We have done a complete TLS deployment using both onboard cloudpath CA (for 
guest access) and Microsoft CA (for standard access).  It takes some work, but 
it is well worth the effort.  Feel free to contact me.  We would be happy to 
help.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fleming, Tony
Sent: Wednesday, November 20, 2013 9:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

I can tell you we use dot1x here with AD credentials and it doesn't lend itself 
to a good end-user experience. Our security policy requires password expiration 
after 60 days. When a student's password expires we see an increase of wireless 
related complaints (typically blaming the performance/signal of the wireless 
network) not realizing their password has expired and new credentials need to 
be applied in their wireless profile.
The other AD credential issue we have is related to lock-out. If a student 
mistypes his/her password to lock out their account, all of their devices stop 
connecting to the wireless network.

Having said that, we are eyeing certificate based 802.1x. Not having a lot of 
experience with PKI we are trying to gauge the effort level of deployment.
Not trying to hijack the thread here - but I am curious if anyone has some 
real world experience spinning-up a PKI (from scratch) using CloudPath with 
certificates. What is the effort level?

Tony

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Wednesday, November 20, 2013 1:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

List seems to sum it up pretty well. 

I think user-wise dot1x is better ....... "once set up". So while it may be more 
of a pain to configure for some users, once configured the experience is much 
better as they walk on to campus and are connected. 

Having a captive portal is probably a good option for those that can't get 
dot1x working.

I'm interested in the 10% though, do you get them all connected in the end? 10% 
seems quite a high percentage.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005 Ph    : +61 8 8313 4800


-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Wednesday, 20 November 2013 9:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x vs web-portal

from the top of my head...

###What's bad for the user:

-Captive portal: no encryption over the air, pesky re-authentication and 
timeouts, no authentication of the infrastructure  (yes, when you accept that 
SSL Cert from RADIUS you actually authenticate the infrastructure)

-802.1X: finicky supplicants, and, without a good installer, long config 
instructions. Strongly authenticated (can't escape the system ;-)

###What's bad for the network engineer (and user stuff as well...):

-Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP 
addresses and air time even if not authenticated, authentication can be defeated

-802.1X: bugs from various vendors. A pain to troubleshoot when not working. 
Certificate Expiration and help desk calls resulting from it

add yours!

Philippe

Philippe Hanset
www.eduroam.us


On Nov 19, 2013, at 2:10 PM, Jeff Kell <jeff-k...@utc.edu> wrote:

> On 11/19/2013 4:05 PM, Peter P Morrissey wrote:
>> Can anyone name an application that does not have strong encryption?
>> 
>> I'm not arguing against 802.1x, because it works very well for us as users 
>> don't have to authenticate constantly on a portal, and we seem to do a very 
>> good job getting them on initially, but I am having a hard time 
>> understanding the encryption benefits lately.
> 
> Does FireSheep or Ettercap ring any bells?
> 
> Jeff
> 
> **********
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
> 
