Tom, As usual you are right on many accounts. I agree that we are not using the best solution and we have plans to move to 802.11x, but not the resources. I have let my management know that this may be the only way to solve this problem so we will see. Perhaps they will stop or delay some projects so we can make the change.
We tried Puppet, but found it required too many senior system admins and machine resources to scale it to 4000 machines (as far as we got before we stopped using it) and it was lacking several things we needed (e.g. inventory reports, Windows support). We are now using a commercial solution from Kace called the Kbox. In our particular case it works very well and allows us to easily run a script on all the workstations -- I just have to figure out how to write a script that will change the password for the user :).

cheers, ski

On Wed, 2009-03-25 at 00:25 +0100, Tom Limoncelli wrote:
> In addition to systemkeychain, I seem to recall there was some kind of
> "master password" you can assign a Mac, possibly at installation.
> Though that may have been just a FileVault master password.
>
> But....
>
> The real issue is that (and I say this in the most sage-y, supportive,
How am I supposed to change the password?
> loving way I can) you are using the wrong WiFi security solution.
> Managing thousands of computers with WPA just doesn't scale. In
> theory, you should either keep that single password secret (which
> means changing it on all machines every time a sysadmin leaves the
> company) or let users set up their own WiFi and change that master
> password every time an employee leaves the company. For thousands of
> machines, neither scales.
>
> With that many users it is worthwhile to set up 802.1X which can
> authenticate each Mac based on their LDAP username/password. (the
> system actually uses RADIUS between the WiFi base station and the LDAP
> server). Now each person has their own password and they get locked
> out when you freeze their account. The only problem now becomes
> people sharing their password to let guests on. There are ways to
> solve that, just ask.
>
> A quick search finds articles like
> http://www.wi-fiplanet.com/tutorials/article.php/3114511 which give a
> lot more info.
>
> The high-end WiFi base stations can do multiple forms of
> authentication at once, letting you transition easily to 802.1X. In
> fact, those usually also have the ability to serve multiple "network
> names" (SSIDs) at the same time, giving different access to different
> SSIDs. (for example, a Guest-Network SSID that only lets people
> access the internet)
>
> -Tom
>
> P.S. If you are going to touch every machine once to set up new
> authentication, you might take the opportunity to set up each machine
> with Puppet so that future updates can be automated. Yes, that's a
> big heap of scope creep, but I promise you it will help in the future.
> Even if your current Puppet config is simply a no-op, eventually
> you'll really benefit from being able to add Puppet modules that do
> things like verify security settings, install patches, and so on.
>
> P.P.S. The best of both worlds would be to have users enable Puppet
> so it isn't YOU that is touching every machine. I've seen sites that
> have distributed a package that all users were required to install
> that installed Puppet. It works better if the package also fixes some
> annoying (to the users) problem, and even better if something stops
> functioning if they haven't installed the package by a certain date...
> that way they visit the helpdesk who can help them install the
> package. (I'm not saying to break their machines, just offer a new
> feature that everyone REALLY wants).
>
> _______________________________________________
> Tech mailing list
> [email protected]
> http://lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
"When we try to pick out anything by itself, we find it connected to the entire universe" John Muir
Chris "Ski" Kacoroski, [email protected], 206-501-9803 or ski98033 on most IM services
