Wyman Miles wrote:
We're about to pilot an 802.1x project for one of the larger departments on
campus and I had a few questions for the universities who've gone before:
- is anyone using Kerberos as an authentication resource for your wireless
clients? Any pitfalls? Did you have to distribute a 3rd party supplicant
for the Windows clients?
We use EAP-TTLS with PAP and the SecureW2 supplicant. Backend is
Radiator talking to MIT K5.
The Funk client has worked well for us, but the cost has prevented us
from rolling it out for everyone.
We've had mixed success with the card drivers that have packaged TTLS
supplicants in them (TruMobile, Centrino, etc). Sometimes it works,
sometimes it doesn't. Seems highly related to driver versions.
Since the new version of SecureW2 has been available, we've been pushing
that as our "standard". It has some warts, but now that autoconfig works
with XP SP1, we distribute an installer with our config preloaded and
things pretty much just work.
I'm sure you're aware that to install and configure the supplicant, the
mobile users usually need administrator access on their laptops. That
can be a problem for visitors.
- who's using native 802.1x supplicants versus who is distributing
additional software? Of the latter group, any recommendations? (my
personal leanings are Funk's 802.1x supplicant mated with the Open.com
Radiator RADIUS server).
I've had no problems at all with our Odyssey and SecureW2 clients and
Radiator. It "just works".
Note that if you're going to use the builtin AuthKrb5 module in Radiator
3.13, there are a couple obscure bugs with null passwords you might run
into. I have some patches that I need to forward back to Hugh and the
guys, I just keep forgetting to actually send the diffs.
I can provide more info on that offline if you want.
-JEff
--------
College of Earth and Mineral Sciences -- Penn State
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.