Re: [WIRELESS-LAN] 802.1x rollout
UBC rolled out our WPA network this summer on 802.1x PEAP. Our next milestone is fast-roaming support by caching the PMKs - not too sure if we really have to wait for WPA2 or not. We expect 2 unique users this year... We are actively encouraging users to move from the standard campus wireless network to the WPA network. With the WPA network, we can start sending back various VLAN assignments, which is the best way to continue to scale.

1. Not using Kerberos.
2. Not using Active Directory (it's used mostly for Exchange Admin email).
3. Using native supplicants at all cost :-). Maintaining 3rd party software on Windows works on a small scale but can be a disaster on a large scale. All that's required is a new service pack from Microsoft (not that Microsoft would actively try to break other supplicants; it's just not a priority for them).

The trick to supporting PEAP is to store the MSCHAPv2 hashes in your backend. Using RADIATOR as it provides a commercially supported source option (best of both worlds). It would have been better to see native support for TTLS, but Microsoft IEEE 802.11 members confirmed that MS had no plans for it (surprise, surprise).

With students bringing all types of laptops on campus, starting to support a network client brings us back to the late 80's-early 90's. Been there, done that... Good way to kill your HelpDesk :-)

We see no problems with PEAP MSCHAPv2 with long passwords. We implemented it to prepare for native Windows 802.1x support and to support PPTP VPN (also native). This was very beneficial for the Version 1 wireless network because PPTP ended up being supported on most non-Windows platforms as a native VPN client (Mac, Linux, Palms etc). Although we support both IPSec (for higher security) and PPTP (for simplicity), most people felt ok with PPTP. ...

Jonn Martell, Manager - UBC Wireless

On 9/15/2005 11:46 AM Wyman Miles said the following:
> We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:
>
> - is anyone using Kerberos as an authentication resource for your wireless clients. Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?
> - is anyone using ActiveDirectory as an authentication resource?
> - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).
>
> Thanks for the feedback!
>
> Wyman Miles
> Senior Security Engineer
> Cornell University, Ithaca, NY
> (607) 255-8421

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
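The VLAN assignment Jonn mentions is carried in the RADIUS Access-Accept with the three RFC 3580 tunnel attributes; the access point or controller then places the client on that VLAN, so the RADIUS policy rather than the SSID decides where a user lands. What follows is an added illustration in FreeRADIUS `users`-file syntax (FreeRADIUS is the server named later in this thread; it is not UBC's Radiator configuration and not code from any poster). The group names, the `Ldap-Group` check item (which assumes the ldap module is in the authorize path) and the VLAN IDs are hypothetical:

```text
# Dynamic VLAN assignment with the RFC 3580 attributes.
# First matching entry wins (Fall-Through defaults to No).
DEFAULT  Ldap-Group == "wpa-staff"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"

DEFAULT  Ldap-Group == "wpa-students"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "30"

# Authenticated but in no known group: park on a restricted VLAN rather than
# leaving the NAS to fall back to the SSID's default.
DEFAULT
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "99"
```

Two checks before trusting this in production: the group lookup must key on the inner (tunneled) identity that actually authenticated, not on the anonymous outer identity a PEAP or TTLS supplicant may present, and the NAS must be configured to honour dynamic VLAN assignment, otherwise the attributes are silently ignored and every client ends up on the SSID's default VLAN.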
RE: [WIRELESS-LAN] 802.1x rollout
> - is anyone using Active Directory as an authentication resource?

We are.

> - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).

We're using the Windows XP/2k native supplicant. It didn't exist at the time we committed to 802.1x, but I would look at SecureW2 (http://www.securew2.com) very hard right now. It's open source as well. SecureW2 3.1.0 now supports preconfiguration on Service Pack 2, allowing administrators to deploy SecureW2 more easily. SecureW2 3.1.0 also contains the first SecureW2 GINA, allowing users to authenticate using their interactive logon credentials.

We're using FreeRADIUS for a RADIUS server.
RE: [WIRELESS-LAN] 802.1x rollout
On a related topic, we hope to find time to answer this tomorrow or Monday, but I thought I would throw it out to the list anyway.

We're live with .1x and have a limited pool of users testing it before it becomes de facto next month. One of our heavy Active Directory users complained that the SecureW2 client kicked in too late in the boot process, therefore breaking all the scripts being pushed down by AD. It appears as if the Microsoft supplicant establishes the network layer sooner and doesn't break a PC connected to an AD domain... but we haven't actually verified it yet. Can anyone verify this behavior?

-d

-----Original Message-----
From: Jon Moore [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 15, 2005 2:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x rollout

> Here at UPenn we use Kerberos for our backend authentication, using EAP-TTLS-PAP. We also use Radiator as our backend RADIUS server. The built-in Mac OS X supplicant (Internet Connect) works swimmingly. We have been piloting third-party software for Windows clients, since the built-in Windows supplicant doesn't do TTLS. Our experience has been that we have had lots of problems getting the Meetinghouse Aegis supplicant to work, but have found that the open source SecureW2 client (www.securew2.com) seems to work much better.
>
> --
> Jon Moore
> ISC Networking Telecommunications
> University of Pennsylvania
>
> On Sep 15, 2005, at 2:46 PM, Wyman Miles wrote:
>
>> We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:
>>
>> - is anyone using Kerberos as an authentication resource for your wireless clients. Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?
>> - is anyone using ActiveDirectory as an authentication resource?
>> - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).
>>
>> Thanks for the feedback!
>>
>> Wyman Miles
>> Senior Security Engineer
>> Cornell University, Ithaca, NY
Re: [WIRELESS-LAN] 802.1x rollout
We're using 802.1x here at the University of Northern Iowa, but we're just using PEAP/MSCHAPv2 against Microsoft's IAS against Active Directory. The Windows native 802.1X client works, but it's a bit of a pain to configure if the machine isn't in a domain. I've urged our support staff to consider purchasing the AEGIS or Funk clients instead, but I'm having a hard time leading the horse to water now that they've mastered the native client, though most users will never be able to configure it on their own.

Wyman Miles wrote:
> We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:
>
> - is anyone using Kerberos as an authentication resource for your wireless clients. Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?
> - is anyone using ActiveDirectory as an authentication resource?
> - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).
>
> Thanks for the feedback!
>
> Wyman Miles
> Senior Security Engineer
> Cornell University, Ithaca, NY

--
Seth H. Bokelman ([EMAIL PROTECTED])
Systems Administrator
ITS-Network Services, University of Northern Iowa
15 Curris Business Building, Cedar Falls, Iowa 50614
Phone: (319) 273-7423
http://www.sethb.com/
ICQ#: 6497760
MSN Messenger: [EMAIL PROTECTED]
AOL/AIM: sethb2
Yahoo Messenger: sethbokelman
Re: [WIRELESS-LAN] 802.1x rollout
Wyman Miles wrote:
> We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:
>
> - is anyone using Kerberos as an authentication resource for your wireless clients. Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?

We use EAP-TTLS with PAP and the SecureW2 supplicant. Backend is Radiator talking to MIT K5. The Funk client has worked well for us, but the cost has prevented us from rolling it out for everyone.

We've had mixed success with the card drivers that have packaged TTLS supplicants in them (TruMobile, Centrino, etc). Sometimes it works, sometimes it doesn't. Seems highly related to driver versions. Since the new version of SecureW2 has been available, we've been pushing that as our standard. It has some warts, but now that autoconfig works with XP SP1, we distribute an installer with our config preloaded and things pretty much just work.

I'm sure you're aware that to install and configure the supplicant, the mobile users usually need administrator access on their laptops. That can be a problem for visitors.

> - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).

I've had no problems at all with our Odyssey and SecureW2 clients and Radiator. It just works.

Note that if you're going to use the builtin AuthKrb5 module in Radiator 3.13, there are a couple of obscure bugs with null passwords you might run into. I have some patches that I need to forward back to Hugh and the guys, I just keep forgetting to actually send the diffs. I can provide more info on that offline if you want.

-Jeff
College of Earth and Mineral Sciences -- Penn State