Without a doubt, any 802.1X requirement, when done properly, requires 
additional user workload and additional support hours.  That is why picking the 
correct onboarding platform and onboarding architecture (exactly how those 
folks will make it to the onboarding platform in the first place) is critical.  
It took us a couple years to get it right.  This weekend we will onboard 
probably 50,000 devices for TLS, and for the most part, it is no longer a huge 
support issue.  The biggest issues are around Android.  Just about every other 
operating system works very easily (OSX can be a pain, but that revolves around 
entering a local admin account password multiple times).  So I would say how 
big of a problem you will have will be impacted, to some degree, by predominant 
client count.  Android is less than 10% of our wireless user base, but is over 
half the support calls.  When we switched to SecureW2, this got much better, 
however.

Our documents should be public access.  You can visit http://wifi.unc.edu and 
there are links to the large amount of onboarding material we have created.

This page contains screen shots of the process for every supported operating 
system:  https://help.unc.edu/help/connecting-to-the-unc-wireless-network/

To your point of 'someone high up will have a problem and complain'.  It does 
happen.  There is one individual, high up in the food chain within a TECHNICAL 
DEPARTMENT, that simply just doesn't understand how to get onboarded.  He will 
complain that it doesn't work, and every time I visit him, we breeze through it 
with no problems.  So it does happen.  But then thanks to the SecureW2 
onboarding statistics page, I can easily show others that thousands onboard 
without any issue.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

[email protected]
+1 919 445 0113 Office
+1 919 274 7926 Mobile



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Lee H Badman
Sent: Monday, August 14, 2017 1:29 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-TLS

One interesting trade-off: if I have good AD credentials and pop up a new Mac 
or Windows machine without any kind of onboarding in play, I will get on the 
network quickly one way or the other with PEAP/MS-CHAPv2. Maybe I'm prompted 
to accept the server, but I'll get on. This is good and bad. I got on, but not 
the way that the Security and Network folks might have wanted me to get on- 
because the cert stuff is optional with PEAP/MS-CHAPv2 on non-AD machines that 
you don't control. That's arguably bad.

But... I got on. And I got authentication and encryption, without IT 
intervention. From the user perspective, this is good. I didn't have to 
onboard, I didn't need IT help. I wasn't stranded if I didn't understand what 
the onboarding SSID is all about, etc.

With TLS- you get properly onboarded, or you're sucking wind until you do. But 
once you do, TLS' advantages kick in as described in this thread. But that 
"easy on" thing is gone... no matter how simple you make TLS onboarding, it 
still requires end users to comprehend it. So, to me, part of going to TLS is 
with the understanding that occasionally someone will be stranded by their own 
lack of understanding the process, that somebody may be someone important 
and/or vocal, the stranding will occur at the worst time of day and in the 
worst circumstance in accordance with Murphy's Law, and there will be some 
increase in related trouble calls. 

None of this negates TLS' value, but at the same time you have to go into it 
with your eyes open to the perspective of the BYOD crowd on campus versus what 
they are currently accustomed to.

One man's opinion.

-Lee

Lee Badman | Network Architect 
Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e [email protected]   w its.syr.edu
SYRACUSE UNIVERSITY syr.edu


-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Curtis K. Larsen
Sent: Monday, August 14, 2017 1:11 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-TLS

Excellent Point.  We did some testing with LDAP group lookups, etc. vs. 
checking for an attribute in a user certificate for authorization and found the 
performance to be significantly better for the same number of authentications 
when *not* having to wait for LDAP.  Another benefit is not having to worry 
about users that have trouble typing passwords/getting their account locked out 
for failed attempts. 


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]> on behalf of Curtis, Bruce 
<[email protected]>
Sent: Monday, August 14, 2017 10:56 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-TLS

> On Aug 11, 2017, at 7:45 AM, Bucklaew, Jerry <[email protected]> wrote:
>
> To ALL:
>
>    I am going to amend my initial request to "does anyone have any other 
> reasons to switch to eap-tls besides the ones I list below"? I am trying to 
> build a case for switching and want to gather all the benefits.

  One other benefit that I haven't seen mentioned in the thread yet is that 
EAP-TLS removes dependency on Active Directory or other identity box.
  So an outage or slowdown of Active Directory (or other external box) does not 
affect RADIUS and wireless logins.


> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:[email protected]] On Behalf Of Bucklaew, 
> Jerry
> Sent: Thursday, August 10, 2017 3:36 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> Lee,
>
>    I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
>
> We have been an eap-peap shop for years and I have always been told that 
> eap-tls (cert based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 
> with it.  We are an Aruba shop and the clearpass Onboard system seems pretty 
> simple to implement and get EAP-TLS working.
>
> Now to the why.   It seems that the ability to separate username/password 
> from network authentication has some benefits.   If a user changes his 
> username/password it no longer affects his network connectivity.  If we want 
> to blacklist a device it will be easy as each device will have its own cert. 
> So we can blacklist one device and let the rest still on.  We could do those 
> things today but it is just a little harder to do with eap-peap.   We can 
> also get users out of storing their usernames and passwords, because everyone 
> does it with eap-peap. The thought process went, if you are going to run an 
> on-board process anyway, why not onboard with eap-tls.  On the wireless side 
> that is really all I have.  I have always been told it is more secure so have 
> always thought I should try and get there.
>
> Now, we are also moving to wired authentication on every port.   We are 
> supporting both mac auth and 802.1x (eap-peap).  We did this to get the 
> project moving and get all ports to some type of authentication.  Now 802.1x 
> on the wired side is just plain difficult.  Nothing except macs are setup for 
> it out of the box.   You need admin rights on the machine to set it up (which 
> many people on the wired side don't have) and you almost have to run through 
> some type of onboard process to do it en masse.   You have to deal with stuff 
> like network logons and mounting drives before authentication. We also don't 
> want the users storing usernames and password and everyone will because no 
> one wants to type it in every time.   I am back to the if you are going to 
> run through an onboard process anyway, will certs make it a little easier.   
> It gives you the username/password separation.   The ability to revoke per 
> device, and once onboarded, never have to be bothered again (until the cert 
> expires).
>
> I am not really concerned about peap being deprecated, it will be around 
> forever.   I am not really concerned about usernames and passwords being 
> stolen because of eap-peap, there are so many easier ways to do that.  I 
> guess it is really the username/password separation and the "thought" that it 
> is the most secure method.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:[email protected]] On Behalf Of Lee H Badman
> Sent: Thursday, August 10, 2017 3:00 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> Jerry,
>
> Am curious your reasons for TLS, like if anything beyond "it's better". 
> Concern for PEAP being deprecated, etc?
>
> Lee
>
> -----Original Message-----
> From: Bucklaew, Jerry [[email protected]]
> Received: Thursday, 10 Aug 2017, 14:42
> To: [email protected] 
> [[email protected]]
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> To ALL:
>
>   We currently do mac auth and EAP-PEAP authentication on our wireless 
> network.  I am trying to put together a proposal to move to cert based 
> authentication and I was wondering if anyone has a proposal or justification 
> already written as to why you should move to cert based auth?  Just trying to 
> save myself some typing.
>
> ********** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
>

---
Bruce Curtis                         [email protected]
Certified NetAnalyst II                701-231-8527
North Dakota State University
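
The per-device revocation Jerry describes above and the authorization-from-certificate-attributes point Curtis raises, as an added example that is not code from anyone in this thread or from any RADIUS product: a Go sketch of the RADIUS-side decision for an EAP-TLS client certificate. It assumes a campus CA issuing one cert per device with the user in the CN and a device id in the OU (an assumed layout, not a standard) and a revocation set keyed by certificate serial; all names and serials are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a cert for cn/ou signed by parent (nil parent: self-signed CA) and its key.
// Carrying the device id in the OU is an assumed layout for this example, not a standard.
func issue(cn, ou string, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), BasicConstraintsValid: true, IsCA: parent == nil,
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, pkey = tmpl, key } // no parent: self-sign, this is the CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// authorize is the thread's point in code: chain validity, attributes carried in the cert and a
// local revocation set decide access; no LDAP/AD lookup sits in the path. reason "ok" means allowed.
func authorize(cert, ca *x509.Certificate, revoked map[string]bool) (identity, reason string) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", "untrusted: " + err.Error()
	}
	identity = cert.Subject.CommonName + "/" + cert.Subject.OrganizationalUnit[0]
	if revoked[cert.SerialNumber.String()] { return identity, "revoked" } // one device out, the user's others stay on
	return identity, "ok"
}
// Constructed data: one user with two devices; only the lost phone is revoked, by serial.
func main() {
	ca, caKey := issue("Campus Device CA", "ca", 1, nil, nil)
	laptop, _ := issue("jsmith", "laptop-001", 1001, ca, caKey)
	phone, _ := issue("jsmith", "phone-002", 1002, ca, caKey)
	revoked := map[string]bool{phone.SerialNumber.String(): true}
	fmt.Println(authorize(laptop, ca, revoked))
	fmt.Println(authorize(phone, ca, revoked))
}
```

A real deployment would consult a CRL or OCSP rather than an in-memory set, but the decision path stays the same: nothing about the user's password or directory account is touched.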


**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
