Hi Bruce,

I am curious about your statement "We have been a CloudPath Wizard customer for 
years. Since this product has been deprecated, we are evaluating onboarding 
vendors." 
Is Ruckus not going to support it anymore? 

Best,

Sapna Misra | Senior Network Engineer | Information Technology | Vanderbilt 
University Medical Center
sapna.tripa...@vanderbilt.edu | Phone 615-875-8876 



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce
Sent: Monday, August 14, 2017 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS


> On Aug 11, 2017, at 6:45 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> Jerry,
> 
>  
> 
> I find some of your comments interesting. We have many things in common. We 
> are also an Aruba wireless / ClearPass customer using PEAP-MSCHAPv2 & MAC 
> Auth. Although we initially designed for full Cisco wired 802.1X we have been 
> running a strange Cisco config that uses it somewhat but does not restrict 
> unauthenticated devices.
> 
>  
> 
> We have been a CloudPath Wizard customer for years. Since this product has 
> been deprecated, we are evaluating onboarding vendors. We have an engineer 
> from a former government contractor who wants us to move to EAP-TLS. So far, 
> we have found ClearPass Onboard licensing costs to be much higher than the 
> other vendors.
> 
>  
> 
> I have been having a big challenge on how to configure 802.1x (likely 
> PEAP-MSCHAPv2 or EAP-TLS) for Computer Lab computers that can have many new 
> users. We are currently doing User auth for MacOS but that requires an 
> initial logon on wired to get the user profile stored locally. I have tried 
> using MacOS Logon profile but I find if a user typos their password that 
> although they are prompted for a new password, the system still tries to use 
> the old one during that time and locks the user account ☹
> 
>  
> 
> What are people here doing for 802.1X and MacOS Labs? We are seeing a trend 
> for wireless Labs with dedicated APs & SSID for the machines because the cost 
> is much less than having a network drop per machine. Our current wireless 
> MacOS Lab was implemented last summer with a PSK as a temporary workaround. 
> We definitely need to move away from that. Windows handles 802.1X much 
> better, IMHO.

  We have had MacOS Labs use EAP-TLS in the past.  I haven’t checked with our 
cluster folks to see if we have an instance of that right now with current 
MacOS X versions.

  With the config we used the Macs were connected to the wireless network 
whenever they were powered on.  


  These links seem similar to what I remember we did.

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108

https://discussions.apple.com/thread/6763950?start=0



This link is about a different problem but one of the posts mentions

"No issues here. We have profile-based Wifi logon to accomplish a machine-auth 
type deal on our Macs, so nothing with certs (we're an AD shop).

Upgraded from 10.12.4 to 10.12.5 on test machine”

So it sounds like it is still doable although the quote above doesn’t use 
EAP-TLS.



This info might be helpful

https://kevinbecker.org/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

http://help.apple.com/profilemanager/mac/2.1/#apd073333AA-30C6-4FD2-B2E0-E0C95658A2C4




> Bruce Osborne
> 
> Senior Network Engineer
> 
> Network Operations - Wireless
> 
>  (434) 592-4229
> 
> LIBERTY UNIVERSITY
> 
> Training Champions for Christ since 1971
> 
>  
> 
> From: Bucklaew, Jerry [mailto:j...@buffalo.edu] 
> Sent: Thursday, August 10, 2017 3:36 PM
> Subject: Re: EAP-TLS
> 
>  
> 
> Lee,
> 
>  
> 
>    I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
> 
>  
> 
> We have been an eap-peap shop for years and I have always been told that 
> eap-tls (cert based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 
> with it.  We are an Aruba shop and the clearpass Onboard system seems pretty 
> simple to implement and get EAP-TLS working.
> 
>  
> 
> Now to the why.   It seems that the ability to separate username/password 
> from network authentication has some benefits.   If a user changes his 
> username/password it no longer affects his network connectivity.  If we want 
> to blacklist a device it will be easy as each device will have its own cert. 
> So we can blacklist one device and let the rest still on.  We could do those 
> things today but it is just a little harder to do with eap-peap.   We can 
> also get users out of storing their usernames and passwords, because everyone 
> does it with eap-peap. The thought process went, if you are going to run an 
> on-board process anyway, why not onboard with eap-tls.  On the wireless side 
> that is really all I have.  I have always been told it is more secure so have 
> always thought I should try and get there.
> 
>  
> 
> Now, we are also moving to wired authentication on every port.   We are 
> supporting both mac auth and 802.1x (eap-peap).  We did this to get the 
> project moving and get all ports to some type of authentication.  Now 802.1x 
> on the wired side is just plain difficult.  Nothing except macs are setup for 
> it out of the box.   You need admin rights on the machine to set it up (which 
> many people on the wired side don’t have) and you almost have to run through 
> some type of onboard process to do it en masse.   You have to deal with stuff 
> like network logons and mounting drives before authentication. We also don’t 
> want the users storing usernames and password and everyone will because no 
> one wants to type it in every time.   I am back to the if you are going to 
> run through an onboard process anyway, will certs make it a little easier.   
> It gives you the username/password separation.   The ability to revoke per 
> device, and once onboarded, never have to be bothered again (until the cert 
> expires).
> 
>  
> 
> I am not really concerned about peap being deprecated, it will be around 
> forever.   I am not really concerned about usernames and passwords being 
> stolen because of eap-peap, there are so many easier ways to do that.  I 
> guess it is really the username/password separation and the “thought” that it 
> is the most secure method.
> 
>  
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Thursday, August 10, 2017 3:00 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EAP-TLS
> 
>  
> 
> Jerry,
> 
> Am curious your reasons for TLS, like if anything beyond "it's better". 
> Concern for PEAP being deprecated, etc?
> 
> Lee
> 
> -----Original Message----- 
> From: Bucklaew, Jerry [j...@buffalo.edu]
> Received: Thursday, 10 Aug 2017, 14:42
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
> Subject: Re: [WIRELESS-LAN] EAP-TLS
> 
> To ALL:
> 
>  
> 
>  
> 
>   We currently do mac auth and EAP-PEAP authentication on our wireless 
> network.  I am trying to put together a proposal to move to cert based 
> authentication and I was wondering if anyone has a proposal or justification 
> already written as to why you should move to cert based auth?  Just trying to 
> save myself some typing.
> 
> ********** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.

---
Bruce Curtis                         bruce.cur...@ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        

