Re: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS
Hey Ryan - If you have some time over the next couple of weeks I would like to speak to you more about this offline. All about blending security and user experience.

T.J. Norton
Wireless Network Architect
Network Operations
(434) 592-6552
Liberty University | Training Champions for Christ since

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H
Sent: Wednesday, September 25, 2019 2:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS

We don’t use CRLs or OCSP. If we have a trouble client, we drop the MAC and not the certificate. I don’t like delays in the authentication process, and found the gains not worth what I would gain. However, every institution is different.

**
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
RE: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS
We don’t use CRLs or OCSP. If we have a trouble client, we drop the MAC and not the certificate. I don’t like delays in the authentication process, and found the gains not worth what I would gain. However, every institution is different.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Norton, Thomas (Network Operations)
Sent: Wednesday, September 25, 2019 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS

We’re currently going through this process as well and would love to get feedback. We’re going to be using their Windows (WSTEP integration) as well for internal clients. Interesting to see everyone else’s take. CRL so far has been the biggest caveat on the CPPM side. Aruba really likes to push OCSP, so making sure the update times are set up accordingly is important CRL-wise.

T.J. Norton
Wireless Network Architect
Network Operations
(434) 592-6552
Liberty University | Training Champions for Christ since
Re: [External] Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
They don’t care about DHCPv6 either :P

T.J. Norton
Wireless Network Architect
Network Operations
(434) 592-6552
Liberty University | Training Champions for Christ since

On 9/25/19, 11:02 AM, "The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Hunter Fuller" wrote:

> It's not just TLS. At this point it's clear that the Android developers don't care at all about wireless security, whether via TLS, PEAP, or anything except PSK. There has been minimal improvement in Android 9 and above, 5+ years after everyone else got it right. But by and large, Google fights you the entire time you are trying to provide a secure wireless experience to their users.
>
> --
> Hunter Fuller
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
Re: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS
We’re currently going through this process as well and would love to get feedback. We’re going to be using their Windows (WSTEP integration) as well for internal clients. Interesting to see everyone else’s take. CRL so far has been the biggest caveat on the CPPM side. Aruba really likes to push OCSP, so making sure the update times are set up accordingly is important CRL-wise.

T.J. Norton
Wireless Network Architect
Network Operations
(434) 592-6552
Liberty University | Training Champions for Christ since

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Christopher Brizzell <0113a07d9d59-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Wednesday, September 25, 2019 at 8:57 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS

In what should have been done long ago, we would like to move off of our EAP-PEAP and onto EAP-TLS. Most likely we will be going with SecureW2 to help with that process. I’d like to hear from anyone who may have done this with Aruba OS and Clearpass, so as to avoid any pitfalls and look for advice on the best way to proceed. Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994
Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
It's not just TLS. At this point it's clear that the Android developers don't care at all about wireless security, whether via TLS, PEAP, or anything except PSK. There has been minimal improvement in Android 9 and above, 5+ years after everyone else got it right. But by and large, Google fights you the entire time you are trying to provide a secure wireless experience to their users.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Sep 25, 2019 at 9:56 AM Jonathan Oakden wrote:
>
> All great advice from Ryan.
>
> We use Ruckus Cloudpath for our onboarding.
>
> When TLS works it’s great. It’s mostly shoddy implementations on OS’s that give problems. That’s why Android forms the bulk of the issues. If Google ever get that sorted it will be an enormous help. Windows became a lot easier and more reliable from the launch of W10.
>
> Jonathan Oakden
> Loughborough University
Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
All great advice from Ryan.

We use Ruckus Cloudpath for our onboarding.

When TLS works it’s great. It’s mostly shoddy implementations on OS’s that give problems. That’s why Android forms the bulk of the issues. If Google ever get that sorted it will be an enormous help. Windows became a lot easier and more reliable from the launch of W10.

Jonathan Oakden
Loughborough University

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H"
Reply to: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Wednesday, 25 September 2019 at 14:58
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

I can’t speak to the Clearpass, but you should spend more time validating the onboarding process so that it is smooth. That is going to be your issue. The setup won’t take long, but a poorly designed user experience will hurt you. I am going to assume you will use SecureW2’s cloud PKI. We are going to be switching to that from an AD private PKI. Don’t be silly with certificate lengths or hashes. 2048 length with SHA256 works fine. No need to do anything more and risk client support issues (in my opinion).

You should stand up a test onboarding SSID (if you are going to have one) and get people to go through the process before production and get feedback. Utilize the documentation other schools have built (wifi.unc.edu). If you haven’t used an onboarding SSID to date, then you have a lot of work just to make that work well. Realize that Android devices are going to be 75% of your issues. The other operating systems are pretty easy and straightforward (OSX is the second runner for issues). iOS and Windows are a breeze.

Good luck and welcome to the TLS club.

Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu
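Two points in this thread are worth seeing as a concrete check rather than as advice: Ryan's "2048 with SHA256 works fine" floor for client certificates, and T.J.'s caveat that CRL update timing is the main ClearPass pitfall (a CRL whose nextUpdate has passed before the RADIUS side refreshes it makes a fail-closed policy reject every client, which is also the delay-and-risk trade-off behind Ryan's decision to skip CRL/OCSP and block the MAC instead). The script below is an added example, not code from the thread, from Aruba ClearPass or from SecureW2: it uses the Python `cryptography` package, builds a throwaway CA, three client certificates and two CRLs in-process as constructed fixtures (all names, the 1024-bit "weak" key and the 24-hour CRL validity are placeholders), and applies the policy a RADIUS-side validator would.

```python
"""Policy check for EAP-TLS client certs: chain, key size, signature hash,
and CRL revocation with a nextUpdate freshness guard (fail-closed).

Added example, not the thread's or any vendor's code. Requires the
third-party `cryptography` package. Every CA, certificate and CRL here is
constructed in-process as a test fixture; names are placeholders."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MIN_RSA_BITS = 2048                              # the "2048 works fine" floor
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}  # SHA256 or stronger


def make_ca(name="Campus Test CA (constructed)"):
    """Self-signed test CA standing in for the SecureW2 / AD PKI issuer."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, user, key_bits=2048):
    """Client-auth cert for `user`; key_bits lets the demo mint a weak one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials, validity=timedelta(hours=24), issued_at=None):
    """CRL with nextUpdate = issued_at + validity; an old issued_at yields a stale CRL."""
    issued_at = issued_at or datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(issued_at)
               .next_update(issued_at + validity))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(issued_at).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def _next_update_utc(crl):
    """nextUpdate as a timezone-aware datetime across cryptography versions."""
    nu = getattr(crl, "next_update_utc", None)
    if nu is None:
        nu = crl.next_update
        if nu is not None and nu.tzinfo is None:
            nu = nu.replace(tzinfo=timezone.utc)
    return nu


def check_client_cert(cert, ca_cert, crl, now=None):
    """Return the list of policy findings for a presented cert; [] means accept."""
    now = now or datetime.now(timezone.utc)
    findings = []
    try:  # 1. chain: the cert must carry our CA's RSA PKCS#1 v1.5 signature
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        findings.append("signature does not verify against the issuing CA")
    pub = cert.public_key()  # 2. key strength
    if not isinstance(pub, rsa.RSAPublicKey):
        findings.append(f"unexpected key type {type(pub).__name__}")
    elif pub.key_size < MIN_RSA_BITS:
        findings.append(f"RSA key too small: {pub.key_size} < {MIN_RSA_BITS}")
    hash_name = getattr(cert.signature_hash_algorithm, "name", None)  # 3. hash
    if hash_name not in ALLOWED_HASHES:
        findings.append(f"weak signature hash: {hash_name}")
    if crl is not None:  # 4. revocation, failing closed when the CRL is out of date
        if not crl.is_signature_valid(ca_cert.public_key()):
            findings.append("CRL signature invalid")
        nu = _next_update_utc(crl)
        if nu is not None and now > nu:
            findings.append(f"CRL stale: nextUpdate {nu.isoformat()} has passed")
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            findings.append("certificate is revoked")
    return findings


def demo():
    """Four scenarios: good cert, weak key, revoked cert, and a CRL past nextUpdate."""
    ca_key, ca_cert = make_ca()
    _, good = issue_client_cert(ca_key, ca_cert, "student@campus.example")
    _, weak = issue_client_cert(ca_key, ca_cert, "legacy-printer@campus.example", key_bits=1024)
    _, lost = issue_client_cert(ca_key, ca_cert, "lost-laptop@campus.example")
    fresh_crl = build_crl(ca_key, ca_cert, [lost.serial_number])
    stale_crl = build_crl(ca_key, ca_cert, [lost.serial_number],
                          issued_at=datetime.now(timezone.utc) - timedelta(days=3))
    return {"good_fresh": check_client_cert(good, ca_cert, fresh_crl),
            "weak_fresh": check_client_cert(weak, ca_cert, fresh_crl),
            "revoked_fresh": check_client_cert(lost, ca_cert, fresh_crl),
            "good_stale": check_client_cert(good, ca_cert, stale_crl)}


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {'ACCEPT' if not findings else 'REJECT: ' + '; '.join(findings)}")
```

The `good_stale` scenario is the one T.J. is warning about: the certificate is fine, but because the CRL's nextUpdate is in the past the policy rejects it, so in production the CRL refresh interval on the RADIUS server has to be shorter than the CA's CRL validity period. Whether a stale CRL should fail open or closed is exactly the delay-versus-assurance trade-off Ryan resolved by not checking revocation at all and blocking the client's MAC instead.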