RE: Weak Security

2020-12-02 Thread Michael Holden
+1 Kill WEP and TKIP
Please beware of enabling WPA3 or OWE!
Can’t wait to be able to use them, but there are still some serious driver 
issues out there.
For instance, the Google Pixel 3 used to (may still) kernel panic and reboot 
the phone when connecting to a WPA3-Personal SSID. No error, no warning, just 
reboots the device, it’s a really sweet denial of service actually.
We also have many reports of various device types requesting passwords when 
connecting to OWE SSIDs.
Can’t wait to be able to use them; it’ll just take a while before we can deploy 
without worry, or be able to blame the device manufacturers for not updating 
their drivers for years.

For those of you using Aruba and Aruba ClearPass, if you are looking at the 
SSID name in the service, OWE SSIDs will prepend OWE_ to the SSID, so make 
sure you’re using Contains or a RegEx if possible rather than Equals.

A friendly PSA:
While you’re at it, you may want to take the 1 and 2 Mbps rates off your 2.4 GHz, 
unless you have specific devices that require them (scan guns, emergency pull 
strings, and industrial / HVAC devices come to mind).
They travel quite a ways, and user experience is poor at best when connected at 
1/2 Mbps.
If you support printers in your RESNET, beware of turning all 1-11 rates off; we’ve 
seen some printers with g/n 2.4 radios that will still require connecting at 6 Mbps 
and then negotiate up.


From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jennifer Minella
Sent: Wednesday, December 2, 2020 5:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Weak Security

+1 on removing TKIP as an option and staying with AES as a minimum. TKIP has 
been deprecated for years and even in a BYOD/higher ed environment, it is 
exceptionally unlikely any devices won’t support the AES/CCMP suite; if they 
*don’t* support it, you may not want them on that network anyway. With the new 
Wi-Fi security standards out, including WPA3 (in addition to Open 
Enhanced/OWE), even our current AES will be at the low end of the security 
totem pole (down the road).

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Entwistle, Bruce
Sent: Tuesday, December 1, 2020 7:14 PM
Subject: Weak Security

Apple devices that are updating to iOS 14 are now reporting that wireless 
security is weak. We are currently using a combination of WPA/TKIP and 
WPA2/AES for security, but are considering the move to WPA2/AES only. I was 
looking to see what others have done and what challenges you faced in making 
these changes.

https://discussions.apple.com/thread/251805737

Thank you
Bruce Entwistle
Network Manager
University of Redlands


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


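As an added example (not code from Michael Holden, EDUCAUSE or any vendor), the following Python checks a set of constructed SSID profiles for the things this post flags: WEP/TKIP still enabled, 1 and 2 Mbps rates left on in 2.4 GHz, 6 Mbps removed, and a ClearPass-style SSID condition written with Equals that therefore misses the OWE_ form of the name. The profile field names, the exception list and the rule operators are this example's own assumptions.

```python
"""Lint SSID profiles for the points raised in this thread: WEP/TKIP still
enabled, 1 and 2 Mbps rates left on in 2.4 GHz, 6 Mbps removed (some g/n
printers need it to join), and a ClearPass-style service rule that matches an
OWE SSID with Equals although it is presented as OWE_<name>. Added example, not
any poster's or vendor's code; the profiles and field names are constructed."""
import re

# Constructed profiles; the keys are this example's own convention.
PROFILES = [
    {"ssid": "Campus", "band": "2.4", "ciphers": ["CCMP", "TKIP"],
     "rates_mbps": [1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54]},
    {"ssid": "Guest", "band": "2.4", "ciphers": ["CCMP"],
     "rates_mbps": [12, 18, 24, 36, 48, 54]},
    {"ssid": "Warehouse", "band": "2.4", "ciphers": ["CCMP"],
     "rates_mbps": [1, 2, 5.5, 11]},
]

def lint_profile(p, low_rate_exceptions=()):
    """Return findings as (severity, message) tuples for one SSID profile.
    low_rate_exceptions names SSIDs that legitimately need 1/2 Mbps
    (scan guns, emergency pull strings, HVAC gear)."""
    out, name = [], p["ssid"]
    weak = {"WEP", "TKIP"} & set(p["ciphers"])
    if weak:
        out.append(("high", "%s: %s enabled; WPA2 requires CCMP and 802.11n "
                    "withholds HT rates when TKIP/WEP is configured" % (name, ",".join(sorted(weak)))))
    if p["band"] != "2.4":
        return out
    rates = set(p["rates_mbps"])
    if rates & {1, 2} and name not in low_rate_exceptions:
        out.append(("medium", "%s: 1/2 Mbps rates enabled; long reach, poor experience" % name))
    if 6 not in rates:
        out.append(("low", "%s: 6 Mbps disabled; some g/n printers join at 6 Mbps first" % name))
    return out

def lint_all(profiles, low_rate_exceptions=()):
    return [f for p in profiles for f in lint_profile(p, low_rate_exceptions)]

def rule_matches(operator, value, observed_ssid):
    """Evaluate a ClearPass-style SSID condition (Equals / Contains / Matches)."""
    if operator == "Equals":
        return observed_ssid == value
    if operator == "Contains":
        return value in observed_ssid
    if operator == "Matches":
        return re.search(value, observed_ssid) is not None
    raise ValueError("unknown operator %r" % operator)

def owe_rule_check(operator, value, ssid):
    """Does the rule fire both for the plain SSID and for its OWE_ form?
    The OWE_ prefix is what the thread reports ClearPass sees for OWE SSIDs."""
    return rule_matches(operator, value, ssid), rule_matches(operator, value, "OWE_" + ssid)
```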


RE: Weak Security

2020-12-02 Thread Jason Cook
Same here, can’t remember when we removed TKIP… a few years back now.

No calls /complaints/issues…

--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Floyd, Brad
Sent: Wednesday, 2 December 2020 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Weak Security

Bruce,
We removed TKIP (and WPA) in favor of AES (CCMP) (and WPA2) from all of our 
configs a little over 7 years ago. We faced zero challenges and gained the 
increased connection rates (HT). The IEEE 802.11n standard prohibited using 
high-throughput if WEP or TKIP is configured. This limited connection rates to 
54 Mbps. The URL is correct, TKIP is weak (and broken).
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Entwistle, Bruce
Sent: Tuesday, December 01, 2020 6:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Weak Security



Apple devices that are updating to iOS 14 are now reporting that wireless 
security is weak. We are currently using a combination of WPA/TKIP and 
WPA2/AES for security, but are considering the move to WPA2/AES only. I was 
looking to see what others have done and what challenges you faced in making 
these changes.

https://discussions.apple.com/thread/251805737

Thank you
Bruce Entwistle
Network Manager
University of Redlands




RE: Weak Security

2020-12-02 Thread Jennifer Minella
+1 on removing TKIP as an option and staying with AES as a minimum. TKIP has 
been deprecated for years and even in a BYOD/higher ed environment, it is 
exceptionally unlikely any devices won’t support the AES/CCMP suite; if they 
*don’t* support it, you may not want them on that network anyway. With the new 
Wi-Fi security standards out, including WPA3 (in addition to Open 
Enhanced/OWE), even our current AES will be at the low end of the security 
totem pole (down the road).

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Entwistle, Bruce 
Sent: Tuesday, December 1, 2020 7:14 PM
Subject: Weak Security

Apple devices that are updating to iOS 14 are now reporting that wireless 
security is weak. We are currently using a combination of WPA/TKIP and 
WPA2/AES for security, but are considering the move to WPA2/AES only. I was 
looking to see what others have done and what challenges you faced in making 
these changes.

https://discussions.apple.com/thread/251805737

Thank you
Bruce Entwistle
Network Manager
University of Redlands




RE: Fast transition roaming

2020-12-02 Thread Dennis Xu
Hi Eric,

Please see my answers below:


  1.  Do you use 802.11r?

Yes

  2.  How about .11k?

Yes

  3.  If you do, did you notice improvements in device roaming, whether they 
are stationary or moving?

We noticed the overall number of RADIUS requests/sec dropped by half after 
802.11r was enabled. It was a big improvement from that perspective.

  4.  Were there any implementation pains?

No. No complaints. 11k was enabled several years back, and 11r was just enabled 
at the end of last year.

  5.  Would you mind sharing exactly which settings you use; in Cisco terms, 
Fast Transition enabled or adaptive; over the DS checked or not; FT 802.1x/FT 
psk or no; 11k neighbor list enabled or not

Fast Transition adaptive, Over the DS not checked (this is recommended by 
Cisco), 802.1X for AKM, 11k neighbor list enabled, 11k dual band not enabled.

For that blog, I don't know why he did not test the 802.1X AKM, but that works.

Dennis

Dennis Xu | Analyst III, Network Infrastructure, MAsc, CCIE(#13056), CISSP
Computing and Communications Services (CCS) | University of Guelph
University Centre | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56217 | d...@uoguelph.ca
www.uoguelph.ca/ccs | twitter.com/ccsnews | facebook.com/CCSUofG

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Glinsky, Eric
Sent: Wednesday, December 2, 2020 3:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Fast transition roaming


Hi everyone,

We are reviewing our WLAN-level settings and are curious about what other 
institutions are doing for fast transition.


  1.  Do you use 802.11r?
  2.  How about .11k?
  3.  If you do, did you notice improvements in device roaming, whether they 
are stationary or moving?
  4.  Were there any implementation pains?
  5.  Would you mind sharing exactly which settings you use; in Cisco terms, 
Fast Transition enabled or adaptive; over the DS checked or not; FT 802.1x/FT 
psk or no; 11k neighbor list enabled or not
  6.  If you do not use 802.11k and/or 802.11r, why not?

We don't have 802.11r or 802.11k enabled at this point and are leery of 
enabling them due to potential compatibility issues, though they could certainly 
improve the client experience if they work.

I looked through the archives and this hasn't been discussed for at least a 
couple of years, and it seemed like more of a Cisco code issue at that time, so 
I'm looking forward to hearing about your experiences now with the latest code, 
drivers, devices, etc.

I found an interesting blog on various FT settings with Cisco, which leads me 
to believe that if we were to enable 802.11r on our Cisco controller, we would 
set it to Enabled, and check off both 802.1x and FT 802.1x for compatibility. 
Interestingly, the Adaptive setting is specific to Cisco-Apple.

https://mac-wifi.com/ciscos-802-11r-ft-settings-adaptive-mode-explained/

Also the Cisco Best Practices for iOS Devices guide has a couple of sections on 
802.11r and Adaptive 802.11r. One takeaway from that is that it's best for 
high-density, enterprise environments to use over-the-air FT (i.e. 
over-the-distribution-system unchecked).
https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf#%5B%7B%22num%22%3A40%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C105%2C570%2C0%5D

Thanks,
Eric Glinsky
Network Administrator
University of Connecticut
ITS - Network Operations
Temporary Administration Building
25 Gampel Service Drive | Storrs, CT 06269-1138
(860) 486-9199
e...@uconn.edu




Fast transition roaming

2020-12-02 Thread Glinsky, Eric
Hi everyone,

We are reviewing our WLAN-level settings and are curious about what other 
institutions are doing for fast transition.


1.  Do you use 802.11r?

2.  How about .11k?

3.  If you do, did you notice improvements in device roaming, whether they 
are stationary or moving?

4.  Were there any implementation pains?

5.  Would you mind sharing exactly which settings you use; in Cisco terms, 
Fast Transition enabled or adaptive; over the DS checked or not; FT 802.1x/FT 
psk or no; 11k neighbor list enabled or not

6.  If you do not use 802.11k and/or 802.11r, why not?

We don't have 802.11r or 802.11k enabled at this point and are leery of 
enabling them due to potential compatibility issues, though they could certainly 
improve the client experience if they work.
I looked through the archives and this hasn't been discussed for at least a 
couple of years, and it seemed like more of a Cisco code issue at that time, so 
I'm looking forward to hearing about your experiences now with the latest code, 
drivers, devices, etc.

I found an interesting blog on various FT settings with Cisco, which leads me 
to believe that if we were to enable 802.11r on our Cisco controller, we would 
set it to Enabled, and check off both 802.1x and FT 802.1x for compatibility. 
Interestingly, the Adaptive setting is specific to Cisco-Apple.

https://mac-wifi.com/ciscos-802-11r-ft-settings-adaptive-mode-explained/

Also the Cisco Best Practices for iOS Devices guide has a couple of sections on 
802.11r and Adaptive 802.11r. One takeaway from that is that it's best for 
high-density, enterprise environments to use over-the-air FT (i.e. 
over-the-distribution-system unchecked).
https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf#%5B%7B%22num%22%3A40%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C105%2C570%2C0%5D

Thanks,
Eric Glinsky
Network Administrator
University of Connecticut
ITS - Network Operations
Temporary Administration Building
25 Gampel Service Drive | Storrs, CT 06269-1138
(860) 486-9199
e...@uconn.edu




Re: [WIRELESS-LAN] Weak Security

2020-12-02 Thread Jonathan Waldrep
It is worth noting that WPA2 requires AES/CCMP support, where TKIP is
optional. To give an idea of clients that support it, WPA2 support was
added in Windows XP SP3 (2008), possibly with a hotfix before that.

On 02/12/2020 10:39, James Helzerman wrote:

Hi.  Our first roll out for 802.1x used WPA2 AES and we have had zero
issues.  All clients these days (and for many years) support it.

-Jimmy

--
James Helzerman
Wireless Network Engineer
University of Michigan - ITS

On Tue, Dec 1, 2020 at 9:56 PM Entwistle, Bruce <
0139f1156e70-dmarc-requ...@listserv.educause.edu> wrote:

> Apple devices that are updating to iOS 14 are now reporting that wireless
> security is weak. We are currently using a combination of WPA/TKIP and
> WPA2/AES for security, but are considering the move to WPA2/AES only. I
> was looking to see what others have done and what challenges you faced in
> making these changes.
>
>
>
> https://discussions.apple.com/thread/251805737
>
>
>
> Thank you
>
> Bruce Entwistle
>
> Network Manager
>
> University of Redlands
>
>
>
>


-- 
James Helzerman
Wireless Network Engineer
University of Michigan - ITS
Phone: 734-615-9541

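As an added example (not code from any poster, EDUCAUSE or a vendor) that serves both Brad Floyd's point that 802.11n withholds HT rates when TKIP is configured and Jonathan's point that WPA2 mandates CCMP with TKIP optional, this Python decodes an RSN element as an AP beacons it and reports what it advertises, including FT AKMs from the 802.11r thread. The sample elements are constructed with the block's own builder; the suite type numbers and capability bits are those of IEEE 802.11, and the findings text is this example's own.

```python
"""Decode an 802.11 RSN element (ID 48) and flag weak cipher/AKM choices.
Added example for this thread; the sample elements are constructed, not captured."""
import struct

RSN_OUI = b"\x00\x0f\xac"  # suite selector = OUI + one-byte suite type
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
WEAK = {"WEP-40", "WEP-104", "TKIP"}

def _suite(body, off, table):
    return table.get(body[off + 3], "unknown") if body[off:off + 3] == RSN_OUI else "vendor"

def build_rsn(group, pairwise, akms, caps=0):  # assembles a constructed sample element
    sel = lambda k: RSN_OUI + bytes([k])
    body = struct.pack("<H", 1) + sel(group)
    body += struct.pack("<H", len(pairwise)) + b"".join(map(sel, pairwise))
    body += struct.pack("<H", len(akms)) + b"".join(map(sel, akms))
    return bytes([48, len(body) + 2]) + body + struct.pack("<H", caps)

def parse_rsn(ie):
    """Return {'group', 'pairwise', 'akm', 'mfp_capable', 'mfp_required'}."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    info = {"group": None, "pairwise": [], "akm": [],
            "mfp_capable": False, "mfp_required": False}
    off = 2
    if len(body) >= off + 4:  # group cipher suite; every later field is optional
        info["group"], off = _suite(body, off, CIPHERS), off + 4
    for key, table in (("pairwise", CIPHERS), ("akm", AKMS)):
        if len(body) < off + 2:
            return info
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if len(body) < off + 4 * count:
            raise ValueError("%s suite list truncated" % key)
        info[key] = [_suite(body, off + 4 * i, table) for i in range(count)]
        off += 4 * count
    if len(body) >= off + 2:  # RSN capabilities: bit 6 = MFPR, bit 7 = MFPC
        caps = struct.unpack_from("<H", body, off)[0]
        info["mfp_required"], info["mfp_capable"] = bool(caps & 0x40), bool(caps & 0x80)
    return info

def assess(info):
    """Defender-side findings, one string per issue or notable capability."""
    out = []
    if info["group"] in WEAK:
        out.append("group cipher %s: broadcast traffic stays on a broken cipher" % info["group"])
    if WEAK & set(info["pairwise"]):
        out.append("TKIP/WEP pairwise offered: 802.11n withholds HT rates, so 54 Mbps max")
    if any(a.startswith("FT-") for a in info["akm"]):
        out.append("802.11r fast transition advertised (%s)" % ", ".join(info["akm"]))
    if {"SAE", "FT-SAE", "OWE"} & set(info["akm"]) and not info["mfp_required"]:
        out.append("WPA3/OWE AKM without MFP required: not a compliant WPA3 setup")
    return out
```

A mixed WPA/WPA2 SSID shows up here as a TKIP group cipher with both CCMP and TKIP pairwise suites, which is exactly the configuration the thread recommends retiring.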


Re: [WIRELESS-LAN] Weak Security

2020-12-02 Thread James Helzerman
Hi.  Our first roll out for 802.1x used WPA2 AES and we have had zero
issues.  All clients these days (and for many years) support it.

-Jimmy

--
James Helzerman
Wireless Network Engineer
University of Michigan - ITS

On Tue, Dec 1, 2020 at 9:56 PM Entwistle, Bruce <
0139f1156e70-dmarc-requ...@listserv.educause.edu> wrote:

> Apple devices that are updating to iOS 14 are now reporting that wireless
> security is weak. We are currently using a combination of WPA/TKIP and
> WPA2/AES for security, but are considering the move to WPA2/AES only. I
> was looking to see what others have done and what challenges you faced in
> making these changes.
>
>
>
> https://discussions.apple.com/thread/251805737
>
>
>
> Thank you
>
> Bruce Entwistle
>
> Network Manager
>
> University of Redlands
>
>
>
>


-- 
James Helzerman
Wireless Network Engineer
University of Michigan - ITS
Phone: 734-615-9541
