Re: [WIRELESS-LAN] 802.1x vs web-portal

Many places have problems with OCSP... they don't let users that join the portal check for the OCSP validity (forget to allow for this in firewall) of the portal's certificate. That will make some OSes that don't automatically switch to CRL fail.

Or worse, certificate providers change the IP address of their OCSP servers, and portals and firewall were configured with a static IP address of the OCSP servers... that can make portals fail as well. It would be nice to allow to check everything by name, but some firewalls are still finicky about that!

Philippe Hanset
www.eduroam.us

On Dec 2, 2013, at 1:02 PM, Osborne, Bruce W (Network Services) bosbo...@liberty.edu wrote:

> Why do you say there are portal issues with https? Other than certificate error messages, http https redirects work fine with Aruba wireless. I know I had issues with https portals a few years ago when I tried portals with Cisco LWAP APs.
>
> Bruce Osborne
> Network Engineer
> IT Network Services
> (434) 592-4229
> Liberty University | Training Champions for Christ since 1971
>
> -----Original Message-----
> From: Arran Cudbard-Bell [mailto:a.cudba...@freeradius.org]
> Sent: Friday, November 29, 2013 2:25 PM
> Subject: Re: 802.1x vs web-portal
>
>> [...]

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] 802.1x vs web-portal

On our captive portal we just run a cron job once a day to pull the latest OCSP IP addresses to be whitelisted, and never have had a problem with SSL.

Dale

Thus spake Hanset, Philippe C (phan...@utk.edu) on Mon, Dec 02, 2013 at 06:58:24PM:

> Many places have problems with OCSP... they don't let users that join the portal check for the OCSP validity (forget to allow for this in firewall) of the portal's certificate. [...]
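The daily OCSP whitelist refresh Dale describes, and the two failure modes Philippe raises (responder IPs changing under a static firewall rule, and the portal not letting clients reach the responder at all), as an added example that is not code from the thread or from any poster. It assumes the responder URLs were taken from the portal certificate chain with `openssl x509 -noout -ocsp_uri`; every hostname and address in it is a constructed placeholder, and the dict-backed resolver stands in for `socket.getaddrinfo` so it runs offline.

```python
"""Daily refresh of a captive portal's OCSP responder whitelist.

Added example, not from the thread. The responder URLs come from the portal
certificate chain; every run re-resolves them by name and emits the firewall
rule changes. All hostnames and addresses below are constructed placeholders.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed: responder URLs as printed by
#   openssl x509 -in <cert.pem> -noout -ocsp_uri
# for the portal certificate and each intermediate CA certificate in its chain.
SAMPLE_OCSP_URLS = [
    "http://ocsp.example-ca.test",
    "http://ocsp.example-ca.test/",                    # same host, trailing slash
    "http://ocsp.intermediate.example-ca.test:8080/",  # non-default port
]

# Constructed DNS answers before and after the CA renumbers its responders.
SAMPLE_DNS_BEFORE = {
    "ocsp.example-ca.test": ["192.0.2.10", "2001:db8::10"],
    "ocsp.intermediate.example-ca.test": ["192.0.2.20"],
}
SAMPLE_DNS_AFTER = {
    "ocsp.example-ca.test": ["198.51.100.10"],
    # intermediate responder omitted: simulates a transient DNS failure
}


def make_resolver(table):
    """socket.getaddrinfo look-alike backed by a dict, so the example runs offline."""
    def resolver(hostname, port, *args, **kwargs):
        if hostname not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {hostname}")
        results = []
        for addr in table[hostname]:
            if ipaddress.ip_address(addr).version == 6:
                results.append((socket.AF_INET6, socket.SOCK_STREAM, 6, "", (addr, 0, 0, 0)))
            else:
                results.append((socket.AF_INET, socket.SOCK_STREAM, 6, "", (addr, 0)))
        return results
    return resolver


def responder_endpoints(urls):
    """Normalise OCSP URLs to a sorted list of unique (hostname, port) pairs."""
    endpoints = set()
    for url in urls:
        parts = urlparse(url.strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported OCSP URL: {url!r}")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        endpoints.add((parts.hostname.lower(), port))
    return sorted(endpoints)


def resolve_all(hostname, resolver=socket.getaddrinfo):
    """Every A/AAAA address the name currently has, as ipaddress objects."""
    addrs = set()
    for family, _stype, _proto, _canon, sockaddr in resolver(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(ipaddress.ip_address(sockaddr[0]))
    return addrs


def build_whitelist(urls, resolver=socket.getaddrinfo, previous=None):
    """Map each (host, port) endpoint to the set of IPs the firewall must allow.

    A name that fails to resolve keeps its previous addresses instead of being
    dropped, so one bad DNS answer in the cron run cannot delete working rules.
    Returns (whitelist, hosts_that_failed_to_resolve).
    """
    previous = previous or {}
    whitelist, failed = {}, []
    for host, port in responder_endpoints(urls):
        try:
            whitelist[(host, port)] = resolve_all(host, resolver)
        except socket.gaierror:
            failed.append(host)
            if (host, port) in previous:
                whitelist[(host, port)] = set(previous[(host, port)])
    return whitelist, failed


def firewall_changes(old, new):
    """Diff two whitelists into sorted (ip, port) rules to add and to remove."""
    old_rules = {(str(ip), port) for (_h, port), ips in old.items() for ip in ips}
    new_rules = {(str(ip), port) for (_h, port), ips in new.items() for ip in ips}
    return sorted(new_rules - old_rules), sorted(old_rules - new_rules)


if __name__ == "__main__":
    day1, _ = build_whitelist(SAMPLE_OCSP_URLS, make_resolver(SAMPLE_DNS_BEFORE))
    day2, failed = build_whitelist(SAMPLE_OCSP_URLS, make_resolver(SAMPLE_DNS_AFTER), day1)
    add, remove = firewall_changes(day1, day2)
    print("add:", add, "remove:", remove, "kept old rules for:", failed)
```

In a real cron job the two whitelists would be yesterday's saved file and today's resolution, and the add/remove lists feed whatever firewall rule syntax the portal uses; the pre-authentication ACL must allow the whole add list on the responder's port, not just one address.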
Re: [WIRELESS-LAN] 802.1x vs web-portal

On 19 Nov 2013, at 21:00, Ken LeCompte lecom...@oit.rutgers.edu wrote:

> One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages.

A workaround for some devices would be to add a WISPr responder to the portal. It will work with all recent iOS and OSX devices, some Windows Phones, and Windows 8/8.1.

http://msdn.microsoft.com/en-us/library/windows/hardware/dn408675.aspx

There is no perfect solution to portal redirection, but WISPr does seem a good way forward.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
RE: [WIRELESS-LAN] 802.1x vs web-portal

I can tell you we use dot1x here with AD credentials and it doesn't lend itself to a good end-user experience. Our security policy requires password expiration after 60 days. When a student's password expires we see an increase of wireless related complaints (typically blaming the performance/signal of the wireless network), not realizing their password has expired and new credentials need to be applied in their wireless profile. The other AD credential issue we have is related to lock-out. If a student mistypes his/her password to lock-out their account, all of their devices stop connecting to the wireless network.

Having said that, we are eyeing certificate based 802.1x. Not having a lot of experience with PKI we are trying to gauge the effort level of deployment. Not trying to hijack the thread here - but I am curious if anyone has some real world experience spinning-up a PKI (from scratch) using CloudPath with certificates. What is the effort level?

Tony

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Wednesday, November 20, 2013 1:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

> List seems to sum it up pretty well. I think user wise dot1x is better ... once setup. So while it may be more of a pain to configure for some users, once configured the experience is much better as they walk on to campus and are connected. Having a captive portal is probably a good option for those that can't get dot1x working. I'm interested in the 10% though, do you get them all connected in the end? 10% seems quite a high percentage
>
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
> Sent: Wednesday, 20 November 2013 9:56 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal
>
>> from the top of my head...
>>
>> ###What's bad for the user:
>> -Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL Cert from RADIUS you actually authenticate the infrastructure)
>> -802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)
>>
>> ###What's bad for the network engineer (and user stuff as well...):
>> -Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
>> -802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate Expiration and help desk calls resulting from it
>>
>> add yours!
>>
>> Philippe
>>
>> Philippe Hanset
>> www.eduroam.us
>>
>> On Nov 19, 2013, at 2:10 PM, Jeff Kell jeff-k...@utc.edu wrote:
>>
>>> On 11/19/2013 4:05 PM, Peter P Morrissey wrote:
>>>
>>>> Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.
>>>
>>> Does FireSheep or Ettercap ring any bells?
>>>
>>> Jeff
RE: [WIRELESS-LAN] 802.1x vs web-portal

We have done a complete TLS deployment using both onboard cloudpath CA (for guest access) and Microsoft CA (for standard access). It takes some work, but it is well worth the effort. Feel free to contact me. We would be happy to help.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fleming, Tony
Sent: Wednesday, November 20, 2013 9:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

> I can tell you we use dot1x here with AD credentials and it doesn't lend itself to a good end-user experience. [...]
RE: [WIRELESS-LAN] 802.1x vs web-portal

Isn't that really a client supplicant issue though? You can send back a reason for auth failure, and then the client could prompt for a replacement password.

--
ian

-----Original Message-----
From: Fleming, Tony
Sent: 20-11-2013, 14:22
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

> I can tell you we use dot1x here with AD credentials and it doesn't lend itself to a good end-user experience. Our security policy requires password expiration after 60 days. [...]
Re: [WIRELESS-LAN] 802.1x vs web-portal

<rant>

What I really want to provide is an HTTPS-like experience for my users that just works: an SSL layer that doesn't care who you are, but still provides meaningful encryption for the last 50 meters where your traffic is moving through the air for anyone nearby to snoop.

I'm annoyed that so many encryption solutions are coupled to authentication. The two don't need to be linked. You don't have to log into an https site to get encrypted traffic, and you shouldn't have to log into a wifi network to get encryption either.

My ideal scenario is that someday I'll be able to install the same wildcard ssl certificate that we purchase for our web sites to each access point or at a controller, change a setting for an SSID to use this certificate for encryption, and as long as the certificate is from a well-known/reputable vendor, user devices will just work. I include guest devices in this category. I want someone -- anyone, but especially visiting admissions candidates -- to be able to turn on their device for the first time and have the experience be easy: no capture, no guest registration, no prompt to agree to terms of service, just choose the SSID and they're online.

Sure, I could use a shared key scenario and just publish the key, but that's not the same thing. If anyone knows the key, anyone can decrypt the traffic, and it still requires an extra step to get online.

I honestly couldn't care less about the authentication part of this. I don't need to know right away that it was Jane Smith's computer committing whatever nefarious deed. The immediate reaction to that kind of thing is the same regardless of the name of the person behind it. As long as I can target a MAC address or have reasonably static IP addresses (I do), I'm happy enough using a captive portal rule on a specific machine after the fact to identify a user for those times when enforcement issues come up. College-owned machines here do log user names all the time, so it's just student-owned devices where this is necessary.

Sadly, I don't believe this kind of wifi exists today. Certificate-based 1x comes close, but the need to install/configure devices with a supplicant breaks it. I would settle for 1x, if I could count on it working for my students. Personally, I place blame on the WiFi Alliance, certifying devices that don't work for this feature as well as they should.

Currently, we're working to provide two WiFi options: one that's completely open (and I mean completely), and one that uses 1x and prompts for a user's Active Directory login. Anyone can walk on campus and get online at a basic level. Really. I don't care. Guest (and even neighbor) use is a drop in the bucket compared to what our regular students demand. But if you need encryption you'd better hope the site or service supports https. We encourage students to use the 1x SSID whenever they can, and try to educate about the importance of encryption. *Most don't care*, and choose the open network, but at least the option is open to them.

</rant>

Joel Coehoorn
Director of Information Technology
York College, Nebraska
402.363.5603
jcoeho...@york.edu

*The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society*

On Wed, Nov 20, 2013 at 8:54 AM, Ian McDonald i...@st-andrews.ac.uk wrote:

> Isn't that really a client supplicant issue though? You can send back a reason for auth failure, and then the client could prompt for a replacement password.
>
> --
> ian
>
> -----Original Message-----
> From: Fleming, Tony
> Sent: 20-11-2013, 14:22
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal
>
>> I can tell you we use dot1x here with AD credentials and it doesn't lend itself to a good end-user experience. Our security policy requires password expiration after 60 days. [...]
RE: [WIRELESS-LAN] 802.1x vs web-portal

I wonder if this might be closer to what you are looking for:

http://theruckusroom.typepad.com/files/dynamic-psk-fs.pdf

It definitely looks interesting.

-Curtis Larsen

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel [jcoeho...@york.edu]
Sent: Wednesday, November 20, 2013 9:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

> <rant>
>
> What I really want to provide is an HTTPS-like experience for my users that just works: an SSL layer that doesn't care who you are, but still provides meaningful encryption for the last 50 meters where your traffic is moving through the air for anyone nearby to snoop. [...]
Re: [WIRELESS-LAN] 802.1x vs web-portal
I have been to hotels that use WPA2 for their wifi. You get an id and password at check-in; sometimes the id and password is tied to the room and not unique for every customer over time. While you can't quite get the eduroam experience without a valid userid and password, you could implement something in between a web portal and WPA2 with certs or valid IDs. You could set up an SSID with WPA2 with PEAP and something like freeradius at the back end and then set RADIUS to just accept any userid and password. That also then supports IPv6; many web portals don't have good support for IPv6 yet.

On Nov 20, 2013, at 10:24 AM, Coehoorn, Joel jcoeho...@york.edu wrote:

<rant>What I really want to provide is an HTTPS-like experience for my users that just works: an SSL layer that doesn't care who you are, but still provides meaningful encryption for the last 50 meters where your traffic is moving through the air for anyone nearby to snoop.

I'm annoyed that so many encryption solutions are coupled to authentication. The two don't need to be linked. You don't have to log into an https site to get encrypted traffic, and you shouldn't have to log into a wifi network to get encryption either.

My ideal scenario is that someday I'll be able to install the same wildcard ssl certificate that we purchase for our web sites to each access point or at a controller, change a setting for an SSID to use this certificate for encryption, and as long as the certificate is from a well-known/reputable vendor, user devices will just work. I include guest devices in this category. I want someone -- anyone, but especially visiting admissions candidates -- to be able to turn on their device for the first time and have the experience be easy: no capture, no guest registration, no prompt to agree to terms of service, just choose the SSID and they're online.

Sure, I could use a shared key scenario and just publish the key, but that's not the same thing. If anyone knows the key, anyone can decrypt the traffic, and it still requires an extra step to get online.

I honestly couldn't care less about the authentication part of this. I don't need to know right away that it was Jane Smith's computer committing whatever nefarious deed. The immediate reaction to that kind of thing is the same regardless of the name of the person behind it. As long as I can target a MAC address or have reasonably static IP addresses (I do), I'm happy enough using a captive portal rule on a specific machine after the fact to identify a user for those times when enforcement issues come up. College-owned machines here do log user names all the time, so it's just student-owned devices where this is necessary.

Sadly, I don't believe this kind of wifi exists today. Certificate-based 1x comes close, but the need to install/configure devices with a supplicant breaks it. I would settle for 1x, if I could count on it working for my students. Personally, I place blame on the WiFi Alliance, certifying devices that don't work for this feature as well as they should.

Currently, we're working to provide two WiFi options: one that's completely open (and I mean completely), and one that uses 1x and prompts for a user's Active Directory login. Anyone can walk on campus and get online at a basic level. Really. I don't care. Guest (and even neighbor) use is a drop in the bucket compared to what our regular students demand. But if you need encryption you'd better hope the site or service supports https. We encourage students to use the 1x SSID whenever they can, and try to educate about the importance of encryption. Most don't care, and choose the open network, but at least the option is open to them.</rant>

Joel Coehoorn
Director of Information Technology
York College, Nebraska
402.363.5603
jcoeho...@york.edu
The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society

On Wed, Nov 20, 2013 at 8:54 AM, Ian McDonald i...@st-andrews.ac.uk wrote:

Isn't that really a client supplicant issue though? You can send back a reason for auth failure, and then the client could prompt for a replacement password.
-- ian

-----Original Message-----
From: Fleming, Tony
Sent: 20-11-2013, 14:22
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

I can tell you we use dot1x here with AD credentials and it doesn't lend itself to a good end-user experience. Our security policy requires password expiration after 60 days. When a student's password expires we see an increase of wireless related complaints (typically blaming the performance/signal of the wireless network) not realizing their password has expired and new credentials need to be applied in their wireless profile. The other AD credential issue we have is related
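A worked illustration of the shared-key point in Joel's quoted message above (if anyone knows the key, anyone can decrypt the traffic). This is an added example, not code from the thread or from any vendor. It performs the WPA2-PSK key derivation from IEEE 802.11i with the standard library only: the PMK from the passphrase and SSID, the per-session PTK from the PMK plus the MAC addresses and nonces that the 4-way handshake sends in the clear, and the EAPOL-Key MIC check that lets a third party confirm it has the right keys. The SSID, passphrase, MAC addresses, nonces and the EAPOL frame bytes are constructed values, not captured traffic.

```python
"""WPA2-PSK session keys are recoverable by anyone who knows the passphrase.

Added example (not from the list thread). Implements the 802.11i derivation:
PSK = PBKDF2-HMAC-SHA1(passphrase, ssid), PTK = PRF-384(PMK, nonces, MACs),
and the EAPOL-Key MIC. Everything used here besides the passphrase is visible
on the air during the handshake, so the passphrase is the only secret.
"""
import hashlib
import hmac

# Constructed "published guest key" scenario; none of this is real traffic.
SSID = "CampusGuest"
PASSPHRASE = "published-guest-key"
AP_MAC = bytes.fromhex("001122334455")    # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")   # supplicant address (SPA)
ANONCE = bytes(range(32))                 # nonce from handshake message 1
SNONCE = bytes(range(32, 64))             # nonce from handshake message 2


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces).

    For CCMP the 48 bytes split into KCK (MIC key), KEK and TK (data key).
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def station_handshake_message(passphrase: str):
    """Stand-in for handshake message 2 as the station sends it.

    Returns (frame with MIC field zeroed, MIC). The frame bytes are a constructed
    placeholder, not a faithful EAPOL-Key layout.
    """
    pmk = derive_pmk(passphrase, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)["kck"]
    frame = b"\x02\x03\x00\x5f\x02\x01\x0a" + SNONCE + b"\x00" * 16
    return frame, eapol_mic(kck, frame)


def eavesdropper_recovers_tk(passphrase_guess: str, frame: bytes, mic: bytes):
    """What another user of the same SSID can do with the sniffed handshake:
    derive the keys from the passphrase and confirm them via the MIC.
    Returns the TK (the key protecting the client's data frames) or None."""
    pmk = derive_pmk(passphrase_guess, SSID)
    keys = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    if hmac.compare_digest(eapol_mic(keys["kck"], frame), mic):
        return keys["tk"]
    return None


if __name__ == "__main__":
    frame, mic = station_handshake_message(PASSPHRASE)
    tk = eavesdropper_recovers_tk(PASSPHRASE, frame, mic)
    print("eavesdropper recovered TK:", tk.hex() if tk else None)
```

The MIC comparison is the same check password-recovery tools run against a captured handshake, so the code also shows why a short published guest key can be brute-forced offline from a single capture, not just decrypted by those who were told it.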
RE: [WIRELESS-LAN] 802.1x vs web-portal
I agree with a lot you said. Philippe Hanset had mentioned 'unauthenticated TLS', which appears to do what you want to do, but it appears it isn't very well supported yet. I haven't found much on it.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel
Sent: Wednesday, November 20, 2013 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal
Re: [WIRELESS-LAN] 802.1x vs web-portal
On Nov 20, 2013, at 10:46 AM, Curtis K. Larsen (UIT-Network) curtis.k.lar...@utah.edu wrote:

I wonder if this might be closer to what you are looking for: http://theruckusroom.typepad.com/files/dynamic-psk-fs.pdf It definitely looks interesting.
-Curtis Larsen

Aerohive also has something that does not require an 802.1x supplicant but allows a unique password on each device.
http://www.aerohive.com/solutions/technology-behind-solution/simplified-strong-authentication

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel [jcoeho...@york.edu]
Sent: Wednesday, November 20, 2013 9:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal
RE: [WIRELESS-LAN] 802.1x vs web-portal
My problem with these approaches is their proprietary nature. I wonder how this has been addressed/discussed in the IEEE groups...

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce
Sent: Wednesday, November 20, 2013 3:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal
RE: [WIRELESS-LAN] 802.1x vs web-portal
Not to mention, these are still authentication AND encryption mechanisms, not just encryption. I think the original poster was wanting just an encryption method without the authentication. This doesn't really solve that.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, November 20, 2013 3:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal
Re: [WIRELESS-LAN] 802.1x vs web-portal
My bad. I guess the Wi-Fi Alliance branded it Hotspot 2.0: http://en.wikipedia.org/wiki/Hotspot_(Wi-Fi)#Hotspot_2.0

On Wed, Nov 20, 2013 at 9:00 PM, Mike King m...@mpking.com wrote:

You mean, something like 802.11u? http://en.wikipedia.org/wiki/IEEE_802.11u

On Wed, Nov 20, 2013 at 3:18 PM, Turner, Ryan H rhtur...@email.unc.edu wrote:
Re: [WIRELESS-LAN] 802.1x vs web-portal
You mean, something like 802.11u? http://en.wikipedia.org/wiki/IEEE_802.11u

On Wed, Nov 20, 2013 at 3:18 PM, Turner, Ryan H rhtur...@email.unc.edu wrote:
Re: [WIRELESS-LAN] 802.1x vs web-portal
One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages. There is also the more obvious issue that client data is not encrypted over the air, although you could argue that more and more applications are using TLS/SSL. I do think that you are correct that captive portal robustness has been dramatically increased with products like the 5508, which handles a great deal more simultaneous connections than other products before it. I also feel like captive portal security is kinder to backend authentication servers since the authentication is typically done once with a decent length session timeout, whereas many supplicants do tons of reauths.

Thanks.
Ken
--
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless

On Nov 19, 2013, at 3:28 PM, Ashfield, Matt (NBCC) matt.ashfi...@nbcc.ca wrote:

Just wondering what people's thoughts are here regarding using the Web Portal authentication vs 802.1x auth in your wifi networks. Obviously one big "pro" for 802.1x is dynamic vlan assignment based on the user's credentials, but certainly for web-portal the big "pro" is simplicity for the user. We currently use ExpressConnect to configure student devices for our 802.1x wifi network using cert-based authentication, and while it works great 90% of the time, we have 10% where it's tough to get the user on for a variety of reasons on student owned devices. Since we provide guest access via a portal authentication, we inevitably get the question as to why don't we do all wifi auth with that? I know when I first started out, there were limitations with the # of users a portal auth system could support, but I don't think that's a major concern anymore (we are using Cisco 5508 controllers here). Just wondering what the thoughts are on this list. Always good input.

Thanks
Matt

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] 802.1x vs web-portal
Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Pete Morrissey

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken LeCompte
Sent: Tuesday, November 19, 2013 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

> One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages. There is also the more obvious issue that client data is not encrypted over the air, although you could argue that more and more applications are using TLS/SSL.
Re: [WIRELESS-LAN] 802.1x vs web-portal
On 11/19/2013 4:05 PM, Peter P Morrissey wrote:

> Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Does FireSheep or Ettercap ring any bells?

Jeff
RE: [WIRELESS-LAN] 802.1x vs web-portal
I've been very surprised to find applications on campus that don't encrypt data. We've found recently even in credit card processing devices that were not properly configured, and sent information in the clear. Given the vast amount of applications out there, and the absolute zero control over how they are written, you can't assume anything. And sometimes you don't need to be able to decrypt the payload to get useful information.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Tuesday, November 19, 2013 4:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

> Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.
>
> Pete Morrissey
Re: [WIRELESS-LAN] 802.1x vs web-portal
On Nov 19, 2013, at 15:05 , Peter P Morrissey ppmor...@syr.edu wrote:

> Can anyone name an application that does not have strong encryption?

Does not have strong encryption != Strong encryption is in use by default

DNS springs to mind. Heck, just leave tcpdump running when you wake a machine up from sleep and see all the things it tries to do on the network.

--
Julian Y. Koh
Acting Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
Re: [WIRELESS-LAN] 802.1x vs web-portal
On Nov 19, 2013, at 3:05 PM, Peter P Morrissey ppmor...@syr.edu wrote:

> Can anyone name an application that does not have strong encryption?

Search engines such as Google and Bing only encrypt data if you log into the service. Even when logged into YouTube the video stream does not appear to be encrypted.

In addition to security there is also a privacy component. On an unencrypted wireless that uses a web portal a person's data exchanged with a Bank's website will be encrypted with TLS/SSL. However anyone watching the wireless packets can see that the person connected to the Bank's web site since they can see the IP numbers of the TLS session. But on a wireless session protected with WPA2 a snooper cannot see what sites a person visits because the IP numbers are encrypted as well.

> I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.
>
> Pete Morrissey

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II   701-231-8527
North Dakota State University
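Bruce's privacy point above, as an added example that is not from this thread: it parses two constructed client-to-AP 802.11 data frames, the same TLS connection to a bank sent over an open (portal-style) SSID and over a WPA2-CCMP SSID, and reports what a passive listener can attribute to each. All MAC and IP addresses are constructed, the "ciphertext" is a stand-in, and the 802.11 and CCMP headers are reduced to the fields the parser actually reads.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# 802.11 Frame Control flags (second byte of the MAC header)
TO_DS_FLAG = 0x01       # frame travels client -> AP
PROTECTED_FLAG = 0x40   # "Protected Frame": body is CCMP/TKIP encrypted
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header, EtherType 0x0800

@dataclass
class Observation:
    src_mac: str
    dst_mac: str
    encrypted: bool
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def observe(frame: bytes) -> Observation:
    """Parse one 802.11 data frame the way an over-the-air observer would."""
    flags = frame[1]
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    # To-DS frame: Addr1 = BSSID, Addr2 = sender, Addr3 = final destination
    src, dst = (addr2, addr3) if flags & TO_DS_FLAG else (addr3, addr1)
    obs = Observation(_mac(src), _mac(dst), encrypted=bool(flags & PROTECTED_FLAG))
    if obs.encrypted:
        return obs  # CCMP header, ciphertext and MIC follow; nothing above layer 2 is readable
    body = frame[24:]
    if body[:8] != LLC_SNAP_IPV4:
        return obs
    ip = body[8:]
    ihl = (ip[0] & 0x0F) * 4
    obs.src_ip = ".".join(str(x) for x in ip[12:16])
    obs.dst_ip = ".".join(str(x) for x in ip[16:20])
    if ip[9] == 6:  # TCP: port 443 reveals a TLS session even though its content stays opaque
        obs.dst_port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return obs

def _header(flags: int, src: bytes, bssid: bytes, dst: bytes) -> bytes:
    return bytes([0x08, flags]) + b"\x00\x00" + bssid + src + dst + b"\x00\x00"

def build_open_frame(src: bytes, bssid: bytes, dst: bytes,
                     src_ip: str, dst_ip: str, dst_port: int) -> bytes:
    """Open (captive-portal style) network: IPv4/TCP headers ride in the clear."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 51515, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)  # SYN
    return _header(TO_DS_FLAG, src, bssid, dst) + LLC_SNAP_IPV4 + ip + tcp

def build_wpa2_frame(src: bytes, bssid: bytes, dst: bytes, ciphertext: bytes) -> bytes:
    """WPA2-CCMP network: only the MAC addresses and the CCMP header are exposed."""
    ccmp_hdr = b"\x01\x00\x00\x20\x00\x00\x00\x00"  # PN0, PN1, rsvd, KeyID/ExtIV, PN2..PN5
    return _header(TO_DS_FLAG | PROTECTED_FLAG, src, bssid, dst) + ccmp_hdr + ciphertext + b"\x00" * 8

# Constructed sample: locally administered MACs, private and documentation IP ranges
STA, BSSID, GW = (bytes.fromhex(h) for h in ("020000000001", "0200000000aa", "0200000000bb"))

def demo() -> Tuple[Observation, Observation]:
    open_frame = build_open_frame(STA, BSSID, GW, "10.0.0.5", "203.0.113.10", 443)
    wpa2_frame = build_wpa2_frame(STA, BSSID, GW, b"\xde\xad\xbe\xef" * 15)  # stand-in ciphertext
    return observe(open_frame), observe(wpa2_frame)
```

The WPA2 case still exposes the source and destination MAC addresses and the frame length, so 802.1X/WPA2 hides which sites a client talks to, not which client is talking.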
Re: [WIRELESS-LAN] 802.1x vs web-portal
from the top of my head...

###What's bad for the user:
-Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL Cert from RADIUS you actually authenticate the infrastructure)
-802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)

###What's bad for the network engineer (and user stuff as well...):
-Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
-802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate Expiration and help desk calls resulting from it

add yours!

Philippe

Philippe Hanset
www.eduroam.us

On Nov 19, 2013, at 2:10 PM, Jeff Kell jeff-k...@utc.edu wrote:

> On 11/19/2013 4:05 PM, Peter P Morrissey wrote:
>
>> Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.
>
> Does FireSheep or Ettercap ring any bells?
>
> Jeff
Re: [WIRELESS-LAN] 802.1x vs web-portal
We use 802.1x to do machine auth on equipment that we own and that is in the domain. We use Group Policy to push all of the settings. We have auth type set to 'user or computer'; once the user logs on it flips to user auth. It's really cool because NAC will give the computer a 'Computer' policy when nobody is logged in and we can push updates or get statistics on the machine when nobody is logged in. At the point when someone logs on the computer is already on the network and connected to AD. Logins are smooth and then the user gets whatever policy is appropriate for them. Your question was most likely meant for student owned computers but college owned 802.1x has huge advantages.

On Nov 19, 2013 6:26 PM, Hanset, Philippe C phan...@utk.edu wrote:

> from the top of my head...
>
> ###What's bad for the user:
> -Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL Cert from RADIUS you actually authenticate the infrastructure)
> -802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)
>
> ###What's bad for the network engineer (and user stuff as well...):
> -Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
> -802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate Expiration and help desk calls resulting from it
>
> add yours!
>
> Philippe
>
> Philippe Hanset
> www.eduroam.us
RE: [WIRELESS-LAN] 802.1x vs web-portal
List seems to sum it up pretty well. I think user wise dot1x is better ... once setup. So while it may be more of a pain to configure for some users, once configured the experience is much better as they walk on to campus and are connected. Having a captive portal is probably a good option for those that can't get dot1x working.

I'm interested in the 10% though, do you get them all connected in the end? 10% seems quite a high percentage

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Wednesday, 20 November 2013 9:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

> from the top of my head...
>
> ###What's bad for the user:
> -Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL Cert from RADIUS you actually authenticate the infrastructure)
> -802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)
>
> ###What's bad for the network engineer (and user stuff as well...):
> -Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
> -802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate Expiration and help desk calls resulting from it
>
> add yours!
>
> Philippe
>
> Philippe Hanset
> www.eduroam.us