[unisog] 802.1x Wireless Deployment

Ed Gibson egibson at uwo.ca
Thu Apr 10 14:01:13 GMT 2003


Hi Paul

I didn't completely reveal the whole story in an attempt to keep the
feedback focused on the 802.1x issue. We have purchased the Bluesocket
solution and have been using 802.1Q VLANs to backhaul the wireless VLANs
to the Bluesocket as a gateway device. We are still in the early
implementation phases, but are happy with what has developed so far.

One of the original goals with the wireless deployment was to force faculty
and staff into encrypted conversations; we have looked at both VPN and
802.1x as potential solutions to this mandate. We are leaning towards "X"
over VLANing in that it gives us experience with network authentication
protocols. We are essentially using MAC addresses as the registration key in
our residences and recognize the weakness associated with this stance.
Moving the residence environment into a port level authentication model has
its perks from our perspective.

Ed Gibson


"Asadoorian, Paul D" wrote:

> Ed,
>
> We came to a similar conclusion, but determined that TTLS (along with
> LEAP, PEAP, and 802.1x) is just not ready for primetime.  We tested
> clients from Funk and Meeting House with little success, and this was
> just on the windows platform.
>
> Our strategy is now much different; we have a couple of ways out of our
> wireless cloud:
>
> 1) Authenticated/Non-encrypted - There is no WEP or TTLS on our wireless
> network (that we know of), it's all open, broadcasting SSIDs, etc...
> When a user opens a web browser it gets intercepted by the wireless
> gateway, which runs a free product called NoCat (http://nocat.net) which
> is a culmination of Linux/iptables/dhcpd/apache/perl that essentially
> grabs everyone's traffic, authenticates them (via Radius), and lets them
> out on only certain ports (80,443,22).  There is also a commercial
> product (if you're into that sorta thing) called BlueSocket
> (http://www.bluesocket.com) that we tested, but found that we were only
> using 1/3 of its features, so decided to run the pilot on free/open
> source software.
>
> 2) VPN - Which is not yet officially supported, but unauthenticated
> users will be allowed to talk directly to our Cisco 3030 and establish a
> VPN tunnel.
>
> Our testing has gone well with NoCat, and coincidentally today is the
> first official day the pilot wireless service is being offered, so I'll
> let you know how it goes :-)
>
> Paul Asadoorian, GCIA
> Brown University
> 115 Waterman St.
> Providence, RI 02912
> 401.863.7553
>
> PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
> Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
> Web: http://www.pauldotcom.com
>
>
> -----Original Message-----
> From: Ed Gibson [mailto:egibson at uwo.ca]
> Sent: Wednesday, April 09, 2003 4:50 PM
> To: unisog at sans.org
> Subject: [unisog] 802.1x Wireless Deployment
>
> We are looking at deploying 802.1x as a potential solution to the
> insecurities associated with WEP. (i.e. implementation of dynamic key
> exchange).
>
> This of course has delved us into an analysis of TLS vs TTLS vs PEAP.
> Our conclusion is that TTLS makes the most sense for us for the
> following reasons:
>
> TLS implies client certificate distribution and we would prefer to avoid
> that can of worms.
>
> PEAP seems to have an affiliation with MD4 hashing; since our LDAP
> implementation only supports MD5 hashes we were somewhat leery about
> getting into multiple copies of password hashes.
>
> Which leaves TTLS as the least of all evils.  Deciding to focus on
> EAP/TTLS has now put us into the quandary of determining what client to
> deploy. We have been able to identify three clients out there,
> MeetingHouse, Funk Software's Odyssey client, or SecureW2 which has been
> just recently offered for free.
>
> My question is: has anyone out there made similar conclusions? Or is
> there any feedback available on our conclusions? And has anyone
> completed any evaluation on these three client applications?
>
> Not asking for too much, am I? :-)  Just figured we couldn't be the only
> ones playing around with this model and felt additional feedback would
> be enlightening.
>
> Ed Gibson
> University of Western Ontario
> Network Operations
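Added example (not NoCat's, Bluesocket's or either poster's code): a small model of the captive-portal gateway policy Paul describes above, written so the flow can be traced offline. Unauthenticated HTTP is redirected to the portal, credentials are checked against RADIUS, and an authenticated client may then leave only on ports 80, 443 and 22. RADIUS is stubbed with a dict, and every MAC, IP, username, password, portal address and the idle timeout are constructed or assumed values. The rendered iptables rules are the equivalent of the verdict function, not rules taken from NoCat.

```python
"""Captive-portal gateway policy model (added example; not NoCat's or
Bluesocket's code).  Mirrors the flow in the thread: unauthenticated HTTP is
intercepted and sent to the portal, credentials are checked against RADIUS,
and an authenticated client may then leave only on ports 80, 443 and 22.
RADIUS is stubbed with a dict; every MAC, IP, user and password is a
constructed sample value."""
from dataclasses import dataclass, field
import time

PORTAL_ADDR = ("10.0.0.1", 80)      # assumed address of the gateway's portal
ALLOWED_PORTS = (80, 443, 22)       # egress ports named in the thread
SESSION_TTL = 3600                  # assumed idle timeout (seconds)

# Constructed stand-in for the RADIUS user database: username -> password.
_RADIUS_USERS = {"egibson": "correct horse", "pauld": "battery staple"}


def radius_auth(user: str, password: str) -> bool:
    """Stand-in for a RADIUS Access-Request; a real gateway sends this over
    UDP to the RADIUS server instead of reading a dict."""
    return _RADIUS_USERS.get(user) == password


@dataclass
class Session:
    user: str
    ip: str          # IP the MAC authenticated from; the session is bound to both
    last_seen: float


@dataclass
class Gateway:
    sessions: dict = field(default_factory=dict)  # MAC -> Session

    def login(self, mac, ip, user, password, now=None):
        """Portal login handler: on RADIUS success, open a session for MAC+IP."""
        now = time.time() if now is None else now
        if not radius_auth(user, password):
            return False
        self.sessions[mac] = Session(user, ip, now)
        return True

    def decide(self, mac, src_ip, dst_port, now=None):
        """Per-packet verdict for traffic leaving the wireless side."""
        now = time.time() if now is None else now
        s = self.sessions.get(mac)
        if s is not None and (now - s.last_seen > SESSION_TTL or s.ip != src_ip):
            # Idle timeout, or the MAC turned up from another IP: tear the
            # session down rather than let a stale binding keep working.
            del self.sessions[mac]
            s = None
        if s is None:
            return "REDIRECT_TO_PORTAL" if dst_port == 80 else "DROP"
        s.last_seen = now
        return "ACCEPT" if dst_port in ALLOWED_PORTS else "DROP"

    def iptables_rules(self, wlan="wlan0"):
        """Render the equivalent netfilter rules for the current session table
        (per-session ACCEPTs first, then the catch-all redirect and drop)."""
        ports = ",".join(str(p) for p in ALLOWED_PORTS)
        rules = []
        for mac, s in self.sessions.items():
            rules.append(f"iptables -t nat -I PREROUTING -i {wlan} -m mac "
                         f"--mac-source {mac} -s {s.ip} -j ACCEPT")
            rules.append(f"iptables -I FORWARD -i {wlan} -m mac --mac-source {mac} "
                         f"-s {s.ip} -p tcp -m multiport --dports {ports} -j ACCEPT")
        rules.append(f"iptables -t nat -A PREROUTING -i {wlan} -p tcp --dport 80 "
                     f"-j DNAT --to-destination {PORTAL_ADDR[0]}:{PORTAL_ADDR[1]}")
        rules.append(f"iptables -A FORWARD -i {wlan} -j DROP")
        return rules


if __name__ == "__main__":
    gw = Gateway()
    mac, ip = "00:11:22:33:44:55", "10.0.0.50"   # constructed client
    print(gw.decide(mac, ip, 80))                  # REDIRECT_TO_PORTAL
    print(gw.login(mac, ip, "egibson", "correct horse"))
    print(gw.decide(mac, ip, 443), gw.decide(mac, ip, 25))   # ACCEPT DROP
    print("\n".join(gw.iptables_rules()))
```

The session table is keyed by MAC, which is the same registration key Ed notes is weak for the residences; binding each session to the IP it authenticated from and expiring it on idle timeout narrows the window in which a stale entry keeps working, but it does not turn a captive portal into link-layer authentication the way 802.1x does, which is the trade-off the thread is weighing.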
