We are using 2-factor authentication to authenticate our wireless clients on the wireless network. Primary authentication is AD-based authentication via a RADIUS server and secondary is certificate based. We want to get rid of certificate-based authentication as this has administration overhead for the end user to manage the certificate and get a new certificate in case of a laptop crash.
Is there any alternative authentication method to certificate-based authentication that is equally or more secure but simpler?
Any help is really appreciated.
Have you considered something like a YubiKey?
If your devices have a USB port, this may work for you.
At the first CWNP conference earlier this year, Matthew Gast talked about SAE, a new authentication and encryption standard for wireless devices. SAE stands for "Simultaneous Authentication of Equals". If I remember correctly, it was originally developed for mesh networks.
Aruba has an article about their version which they call "dragonfly" at:
It also has a pointer in it to the IETF RFC.
I suggest you give the Aerohive or Aruba folks a call.
Then do us a favor, here on the Forum, if it looks like SAE might work for you.
Aerohive has a similar version of SAE called Private PSK (PPSK); it works well.
Matthew Gast's presentation on SAE is at:
Is there any evidence to suggest wireless card vendors are implementing SAE support into their 802.11ac cards? I have seen 802.11ac cards have significant issues roaming in poorly designed wireless networks, where 802.11n cards are not having the same challenges. Thoughts?
I have not heard of any cards using SAE. As far as I know, it is only a mesh network security.
Hopefully Aerohive's patent will be made publicly available/licensed/free someday.
I could imagine that the higher rates in /ac and the higher SNR levels required by them might cause some problems in a poorly designed network.
SNR and radio Receive Sensitivity requirements both go up as the rate and modulation complexity increase.
I figured they built in support for SAE in preparation, but the SNR explanation makes sense, maybe more, too.
A packet capture shows frequent regular incomplete handshakes from the client when issues are seen, almost like a roam trigger was hit midway through.
It is often the case that a client device will scan every channel within the band when it believes it needs to roam. However, this can take an inordinate amount of time, even in the 2.4 GHz band if we are really looking at every legal channel.
Scanning and roaming can be much faster if the client device can be configured to only scan the channels really used in your network. Some clients can be configured this way, but the manufacturer may not make the controls public knowledge. Often only VARs or bigger customers are given this information.
Check it out. You may be pleasantly surprised.
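As an added example (not from any poster in this thread, and not Aerohive's or Aruba's own configuration), here is how two ideas raised above look on an open-source stack: hostapd serving one SSID with SAE and per-user SAE password identifiers, which is the closest hostapd analogue of the private-PSK idea, and a wpa_supplicant client that requires PMF and scans only the channels the network actually uses. The SSID, passwords, MAC address and channel list are constructed placeholders.

```ini
# --- hostapd.conf (access point side); constructed values ---
interface=wlan0
# constructed SSID
ssid=corp-sae
hw_mode=a
channel=36
# PMF (802.11w) is mandatory for SAE; 2 = required
ieee80211w=2
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_require_mfp=1
# One SSID, several credentials. Each user has their own SAE password bound
# to a password identifier (optionally also to a client MAC), so revoking a
# lost laptop means deleting one line here rather than re-issuing a certificate.
sae_password=Alice-example-pass-1|id=alice
sae_password=Bob-example-pass-2|id=bob|mac=02:00:00:00:00:02

# --- wpa_supplicant.conf (client side); constructed values ---
network={
    ssid="corp-sae"
    key_mgmt=SAE
    # refuse to associate unless the AP provides PMF
    ieee80211w=2
    sae_password="Alice-example-pass-1"
    sae_password_id="alice"
    # Only probe the 5 GHz channels deployed on this network (36/40/44/48)
    # instead of every legal channel, which shortens roam scans.
    freq_list=5180 5200 5220 5240
}
```

Each credential line can be removed independently on the AP, and a client whose password identifier is dropped simply fails SAE without affecting the other users on the same SSID.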