Thanks Charles, didn't know Odyssey supported this. We can't control what's on every laptop, and cost is an issue on those we can. WPA2 is something we can require since it's available via WZC, and supports fast if not logical roaming. Hard to tease these values out of the vendors. Hopefully the 802.11k standard will help with this. It's not as clear what aspects of the Aironet Extensions (transmit power control, AP neighbor list) apply to the driver vs the supplicant.

Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, MA 02129

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel
Sent: Thursday, February 19, 2009 11:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

Juniper's Odyssey supports PEAP machine authentication, however you'll typically only see Odyssey in an enterprise environment. The only thing that I like about WZC is that its settings can be configured and enforced via Group Policy. Well, two things... it's also free.

________________________________
Charles Bisel
WLAN Architect
Bayer Corporation
100 Bayer Road
Pittsburgh, PA 15205
EMAIL charles.bi...@bayerbbs.com
WEB http://www.bayerus.com
________________________________

"Johnson, Bruce T" <bjohns...@partners.org>
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
02/19/2009 11:41 AM
Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
cc:
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this.

Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, MA 02129

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel
Sent: Thursday, February 19, 2009 11:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

True, WZC doesn't support CCKM, however unless I missed something, I don't recall Bob mentioning a specific supplicant. Clients who use WZC (why anyone would is beyond me) will still be able to connect without issue, as it is considered "optional" on the WLAN.

________________________________
Charles Bisel
IT Operations
Bayer Business and Technology Services LLC
100 Bayer Road
Pittsburgh, PA 15205
PHONE 412.778.1268
FAX 412.778.1299
EMAIL charles.bi...@bayerbbs.com
WEB http://www.bayerus.com
________________________________

"Johnson, Bruce T" <bjohns...@partners.org>
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
02/19/2009 11:20 AM
Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
cc:
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

Charles, CCKM is supplicant-dependent (via Intel PROSet or other hardware client utility). Native Windows WZC won't support this. You'll need WPA2.

Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, MA 02129

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel
Sent: Thursday, February 19, 2009 11:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

If you are using WPA/TKIP, change your Auth Key Mgmt to "802.1X + CCKM" on your WLAN in order to activate Fast Secure Roaming.

________________________________
Charles Bisel
WLAN Architect
Bayer Corporation
100 Bayer Road
Pittsburgh, PA 15205
EMAIL charles.bi...@bayerbbs.com
WEB http://www.bayerus.com
________________________________

"Johnson, Bruce T" <bjohns...@partners.org>
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
02/19/2009 11:08 AM
Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
cc:
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

Check your WLAN Session timeout - this forces a full re-auth at the specified interval. The default for dot1x is every 30 minutes. You may want to make this value larger. The User Idle Timeout will do the same thing, but most laptops generate enough incidental traffic to keep the idle timer open. Smaller form factors may not be as chatty. If it's due to roaming, you may want to use WPA2/AES rather than TKIP, as this supports Proactive Key Caching. Do a "sh pmk-cache all" on the controllers to verify.

Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, MA 02129

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 10:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We are using MS IAS for RADIUS with PEAP. We don't have trouble getting folks configured and connected. Just after that we get complaints of 'getting kicked off' and was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don't really have any hard data to back that up.

Thanks,
Bob Richman
Network Engineer
University of Notre Dame
rrichma...@nd.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Bennett
Sent: Thursday, February 19, 2009 8:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak.

Daniel Bennett
IT Security Analyst
Security+
PA College of Technology
One College Ave
Williamsport PA 17701
(P) 570.329.4989

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lelio Fulgenzi
Sent: Thursday, February 19, 2009 8:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

Last time I checked, Windows Mobile didn't come with a dot1x supplicant (that worked). Do you require users to purchase their own supplicant or do you have a site license?
Lelio Fulgenzi, Senior Analyst
Computing & Communications
University of Guelph
519-824-4120 x56354
...sent from my iPod - please pardon my fat fingers ;) [XKJ2000]

On Feb 19, 2009, at 8:09 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Hi Bob-

We've been doing dot1x now for a few years, and in my opinion people tend to struggle with:
- What EAP type to use
- What RADIUS server to use
- How to get supplicants configured, and whether or not to support a variety of supplicants
- What about AD machines over wireless

We chose PEAP w/ MS-CHAPv2 because it's well supported natively in both Windows and Mac machines. That being said- we had to say no more support for Windows 2000, 98, Me, etc. Same on Mac- a minimum OS was required. We avoided other EAP types that require a per-device cert, and officially only support the native Windows supplicant and native Mac supplicants for ease of support.

We also chose to stick with our "classic" Cisco ACS 3.3.3 boxes- simply because we already had them, and they do a rock-solid job as well as provide decent logs (important). They also talk well with our AD credential store for user credential verification.

We have found the ID Engines- now Cloudpath- supplicant configuration tool to be key to our success in that we can point users to a "help SSID" for initial client config, or self-remediation later if they hose their settings. Very powerful- but again, requires that users use Windows and Mac native supplicants and disable all of the ProSet, Broadcom, Toshiba, etc. wireless utilities. We also provide basic settings in document form for advanced users that won't give up their third-party utilities, and for Linux/handheld users that we can't auto-configure.

Driver issues will manifest themselves more on a dot1x network- the rule of thumb is to keep them updated, or as a minimum, update before going to 1x. This often helps Windows machines when nothing else will.

On the Macintosh side, unfortunately it seems that even minor code updates can wreak havoc on the wireless driver and 1x utility- but once you get past whatever new curve ball Apple throws you, they work very reliably.

As for AD machines on wireless- that's a whole different ballgame. Officially, we do not support AD machines over our wireless networks, but if the machine name is the same as the userID, it will work in our environment.

Then there's loaner laptops... and NAC integration... and how to handle visitors on the network. All have solutions, but you may have to get creative.

We have 2000+ APs, 12 WiSMs, and typically see 5,500-6,000 users at peak on our wireless networks daily. In the dorms (100% covered) wired usage has fallen to less than 20% of what it was 2 years ago, and has become mostly an "entertainment" network.

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 7:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Transitioning to dot1x

We are in the process of trying to move all of our users to our WPA/WPA2 dot1x wireless. We hope to shut down the wide open non-authenticated SSID this summer. We've had numerous communications sent out and we always seem to get responses that the new dot1x network is slower than the old and that people have trouble maintaining a connection. I am curious as to how other schools approach this. Is it possible that a dot1x-only network magnifies trouble areas of wireless coverage? Or is it that the dot1x network is more sensitive to client issues? Or could it be something I had not mentioned. BTW, we are a Cisco WiSM/LWAPP shop.

Thanks!
Bob Richman
Network Engineer
University of Notre Dame
Richma...@nd.edu

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
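The "getting kicked off" question in this thread has two candidate causes that Bruce's 11:08 reply separates: the WLAN session timeout forcing a full re-auth on a fixed interval (30 minutes by default), and roams that fall back to a full EAP exchange because no cached PMK is available (TKIP rather than WPA2/AES, or a client that does not do key caching). The script below is an added example, not code from the thread or from any controller or RADIUS vendor. It reads a constructed, simplified per-event log (field names `client`, `ap` and `event`, and the event values `full-auth` / `pmk-cache-hit`, are all assumptions for the example; real controller logs or RADIUS accounting records carry this information under other names, so `parse_line` is the part to adapt) and labels every re-authentication as timer-driven, a full re-auth on roam, a fast roam, or other, so the two causes can be told apart from the controller's own records rather than from user complaints.

```python
"""Classify 802.1X re-authentication events by likely cause.

Added example, not code from the mailing-list thread. It reads a
constructed, simplified log format (one line per authentication event);
real controller or RADIUS accounting logs use different fields, so the
parser is the part to adapt.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client re-authenticating on the same AP every
# ~30 minutes (the default dot1x session timeout), and one client roaming
# between APs, once with a full re-auth and once with a PMK-cache hit.
SAMPLE_LOG = """\
2009-02-19 09:00:00 client=00:11:22:33:44:55 ap=AP-LIB-1 event=full-auth
2009-02-19 09:30:01 client=00:11:22:33:44:55 ap=AP-LIB-1 event=full-auth
2009-02-19 10:00:00 client=00:11:22:33:44:55 ap=AP-LIB-1 event=full-auth
2009-02-19 09:05:00 client=aa:bb:cc:dd:ee:ff ap=AP-DORM-3 event=full-auth
2009-02-19 09:12:00 client=aa:bb:cc:dd:ee:ff ap=AP-DORM-4 event=full-auth
2009-02-19 09:20:00 client=aa:bb:cc:dd:ee:ff ap=AP-DORM-5 event=pmk-cache-hit
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, ap, event)."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, fields["client"], fields["ap"], fields["event"]


def classify_events(log_text, session_timeout=timedelta(minutes=30),
                    tolerance=timedelta(seconds=30)):
    """Label every re-auth (all but a client's first event) with a likely cause.

    roam-fast       : AP changed and the controller served the PMK from cache
    roam-full       : AP changed and a full EAP exchange ran (no cached PMK)
    session-timeout : same AP, and the gap since the previous auth matches
                      the configured session timeout within `tolerance`
    other           : same AP, gap does not match the timer (idle timeout,
                      client-side drop, driver reset, ...)
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, ap, event = parse_line(line)
            by_client[client].append((ts, ap, event))

    labelled = {}
    for client, events in by_client.items():
        events.sort()  # logs are not necessarily in time order per client
        labels = []
        for (prev_ts, prev_ap, _), (ts, ap, event) in zip(events, events[1:]):
            if ap != prev_ap:
                label = "roam-fast" if event == "pmk-cache-hit" else "roam-full"
            elif abs((ts - prev_ts) - session_timeout) <= tolerance:
                label = "session-timeout"
            else:
                label = "other"
            labels.append((ts, label))
        labelled[client] = labels
    return labelled


def summarize(log_text, **kwargs):
    """Count re-auth causes per client; returns {client: {label: count}}."""
    return {client: dict(Counter(label for _, label in labels))
            for client, labels in classify_events(log_text, **kwargs).items()}


if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, counts)
```

Pass the controller's actual session timeout as `session_timeout`. A pile of same-AP re-auths labelled `session-timeout` points at the timer (raise it, as Bruce suggests); `roam-full` events point at roams without a cached PMK, which is where the WPA2/AES versus TKIP choice and the `sh pmk-cache all` check come in; `other` is the bucket to chase for idle-timeout or driver problems.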