Hello fellow PacketFence users... We successfully rolled out PacketFence last summer at one of our private school clients where wireless users connect via 802.1X to a FreeRADIUS server with an OpenLDAP directory as the backend.

"pfcmd version" shows PacketFence 2.2.0, but I think this was reported as a typo and I think this is actually 2.2.2, since the top of the UPGRADE file shows "Upgrading from a version prior to 2.2.1".

The method used for auth is 802.1X EAP-TTLS with inner PAP. EAP-TTLS with inner PAP was used since all research done during the initial LDAP deployment about 7 years ago showed that this was the most popular/supported method when using 802.1X - along with the fact that the passwords in LDAP were in hashed format and all other methods required that the password be in clear text in the LDAP directory (I think that was the reason - it has been a long time though).

Mostly everything has been fine before and after the PF deployment, but we have run up against some issues with iPads, iPods, Mac OS X 10.7 etc. that are causing our client to think that it might be a good idea to set up a special SSID for Apple wireless devices and have them auth with a shared WPA2 passphrase. This of course removes PacketFence from the whole "assign user to VLAN" picture for these devices and actually adds more complexity to the network, which makes me a bit unhappy/uneasy.

Here is the issue in a nutshell as written up by one of the tech guys onsite, with my questions following:

--[snip]--
Mac OS X will never choose by default EAP/TTLS with inner PAP. Therefore, for our students to connect to the wireless, we need to physically see every Apple device, as well as Windows since we install the "Secure W2 supplicant." Regarding Macs, we could easily set this up on the device ourselves until Mac OS X 10.7 Lion came out. This required a Lion server with Profile Manager to create an 802.1X profile using EAP/TTLS with inner PAP which can be imported onto the device. The same profile may be used for every version of iOS (iPads and iPhones). The issue is now twofold.

For one, since we have very specifically set up the wireless profile on devices before 10.7, and it's not a setup that Mac OS X chooses by default, it will often "forget" the saved network and try and connect via WPA. A username and password prompt is presented to the student, but they will never connect because of the previously mentioned issue with Mac configurations. Second, on devices that have this EAP/TTLS with inner PAP profile created with Profile Manager, Apple thinks it's OK to just delete these profiles anytime Mac OS X or iOS is updated. This is not always the case, but oftentimes the profile is not even saved by backing up the device.
--[snip]--

I guess my questions are: should we, can we, and if yes, how would we go about changing from EAP-TTLS with inner PAP to something else that would be "more supported" such as PEAP-MSCHAPv2? I mention PEAP-MSCHAPv2 since plaxx discussed using this on the #packetfence IRC channel. Hi plaxx :)

How would this affect end users (besides having to reconfigure their wireless settings)? Would Apples be "more happy" with this method, not require a profile to be installed, and stop forgetting their settings?

If not PEAP-MSCHAPv2, what would be recommended and work with WinXP, Win7, Apple Macs and other "iDevices"?

I would love to hear any recommendations or ideas. I'd really like to keep PacketFence in charge of all VLAN assignments - wired and wireless - and not have to move to the "one-off" WPA2 solution being proposed by our client.

Thanks so much!

--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
