgenzi
Sent: Thursday, February 19, 2009 8:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

Last time I checked, Windows mobile didn't come with a dot1x supplicant (that worked). Do you require users to purchase their own supplicant or do you have a site license?

Lelio Fulgenzi, Senior Analyst
Computing Communications
University of Guelph
519-824-4120 x56354
...sent from my iPod - please pardon my fat fingers ;)

On Feb 19, 2009, at 8:09 AM, Lee H Badman lhbad...@syr.edu wrote:

Hi Bob-

We’ve been doing dot1x now for a few years, and in my opinion people tend to struggle with:

- What EAP type to use
- What RADIUS server to use
- How to get supplicants configured, and whether or not to support a variety of supplicants
- What about AD machines over wireless

We chose PEAP w/ MS-CHAPv2 because it’s well supported natively in both Windows and Mac machines. That being said- we had to say no more support for Windows 2000, 98, Me, etc. Same on Mac- a minimum OS was required. We avoided other EAP types that require a per-device cert, and officially only support the native Windows supplicant and native Mac supplicants for ease of support.

We also chose to stick with our “classic” Cisco ACS 3.3.3 boxes- simply because we already had them, and they do a rock-solid job as well as provide decent logs (important). They also talk well with our AD credential store for user credential verification.

We have found the ID Engines- now Cloudpath- supplicant configuration tool to be key to our success in that we can point users to a “help SSID” for initial client config, or self-remediation later if they hose their settings. Very powerful- but again, requires that users use Windows and Mac native supplicants and disable all of the ProSet, Broadcom, Toshiba, etc wireless utilities. We also provide basic settings in document form for advanced users that won’t give up their third party utilities, and for Linux/handheld users that we can’t auto-configure.

Driver issues will manifest themselves more on a dot1x network- the rule of thumb is to keep them updated, or as a minimum, update before going to 1x. This often helps windows machines when nothing else will. On the Macintosh side, unfortunately it seems that even minor code updates can wreak havoc on the wireless driver and 1x utility- but once you get past whatever new curve ball Apple throws you, they work very reliably.

As for AD machines on wireless- is a whole different ballgame. Officially, we do not support AD machines over our wireless networks, but if the machine name is the same as the userID, it will work in our environment.

Then there’s loaner laptops… and NAC integration… and how to handle visitors on the network. All have solutions, but you may have to get creative.

We have 2000+ APs, 12 WiSMs, and typically see 5,500-6,000 users at peak on our wireless networks daily. In the dorms (100% covered) wired usage has fallen to less than 20% of what it was 2 years ago, and has become mostly an “entertainment” network.

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 7:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Transitioning to dot1x

We are in the process of trying to move all of our users to our wpa/wpa2 dot1x wireless. We hope to shut down the wide open non-authenticated ssid this summer. We’ve had numerous communications sent out and we always seem to get responses that the new dot1x network is slower than the old and that people have trouble maintaining a connection. I am curious as to how other schools approach this. Is it possible that a dot1x only network magnifies trouble areas of wireless coverage? Or is it that the dot1x network is more sensitive to client issues. Or could it be something I had not mentioned. BTW, we are a Cisco WISM/LWAPP shop.

Thanks!
Bob Richman
Network Engineer
University of Notre Dame
Rich ma...@nd.edu
RE: [WIRELESS-LAN] Transitioning to dot1x
We use the new Network Policy Server, part of Windows 2008 Server. We found that enabling fast reconnect on the client (For windows) could help to prevent users from losing connection. There are also other contributing factors:

· Do you have the AP saturation to support seamless transitions
· I believe you also need to configure something in WCS or WiSM to allow computer to hop between APs without losing connections.

Daniel Bennett
IT Security Analyst Security+
PA College of Technology
One College Ave Williamsport PA 17701
(P) 570.329.4989

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 10:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We are using MS IAS for radius with PEAP. We don’t have trouble getting folks configured and connected. Just after that we get complaints of ‘getting kicked off’ and was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don’t really have any hard data to back that up.

Thanks,
Bob Richman
Network Engineer
University of Notre Dame
rrichma...@nd.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Bennett
Sent: Thursday, February 19, 2009 8:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak.
RE: [WIRELESS-LAN] Transitioning to dot1x
What Bob just said is true. We found that less saturated areas had issues that went unnoticed in the days of open wireless. Increasing saturation where we could fixed those areas.

Daniel Bennett
IT Security Analyst Security+
PA College of Technology
One College Ave Williamsport PA 17701
(P) 570.329.4989

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 11:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

The 2nd point Daniel makes is what I am trying to zero in on. We are thinking that in areas where the saturation is not optimal, handoffs worked just fine on a wide open wlan, but then causes problems when using an 802.1x authenticated wlan.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Bennett
Sent: Thursday, February 19, 2009 11:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We use the new Network Policy Server, part of Windows 2008 Server. We found that enabling fast reconnect on the client (For windows) could help to prevent users from losing connection. There are also other contributing factors:

· Do you have the AP saturation to support seamless transitions
· I believe you also need to configure something in WCS or WiSM to allow computer to hop between APs without losing connections.

Daniel Bennett
IT Security Analyst Security+
PA College of Technology
One College Ave Williamsport PA 17701
(P) 570.329.4989

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 10:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We are using MS IAS for radius with PEAP. We don’t have trouble getting folks configured and connected.
Just after that we get complaints of ‘getting kicked off’ and was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don’t really have any hard data to back that up.

Thanks,
Bob Richman
Network Engineer
University of Notre Dame
rrichma...@nd.edu
RE: Question about public access
We currently offer a guest wireless network that used a web form produced by Cisco's WiSMs. We have an in-house app that creates guest accounts for individuals and event accounts for larger events. For specific information contact me off list.

Daniel Bennett
IT Security Analyst Security+
PA College of Technology
One College Ave Williamsport PA 17701
(P) 570.329.4989

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of James R. Pardonek
Sent: Friday, February 06, 2009 9:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Question about public access

I was looking for some information on what other Universities do to provide WLAN access to non-university individuals such as contractors, vendors, candidates for positions, etc. We currently only have a public SSID in our conference center which is located far enough away from the academic buildings that it is inconvenient for many that would like to use it. It uses a hotel page and we provide a password for access. I was also looking for thoughts on how this fits in to CALEA and other regulations.

Thank you.

James R. Pardonek, CISSP
Senior Network Administrator
Network Infrastructure Management and Maintenance
Computing Technology and Information Systems
Purdue University Calumet
Hammond, Indiana
RE: [WIRELESS-LAN] WPA Cracked (Sorta)
Is it that WPA is cracked or TKIP? If it is only TKIP then WPA/WPA2 with AES is still fine, correct? Also, I have been wondering what the difference between WPA and WPA2 is.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Joshua Wright
Sent: Thursday, November 06, 2008 6:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA Cracked (Sorta)

Mike King wrote:
> The short list of points:
> 1. Only affects WPA (NOT WPA2)

I believe this is not the case. This vulnerability affects TKIP, either when used with WPA or WPA2.

> 2. Only affects TKIP (NOT AES)
> 3. Only affects traffic from router to PC (NOT PC to router)
> Can also be used to send bogus info from router to PC

Both correct.

> 4. Takes approx 12-15 minutes to crack key

This is incorrect. The attack is not key recovery, but rather plaintext recovery by manipulating a station. This is very similar to the Chopchop attack, except that it works against TKIP.

> 5. Some of the code used to demonstrate this was added to Aircrack-ng two weeks ago.

It looks like there has been at least some semblance of this attack code in Aircrack-ng's SVN since July.

Essentially, this attack exploits a TKIP client using QoS, recovering not more than one byte of plaintext data per minute. TKIP rotates keys every 65K packets, so the number of bytes the attacker can recover is variable, depending on how busy the victim is. I think it's reasonable to say the attacker will be able to recover partial content of one encrypted packet during each client key rotation session.

I believe this attack is only the beginning, and we'll see more devastating attacks against TKIP soon. People should watch for logging messages indicating Michael MIC failures or excessive Integrity Check Value (ICV) errors from SNMP MIB's as an intrusion detection technique.

Client vendors have an opportunity to change client drivers (in violation of the 802.11i specification, but I believe it is warranted to retain the use of TKIP), but that will take a while. Disabling QoS support on the AP or moving to AES-CCMP will fix the flaw.

I'm going to deliver a SANS webcast on this TKIP attack on 11/17. I'll be discussing how it works in detail and what system administrators and vendors can do to mitigate this flaw. Keep an eye on www.willhackforsushi.com for details.

-Josh
Wireless 802.1x Windows 2008 Server Client Configuration
Has anyone out there successfully used SecureW2 with a Windows 2008 NPS Server? If so, I would be interested in hearing about the server config and/or client config. I need an automated way to get our student XP and Vista machines configured for our secure wireless. The only free option I have found is SecureW2 and I keep getting "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server." Right now the only way we can tell students to connect is by manually setting up the connection with 4 or 5 page instructions.

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave Williamsport, PA 17701
(P) 570.329.4989
RE: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA
It's all working now. :-) I had all our wireless PCs working but PDAs wouldn't. I think the problem was that the default client wasn't requesting properly. I enabled all EAP types on the server and it still didn't work. The Odyssey Client from Juniper Networks is the only solution that seems to work. It is a great product and can connect with all kinds of EAP types.

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave Williamsport, PA 17701
(P) 570.329.4989

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Scholz, Greg
Sent: Friday, May 30, 2008 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

Based on your description it sounds like a server config issue not a client issue. (we are currently dealing with EAP/802.1x configuration as well). Your event log entry "the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" indicates it is getting an EAP request, just not of a type you have set up on the server. I am unfamiliar with 2008 policy server but in 2003 IAS you need to click EAP Types and ensure you have EAP configured right and to use a WLan type certificate. Does your config work for EAP for any clients right now?

Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--Lead, follow, or get out of the way. (author unknown)

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bennett
Sent: Friday, May 30, 2008 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

The Odyssey Client worked great! Does anyone have a reseller they use for this? The list price is $50 per license but I am hoping to get better prices being education.

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave Williamsport, PA 17701
(P) 570.329.4989

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Appah
Sent: Friday, May 30, 2008 11:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

I have only used it as a part of windows mobile 5 on Intermec scanners and touch screen devices, so I admit, I've only used it as a pre-installation.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee H Badman
Sent: Friday, May 30, 2008 8:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

I have found Odyssey to be great on iPAQs and such that had it packaged as part of the original software build that shipped with the device, but less than 50% effective/reliable as an add-on to other hand-helds.

-Lee

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Appah
Sent: Friday, May 30, 2008 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

Most Windows Mobile 6 devices do WPA2 and 802.1x but a better client to use would be Funk, (now juniper) odyssey client...
http://www.juniper.net/products_and_services/aaa_and_802_1x/odyssey/index.html

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bennett
Sent: Friday, May 30, 2008 7:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

Does anyone know a third party piece of software that will allow me to connect Windows Mobile 5 or 6 to our WPA2 with 802.1x using PEAP wireless network? We don't use personal certificates for authentication, only a username and password. We are using Windows 2008 Network Policy Servers as our radius server. Below is an event log entry. We can get the PDA connected, it transmits the username and password but the EAP isn't working. I have tried enabling all EAP protocols and all encryption options and I still get the EAP error below. Any help?

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID: xx\xx
    Account Name: xx\xx
    Account Domain: xx
    Fully Qualified Account Name: xx\xx
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00-18-74-F8-4D-F0:ssid
    Calling
PDA 802.1x WPA2 or WPA
Does anyone know a third party piece of software that will allow me to connect Windows Mobile 5 or 6 to our WPA2 with 802.1x using PEAP wireless network? We don't use personal certificates for authentication, only a username and password. We are using Windows 2008 Network Policy Servers as our radius server. Below is an event log entry. We can get the PDA connected, it transmits the username and password but the EAP isn't working. I have tried enabling all EAP protocols and all encryption options and I still get the EAP error below. Any help?

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID: xx\xx
    Account Name: xx\xx
    Account Domain: xx
    Fully Qualified Account Name: xx\xx
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00-18-74-F8-4D-F0:ssid
    Calling Station Identifier: 00-1A-6B-93-62-ED
NAS:
    NAS IPv4 Address: 10.x.x.x
    NAS IPv6 Address: -
    NAS Identifier: WiSM-B
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 29
RADIUS Client:
    Client Friendly Name: WiSM2
    Client IP Address: 10.x.x.x
Authentication Details:
    Proxy Policy Name: Authenticate pct.edu Users
    Network Policy Name: Employee Wireless Policy
    Authentication Provider: Windows
    Authentication Server: NPS2.pct.edu
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave Williamsport, PA 17701
(P) 570.329.4989
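
Added example, not part of the original post and not NPS tooling: a Python parser for the denial event quoted above that keeps the repeated labels (Security ID, Account Name) apart by section and counts Reason Code 22 denials where no EAP type was negotiated, per policy and client. The label list is taken from that event; the second client MAC and all function names are constructed for the example.

```python
import re
from collections import Counter

# Section headers and field labels exactly as they appear in the quoted event.
SECTIONS = ("User", "Client Machine", "NAS", "RADIUS Client",
            "Authentication Details")
FIELDS = ("Security ID", "Account Name", "Account Domain",
          "Fully Qualified Account Name", "OS-Version",
          "Called Station Identifier", "Calling Station Identifier",
          "NAS IPv4 Address", "NAS IPv6 Address", "NAS Identifier",
          "NAS Port-Type", "NAS Port", "Client Friendly Name",
          "Client IP Address", "Proxy Policy Name", "Network Policy Name",
          "Authentication Provider", "Authentication Server",
          "Authentication Type", "EAP Type", "Account Session Identifier",
          "Reason Code", "Reason")

# Longest labels first, and a label only counts when a colon follows it, so
# "NAS Port:" and "NAS Port-Type:" or "Reason:" and "Reason Code:" stay apart.
_LABEL = re.compile(
    r"\b(" + "|".join(re.escape(name) for name in
                      sorted(SECTIONS + FIELDS, key=len, reverse=True)) + r"):")


def parse_nps_event(text):
    """Return {section: {field: value}} for one denial event.

    Works on the multi-line event and on the single-line form that mail
    archives flatten it into, because values are delimited by the next label.
    """
    text = " ".join(text.split())
    event, section = {}, None
    hits = list(_LABEL.finditer(text))
    for i, hit in enumerate(hits):
        label = hit.group(1)
        stop = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        value = text[hit.end():stop].strip()
        if label in SECTIONS:
            section = label
            event.setdefault(section, {})
        elif section is not None:
            event[section][label] = value
    return event


def summarise(event):
    """Pull out the fields needed to triage a denial."""
    machine = event.get("Client Machine", {})
    auth = event.get("Authentication Details", {})
    # Called Station Identifier is "<AP MAC with dashes>:<SSID>".
    ap, _, ssid = machine.get("Called Station Identifier", "").partition(":")
    code = auth.get("Reason Code", "")
    eap = auth.get("EAP Type", "-")
    return {
        "user": event.get("User", {}).get("Account Name", ""),
        "client_mac": machine.get("Calling Station Identifier", ""),
        "ap": ap,
        "ssid": ssid,
        "nas": event.get("NAS", {}).get("NAS Identifier", ""),
        "policy": auth.get("Network Policy Name", ""),
        # None when the event was cut off before the reason code.
        "reason_code": int(code) if code.isdigit() else None,
        # "-" means no EAP method was agreed before the denial.
        "eap_type": None if eap == "-" else eap,
    }


def eap_type_rejections(events):
    """Count Reason Code 22 denials with no EAP type, per (policy, client MAC)."""
    counts = Counter()
    for text in events:
        s = summarise(parse_nps_event(text))
        if s["reason_code"] == 22 and s["eap_type"] is None:
            counts[(s["policy"], s["client_mac"])] += 1
    return counts


# The event from the post, in the flattened form the archive shows it.
PAGE_EVENT = r"""Network Policy Server denied access to a user. User: Security ID:xx\xx
Account Name: xx\xx Account Domain: xx Fully Qualified Account Name: xx\xx
Client Machine: Security ID:NULL SID Account Name: - Fully Qualified Account Name: -
OS-Version: - Called Station Identifier: 00-18-74-F8-4D-F0:ssid
Calling Station Identifier: 00-1A-6B-93-62-ED NAS: NAS IPv4 Address: 10.x.x.x
NAS IPv6 Address: - NAS Identifier: WiSM-B NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 29 RADIUS Client: Client Friendly Name: WiSM2 Client IP Address: 10.x.x.x
Authentication Details: Proxy Policy Name: Authenticate pct.edu Users
Network Policy Name:Employee Wireless Policy Authentication Provider:Windows
Authentication Server: NPS2.pct.edu Authentication Type:EAP EAP Type: -
Account Session Identifier: - Reason Code:22 Reason: The client could not be
authenticated because the Extensible Authentication Protocol (EAP) Type cannot be
processed by the server."""

# Constructed second event: same denial from a made-up client MAC.
CONSTRUCTED_EVENT = PAGE_EVENT.replace("00-1A-6B-93-62-ED", "02-00-00-00-00-01")

if __name__ == "__main__":
    for key, n in eap_type_rejections(
            [PAGE_EVENT, PAGE_EVENT, CONSTRUCTED_EVENT]).items():
        print(key, n)
```

Several client MACs failing this way under one network policy points at the EAP types allowed on that policy; a single MAC points at that device's supplicant.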
RE: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA
The Odyssey Client worked great! Does anyone have a reseller they use for this? The list price is $50 per license but I am hoping to get better prices being education.

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave Williamsport, PA 17701
(P) 570.329.4989

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Appah
Sent: Friday, May 30, 2008 11:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

I have only used it as a part of windows mobile 5 on Intermec scanners and touch screen devices, so I admit, I've only used it as a pre-installation.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee H Badman
Sent: Friday, May 30, 2008 8:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

I have found Odyssey to be great on iPAQs and such that had it packaged as part of the original software build that shipped with the device, but less than 50% effective/reliable as an add-on to other hand-helds.

-Lee

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Appah
Sent: Friday, May 30, 2008 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

Most Windows Mobile 6 devices do WPA2 and 802.1x but a better client to use would be Funk, (now juniper) odyssey client...
http://www.juniper.net/products_and_services/aaa_and_802_1x/odyssey/inde x.html -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett Sent: Friday, May 30, 2008 7:57 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA Does anyone know a thirdy party piece of software that will allow me to connect Windows Mobile 5 or 6 to our WPA2 with 802.1x using PEAP wireless network? We don't use personal certificates for authentication, only a username and password. We are using Windows 2008 Network Policy Servers as our radius server. Below is an event log entry. We can get the PDA connected, it transmits the username and password but the EAP isn't working. I have tried enabling all EAP protocols and all encryption options and I still get the EAP error below. Any help? Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. User: Security ID:xx\xx Account Name: xx\xx Account Domain: xx Fully Qualified Account Name: xx\xx Client Machine: Security ID:NULL SID Account Name: - Fully Qualified Account Name: - OS-Version: - Called Station Identifier: 00-18-74-F8-4D-F0:ssid Calling Station Identifier: 00-1A-6B-93-62-ED NAS: NAS IPv4 Address: 10.x.x.x NAS IPv6 Address: - NAS Identifier: WiSM-B NAS Port-Type: Wireless - IEEE 802.11 NAS Port: 29 RADIUS Client: Client Friendly Name: WiSM2 Client IP Address: 10.x.x.x Authentication Details: Proxy Policy Name: Authenticate pct.edu Users Network Policy Name:Employee Wireless Policy Authentication Provider:Windows Authentication Server: NPS2.pct.edu Authentication Type:EAP EAP Type: - Account Session Identifier: - Reason Code:22 Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server. Daniel R. 
Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. No virus found in this incoming message. Checked by AVG. Version: 8.0.100 / Virus Database: 269.24.4/1474 - Release Date: 5/30/2008 7:44 AM ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information
RE: [WIRELESS-LAN] WiSM, Radius, WPA WPA2
Where is your publicly recognized certificate? On your IAS server? AD Server? I have our certificate servers set up and IAS servers but can't enable the option to check the server's certificate. If I uncheck that option in the wireless configuration settings it works. Also how does everyone handle domain computers? I issued all computers certificates and told the system to authenticate as the computer if possible so they could hit Active Directory to authenticate.

Thanks,
Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Tuesday, April 08, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA WPA2

I don't run redundant certificate authorities. I also only have 1 IAS server because we are in the beginning stages of our deployment (so far a high of about 90 clients). I am planning to expand to a 2nd IAS server this fall.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Tuesday, April 08, 2008 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA WPA2

Do you run redundant Certificate Authorities? Or if your certificate authority goes down is your wireless out until you rebuild and restore?

Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Thursday, April 03, 2008 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA WPA2

I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP WESM. We are using PEAP and MS-CHAPv2 with a WLAN certificate from Verisign. The documents I used to set up the IAS server are here.
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx
Our wireless setup document is here
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found. You do need to authenticate the computer accounts for domain-joined computers' login scripts to run. That was a big gotcha I found. Then on personally owned computers you need to turn off use computer credentials. Also PDAs I have yet to get working. They say they work with PEAP-MS-CHAP-v2, but they still want a personal certificate. I don't know why they still want a personal cert. So if someone wants to help me with that problem or help me dig up the info to enable EAP-TLS on an IAS server I'd be glad to hear from you.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA WPA2

Does anyone have experience setting up a Cisco WiSM with IAS Radius and Encryption? Basically I want to have our WiSM authenticate wireless users to our Active Directory, which we can do directly. I also want the wireless secured through WPA and/or WPA2 encryption without having to email the key to everyone. I know it can be done but can't find out how to do this. The process I want:

1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet Browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go.

We have 1,3,4,5,6 done. Step 2 we have working by putting the key into the computers but that is a pain. Any suggestions?

Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
RE: [WIRELESS-LAN] WiSM, Radius, WPA WPA2
How did you deal with Wireless PDAs?

Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Friday, April 11, 2008 4:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA WPA2

Enabling the check server cert has been very hit and miss for me. It has depended mostly on the client drivers. Some wouldn't auth until it was checked. For domain computers, I created a group that we add all wireless computer objects to, and that group is then in the IAS policy. The less secure way is to add the group Domain Computers. By default all Domain Computers are added to this group.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Friday, April 11, 2008 2:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA WPA2

Where is your publicly recognized certificate? On your IAS server? AD Server? I have our certificate servers set up and IAS servers but can't enable the option to check the server's certificate. If I uncheck that option in the wireless configuration settings it works. Also how does everyone handle domain computers? I issued all computers certificates and told the system to authenticate as the computer if possible so they could hit Active Directory to authenticate.

Thanks,
Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
RE: [WIRELESS-LAN] WiSM, Radius, WPA WPA2
Do you run redundant Certificate Authorities? Or if your certificate authority goes down is your wireless out until you rebuild and restore?

Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
WiSM, Radius, WPA WPA2
Does anyone have experience setting up a Cisco WiSM with IAS Radius and Encryption? Basically I want to have our WiSM authenticate wireless users to our Active Directory, which we can do directly. I also want the wireless secured through WPA and/or WPA2 encryption without having to email the key to everyone. I know it can be done but can't find out how to do this. The process I want:

1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet Browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go.

We have 1,3,4,5,6 done. Step 2 we have working by putting the key into the computers but that is a pain. Any suggestions?

Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
Open Wireless in Higher Ed
We are looking at technologies such as Radius, Cisco Clean Access, etc. to require our wireless client to authenticate to our network. Currently we have an open, unsecured wireless network. What are you Higher Ed institutions implementing to make sure that only valid users are using your wireless networks? If your policy is to do nothing then please indicate that as well.

Thanks
Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
RE: [WIRELESS-LAN] Open Wireless in Higher Ed
How many users do you have? How does the initial cost and maintenance of the Bradford system stack up against other products such as Clean Access?

Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Roth, Joe
Sent: Wednesday, March 26, 2008 8:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Wireless in Higher Ed

We use Bradford Campus Manager, it is radius MAC authentication based. We pass everyone through validation, requiring AV, updates, etc. We are also working on a WPA2 solution to supplement this with encryption.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, March 26, 2008 7:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open Wireless in Higher Ed

We are looking at technologies such as Radius, Cisco Clean Access, etc. to require our wireless client to authenticate to our network. Currently we have an open, unsecured wireless network. What are you Higher Ed institutions implementing to make sure that only valid users are using your wireless networks? If your policy is to do nothing then please indicate that as well.

Thanks
Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989