on 04-24-2014 07:53 AM
Our .1X SSID uses EAP-TTLS. We use an onboarding tool from another vendor to guide users through the supplicant configuration process. This adds TTLS support and does other magic (inserts radius cert + sets SSL to Always Trust (Apple KB), positions .1X SSID at the top, removes open SSID, etc.).
Essentially, this means users must go to our open SSID to run the config tool before connecting to our .1X SSID. Our user population is having problems with this basic rule ("Go Here to Get to There"), which results in our Help Desk being overwhelmed each September by users who try to connect to .1X but fail with a crippled (at best) connection.
What are folks doing to educate users to "Go Here to Get There"? What messaging is effective? Are there good ways of using enforcement, like not allowing users to use the open SSID (send them to redirect?). Can the .1X SSID "fall through" to a web page that says "You need to launch this app first"?
on 04-24-2014 07:58 AM
We simply do not do cert based .1x any more because of this... We moved to PEAP MSCHAPv2 and have not really looked back - since the move we have had almost zero requests on how to access the network... We sync their AD credentials to Google Apps and utilize single-sign-on for everything so it's one username/password to get where you need to go.
I like the security aspect of TTLS, but we would never deploy to our student population again unless it is much, much easier.
Now the population of machines we control I have no issues with TTLS as I can manage all of that from AD...
on 04-24-2014 08:01 AM
on 04-24-2014 08:04 AM
So you don't use any client configuration utility? You're opening yourself up to man-in-the-middle vulnerabilities.
We have a simple guide on how to set up your client, along with trusting the certificate, etc. Most of the students follow the instructions, some simply click "connect".
IMO 802.1x PEAP is still light years better than WPA2, and we simply do not have the support staff to handle the massive amount of issues that TTLS brings to the table. Aruba has a nice solution - but for a small organization it is totally out of our budget...
on 04-24-2014 08:05 AM
Isn't this the whole purpose of ClearPass onboarding? To do all that for you?
Network+ | CWNA | ACSP | ACMP | ACMA | BREC
04-24-2014 08:08 AM - edited 04-24-2014 08:09 AM
When using PEAP, most users simply enter their credentials and go on their way. Little do they know that their credentials can easily be captured.
I always recommend requiring some type of supplicant configuration utility or moving to EAP-TLS.
Also keep in mind that Aruba has an independent product called ClearPass QuickConnect that can do supplicant configuration and is very reasonably priced if onboarding is out of your budget.
If you use eduroam, they have a free supplicant configuration utility that members can use.
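The gap raised in the post above (a PEAP or TTLS profile that never pins the RADIUS server) can be audited on clients that use wpa_supplicant. This is an added example, not part of the thread or of any vendor tool; the sample config, SSIDs, CA path and server name are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, CA path and server name are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-1x-onboarded"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=PAP"
}
network={
    ssid="campus-open"
    key_mgmt=NONE
}
'''

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\n\s*\}", re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$', re.M)
# wpa_supplicant options that bind the profile to a specific server name
NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    return [dict(FIELD_RE.findall(body)) for body in BLOCK_RE.findall(text)]

def audit(text):
    """Map SSID -> findings for 802.1X profiles that do not pin the RADIUS server."""
    report = {}
    for net in parse_networks(text):
        key_mgmt = net.get("key_mgmt", "")
        if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
            continue  # open or PSK network: there is no EAP server to validate
        findings = []
        if "ca_cert" not in net:
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(k in net for k in NAME_KEYS):
            findings.append("no server name match: any cert from a trusted CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report
```

A profile with both findings is the "enter credentials and click connect" case: the inner credentials are sent to whichever access point answers for that SSID.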
on 04-24-2014 08:14 AM
Our users aren't "going here" and instead getting stuck "going there" first. How would ClearPass resolve this?