RE: [WIRELESS-LAN] share 802.1x experience? (Eduroam Question)
Philippe- Good summary. On the topic of Eduroam- any sense of real demand and usage for the service? Thanks- Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Thursday, August 19, 2010 12:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] share 802.1x experience?

Kay,

Just a few heads up:

- Definitely do WPA2.
- The choice of EAP method is important. EAP-PEAP with AD as the backend makes life easier, though you can create a SAMBA front end to LDAP if you want (there is documentation on eduroamus.org, http://eduroamus.org).
- The choice of the CA seems to matter in how smoothly the roll-out goes (Verisign works well); self-signed certificates can be a pain.
- If you decide to support EAP-TTLS, people on this list have been very pleased with XpressConnect to facilitate the deployment of supplicants for Windows.
- Educate the community (documentation etc.) on how important the certificate verification is. Man in the Middle with 802.1x over wireless is not that hard!
- Be aware that the RADIUS admin will be able to read clear-text passwords going to your authentication backend if you use PAP instead of M
- 802.1x authenticates users at layer two; you still need to deal with IP management (NetReg etc.).
- Look into mechanisms to be able to disconnect a user (802.1x doesn't have a built-in mechanism; your Wireless LAN vendor will provide this function, e.g. blacklisting).
- For eduroam, be aware that the outer identity is essential; include this in your documentation (e.g. make your users type their full identifier from day one: use...@realm). Most supplicants (Mac OSX supplicant, Windows supplicant) will set the outer identity automatically from the userid.
- On the eduroam side again: your choice of RADIUS is important (some versions of RADIUS do not support proxying, e.g. Steel Belted RADIUS if it's not the Global Enterprise edition).
- The eduroamus.org site has documentation for FreeRADIUS, RADIATOR, Microsoft NPS, Juniper SBR (same as Steel Belted).

Feel free to contact the eduroamus.org team even for 802.1x questions,

Best,
Philippe Hanset
University of Tennessee
eduroamus.org

On Aug 19, 2010, at 9:21 AM, Kay Sandacz wrote:

Hey Bryn,

We're planning on deploying eduroam three days after the 802.1x rollout. Nonetheless, we have communications to prepare for the 802.1x rollout, so I'm looking for end user experience, things that could have been done better, things that worked in that scenario right now. And yes, we're Cisco throughout.

Thanks,
-kay-

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bryn Jones
Sent: Thursday, August 19, 2010 8:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] share 802.1x experience?

Hi Kay

I don't know whether you are aware of 'eduroam' (http://www.eduroamus.org/eduroam_international_map), which is a shared authentication infrastructure in Higher Education? We used the introduction of the 'eduroam' SSID onto campus here in Leeds as a method of introducing 802.1x onto our Cisco WiSM architecture. I'll be quite happy to share information if you have Cisco kit.

Thanks
Bryn

Bryn Jones
ISS Network Development
Rm 8.01e Computing Block, EC Stoner Building
University of Leeds, LS2 9JT
0113 343 7055

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Kay Sandacz
Sent: 19 August 2010 13:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] share 802.1x experience?

Hey folks.

Anyone care to share experience in rolling out 802.1x? We're looking only at wireless just now. Support issues or user experience would be particularly helpful. And did anyone attempt to run 802.1x on a previously existing SSID?

Thanks,
-kay-

Kay Sandacz, Assistant Director
Data Networking, IT Services
The University of Chicago

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
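As an added illustration of two of Philippe's points, that the outer identity must carry a realm and that the RADIUS server must be able to proxy, here is the realm-routing decision an eduroam proxy makes on the outer identity. This is example code written for this page, not code from the thread or from any eduroam software; the local realms and the federation proxy hostname are constructed assumptions.

```python
import re
from typing import Tuple

# Constructed deployment values for the example (assumptions, not from the thread).
LOCAL_REALMS = {"example.edu", "health.example.edu"}   # realms whose users we authenticate
FEDERATION_PROXY = "tlr.eduroam-federation.invalid"     # assumed national top-level RADIUS proxy

# This example requires a DNS-style realm: hyphen/alnum labels, at least one dot.
_REALM_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def route_outer_identity(outer_identity: str, from_federation: bool = False) -> Tuple[str, str]:
    """Decide what a RADIUS proxy does with the EAP outer identity.

    Returns one of:
      ("local", realm)             authenticate against our own backend
      ("proxy", FEDERATION_PROXY)  forward a foreign realm to the federation
      ("reject", reason)           drop the request before it goes anywhere
    Only the realm is used: the user part may be 'anonymous', which is why
    a missing realm leaves the proxy with nothing to route on.
    """
    ident = outer_identity.strip()
    if ident.count("@") != 1:
        return ("reject", "outer identity must be exactly user@realm")
    _user, realm = ident.split("@")
    realm = realm.lower()                      # realms are case-insensitive
    if not realm:
        return ("reject", "empty realm: user typed only the bare username")
    if not _REALM_RE.match(realm):
        return ("reject", f"realm {realm!r} is not a valid DNS-style realm")
    if realm in LOCAL_REALMS:
        return ("local", realm)
    if from_federation:
        # The federation already routed this to us for a realm we do not own;
        # sending it back upstream would make the two proxies loop it.
        return ("reject", f"realm {realm!r} is not ours; refusing to proxy it back")
    return ("proxy", FEDERATION_PROXY)


if __name__ == "__main__":
    for ident in ("anonymous@example.edu", "visitor@uni.ac.uk", "jdoe", "jdoe@"):
        print(f"{ident!r:28} -> {route_outer_identity(ident)}")
```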
Re: [WIRELESS-LAN] share 802.1X experience? (Eduroam Question)
Lee,

Since the installed base is not big in the US (15 institutions), it's hard to gauge a real demand/usage. I can give numbers like thousands of authentications, but in terms of unique users it is not more than 20-30 per week. We did provide eduroam at the last Internet2 member meeting and got 50+ users to join out of 700 participants. Not bad for a first time, and no helpdesk call at all (all done with Cisco FAT APs). The highest traffic that we see for the US federation is between LSU and LSU Health. In that particular case eduroam is an attractive way of connecting two different 802.1X domains.

As a side note, I wish all our incoming students knew about eduroam! Yesterday, first day of class, our visitor network was down due to lack of IP addresses. Most of our incoming students for some strange reason had decided to join the visitor network and the 1000 or so IP addresses were not enough to respond to the demand. With 802.1X (and in this case the eduroam SSID), you don't get an IP address until you really mean to connect! Maybe we need to rename our visitor SSID donotconnect instead of ut-visitor ;-)

Philippe

On Aug 19, 2010, at 12:45 PM, Lee H Badman wrote:

Philippe- Good summary. On the topic of Eduroam- any sense of real demand and usage for the service? Thanks- Lee
Re: [WIRELESS-LAN] share 802.1x experience? (Eduroam Question)
On 19/08/2010 17:45, Lee H Badman wrote:
Philippe- Good summary. On the topic of Eduroam- any sense of real demand and usage for the service? Thanks- Lee

Hi Lee,

We are in the UK, but some stats for you:

1) People visiting Bristol in the last month are shown on the diagram here: http://www.wireless.bris.ac.uk/getconnected/services/eduroam/eduroam-visitors-advice/

2) Stefan at Restena has put together a prototype system that shows daily usage between a selection of European countries: http://ticker.eduroam.lu/daily.php {So far today: a total of 3251 devices visiting another organisation within their own country, and 379 devices roaming outside their home country.}

-James

--
James J J Hooper
Network Specialist, Information Services, University of Bristol
http://www.wireless.bristol.ac.uk/eduroam
--
Re: [WIRELESS-LAN] share 802.1x experience? (Eduroam Question)
On 19/08/2010 17:45, Lee H Badman wrote:
Good summary. On the topic of Eduroam- any sense of real demand and usage for the service?

As a partial answer... we now use Eduroam (and hence 802.1X) as the primary service for members of our institution, with a backup service leveraging VPN for those few not able to get .1X working. So that means we have several hundred concurrent connections every day from local users, and a good number of roaming (visiting) users from other institutions. Some sites combine this with RADIUS based VLAN assignment so local users get more privileged access to the network when at home, but are able to use the same SSID/config when at home or away.

HTH,

--
Oliver Gorwits, Network and Telecommunications Group, Oxford University Computing Services