I agree with most responses so far with respect to SSL VPNs. At Emory, we started out using PPTP VPNs for authentication and encryption. Last fall, we started offering WPA/WPA2 (802.1x using PEAP) in addition to VPN authentication. We've been working hard at migrating users from VPN access to WPA access since the start of Spring semester.

From a user perspective, WPA/WPA2 is a MUCH nicer user experience, especially with Win XP and Macs. Once the user's laptop is set up for WPA, their credentials are cached and they automatically associate & authenticate when they are within network range. It's like connecting to an open wireless system, but with authentication and much better encryption than WEP offers.

In contrast, VPN access users need to associate to the wireless network, then start their VPN client to gain network access. Hitting a coverage hole or high levels of interference can (and does) cause their VPN connection to drop, necessitating the user to reconnect. I'm not sure how SSL VPNs handle network connection loss, but would recommend you add that test to your evaluation plan.

VoIP phones are coming as well, but currently all the models I've seen at best only support WPA-PSK (Pre-Shared Key), not WPA-Enterprise (802.1x), and at worst support WEP or no encryption. Because of the security issues, we've created a special virtual WLAN and SSID to segment and lock down network access for the VoIP phones on our network.

Game consoles and other wireless devices can't access our wireless network because they don't support WPA/802.1x or log in via our guest captive portal. This is not necessarily a bad thing (so far).

In summary, I would recommend enduring the pain (?) of deploying WPA/WPA2 (802.1x) because of the much stronger security it gives over WEP or an open system and the user ease of use over VPN solutions. Of course, VPN is a "lowest common denominator" for wireless users that can't do WPA, and I see a place for it, as well.

FWIW - Emory is running an Aruba system with 1100+ APs (and growing).

>>-> Stan Brooks - CWNA/CWSP
     Emory University
     Network Communications Division
     404.727.0226
     [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]


-------- Original Message --------
From: Stephen Holland
Date: 6/13/2006 5:00 PM

I would like to know if anybody is using SSL vpn as an
authentication/encryption mechanism for wireless and how successful they
have been deploying it.

Also, I would be curious to know what other folks think about implementing
802.1x.  Specifically do you believe this is something that will be
required in the next couple of years to support evolving technology like
VoIP phones?

I'm trying to decide if I should deploy an SSL vpn solution without
deploying 802.1x.  My instinct tells me to plan for 802.1x but I would be
curious to hear what others think.

Thanks

Stephen Holland
Network Engineer
Northeastern University

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
