We currently use the Cloudpath enrollment service. We switched from EAP-TTLS to 
EAP-TLS, and given the complexity of certificate generation and installation 
of CA certs to support those personal certificates, I don't expect we will be 
moving away from Cloudpath anytime soon. It was too easy a turnkey process. It 
does track and keep records of every user and associated OS that connects. The 
granularity of the logging is really good. We have coupled the enrollment 
server with our Microsoft CA, even though the enrollment server comes with its 
own CA. 

Ryan Turner
UNC Chapel Hill
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Peter P Morrissey
Sent: Thursday, August 1, 2013 10:50 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] XpressConnect...

To answer your second question, we do re-evaluate this ourselves periodically. 
Just about every OS can automatically get 802.1X working nowadays, but not 
securely. We use XpressConnect to limit the certificates that can be accepted 
to the valid certificates by name. This enforces the certificate security that 
we go through all the trouble and expense to create. 

There are many who just don't even go to our portal to run XpressConnect. 
Unfortunately with XpressConnect, you have no way of knowing how many people 
actually run it, or even download it. Seems like it would be easy enough to 
track that by OS, but it doesn't. (Maybe they don't want us to know. :) ) We 
have actually seriously considered not using it, and for that matter, not even 
using certs at all, as it seems like most just blindly click on any prompt that 
comes up anyway. 

In the end though we have come to the conclusion that we have the 
responsibility to make available the best level of security possible for those 
who want to operate in a secure wireless environment.

Having said that, MacOS and most mobile apps do not have the ability to lock 
down the certs that can be accepted. The benefit XpressConnect provides for 
those devices is that it can re-order the SSIDs that they automatically prefer 
to connect to (something Windows seems to be able to accomplish on its own much 
more intuitively). What we find is that Mac laptops and mobile devices connect 
to other SSIDs on our network based upon a past connection or perhaps where 
the name is alphabetically. So we get calls that people can't connect to our 
network, and the problem turns out to be that the device keeps insisting that 
they connect to another network. The tool fixes this when they first configure, 
and it also can fix it after the fact rather than talk them through the manual 
steps. 

We also use it to attempt to turn on firewalls and do some other minimal 
changes to the security posture of the device. In addition, we have it set to 
turn off IPv6 as well, as this option often causes performance issues.

Pete Morrissey
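
The name lock-down Pete describes (accept a RADIUS server certificate only if
it chains to the campus CA and carries the expected server name) is what an
OS default supplicant does not do on its own. The following is an added
example written for this page, not XpressConnect, Cloudpath or any OS
supplicant code. It reproduces the suffix-match rule of wpa_supplicant's
domain_suffix_match option (whole labels compared from the TLD down, every
configured label required, extra sub-labels in the certificate allowed) and
contrasts "accept any chain the OS trust store verifies" with "accept only our
CA and our server name". The CA name, the host names and the certificates are
constructed stand-ins; nothing here parses real X.509.

```python
"""Server-certificate lock-down for an 802.1X supplicant (EAP-TLS/TTLS/PEAP).

Added example, not XpressConnect/Cloudpath code. Implements the
domain_suffix_match rule from wpa_supplicant and compares a weak policy
with a hardened one over constructed certificate data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ServerCert:
    """Constructed stand-in for the AAA server's certificate (not real X.509)."""
    issuer: str                                        # CA that signed it
    subject_cn: str                                    # Subject CN
    san_dns: List[str] = field(default_factory=list)   # SubjectAltName dNSName entries
    chain_valid: bool = True                           # chains to *some* root the OS trusts


def suffix_match(fqdn: str, suffix: str) -> bool:
    """domain_suffix_match semantics: compare whole labels from the right.

    'eu.radius.campus.edu' matches suffix 'radius.campus.edu';
    'fakeradius.campus.edu' and 'radius.campus.edu.evil.example' do not,
    because labels are compared whole, never as substrings.
    """
    want = suffix.lower().rstrip(".").split(".")
    have = fqdn.lower().rstrip(".").split(".")
    return len(have) >= len(want) and have[-len(want):] == want


def name_constraint_met(cert: ServerCert, suffix: str) -> bool:
    """Check dNSName SANs; fall back to the CN only when no dNSName is present."""
    names = cert.san_dns or [cert.subject_cn]
    return any(suffix_match(n, suffix) for n in names)


def accept_os_default(cert: ServerCert) -> bool:
    """What 'click OK on whatever prompt appears' amounts to: any certificate
    that chains to any root in the device's trust store is accepted."""
    return cert.chain_valid


def accept_locked_down(cert: ServerCert, our_cas: Set[str], suffix: str) -> bool:
    """Hardened policy: valid chain AND our CA AND our server name."""
    return (cert.chain_valid
            and cert.issuer in our_cas
            and name_constraint_met(cert, suffix))


# Assumed (constructed) deployment values.
OUR_CAS = {"Campus Root CA"}
OUR_SUFFIX = "radius.campus.edu"

# Constructed certificates an evil twin or a misconfiguration could present.
CASES: Dict[str, ServerCert] = {
    "real_radius": ServerCert("Campus Root CA", "radius.campus.edu",
                              ["radius.campus.edu", "eu.radius.campus.edu"]),
    "evil_twin_public_ca": ServerCert("Public Web CA", "radius.evil.example",
                                      ["radius.evil.example"]),
    "evil_twin_lookalike": ServerCert("Public Web CA", "radius.campus.edu.evil.example",
                                      ["radius.campus.edu.evil.example"]),
    "other_campus_host": ServerCert("Campus Root CA", "printer42.campus.edu",
                                    ["printer42.campus.edu"]),
    "cn_only_legacy": ServerCert("Campus Root CA", "radius.campus.edu"),
    "untrusted_chain": ServerCert("Self-Signed", "radius.campus.edu",
                                  ["radius.campus.edu"], chain_valid=False),
}


def evaluate(cases: Dict[str, ServerCert] = CASES) -> Dict[str, Tuple[bool, bool]]:
    """Return {case: (os_default_accepts, locked_down_accepts)}."""
    return {name: (accept_os_default(c), accept_locked_down(c, OUR_CAS, OUR_SUFFIX))
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:22s} os-default={str(weak):5s} locked-down={hard}")
```

The four attacker-style cases (public-CA cert, look-alike name, a legitimate
certificate from the campus CA for some other host, and a self-signed cert) are
all accepted by the default policy except the self-signed one; only the real
RADIUS server and the CN-only legacy cert pass the locked-down policy, which is
the property an enrollment tool is buying when it pins the CA and server name.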

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Hector J Rios
Sent: Wednesday, July 31, 2013 4:43 PM
To: [email protected]
Subject: [WIRELESS-LAN] XpressConnect...

Has anyone been contacted by malware scanning services about the 
XpressConnect.cab being potentially identified as a virus? It was reported to 
us by support.clean-mx.de and after looking into it (the signature of 
/installs/XpressConnect.cab is valid and the md5 sum is also valid) we think it 
might just be a false positive. 

After scanning the file with virustotal.com, 4 out of 47 malware engines 
reported it as a generic trojan:

Commtouch              W32/VB.FJ.gen!Eldorado
F-Prot                 W32/VB.FJ.gen!Eldorado
K7AntiVirus            Riskware
TrendMicro-HouseCall   TROJ_GEN.F47V1221

While we are on the subject, if you still use XpressConnect, how much longer 
are you planning to support it? We have seen its usage go down year after year, 
and at the same time, operating systems are getting better at auto-configuring 
802.1X settings.

Thanks, 

Hector Rios, CCNA, CCA
Assistant Director, Network Engineering
Dept. of Networking and Infrastructure
Information Technology Services
Louisiana State University
Phone: (225) 578-1333
Email: [email protected]


