[unisog] 802.1x Wireless Deployment

Asadoorian, Paul D Paul_Asadoorian at Brown.edu
Thu Apr 10 12:05:46 GMT 2003


Ed,

We came to a similar conclusion, but determined that TTLS (along with
LEAP, PEAP, and 802.1x) is just not ready for primetime.  We tested
clients from Funk and Meeting House with little success, and this was
just on the windows platform.

Our strategy is now much different; we have a couple of ways out of our
wireless cloud:

1) Authenticated/Non-encrypted - There is no WEP or TTLS on our wireless
network (that we know of); it's all open, broadcasting SSIDs, etc.
When a user opens a web browser it gets intercepted by the wireless
gateway, which runs a free product called NoCat (http://nocat.net), which
is a combination of Linux/iptables/dhcpd/apache/perl that essentially
grabs everyone's traffic, authenticates them (via RADIUS), and lets them
out on only certain ports (80, 443, 22).  There is also a commercial
product (if you're into that sort of thing) called BlueSocket
(http://www.bluesocket.com) that we tested, but found that we were only
using 1/3 of its features, so decided to run the pilot on free/open
source software.

2) VPN - Which is not yet officially supported, but unauthenticated
users will be allowed to talk directly to our Cisco 3030 and establish a
VPN tunnel.

Our testing has gone well with NoCat, and coincidentally today is the
first official day the pilot wireless service is being offered, so I'll
let you know how it goes :-)

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912
401.863.7553

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com 
 
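An added sketch, in Python, of the gateway behaviour Paul describes above. This is not NoCat's code and not Brown's configuration; it only builds the iptables rules a NoCat-style box would apply. Interface names, the gateway address, the uplink and the client addresses are assumptions, and the RADIUS check is injected as a callable (the example includes no RADIUS client).

```python
from dataclasses import dataclass, field
from typing import Callable

# The "certain ports" authenticated users are let out on (from the message above).
EXIT_PORTS = (80, 443, 22)


@dataclass
class CaptiveGateway:
    """Rule builder for a NoCat-style gateway on an open wireless segment.

    Unauthenticated clients have their HTTP DNATed to the gateway's login page
    and everything else they try to forward is dropped. Once a login succeeds
    against the injected authenticator (a RADIUS check in the real thing), the
    client's (IP, MAC) pair is allowed out on EXIT_PORTS only.
    Interface names and addresses are assumptions made for this example.
    """
    wifi_if: str = "wlan0"
    uplink_if: str = "eth0"
    gw_ip: str = "10.0.0.1"
    allowed: dict = field(default_factory=dict)  # client ip -> mac

    def base_rules(self) -> list[str]:
        return [
            # replies to connections already permitted may come back in
            "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
            # DNS and the login page are reachable on the gateway itself
            f"iptables -A INPUT -i {self.wifi_if} -p udp --dport 53 -j ACCEPT",
            f"iptables -A INPUT -i {self.wifi_if} -p tcp --dport 80 -j ACCEPT",
            # unauthenticated web traffic is redirected to the portal page
            f"iptables -t nat -A PREROUTING -i {self.wifi_if} -p tcp --dport 80 "
            f"-j DNAT --to-destination {self.gw_ip}:80",
            # nothing else leaves the wireless cloud by default
            f"iptables -A FORWARD -i {self.wifi_if} -j DROP",
            f"iptables -t nat -A POSTROUTING -o {self.uplink_if} -j MASQUERADE",
        ]

    def _client_rules(self, ip: str, mac: str, action: str) -> list[str]:
        match = f"-i {self.wifi_if} -s {ip} -m mac --mac-source {mac}"
        ports = ",".join(str(p) for p in EXIT_PORTS)
        return [
            # skip the portal redirect for this client (ACCEPT in nat PREROUTING
            # ends nat processing for the packet)
            f"iptables -t nat -{action} PREROUTING {match} -j ACCEPT",
            # and let it forward, but only to the listed TCP ports
            f"iptables -{action} FORWARD {match} -p tcp -m multiport "
            f"--dports {ports} -j ACCEPT",
        ]

    def login(self, user: str, password: str, ip: str, mac: str,
              authenticate: Callable[[str, str], bool]) -> list[str]:
        """Rules to apply after a successful login; [] when the check fails."""
        if not authenticate(user, password):
            return []
        self.allowed[ip] = mac
        return self._client_rules(ip, mac, "I")  # -I: inserted ahead of the DROP

    def logout(self, ip: str) -> list[str]:
        """Rules that remove a client's exit again."""
        mac = self.allowed.pop(ip)
        return self._client_rules(ip, mac, "D")


if __name__ == "__main__":
    gw = CaptiveGateway()
    print("\n".join(gw.base_rules()))
    # constructed sample client; the lambda stands in for a RADIUS Access-Accept
    print("\n".join(gw.login("alice", "letmein", "10.0.0.23",
                             "00:11:22:33:44:55", lambda u, p: p == "letmein")))
```

The exit rule keys on the client's IP and MAC, and on an open, unencrypted segment both are visible to anyone in range and trivially cloned, so this gates who may leave the cloud but gives no confidentiality or per-packet authentication; that is the gap the VPN option in the message is there to fill.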

-----Original Message-----
From: Ed Gibson [mailto:egibson at uwo.ca] 
Sent: Wednesday, April 09, 2003 4:50 PM
To: unisog at sans.org
Subject: [unisog] 802.1x Wireless Deployment


We are looking at deploying 802.1x as a potential solution to the
insecurities associated with WEP. (i.e. implementation of dynamic key
exchange).

This of course has led us into an analysis of TLS vs. TTLS vs. PEAP.
Our conclusion is that TTLS makes the most sense for us for the
following reasons:

TLS implies client certificate distribution and we would prefer to avoid
that can of worms.

PEAP seems to have an affiliation with MD4 hashing; since our LDAP
implementation only supports MD5 hashes, we were somewhat leery about
getting into multiple copies of password hashes.

Which leaves TTLS as the least of all evils.  Deciding to focus on
EAP/TTLS has now put us into the quandary of determining what client to
deploy. We have been able to identify three clients out there:
MeetingHouse, Funk Software's Odyssey client, or SecureW2, which has
just recently been offered for free.

My question is: has anyone out there reached similar conclusions? Or is
there any feedback available on our conclusions? And has anyone
completed any evaluation of these three client applications?

Not asking for too much, am I? :-)  Just figured we couldn't be the only
ones playing around with this model and felt additional feedback would
be enlightening.

Ed Gibson
University of Western Ontario
Network Operations
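An added illustration, in Python, of the hash-store point in Ed's message above; it is not code from the original post or from either university. PEAP's usual inner method, MS-CHAPv2, authenticates against the NT hash, which is MD4 over the UTF-16LE encoding of the password. An LDAP userPassword stored in the {MD5} scheme cannot be converted into that, so a RADIUS server doing MS-CHAPv2 needs a second credential store, which is the "multiple copies of password hashes" concern. A TTLS inner method such as PAP carries the cleartext password inside the TLS tunnel, so the server can check it against whatever hash is already stored. The MD4 below is implemented inline because hashlib's md4 is often missing from current OpenSSL builds; the sample passwords are made up.

```python
import base64
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def _md4_compress(state, block: bytes):
    """One MD4 compression of a 64-byte block, following RFC 1320."""
    X = struct.unpack("<16I", block)
    v = list(state)
    rounds = (
        # (mixing function, additive constant, per-step shifts, message word index)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    for fn, const, shifts, word in rounds:
        for i in range(16):
            t = (-i) % 4  # the register being updated cycles A, D, C, B
            x, y, z = (v[(t + j) % 4] for j in (1, 2, 3))
            v[t] = _lrot((v[t] + fn(x, y, z) + X[word(i)] + const) & M32,
                         shifts[i % 4])
    return tuple((s + w) & M32 for s, w in zip(state, v))


def md4(data: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        state = _md4_compress(state, bytes(msg[off:off + 64]))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash MS-CHAPv2 (PEAP's usual inner method) is verified against."""
    return md4(password.encode("utf-16-le"))


def ldap_md5_userpassword(password: str) -> str:
    """An RFC 2307-style {MD5} userPassword value: base64 of the raw MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify_pap(stored: str, cleartext: str) -> bool:
    """What a TTLS/PAP inner method allows: the server sees the cleartext inside
    the tunnel and can check it against the hash the directory already holds."""
    if not stored.startswith("{MD5}"):
        raise ValueError("only the {MD5} scheme is handled in this example")
    return hmac.compare_digest(stored, ldap_md5_userpassword(cleartext))


def provision(password: str) -> dict:
    """The 'multiple copies' situation: to serve both a PAP-style check and an
    MS-CHAPv2 check, the password has to be hashed two ways at set time,
    because neither hash can be derived from the other."""
    return {"ldap_userPassword": ldap_md5_userpassword(password),
            "nt_hash_hex": nt_hash(password).hex()}


if __name__ == "__main__":
    creds = provision("correct horse")  # constructed sample password
    print(creds)
    print(verify_pap(creds["ldap_userPassword"], "correct horse"))
```

Running it shows that the two stored values are unrelated: the {MD5} entry can be verified only when the inner method delivers the cleartext, and the NT hash has to be stored separately (and protected as carefully as a cleartext password, since MS-CHAPv2 treats possession of it as equivalent).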


