Are You Using 802.1X?
"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME, etc.). Windows 2000 supposedly has built-in support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.
As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"
No.
Next question please.
Personally I doubt why you would go with a system that makes you scrounge for clients on different OS's just to implement at a university. In the corporate world you have the luxury of saying "If you want to use our network you will use "n" hardware and nothing else."
At the university level you have people using about 300 different configurations and OS's. It seems like you are making it just that more difficult for those users that get use out of the network that they pay for through their tuition.
First post
But yes, we use it, have been for quite some time - about November of last year - works great, and is pretty good - requires RADIUS or Active Directory/IAS.
Get SP4 which gets the .1x support back.
ah, the humiliation and agony of losing by 2 FREAKIN' MINUTES!! NOOOOOOoooo. come on man.
Did "homework" include a reasonable test implementation? Anything that affects your infrastructure in such a drastic way should probably be banged on for several weeks with at least a dozen guinea pigs (assuming you don't have a test lab in these days of cost cutting).
Take a look at what Purdue University does. They use a Cisco VPN client that is available on win/mac/linux/sun, and ties in with the student accounts to verify access. If you aren't using the VPN client, you are redirected to download it automagically. http://www.itap.purdue.edu/airlink/ This is the best solution I have seen.
I'm in a similar environment, 802.1x, PEAP/MSCHAPv2 (and DHCP)... Now I have to bring along UTP wires for my laptop running Linux... There is this "Aegis" client, but it doesn't seem to be working too well.. Anyone knows any other solutions out there?
not using even WEP is simply asking for trouble, using basic WEP (pre-shared keys) is a little better, but it's still vulnerable and has the hassles of key management (each time you change the keys you need to update all clients). 802.1x is the way to go.
There is some support on OSes for 802.1x (Windows XP has it built in for some authentication methods, for Windows 2000 you can download it from the Microsoft website, for Linux and BSD use xsupplicant (http://www.open1x.org)).
One important consideration is what 'EAP method' you use for security. 802.1x is a framework for security and you can tie-in different methods within this framework for doing the actual authentication and key generation.
If you use EAP-TLS then there can be a problem of configuring certificates on client machines, though it's pretty secure once set up. You can use the Cisco proprietary LEAP with Cisco APs and clients or go for a solution based on PEAP or EAP-TTLS.
LEAP only requires you to have a user-name/password type of setup and can be easily tied to existing authentication infrastructure (Eg: the windows network in your LAB). PEAP and EAP-TTLS need only a username and password if you use MS-CHAPV2 or some such method, though you still need valid server-side certificates.
Puneet
I know a lot of people rag on 1x because it isn't supported by every POS WiFi card out there but the security enhancement you get is really indispensable, especially when you consider that your average corporate WEP network is no safer than my Linksys AP at home.
A really great client for getting multiple cards to work on 1x networks is the Aegis client from Meetinghouse. Their supplicant will take many standard WiFi cards and allow them to use 1x.
Our IT dept doesn't support it (most probably won't) but if you're a frustrated user who doesn't want to buy a new card for a 1x network they've got a 15 day demo which should give you enough time to figure out if it works for you.
I used it on my last contract. 802.1x with Windows XP SP1 works just fine. We used PEAP and Microsoft's IIS server for RADIUS authentication.
We wanted PEAP since it doesn't require manual certificates.
It took a lot of tweaking on the server, a small bit on the AP, but the client settings were just what you'd expect them to be.
I didn't try it with OS X (even though I used a Powerbook on the job). Take a look at http://www.mtghouse.com/
Per the message boards I've read, their client should work just fine.
I recently went from wired to 802.11g. However, it wasn't without a struggle. I did a good deal of research but still got suckered into buying a Broadcom-based card only supported in Windows. As it turns out, Broadcom doesn't support Linux well (or at all, in this case). To add to the confusion, most of the cards that I checked out that had once boasted Linux compatibility had been 'upgraded' to use a Broadcom chip. Even 802.11b hardware that used the supported Prism2 chipset is damn near impossible to find these days as much of it has been changed over to use cheaper hardware (not necessarily Broadcom, but other non-supported brands as well). Model names / numbers are virtually the same as they were before. It's basically like searching for a PCI non-Winmodem these days.
My advice: Go with a nice ethernet bridge and don't get burned by bad / non-existent drivers. I ended up with a Linksys WET54G, which just so happened to be reviewed by THG earlier. It works flawlessly after I plugged it into my NIC under Linux. It also leaves my options open for other OSes that don't even have as much support as Linux. So long as your network card works (and interconnects via RJ45), you'll have a reliable wireless connection using the bridge. Not only that, but it has a configurator accessible through any web browser, much like their routers. This means configuring the bridge for use with encryption and such will work the same on Windows, Linux, MacOS, etc.
Only problem is they're a bit expensive (roughly $130). If you don't use Windows full time, it's worth every penny.
i always thought that 802.1x was a set of protocols - i always thought the x was a variable... i know better now. :(
You are confusing me with someone who cares.
using dlink's new firmware for the 900ap+ which supposedly supports 1x and Funk Software's radius server and winxp sp1 i thought i would give it all a try... lets just say its not as easy as i would have expected. and in my experience, if its not easy to implement then people wont use it. let alone how picky you have to be with OS's, clients, hardware that will actually support it.
Isn't IPSec a possible solution?
We just rolled out 802.1x at Baylor University this week. Where are you located? I know they are also rolling out at Memphis.edu and Kstate.edu in the fall. E-mail me if I can be of any help...
Well, I work for a large company. We're just getting 802.11b with Cisco's LEAP authentication fully deployed throughout the country. I doubt they will move forward (unless Cisco tells them to).
*sigh*
auburn university is using a cisco vpn solution to secure the node-to-access-point communications. the vpn client is available for windows, macos, and linux.
Outside of the Access-points we used all pre-existing equipment. We already had an Enterprise Root Cert Authority set up on our Root Win2k DC. We then created a cert for wireless access. We deployed the cert by using policies and used IAS to authenticate the users against a remote access policy that verified users' group memberships.
For hardware we used Cisco 1100's and Zyair B1000's (http://www.zyxel.com). The B1000's have a beta firmware to support EAP-TLS and cost less than $100 bucks!
We only allow Win2k and Windows XP clients to use wireless, setting up the few win98 clients we have is too much of a pain!
With Windows XP Service Pack1 the user will get a prompt that says there is a wireless network available. Included in that is a check box to use 802.1x authentication and since the default is Certificates all the user does is click connect and they are on!
If you have clients other than Windows clients you can still use the Win2k cert server, just have them download the cert via the web manager. It will be http://certservername/certsrv. Works great.
We are a school going through the same question - should we set up 802.1x on everything or should we just put a firewall in place that you have to register your NIC with to do anything?
:)
For the FW solution, it is possible to falsify a MAC, but not something your average user would do (though VMWare makes it trivial).
For the 802.1x solution, you have the issues of different cards, drivers, implementations, and then the question of people who wanna run Linux, *BSD, etc... can't just cut them/me off
I work at a community college. We are going with the 802.1x w/ MS PEAP for our initial WLAN rollouts. Currently this is for employee (mostly execs) only. Management made the decision to be a MS shop years ago so 802.1x PEAP turned out to be the solution for us right now.
However, we are still researching WLAN solutions for when the decision is made to provide wireless access for the student VLANs.
Ideally an enterprise solution would
* be as transparent as possible to the users
* NOT involve installing a client to avoid support issues.
* be OS agnostic
Then again maybe I'm dreaming.
My impression is that this is a much needed, but still nubile technology. I wouldn't be surprised to see stronger support flourish in the 'alternate' (non-MSFT) OSes within the next year or so. Microsoft seems to be a bit ahead of the game on this one.
I don't know about you who use WEP, but please STOP.
It is BROKEN.
Use IPSec. There are many tutorials for using IPSec in tunnel mode as a replacement for WEP. Google it. I wrote the 3rd or 4th one down - it isn't that hard, guys. Please don't use WEP, it really isn't smart.
802.1x authentication is not a new concept. It was developed many years ago for incorporation into the HP ProCurve product line for port based authentication. The good thing about 802.1x is that at least it does provide some encryption from the authenticator to the radius server. So it's either this or captive portal, which is implemented into hotspot controllers to provide authentication via redirection of http requests to a website that requests user/password pairs authenticated off a radius server. Pick your tool, something needs to be done.
I'd drop the encryption for a time, restrict access to web browsing... Allow e-mail but only through the university's secure https webmail server (You do have one?) and the same with any important university interfaces both staff and student based (class registration and purchasing for example). This will allow the installed infrastructure to be used, but allow you to roll out secure technology at some point in the future... It's really all common sense...
At our University we deployed 802.1x and in this way we reached the highest possible level of security - nobody, even the authorized personnel, can log in. This means that users have complete protection from hackers, viruses and similar.
What's the difference between WPA (Wireless Protected Access) and 802.1x? I've heard that WPA includes/uses/requires 802.1x. But is WPA something MORE? Or are the two equivalent?
try going to a college that still uses 802.11 as the only network connection in the dorms. (raylink, 2mbit/s shared)
Did not.
Hi,
I work at the University of Utah. We're currently rolling out 802.1x.
My building has already rolled out 802.1x on about 36 access points. We've been running for over a month and a half.
We've got a lot of people interested in what we're doing. We're using a decentralized model that allows us to let various departments use their user accounts everywhere else on campus (that is using 802.1x).
Check out our whitepaper for more information:
http://utahgeeks.sourceforge.net/projects/Wireless Whitepaper.pdf
The paper covers various issues. Keep in mind that the paper is not quite done yet, but it does have a lot of useful information.
We're officially supporting Mac OS X, Windows 98, Windows 2k, and Windows XP. We're not officially supporting Linux, but my boss and I are lead developers on the open1x project (http://open1x.sourceforge.net).
It has Linux and Mac OS X support. We support TTLS, TLS, PEAP (in CVS), MD5, and we're going to be implementing EAP_AKA pretty soon.
If you're interested in the specifics please check out some of our support pages:
http://www.laptop.lib.utah.edu/global/support/index.html
The biggest problem has been support for various cards on Windows. The support link above lists the cards we've tested.
We're currently only supporting Airport on Mac OS X due to the lack of a public API from Apple. (Please let Apple know that you want a public wireless API so we can support more cards...)
We're using a campus site license of the Meetinghouse supplicant for Mac OS X and Windows. We're using Radiator, a Perl based (VERY NICE!) radius server. Its 802.1x implementation rocks.
More info on Radiator: http://www.open.com.au
802.1x is becoming the University of Utah campus standard. All future wireless purchases made with student task force moneys will be required to be 802.1x compatible.
Please let us know if you have any questions regarding our setup.
I'm running a public WI-FI access point and I've had several people tell me that I should look into one of these encryption methods. Personally, I don't get it. If you're using WI-FI for your internal network then I understand, smb passwords flying around, people dropping into your NFS system, but for simple, public internet access does it really matter?
It seems to me that this type of encryption may not even belong at the connection level. Any type of encryption is going to add significant overhead so shouldn't be up to the application to use make secure connections as needed? For most web browsing, who cares if the signal is intercepted, if you're sending passwords or credit info you should be using https anyway. Likewise IMAP, POP3, FTP and SMTP, use the SSL wrapped alternatives.
Is there something I'm missing here? Shouldn't it generally be up to the app to determine if the overhead of encryption is required.
This is not true... 802.1x has its flaws. Some vendor APs don't support per user keys. Have you done exhaustive sniffing to make sure your users are actually getting a different key than anyone else?
Viruses usually come in E-mail... 802.1x doesn't do anything to protect your users from viruses.
Highest possible level of security... maybe... I think I'd agree that it's currently the highest possible STANDARD security available today for 802.11 networks that has been ratified by the IEEE.
At NU the IT department has deployed hotspots at a variety of locations. The campus cafe, parts of the student center, certain locations in the dorms, libraries, as well as other locations provide wireless access.
WEP is not used to secure the network. Instead they're using VPN to provide authentication as well as secure/encrypted connections. Nothing beyond the VPN server and other clients of the AP are accessible without connecting to VPN. As an added benefit VPN allows off-campus users to use the NU mail relays, and other things that are restricted to the university subnets.
Check it out:
http://www.tss.northwestern.edu/wireless/
http://www.tss.northwestern.edu/vpn/
Someone actually researched something before submitting their question to Slashdot.......so now we don't have to deal with "ever hear of Google" comments.
Speaking of 802.1x (no, we don't use it yet), I read reports that MacOS X 10.3 "supports" it, but can anyone confirm that and give some details of the support?
Thanks.
so long as x==1b
taken! (by Davidleeroth) Thanks Bingo Foo!
It's basically like searching for a PCI non-Winmodem these days.
some order in a world of chaos.. i work in a repair/retail store and we have pci non-winmodems aplenty (and they sell). We even have legacy isa modems, in case ya wanna get that 486 goin.
At the other end of the spectrum, we try to research everything and stock the most compatible h/w available.
-d
for my blender... it's contents are the only thing I'm willing to broadcast over the airwaves.
When I glanced at the headline, I thought it was about 1X "high-speed" internet access for CDMA cell phones :)
I have had plenty of experience with 802.1x installed at a major american university (which may be the same university the article submitter works at).
Thanks to the 802.1x deployment, I have zero wireless networking capability under FreeBSD. Ah, that takes me back to my freshman year of 1996.
I have a BSD box on my network, and I could do IPSec tunneling if I wasn't so lazy.
But what's the best option for people who don't want to run a windows server, or a unix box, or any flavor of radius? Are there any consumer priced access points that support reasonably secure wireless networking, without an expensive server on the back end?
Most of what I'm seeing here says that you either have to run a unix-like OS, w2k, or xp (ie., not win 9x) on the client, that you need the professional version of xp, some sort of server infrastructure, etc.
Is there anything at all the typical schmo with a linksys access point and a windows 98 client can do?
There's a good piece in the June NetworkWorldFusion talking about MSFT, Cisco and few other large installations.
Not the most secure thing in the world....but I am lazy like you (prob. moreso) and just plugged my access point into my firewall and then limited connections at the router to only allow 3 computers to connect. (I have 3 computers that are always on....), and then I set the access point to not allow anything more than 1 wireless connection....since I only have 1 laptop and 1 wireless card. As an added bonus -- I took my laptop out in the street and realized that the connection goes dead before I hit the sidewalk on the other side of the road....So I feel pretty safe that unless I see a pinto or chevette with geeky looking kids pulled onto my lawn....that things are fairly safe. (I live in the sticks.)
(+1 Funny) only if I laugh out loud.
Protect the upper layers not below 3
Hack layer two... yippee! yippee!
Since WEP 40/128 provide NO security at the high layer... people feel they're getting something
with WPA (most won't run the required auth/radius server though.. so it's even worse).
Layer 2 is still open. You'll have to wait until next year when the 11i crew comes out with something.
As for a resource, use Dr. Arbaugh's new book on the subject.
http://www.amasin.com/-/0321136209/Real
Does anyone else think that .1x was bad considering people have been using x to be a wildcard for 802.11[abg] for some time?
Just attended a Microsoft seminar and they are using this in conjunction with a certificate server to authenticate users. This addition will work with the certificate server. There are some good documents put out by Microsoft on how to deploy this. Works very well compared to WEP, which is weak encryption.
This is an example of the axiom that there is always a tradeoff between usability and security. In this case, the security is almost infinite, thus the usability is (necessarily) roughly zero.
"No" is the right answer.
But I think the cause results from the fact that he was able to use "Microsoft" and "breaks" in the same sentence to describe his situation.
mod the fuckhead bush supporter down to the weeds where he should be.
Did too.
802.11x is little more than Cisco's LEAP technology that has been turned into an industry standard.
Trying to secure a network at layer two is extremely difficult. You're not dealing with enough intelligence and flexibility. Taking it up another layer to layer three (network layer) gives you much greater flexibility.
You need to look into the wireless gateway technologies. It's easiest to think of these as being a firewall and VPN concentrator combined into one box.
Just as an internet firewall is designed to secure internal corporate networks from external internet communications, the wireless gateway once again segments your network with wired and wireless.
Encryption takes place at layer 3 using IPSec when required. Using a wireless gateway, you can have a guest user log into your network as a guest, and the gateway will allow them to access the internet, and only the internet -- and you can throttle their bandwidth down to 56kbps or whatever you'd like. However, if I were to login to the network as an internal user, the gateway would build a 3DES IPSec tunnel out to my PC before it would allow me to access ANY internal network resources.
It allows you the flexibility to give different users various levels of security based upon their login. The best part is that it does not require a client to be loaded on any end user device, and because it operates at layer 3, it is layer 2 agnostic - meaning it doesn't matter what kind of Access Point or radio card you're using.
I've deployed these solutions in hospitals, universities, even classified government facilities. (WEP is not FIPS certified, 3DES is)
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
gwbush.com isn't in support of bush reject
wtf...mod parents up recursively please...
This is the only post answering the OP's plea! Mod parent up!
Bluesocket makes 802.1x all better. Well worth the price.
WEP in any form is security through obscurity. Nothing in it is going to keep anyone out of your system. If they can crack the WEP key, they can sniff the entire AP (or better, make themselves the AP!!!)
The only way you can "Securely" connect to a 802.11 anything network is via some kind of user authentication. The best I've seen is VPN with a RADIUS backend, but PPPoe works as well.
In either case, the wireless encryption shouldn't matter, because the core layer 3 stuff is happening over VPN or PPP.
Err... If they support EAP-TLS they should be able to support EAP-Anythingyouwant.
The access point authenticator doesn't do anything other than convert the 802.1x frames into radius packets...
The access point is essentially dumb, except that it does have a hand in passing the keys back to a client. It doesn't need specifics for each EAP type.. only the supplicant and authentication server should have to worry about that.
You might want to try something other than TLS just to see if it works. (I suggest against EAP-MD5, for wireless, as you can't get keys with it)
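The "dumb authenticator" point above is easy to see in code: the access point strips the EAPOL header, drops the EAP packet unchanged into RADIUS EAP-Message attributes, and adds a Message-Authenticator HMAC so the RADIUS server can tell the request came from an AP holding the shared secret (RFC 3579). The following is an added example, not code from the thread or from any product named in it; the sample identity, shared secret and frame layout are constructed here, and it implements only the pass-through step, not any EAP method.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# RADIUS codes and attribute types (RFC 2865 and RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19

# EAPOL (IEEE 802.1X) and EAP constants.
EAPOL_EAP_PACKET = 0      # EAPOL packet type that carries an EAP packet
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_eapol(frame: bytes) -> bytes:
    """Strip the 4-byte EAPOL header and return the EAP packet it carries."""
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL-EAP packet (EAPOL-Start/Logoff never leave the AP)")
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL length mismatch")
    return body


def eap_identity(eap: bytes) -> Optional[str]:
    """Return the identity from an EAP-Response/Identity (used for User-Name), else None."""
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length mismatch")
    if code == EAP_RESPONSE and length >= 5 and eap[4] == EAP_TYPE_IDENTITY:
        return eap[5:].decode("utf-8", errors="replace")
    return None


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(eap: bytes, user_name: str, secret: bytes, identifier: int,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Wrap an EAP packet in a RADIUS Access-Request the way a pass-through AP does."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)       # fresh per request on a real NAS
    attrs = _attr(ATTR_USER_NAME, user_name.encode("utf-8"))
    attrs += _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    for i in range(0, len(eap), 253):                # EAP-Message fragments, in order
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                        # Message-Authenticator is the last attribute


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute HMAC-MD5 over the packet with the attribute zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            claimed = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, claimed)
        pos += alen
    return False   # RFC 3579: an Access-Request with EAP-Message but no Message-Authenticator is discarded


def sample_eapol_identity(identity: str = "student@example.edu") -> bytes:
    """Constructed EAPOL frame carrying an EAP-Response/Identity (not a real capture)."""
    eap = struct.pack("!BBH", EAP_RESPONSE, 1, 5 + len(identity)) + bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


if __name__ == "__main__":
    eap = parse_eapol(sample_eapol_identity())
    req = build_access_request(eap, eap_identity(eap) or "anonymous", b"shared-secret", 7)
    print(len(req), verify_message_authenticator(req, b"shared-secret"))
```

Nothing here depends on the EAP type: a PEAP, TTLS or TLS packet goes through the same two functions, which is why an AP that handles EAP-TLS can carry any other method the supplicant and server agree on. The verifier is what a RADIUS server runs on every request, so a reply forged without the shared secret, or a request whose EAP payload was altered in transit, is dropped before any EAP processing happens.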
mod the fuckhead bush supporter down to the weeds where he should be.
Down boy down!
Eeeasssyy boy. Good boy.
No, but thanks for asking anyways...
802.1X, TKIP, WPA and so on are all nice methods to control WLAN access, but even they cannot correct a lousy WLAN architecture.
The problem is that in several, even most places, people are connecting their access points directly to their intranet and then rely only on the WEP key, MAC address lists, 802.1X and the WiFi security standard of your choice. In this kind of architecture when a standard is broken or the access point is compromised or just mis-configured, the attacker is able to gain access instantly to the protected network.
In our university this was the starting situation. Every department had their own WLAN with own WEP keys and MAC lists and some didn't even have those, just completely open network without any kind of access control. Not to mention about radio channel allocation or planning. Instead of the seamless, combined radio coverage there were several separate networks often disturbing each other.
A project was then started to define a common architecture for building wireless network securely and to provide that seamless combined radio coverage instead of all these kind of wild networks. What we decided was that WLAN networks are hostile networks and they should be treated as such. In the new architecture the organisation wide WLAN network is separated outside protected networks so that even if the access control of the wireless networks is breached, the only access the attacker directly gains is the access to the Internet, not to organisation's protected networks.
We didn't choose to use WEP key and MAC access control lists because they were useless. We didn't yet integrate 802.1X as an access control, because the terminals aren't yet ready for it. Instead we chose to build our WLAN network by using a captive portal to control the traffic demanding less security and VPNs to protect the traffic demanding more. By providing several means to authenticate we achieved better interoperability and usability of the WLAN network than before.
With this architecture we are now able to serve several different terminals, utilise old access points not capable of WEP encryption and support the customised solutions the different departments want to use. The architecture supports even Radius-based WLAN roaming so that people between organisations may use their home user accounts for authentication in the roaming partner's public access network. The same roaming architecture can then be used even if the WLAN network is in the future migrated to 802.1X.
-- Karri Huhtanen http://www.iki.fi/khuhtanen/
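The two posts above (the wireless-gateway description and the "treat the WLAN as hostile" architecture) amount to one policy that a gateway between the wireless segment and everything else enforces per flow. The following is an added illustration, not code from either poster or from any gateway product; the address ranges, portal and concentrator addresses, role names and the 56 kbps guest limit are constructed for the example. It shows the decision logic as a single function so the default-deny shape is visible: a client that has not logged in can only reach DHCP/DNS, the portal and the IPsec concentrator; a portal ("guest") login buys throttled Internet only; the protected networks open only to a directory user and only for traffic that arrived through that user's tunnel.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Constructed addressing for this example (none of it comes from the thread).
WLAN = IPv4Network("10.200.0.0/16")          # the wireless segment, treated as hostile
PROTECTED = (IPv4Network("172.16.0.0/12"),)   # the organisation's protected networks
PORTAL = IPv4Address("10.200.0.1")           # captive portal, reachable before any login
VPN_GW = IPv4Address("10.200.0.2")           # IPsec concentrator, reachable before any login
GUEST_RATE_KBPS = 56                         # throttle applied to portal-authenticated guests

Verdict = Tuple[str, Optional[int]]           # (verdict, rate limit in kbps or None)


def decide(role: Optional[str], via_tunnel: bool, src: str, dst: str,
           proto: str, dport: Optional[int]) -> Verdict:
    """Gateway decision for one flow from a wireless client.

    role: None (no login yet), "guest" (captive-portal login) or "internal" (directory user).
    via_tunnel: True when the packet was decapsulated from that user's IPsec tunnel.
    Verdicts are "allow", "deny" or "redirect-to-portal".
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    if s not in WLAN:
        return ("deny", None)            # this gateway only polices the wireless side
    # Bootstrap traffic every client needs before logging in.
    if proto == "udp" and dport in (53, 67):
        return ("allow", None)           # DNS and DHCP
    if d == PORTAL and proto == "tcp" and dport in (80, 443):
        return ("allow", None)           # the captive portal itself
    if d == VPN_GW and (proto == "esp" or (proto == "udp" and dport in (500, 4500))):
        return ("allow", None)           # IKE / ESP / NAT-T to the concentrator
    # Wireless clients never reach each other through the gateway.
    if d in WLAN:
        return ("deny", None)
    # Protected networks: only internal users, and only inside their tunnel.
    if any(d in net for net in PROTECTED):
        if role == "internal" and via_tunnel:
            return ("allow", None)
        return ("deny", None)            # a compromised AP or a guest login gets nothing here
    # Anything else is the Internet.
    if role is None:
        if proto == "tcp" and dport == 80:
            return ("redirect-to-portal", None)
        return ("deny", None)
    if role == "guest":
        return ("allow", GUEST_RATE_KBPS)
    if role == "internal":
        return ("allow", None)
    return ("deny", None)                # unknown role: fail closed


if __name__ == "__main__":
    print(decide(None, False, "10.200.3.4", "93.184.216.34", "tcp", 80))
    print(decide("guest", False, "10.200.3.4", "172.16.5.5", "tcp", 445))
    print(decide("internal", True, "10.200.3.4", "172.16.5.5", "tcp", 445))
```

The property worth checking is the one the architecture post states: every path from the wireless segment into a protected network requires both a directory identity and the tunnel, so breaking the radio-side access control (WEP, MAC lists, a misconfigured AP) yields Internet access at most. The `via_tunnel` flag is what makes "internal user" mean something; a gateway that keys only on the login and not on where the packet came from would let a spoofed wireless address ride on someone else's session.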
Your comments are spiteful and immature.
Forget 802.1x. It was cracked over a year ago. Here's an article reporting on the vulnerability. WEP (any bit length) is even worse; cracks have been out for it for ages.
Your best bet is to deploy IPSec. Yes, as an earlier poster points out, there are some vulnerabilities that IPSec doesn't address, but if you build your network properly (keep all APs on a spur in the DMZ; make sure the spur router(s) refuse all hostile Ethernet frames), you can mitigate or eliminate those problems.
Schwab
Editor, A1-AAA AmeriCaptions
Our remote access policy requires the cert and will deny any connections without it. Win2k's IAS does not seem to support PEAP, while Win2k3's does. I will never use EAP-MD5, would YOU trust your company's critical info to MS-CHAP?! ;)
We went with separate networks and an authenticated gateway instead and have no regrets. Someone has mentioned reefedge, but there is a free software solution in nocat.net which we are quite happy with. The difference? No clients to install on the user end, no configuration required either. All our hardware remains useful too. Disadvantage? Users are not protected against themselves (have to be trained in using secure protocols). Network can only be used casually (ie. none of our staff are allowed to use it for official purposes).
No Unix or Linux support?
This Blows.
I would never go to NorthWestern University.
Cisco's VPN is also Penn State's solution to the (limited) rollout of campus VPN. It is working fairly well in my building, now they just need to throw more access points up around campus.
Finkployd
Take a look at the Zyair product line from Zyxel. They have built in radius servers and can be found for under 100 dollars.
So... how about enlightening the rest of us who would like to know who makes these things?
finding access-points:
http://www.netstumbler.com/
http://www.kismetwireless.net/
why WEP sucks:
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
http://www.80211-planet.com/tutorials/article.php/1368661
breaking WEP:
http://airsnort.shmoo.com/
http://sourceforge.net/projects/wepcrack
"war-walking" in offices etc.
http://www.pocketwarrior.org/
(of course, the 13yr old sc^H^H überhacker may not have a driving licence, so warwalking is cooler than wardriving)
after reading the documents above, I suggest you take down your WLAN, disconnect from the internet and lock your computer in a safe
[note that I didn't use the word "SNIFFER", I don't want to get sued by NAI].
We are running Funk Software's Steel Belted RADIUS (SBR) on Solaris for 1x authentication requests using TTLS. SBR verifies user credentials on the back end against our OpenLDAP server. We also return the group membership of the validated user with each login so the RAS can implement individual firewalls (at the user's point of access!) based on each user's credentials (aka User Personalized Networking). This is essential for supporting large numbers of open-access ports (i.e. dorms, Library, Student Center, labs...)
We use Enterasys equipment exclusively, including their R2 access points for wireless. We use their Netsight Atlas Policy Manager software to enforce UPN policies.
We have an academic site license for the Meeting House Aegis 1x client. This has worked brilliantly with 2000/XP and MacOS. Linux support has been shaky (it's beta) but we have had success with Open1x in that application. The problem with the Mac is that it doesn't come preconfigured with any certificate authorities under OpenSSL, so we have had to add one manually to each station.
The only problems we have had are a small bug in SBR that caused it to periodically lose contact with LDAP (fixed in SBR 4.0.4) and some quirky early versions of the Aegis clients (fixed). Meeting House has also just released (beta) an enterprise-deployment option that allows us to distribute a preconfigured client. Funk's client is worth looking at also, but it is very pricey.
My suggestions: plan well, test a LOT, and stay the HECK away from any of the MS garbage -- your life will be MUCH simpler!
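The "group membership returned with each login, so the RAS installs a per-user filter" part of the post above is the authenticator's side of the RADIUS reply. Before it acts on the reply, a NAS has to check the Response Authenticator (MD5 over the reply, the request authenticator it sent, and the shared secret, per RFC 2865), otherwise anyone who can answer on the RADIUS port can open a port. The following is an added example, not code from the poster, from SBR or from Enterasys: it builds a constructed Access-Accept carrying the group in a Filter-Id attribute, verifies it, and maps the group to a filter list, falling back to a quarantine filter for unmapped groups and to "port stays closed" for anything that fails verification or is not an Accept. The group names and filter rules are invented for the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11     # RFC 2865: name of a filter list the NAS applies to the session

# Hypothetical per-group filter lists (constructed; not a real policy from the thread).
POLICIES = {
    "students": ["permit udp any dns", "permit tcp any 80,443", "deny any"],
    "staff":    ["permit any internal", "permit any internet", "deny any"],
}
# Authenticated users whose group is unknown get a quarantine filter, not an open port.
QUARANTINE = ["permit udp any dns", "permit tcp helpdesk 443", "deny any"]


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, groups: List[str]) -> bytes:
    """Constructed RADIUS reply as the server would send it (RFC 2865 section 3)."""
    attrs = b"".join(_attr(ATTR_FILTER_ID, g.encode("utf-8")) for g in groups)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Accept only replies computed over our own request authenticator and the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list; a bad length anywhere rejects the whole packet."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def policy_for(packet: bytes, request_authenticator: bytes, secret: bytes) -> Optional[List[str]]:
    """Filter list to install on the user's port, or None to leave the port closed."""
    if not verify_response(packet, request_authenticator, secret):
        return None                      # forged, replayed or corrupted reply: fail closed
    if packet[0] != ACCESS_ACCEPT:
        return None                      # Access-Reject (or anything else) opens nothing
    groups = [v.decode("utf-8", errors="replace")
              for t, v in parse_attributes(packet) if t == ATTR_FILTER_ID]
    for g in groups:
        if g in POLICIES:
            return POLICIES[g]
    return QUARANTINE


if __name__ == "__main__":
    req_auth = bytes(range(16))          # constructed; a NAS draws this at random per request
    reply = build_response(ACCESS_ACCEPT, 9, req_auth, b"s3cret", ["staff"])
    print(policy_for(reply, req_auth, b"s3cret"))
```

The order of checks is the point: authenticity first, then the packet code, then the group lookup, so a reply that fails any step leaves the port exactly as it was. Mapping an unknown group to a quarantine filter rather than to "no filter" keeps a directory change (a new group nobody told the network team about) from silently turning into unrestricted access.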
Why not use IPsec instead?
:>
It's more standardized, it's available on more clients, and if you have a large number of connections through hosts you can use crypto accelerator boards on your routers (running BSD or Linux).
The main issue would be distributing public-key certificates. This could be automated though: have a web page where the netops staff fill in fields for the user information (including a valid email address), generate the certificate with a Perl script/CGI and enter all the information in a database. The generated certificate is then emailed (in clear-text, I know) to the user with a link to a PDF on how to set up their client.
For student accounts you could have the certificates expire on a yearly basis so you don't have old ones lying about. I don't know about the expiration of staff/faculty certificates though. You could perhaps generate a certificate-revocation list (CRL) and transfer that to your routers using something like scp/scp/rsync.
1x is not widely deployed so people are still trying to figure things out. You're basically a beta tester for the rest of us.
Please mod up this post's entire family tree and stop unfair downmodding.
I've deployed 802.1x here in an enterprise setting using Cisco APs and Funk Odyssey. The thing I like about Odyssey is it supports just about every .1x authentication type. We are using a mix of EAP-TTLS and EAP-LEAP and plan to begin testing using EAP-TLS and client side certs soon.
We can also support just about any client nic out there which makes our users happy. I get encryption keys that are unique to each user and change every 9 minutes or so.
I tested several of the commercial VPN solutions prior to going with 802.1x, but in general I found them to be too finicky for our user base, more complicated to administer, and quite expensive to boot...
That was the point I was trying to make... not saying that it *SHOULD* ;)
Thanks... that's very helpful.
I work for a University and within the last 6 months have implemented a wireless network using 802.1x and TKIP. When I started researching, there wasn't much out there in terms of APs, RADIUS servers and clients that support PEAP, and mainstream wireless cards that supported all of the above. Over the last several months, companies have been incorporating WPA features into their APs and cards. We finally settled on Cisco APs, but since we are a University, we cannot mandate a particular card. Something about academic freedom... blah blah blah.
In terms of RADIUS servers, we checked out the major players, Funk and Meetinghouse. (Sorry, open source was not an option.) Meetinghouse had a great server solution that allows us to do PEAP and LDAP auth. We chose Meetinghouse's AEGIS client and server because the price point and feature set were way beyond what Funk was offering at the time. They also have clients for Linux, Mac OS 10.2, Windows, Solaris, and PocketPC, which allows us to be flexible and provide a large-scale solution.
At least I can almost sleep at night knowing that part of my network is almost secure.
Here is what I found out. It works great, once configured correctly, but only if those laptops and desktops are clients. As servers distributing the Wi-Fi, there are pains with it still.
A more important note: make sure you enable security if you have any access points or Wi-Fi peer-to-peer, and password-protect any and all shares.
Taking my laptop for a drive using NetStumbler, I found 70 802.11 access points. UNSECURED points were 67. 3 were secured.
All the unsecured points were wide open to me. I was able to scan IPs, view shared folders, obtain files from the exposed machines, and I had access to their Internet.
And they apparently are still clueless that I gained access to their systems.
Of all the exposed systems, 4 were T1 lines; the rest were broadband access points. Now, I'm not including coffee shops that provide free 802.11 access. That is nice too. But secure your connections, unless you don't mind people accessing your personal information.
My rating of Wi-Fi at this point in time is 4 out of 5 stars. And it is stable, in most cases.
To err is human, to really screw things up, you need a robot.
See this
This sounds very similar to what Microsoft was recommending at their Technet events a couple of months ago:
http://www.connect-ms.com/technet/Resources/TNT 1 -6 6_Clean.ppt
It's supposedly what they use on their corporate network (along with smart cards).
Our Technet guy plainly stated that the MS-branded wireless APs don't support 1x. So he whipped out a D-Link AP that does.
And if you feel you are having trouble, you should see what *my* homework looked like when I went after 802.1x for ethernet.
:)
(and, for those who are curious, there are many, many applications -- if you can't think of any, you don't have meeting rooms with network points in your workplace...
(8-DCS)
About six months ago I tried to get 802.1x to work with FreeRADIUS and Xsupplicant using an Orinoco AP-500 and an Orinoco Gold PCMCIA card under Linux. I couldn't get it to work, though I think it was due to misconfiguration of the AP-500. No attempt to contact the RADIUS server was ever made.
I gave up and went with IPsec, which worked for my needs.
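What the AP in the post above should have been sending to FreeRADIUS, as an added example (not the poster's setup, and not FreeRADIUS or Xsupplicant code): a RADIUS Access-Request carrying the supplicant's EAP Response/Identity in EAP-Message attributes, plus the Message-Authenticator check the server performs on it (RFC 3579). The shared secret, user name and request authenticator are constructed values; only the Python standard library is used. When a capture shows no Access-Request at all, the AP is not configured for RADIUS; when it shows requests that the server silently drops, the Message-Authenticator check below is usually what failed (wrong shared secret).

```python
"""Added example: build the RADIUS Access-Request an AP sends for an 802.1X
client (EAP Response/Identity inside EAP-Message), then verify the Message-
Authenticator the way the server does. Constructed values throughout."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP packet (RFC 3748): code, identifier, length, type, type-data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type, length (value + 2), value; values cap at 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long; fragment it")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identity: bytes, pkt_id: int = 0,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with the attributes a wireless NAS typically sends."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)       # must be fresh per request
    attrs = (attribute(ATTR_USER_NAME, identity)
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attribute(ATTR_EAP_MESSAGE, eap_response_identity(identity))
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    # RFC 3579 3.2: HMAC-MD5(secret, whole packet with the MA value zeroed).
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset of value, value); rejects truncated or overlapping TLVs."""
    out, off = [], 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, off + 2, packet[off + 2:off + length]))
        off += length
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check; a wrong shared secret fails here and the request is dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    for attr_type, off, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # RFC 3579: requests carrying EAP-Message MUST include it


def eap_identity(packet: bytes) -> Optional[bytes]:
    """Reassemble EAP-Message fragments and return the Identity if that is what they carry."""
    eap = b"".join(v for t, _, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(eap):
        return None
    return eap[5:]


if __name__ == "__main__":
    secret = b"testing123"                      # constructed shared secret
    pkt = build_access_request(secret, b"jdoe@example.edu")
    print("identity:", eap_identity(pkt))
    print("good secret:", verify_message_authenticator(pkt, secret))
    print("wrong secret:", verify_message_authenticator(pkt, b"nottheone"))
```

Two points the code makes that the capture alone does not: the Message-Authenticator covers every octet of the request, so a changed User-Name or a truncated packet fails exactly like a wrong secret, and EAP payloads longer than 253 octets arrive as several EAP-Message attributes that must be concatenated before the EAP header is read.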
The Cisco VPN client isn't available on Linux unless you are using x86-compatible CPUs. All other architectures are left in the dust, as usual, with the naive Linux-x86 users boasting that it supports Linux.
FYI, the University of Utah has a .1x environment implemented and functioning. As a lackey, I don't know much about the Radius Mesh, but this sourceforge info may be useful:
http://utahgeeks.sourceforge.net/
To communicate and educate you must give in and use closed source, it is the only safe way to compute.
Give in, let yourself spend money; there are people starving in Redmond. We will be doing the world of communication a favor if no means of digital communication other than MS servers can access knowledge!
OH THE SHAME I fell off the wagon and use sigs again!