Changing passwords regularly would be difficult -- we don't do that
(we have stringent requirements instead). We have our own system
that manages them, and if the user changes it through that web
application, then they have to enter the new password in the
supplicant when it prompts them. It has not been a big issue for our
help desk.
If one had a tightly managed Microsoft environment, I could see
tying 802.1x creds into the user login to the machine -- but that
requires machine auth to be working (we haven't researched but certs
might work for XP SP2). We have ~25% Mac and ~2% other unix, so
can't assume a Microsoft environment. In the future we hope to get
the user auth being used for the 802.1x creds.
Regarding 802.1x in general, I gave a short talk about our
implementation process the other week if anyone is interested (not
technical):
https://webspace.utexas.edu/greenwc/restricted.utexas%202-14-08.ppt
It is a success for us, and we'd do it again for our own reasons
(environments differ). We do have some problems with 802.1x in areas
with weak coverage or heavy congestion. And while we get
complaints, users like the convenience (90% compliance). Since most
users don't encrypt their disk and secure their laptops, the binding
of users is less strong than web systems. But other security is
greater (no man in the middle).
Vendors I have spoken to assert the 802.1x problems we see are
related to drivers/supplicants and will get better as they mature.
I'd be interested in what others have learned. Note, however, that
we use WPA not WPA2. We may offer WPA2 in the future which could
help (PMK caching, and pre-roam auth). When we started there were no
good installers (since then we have purchased idEngines), and had
problems with supplicants that would select WPA2 even though their
hardware didn't support AES (so they'd fail and we decided WPA only
for now). With the installers, we think that may not be as much of
an issue (perhaps we'll see this summer and offer WPA and WPA2).
--
William C. Green e-mail: [EMAIL PROTECTED]
Director, Networking phone: +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX 78712
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.