Educause Security Discussion mailing list archives
Re: WPA2/Enterprise startup/rollout headaches...
From: Josh Richard <jrichar4 () D UMN EDU>
Date: Wed, 13 Jul 2011 10:59:12 -0500
Hi Jeff,

WPA2 Enterprise is flexible and you have a number of options. I am sure most would agree that living with it from a desktop support perspective is much harder than getting it working (which is hard).

Are you supporting TTLS and PEAP at the same time? If you use TTLS, you need a certificate in the RADIUS server. My questions implicate your RADIUS server as it may not be looking into the inner or outer (PEAP or EAP) tunnels at the correct time during the process. I ran into this with FreeRADIUS. Also check the Windows login settings. Our first working test client was an Android phone... :) You may want to initially test with Mac or Linux if you have any around.

We just set this up last spring and are hoping things continue to go well this fall. Using WPA2 Enterprise EAP-TTLS with PAP inside the tunnel in our experience worked the most reliably. Since PAP is involved, we can have the RADIUS server make decisions along the authentication process (post-auth) to determine which VLAN to drop the clients into in the event of a sanction or other operational need. I ended up writing a small amount of Perl. We use FreeRADIUS, but Radiator can do all this as well.

Saying that, MS clients do not have native support for TTLS (tunneled TLS). To address that, we decided to engage Cloudpath's XpressConnect utility (http://www.cloudpath.net/products/products.php) to automate the client-side configuration of the 802.1X supplicant, installation of an MS Windows TTLS supplicant (SecureW2) and the demotion of the non-crypto SSIDs so the users stay on the secure SSID. This way the same TTLS client is on every Windows machine. We have coverage for Windows, Mac, Ubuntu, iPhone/iPad. If your institutional policies dictate AD, you can likely get most of this working through policy, but we have a lot of walk-ins and students around...

Regards,
Josh Richard
University of Minnesota Duluth

On Wed, Jul 13, 2011 at 8:50 AM, Jeff Kell <jeff-kell () utc edu> wrote:
One of our summer projects is to bring WPA2/Enterprise to our wireless network, which is currently either plaintext or using pre-shared keys, simply terminating on the controller.

We have assembled the pieces of the puzzle we know about: Aruba controllers configured for AAA via RADIUS, Bradford Campus Manager is proxying the RADIUS requests (was doing MAC authentication before), Radiator has been set up for "AuthBy NTLM" against our Active Directory domain controllers.

With these bits done, we can successfully authenticate at the Radiator command line (ntlm_auth works). We can successfully authenticate from the Bradford RADIUS test page. We can successfully authenticate from the Aruba AAA test page.

However, we cannot seem to get any clients to successfully authenticate to wireless. Win7 seems to get the farthest (out-of-the-box, no supplicants or certificates), prompting once for credentials when it tries PEAP, and failing that (perhaps due to the unknown certificate?), it prompts again in a pop-up window for "EAP-TTLS credentials" asking for domain\userID and password. We then see Radiator trying the request/challenge several times before eventually rejecting, and there is no connection.

Is there another whole piece of the puzzle we are missing to carry over to the clients? I know at times in the past that various supplicants, shims, or some "connectivity add-ons" (e.g., XpressConnect) were required to complete the picture, but I thought most of this could be done "out of the box" by now? It seems that we are so close but missing this final leap out to the client. I had expected issues with bizarre devices (iThings, game consoles, etc.), but not a wholesale failure of everything...

Any suggestions, pointers, recipes, how-tos, "WPA2 for Dummies", magical incantations, war stories, drinking games, wishes, holy grails, etc., would be most welcome :)

Thanks in advance,
Jeff
-- Josh Richard Information Technology Systems & Services University of Minnesota Duluth
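Josh describes letting FreeRADIUS decide, at post-auth time, which VLAN a client lands in, because with PAP inside the TTLS tunnel the server actually sees the inner username. The following is an added illustration of that idea written for the editor's notes; it is not Josh's Perl and not part of the original thread. It assumes FreeRADIUS's rlm_perl module (which exposes the %RAD_REQUEST and %RAD_REPLY hashes and the RLM_MODULE_* return codes used below), a flat file of sanctioned usernames at an assumed path, and two constructed VLAN IDs (100 for normal clients, 999 for a quarantine VLAN).

```perl
#!/usr/bin/perl
# Added example of a FreeRADIUS rlm_perl post-auth hook (not the poster's code).
# Assumptions: EAP-TTLS with PAP inside the tunnel, so the inner request carries
# a plain User-Name; /etc/freeradius/sanctioned_users (assumed path) lists one
# username per line; VLAN 100 = normal, VLAN 999 = quarantine (constructed values).
use strict;
use warnings;

# rlm_perl populates these hashes before each call and reads %RAD_REPLY afterwards.
our ( %RAD_REQUEST, %RAD_REPLY, %RAD_CHECK );

# Return codes as defined in FreeRADIUS's example.pl for rlm_perl.
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_UPDATED => 8,
};

my $SANCTION_FILE   = '/etc/freeradius/sanctioned_users';    # assumed path
my $NORMAL_VLAN     = '100';                                  # constructed
my $QUARANTINE_VLAN = '999';                                  # constructed

# Read the sanction list on every call so an operator can edit it live
# without restarting radiusd. A missing file means nobody is sanctioned.
sub load_sanctions {
    my ($path) = @_;
    my %sanctioned;
    open my $fh, '<', $path or return \%sanctioned;
    while ( my $line = <$fh> ) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;    # skip comments and blank lines
        $sanctioned{ lc $line } = 1;
    }
    close $fh;
    return \%sanctioned;
}

# Pure decision function: normalise the username and pick a VLAN.
sub vlan_for_user {
    my ( $user, $sanctioned ) = @_;
    $user =~ s/^.*\\//;    # drop a DOMAIN\ prefix if the supplicant sent one
    $user =~ s/\@.*$//;    # drop an @realm suffix
    return $sanctioned->{ lc $user } ? $QUARANTINE_VLAN : $NORMAL_VLAN;
}

# Invoked when "perl" is listed in the post-auth section of the site config.
sub post_auth {
    my $user = $RAD_REQUEST{'User-Name'} // '';
    my $vlan = vlan_for_user( $user, load_sanctions($SANCTION_FILE) );

    # RFC 3580 dynamic VLAN assignment attributes the controller acts on.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;

    return RLM_MODULE_UPDATED;
}

1;
```

Two caveats worth checking in your own deployment: the hook has to run in the inner-tunnel virtual server (that is where the PAP username is visible), and in FreeRADIUS 2.x/3.x the reply attributes it sets only reach the wireless controller if the ttls section of the EAP configuration has use_tunneled_reply enabled; otherwise the outer Access-Accept goes out without the VLAN attributes and every client lands on the default VLAN regardless of sanction status.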