Agreed. The problem is, there's no way to "enforce" it - one of the weaknesses with the setup. We push people towards our autoconnect tool to ensure we configure specific auth servers and to make sure they are being verified. But if someone configures their supplicant manually and chooses not to verify the auth server, there is nothing you can do.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Brooks, Stan
Sent: Thursday, March 12, 2009 2:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IDEngines and Autoconnect

Josh Wright and Brad Antoniewicz did a great presentation on the issues with PEAP at Shmoocon last year. His presentation is posted on his website and makes for interesting (and scary) reading.
http://www.willhackforsushi.com/presentations/PEAP_Shmoocon2008_Wright_Antoniewicz.pdf

He also lists the "correct" way to set up PEAP clients to verify the RADIUS server and its cert (slide 37). The "correct" way drastically reduces the potential for Man-in-the-Middle attacks. If you decide to create instructions or automatic tools for setting up wireless clients, setting up verification of both the certificate and RADIUS server names is crucial to preventing MitM attacks and maintaining WLAN security.

Just my 2 cents.

Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Wednesday, March 11, 2009 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IDEngines and Autoconnect

One personal observation... but first I need to agree with Randy. This utility and its ease of use has been very helpful in configuring our 802.1x supplicants, and the ID Engines folks were great to work with. That being said - the latest Mac versions and now Windows 7 (and Ubuntu) seem to be much better at autoconfiguring all on their own - at least for PEAP/MS-CHAPv2.

The drawback - they won't get set up correctly for trusting only your Auth servers. But then again, most iPhones and such probably aren't trusting the server cert either. I don't recommend not trusting the cert, but this is one area that is probably wildly inconsistent among and across PEAP/MS-CHAPv2 environments.

Also - the use of the XPressConnect tool requires use of the Windows supplicant - no more Intel ProSet/Broadcom/Toshiba/Linksys, etc. wireless utility. These third-party utilities are often far more functional than the native Windows wireless clients, but it can be very hard to support a variety of supplicants, so you need to be restrictive to just the Windows client for the Cloudpath tool to be effective.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Randall C Grimshaw
Sent: Wednesday, March 11, 2009 12:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IDEngines and Autoconnect

The IdEngines company closed and was in part acquired by ... but the Autoconnect product is also marketed as Cloudpath.net XPressConnect. And yes, we are also a satisfied customer.

Randy

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Dennis Xu
Sent: Wednesday, March 11, 2009 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] IDEngines and Autoconnect

We have heard much positive feedback about IDEngines and Autoconnect. We are just trying to evaluate this product and I cannot find this company anymore. Is this product completely replaced by XpressConnect? For the folks using this product, do you still get good support? Will you stay with this product or look for other alternatives? Any suggestions are appreciated.

Thanks,
Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
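As an added illustration of the point made in this thread (the difference between a supplicant that accepts any authentication server and one that verifies both the certificate chain and the RADIUS server name), here are two wpa_supplicant network blocks for the Linux/Ubuntu case Lee mentions. This is example configuration written for this page, not from any of the posters, Cloudpath, or the Wright/Antoniewicz slides; the SSID, CA file path, server name and credentials are placeholders, and `domain_suffix_match` assumes a recent wpa_supplicant (older builds only offer `subject_match`/`altsubject_match`).

```conf
# --- WEAK: verifies nothing about the authentication server ---
# Without ca_cert, wpa_supplicant accepts whatever certificate the
# RADIUS server (or anything impersonating it) presents, so the
# MS-CHAPv2 exchange inside the PEAP tunnel can be captured by a
# rogue AP + RADIUS pair. This is what a hand-configured client
# that "chooses not to verify the auth server" looks like.
network={
    ssid="CampusWiFi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"       # placeholder identity
    password="hunter2"                # placeholder password
    phase2="auth=MSCHAPV2"
    # no ca_cert, no subject/domain match -> no server validation
}

# --- HARDENED: pin the issuing CA and the server's name ---
# ca_cert restricts trust to the CA that actually issues your RADIUS
# server certificates (not the whole system store), and the name match
# rejects any certificate from that CA that is not for your RADIUS
# server. The supplicant aborts the EAP handshake if either check
# fails, so the user is never prompted to "accept" an unknown server.
network={
    ssid="CampusWiFi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"       # placeholder identity
    password="hunter2"                # placeholder password
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"      # placeholder path to your CA only
    domain_suffix_match="radius.example.edu"           # placeholder RADIUS server name
    # On older wpa_supplicant versions use one of these instead:
    #   altsubject_match="DNS:radius.example.edu"
    #   subject_match="/CN=radius.example.edu"
}
```

The two blocks differ only in the last lines, which is exactly why a manually configured client so easily ends up in the weak state: the connection works either way, and nothing on the network side can tell the two configurations apart. Shipping the hardened block through a provisioning tool (as the thread recommends) is the practical control; the detection opportunity is on the client, where a failed server validation shows up as an aborted EAP-TLS handshake in the supplicant log rather than as a successful association.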