Ditto. SecureW2 is the TTLS supplicant of choice.

Frank

-----Original Message-----
From: King, Michael [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 01, 2006 8:45 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Few more 802.1X questions

Several.

SecureW2 seems the best supported and most popular
http://www.securew2.com/
It supports batch configuration. Unfortunately the website seems a bit slow right this second.

Wire1x is an Open1x port to Windows. (Hasn't had any activity since 2004)
http://wire.cs.nthu.edu.tw/wire1x/

> -----Original Message-----
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 01, 2006 9:32 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Few more 802.1X questions
>
> Thanks, Frank-
>
> I realize LDAP is hamstringing us, but AD may not be ready
> for primetime for our environment from a timing
> perspective... Given that Cisco ACS is in house, LDAP MAY
> have to be used initially, and say we have to start with TTLS
> before we can run with PEAP- is there a known, PREFERRED,
> FREE!!!, Windows-friendly TTLS supplicant? I've seen
> Xsupplicant recommended, but it doesn't appear to have a
> Windows version.
>
> Again- thanks.
>
> Lee
>
>
> >>> Frank Bulk <[EMAIL PROTECTED]> 2/28/2006 4:35 PM >>>
> Lee:
>
> If you're using LDAP that limits many of your choices,
> unfortunately.
> ==
> If your directory server is based on LDAP, your options are
> limited based on how your passwords are stored.
>
> Cisco's Secure ACS LDAP integration supports EAP-TLS and
> PEAPv1/EAP-GTC. In the first type, LDAP is used to retrieve
> the user's public-key certificate for comparison with both
> the client and the user's private-key certificate. In the
> second type, the environment must support one-time keys, as
> with token cards.
>
> If your passwords are stored in MSCHAPv2 format, as is the
> case with Windows Domains and Active Directory, you can use
> the LDAP features of other RADIUS vendors to take advantage
> of EAP-TTLS and PEAP.
>
> If your passwords are stored in your LDAP directory in the
> clear, you can use EAP-TLS/PAP and EAP-TTLS/PAP as well as a
> few others, depending on the RADIUS vendor.
>
> http://www.networkcomputing.com/mobile/archives/mobile_archive_011106.html
> ==
> In other words, you should be able to front end your LDAP
> infrastructure with a 3rd-party RADIUS server.
>
> As for roaming, Cisco's CCKM (proprietary standard!) does
> support fast secure roaming with PEAP. Go here:
> http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/acau02/au_prof.htm#wp1094945
> And scroll down to CCKM to see some background and caveats.
>
> Regards,
>
> Frank
>
> -----Original Message-----
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 28, 2006 12:53 PM
> To: [email protected]
> Subject: [WIRELESS-LAN] Few more 802.1X questions
>
> Given these specific resources:
>
> - Cisco ACS 3.3
> - LDAP (moving to AD, but not at first)
> - Cisco 1130/1200s running latest 12.3(7) JA2 IOS code
> - Up-to-date Windows XP users native supplicants
> - Macintosh 10.4 users (latest) native supplicants
>
> And looking at piloting an 802.1x environment using PEAP...
>
> Looking for comments on-
>
> - Roaming (I believe fast secure roaming doesn't work with
>   PEAP) satisfaction
> - Users that may have used 802.1X migration as a juncture to
>   give up the typical wireless DMZ and make wireless an
>   extension of the wired network (for authorized users)
> - Luck with WPA with a broad range of client hardware likely
>   found in a "bring what you have" laptop/handheld environment
> - Success with Windows Mobile
> - General satisfaction
> - Horrors experienced
> - Anything else relevant to the exercise with the resources
>   described above.
>
> As usual- thanks for the great input this list tends to provide!
>
> Lee Badman
>
> Lee Badman
> Network Engineer
> CWNA, CWSP
> Information Technology and Services
> (Formerly Computing and Media Services)
> Syracuse University
> (315) 443-3003
> [EMAIL PROTECTED]
>
> **********
> Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
