Controllerless Networks

Are there performance differences associated with WPA2 Personal vs Enterprise?

 

Looking to auth devices via mac address to a secure (teacher) role across specific vlans.

Other devices would be placed in a generic (student) role across another set of vlans.

This would allow us to easily identify student traffic and apply content filter roles as needed.

 

Any suggestions greatly appreciated.

Thanks.

Enterprise is per user and or per device authentication (unique credentials) whereas personal uses a shared key.

If your users already have accounts, then enterprise is your best option (and most secure).


Thanks,
Tim

We currently are using Enterprise.

However, we are transititoning away from AD.

Currently our staff only need it to auth into Enterprise wireless network.

 

Is it possible to use Enterprise w/ MAC address only?

In my testing so far its requiring a username and password to be applied.

This is with MAC auth and failover to 802.1x enabled.

 

Thanks,

 

Enterprise, or 802.1x requires a Username and password.

 

"we are transititoning away from AD."

 

What are you moving to? I assume you will still have some sort of directory/radius services? Do you have Aruba Clearpass?

 

"Is it possible to use Enterprise w/ MAC address only?"

 

No, enterprise requires a username and password. Unless the user manually enters their Password as their MAC address, i am not aware of any mechanism to have a device submit their 802.1x auth with their MAC address.

 

I would really suggest you move away from MAC filtering at all on your secure network. It offers basically no security.

Transitioning over to Google Apps for Edu.

Cloudessa provides it as a directory but no budget for it

 

No clearpass either.

 

Even with Enterprise setup to auth via AD teachers still give out creds / lose creds and we have had students on secure network.

 

My hope was that mac auth would limit this further.

Maybe MAC + Another Role ID to transtion into roles rather than VLAN.

 

However, your bring up a great point - our students would be past the mac address auth in no time.

Time to rethink this design.

 

Additionally, our OSX laptops occassionally are not happy with our 802.1x network but auth onto legacy PSK network no problem.

 

Thanks.  Awesome input.

If you do not have the budget, but you do have the time and effort, you could setup FreeRadius

 

http://freeradius.org/

 

I know it's another system to administer, but at least you could stop using AD and save that cost.

 

Another option is that if you have a certifiate authority, you could distribute certs to Teachers, and students would auth with a username and password. Then you can assign roles based on auth type. But again, this might require another investment in hardware, so it's only feasable if you already have a Certificate authority.

 

_ELiasz

No, you need credentials. What are you moving to for an identity store?


Thanks,
Tim

"Are there performance differences associated with WPA2 Personal vs Enterprise?"

 

For actual traffic encryption i believe they use the same encryption algorithm based on AES, so there would be no difference. The main difference is during authentication. During roaming there may be more over head to join the next AP when using Enterprise, but this should not really be noticable ot the end user unless you have high latency between you network and AAA servers.

 

Authing devices via MAC is not very secure, and if you have teksavvy students it's only a matter of time before they figure out how to clone a MAC and get teacher access.

 

What are you using to authenticate your users? If you have AD in the back end you should be able to pass back role information and assign Teacher vs Students to different roles, even while keeping them on the same VLAN in the Aruba infrastructure. if you need to apply FW polices up steam, you might be forced to use VLAN, but i would still suggest role mapping over MAC filtering.

 

Let me know if you have questions about these options.

_ELiasz

No meaningful difference in performance with the encryption types, no.

Any documentation on the Ca
authentication setup and config?

Check out this post:

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/EAP-TLS-configuration/td-p/37358

 

There is some information there about what you need to do. From the Aruba side there should be minimal changes, it would be the back end auth server which needs to process the EAP request.

 

As for configuring a PKI, with AD its pretty simple. If you are moving away from AD, you would need to find another CA. There are paid options like Entrust or Clearpass, or free options like http://www.ejbca.org/ (i've not tested this, just some googling found it). If you are not familiar with Public Key Infrastructure(PKI) this might be a large undertaking, and you might need to involve a partner or contractor.

 

Certificate auth is, in my opinion, the best and most secure way to authenticate, but it also is somewhat more complicated(you also need to find a way to put certificates on all the devices).

 

Username/Password on something like FreeRadius might be the best option if you don't have budget for a more enterprise solution.