Re: [WIRELESS-LAN] Force Windows to send UPN
Correct.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

From: Tim Cappalli cappa...@brandeis.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Monday, November 18, 2013 5:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN

So you are using the single sign on feature, not machine auth?

Thanks

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

On Nov 15, 2013 10:42 AM, Johnson, Neil M neil-john...@uiowa.edu wrote:

Here is what we ended up doing. Quoted from our Enterprise Client Team e-mail…..

We have had some reported issues with the Eduroam single sign on GPO. The GPO, called _PUBLIC-Eduroam Wireless Config, allows laptops to connect to Eduroam before logon as long as the UPN is used as the username – haw...@uiowa.edu. The issue occurs after the computer connects and logs in fine. Then while it is being used it disconnects from Eduroam and never reconnects. It tries to reconnect with iowa\HawkID, which causes the failure.

I have created a fix for this by adding a second wireless profile to the GPO called Eduroam Reconnect. The original profile is still there, so single sign on works as expected. If during regular use the machine disconnects from Eduroam and fails to reconnect, it falls back to Eduroam Reconnect which prompts for a user ID. This allows the user to type haw...@uiowa.edu and reconnect to the Wireless network again. If they are disconnected again, it will reconnect using this profile without prompting.

We have this implemented in a few places around campus, and I’d like to add it to the public GPO. Let me know if you have any issues or concerns. Otherwise, I’ll make the change at the end of the day.

It's not elegant, but it does work…

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

From: Walter Reynolds wa...@umich.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, November 14, 2013 10:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN

I would be interested in the answer as well.

Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Nov 14, 2013 at 10:01 AM, Tim Cappalli cappa...@brandeis.edu wrote:

Morning,

Does anyone know of a way to force Windows to pass credentials in the UPN format instead of NETBIOS when using the “Automatically use Windows credentials” option for user authentication? Is there a group policy option to disable legacy NETBIOS use for authentication?

For example, my user account:
NETBIOS: USERS\cappalli
UPN: cappa...@brandeis.edu

Thanks for the help

Tim

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
802.1x vs web-portal
Just wondering what people's thoughts are here regarding using the Web Portal authentication vs 802.1x auth in your wifi networks. Obviously one big pro for 802.1x is dynamic vlan assignment based on the users' credentials, but certainly for web-portal the big pro is simplicity for the user.

We currently use ExpressConnect to configure student devices for our 802.1x wifi network using cert-based authentication, and while it works great 90% of the time, we have 10% where it's tough to get the user on for a variety of reasons on student owned devices. Since we provide guest access via a portal authentication, we inevitably get the question as to why don't we do all wifi auth with that? I know when I first started out, there were limitations with the # of users a portal auth system could support, but I don't think that's a major concern anymore (we are using Cisco 5508 controllers here).

Just wondering what the thoughts are on this list. Always good input.

Thanks

Matt
RE: 802.1x vs web-portal
Portal net is unencrypted, or encrypted?

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ashfield, Matt (NBCC)
Sent: Tuesday, November 19, 2013 3:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x vs web-portal

Just wondering what people's thoughts are here regarding using the Web Portal authentication vs 802.1x auth in your wifi networks. Obviously one big pro for 802.1x is dynamic vlan assignment based on the users' credentials, but certainly for web-portal the big pro is simplicity for the user.

We currently use ExpressConnect to configure student devices for our 802.1x wifi network using cert-based authentication, and while it works great 90% of the time, we have 10% where it's tough to get the user on for a variety of reasons on student owned devices. Since we provide guest access via a portal authentication, we inevitably get the question as to why don't we do all wifi auth with that? I know when I first started out, there were limitations with the # of users a portal auth system could support, but I don't think that's a major concern anymore (we are using Cisco 5508 controllers here).

Just wondering what the thoughts are on this list. Always good input.

Thanks

Matt
Re: [WIRELESS-LAN] 802.1x vs web-portal
One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages. There is also the more obvious issue that client data is not encrypted over the air, although you could argue that more and more applications are using TLS/SSL.

I do think that you are correct that captive portal robustness has been dramatically increased with products like the 5508, which handles a great deal more simultaneous connections than other products before it. I also feel like captive portal security is kinder to backend authentication servers since the authentication is typically done once with a decent length session timeout, whereas many supplicants do tons of reauths.

Thanks.

Ken
--
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless

On Nov 19, 2013, at 3:28 PM, Ashfield, Matt (NBCC) matt.ashfi...@nbcc.ca wrote:

Just wondering what people’s thoughts are here regarding using the Web Portal authentication vs 802.1x auth in your wifi networks. Obviously one big “pro” for 802.1x is dynamic vlan assignment based on the users’ credentials, but certainly for web-portal the big “pro” is simplicity for the user.

We currently use ExpressConnect to configure student devices for our 802.1x wifi network using cert-based authentication, and while it works great 90% of the time, we have 10% where it’s tough to get the user on for a variety of reasons on student owned devices. Since we provide guest access via a portal authentication, we inevitably get the question as to why don’t we do all wifi auth with that? I know when I first started out, there were limitations with the # of users a portal auth system could support, but I don’t think that’s a major concern anymore (we are using Cisco 5508 controllers here).

Just wondering what the thoughts are on this list. Always good input.

Thanks

Matt
RE: [WIRELESS-LAN] 802.1x vs web-portal
Can anyone name an application that does not have strong encryption?

I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Pete Morrissey

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken LeCompte
Sent: Tuesday, November 19, 2013 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages. There is also the more obvious issue that client data is not encrypted over the air, although you could argue that more and more applications are using TLS/SSL.

I do think that you are correct that captive portal robustness has been dramatically increased with products like the 5508, which handles a great deal more simultaneous connections than other products before it. I also feel like captive portal security is kinder to backend authentication servers since the authentication is typically done once with a decent length session timeout, whereas many supplicants do tons of reauths.

Thanks.

Ken
--
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless

On Nov 19, 2013, at 3:28 PM, Ashfield, Matt (NBCC) matt.ashfi...@nbcc.ca wrote:

Just wondering what people's thoughts are here regarding using the Web Portal authentication vs 802.1x auth in your wifi networks. Obviously one big pro for 802.1x is dynamic vlan assignment based on the users' credentials, but certainly for web-portal the big pro is simplicity for the user.

We currently use ExpressConnect to configure student devices for our 802.1x wifi network using cert-based authentication, and while it works great 90% of the time, we have 10% where it's tough to get the user on for a variety of reasons on student owned devices. Since we provide guest access via a portal authentication, we inevitably get the question as to why don't we do all wifi auth with that? I know when I first started out, there were limitations with the # of users a portal auth system could support, but I don't think that's a major concern anymore (we are using Cisco 5508 controllers here).

Just wondering what the thoughts are on this list. Always good input.

Thanks

Matt
Re: [WIRELESS-LAN] 802.1x vs web-portal
On 11/19/2013 4:05 PM, Peter P Morrissey wrote:

Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Does FireSheep or Ettercap ring any bells?

Jeff
RE: [WIRELESS-LAN] 802.1x vs web-portal
I've been very surprised to find applications on campus that don't encrypt data. We've found recently even in credit card processing devices that were not properly configured, and sent information in the clear. Given the vast amount of applications out there, and the absolute zero control over how they are written, you can't assume anything. And sometimes you don't need to be able to decrypt the payload to get useful information.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Tuesday, November 19, 2013 4:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

Can anyone name an application that does not have strong encryption?

I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Pete Morrissey

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken LeCompte
Sent: Tuesday, November 19, 2013 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages. There is also the more obvious issue that client data is not encrypted over the air, although you could argue that more and more applications are using TLS/SSL.

I do think that you are correct that captive portal robustness has been dramatically increased with products like the 5508, which handles a great deal more simultaneous connections than other products before it. I also feel like captive portal security is kinder to backend authentication servers since the authentication is typically done once with a decent length session timeout, whereas many supplicants do tons of reauths.

Thanks.

Ken
--
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless

On Nov 19, 2013, at 3:28 PM, Ashfield, Matt (NBCC) matt.ashfi...@nbcc.ca wrote:

Just wondering what people's thoughts are here regarding using the Web Portal authentication vs 802.1x auth in your wifi networks. Obviously one big pro for 802.1x is dynamic vlan assignment based on the users' credentials, but certainly for web-portal the big pro is simplicity for the user.

We currently use ExpressConnect to configure student devices for our 802.1x wifi network using cert-based authentication, and while it works great 90% of the time, we have 10% where it's tough to get the user on for a variety of reasons on student owned devices. Since we provide guest access via a portal authentication, we inevitably get the question as to why don't we do all wifi auth with that? I know when I first started out, there were limitations with the # of users a portal auth system could support, but I don't think that's a major concern anymore (we are using Cisco 5508 controllers here).

Just wondering what the thoughts are on this list. Always good input.

Thanks

Matt
Re: [WIRELESS-LAN] 802.1x vs web-portal
On Nov 19, 2013, at 15:05, Peter P Morrissey ppmor...@syr.edu wrote:

Can anyone name an application that does not have strong encryption?

Does not have strong encryption != Strong encryption is in use by default

DNS springs to mind. Heck, just leave tcpdump running when you wake a machine up from sleep and see all the things it tries to do on the network.

--
Julian Y. Koh
Acting Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
Re: [WIRELESS-LAN] 802.1x vs web-portal
On Nov 19, 2013, at 3:05 PM, Peter P Morrissey ppmor...@syr.edu wrote:

Can anyone name an application that does not have strong encryption?

Search engines such as Google and Bing only encrypt data if you log into the service. Even when logged into YouTube the video stream does not appear to be encrypted.

In addition to security there is also a privacy component. On an unencrypted wireless that uses a web portal a person’s data exchanged with a Bank’s website will be encrypted with TLS/SSL. However anyone watching the wireless packets can see that the person connected to the Bank’s web site since they can see the IP numbers of the TLS session. But on a wireless session protected with WPA2 a snooper can not see what sites a person visits because the IP numbers are encrypted as well.

I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Pete Morrissey

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken LeCompte
Sent: Tuesday, November 19, 2013 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages. There is also the more obvious issue that client data is not encrypted over the air, although you could argue that more and more applications are using TLS/SSL.

I do think that you are correct that captive portal robustness has been dramatically increased with products like the 5508, which handles a great deal more simultaneous connections than other products before it. I also feel like captive portal security is kinder to backend authentication servers since the authentication is typically done once with a decent length session timeout, whereas many supplicants do tons of reauths.

Thanks.

Ken
--
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless

On Nov 19, 2013, at 3:28 PM, Ashfield, Matt (NBCC) matt.ashfi...@nbcc.ca wrote:

Just wondering what people's thoughts are here regarding using the Web Portal authentication vs 802.1x auth in your wifi networks. Obviously one big pro for 802.1x is dynamic vlan assignment based on the users' credentials, but certainly for web-portal the big pro is simplicity for the user.

We currently use ExpressConnect to configure student devices for our 802.1x wifi network using cert-based authentication, and while it works great 90% of the time, we have 10% where it's tough to get the user on for a variety of reasons on student owned devices. Since we provide guest access via a portal authentication, we inevitably get the question as to why don't we do all wifi auth with that? I know when I first started out, there were limitations with the # of users a portal auth system could support, but I don't think that's a major concern anymore (we are using Cisco 5508 controllers here).

Just wondering what the thoughts are on this list. Always good input.

Thanks

Matt

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II
701-231-8527
North Dakota State University
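
Added example (not part of any list message): the two replies above point out that DNS and other traffic leaves a client in the clear, and that on an unencrypted portal network the destination IPs of TLS sessions are visible. The sketch below audits a capture of your own machine's outbound traffic for exactly that. The `tcpdump -nn` lines are constructed sample data, the function names are hypothetical, and classifying by destination port is a simplifying assumption.

```python
import re

# Constructed sample of `tcpdump -nn` text output, outbound packets only
# (documentation-range server addresses; not taken from the thread).
SAMPLE = """\
08:15:02.101001 IP 10.20.30.40.53211 > 192.0.2.53.53: 4321+ A? updates.example.com. (37)
08:15:02.140220 IP 10.20.30.40.49822 > 198.51.100.10.80: Flags [P.], seq 1:120, ack 1, win 229, length 119: HTTP: GET /check HTTP/1.1
08:15:02.190734 IP 10.20.30.40.49823 > 203.0.113.7.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
08:15:02.250000 IP 10.20.30.40.53212 > 192.0.2.53.53: 4322+ AAAA? mail.example.org. (34)
08:15:02.300412 IP 10.20.30.40.123 > 192.0.2.123.123: NTPv4, Client, length 48
08:15:02.305000 ARP, Request who-has 10.20.30.1 tell 10.20.30.40, length 28
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <decoded summary>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
DNS_QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<name>\S+)")
HTTP_REQ_RE = re.compile(r"HTTP: (?P<req>[A-Z]+ \S+)")


def audit(capture_text):
    """Sort each outbound IPv4 packet line by what it exposes on the link."""
    report = {
        "dns_names": set(),     # names asked in cleartext DNS queries
        "cleartext_http": [],   # (server, request) pairs sent to port 80
        "tls_peers": set(),     # payload protected by TLS, peer address is not
        "other_peers": set(),   # (server, port) pairs this sketch does not classify
        "all_peers": set(),     # every destination IP seen
        "skipped": 0,           # lines that are not IPv4 TCP/UDP (ARP etc.)
    }
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            if line.strip():
                report["skipped"] += 1
            continue
        dst, dport, rest = m["dst"], int(m["dport"]), m["rest"]
        report["all_peers"].add(dst)
        if dport == 53:
            q = DNS_QUERY_RE.search(rest)
            if q:
                report["dns_names"].add(q["name"].rstrip(".").lower())
        elif dport == 80:
            r = HTTP_REQ_RE.search(rest)
            report["cleartext_http"].append((dst, r["req"] if r else "(no request line)"))
        elif dport == 443:
            report["tls_peers"].add(dst)
        else:
            report["other_peers"].add((dst, dport))
    return report


def observer_view(report, link_encrypted):
    """What someone capturing the radio link can read from these packets.

    link_encrypted=True models WPA2 with 802.1X (per-user keys): the IP header
    and everything above it sits inside the encrypted frame body.
    link_encrypted=False models an open SSID behind a captive portal.
    802.11 MAC addresses and frame sizes are visible either way (not modelled).
    """
    if link_encrypted:
        return {"dns_names": set(), "http_requests": [], "destination_ips": set()}
    return {
        "dns_names": set(report["dns_names"]),
        "http_requests": list(report["cleartext_http"]),
        "destination_ips": set(report["all_peers"]),
    }


if __name__ == "__main__":
    rep = audit(SAMPLE)
    for label, encrypted in (("open SSID + portal", False), ("WPA2 / 802.1X", True)):
        view = observer_view(rep, encrypted)
        print(label)
        print("  DNS names:      ", sorted(view["dns_names"]))
        print("  HTTP requests:  ", view["http_requests"])
        print("  destination IPs:", sorted(view["destination_ips"]))
```

To run it on real data, replace `SAMPLE` with saved `tcpdump -nn` output filtered to packets sent by the client under test.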
Re: [WIRELESS-LAN] 802.1x vs web-portal
from the top of my head...

###What's bad for the user:
-Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL Cert from RADIUS you actually authenticate the infrastructure)
-802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)

###What's bad for the network engineer (and user stuff as well...):
-Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
-802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate Expiration and help desk calls resulting from it

add yours!

Philippe

Philippe Hanset
www.eduroam.us

On Nov 19, 2013, at 2:10 PM, Jeff Kell jeff-k...@utc.edu wrote:

On 11/19/2013 4:05 PM, Peter P Morrissey wrote:

Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Does FireSheep or Ettercap ring any bells?

Jeff
802.11k
Curious if others have enabled 802.11k and if doing so has resulted in any client connectivity issues for clients that do not support it.

Also, for the Cisco shops, the same question for "non-802.11k assisted roaming", i.e. "config wlan assisted-roaming prediction {enable | disable} wlan-id"

Mike Albano
Network Engineer
UNLV
Re: [WIRELESS-LAN] 802.1x vs web-portal
We use 802.1x to do machine auth on equipment that we own and that is in the domain. We use Group Policy to push all of the settings. We have auth type set to 'user or computer'; once the user logs on it flips to user auth. It's really cool because NAC will give the computer a 'Computer' policy when nobody is logged in and we can push updates or get statistics on the machine when nobody is logged in. At the point when someone logs on the computer is already on the network and connected to AD. Logins are smooth and then the user gets whatever policy is appropriate for them.

Your question was most likely meant for student owned computers but college owned 802.1x has huge advantages.

On Nov 19, 2013 6:26 PM, Hanset, Philippe C phan...@utk.edu wrote:

from the top of my head...

###What's bad for the user:
-Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL Cert from RADIUS you actually authenticate the infrastructure)
-802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)

###What's bad for the network engineer (and user stuff as well...):
-Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
-802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate Expiration and help desk calls resulting from it

add yours!

Philippe

Philippe Hanset
www.eduroam.us

On Nov 19, 2013, at 2:10 PM, Jeff Kell jeff-k...@utc.edu wrote:

On 11/19/2013 4:05 PM, Peter P Morrissey wrote:

Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Does FireSheep or Ettercap ring any bells?

Jeff
RE: [WIRELESS-LAN] 802.1x vs web-portal
List seems to sum it up pretty well. I think user wise dot1x is better ... once set up. So while it may be more of a pain to configure for some users, once configured the experience is much better as they walk on to campus and are connected. Having a captive portal is probably a good option for those that can't get dot1x working.

I'm interested in the 10% though, do you get them all connected in the end? 10% seems quite a high percentage.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Wednesday, 20 November 2013 9:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

from the top of my head...

###What's bad for the user:
-Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL Cert from RADIUS you actually authenticate the infrastructure)
-802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)

###What's bad for the network engineer (and user stuff as well...):
-Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
-802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate Expiration and help desk calls resulting from it

add yours!

Philippe

Philippe Hanset
www.eduroam.us

On Nov 19, 2013, at 2:10 PM, Jeff Kell jeff-k...@utc.edu wrote:

On 11/19/2013 4:05 PM, Peter P Morrissey wrote:

Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Does FireSheep or Ettercap ring any bells?

Jeff