Higher Education

Regular Contributor I
Posts: 241
Registered: ‎04-03-2007
educating users about .1X config

Hi,

Our .1X SSID uses EAP-TTLS. We use an onboarding tool from another vendor to guide users through the supplicant configuration process. This adds TTLS support and does other magic (inserts radius cert + sets SSL to Always Trust (Apple KB), positions .1X SSID at the top, removes open SSID, etc.).

Essentially, this means users must go to our open SSID to run the config tool before connecting to our .1X SSID. Our user population is having problems with this basic rule ("Go Here to Get to There") which results in our Help Desk being overwhelmed each September by users who try to connect to .1X but fail with a crippled (at best) connection.

What are folks doing to educate users to "Go Here to Get There"? What messaging is effective? Are there good ways of using enforcement, like not allowing users to use the open SSID (send them to redirect?). Can the .1X SSID "fall through" to a web page that says "You need to launch this app first"?

Thanks,

Mike

Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010
Re: educating users about .1X config

We simply do not do cert based .1x any more because of this...  We moved to PEAP mschapv2 and have not really looked back - since the move we have had almost zero requests on how to access the network...  We sync their AD credentials to Google Apps and utilize single-sign-on for everything so it's one username/password to get where you need to go.

I like the security aspect of TTLS, but we would never deploy to our student population again unless it is much, much easier.

Now the population of machines we control I have no issues with TTLS as I can manage all of that from AD...

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010
Re: educating users about .1X config

So you don't use any client configuration utility? You're opening yourself up to man-in-the-middle vulnerabilities.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010
Re: educating users about .1X config

cappalli wrote:

So you don't use any client configuration utility? You're opening yourself up to man-in-the-middle vulnerabilities.

We have a simple guide on how to set up your client, along with trusting the certificate, etc. Most of the students follow the instructions; some simply click "connect".

IMO 802.1x PEAP is still light years better than WPA2, and we simply do not have the support staff to handle the massive amount of issues that TTLS brings to the table.  Aruba has a nice solution - but for a small organization it is totally out of our budget...

Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: educating users about .1X config

Isn't this the whole purpose of ClearPass onboarding? To do all that for you?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010
Re: educating users about .1X config

americanmcneil wrote:

Isn't this the whole purpose of ClearPass onboarding? To do all that for you?


Yes.  But for some this product is simply out of reach.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010
Re: educating users about .1X config

When using PEAP, most users simply enter their credentials and go on their way. Little do they know that their credentials can easily be captured.

I always recommend requiring some type of supplicant configuration utility or moving to EAP-TLS.

Also keep in mind that Aruba has an independent product called ClearPass QuickConnect that can do supplicant configuration and is very reasonably priced if onboarding is out of your budget.

If you use eduroam, they have a free supplicant configuration utility that members can use.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 241
Registered: ‎04-03-2007
Re: educating users about .1X config
What would ClearPass do differently than my other config utility? Isn't the problem essentially the same: you got to go here (open SSID) to get there (.1X SSID)?

Our users aren't "going here" and instead getting stuck "going there" first. How would ClearPass resolve this?

Mike
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010
Re: educating users about .1X config

I was responding to danstl. (Sorry!)


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 241
Registered: ‎04-03-2007
Re: educating users about .1X config
Tim,

Can the CAT tool install our radius cert on OSX and set relevant certs to SSL Trust (Apple workaround)?

Can ClearPass?