Re: [WIRELESS-LAN] need help to substantiate an SSID recommendation
A quick response:

The reason I posed the question is that up until the last month, our wireless network has not been ideal, but stable. Stability is waning and those that have looked at the issues conclude that the controller was not designed to handle what we are putting through it. We are searching for options to eke every little bit out of the system until we get our funding this summer.

I agree with you all concerning authentication and encryption. When WPA2 and AES became practical, we implemented them, knocked off TKIP and were solely there until now experimenting.

Regarding 802.1x, when we upgrade, the entire approach will be overhauled though we have not decided on a design yet. It is a consideration.

Thank you all for your feedback.

Jake Barros | Network Administrator | Office of Information Technology
Grace College and Seminary | Winona Lake, IN | 574.372.5100 x6178

On Fri, Jan 25, 2013 at 4:38 AM, Osborne, Bruce W bosbo...@liberty.edu wrote:

> Jacob,
>
> I echo many of the concerns already expressed. For security, you really need to move to WPA2-Enterprise (802.1X).
>
> Many schools either have an Open SSID or a WPA2-Personal (PSK) SSID for devices that cannot handle WPA2-Enterprise. Here at Liberty University we use an open SSID for devices that cannot do 802.1X and to configure devices so they can be moved to the 802.1X network. I know you wanted this to be vendor-neutral, but Cloudpath XpressConnect is an excellent product for configuring 802.1X on devices.
>
> Here is some 802.11 Wi-Fi history as I remember from a particular vendor's Wi-Fi class with additions for 802.11n.
>
> 1. Wi-Fi 802.11b was originally released with WEP encryption that was soon exposed as inadequate & broken.
> 2. IEEE started work on a more secure standard that would be called WPA.
> 3. As people waited for the new standard, Wi-Fi sales plummeted due to security concerns. It also became evident that this new standard would use AES encryption and would not work on the current Wi-Fi hardware because they did not have the AES encryption/decryption engine needed.
> 4. The Wi-Fi Alliance released WPA/TKIP, an interim standard that was more secure than WEP and would work on the existing hardware. This was designed to improve the Wi-Fi sales figures.
> 5. When IEEE released their standard, it was renamed WPA2 and included TKIP only to provide a smooth migration path from the older WPA/TKIP SSIDs.
> 6. When the 802.11n standard was first released, the Wi-Fi Alliance specified only WPA2-AES and not TKIP. They said they would refuse to certify equipment that allowed the less secure TKIP.
> 7. The Wi-Fi Alliance later added TKIP due to customer demand, but they have been clear that it is deprecated.
>
> I do not know about spaces in SSIDs because none of ours have used spaces.
>
> You really need to move toward AES encryption, at a minimum. Perhaps supporting both AES and TKIP is loading the wireless infrastructure and causing client confusion. I know from my own testing that an older PS3, for example, insists on using TKIP if both TKIP and AES are enabled.
>
> We made the move to 802.1X this past summer and the increased insight into who is connecting and the authorization capabilities to limit access where appropriate is very valuable. In a sense, the added security is just an additional bonus.
>
> Bruce Osborne
> Wireless Network Engineer
> IT Network Services
> (434) 592-4229
> LIBERTY UNIVERSITY
> 40 Years of Training Champions for Christ: 1971-2011
>
> From: Barros, Jacob [jkbar...@grace.edu]
> Sent: Thursday, January 24, 2013 12:43 PM
> Subject: need help to substantiate an SSID recommendation
>
>> I feel silly asking this question but value your opinions. We recently had some authentication errors that caused me to open a support case. The engineer I was working with alluded to the fact that having a space in my SSID name could be contributing to the problem though not the root. He also inferred that using TKIP instead of AES would cut processing requirements on the controller and therefore grant better performance. I have not been able to confirm his opinions from those I have asked (including other engineers from the same company) nor in print.
>>
>> We are using a single SSID for most of our campus, 'Grace WiFi' WPA2-PSK AES. Theoretically, should I get better performance (or less overhead) from 'Grace-WiFi' WPA2-PSK TKIP?
>>
>> Leaving the vendor/company out of this conversation, will you please comment on whether or not these changes will make a difference? I would love to either substantiate or debunk this theory.
>>
>> Jake Barros | Network Administrator | Office of Information Technology
>> Grace College and Seminary | Winona Lake, IN | 574.372.5100 x6178

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. **
RE: [WIRELESS-LAN] need help to substantiate an SSID recommendation
I can’t speak to other vendors, but with our vendor (Cisco) encryption/decryption is handled by the AP/Client NIC, not the controller. According to the 802.11n spec (enforcement varies) devices not using AES will be restricted to 802.11g speeds. Personally we have stayed away from spaces and special characters in SSID’s because the quality of client drivers varies wildly.

Joshua Coleman | Network Infrastructure Engineer
University of Florida Department of Housing and Residence Education
PO Box 112100 | Gainesville, FL 32611-2100
office 352.392.2171 x12053 | fax 352.392.6819 | josh...@housing.ufl.edu
StrengthsQuest Top 5: Ideation, Strategic, Analytical, Adaptability, Intellection - Find Out More: http://www.strengthsquest.com/content/141728/index.aspx
Please consider the environment before printing this email.
RE: [WIRELESS-LAN] need help to substantiate an SSID recommendation
Jake:

Since AES is a higher level of encryption it makes sense that it will require more processing and result in a performance hit versus TKIP. In my mind a more significant issue here is that 802.11n will only support AES as TKIP was deprecated in the n standard.

Colin Daniel
Senior Network Analyst
Montana State University
RE: [WIRELESS-LAN] need help to substantiate an SSID recommendation
We've got two SSID's - Rice Visitor and Rice Owls. The 802.1x is, obviously, Rice Owls. It allows WPA/TKIP and WPA2/AES. There is a space in each SSID name, and we've had no reported issues with that, nor have we been told of any issues, including results from a WLAN survey via advanced services.

The TKIP vs AES makes sense (higher encryption standards would make for more CPU usage), but TKIP is 'broken', meaning that it is cracked. It's available only for some of the legacy devices that do not seem to be able to do WPA2/AES.

Respectfully,

Danny Eaton
Snr. Network Architect
Networking, Telecommunications, Operations
Rice University, IT
Mudd Bldg, RM #205
Jones College Associate
Staff Advisory Committee
Employee Activities Subcommittee Chair
Office - 713-348-5233
Cellular - 832-247-7496
dannyea...@rice.edu

Soli Deo Gloria
Matt 18:4-6
G.K. Chesterton, Christianity has not been tried and found wanting. It's been found hard and left untried.
Re: [WIRELESS-LAN] need help to substantiate an SSID recommendation
Jake:

TKIP has been broken. A long time ago.

This article http://wifinetnews.com/archives/2010/06/say_goodbye_to_wep_and_tkip.html talks of it being removed from the WiFi certification, the article was from 2010.

We run SSID's with spaces, and have been doing it for years.

/daniel/
daniel westacott
Networking and Telecommunications
University of Minnesota.
Re: [WIRELESS-LAN] need help to substantiate an SSID recommendation
Jake,

AES is definitely what you want to use, and with modern equipment it will actually be less intensive on your hardware since there is some key-caching advantage with 802.11i/WPA2.

But another question is: are you doing PSK for the whole campus? Giving the same passphrase to all your users? (if you do, don't worry too much about TKIP VS AES)

I have also heard that some OSes don't deal well with a blank space in the SSID, but I have never seen this for myself.

Best,
Philippe
www.eduroamus.org
Re: [WIRELESS-LAN] need help to substantiate an SSID recommendation
Just a point I have from the past. WPA + TKIP was only intended as a workaround until WPA2 was ratified.

That being said, here is a paraphrased note I have from a wireless engineer:

Only WPA-tkip & wpa2-aes are tested & certified as part of the Wi-Fi Alliance certification. Enabling both modes is not tested as well. Enabling both WPA-tkip & wpa2-aes should be avoided on infrastructure devices when there are decrypt issues, because some clients can't do well on mixed mode (which is not a standard). However, it works well with specific vendor infrastructure and their own clients. Ex: Cisco phone on Cisco WLC, Motorola handhelds with their controllers go well since this combination is tested in their respective labs. Enabling all possible WPA & WPA2 on a WLAN would burden the CPU of the AP to specifically encrypt & decrypt them; it should be avoided on high-density deployments.

Mike
Re: [WIRELESS-LAN] need help to substantiate an SSID recommendation
Sorry, I just read that note again, I thought it covered wpa2-tkip and wpa-aes, but I was mistaken.

Mike
Re: [WIRELESS-LAN] need help to substantiate an SSID recommendation
I echo Peter's comments. The vendor's system should be able to handle AES, especially as modern WiFi standards (802.11n forward) mandate its use.

As for spaces in SSID's, I've only heard rumors of issues in certain devices, but we don't have spaces in our SSID's so I've never seen it myself. I would ask for an explanation for why the SSID would be causing an issue and where (in the WLAN equipment or on the client device) the issue would originate from. Guessing from the engineer's comments about their processing capabilities on the controller, it wouldn't surprise me that the problem is in their code somewhere.

Heath Barnhart, CCNA
ITS Network Administrator
Washburn University
Topeka, KS

On 01/24/2013 12:01 PM, Peter Murphy wrote:

> Jake,
>
> Your contact is correct in stating that using TKIP instead of AES will use less overhead on the AP/controller client, because TKIP is less complex than AES (and less secure). You can extrapolate this to using _no_ encryption will cut overhead dramatically.
>
> While our friends at NSA will tell us that no encryption scheme is 100% secure forever, most of us try to stay ahead of the hackers by using the most secure encryption and keys supported by the technology, and helping the technology companies understand our demand that they develop robust support for that security in their products.
>
> So I guess that my response to your contact concerning the encryption might have been a query as to (a) if his company's product had problems supporting AES, and under what conditions, and (b) ask when his company's products would be able to handle AES comfortably.
>
> Peter
RE: [WIRELESS-LAN] need help to substantiate an SSID recommendation
> We run SSID's with spaces, and have been doing it for years.

We have spaces in every authorized SSID but one. That one is for the robotics lab, where they use robot kits whose hard-wired programming is to associate to any visible SSID that doesn't contain a space. (On our campus, that SSID is RobotsOnly.)

David Gillett
Re: [WIRELESS-LAN] need help to substantiate an SSID recommendation
I would think a space would be at best a connection issue. Can't see how that would lead to a performance issue.

I too am more concerned about your PSK. We still have a PSK network that I just can't get rid of. The key hasn't changed in more than 6 years. Makes me shudder.

Why aren't you using 802.1x? For machines that are in AD you can set all of the settings in a GPO and send it to the clients. Slicker than snot. For non-AD machines Cloudpath will do it for you. It's the way to go.

Not that it's any of my business. :)

John Kaftan
IT Infrastructure Manager
Utica College
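
Added example (not part of the original thread, and not any vendor's tool): several replies above turn on what an SSID actually advertises: TKIP, AES (CCMP) or both, PSK or 802.1X, and a space in the name. This Python code reads the SSID, WPA and RSN elements of a beacon and reports those points; the function names and the two sample beacons are constructed for illustration.

```python
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI = bytes.fromhex("000fac")  # suite selectors in the RSN (WPA2) element
WPA_OUI = bytes.fromhex("0050f2")  # suite selectors in the legacy WPA element


def read_suites(buf, off, oui, names):
    """Read a little-endian 2-byte count, then that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + 4 * count > len(buf):
        raise ValueError("truncated suite list")
    found = set()
    for i in range(off, off + 4 * count, 4):
        found.add(names.get(buf[i + 3], "unknown") if buf[i:i + 3] == oui else "vendor")
    return found, off + 4 * count


def parse_security(body, oui):
    """Body layout: version(2) | group cipher(4) | pairwise list | AKM list."""
    pairwise, off = read_suites(body, 6, oui, CIPHERS)
    akms, _ = read_suites(body, off, oui, AKMS)
    return pairwise, akms


def audit(ies):
    """Walk the id/length/value elements of one beacon and list findings."""
    ssid, protos, ciphers, akms = "", set(), set(), set()
    off = 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        val = ies[off + 2:off + 2 + length]
        if len(val) != length:
            raise ValueError("truncated element")
        off += 2 + length
        if eid == 0:  # SSID is raw octets; a space is a legal byte
            ssid = val.decode("utf-8", "replace")
            continue
        if eid == 48:  # RSN element, advertised by WPA2
            proto, body, oui = "WPA2", val, RSN_OUI
        elif eid == 221 and val[:4] == WPA_OUI + b"\x01":  # vendor element: WPA
            proto, body, oui = "WPA", val[4:], WPA_OUI
        else:
            continue
        pairwise, akm = parse_security(body, oui)
        protos.add(proto)
        ciphers |= pairwise  # pairwise (unicast) ciphers only
        akms |= akm
    checks = [("TKIP offered", "TKIP" in ciphers),
              ("mixed TKIP+CCMP", {"TKIP", "CCMP"} <= ciphers),
              ("shared PSK, not 802.1X", "PSK" in akms),
              ("space in SSID", " " in ssid)]
    return ssid, sorted(protos), [name for name, hit in checks if hit]


def ie(eid, body):
    return bytes([eid, len(body)]) + body


# Constructed beacon bodies for illustration (not captured from any network).
AES_ONLY = ie(0, b"Example WiFi") + ie(
    48, bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"))
MIXED = (ie(0, b"Example-WiFi")
         + ie(221, bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202"))
         + ie(48, bytes.fromhex("0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")))

if __name__ == "__main__":
    for beacon in (AES_ONLY, MIXED):
        print(audit(beacon))
```

The second sample is the mixed WPA/TKIP plus WPA2/AES configuration discussed in the thread; the first is a WPA2-PSK AES-only SSID whose name contains a space.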