On Wed, Apr 29, 2009 at 5:58 PM, john <[email protected]> wrote:

>> Computers are on a domain:
>>
>>    - Publish an 802.1x wireless profile via Active Directory. (if you go
>>    this route, you don't even need to purchase your own Cert)
>>
> Can I import an OpenSSL into AD and get it pushed? That would be a great
> solution!
>

http://wiki.cacert.org/wiki/BrowserClients#ImportintoMicrosoftActiveDirectoryGroupPolicyobject

Yes you can (I have no idea who CACERT is, but the directions should hold up for all CA Certs)

But the spirit of the question was this: if you have computers joined to an Active Directory domain, and they are running XP Service Pack 3 or higher (Vista/Windows 7), you can publish an 802.1x profile in Active Directory, and apply it via group policy. However, this breaks down when you bump into Macs/Linux/Smartphones/etc. (It works in my administrative environment since we control all aspects of the machine. Users are not even administrator on their own box. Students are another story)

>> Computers not on a domain, users are administrators of their machine:
>>
>>    - http://www.cloudpath.net/ They make a utility that will auto
>>    configure your 802.1x settings (as well as deploy some patches and AV
>>    software among other things)
>>    - Write your own script that auto configures the OS.
>>
> This looks interesting. I don't see a pricing structure on the website. I
> guess I'd need to contact them to find out?
>

Yes you will. It's a very mature product, and last I checked supports both Mac and Windows, with a Linux client on the way.

>> The parting bit of advice I have for you is that you should consider
>> getting a real certificate for your Radius server. Check out
>> http://certs.ipsca.com/ for free certs for .edu's. (There are
>> considerations for using this CA. They're based out of Spain, just so you
>> know)
>>
>
> Interesting. Is the reason for this that users browsers will complain less?
>

Yes and no. The web browser won't, but the 802.1x supplicant will if it's an untrusted CA cert. 802.1x settings should be configured so that certificate validation is done. It removes the possibility of a Man-in-the-Middle attack. (someone impersonates your AP, and gathers all usernames and passwords)

>
> Thanks again!
>
> John
>

Keep asking the questions. There are ways to have painless 802.1x rollouts that are secure. Based on the info you've provided, you should really look into the cloudpath networks. With the mix of clients (Mac / Linux / Student owned windows machines) you'll definitely remove 80% of the hard work.

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
