Re: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems
At 17:00 -0400 7/22/2008, John York wrote:
> I'm sure someone has gotten this to work before. Does authenticating to an LDAP server mean we are forced to use EAP-TLS with client certs, install some client on the student machines, or is there another way?

Authenticating to LDAP is totally possible with EAP-PEAP and MS-CHAPv2, but you need to add the correct format of password hash to your LDAP directory entries.

--
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer, phone: 847-467-5780
Telecommunications and Network Services
Northwestern University
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] iPhone 2.0 news
Is anyone else still seeing "erratic" behavior with any iPhones/iPod Touches running 2.0? I have had some strange problems with mine and some others here.

When trying to connect to my WPA2 PEAP-MSCHAPv2 network, for a while it wouldn't prompt me to accept our self-signed cert. After resetting the network settings (Settings - General - Reset) it prompted me and connected just fine. Then I go home and can no longer connect to my WPA2-PSK network there after putting the password in. A day later, it worked fine!

Other people here have seen some similar strange issues. Sometimes turning the WiFi adapter off and back on is enough to take care of it, sometimes not. Sometimes resetting all the network stuff helps, but again, sometimes not.

Matt Barber
Network Analyst / PC Support
Morrisville State College
315-684-6053

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee H Badman
Sent: Tuesday, July 22, 2008 6:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iPhone 2.0 news

Yessir, it is fairly straightforward.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of David [EMAIL PROTECTED] of G
Sent: Tue 7/22/2008 5:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iPhone 2.0 news

Lee, are you able to get iPhone 2.0 with WPA/WPA2 Enterprise working? Thanks.

On Thu, Jul 10, 2008 at 3:29 PM, Lee H Badman [EMAIL PROTECTED] wrote:
> http://www.pcmag.com/article2/0,2817,2325284,00.asp
>
> So far, very erratic on the secure wireless networks between a couple of ours that have tried it, though the settings are all there for WPA/WPA2 enterprise.
>
> Lee

--
David Wang, Networking Services, CCS
www.uoguelph.ca
519-824-4120 x52046
RE: [WIRELESS-LAN] Idengines AutoConnect
Branden,

We are using AutoConnect here with LDAP/ACS 3.3. We are not using the Idengines Ignition Server. We didn't have to make any modifications. We were able to drop AutoConnect into our existing deployment without incident.

Regards,

J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Branden Kirk
Sent: Tuesday, July 22, 2008 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Idengines AutoConnect

For those that are using this product, how many of you are using it with LDAP? For those that started out with an LDAP/ACS setup, what changes were made to use AutoConnect? I'm wondering if anyone is using AutoConnect with an LDAP/ACS setup without the purchase of the Idengines Ignition Server. My understanding is that using AutoConnect with LDAP requires a modified RADIUS server, and I am wondering about the benefits/costs vs. buying the out-of-box solution.

Thanks in advance to those that respond.

Branden Kirk
Biola University
Network Administrator
(562) 903-4740
RE: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems
If you're using ACS with an external LDAP database then you're limited to EAP-FAST, PEAP-GTC, or EAP-TLS according to the ACS documentation. We did run into a similar problem but decided to access the user database via RADIUS instead (we have a proprietary, home-grown system which is accessible via RADIUS or LDAP), and ACS does allow the use of PEAP-MSCHAPv2 in that setup. If you're set on using ACS then your options are configuring the external user database as a LEAP Proxy RADIUS Server or having all the accounts locally on the ACS box.

Reference information here: http://tinyurl.com/5umk8l

--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
[EMAIL PROTECTED]
Office: (765) 49-67096
Mobile: (765) 479-7597
Fax: (765) 49-46620

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of John York
Sent: Tuesday, July 22, 2008 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems

We have a Cisco WLC-4402 and ACS v4.1. Until recently we've been running our wireless wide open and using VPN for encryption, but want to move to WPA/WPA2 for all our clients. We will use the idEngines AutoConnect product to configure the clients (student machines) but I've run into problems just getting the wireless configured.

Since we want to use WPA, that means some flavor of EAP. The student data is on an LDAP server, so that means WPA/2-enterprise, no WPA-PSK. The Windows clients support EAP-TLS and EAP-PEAP(MSCHAPv2), but we don't want to bother with certificates on the client so EAP-TLS is out. It looks like EAP-PEAP(MSCHAPv2) is the way to go, but the Cisco WLC and ACS only support EAP-TLS, EAP-FAST or EAP-GTC. Cisco TAC's answer was, more or less, "Just install clients that have the Cisco Compatible Extensions (CCX)."

The SecureW2 client does support EAP-GTC. It also supports EAP-TTLS; the ACS supports PEAP/TLS, PEAP with TLS as an inner method. Don't know if those two are the same or not.

I'm sure someone has gotten this to work before. Does authenticating to an LDAP server mean we are forced to use EAP-TLS with client certs, install some client on the student machines, or is there another way?

John York
Network Engineer
Blue Ridge Community College
RE: [WIRELESS-LAN] iPhone 2.0 news
We have seen a few things so far; I consider these circumstantial but very consistent:

- some users want to simply point at the secure SSID without setting up the profile. In the iPhone, I see no prompting at all for any certs, etc., it just spins its obnoxious little wheel until it times out and jumps over to a non-secure WLAN
- even when setting the right profile settings, rebooting the iPhone usually needs a reboot to find the WPA network
- if you use the pre-configure tool as opposed to manually setting it up, the user experience is a lot quicker and more consistent
- regardless of how you get set up, there is a lot of variability in the smoothness of transitioning between WLANs, especially secure and non-secure. My other hand-helds (iPaq, Palm TX) have no such issues on same networks from same places
- you'll note that there seems to be no place in the settings to enter a specific auth server, leaving a potential vector for man-in-the-middle fun.

All this being said, the fact that you can point the iPhone to the secure WLAN and connect is in itself a huge gain for those who have been demanding it. We'll keep on watching and observing as this product and its processes mature.

I will say that I find the fee for iPod Touch upgrades to get the 2.0 software somewhat disgusting, given the laundry list of security fixes that are included. Seems like it should have been a free patch. Ah well :-)

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Barber, Matt
Sent: Wednesday, July 23, 2008 8:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iPhone 2.0 news
Re: [WIRELESS-LAN] iPhone 2.0 news
Wireless has been smooth for those using it with WPA2 enterprise. But it was installed with the iPhone config tool. Added cert trust settings there.

-----Original Message-----
From: Barber, Matt [EMAIL PROTECTED]
Subj: Re: [WIRELESS-LAN] iPhone 2.0 news
Date: Wed Jul 23, 2008 7:17 am
Size: 2K
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
RE: [WIRELESS-LAN] iPhone 2.0 news
Thanks for the summary Lee. I am totally on-board with the ability to do WPA Enterprise at all being great. I just wanted to make sure I wasn't the only one seeing some strangeness. I was going to take a look at the config tool anyway, but I will give that a shot and then see what issues remain.

The charge for 2.0 for Touch users is totally ridiculous. It will stink that there are a bunch of Touches on campus that are missing those security fixes and the ability to use the configuration profiles, just because there is a 10 dollar charge for it.

Thanks,

Matt Barber
Network Analyst / PC Support
Morrisville State College
315-684-6053

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee H Badman
Sent: Wednesday, July 23, 2008 9:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iPhone 2.0 news
Certificate validation...
We are a Cisco LWAPP shop and have a PEAP/WPA secure wireless network. For our certificates we have a PKI which is trusted through GTE CyberTrust Global Root. When a first-time user connects to the wireless they are prompted with a window that tells them that the certificate is not trusted. So they verify the certificate, make sure it comes from us, accept it and go on to connect. This is mostly an issue on Macs.

So I know the problem is caused because the computer is unable to correctly chase down the root issuing CA. Is anyone else in this same situation? If so, have you done anything to get around it? Does anybody know if there is anything that can be done to get around this problem? I'm only asking because once in a while we get users that complain about this issue.

Thanks,

Hector Rios
Telecommunications Analyst, NI
LSU Information Technology Services
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
RE: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems
You could try a different Radius server... we use Radiator (http://www.open.com.au/radiator/) but e.g. FreeRADIUS (http://freeradius.org/) is also a good choice. Both support a wide variety of EAP methods, including PEAP and EAP-TTLS. Actually, we support both on our wireless network (but prefer EAP-TTLS). Our Radius servers authenticate clients using PEAP against an LDAP server and clients using EAP-TTLS against a UNIX password file, but EAP-TTLS is also possible against LDAP.

Also worth browsing: www.eduroam.org. Even if your institution does not join the eduroam federation, the cookbook on the site contains useful information about Radius setups.

Best regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of John York
Sent: Wednesday 23 July 2008 15:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems

That's pretty much what I've run into. Do you know of something else I could use in place of ACS to query LDAP? We're part of the Virginia Community College System, and they own the student database and only provide LDAP, so I'm stuck there. If we don't install stuff on the student machines (SecureW2) and don't build a PKI for the students we're stuck with PEAP-MSCHAPv2; there's a collision in the middle at the ACS.

I'm going to try SecureW2 with TTLS. It says it supports PAP, and the ACS PEAP-GTC says it supports PAP, maybe I'll get lucky. That still means installing SecureW2, tho.

Thanks
John

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Case, Brandon J
Sent: Wednesday, July 23, 2008 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems
Re: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems
I highly recommend Freeradius.org. But if Linux is not your thing, I think IDengines might be able to pull this off.

On Wed, Jul 23, 2008 at 10:27 AM, Jeroen van Ingen [EMAIL PROTECTED] wrote:
> You could try a different Radius server... we use Radiator (http://www.open.com.au/radiator/) but e.g. FreeRADIUS (http://freeradius.org/) is also a good choice.
RE: Certificate validation...
I am not aware of a way to automatically set the trust settings within OS X 10.4 (Mac said this was a security feature, so the user had to validate the trust of EAP certificates). Leopard however has been changed so that it is something that can somehow be set automatically. On the Windows supplicant I am not sure, as we use the third-party SecureW2, even though I know there is a setting under the PEAP settings.

--
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Hector J Rios
Sent: Wednesday, July 23, 2008 10:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Certificate validation...