RE: [WIRELESS-LAN] Transitioning to dot1x
Hi Bob-

We've been doing dot1x now for a few years, and in my opinion people tend to struggle with:
- What EAP type to use
- What RADIUS server to use
- How to get supplicants configured, and whether or not to support a variety of supplicants
- What about AD machines over wireless

We chose PEAP w/ MS-CHAPv2 because it's well supported natively in both Windows and Mac machines. That being said- we had to say no more support for Windows 2000, 98, Me, etc. Same on Mac- a minimum OS was required. We avoided other EAP types that require a per-device cert, and officially only support the native Windows supplicant and native Mac supplicants for ease of support.

We also chose to stick with our "classic" Cisco ACS 3.3.3 boxes- simply because we already had them, and they do a rock-solid job as well as provide decent logs (important). They also talk well with our AD credential store for user credential verification.

We have found the ID Engines- now Cloudpath- supplicant configuration tool to be key to our success in that we can point users to a "help SSID" for initial client config, or self-remediation later if they hose their settings. Very powerful- but again, requires that users use Windows and Mac native supplicants and disable all of the ProSet, Broadcom, Toshiba, etc wireless utilities. We also provide basic settings in document form for advanced users that won't give up their third party utilities, and for Linux/handheld users that we can't auto-configure.

Driver issues will manifest themselves more on a dot1x network- the rule of thumb is to keep them updated, or as a minimum, update before going to 1x. This often helps Windows machines when nothing else will. On the Macintosh side, unfortunately it seems that even minor code updates can wreak havoc on the wireless driver and 1x utility- but once you get past whatever new curve ball Apple throws you, they work very reliably.

As for AD machines on wireless- that's a whole different ballgame. Officially, we do not support AD machines over our wireless networks, but if the machine name is the same as the userID, it will work in our environment.

Then there's loaner laptops... and NAC integration... and how to handle visitors on the network. All have solutions, but you may have to get creative.

We have 2000+ APs, 12 WiSMs, and typically see 5,500-6,000 users at peak on our wireless networks daily. In the dorms (100% covered) wired usage has fallen to less than 20% of what it was 2 years ago, and has become mostly an "entertainment" network.

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 7:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Transitioning to dot1x

We are in the process of trying to move all of our users to our WPA/WPA2 dot1x wireless. We hope to shut down the wide open non-authenticated SSID this summer. We've had numerous communications sent out and we always seem to get responses that the new dot1x network is slower than the old and that people have trouble maintaining a connection. I am curious as to how other schools approach this. Is it possible that a dot1x-only network magnifies trouble areas of wireless coverage? Or is it that the dot1x network is more sensitive to client issues? Or could it be something I had not mentioned. BTW, we are a Cisco WiSM/LWAPP shop.

Thanks!
Bob Richman
Network Engineer
University of Notre Dame
Rich ma...@nd.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Transitioning to dot1x
Last time I checked, Windows Mobile didn't come with a dot1x supplicant (that worked). Do you require users to purchase their own supplicant or do you have a site license?

Lelio Fulgenzi, Senior Analyst
Computing Communications
University of Guelph
519-824-4120 x56354

...sent from my iPod - please pardon my fat fingers ;)
RE: [WIRELESS-LAN] Transitioning to dot1x
We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak.

Daniel Bennett
IT Security Analyst
Security+
PA College of Technology
One College Ave
Williamsport PA 17701
(P) 570.329.4989
Re: [WIRELESS-LAN] Transitioning to dot1x
We've been running a combination of WPA/TKIP and WPA2/AES with 802.1x (PEAP/MS-CHAPv2) for approximately 1.5 years now, WEP with 802.1x for several years prior to that. For about the past 2 years, we've been running on a single WiSM with all lightweight APs. Prior to that, we ran all autonomous Cisco APs grouped into WDS domains by building.

Our setup:

Primary SSID - WPA/TKIP or WPA2/AES with 802.1x (we experienced issues when also enabling WPA/AES and WPA2/TKIP on the WLC). Most clients will usually pick WPA2/AES when auto-configured, which will work in most cases - although some clients think they can support it, but don't, and will still try anyway.

PDA SSID - WPA/TKIP only with 802.1x, SSID broadcast disabled. We primarily use this SSID for older PDAs, WinCE embedded devices, and anything else that doesn't cope well with having WPA and WPA2 enabled on a single SSID. Also, we've found that most PDAs claiming to support WPA2 or AES don't (or just don't play well with our environment).

OS Notes:

Windows XP will not detect or default to PEAP, so for non-domain clients or in an environment without a GPO configuring client wireless, this option will need to be configured manually.

Windows Vista appears to default to PEAP as the EAP type, so most clients will be able to auto-configure themselves without any intervention.

Windows Mobile >= 6 appears to have much improved 802.11/WPA/802.1x/etc support over previous versions. The only issue we ran into was the EAP identity request timeout on our WLC being set too low - this caused the PDA to always think it failed to authenticate because it would receive a new request before it was able to send the previous response. You'll probably want to issue the following command on your controller(s):

config advanced eap identity-request-timeout 30

The default value is 1 and will cause issues with some clients, especially PDAs.

For RADIUS, we are currently using a mix of IAS and ACS, although we will be evaluating other products in the near future. IAS has too many limitations and ACS doesn't play well with our multi-domain/forest one-way trust setup when performing computer account authentication with 802.1x.

We take advantage of RADIUS to kick users to a specific VLAN, depending on their user class (student, fac/staff, guest, etc) - this requires that AAA override be enabled on the WLC and the RADIUS server response includes the appropriate TLV to force this change (type 26, vendor ID 14179, vendor type 5). This works well to split users for security, bandwidth restriction, etc, while only having to maintain a single SSID. We also use this option with Campus Manager for registration, quarantine, and dead-end destined users.

Overall, we see very few issues that can be directly blamed on using WPA, WPA2 or 802.1x. When we do see issues, it's usually a misconfigured client, bad driver, or old WLAN card. Encryption definitely causes a performance hit, so you may not see quite the performance level of an open network, but the difference shouldn't be significant if the encryption is done in hardware (which most newer WLAN cards should support). If a client is pushing the RF limits of their link, it will increase the chance that they experience issues when running 802.1x, since it requires work between the client and network to negotiate and maintain the connection - authentication, key negotiation, re-keying, etc all require some 2-way communication; if packet loss is high enough, expect to see random failures during these events.

--
:: Doug Hoffman, Network and Systems Administrator ::
:: Office of Technology / Network Services ::
::: Bloomsburg University of Pennsylvania :::
::: +1.570.389.4759 / dhoff...@bloomu.edu :::
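The VLAN-steering reply Doug describes, shown as an added example that is not code from the thread, from Cisco, or from any RADIUS server product. It builds a RADIUS Access-Accept that carries the Vendor-Specific attribute (type 26, vendor ID 14179, vendor type 5, which the Cisco dictionary calls Airespace-Interface-Name), computes the Response Authenticator the NAS checks before trusting the reply (RFC 2865), and parses the packet back the way a controller would. The user-class-to-interface mapping, the shared secret and the request authenticator are made-up values for illustration; the WLC still has to have AAA override enabled for the interface name to take effect.

```python
"""RADIUS Access-Accept carrying the Cisco/Airespace interface-name VSA.

Added example, not code from the thread or from any RADIUS product.
Attribute layout follows RFC 2865 section 5.26; the interface names,
shared secret and request authenticator below are constructed values.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_INTERFACE_NAME = 5  # vendor type: WLC dynamic interface name

# Hypothetical WLC dynamic-interface names keyed by user class.
INTERFACE_BY_CLASS = {
    "student": "vlan-students",
    "facstaff": "vlan-facstaff",
    "guest": "vlan-guest",
}


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length String."""
    if len(value) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (inner header)
        raise ValueError("VSA value too long for a single attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Split a Vendor-Specific value into (vendor_id, vendor_type, string)."""
    if len(value) < 6:
        raise ValueError("truncated VSA")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vendor_type, vendor_len = value[4], value[5]
    if vendor_len != len(value) - 4:
        raise ValueError("inconsistent vendor length")
    return vendor_id, vendor_type, value[6:]


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; reject bad lengths rather than reading past the end."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, user_class: str) -> bytes:
    """Access-Accept whose only attribute is the Airespace interface-name VSA.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    interface = INTERFACE_BY_CLASS[user_class]
    attrs = encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME, interface.encode("ascii"))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does before trusting any attribute in the reply."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def interface_from_access_accept(packet: bytes) -> Optional[str]:
    """Return the dynamic interface name a WLC would apply, or None if absent."""
    if len(packet) < 20 or packet[0] != CODE_ACCESS_ACCEPT:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, vendor_type, string = decode_vsa(value)
        if vendor_id == AIRESPACE_VENDOR_ID and vendor_type == AIRESPACE_INTERFACE_NAME:
            return string.decode("ascii")
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))          # constructed, not a real authenticator
    secret = b"example-shared-secret"    # constructed, not a real secret
    pkt = build_access_accept(0x2A, req_auth, secret, "student")
    print(verify_response_authenticator(pkt, req_auth, secret), interface_from_access_accept(pkt))
```

The two checks worth keeping in mind from this: the NAS only trusts the interface name after the Response Authenticator verifies against the shared secret and the original Request Authenticator, and a parser that does not validate the outer and inner length bytes will read past the attribute on a malformed reply.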
RE: [WIRELESS-LAN] Transitioning to dot1x
We are using MS IAS for RADIUS with PEAP. We don't have trouble getting folks configured and connected. Just after that we get complaints of 'getting kicked off' and was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don't really have any hard data to back that up.

Thanks,
Bob Richman
Network Engineer
University of Notre Dame
rrichma...@nd.edu
RE: [WIRELESS-LAN] Transitioning to dot1x
We don't see this, but have you checked the "support fast roaming" (or something like that) setting on the IAS and clients?
RE: [WIRELESS-LAN] Transitioning to dot1x
We use the new Network Policy Server, part of Windows 2008 Server. We found that enabling fast reconnect on the client (for Windows) could help to prevent users from losing connection. There are also other contributing factors:
- Do you have the AP saturation to support seamless transitions
- I believe you also need to configure something in WCS or WiSM to allow computers to hop between APs without losing connections.

Daniel Bennett
IT Security Analyst
Security+
PA College of Technology
One College Ave
Williamsport PA 17701
(P) 570.329.4989
RE: [WIRELESS-LAN] Transitioning to dot1x
The 2nd point Daniel makes is what I am trying to zero in on. We are thinking that in areas where the saturation is not optimal, handoffs worked just fine on a wide open WLAN, but then cause problems when using an 802.1X-authenticated WLAN.

From: Daniel Bennett
Sent: Thursday, February 19, 2009 11:02 AM
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We use the new Network Policy Server, part of Windows 2008 Server. We found that enabling fast reconnect on the client (for Windows) could help to prevent users from losing connection. There are also other contributing factors:
- Do you have the AP saturation to support seamless transitions?
- I believe you also need to configure something in WCS or WiSM to allow computers to hop between APs without losing connections.

Daniel Bennett

From: Bob Richman
Sent: Thursday, February 19, 2009 10:38 AM
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We are using MS IAS for RADIUS with PEAP. We don't have trouble getting folks configured and connected. Just after that we get complaints of 'getting kicked off' and was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don't really have any hard data to back that up.

Thanks,
Bob Richman
Network Engineer
University of Notre Dame
rrichma...@nd.edu

From: Daniel Bennett
Sent: Thursday, February 19, 2009 8:20 AM
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak.

Daniel Bennett
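Bob says he suspects the "kicked off" complaints happen on roams but has no hard data. Every Access-Accept the RADIUS server logs for a client is a full EAP exchange, so comparing each accept with that client's previous one tells you why it happened: the AP changed (a roam that did not hit the controller's key cache), the interval matches the controller's periodic session timeout (30 minutes by default on these controllers, as noted elsewhere in this thread), or neither (a coverage hole, driver reset or similar). The script below is an added example, not something posted on the list; the log lines are constructed for it and the format is not the native IAS/NPS/ACS export format, so LINE_RE would need adapting to a real server's output.

```python
"""Classify full 802.1X re-authentications from RADIUS Access-Accept logs.

Added example for this thread. The log format is constructed for the example
(not the native format of IAS, NPS or ACS); adapt LINE_RE for a real export.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: user1 roams from AP ..01 to ..02 and then re-auths there
# exactly 30 minutes later; user2 stays on ..01, re-auths at the 30-minute mark
# and then again after only 10.5 minutes. The reject is a credential failure
# and is ignored.
SAMPLE_LOG = """\
2009-02-19 10:00:00 Access-Accept user=user1 mac=00:1b:77:11:22:33 ap=00:1a:2b:3c:4d:01
2009-02-19 10:04:10 Access-Accept user=user1 mac=00:1b:77:11:22:33 ap=00:1a:2b:3c:4d:02
2009-02-19 10:34:10 Access-Accept user=user1 mac=00:1b:77:11:22:33 ap=00:1a:2b:3c:4d:02
2009-02-19 10:00:30 Access-Accept user=user2 mac=00:21:5c:44:55:66 ap=00:1a:2b:3c:4d:01
2009-02-19 10:30:30 Access-Accept user=user2 mac=00:21:5c:44:55:66 ap=00:1a:2b:3c:4d:01
2009-02-19 10:41:00 Access-Accept user=user2 mac=00:21:5c:44:55:66 ap=00:1a:2b:3c:4d:01
2009-02-19 10:05:00 Access-Reject user=nobody mac=00:11:22:33:44:55 ap=00:1a:2b:3c:4d:01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>Access-\w+) "
    r"user=(?P<user>\S+) mac=(?P<mac>\S+) ap=(?P<ap>\S+)$"
)


def parse_accepts(log):
    """Return (timestamp, user, mac, ap) for every Access-Accept, oldest first.
    Rejects are skipped: they are credential problems, not 'kicked off' events."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "Access-Accept":
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["mac"].lower(), m["ap"].lower()))
    events.sort()
    return events


def classify(log, session_timeout=1800, tolerance=60):
    """Label each accept as initial, roam, session-timeout or other.

    session_timeout is the WLAN session timeout in seconds (1800 = the
    30-minute default mentioned in the thread); tolerance absorbs EAP latency."""
    last_seen = {}  # mac -> (timestamp, ap) of that client's previous accept
    labelled = []
    for ts, user, mac, ap in parse_accepts(log):
        prev = last_seen.get(mac)
        if prev is None:
            label = "initial"
        elif ap != prev[1]:
            # A full EAP exchange on an AP change means key caching did not
            # help this client: either the WLAN/cipher does not support it or
            # the supplicant does not use it.
            label = "roam"
        elif abs((ts - prev[0]).total_seconds() - session_timeout) <= tolerance:
            # Same AP, re-auth at the timeout interval: the controller forced it.
            label = "session-timeout"
        else:
            label = "other"
        labelled.append((ts, user, mac, ap, label))
        last_seen[mac] = (ts, ap)
    return labelled


def summarize(log, **kwargs):
    """Counts per label, e.g. {'initial': 2, 'roam': 1, ...}."""
    return dict(Counter(item[-1] for item in classify(log, **kwargs)))


def roam_targets(log):
    """APs that clients roamed *to* with a full re-auth: where to look first for
    coverage gaps (Daniel's saturation point) or missing key caching."""
    return dict(Counter(ap for _, _, _, ap, label in classify(log) if label == "roam"))


if __name__ == "__main__":
    for ts, user, mac, ap, label in classify(SAMPLE_LOG):
        print(ts, user, mac, ap, label)
    print(summarize(SAMPLE_LOG))
    print(roam_targets(SAMPLE_LOG))
```

If the "roam" bucket dominates, key caching is the thing to fix; if "session-timeout" dominates, the WLAN session timeout is; a large "other" bucket points at coverage or drivers rather than 802.1X itself.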
RE: [WIRELESS-LAN] Transitioning to dot1x
Check your WLAN Session Timeout - this forces a full re-auth at the specified interval. The default for dot1x is every 30 minutes. You may want to make this value larger. The User Idle Timeout will do the same thing, but most laptops generate enough incidental traffic to keep the idle timer open. Smaller form factors may not be as chatty.

If it's due to roaming, you may want to use WPA2/AES rather than TKIP, as this supports Proactive Key Caching. Do a "sh pmk-cache all" on the controllers to verify.

Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, Ma 02129
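The reason Bruce's advice is "WPA2, not TKIP" is in the (re)association request. After a full PEAP exchange both the station and the controller hold a PMK. With WPA2 the station can list a PMKID in the RSN IE of its association request; under proactive/opportunistic key caching the controller derives the PMKID for the new AP from the PMK it already has for that station and, on a match, skips EAP and goes straight to the 4-way handshake. The WPA (TKIP) information element has no PMKID list, so there is nothing to match. The simulation below is an added example, not code from the thread: the PMKID formula is the IEEE 802.11i one for the 802.1X AKM (HMAC-SHA1-128 over "PMK Name" || AA || SPA), while the Controller and Station classes, the MAC addresses and the random stand-in for the EAP-derived PMK are all invented for illustration.

```python
"""Proactive/opportunistic PMK caching as a two-party exchange.

Added example for this thread. pmkid() follows IEEE 802.11i for the 802.1X AKM;
Controller, Station and the addresses below are toys built for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA is the AP/BSSID MAC, SPA the station MAC, both as 6 raw bytes."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


class Controller:
    """Toy WLC owning several APs. key_caching=False models a WLAN on which
    every (re)association must complete a full EAP exchange (WPA/TKIP)."""

    def __init__(self, bssids: List[bytes], key_caching: bool = True):
        self.bssids = bssids
        self.key_caching = key_caching
        self.pmk_cache: Dict[bytes, bytes] = {}  # station MAC -> PMK
        self.full_eap_count = 0

    def full_eap(self, spa: bytes) -> bytes:
        # Stand-in for the PEAP round trip to RADIUS; a real PMK is cut from the MSK.
        self.full_eap_count += 1
        pmk = os.urandom(32)
        self.pmk_cache[spa] = pmk
        return pmk

    def associate(self, spa: bytes, bssid: bytes,
                  offered_pmkid: Optional[bytes]) -> Tuple[str, bytes]:
        """Association request handling: 'fast' = straight to the 4-way
        handshake, 'full' = EAP-Identity ... EAP-Success first."""
        if bssid not in self.bssids:
            raise ValueError("unknown BSSID")
        cached = self.pmk_cache.get(spa)
        if (self.key_caching and cached is not None and offered_pmkid is not None
                and hmac.compare_digest(offered_pmkid, pmkid(cached, bssid, spa))):
            return "fast", cached
        return "full", self.full_eap(spa)


class Station:
    """OKC-capable supplicant: computes a PMKID for whatever BSSID it joins."""

    def __init__(self, spa: bytes):
        self.spa = spa
        self.pmk: Optional[bytes] = None

    def join(self, wlc: Controller, bssid: bytes) -> str:
        offered = pmkid(self.pmk, bssid, self.spa) if self.pmk else None
        outcome, self.pmk = wlc.associate(self.spa, bssid, offered)
        return outcome


def simulate_roam(key_caching: bool) -> List[str]:
    """Join AP1, roam to AP2, roam to AP3; return the outcome of each step."""
    aps = [mac("00:1a:2b:3c:4d:01"), mac("00:1a:2b:3c:4d:02"), mac("00:1a:2b:3c:4d:03")]
    wlc = Controller(aps, key_caching=key_caching)
    sta = Station(mac("00:1b:77:11:22:33"))
    return [sta.join(wlc, ap) for ap in aps]


def non_okc_supplicant_roam() -> List[str]:
    """A supplicant that only caches PMKIDs per BSSID it has already
    authenticated to (plain 802.11i PMK caching, no OKC) arrives at AP2 with
    the PMKID it learnt on AP1. It does not match, so the roam costs a full
    EAP exchange even though the controller supports caching."""
    ap1, ap2 = mac("00:1a:2b:3c:4d:01"), mac("00:1a:2b:3c:4d:02")
    wlc = Controller([ap1, ap2])
    spa = mac("00:1b:77:11:22:33")
    out1, pmk = wlc.associate(spa, ap1, None)
    out2, _ = wlc.associate(spa, ap2, pmkid(pmk, ap1, spa))  # stale PMKID for AP1
    return [out1, out2]


if __name__ == "__main__":
    print("WPA2 + key caching:", simulate_roam(True))
    print("no key caching:   ", simulate_roam(False))
    print("non-OKC supplicant:", non_okc_supplicant_roam())
```

The last function is the supplicant-side half of the point made later in the thread: the controller end (what "sh pmk-cache all" shows) and the supplicant end both have to play along, and a client that only caches per-BSSID still pays a full EAP exchange on every new AP.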
RE: [WIRELESS-LAN] Transitioning to dot1x
What Bob just said is true. We found that less saturated areas had issues that went unnoticed in the days of open wireless. Increasing saturation where we could fixed those areas.

Daniel Bennett
Re: [WIRELESS-LAN] Transitioning to dot1x
If you are using WPA/TKIP, change your Auth Key Mgmt to 802.1X + CCKM on your WLAN in order to activate Fast Secure Roaming.

Charles Bisel
WLAN Architect
Bayer Corporation
100 Bayer Road, Pittsburgh, PA 15205
EMAIL charles.bi...@bayerbbs.com
WEB http://www.bayerus.com
Re: [WIRELESS-LAN] Transitioning to dot1x
True, WZC doesn't support CCKM, however unless I missed something, I don't recall Bob mentioning a specific supplicant. Clients who use WZC (why anyone would is beyond me) will still be able to connect without issue, as it is considered optional on the WLAN.

Charles Bisel
IT Operations
Bayer Business and Technology Services LLC
100 Bayer Road, Pittsburgh, PA 15205
PHONE 412.778.1268
FAX 412.778.1299
EMAIL charles.bi...@bayerbbs.com
WEB http://www.bayerus.com

From: Bruce T. Johnson
Sent: 02/19/2009 11:20 AM
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

Charles, CCKM is supplicant-dependent (via Intel PROSet or other hardware client utility). Native Windows WZC won't support this. You'll need WPA2.

Bruce T. Johnson
RE: [WIRELESS-LAN] Transitioning to dot1x
One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this.

Bruce T. Johnson
Re: [WIRELESS-LAN] Transitioning to dot1x
There isn't, which is a real bummer, as there are many, many drawbacks to the WZC client.

On 2/19/09 8:41 AM, Johnson, Bruce T bjohns...@partners.org wrote:

One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this.

Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, MA 02129

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel
Sent: Thursday, February 19, 2009 11:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

True, WZC doesn't support CCKM, however unless I missed something, I don't recall Bob mentioning a specific supplicant. Clients who use WZC (why anyone would is beyond me) will still be able to connect without issue, as it is considered optional on the WLAN.

Charles Bisel | IT Operations | Bayer Business and Technology Services LLC | 100 Bayer Road, Pittsburgh, PA 15205 | PHONE 412.778.1268 | FAX 412.778.1299 | EMAIL charles.bi...@bayerbbs.com | WEB http://www.bayerus.com

From: Johnson, Bruce T bjohns...@partners.org
Sent: 02/19/2009 11:20 AM

Charles, CCKM is supplicant-dependent (via Intel PROSet or other hardware client utility). Native Windows WZC won't support this. You'll need WPA2.

Bruce T. Johnson

From: Charles Bisel
Sent: Thursday, February 19, 2009 11:18 AM

If you are using WPA/TKIP, change your Auth Key Mgmt to 802.1X + CCKM on your WLAN in order to activate Fast Secure Roaming.

Charles Bisel | WLAN Architect | Bayer Corporation

From: Johnson, Bruce T bjohns...@partners.org
Sent: 02/19/2009 11:08 AM

Check your WLAN Session Timeout - this forces a full re-auth at the specified interval. The default for dot1x is every 30 minutes. You may want to make this value larger. The User Idle Timeout will do the same thing, but most laptops generate enough incidental traffic to keep the idle timer open. Smaller form factors may not be as chatty. If it's due to roaming, you may want to use WPA2/AES rather than TKIP, as this supports Proactive Key Caching. Do a "sh pmk-cache all" on the controllers to verify.

Bruce T. Johnson

From: Bob Richman
Sent: Thursday, February 19, 2009 10:38 AM

We are using MS IAS for RADIUS with PEAP. We don't have trouble getting folks configured and connected. Just after that we get complaints of 'getting kicked off' and I was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don't really have any hard data to back that up.

Thanks, Bob Richman | Network Engineer | University of Notre Dame | rrichma...@nd.edu

From: Daniel Bennett
Sent: Thursday, February 19, 2009 8:20 AM

We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak.
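Bruce Johnson's advice above (check the WLAN session timeout and idle timeout, then look at roaming) can be checked against the RADIUS accounting log, which is also where the hard data Bob says he lacks would come from: the controller reports why each session ended in Acct-Terminate-Cause, and sessions that all end at 1800 seconds are the session timer, not roaming. The following is an added example written for this page, not code from anyone on the thread; it assumes a FreeRADIUS-style accounting detail file (the sample records are constructed) and the standard RFC 2866 Acct-Terminate-Cause values.

```python
"""
Added example, not code from the list thread: put numbers behind "getting
kicked off" reports by reading RADIUS accounting Stop records and asking
(a) what Acct-Terminate-Cause the controller reported and (b) how many
sessions ended right at the WLAN session timeout.

Assumptions (mine): FreeRADIUS-style "detail" text, one "Attribute = Value"
line per attribute, blank lines between records; the sample below is
constructed for the example.
"""
from collections import Counter, defaultdict
from statistics import median

# Acct-Terminate-Cause values, RFC 2866 section 5.10.
TERMINATE_CAUSE = {
    1: "User-Request", 2: "Lost-Carrier", 3: "Lost-Service", 4: "Idle-Timeout",
    5: "Session-Timeout", 6: "Admin-Reset", 7: "Admin-Reboot", 8: "Port-Error",
    9: "NAS-Error", 10: "NAS-Request", 11: "NAS-Reboot", 12: "Port-Unneeded",
    13: "Port-Preempted", 14: "Port-Suspended", 15: "Service-Unavailable",
    16: "Callback", 17: "User-Error", 18: "Host-Request",
}

# Constructed sample: five Stop records for three clients.
SAMPLE_DETAIL = """\
Thu Feb 19 11:00:00 2009
    Acct-Status-Type = Stop
    Calling-Station-Id = "00-1b-77-aa-bb-01"
    Acct-Session-Time = 1800
    Acct-Terminate-Cause = Session-Timeout

Thu Feb 19 11:30:01 2009
    Acct-Status-Type = Stop
    Calling-Station-Id = "00-1b-77-aa-bb-01"
    Acct-Session-Time = 1801
    Acct-Terminate-Cause = 5

Thu Feb 19 11:05:12 2009
    Acct-Status-Type = Stop
    Calling-Station-Id = "00-1b-77-aa-bb-02"
    Acct-Session-Time = 1799
    Acct-Terminate-Cause = Session-Timeout

Thu Feb 19 11:12:04 2009
    Acct-Status-Type = Stop
    Calling-Station-Id = "00-1b-77-aa-bb-02"
    Acct-Session-Time = 412
    Acct-Terminate-Cause = Lost-Carrier

Thu Feb 19 11:20:40 2009
    Acct-Status-Type = Stop
    Calling-Station-Id = "00-1b-77-aa-bb-03"
    Acct-Session-Time = 930
    Acct-Terminate-Cause = Idle-Timeout
"""


def parse_detail(text):
    """Split detail text into records (dicts). Blank lines separate records;
    the per-record timestamp header (no ' = ' in it) is ignored."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
        elif " = " in line:
            attr, value = line.split(" = ", 1)
            current[attr] = value.strip('"')
    if current:
        records.append(current)
    return records


def cause_name(value):
    """Normalise Acct-Terminate-Cause: some servers log the RFC number,
    others the dictionary name."""
    return TERMINATE_CAUSE.get(int(value), f"Unknown({value})") if value.isdigit() else value


def summarize_stops(records, session_timeout=1800, tolerance=5):
    """Count Stop records per cause, keep per-client session times, and count
    sessions that ended within `tolerance` seconds of the WLAN session timeout
    (the controller default for dot1x is 1800 s)."""
    causes, per_client, at_timeout = Counter(), defaultdict(list), 0
    for rec in records:
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        causes[cause_name(rec.get("Acct-Terminate-Cause", "0"))] += 1
        secs = int(rec.get("Acct-Session-Time", "0"))
        per_client[rec.get("Calling-Station-Id", "?")].append(secs)
        at_timeout += abs(secs - session_timeout) <= tolerance
    return {
        "causes": dict(causes),
        "median_session_time": {mac: median(t) for mac, t in per_client.items()},
        "stops_at_session_timeout": at_timeout,
    }


def likely_reason(summary):
    """Heuristic verdict: Session-Timeout dominating means raise the timeout;
    Lost-Carrier dominating points at roaming/RF (look at PKC, fast roaming);
    Idle-Timeout dominating points at quiet devices and the idle timer."""
    causes = summary["causes"]
    total = sum(causes.values()) or 1
    for cause, verdict in (("Session-Timeout", "session-timeout"),
                           ("Lost-Carrier", "roaming-or-rf"),
                           ("Idle-Timeout", "idle-timeout")):
        if causes.get(cause, 0) / total >= 0.5:
            return verdict
    return "mixed"
```

On the constructed sample three of five Stops are Session-Timeout and all three land within five seconds of 1800, so the verdict is the session timer, which is fixed on the controller, not on the client. A Lost-Carrier majority would instead point at roaming, where the WPA2/AES and PMK-cache check Bruce mentions is the next step.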
Re: [WIRELESS-LAN] Transitioning to dot1x
Juniper's Odyssey supports PEAP machine authentication, however you'll typically only see Odyssey in an enterprise environment. The only thing that I like about WZC is that its settings can be configured and enforced via Group Policy. Well, two things... it's also free.

Charles Bisel | WLAN Architect | Bayer Corporation | 100 Bayer Road, Pittsburgh, PA 15205 | EMAIL charles.bi...@bayerbbs.com | WEB http://www.bayerus.com

Johnson, Bruce T bjohns...@partners.org wrote on 02/19/2009 11:41 AM:

One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this.
Re: [WIRELESS-LAN] Transitioning to dot1x
Johnson, Bruce T wrote:

One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this.

I've not used the software, but the Open1X supplicant now mentions machine authentication as a feature, in their new release: http://open1x.sourceforge.net/

I hear good things about the software, which seems to be under active development.

HTH,

-- Oliver Gorwits, Network and Telecommunications Group, Oxford University Computing Services

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Transitioning to dot1x
One caution I would put out for any product that can do machine authentication is to realize that it means the supplicant is working prior to user interactive login and with access to system-level credentials. And then does it change over to the user's creds once they log in interactively?

One experience I had with this was about 5-6 years ago. The Cisco VPN client at the time (don't know if it still does) could be run before login. To accomplish this it replaced the MSGINA (the program that is the login box) so that it could supersede it to allow the VPN client to interact with the user prior to the user proving credentials to the machine. I can't say that it caused us any issues but it raised some concerns...

1) What if multiple things for whatever reason try to do this (replace the MSGINA)? What is the order of preference?
2) Potential bug and/or exploit in the process.
3) Making OS patches and updates and upgrades dependent on yet another piece of software that is probably very sensitive to OS changes.

FYI - the Dell utility does allow a user to log on even if they don't have locally cached credentials as long as they have an AD account. You need to explicitly set it, but when set up properly the machine account does not authenticate but the user's credentials are somehow passed to the Dell utility to bring up the wireless under their credentials before the MSGINA tries to log into the machine. Once the wireless is connected under the user's creds, then the user's credentials are sent through the MSGINA like normal. Works pretty slick, but I wanted to use the machine credentials so our sys admins could manage the machine as long as it was on, just like wired PCs.

This is a case where I have found it simplest to just use the built-in functionality, and so far really the only problem I have seen is poor reporting to troubleshoot with. Luckily the only troubleshooting necessary was when we first got our 1x setup. Since then it has worked very well with machine credentials.
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--If you don't have time to do it right, when will you have time to do it over?
--Do not let what you cannot do interfere with what you can do. - John Wooden

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Oliver Gorwits
Sent: Thursday, February 19, 2009 2:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

I've not used the software, but the Open1X supplicant now mentions machine authentication as a feature, in their new release: http://open1x.sourceforge.net/
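Greg's question above (does the supplicant hand over from machine to user credentials once someone logs in interactively?) can be answered from the RADIUS authentication log rather than from the supplicant's own reporting, which he notes is poor: the native Windows supplicant presents the computer account as host/<fqdn>, so a client MAC that shows a host/ identity at boot and a user identity a few minutes later did the hand-over, one that only ever shows host/ is unattended or has nobody logged on, and one that only ever shows a user identity never did machine auth and so is not reachable by sysadmins when nobody is at it. The following is an added example written for this page, not code from the thread or from any of the products mentioned; the log lines are a constructed, simplified key="value" export, and the DOMAIN\user and user@realm user forms are assumptions.

```python
"""
Added example, not code from the list thread: read a RADIUS authentication
log and say, per client MAC, whether machine authentication happened and
whether the session later switched to the user's credentials after logon.

Assumptions (mine): the log is a constructed, simplified key="value" export
with one Access-Accept/Reject per line in time order; the Windows supplicant
presents the computer account as host/<fqdn> and the user as DOMAIN\\user or
user@realm.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) Access-(?P<result>Accept|Reject) '
                     r'user="(?P<user>[^"]+)" mac="(?P<mac>[^"]+)"')

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2009-02-19 07:58:03 Access-Accept user="host/lab-pc17.example.edu" mac="00-1b-77-aa-bb-01"
2009-02-19 08:03:41 Access-Accept user="EXAMPLE\\jdoe" mac="00-1b-77-aa-bb-01"
2009-02-19 08:10:12 Access-Accept user="host/kiosk-04.example.edu" mac="00-1b-77-aa-bb-02"
2009-02-19 08:15:55 Access-Accept user="asmith@example.edu" mac="00-1b-77-aa-bb-03"
2009-02-19 08:20:09 Access-Reject user="host/stale-box.example.edu" mac="00-1b-77-aa-bb-04"
"""


def is_machine_identity(user):
    """Machine auth from the native Windows supplicant uses host/<fqdn>."""
    return user.lower().startswith("host/")


def parse_auth_log(text):
    """One dict per parseable line; anything else (debug noise etc.) is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_clients(events):
    """Per MAC: machine-then-user, machine-only, user-only, user-then-machine,
    or rejected-only. Order matters: a domain PC authenticates as the machine
    at boot and as the user after logon, so the machine accept must come first."""
    first = defaultdict(dict)   # mac -> {"machine": index, "user": index}
    rejected = set()
    for i, ev in enumerate(events):
        if ev["result"] != "Accept":
            rejected.add(ev["mac"])
            continue
        kind = "machine" if is_machine_identity(ev["user"]) else "user"
        first[ev["mac"]].setdefault(kind, i)   # remember the first of each kind
    verdict = {}
    for mac in set(first) | rejected:
        f = first.get(mac, {})
        if not f:
            verdict[mac] = "rejected-only"
        elif "machine" in f and "user" in f:
            verdict[mac] = "machine-then-user" if f["machine"] < f["user"] else "user-then-machine"
        elif "machine" in f:
            verdict[mac] = "machine-only"
        else:
            verdict[mac] = "user-only"
    return verdict


def unmanaged_clients(verdict):
    """MACs that authenticated a user without ever doing machine auth: either
    not domain-joined, or the supplicant is not configured for machine auth."""
    return sorted(mac for mac, v in verdict.items() if v == "user-only")
```

Run over the sample, the lab PC comes out as machine-then-user (the hand-over worked), the kiosk as machine-only (unattended, which is exactly the WZC use Bruce describes), and the third client as user-only, which is the case Greg wants to avoid because nobody can manage that box once its user logs off.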
RE: [WIRELESS-LAN] Transitioning to dot1x
If you don't use WZC, what supplicant is used in your client base?

Frank

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel
Sent: Thursday, February 19, 2009 10:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

True, WZC doesn't support CCKM, however unless I missed something, I don't recall Bob mentioning a specific supplicant. Clients who use WZC (why anyone would is beyond me) will still be able to connect without issue, as it is considered optional on the WLAN.

Charles Bisel | IT Operations | Bayer Business and Technology Services LLC

From: Daniel Bennett
Sent: Thursday, February 19, 2009 8:20 AM

We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak.

Daniel Bennett | IT Security Analyst, Security+ | PA College of Technology | One College Ave, Williamsport PA 17701 | (P) 570.329.4989

From: Lelio Fulgenzi
Sent: Thursday, February 19, 2009 8:15 AM

Last time I checked, Windows mobile didn't come