We're an extremely large college campus with 1800+ lightweight radios. Right now we're webauthing our users with no security solution.
Seems as if our attempt at securing the wlan with PEAP isn't going to get approved since we have had many of the pilot users complain about products made by Apple. No problems to speak of with WinXP, Vista, Win7 or Linux Ubuntu.
Being that we're an extremely large college campus with 25,000 users, we cannot "control the clients". We do not specify what device they can bring on campus, so we're looking to others for suggestions.
Has anyone else been in my shoes, with thousands of clients that need to be secured, but no control over what devices come on to the network?
Many thanks in advance.
Did you try MAC filtering? I think it will cost you a week to register, but it can solve this problem.
Each student needs to submit a registration form via the website to authorize their Wi-Fi device.
In the registration form, include address, device model, expiry date ....
Then you create a script to import the necessary info into your ACL ...
Let them register, and the policy will take effect after a week, depending on your implementation schedule.
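An added example of the "script to import those necessary info to your ACL" step, written for this thread and not taken from any poster or vendor: it parses a constructed CSV export of the registration form, normalizes the three common MAC spellings, drops rows with malformed MACs or an expiry date in the past, and renders a generic allow-list. The column names, the `permit <mac>` line format and the sample rows are assumptions.

```python
import csv
import io
import re
from datetime import date

# Constructed sample export from the registration web form (not real student data).
# Columns follow the fields suggested in the post (address, device model, expiry date)
# plus the MAC address the ACL actually needs.
SAMPLE_FORM_EXPORT = """\
username,address,device_model,mac,expires
alice,Hall A 101,MacBook Pro,00:1B:63:84:45:E6,2099-06-30
bob,Hall B 202,ThinkPad T410,00-21-5c-12-ab-cd,2001-05-31
carol,Hall C 303,iPhone 4,0021.5c12.abce,2099-06-30
dave,Hall D 404,Netbook,not-a-mac,2099-06-30
"""

# Accept the three common spellings: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$")


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or None if it is not a MAC."""
    s = raw.strip().lower()
    if not MAC_RE.match(s):
        return None
    digits = re.sub(r"[^0-9a-f]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_acl(csv_text, today_iso):
    """Parse the form export and split it into accepted ACL entries and rejects.

    today_iso is the reference date (YYYY-MM-DD) used for the expiry check.
    Returns (accepted, rejected): accepted is a list of dicts with normalized
    mac/username/expires; rejected is a list of (username, reason) tuples.
    """
    today = date.fromisoformat(today_iso)
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            rejected.append((row["username"], "invalid MAC address"))
            continue
        expires = date.fromisoformat(row["expires"])
        if expires < today:
            rejected.append((row["username"], "registration expired"))
            continue
        accepted.append({"mac": mac, "username": row["username"], "expires": expires})
    return accepted, rejected


def render_acl(accepted):
    """Emit one allow-list line per device; the 'permit <mac>' syntax is an assumption,
    the real format depends on the controller the ACL is imported into."""
    return [f"permit {e['mac']}  ! {e['username']} until {e['expires'].isoformat()}"
            for e in accepted]


if __name__ == "__main__":
    ok, bad = build_acl(SAMPLE_FORM_EXPORT, date.today().isoformat())
    print("\n".join(render_acl(ok)))
    for user, reason in bad:
        print(f"rejected {user}: {reason}")
```

Running the import on a schedule with today's date keeps expired registrations out of the ACL automatically. Since the MAC is self-reported by the registering client, the list gives accountability (who registered which device) rather than authentication of the device itself, which is also how the later post describes using MAC registration alongside WPA2-Enterprise.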
Is this a question of securing access to the wlan or encrypting the data, or both?
What problems do Apple users have w/ PEAP?
I don't have the answer, just trying to understand the question as this is something I will probably need to address in the future. Hopefully some of the folks on this forum can help!
It's not a good idea to use EAP-PEAP (MSCHAPv2) password-based authentication in a large campus from a security and device control perspective... users could share passwords with each other.
A better solution from a security perspective would be to use EAP-TLS computer certificate-based authentication. This requires more administrative overhead, due to certificate generation and the manual import of computer certificates and keys using .cer, .crt, .pem, .p12 or .pfx files into the local computer certificate store or file system, plus appropriate configuration of WPA supplicants. It works fine in Windows Vista, Win7, WinXP SP3, WM 6.1, Ubuntu, BT4 ;), iPhone 4.0.
p.s. To enforce computer authentication in WinXP SP3, you must set a registry value:
Dynamic PSK was designed for this. Unfortunately, it is only available with Ruckus gear. I could make that happen. :)
I have been reading a bit about this. Very interesting. Nice solution for a number of scenarios. Lots of good features, e.g. an employee leaving the company.... quick key change:
I work for a large university as well (4,000+ APs). We use MAC registration (for accountability, etc) and use WPA2-Enterprise (using PEAP and MSCHAPv2). The overhead and support involved with TLS is too much in our deployment due to the infrastructure involved and our lack of client control. My two cents.
The Ruckus solution seems pretty interesting though.
If anyone would like a demo of DPSK, I can arrange that. It's a really simple solution to a difficult problem.
I don't really understand the advantage of DPSK over the others. Please demo, I'm eager to see and
I'll shoot a video on DPSK as soon as I get the new studio done, but for now I'll try to have a simple explanation.
The entire goal of 802.1X is to authenticate a user against a database (usually) then provide that user's machine with unique encryption keys. The downside of 802.1X is that the machine is required to have a .1X supplicant installed which can be somewhat difficult. In an environment like higher ed, it is logistically almost impossible to install and troubleshoot 802.1X for every student.
WPA-PSK is extremely secure when long, randomly generated PSKs are used. The problem with WPA-PSK is that everyone has the same PSK. When the PSK effectively becomes public, like among the student body, the effectiveness of WPA-PSK security is negated. If the PSK is known anyone can access the network and all encrypted data can be decrypted.
Dynamic PSK, patented by Ruckus, is exactly as it sounds. It uses PSKs to secure data, but they are dynamic. Every user gets a different PSK. There are a few ways to make this happen, but let's look at one way to do it in higher ed.
There are two SSIDs. One is open (no security) and named "Provision"; the other is named "Students". A new student connects to the Provision SSID and their browser is redirected to a web page where they are asked to enter their user name and password (this page is SSL encrypted). That user/pass can be a separate database, MS Active Directory, or whatever user database you currently use.
Once the end user enters their proper credentials, they click on a link at the next web page. Now, the Ruckus system configures their laptop for them! Yep, you heard it right. It configures their laptop with the "Students" SSID and gives that laptop a unique PSK. Now, the student is on the "Students" SSID with a unique PSK. Nothing else is required. The student has a secure connection with a unique PSK. Simple to implement and secure.
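An added example, not from the thread and not Ruckus' implementation, illustrating the property the two posts above describe: with WPA-PSK everyone derives the same key, so one leaked key covers every device, whereas a per-device PSK handed out after the provisioning login gives each device its own key and lets one student be revoked without touching anyone else. The passphrase-to-PMK mapping is the standard WPA2-Personal one (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 256 bits); the `PerDevicePskStore` class, the SSID and the device names are assumptions of this example.

```python
import hashlib
import secrets


def derive_pmk(passphrase, ssid):
    """WPA2-Personal key mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def shared_psk_pmks(ssid, passphrase, devices):
    """Classic WPA-PSK: one passphrase for the whole campus, hence one PMK for every device."""
    pmk = derive_pmk(passphrase, ssid)
    return {device: pmk for device in devices}


class PerDevicePskStore:
    """Hypothetical per-device PSK registry (an assumption of this example).

    Models the flow in the post: after a user authenticates on the provisioning
    SSID, the system hands that device its own random passphrase for the
    "Students" SSID and remembers it so the AP can complete the 4-way handshake."""

    def __init__(self, ssid):
        self.ssid = ssid
        self._passphrases = {}  # device -> passphrase

    def provision(self, device, passphrase=None):
        """Issue (or re-issue) a device its own key; random by default."""
        if passphrase is None:
            # 24 random bytes -> 32 printable chars, inside WPA's 8..63 char limit
            passphrase = secrets.token_urlsafe(24)
        self._passphrases[device] = passphrase
        return passphrase

    def revoke(self, device):
        """A leaving student: drop only that device's key, nobody else re-keys."""
        self._passphrases.pop(device, None)

    def pmks(self):
        return {d: derive_pmk(p, self.ssid) for d, p in self._passphrases.items()}


def devices_exposed_by(pmks, leaked_pmk):
    """Which devices' traffic could be decrypted by someone holding this one PMK?"""
    return sorted(d for d, k in pmks.items() if k == leaked_pmk)


if __name__ == "__main__":
    devices = ["alice-laptop", "bob-phone", "carol-tablet"]  # constructed names
    shared = shared_psk_pmks("Students", "campus-wide-secret", devices)
    print("shared PSK, bob's key exposes:", devices_exposed_by(shared, shared["bob-phone"]))

    store = PerDevicePskStore("Students")
    for d in devices:
        store.provision(d)
    per_device = store.pmks()
    print("per-device PSK, bob's key exposes:", devices_exposed_by(per_device, per_device["bob-phone"]))
    store.revoke("bob-phone")
    print("after revoking bob:", sorted(store.pmks()))
```

The PBKDF2 step is also why the "long, randomly generated PSKs" advice holds: the derivation is deterministic per SSID, so a short or shared passphrase is the only weak point, and per-device random passphrases remove the sharing problem without changing anything about the encryption itself.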