Slashdot Mirror


User: galimore

galimore's activity in the archive.

Stories: 0
Comments: 77

Comments · 77

  1. Re:University of Utah - 802.1x Campus Standard on Are You Using 802.1X? · · Score: 1

    No more information is available, other than that I am one of the lead developers, and it is something we've talked about doing. ;)

    1.0 will be out soon. We're finishing up all of the features (they're pretty much done) and we'll be making a request for bug reports so we can fix them all before releasing 1.0.

    After that we will be looking at adding WPA and other goodies.

    Please don't hesitate to join the open1x list and give us feedback.

  2. Re:University of Utah - 802.1x Campus Standard on Are You Using 802.1X? · · Score: 1

    Key rotation is a function of 802.1x. The paper is not referring to WPA, but rather to the inherent key rotation that 802.1x provides.

    The Linux support does work, and with the right hardware users get per-user keys. This works today, and we use it often.

    As for your question, no, Linux does not support WPA yet, but yes, it is on the roadmap for the open1x project.

    We're planning a 1.0 release that will come out Real Soon Now(TM), but that won't include WPA.

    Look for WPA support in the next development branch.

  3. Re:802.1x is very secure here-no one is able to lo on Are You Using 802.1X? · · Score: 1

    That was the point I was trying to make... not saying that it *SHOULD* ;)

  4. Re:We just finished rolling out EAP-TLS on a Win2k on Are You Using 802.1X? · · Score: 1

    Err... If they support EAP-TLS they should be able to support EAP-Anythingyouwant.

    The access point authenticator doesn't do anything other than convert the 802.1x frames into radius packets...

    The access point is essentially dumb, except that it does have a hand in passing the keys back to a client. It doesn't need specifics for each EAP type.. only the supplicant and authentication server should have to worry about that.

    You might want to try something other than TLS just to see if it works. (I suggest against EAP-MD5, for wireless, as you can't get keys with it)

  5. Re:No plunge here... on Are You Using 802.1X? · · Score: 1

    LEAP is very similar to 802.1x. The only big difference that I know about is that LEAP does a 2-way authentication to the Network... (Something similar could be done with TLS)

    LEAP is Cisco-proprietary, while 802.1x is an IEEE standard...

    Don't politics just suck?

  6. Re:I guess you learn something every day. on Are You Using 802.1X? · · Score: 1

    It's still not related to speed.

    It's an authentication mechanism. ;)

  7. Re:yes, the security it provides is worth it on Are You Using 802.1X? · · Score: 1

    FreeRadius does NOT work well with 802.1x. Last I checked they didn't support TTLS, and they have poor EAP type support beyond that.

    They do support TLS, but that's only useful if you want to issue a certificate to everyone, which I know some places do want to do.

    Radiator is good, and you can get it for a pretty good deal. You also get the source and unlimited maintenance... ;)

  8. Re:I guess you learn something every day. on Are You Using 802.1X? · · Score: 1

    No, that isn't true...

    802.11x is a yet to be defined IEEE standard.

    Please don't refer to 802.11a/b/g as 802.11x... that is completely false.

    To get a better perspective people should go to the IEEE website and read about their versioning schema.

  9. Re:yes, the security it provides is worth it on Are You Using 802.1X? · · Score: 1

    PEAP and TTLS are very similar.

    PEAP has problems... Microsoft and Cisco, who wrote the RFC, don't follow the RFC, and they don't follow each other either.

    PEAP and TTLS are both using a TLS tunnel for auth.

    They're very similar.

    I recommend TTLS... that's what we're using. It works.

  10. Re:Universities and such on Are You Using 802.1X? · · Score: 3, Informative

    The security of my students is more important than the one or two people that can not access the network.

    We are supporting Mac OS X users.
    We are supporting Windows users.
    We don't support Linux, but we are writing the client. :P

    We have gone out of our way to make this work as best possible for our students, and we would rather them be secure than have them using an unsecure wireless network.

    Take a look at our list of supported cards before you start badmouthing our efforts:

    http://www.laptop.lib.utah.edu/cgi-bin/dot1x/dot 1x Compatibility.pl

    Like I said in another post... if the vendor doesn't support their card, why should we?

    802.1x not working on a standard WIFI card means that they are doing something wrong.

    802.1x functionality does *NOT* need anything special in the driver. It simply needs the driver writers to not do stupid things, like disallow currently undefined ethertypes.

    The client takes care of the 802.1x authentication.

    You don't like the client, tough... don't use the network.

    We want you to be secure, because we *DO* actually care.

  11. Re:another bad name? on Are You Using 802.1X? · · Score: 1

    That just proves that people can't read.

    802.1 is not the same as 802.11, people.

  12. Re:Plenty of experience on Are You Using 802.1X? · · Score: 1

    Help the open1x project finish the port to *BSD.

    http://open1x.sf.net

  13. Re:University of Utah - 802.1x Campus Standard on Are You Using 802.1X? · · Score: 1

    What's the problem with getting a campus site license? The meetinghouse guys have been pretty good in working with us.

    We're using TTLS for our authentication, which only requires a server cert. It works on Mac OS X, Windows, and Linux. We've been using it for a month and a half, we haven't had any problems.

  14. Re:question for /. - 802.1x or a firewall on Are You Using 802.1X? · · Score: 1

    It's still 40/128bit WEP, but the keys rotate, so it's still the same thing, only harder to crack because of the rotation.

  15. Re:question for /. - 802.1x or a firewall on Are You Using 802.1X? · · Score: 1

    The open1x has some *BSD support. (http://open1x.sourceforge.net). It also supports Linux.

  16. Re:IPSec on Are You Using 802.1X? · · Score: 1

    IPSec is good stuff, but use it on TOP of 802.1x.

    802.1x isn't hard to use... if you do it right.

  17. Re:tried it but didnt like it on Are You Using 802.1X? · · Score: 1

    The 900AP+ does have its problems, however, it is NOT hard to set up using Radiator.

    Windows' radius just sucks, IMO.

  18. Re:I guess you learn something every day. on Are You Using 802.1X? · · Score: 1

    I mean standard ethernet networks... not wireless.. :)

  19. Re:I guess you learn something every day. on Are You Using 802.1X? · · Score: 2, Informative

    802.1x is not related to speed... it's an authentication mechanism.

    802.1x works with 802.11a, 802.11b, 802.11g, and standard wireless networks.

    802.1x does not replace wireless, it complements it.

  20. Re:make any card work with 1x! on Are You Using 802.1X? · · Score: 2, Interesting

    Linux users should also check out the open1x project. (http://open1x.sourceforge.net) as it has support for most of the major EAP types, and it's free.

    To people supporting 802.1x:

    If certain vendors aren't supporting 802.1x, don't buy their cards.

    If they don't support their card, why should you?

    Make a recommendation to your users that they should stay away from certain cards.

  21. Re:Another Question... on Are You Using 802.1X? · · Score: 4, Interesting

    Check out the open1x project.

    http://open1x.sourceforge.net

    I'm not only a client, I'm also a developer. ;)

  22. Re:Universities and such on Are You Using 802.1X? · · Score: 5, Informative

    Um... 802.1x *IS* an IEEE standard... people just need to start implementing it correctly... ;)

    Also, not only is there a TLS open source standard... the open1x project (http://www.open1x.org) has a TTLS release, and PEAP in CVS.

    PEAP is a horrid ripoff of TTLS in my opinion.

    P.S. The FUNK guys wrote the TTLS RFC. ;)

    M$ and Cisco wrote the PEAP RFC, but neither of them follow it, or each other.

  23. Re:Answer on Are You Using 802.1X? · · Score: 1

    Both myself and my boss have been using 802.1x at home for quite some time now. It's rather solid, I would have to say. In the couple of weeks I have been using it I have not had ANY problems.

    My suggestion is not to use Win2003 server. Certainly Windows is unstable. :P

    Use the perl-based radius solution called Radiator. It runs on Windows, Mac OS X, Mac OS 9, Linux, Solaris, name your os. Sure, it costs money, but so does Win2003 server, right? (And more, I might add).

  24. Re:802.1x is very secure here-no one is able to lo on Are You Using 802.1X? · · Score: 1

    This is not true... 802.1x has its flaws. Some vendor APs don't support per user keys. Have you done exhaustive sniffing to make sure your users are actually getting a different key than anyone else?

    Viruses usually come in E-mail... 802.1x doesn't do anything to protect your users from viruses.

    Highest possible level of security... maybe... I think I'd agree that it's currently the highest possible STANDARD security available today for 802.11 networks that has been ratified by the IEEE.

  25. Re:802.1x vs. WPA on Are You Using 802.1X? · · Score: 1

    WPA includes portions of 802.11i. Specifically WPA has the TKIP stuff... (Temporal keys) basically gives you per-packet encryption, and a few other things. WPA is a precursor to 802.11i that a lot of vendors are implementing as the next step. It's good stuff.