Educause Security Discussion mailing list archives

Re: WPA2/Enterprise startup/rollout headaches...


From: "Lang, Matthew" <mlang8 () UNCC EDU>
Date: Fri, 15 Jul 2011 11:40:14 +0000

Jeff,

Thanks for the lessons-learned write-up.  We will be expanding our wireless on campus here, so I will forward your headache on to my counterparts.

Sincerely,

Matthew

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Thursday, July 14, 2011 10:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] WPA2/Enterprise startup/rollout headaches...

Many thanks for all of the responses, and a little follow-up is in order after finally getting this to work :)

We were making our attempt using CentOS 5.6 / samba3x package (3.5.4) / latest Radiator package / Active Directory 
(Win2K8).

Everything worked up to EAPOL, then things fell apart.  Googling suggested a Samba issue on CentOS.  So we tried 
Ubuntu, with no success.  Downloaded source for 3.5.9 from samba.org, but it was shared-library dependent, and we had 
difficulties getting it linked properly and/or launched/invoked from Radiator.  Many other annoyances.

Yanked out CentOS 5.6 samba3x packages, and reinstalled older "samba" packages (3.0.33) instead.  kinit works, 
ntlm_auth works, winbindd happy, net ads join works, Radiator works, laptop associates and pulls an IP via WPA2, 
success!

Initial testing let us do WPA2/Enterprise with Win7, MacOS, and an iPhone without any special troubles.  Which makes me 
wonder now, is there enough fuss left over to look at some "setup" tool like XpressConnect?  I haven't tried an XP or 
Vista wireless yet, but it appears the "current" majority of devices connect just fine.

Jeff

On 7/13/2011 9:50 AM, Jeff Kell wrote:
One of our summer projects is to bring WPA2/Enterprise to our wireless network, which is currently either plaintext or 
using pre-shared keys, simply terminating on the controller.

We have assembled the pieces of the puzzle we know about:

  *   Aruba controllers configured for AAA via Radius,
  *   Bradford Campus Manager is proxying the Radius requests (was doing mac-authentication before),
  *   Radiator has been set up for "AuthBy NTLM" against our Active Directory domain controllers.
With these bits done, we can successfully authenticate at the Radiator command line (ntlm_auth works).
We can successfully authenticate from the Bradford Radius test page.
We can successfully authenticate from the Aruba AAA test page.

However, we cannot seem to get any clients to successfully authenticate to wireless.  Win7 seems to get the farthest 
(out-of-the-box, no supplicants or certificates), prompting once for credentials when it tries PEAP, and failing that 
(perhaps due to the unknown certificate?), it prompts again in a pop-up window for "EAP-TTLS credentials" asking for 
domain\userID and password.  We then see Radiator trying the request/challenge several times before eventually 
rejecting, and there is no connection.

Is there another whole piece of the puzzle we are missing to carry over to the clients?  I know at times in the past 
that various supplicants, shims, or some "connectivity add-ons" (e.g., XpressConnect) were required to complete the 
picture, but I thought most of this could be done "out of the box" by now?

It seems that we are so close but missing this final leap out to the client.  I had expected issues with bizarre 
devices (iThings, game consoles, etc.), but not a wholesale failure of everything...

Any suggestions, pointers, recipes, how-tos, "WPA2 for Dummies", magical incantations, war stories, drinking games, 
wishes, holy grails, etc., would be most welcome :)

Thanks in advance,

Jeff
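The thread's eventual fix came down to verifying the Samba/winbind chain underneath Radiator one link at a time ("kinit works, ntlm_auth works, winbindd happy, net ads join works") before looking at the clients. The script below is an added example, not from the list thread or from the Radiator project: a pre-flight check that runs those same verifications with standard Samba CLI tools (`wbinfo`, `net`, `ntlm_auth`) and reports PASS/FAIL/SKIP per link. The environment variable names `DOMAIN`, `TESTUSER` and `TESTPASS`, the script name, and the mapping of `NT_STATUS_ACCESS_DENIED` to the privileged-pipe permission problem are assumptions for the example.

```shell
#!/bin/sh
# Constructed example (not from the original thread): pre-flight checks for the
# Samba/winbind chain that a Radiator "AuthBy NTLM" configuration depends on.
# Run the live checks with:  DOMAIN=EXAMPLE TESTUSER=svc-test TESTPASS='...' sh radius-ad-preflight.sh run
# Assumptions (labelled): standard Samba CLI tools and flags; the three env vars above.

# Pure helper: decide from ntlm_auth's output whether the check passed.
# ntlm_auth prints "NT_STATUS_OK: Success (0x0)" on success and an NT_STATUS_*
# error code otherwise. Returns 0 on success, 1 otherwise.
ntlm_auth_ok() {
    case "$1" in
        *NT_STATUS_OK*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pure helper: map an ntlm_auth status line to a short reason for the operator.
# The ACCESS_DENIED mapping is an assumption: it is the usual symptom when the
# RADIUS daemon's user cannot read the winbindd_privileged pipe directory.
classify_ntlm_status() {
    case "$1" in
        *NT_STATUS_OK*)            echo "ok" ;;
        *NT_STATUS_LOGON_FAILURE*) echo "bad-credentials" ;;
        *NT_STATUS_NO_SUCH_USER*)  echo "no-such-user" ;;
        *NT_STATUS_ACCESS_DENIED*) echo "winbind-privileged-pipe-denied" ;;
        *)                         echo "unknown" ;;
    esac
}

have() { command -v "$1" >/dev/null 2>&1; }

run_checks() {
    rc=0
    : "${DOMAIN:?set DOMAIN}" "${TESTUSER:?set TESTUSER}" "${TESTPASS:?set TESTPASS}"

    # 1. Is winbindd alive, and is the machine-account trust with the domain intact?
    if have wbinfo; then
        wbinfo -p >/dev/null 2>&1 && echo "PASS winbindd responds" || { echo "FAIL winbindd not responding"; rc=1; }
        wbinfo -t >/dev/null 2>&1 && echo "PASS domain trust secret" || { echo "FAIL trust secret (re-run net ads join?)"; rc=1; }
    else
        echo "SKIP wbinfo not installed"
    fi

    # 2. Is the domain join still valid from the DC's point of view?
    if have net; then
        net ads testjoin >/dev/null 2>&1 && echo "PASS net ads testjoin" || { echo "FAIL net ads testjoin"; rc=1; }
    else
        echo "SKIP net not installed"
    fi

    if have ntlm_auth; then
        # 3. Plain NTLM check: what "ntlm_auth works" at the Radiator command line means.
        out=$(ntlm_auth --username="$TESTUSER" --domain="$DOMAIN" --password="$TESTPASS" 2>&1)
        if ntlm_auth_ok "$out"; then echo "PASS ntlm_auth plain"
        else echo "FAIL ntlm_auth plain: $(classify_ntlm_status "$out")"; rc=1; fi

        # 4. The PEAP/MSCHAPv2 path additionally needs the NT key, which goes through
        #    winbindd's privileged pipe; this is the step that can pass at the shell
        #    as root yet fail when Radiator runs it as an unprivileged service user.
        out=$(ntlm_auth --request-nt-key --username="$TESTUSER" --domain="$DOMAIN" --password="$TESTPASS" 2>&1)
        if ntlm_auth_ok "$out"; then echo "PASS ntlm_auth --request-nt-key"
        else echo "FAIL ntlm_auth --request-nt-key: $(classify_ntlm_status "$out")"; rc=1; fi
    else
        echo "SKIP ntlm_auth not installed"
    fi
    return $rc
}

# Only run the live checks when asked, so the helpers can be sourced or tested alone.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run step 4 as the same account the RADIUS daemon runs under, not as root, since that is the mismatch the shell tests in the thread would not have caught. Use a dedicated low-privilege test account for `TESTUSER`: the password is passed on the command line here and is visible in the process list while `ntlm_auth` runs.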
