Diana,

The info on the outer tunnel will always be unencrypted for tunneled EAPs (EAP-TTLS, EAP-PEAP, EAP-TLS, EAP-FAST...). What you want is to be able to configure the supplicant to send "anonym...@realm" as the outer tunnel identifier. 802.1X doesn't need a valid username for the outer tunnel to function properly. In most supplicants (whether native OS or not) you can define the identity of the outer tunnel.

Has anyone found an easy way to define the outer tunnel identity for the native Microsoft supplicant? (We haven't found one so far.)

If you plan to use "eduroam" in the near future, be aware that anonymous will work, but the realm will be important for eduroam-routing purposes (e.g. anonym...@yourdomain will have to appear on the outer tunnel).

Best 2010,
Philippe
Univ. of TN
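To make the point above concrete, here is an added example in Python (not code from this thread or from any of the institutions named in it). It builds the EAP-Response/Identity packet a supplicant sends before any TLS tunnel exists, shows what a passive observer recovers from it, checks an outer identity the way a practitioner would (username exposed, realm missing, realm wrong), and models the realm-based forwarding an eduroam-style RADIUS proxy performs on that outer identity. The realms (home.example, visited.example), the server names in ROUTES and the sample identities are all constructed for illustration.

```python
# Added example, not code from the thread: what the unencrypted outer EAP
# identity exposes, what a good outer identity looks like, and how an
# eduroam-style proxy routes on its realm. Realms, server names and sample
# identities are constructed for illustration.
import struct

EAP_CODE_RESPONSE = 2   # RFC 3748 section 4: Code 2 = Response
EAP_TYPE_IDENTITY = 1   # RFC 3748 section 5.1: Type 1 = Identity


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Build the EAP-Response/Identity packet a supplicant sends in answer to
    EAP-Request/Identity. No TLS tunnel exists yet, so the identity travels
    unencrypted over the air and appears in RADIUS User-Name at every proxy."""
    payload = identity.encode("utf-8")
    length = 4 + 1 + len(payload)          # header (4) + type (1) + identity
    header = struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, length)
    return header + bytes([EAP_TYPE_IDENTITY]) + payload


def parse_eap_identity_response(pkt: bytes) -> str:
    """Recover the identity exactly as a passive observer could."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_CODE_RESPONSE or pkt[4] != EAP_TYPE_IDENTITY or length != len(pkt):
        raise ValueError("not a well-formed EAP-Response/Identity")
    return pkt[5:].decode("utf-8")


def split_nai(nai: str):
    """Split a Network Access Identifier into (user, realm); realm is None
    when the identity carries no '@realm' part. The last '@' wins, since
    RFC 7542 allows '@' inside the username part."""
    if "@" not in nai:
        return nai, None
    user, _, realm = nai.rpartition("@")
    return user, realm.lower()


def check_outer_identity(outer: str, home_realm: str) -> list:
    """Return the problems to flag in a supplicant's outer identity: a real
    username is exposed, the realm is missing (nothing can route it), or the
    realm does not match the home institution."""
    user, realm = split_nai(outer)
    problems = []
    if user not in ("", "anonymous"):
        problems.append("username exposed in outer identity")
    if realm is None:
        problems.append("no realm in outer identity")
    elif realm != home_realm.lower():
        problems.append("outer realm %r is not the home realm %r" % (realm, home_realm))
    return problems


def route_by_realm(outer: str, local_realms, routes) -> str:
    """Decide where a RADIUS proxy forwards the request using only the outer
    identity. A realm-less identity can only be handled locally, which is why
    it fails at a visited eduroam site even though it works at home."""
    _user, realm = split_nai(outer)
    if realm is None or realm in local_realms:
        return "local"
    return routes.get(realm, "unroutable")


# Constructed routing table: which home server answers for which realm.
ROUTES = {"home.example": "radius.home.example",
          "other.example": "radius.other.example"}

if __name__ == "__main__":
    # Same user, three outer identities, seen from a visited site.
    for outer in ("jdoe@home.example", "anonymous", "anonymous@home.example"):
        pkt = build_eap_identity_response(1, outer)
        seen = parse_eap_identity_response(pkt)
        print(pkt.hex(), "->", repr(seen),
              check_outer_identity(seen, "home.example"),
              route_by_realm(seen, {"visited.example"}, ROUTES))
```

Run as a script it prints the three packets byte for byte; only the third one hides the username while still carrying the realm a visited site needs to forward the request home. The inner identity (the one actually authenticated inside the TLS tunnel) never appears in any of these bytes.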
On Dec 30, 2009, at 11:05 AM, Cortes, Diana wrote:

If I am not mistaken, the 802.11n standard requires CCMP/AES if encryption is to be used at all. Hence, users are being bumped off the 11n rates when they use TKIP.

We are also exploring our options for deploying 802.1X/EAP in our current wireless environment and we considered using EAP-PEAP so that Windows users could use the native supplicant. The problem with this is that the Windows supplicant sends the username in the clear in the outer tunnel during the first stages of authentication. Because of this we are now considering using EAP-TTLS with a third-party supplicant in order to provide that extra layer of security.

Diana Cortes, CISSP, CWNA
University of Miami
IT - Telecommunications
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Voll, Toivo
Sent: Wednesday, December 23, 2009 6:37 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Encryption and Authentication

Your choices may be limited if you plan to run 802.11n. At least Cisco reads the specs as mandating that you must do WPA2 / AES on 802.11n; other types (TKIP, WPA) will bump you off 802.11n rates.

Also consider what your user population is. XP may need a hotfix applied to do WPA2. A lot of older systems, WVoIP phones, barcode scanners, Crestron-type room controls etc. may be limited to WEP or WPA.

--
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of David Blahut
Sent: Wednesday, December 23, 2009 14:25
To: [email protected]
Subject: [WIRELESS-LAN] Encryption and Authentication

Greetings,

We are beginning to deploy encrypted wireless and I am looking for some words of wisdom. Mainly what method you used and what reasons as to why you chose said method, or any reason you wish you had not.

We have looked at many of the different flavors of EAP but are unsure of any clear advantage of one over the other.

We are a Cisco LWAPP shop with Cisco ACS playing the role of RADIUS with OpenLDAP in the back-end.

Any advice would be helpful; anything to look out for, any gotchas, any show stoppers, and any success stories.

Thanks,
David
**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.