UBC rolled out our WPA network this summer on 802.1x PEAP. Our next milestone is fast-roaming support by caching the PMKs - not too sure if we really have to wait for WPA2 or not....

We expect 20000 unique users this year... We are actively encouraging users to move from the standard campus wireless network to the WPA network. With the WPA network, we can start sending back various VLAN assignments which is the best way to continue to scale.

1. Not using Kerberos
2. Not using Active Directory (it's used mostly for Exchange Admin email)
3. Using native supplicants at all cost :-) . Maintaining 3rd party software on Windows works on a small scale but can be a disaster on a large scale. All that's required is a new service pack from Microsoft (not that Microsoft would actively try to break other supplicants; it's just not a priority for them). The trick to supporting PEAP is to store the MSCHAPv2 hashes in your backend. Using RADIATOR as it provides a commercially supported source option (best of both worlds).

It would have been better to see native support for TTLS but Microsoft IEEE 802.11 members confirmed that MS had no plans for it (surprise, surprise). With students bringing all types of laptops on campus, starting to support a "network client" brings us back to the late 80's-early 90's. Been there, done that... Good way to kill your HelpDesk :-) We see no problems with PEAP MSCHAPv2 with long passwords. We implemented it to prepare for native Windows 802.1x support and to support PPTP VPN (also native). This was very beneficial for the "Version 1" wireless network because PPTP ended up being supported on most non-Windows platforms as a native VPN client (Mac, Linux, Palms etc).... Although we support both IPSec (for higher security) and PPTP (for simplicity), most people felt ok with PPTP.

... Jonn Martell, Manager - UBC Wireless

on 9/15/2005 11:46 AM Wyman Miles said the following:


We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:

- is anyone using Kerberos as an authentication resource for your wireless clients? Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?

- is anyone using ActiveDirectory as an authentication resource?

- who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).

Thanks for the feedback!


Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
