Educause Security Discussion mailing list archives

Re: WPA2/Enterprise startup/rollout headaches...


From: "Whitlow, Michael" <mwhitlow () BUMAIL BRADLEY EDU>
Date: Tue, 26 Jul 2011 11:23:00 -0500

We rolled out WPA2\Enterprise last summer. In addition to client
configuration issues and other replies you have already got on this
message, we have seen a lot of issues where Windows machines did not
trust our root CA because they hadn't had their updates to know they
should trust it yet.  Our particular root CA was undergoing a change
almost to the day we ordered our certs from them so that complicated
things for us further from a client perspective.  We were rolling out a
cert that Windows did not know about yet. I will definitely check that
next time before making a decision on my CA vendor.

In summary the best tool I have had in finding the issues have been the
Radius server logs. The solutions to the issues have been to manually
install the proper root and intermediate CAs in the proper certificate
stores in Windows, then use MMC to check and make sure they are where
they are supposed to be. It's a manual process on each machine but it
really does work.

I wish you the best.

Mike
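A scripted version of the check Mike describes above (root CA in the Trusted Root store, intermediate in the Intermediate CA store, then confirm the RADIUS server certificate chains to a trusted root). This is an added example, not code from either message; the .cer file paths are placeholders and it assumes the CA and server certificates have already been exported to files.

```powershell
# Added example: verify the CA certificates a WPA2-Enterprise (PEAP) client needs
# are in the correct LocalMachine stores, then test that the RADIUS server cert
# chains to a trusted root. Paths are placeholders; run from an elevated prompt.
param(
    [string]$RootCaPath       = 'C:\certs\root-ca.cer',          # placeholder
    [string]$IntermediatePath = 'C:\certs\intermediate-ca.cer',  # placeholder
    [string]$ServerCertPath   = 'C:\certs\radius-server.cer'     # placeholder
)
function Test-CertInStore {
    # $true if the certificate in $CertPath (matched by thumbprint) is in LocalMachine\$StoreName.
    param([string]$CertPath, [string]$StoreName)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        return ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0)
    } finally {
        $store.Close()
    }
}
# Root CA belongs in "Trusted Root Certification Authorities" (store name Root);
# intermediates belong in "Intermediate Certification Authorities" (store name CA).
$expected = @(
    @{ Path = $RootCaPath;       Store = 'Root' },
    @{ Path = $IntermediatePath; Store = 'CA'   }
)
foreach ($e in $expected) {
    if (Test-CertInStore -CertPath $e.Path -StoreName $e.Store) {
        Write-Host ("OK       {0} is in LocalMachine\{1}" -f $e.Path, $e.Store)
    } else {
        # certutil -addstore installs a .cer into the named LocalMachine store.
        Write-Host ("MISSING  {0} is not in LocalMachine\{1}; fix: certutil -addstore {1} `"{0}`"" -f $e.Path, $e.Store)
    }
}
# Build the chain for the RADIUS server certificate against the local stores, as the
# supplicant must. Revocation is skipped: the client has no network before 802.1X completes.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($server)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Server cert chains to trusted root: $($root.Subject)"
} else {
    # UntrustedRoot here is the symptom from the thread: the root CA is not trusted by this client yet.
    $chain.ChainStatus | ForEach-Object { Write-Host "Chain error: $($_.Status) $($_.StatusInformation)" }
}
```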

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Wednesday, July 13, 2011 8:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] WPA2/Enterprise startup/rollout headaches...

One of our summer projects is to bring WPA2/Enterprise to our wireless
network, which is currently either plaintext or using pre-shared keys,
simply terminating on the controller.

We have assembled the pieces of the puzzle we know about:

* Aruba controllers configured for AAA via Radius,
* Bradford Campus Manager is proxying the Radius requests (was doing
  mac-authentication before),
* Radiator has been setup for "AuthBy NTLM" against our Active
  Directory domain controllers.

With these bits done, we can successfully authenticate at the Radiator
command line (ntlm_auth works).

We can successfully authenticate from the Bradford Radius test page.

We can successfully authenticate from the Aruba AAA test page.

However, we cannot seem to get any clients to successfully authenticate
to wireless.  Win7 seems to get the farthest (out-of-the-box, no
supplicants or certificates), prompting once for credentials when it
tries PEAP, and failing that (perhaps due to the unknown certificate?),
it prompts again in a pop-up window for "EAP-TTLS credentials" asking
for domain\userID and password.  We then see Radiator trying the
request/challenge several times before eventually rejecting, and there
is no connection.

Is there another whole piece of the puzzle we are missing to carry over
to the clients?  I know at times in the past that various supplicants,
shims, or some "connectivity add-ons" (e.g., XpressConnect) were
required to complete the picture, but I thought most of this could be
done "out of the box" by now?

It seems that we are so close but missing this final leap out to the
client.  I had expected issues with bizarre devices (iThings, game
consoles, etc), but not a wholesale failure of everything...

Any suggestions, pointers, recipes, how-tos, "WPA2 for Dummies", magical
incantations, war stories, drinking games, wishes, holy grails, etc.,
would be most welcome :)

Thanks in advance,

Jeff 
