Educause Security Discussion mailing list archives
Re: WPA2/Enterprise startup/rollout headaches...
From: "Maloney, Michael" <mmaloney () MIDDLESEXCC EDU>
Date: Wed, 13 Jul 2011 11:49:15 -0400
We run into similar problems all the time. The big one is unless the laptops are connected to your AD, you'll need to uncheck the box when configuring the MS wireless client that says "AUTOMATICALLY USE MY WINDOWS LOGON NAME AND PASSWORD (and domain if any)". Some XP supplicants can detect this and automatically connect, but the base MS configurations cannot.

Another thing to check is whether the wireless client is set to authenticate as a computer first. I've seen that a couple times when someone has had trouble connecting.

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: mmaloney () middlesexcc edu
********************************************

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Wednesday, July 13, 2011 9:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] WPA2/Enterprise startup/rollout headaches...

One of our summer projects is to bring WPA2/Enterprise to our wireless network, which is currently either plaintext or using pre-shared keys, simply terminating on the controller.

We have assembled the pieces of the puzzle we know about:

* Aruba controllers configured for AAA via Radius,
* Bradford Campus Manager is proxying the Radius requests (was doing mac-authentication before),
* Radiator has been set up for "AuthBy NTLM" against our Active Directory domain controllers.

With these bits done, we can successfully authenticate at the Radiator command line (ntlm_auth works). We can successfully authenticate from the Bradford Radius test page. We can successfully authenticate from the Aruba AAA test page.

However, we cannot seem to get any clients to successfully authenticate to wireless.
Win7 seems to get the farthest (out-of-the-box, no supplicants or certificates), prompting once for credentials when it tries PEAP, and failing that (perhaps due to the unknown certificate?), it prompts again in a pop-up window for "EAP-TTLS credentials" asking for domain\userID and password. We then see Radiator trying the request/challenge several times before eventually rejecting, and there is no connection.

Is there another whole piece of the puzzle we are missing to carry over to the clients? I know at times in the past that various supplicants, shims, or some "connectivity add-ons" (e.g., XpressConnect) were required to complete the picture, but I thought most of this could be done "out of the box" by now?

It seems that we are so close but missing this final leap out to the client. I had expected issues with bizarre devices (iThings, game consoles, etc.), but not a wholesale failure of everything...

Any suggestions, pointers, recipes, how-tos, "WPA2 for Dummies", magical incantations, war stories, drinking games, wishes, holy grails, etc., would be most welcome :)

Thanks in advance,
Jeff
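
The two client settings named in the reply above can be checked in an exported Windows WLAN profile (the XML written by `netsh wlan export profile`). This is an added example, not part of the original thread: the sample profile is constructed, `check_profile` and its `domain_joined` flag are hypothetical names, and an absent `authMode` is assumed to behave as `machineOrUser`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed 802.1X section of a Windows WLAN profile.
# It is not taken from the thread.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>campus-wpa2</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
          <UseWinLogonCredentials>true</UseWinLogonCredentials>
        </EapType>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root, name):
    """Text of the first element with this local name, or None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def check_profile(xml_text, domain_joined=False):
    """Return findings for the two settings named in the reply above."""
    root = ET.fromstring(xml_text)
    findings = []
    winlogon = _first_text(root, "UseWinLogonCredentials")
    if winlogon is not None and winlogon.lower() == "true" and not domain_joined:
        findings.append("UseWinLogonCredentials=true on a machine outside AD: "
                        "the Windows logon is offered instead of prompting")
    auth_mode = _first_text(root, "authMode")
    # Assumption: a profile without authMode behaves as machineOrUser.
    if (auth_mode or "machineOrUser") in ("machine", "machineOrUser"):
        findings.append(f"authMode={auth_mode or 'unset'}: the client may "
                        "authenticate as the computer before the user")
    return findings
```

Run it over each exported profile on a machine that fails to connect; an empty list means neither setting is the cause.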