John,

This is very easy if you are already running a PKI on campus - but I am assuming from your post that perhaps this is not the case... (sorry - I just joined the list so have not seen any messages that may give me context).

At Dartmouth we secured the wireless with EAP-TLS, we turned on the secure SSIDs about 3 months (maybe it was 6 months) before we turned off the legacy unsecured channels. But of course, as can be predicted, 90% of folks waited until the one or 2 days before the cut over date before doing anything about it... ;-) So we ended up issuing a few thousand certs each day for about a week as the main body of wireless subscribers configured their systems.

We had very few issues, in fact, it's probably fair to say that we had zero certificate issues - we ramped up help desk support in anticipation of a glut of support requests all to no avail - it was a complete non-event from a support perspective - it was refreshingly calm and quiet. We did get the odd "how to figure my supplicant" question - we had documented that very well for those supplicants needing manual tuning (e.g. XP and Leopard - NOTE: Vista & Tiger were automated via profiles) - so that was just an exercise in hand-holding folks as they read instructions ;-)

Now I should point out that Dartmouth has a mature PKI which has been in production operation for over 5 years. So issuing wireless certs was as simple as adding a new profile to the CA. Our regular issuance process already allows students/faculty/staff/affiliates to authenticate to the central IdM system and be issued a certificate right into their browser/OS of choice.

The platform we are using for PKI is available free-to-higher-education, and in fact I believe Internet2 will shortly host a version for download (if I can ever get around to packaging it up with appropriate instructions). If you were interested in using it, all it would require you to do is modify the piece that provides the authentication into whatever central authentication infrastructure you have (assuming you do have one) and you would be good to go (well you do have to have some hardware to run it on and some to secure your Campus Root also). I'd be happy to speak with you off list if you are interested.

One other option is to use OpenCA 1.0 - it has just been released (Massimiliano Pala - the OpenCA Project Manager sits just down the hall from me) - its new interface makes it relatively simple to configure and you could be up and running with a campus PKI in relatively short order.

If you have a Microsoft infrastructure on campus - you can also use their CA product. There are a number of options open to you in terms of how you want to manufacture certificates.

Our experience with EAP-TLS was it was almost totally painless (we have to pre-register some wireless headless devices that cannot do EAP-TLS), but any issues we ran into were not with the certs - it was primarily with configuring the supplicants to use them.

Regards,
_Scott


*---- Previous message ------*
*Date:* Thu, 24 Jul 2008 17:33:29 -0400
*Reply-To:* The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
*Sender:* The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
*From:* John York <[EMAIL PROTECTED]>
*Subject:* Giving certs to students
*In-Reply-To:* A<[EMAIL PROTECTED]>
*Content-Type:* text/plain; charset="us-ascii"

This is a follow on to my thread and the others trying to figure out which method to use in the encryption alphabet soup. We may be driven to go to EAP-TLS, which means student certs. Are there products out there that make the cert-issuing process easy? The last thing we need is for every student to come to the helpdesk to get a cert installed on their laptop.

Thanks

John

--
Scott Rea
Director, HEBCA|USHER Operating Authority
Dartmouth Senior PKI Architect
Peter Kiewit Computing Services
Dartmouth College
HB 6238, #058 Sudikoff
Hanover, NH 03755

Em: [EMAIL PROTECTED]
Ph#(603) 646-0968
Ot#(603) 646-9181
Ce#(603) 252-7339

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
