We are using WPA/TKIP with a cert installed on the radius server IAS
2003, the cert is from ipsCA (http://certs.ipsca.com/) which offers free
certs (2 year time periods) for .edu domains.  Getting the cert is very
quick and according to their site the root certificate has been included
in Microsoft products since 1999 and now is bundled in a number of
others (Firefox for example).  I can say from experience that they are
included in WinXP, Mac OSX & Vista.

 

We initially tested them with just our radius controllers and have now
moved to using them for some of our web servers.  It's a free cert that
is included on most clients and we haven't had any problems since
we've been using them (2 years this summer).

 

We have our users use the built in client of the OS and select IPS
SERVIDORES under the Trusted Root Certificate Authorities.

 

- Michael

 

Michael McGuire
Network Administrator
Moravian College
Center for Information Technology
610.625.7760
[EMAIL PROTECTED]

 

From: Lelio Fulgenzi [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 04, 2007 1:47 PM
To: [email protected]
Subject: Re: 802.1x With A One-Way Certificate

 

sorry, 

 

http://www.uoguelph.ca/ccs/internet/getting_connected/wireless/securing_with_wpa.shtml

 

--------------------------------------------------------------------------------
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
...there's no such thing as a bad timbit...

        ----- Original Message ----- 

        From: Lelio Fulgenzi <mailto:[EMAIL PROTECTED]>  

        To: [email protected] 

        Sent: Wednesday, April 04, 2007 1:42 PM

        Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

         

        Here are our instructions. We ask users to check off the
        appropriate CA and it works fine for us. No need to manually
        download or approve anything.

         

        It's worked for us.

         

        
        --------------------------------------------------------------------------------
        Lelio Fulgenzi, B.A.
        Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
        (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        ...there's no such thing as a bad timbit...

                ----- Original Message ----- 

                From: ktaillon <mailto:[EMAIL PROTECTED]>  

                To: [email protected] 

                Sent: Wednesday, April 04, 2007 1:39 PM

                Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

                 

                One of the things that I didn't point out is we are
                running the new LWAPP AP's and controller setup. After I
                told Cisco about the one-way cert he said this is ok to
                run in this setup because the peap tunnel that is created
                from the client to the AP and to the ACS/Controller could
                not be interfered with. Not like a web server cert that
                could be hijacked.

                If I were to install a Cert (Verisign, GTE.....) on the
                ACS that is on the XP list of trusted names, can the
                client just check off that name without having to go to a
                web server to download and install the cert?

                I'm just trying to keep the client setup as simple as
                possible but not in a way that lowers security.

                Ken
                
                
                -----Original Message-----
                From: Michael Griego [mailto:[EMAIL PROTECTED] 
                Sent: Wednesday, April 04, 2007 11:27 AM
                To: [email protected]
                Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate
                
                Just be aware that not validating the certificate opens
                you up to fairly easy session hijacking attacks since
                anyone can come up with a cert and get your clients to
                connect to their APs instead of yours (since the client is
                not checking cert validity)...  The attacker would then
                have access to the data stream as it would appear on the
                LAN, so you potentially lose a lot of the security
                benefit.
                
                --Mike
                
                
                On Apr 4, 2007, at 10:19 AM, Rick Coloccia wrote:
                
                > Yes.  We aren't using the wpa-tkip with acs, but we do
                > use ias (windows) for radius, we have our clients
                > uncheck the 'Validate Server Certificate' option and
                > away they go.
                >
                > http://www.geneseo.edu/CMS/display.php?page=5200&dpt=cit
                > http://www.geneseo.edu/CMS/display.php?page=5198&dpt=cit
                > http://www.geneseo.edu/CMS/display.php?page=5199&dpt=cit
                >
                > We like how it works.  We run 4 4404's with 350 1242ag
                > access points.
                >
                > -Rick
                >
                >
                > ktaillon wrote:
                >> We are trying to implement a WPA/TKIP Wireless
                >> authentication. We are using ACS Solution Engine which
                >> backs into AD for Authentication. We are currently
                >> using WEP.
                >> We are looking for the least amount of client setup to
                >> make this change. Cisco has told us to use the PEAP
                >> MSCHAPv2 connection with a one-way cert, the cert or CA
                >> would only be installed on the ACS server and the
                >> client would uncheck the 'Validate Server Certificate'
                >> under the protected EAP properties. They also told us
                >> that the PEAP tunnel that is created would be
                >> comparable to having a cert on the client. This seems
                >> to be working fine in our tests and is very simple
                >> setup for the clients.
                >> Are any of you running your connection setup this way?
                >> Ken Taillon
                >> Network Support Specialist
                >> Information Technology Services
                >> Wesleyan University
                >> 860-685-5657
                >> ********** Participation and subscription information
                >> for this EDUCAUSE Constituent Group discussion list can
                >> be found at http://www.educause.edu/groups/.
                >
                > --
                > Rick Coloccia,  Jr.
                > Network Manager
                > State University of NY College at Geneseo
                > 1 College Circle, 119 South Hall
                > Geneseo, NY 14454
                > V: 585-245-5577
                > F: 585-245-5579
                >
                
                




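The three client configurations discussed in this thread make different decisions about the RADIUS server's certificate: "Validate server certificate" unticked (Ken's and Rick's setup) accepts anything; ticking the CA under Trusted Root Certification Authorities (Michael McGuire's setup) requires the chain to end at that root; adding a server name requires the right server as well. The second point matters with a root that issues to many domains, as ipsCA does for any .edu: a certificate issued by the same root to another campus's server still chains to the ticked root, so the name check is what rejects it. The following shell script is an added example, not code from any message in this thread. It builds its own throwaway root CA and three constructed certificates in a temp directory and uses the openssl verifier (1.1.0 or later, for -verify_hostname) in place of the supplicant's check; every name in it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA in a temp directory
# stands in for the root the users tick under "Trusted Root Certification
# Authorities", and openssl's verifier stands in for the supplicant's
# "Validate server certificate" check. All names below are constructed.
set -e
WORK=$(mktemp -d)

# 1. The trusted root (constructed), e.g. the CA that issued the RADIUS cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# issue_from_root <name> <file>: a certificate for <name> signed by the root.
issue_from_root() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# 2. Our own RADIUS server's certificate.
issue_from_root radius.example.edu radius
# 3. Another campus's server certificate, issued by the same root.
issue_from_root radius.other-campus.edu peer
# 4. A self-signed certificate carrying our server's name but chaining to
#    no trusted issuer at all.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=radius.example.edu" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1

# chain_ok <cert>: what ticking the root CA alone checks - the chain must
# end at the trusted root. Returns 0 on success, non-zero otherwise.
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1
}

# server_ok <cert> <expected-name>: the chain check plus a server name
# check, the equivalent of also filling in "Connect to these servers".
server_ok() {
  openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$2" "$1" \
    >/dev/null 2>&1
}

# no_validation <cert>: "Validate server certificate" unticked - every
# certificate is accepted, so the client cannot tell the three apart.
no_validation() { return 0; }

# Stand-alone run: print the decision each configuration reaches.
for c in radius peer self; do
  chain_ok "$WORK/$c.pem" && r1=pass || r1=fail
  server_ok "$WORK/$c.pem" radius.example.edu && r2=pass || r2=fail
  echo "$c.pem: root-only=$r1  root+name=$r2  unvalidated=pass"
done
```

Run with `sh`; it prints one line per certificate. Only radius.pem passes both checks, peer.pem passes the root-only check and fails the name check, self.pem fails both, and the unvalidated client accepts all three.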