Hey Tim-
It's Aaron from Boston College (that should give you some more context).
Also glad to hear you joined Aruba/HP officially. It's a big win for
all of Aruba's customers.
> Writing auth method to the database is not a good idea as it can change at
> any time. Endpoint attributes should be from authorization. Also, the
> combination of consistently writing the data to the database and CoAing
> clients could cause performance issues.
In this setup we are writing the auth method only when it changes, so
it will always update if the auth method changes. But for most clients
it will only be written once-- not every auth.
The CoA will only happen the first time a client that demands MSCHAPv2
connects. If it continues to use MSCHAPv2 it won't need to be written
again. Same with a client that changes from MSCHAPv2 to another
method, only on the auth when it changes. Not every auth.
Most clients on campus support non MSCHAPv2 auth methods so none of
this will apply to them, only our windows base.
> How are you measuring the performance of AD? What were the issues that were
> happening?
We had many different problems with AD. Some of them you were privy to
when you helped us work through them. Measuring performance of
AD-LDAP lookups is done via the RADIUS logs. But those are only half
the equation. The MSCHAP portion of the authentication relies on DNS
SRV records and doesn't load balance well. Depending on AD also means
we're dependent on another service and the team that runs it. So
regardless of the technical problems, from a political perspective,
there is robustness gained by not relying on more than one group for
authentication and authorization.
> These days, the only realistic two options are EAP-PEAP/MSCHAPv2 and
> EAP-TLS. Was EAP-TLS explored? That is the golden standard and is the second
> most supported EAP type by clients (behind PEAP).
EAP-TLS is a pretty financially expensive solution via Aruba OnBoard.
We do use it in labs where user auth isn't viable and in some other
special cases. Moving completely to EAP-TLS isn't reasonable for us as
it would require touching all 20,000 802.1X end user devices.
EAP-GTC is widely supported by all OS versions except Windows 7.
> EAP methods are configured locally on the client so if you are changing the
> EAP method that you'd like to use, you need to touch the clients.
True, but most clients (other than Windows) negotiate this
automatically and don't require manual intervention. For instance
iPhones and OS X (the majority of our user endpoints) will happily
switch between EAP-MSCHAPv2 and EAP-GTC depending on what the service
offers, without reconfiguration or even prompting the user for a
password.
> Also, Windows clients can use LDAP or AD. It really depends on what you're
> trying to do and what AD features you're trying to use.
We've been down this road before. Our LDAP does not store plain text
or one-way hashed passwords as AD does. We cannot use LDAP with
Windows 7 clients.
aaron