A quick response:

The reason I posed the question is that up until the last month, our
wireless network has not been ideal, but stable.  Stability is waning
and those that have looked at the issues conclude that the controller was
not designed to handle what we are putting through it.  We are searching
for options to eke every little bit out of the system until we get our
funding this summer.

I agree with you all concerning authentication and encryption.  When WPA2
and AES became practical, we implemented them, knocked off TKIP and were
solely there until now experimenting.  Regarding 802.1x, when we upgrade,
the entire approach will be overhauled though we have not decided on a
design yet.  It is a consideration.

Thank you all for your feedback.


Jake Barros  |  Network Administrator  |  Office of Information Technology
Grace College and Seminary  |  Winona Lake, IN  |  574.372.5100 x6178


On Fri, Jan 25, 2013 at 4:38 AM, Osborne, Bruce W <bosbo...@liberty.edu> wrote:

>  Jacob,
>
>
>
> I echo many of the concerns already expressed. For security, you really
> need to move to WPA2-Enterprise (802.1X). Many schools either have an open
> SSID or a WPA2-Personal (PSK) SSID for devices that cannot handle
> WPA2-Enterprise.
>
> Here at Liberty University we use an open SSID for devices that cannot do
> 802.1X and to configure devices so they can be moved to the 802.1X network.
> I know you wanted this to be vendor-neutral, but Cloudpath XpressConnect is
> an excellent product for configuring 802.1X on devices.
>
>
>
> Here is some 802.11 Wi-Fi history as I remember from a particular vendor's
> Wi-Fi class with additions for 802.11n.
>
>
>
> 1. Wi-Fi 802.11b was originally released with WEP encryption that was soon
> exposed as inadequate & broken.
>
> 2. IEEE started work on a more secure standard that would be called WPA.
>
> 3. As people waited for the new standard, Wi-Fi sales plummeted due to
> security concerns. It also became evident that this new standard would use
> AES encryption and would not work on the current Wi-Fi hardware because
> they did not have the AES encryption/decryption engine needed.
>
> 4. The Wi-Fi Alliance released WPA/TKIP, an interim standard that was more
> secure than WEP and would work on the existing hardware. This was designed
> to improve the Wi-Fi sales figures.
>
> 5. When IEEE released their standard, it was renamed WPA2 and included
> TKIP only to provide a smooth migration path from the older WPA/TKIP SSIDs.
>
> 6. When the 802.11n standard was first released, the Wi-Fi Alliance
> specified only WPA2-AES and not TKIP. They said they would refuse to
> certify equipment that allowed the less secure TKIP.
>
> 7. The Wi-Fi Alliance later added TKIP due to customer demand, but they
> have been clear that it is deprecated.
>
>
>
> I do not know about spaces in SSIDs because none of ours have used spaces.
> You really need to move toward AES encryption, at a minimum. Perhaps
> supporting both AES and TKIP is loading the wireless infrastructure and
> causing client confusion. I know from my own testing that an older PS3, for
> example, insists on using TKIP if both TKIP and AES are enabled.
>
>
>
> We made the move to 802.1X this past summer and the increased insight into
> who is connecting and the authorization capabilities to limit access where
> appropriate is very valuable. In a sense, the added security is just an
> additional bonus.
>
>
>
> Bruce Osborne
> Wireless Network Engineer
> IT Network Services
>
> (434) 592-4229
>
> LIBERTY UNIVERSITY
> 40 Years of Training Champions for Christ: 1971-2011
>
>  ------------------------------
> *From:* Barros, Jacob [jkbar...@grace.edu]
> *Sent:* Thursday, January 24, 2013 12:43 PM
> *Subject:* need help to substantiate an SSID recommendation
>
>   I feel silly asking this question but value your opinions.  We recently
> had some authentication errors that caused me to open a support case.  The
> engineer I was working with alluded to the fact that having a space in my
> SSID name could be contributing to the problem though not the root.  He
> also inferred that using TKIP instead of AES would cut processing
> requirements on the controller and therefore grant better performance.  I
> have not been able to confirm his opinions from those I have asked
> (including other engineers from the same company) nor in print.
>
>  We are using a single SSID for most of our campus, 'Grace WiFi'
>  WPA2-PSK AES. Theoretically, should I get better performance (or less
> overhead) from 'Grace-WiFi' WPA2-PSK TKIP?
>
>  Leaving the vendor/company out of this conversation, will you please
> comment on whether or not these changes will make a difference?  I would
> love to either substantiate or debunk this theory.
>
>
>
>  Jake Barros  |  Network Administrator  |  Office of Information
> Technology
>  Grace College and Seminary  |  Winona Lake, IN  |  574.372.5100 x6178
>   ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>
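
An added example, not part of the original thread: one way to check from an SSID's advertised RSN element (the WPA2 information element in beacons) whether TKIP is still offered alongside AES (CCMP), the mixed configuration mentioned in the quoted reply. The function names and both sample elements are constructed for illustration, and the parser assumes the pairwise and AKM lists are present.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"                      # IEEE 802.11 suite OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _name(sel, table):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if sel[:3] == RSN_OUI and sel[3] in table:
        return table[sel[3]]
    return "unknown:" + sel.hex()

def _suite_list(body, off, table):
    """Read a little-endian 2-byte count, then that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(ie):
    """Parse one RSN element (ID 48) taken from a beacon or probe response."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]                     # version(2) group(4) lists...
    try:
        pairwise, off = _suite_list(body, 6, CIPHERS)
        akm, _ = _suite_list(body, off, AKMS)
    except struct.error:
        raise ValueError("truncated RSN element") from None
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm}

def audit(ie):
    """Return cipher findings for one advertised RSN element."""
    rsn, findings = parse_rsn(ie), []
    if "TKIP" in rsn["pairwise"]:
        mixed = "CCMP" in rsn["pairwise"]
        findings.append("mixed mode: TKIP and CCMP" if mixed else "TKIP only")
    if rsn["group"] == "TKIP":
        findings.append("group cipher is TKIP")
    return findings

# Constructed sample elements (not captured from any real network).
AES_ONLY = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
MIXED = bytes.fromhex("3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")

if __name__ == "__main__":
    for label, ie in (("AES only", AES_ONLY), ("mixed", MIXED)):
        print(label, parse_rsn(ie), audit(ie))
```
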
