[unisog] Current 802.1x experiences?

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Sat Mar 4 13:40:36 GMT 2006


Depends on what is your directory behind. Novell e-directory has extensions to support MSCHAPv2; yes, Universal password required - but can be secured to localhost only.
Instead of fighting with the leader (MS$) we just choose possible options, can support both Mac and Windows so far easily with native clients;
Auth mechanisms we support with our radius server (freeradius) at
1. TTLS + CHAP
2. TTLS + PAP (MOST MACS do this, Secure-W2 does this great.)
3. TTLS + MS CHAPv2
4. PEAPv0 + MSCHAPv2 (MOST WINDOWS do this)
5. PEAP + GTC (good supplicants such as Intel Proset, IBM access connections, Funk Odyssey do this)

This covers pretty much all bases. Trapeze is good integrating with freeradius as well. We are a Cisco shop though. Cisco has some issues with WPA users roaming etc.; we have fine-tuned the config for Cisco old Aironet IOS based devices, ow will have to move to their Airespace sometime (figures..)

We can support WPA1 + WPA 2 with both Mac and Windows native clients. We also rolled out a version of Secure-W2 for campus users to test, but nobody likes to install software on their system just for wireless networks - except IT people themselves.

Regards
Vijay 

Let me know if I can help in any way - I have been burned to the been tweaking config for dot1x / radius and universal client support.

Peter Van Epp <vanepp at sfu.ca>
Sent by: unisog-bounces at lists.sans.org
03/03/2006 01:04 PM
Please respond to: UNIversity Security Operations Group <unisog at lists.sans.org>
To: unisog at lists.sans.org
cc:
Subject: [unisog] Current 802.1x experiences?

I'm curious about people's experience with 802.1x especially outside Windows 2K / XP (i.e. Macs of all flavors and versions, OS 9 and OS 10, Linux, Solaris etc.). The last time I remember this being discussed, which is a couple of years ago, there were a number of horror stories about non-Windows supplicants not working very well. We are about to refresh our wireless authentication (to Trapeze) and can do 802.1x (as can all of our edge switches, which is also being considered) as well as web page authentication (primarily because we pushed to make sure everything we own could do web page :-)).

You can reply to me and I'll summarize or reply to the list as you choose since I expect there may be wider interest.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada