On Fri, 22 Sep 2006, David Spindler wrote:

I would not suggest WPA/WPA2 mixed mode. We've found that older Macs that don't support WPA2 would not work with mixed mode either. Windows boxes

Maybe I am the only one, but the use of the phrase 'mixed mode' is leading to confusion. Are we talking mixed mode = WEP and TKIP, or are we talking mixed mode = WPA (TKIP) and WPA2 (AES).

As far as I am aware, there was an issue with WEP/TKIP on the Macs, but there are no issues I have seen so far with TKIP/AES.

mostly worked fine with mixed mode, but if the hardware only supported WPA, then WZC would try to use WPA/AES (a valid but mostly unsupported option). You could force it to use WPA/TKIP but if you ever connect/reconnect it would revert to WPA/AES.

Actually, this is a bug with, it appears, Microsoft. I have a case open with them. But the problem where it reverts back to WPA/AES only seems to happen if you have connected successfully to a WPA/AES network. If you have not, your machine will connect, and remain at, WPA/TKIP.


I don't have a whole lot of experience with the VPN side of things. It probably wouldn't work well for guest users and depends a lot on the client. We use the Cisco VPN client and it is very poor over wireless. We would notice that if there are any wireless issues at all the VPN client would disconnect, while TCP applications that were not using the VPN would continue to work fine. I've heard other VPN vendors (maybe Nortel) have much more stable clients, to the point that some of them will let you change IP addresses underneath the connection without losing any sessions.


We use the Cisco VPN client, and it has been pretty stable (at least with the newer versions).



--David
UT Austin


Phone:
512-475-9299(w)
512-775-8033(c)

Public Key at : http://webspace.utexas.edu/~spindler/pubkey.txt

On Fri, 22 Sep 2006, Crawford, Tim M. wrote:

We're doing something a little different from the main Stanford campus.
The main campus AP's do not use encryption. However, we're currently
using WEP. We're in the process of looking at the alternatives too (WPA
vs. VPN). The main campus is looking to require VPN whenever secure
communications are required...but not requiring VPN by default for AP
access.

Here at the Stanford Graduate School of Business, we're looking to move
from WEP to WPA. There are really two arguments that come to mind...and
they're from the user experience perspective.

Argument for WPA:
Regardless if you use a laptop with wired connection in your office vs.
wireless, the experience is the same. If you're off campus, the
experience is completely different. This appears to be a more widely
acceptable solution in terms of how users think of the experience
relationships (on campus/ off campus, wired/ wireless).

Argument for VPN:
Regardless if you are on campus or off campus, the experience to access
applications is identical. However, this creates a different experience
for users between wired and wireless connections...even in their office.
This also seems to be a more challenging experience for users to keep
track of.

I'm sure others may have other recommendations.

Regards,

Tim

______________________________________
Tim M. Crawford
Associate Director, IT Operations
Stanford Graduate School of Business
650.724.2447
[EMAIL PROTECTED]


-----Original Message-----
From: Robinson, Ronald [mailto:[EMAIL PROTECTED]
Sent: Friday, September 22, 2006 12:00 PM
To: [email protected]
Subject: [WIRELESS-LAN] WPA or VPN

We are in the process of re-evaluating the security on our wireless
network.  Currently we support Dynamic WEP/802.1x and WPA with PEAP
authentication.  What I would like to know from this group is the pros
and cons to using WPA/2 or VPN, especially with regards to end user
support and, if you are migrating from one to the other, your reasons
for doing so.

------------------------------------------------------
Ron Robinson, Network Architect, Bradley University

1501 West Bradley Ave.  |       E-Mail: [EMAIL PROTECTED]
Morgan Hall Room 205F   |       Phone:  (309) 677-3350
Peoria, Illinois 61625  |       FAX:    (309) 677-3460

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.





-- Walter Reynolds
   Principle Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438
