
Are You Using 802.1X?

Cliff posted more than 11 years ago | from the solving-the-problems-of-802.11 dept.

Technology 239

WirelessMan asks "I work for a certain university in the US, and our IT department has just deployed IEEE 802.1x authentication for our wireless network. One of the benefits is that all users' sessions are encrypted using tumbling WEP keys. One of the (major) drawbacks is the 'newness' of 1x. As far as I can tell (Google, etc) there aren't a whole lot of places out there who have taken the plunge. Google it, or check out this brief description. Does the Slashdot community have any experience with 1x?"

"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME, etc.). Windows 2000 supposedly has built-in support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.

As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"


Answer (4, Funny)

Anonymous Coward | more than 11 years ago | (#6355219)

No.
Next question please.

Re:Answer (4, Informative)

bethane (686358) | more than 11 years ago | (#6355245)

While 1x provides nice features, it is rather unstable right now. We have tried using it at home, not really for any practical reason but just for geeky fun, and we had a hard time getting Linux clients to talk to our Win2003 server. I ended up scrapping the whole idea.

-- a fan whore, look at my journal for hot sex [slashdot.org]

Re:Answer (1)

galimore (461274) | more than 11 years ago | (#6355587)

Both myself and my boss have been using 802.1x at home for quite some time now. It's rather solid, I would have to say. In the couple of weeks I have been using it I have not had ANY problems.

My suggestion is not to use Win2003 server. Certainly Windows is unstable. :P

Use the perl-based radius solution called Radiator. It runs on Windows, Mac OS X, Mac OS 9, Linux, Solaris, name your os. Sure, it costs money, but so does Win2003 server, right? (And more, I might add).

Re:Answer (0, Flamebait)

shaklee (631847) | more than 11 years ago | (#6355679)

that is because you are using linux, not because you are using 802.1x you stupid turd.

Re:Answer (1)

The Dobber (576407) | more than 11 years ago | (#6355454)


Could you rephrase the question in the form of multiple choice?

Re:Answer (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355564)

there's lots and lots of pr0n here!
http://onetwosevendotzerodotzerodotone.com/

Universities and such (3, Insightful)

mrpuffypants (444598) | more than 11 years ago | (#6355228)

Personally I doubt why you would go with a system that makes you scrounge for clients on different OS's just to implement at a university. In the corporate world you have the luxury of saying "If you want to use our network you will use "n" hardware and nothing else."

At the university level you have people using about 300 different configurations and OS's. It seems like you are making it just that much more difficult for those users that get use out of the network that they pay for through their tuition.

Re:Universities and such (5, Informative)

mplex (19482) | more than 11 years ago | (#6355503)

You also can't broadcast the university's data to the world. It's definitely a balance, but there are solutions that can work without being too restrictive. We use Funk Software's Odyssey server at our University, and it supports a wide range of authentication types (TLS, TTLS, LEAP, PEAP). We have managed to get 98% of our users online without any trouble. Cisco hardware works fine on most OS's (Linux, BSD, PocketPC). There is also an open source TLS authentication method, but that involves issuing client certificates.

Like I said before, there has to be some balance between security and academic freedom, but there must be some sort of security policy in any large wireless network. I think what the industry really needs is a standard rather than 5 or more different solutions with marginal advantages over one another. Then we can work on getting that standard supported everywhere (PEAP I hope). Until then, wireless security will always be hit or miss or none at all.

Re:Universities and such (5, Informative)

galimore (461274) | more than 11 years ago | (#6355601)

Um... 802.1x *IS* an IEEE standard... people just need to start implementing it correctly... ;)

Also, not only is there a TLS open source standard... the open1x project (http://www.open1x.org) has a TTLS release, and PEAP in CVS.

PEAP is a horrid ripoff of TTLS in my opinion.

P.S. The FUNK guys wrote the TTLS RFC. ;)

M$ and Cisco wrote the PEAP RFC, but neither of them follow it, or each other.

Re:Universities and such (-1, Flamebait)

foniksonik (573572) | more than 11 years ago | (#6355621)

SO you're saying that Universities should simply MANDATE what platform their students can use to get access to their network?

What a dumb@ss! Yeah that promotes diversity and learning.... why don't they just institute a UNIFORM policy while they're at it... wouldn't want anyone wearing incompatible clothes or anything.

Re:Universities and such (1)

foniksonik (573572) | more than 11 years ago | (#6355650)

huh, sorry, mis-read your post.

Anyways, their solution doesn't sound that problematic. I haven't come across a VPN solution that supports every platform equally. It's the state of the tech.

haha! (-1, Offtopic)

Pi314592 (459587) | more than 11 years ago | (#6355230)

first post!

Re:haha! (0, Offtopic)

sixdotoh (584811) | more than 11 years ago | (#6355240)

ah, the humiliation and agony of losing by 2 FREAKIN' MINUTES!! NOOOOOOoooo. come on man.

Uhm, YES (1, Informative)

Anonymous Coward | more than 11 years ago | (#6355231)

First post

But yes, we use it, have been for quite some time - about November of last year - works great, and is pretty good - requires RADIUS or Active Directory/IAS.

MODERATION ABUSE ON PARENT (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355266)

Parent is on-topic, crackpipe mods

Re:MODERATION ABUSE ON PARENT (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355497)

good thing someone chose to use their modpoint to mod parent down, instead of modding grandparent up.

MODERATION ABUSE ON PARENT (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355684)

The parent is still unfairly modded down.

Parent is ONTOPIC. What about it don't you like? You pissing moderators are an example of the kind of people who should be shot.

ABUSE CONTAINS TO GREAT GRANDCHILDREN (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355707)

Just predicting that I will get modded down... UNFAIRLY!!

I am sensing a very sinister pattern here.

Get SP4 for W2K (5, Informative)

mike300zx (523956) | more than 11 years ago | (#6355239)

Get SP4 which gets the .1x support back.

whoa (0, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355241)

the left nav bar of slashdot has been redesigned!!!

FUCK YOU DICKHOLE (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355306)

gay sex

Re:FUCK YOU DICKHOLE (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355389)

haha, so what if someone modded me up again? :-P

Re:whoa (-1, Offtopic)

Gherald (682277) | more than 11 years ago | (#6355395)

the left nav bar of slashdot has been redesigned!!!

I started reading Slashdot just several weeks ago and I have to say this is a very welcome change.

It makes spotting new stories much easier... props to who ever implemented it!

Testing... Testing... (4, Interesting)

ErikTheRed (162431) | more than 11 years ago | (#6355242)

"Looks like the network guys did their homework..."

Did "homework" include a reasonable test implementation? Anything that affects your infrastructure in such a drastic way should probably be banged on for several weeks with at least a dozen guinea pigs (assuming you don't have a test lab in these days of cost cutting).

Re:Testing... Testing... (4, Funny)

Snoopy77 (229731) | more than 11 years ago | (#6355692)

... should probably be banged on for several weeks with at least a dozen guinea pigs

First make sure that this is legal in your state. Richard Gere got into trouble for involving small rodents in his banging sessions.

Purdue's Solution (5, Interesting)

mjlizzad (686363) | more than 11 years ago | (#6355262)

Take a look at what Purdue University does. They use a Cisco VPN client that is available on win/mac/linux/sun, and ties in with the student accounts to verify access. If you aren't using the VPN client, you are redirected to download it automagically. http://www.itap.purdue.edu/airlink/ This is the best solution I have seen.

Re:Purdue's Solution (2, Interesting)

Anonymous Coward | more than 11 years ago | (#6355288)

RPI has been using the same solution for a while now, I think almost a year, and it works really well. I have had no problem with it on win2k, XP or Redhat 8. http://www.union.rpi.edu/wireless/

Re:Purdue's Solution (5, Interesting)

Anonymous Coward | more than 11 years ago | (#6355370)

Actually, the VPN solution, while effective, can be a management pain in the butt -- especially if you have users that wander from AP to AP that may or may not service the same subnet. Plus, almost always it's going to be a proprietary solution of some sort, meaning you're locked into a vendor and may face future compatibility issues.

With 802.1x properly implemented, there's little reason to continue using VPN. I have seen a combination of VPN and .1x, but that is merely because using plain WEP doesn't meet DoD standards for encryption of unclassified data over an open medium.

Re:Purdue's Solution (1)

mjlizzad (686363) | more than 11 years ago | (#6355415)

Solution: Your wireless has its own subnet(s). There's no better way... VPN is THE way to secure wireless.

Re:Purdue's Solution (1)

cfoster611 (219409) | more than 11 years ago | (#6355374)

University of Illinois at Urbana uses this too, though you must download both the client and key before you are allowed on one of the few official wireless LANs for undergrads. Most buildings that have WLANs are MAC restricted to grad students and professors only.

Re:Purdue's Solution (1)

WuphonsReach (684551) | more than 11 years ago | (#6355483)

Assuming you can - put all of the WAPs on a separate network and force the users to VPN/PPTP into the LAN through a firewall/proxy/vpn/bit-of-toast.

That gets rid of the need to use WEP (which isn't very compatible between different manufacturers), allows you to leverage existing authentication systems, and encrypts the traffic between the laptop and the LAN. The only traffic that isn't encrypted would be if 2 laptops decided to talk to each other directly on the wireless subnet.

Downside is that it's one more VPN/firewall system that you have to setup and support (depending on site plan), plus the cost of supporting a 2nd tier network.

2pac 4ever (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355265)

gay fuqn penis
law & order rulez

MOD PARENT UP (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355280)

hell yeah faggotz

Another Question... (1)

mianbao (666582) | more than 11 years ago | (#6355269)

I'm in a similar environment, 802.1x, PEAP/MSCHAPv2 (and DHCP)... Now I have to bring along UTP wires for my laptop running Linux... There is this "Aegis" client, but it doesn't seem to be working too well.. Anyone know any other solutions out there?

Re:Another Question... (4, Interesting)

galimore (461274) | more than 11 years ago | (#6355612)

Check out the open1x project.

http://open1x.sourceforge.net [sourceforge.net]

I'm not only a client, I'm also a developer. ;)

Re:Another Question... (1, Informative)

Anonymous Coward | more than 11 years ago | (#6355647)

Funny thing, the only way I got the freakin' AEGIS client to work was to read the directions. I thought I knew Linux, but the AEGIS guys know it better ... or something.

So the moral of the story is, read the directions (and don't bother using the RedHat 'neat' utility with AEGIS -- they don't like each other).

TOTALLY Off-Topic, but... (-1, Offtopic)

suwain_2 (260792) | more than 11 years ago | (#6355276)

What just happened to the sidebar? (Look to your left)

Re:TOTALLY Off-Topic, but... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355290)

its turned gay!
mac fags at work i tell you!

What I heard (-1, Offtopic)

djupedal (584558) | more than 11 years ago | (#6355351)

...was that only users with such low karma as to make them shunned by lepers could see the new sidebar.

Can you describe it in detail for those of us who aren't yet fallen angels?

Re:TOTALLY Off-Topic, but... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355524)

Funny, the "more" labels read "exclusive" instead right after they made the change.

A sign of things to come?

yes, the security it provides is worth it (5, Informative)

puneetb (679679) | more than 11 years ago | (#6355278)

Not using even WEP is simply asking for trouble. Using basic WEP (pre-shared keys) is a little better, but it's still vulnerable and has the hassles of key management (each time you change the keys you need to update all clients). 802.1x is the way to go.

There is some support on OSes for 802.1x (Windows XP has it built in for some authentication methods, for Windows 2000 you can download it from the Microsoft website, for Linux and BSD use xsupplicant (http://www.open1x.org)).

One important consideration is what 'EAP method' you use for security. 802.1x is a framework for security and you can tie in different methods within this framework for doing the actual authentication and key generation.

If you use EAP-TLS then there can be a problem of configuring certificates on client machines, though it's pretty secure once set up. You can use the Cisco proprietary LEAP with Cisco APs and clients or go for a solution based on PEAP or EAP-TTLS.

LEAP only requires you to have a username/password type of setup and can be easily tied to existing authentication infrastructure (e.g. the Windows network in your lab). PEAP and EAP-TTLS need only a username and password if you use MS-CHAPv2 or some such method, though you still need valid server-side certificates.

Puneet

Re:yes, the security it provides is worth it (0)

Anonymous Coward | more than 11 years ago | (#6355630)

LEAP and PEAP are not the way to go. They both have issues with somebody being able to set up a rogue access point and steal Windows usernames/passwords, which not only gives them access to your network, but also gives them access to your systems. IPSEC is the only way to go, anything else is just stupid.

Truth is, if somebody would combine off the shelf tools today LEAP and PEAP would be easier to hack than WEP.
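Added example (not code from the thread or from any of the products named in it): a toy Python model of the exchange Puneet outlines above, with the supplicant, the AP and the RADIUS server as separate parties and the EAP method doing the actual authentication and key generation. It also shows the defensive check the reply above is really about: the supplicant validating the server's certificate before it releases any credential, so a look-alike AP gets nothing. The inner method is an HMAC stand-in rather than real MS-CHAPv2, and the CA name, server name, username and password are all constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    subject: str  # name the supplicant expects, e.g. "radius.example.edu" (constructed)
    issuer: str   # CA that signed it


class AuthServer:
    """RADIUS/IAS-style backend behind the AP. `users` is constructed sample data."""

    def __init__(self, cert: ServerCert, users: dict):
        self.cert = cert
        self.users = users

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check_response(self, user: str, challenge: bytes, response: bytes) -> bool:
        pw = self.users.get(user)
        if pw is None:
            return False
        expected = hmac.new(pw.encode(), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    @staticmethod
    def session_key(challenge: bytes, response: bytes) -> bytes:
        # Stand-in for the key material a real server returns with Access-Accept:
        # bound to this exchange, so every session gets a fresh per-user WEP key
        # instead of one static pre-shared key that everybody has to be told about.
        return hashlib.sha256(b"toy-session-key" + challenge + response).digest()


class Supplicant:
    """Client-side logic (the job of xsupplicant / the Windows client)."""

    def __init__(self, user, password, trusted_cas, expected_server):
        self.user = user
        self.password = password
        self.trusted_cas = set(trusted_cas)
        self.expected_server = expected_server

    def inner_response(self, server_cert: ServerCert, challenge: bytes) -> bytes:
        # Validate the outer PEAP/TTLS server before releasing any credential.
        # Skipping this is what lets a look-alike AP collect challenge/response pairs.
        if server_cert.issuer not in self.trusted_cas:
            raise PermissionError("server cert not signed by a trusted CA")
        if server_cert.subject != self.expected_server:
            raise PermissionError("server cert name mismatch")
        # HMAC stand-in for the MS-CHAPv2 response (not the real algorithm).
        return hmac.new(self.password.encode(), challenge, hashlib.sha256).digest()


@dataclass
class Authenticator:
    """The access point: relays EAP to the server and gates the port."""
    server: AuthServer
    port_authorized: bool = False
    session_key: Optional[bytes] = None
    log: list = field(default_factory=list)

    def run(self, supp: Supplicant) -> str:
        self.port_authorized, self.session_key = False, None
        self.log = ["EAPOL-Start", "EAP-Request/Identity",
                    f"EAP-Response/Identity({supp.user})"]  # only the identity is exposed
        challenge = self.server.new_challenge()
        self.log.append("EAP-Request (server cert + inner challenge)")
        try:
            response = supp.inner_response(self.server.cert, challenge)
        except PermissionError as why:
            self.log.append(f"supplicant abort: {why}")
            return "unauthorized"
        self.log.append("EAP-Response (inner challenge response)")
        if not self.server.check_response(supp.user, challenge, response):
            self.log.append("EAP-Failure")
            return "unauthorized"
        self.session_key = self.server.session_key(challenge, response)
        self.log.append("EAP-Success + key material pushed to AP")
        self.port_authorized = True
        return "authorized"


# Constructed scenario data: campus CA, the real RADIUS cert, and a rogue one.
CAMPUS_CA = "Example University CA"
GOOD_CERT = ServerCert("radius.example.edu", CAMPUS_CA)
ROGUE_CERT = ServerCert("radius.example.edu", "Self-Signed Rogue CA")
USERS = {"wirelessman": "correct horse battery staple"}


def legit_session(password: str = "correct horse battery staple"):
    ap = Authenticator(AuthServer(GOOD_CERT, USERS))
    supp = Supplicant("wirelessman", password, [CAMPUS_CA], "radius.example.edu")
    return ap.run(supp), ap


def rogue_session():
    """Same user, same expectations, but the AP fronts a server with a self-signed cert."""
    ap = Authenticator(AuthServer(ROGUE_CERT, {}))
    supp = Supplicant("wirelessman", "correct horse battery staple", [CAMPUS_CA], "radius.example.edu")
    return ap.run(supp), ap
```

Running `legit_session()` twice yields two different session keys, which is the "tumbling WEP keys" property the submitter mentions; `rogue_session()` ends with the supplicant aborting before any inner response is sent and the port still closed.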

Re:yes, the security it provides is worth it (0)

Anonymous Coward | more than 11 years ago | (#6355671)

except for buying e.g. radius... the costs involved make it useless... use a VPN tunnel instead...

Yes (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355281)

I'm leeching off my neighbors 802.11b router.
No WEP here, baby!

MOD THIS NIGGER DOWN WHAT THE FUCK (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355297)

gay

make any card work with 1x! (3, Interesting)

rlthomps-1 (545290) | more than 11 years ago | (#6355282)

I know a lot of people rag on 1x because it isn't supported by every POS WiFi card out there, but the security enhancement you get is really indispensable, especially when you consider that your average corporate WEP network is no safer than my Linksys AP at home.

A really great client for getting multiple cards to work on 1x networks is the Aegis client from Meetinghouse [mtghouse.com]. Their supplicant will take many standard WiFi cards and allow them to use 1x.

Our IT dept doesn't support it (most probably won't) but if you're a frustrated user who doesn't want to buy a new card for a 1x network they've got a 15 day demo which should give you enough time to figure out if it works for you.

802.1x works (4, Informative)

Merlisk (450712) | more than 11 years ago | (#6355283)

I used it on my last contract. 802.1x with Windows XP SP1 works just fine. We used PEAP and Microsoft's IIS server for RADIUS authentication.

We wanted PEAP since it doesn't require manual certificates.

It took a lot of tweaking on the server, a small bit on the AP, but the client settings were just what you'd expect them to be.

I didn't try it with OS X (even though I used a Powerbook on the job). Take a look at http://www.mtghouse.com/

Per the message boards I've read, their client should work just fine.

I'm using (-1, Troll)

[cx] (181186) | more than 11 years ago | (#6355291)

802.1Y and 802.1Z

I prefer the depth of 802.1Z however!

Re:I'm using (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355428)

Shut up, you putz

For hardware considerations... (1, Offtopic)

DeathPenguin (449875) | more than 11 years ago | (#6355294)

I recently went from wired to 802.11g. However, it wasn't without a struggle. I did a good deal of research but still got suckered into buying a Broadcom-based card only supported in Windows. As it turns out, Broadcom doesn't support Linux well (or at all, in this case). To add to the confusion, most of the cards that I checked out that had once boasted Linux compatibility had been 'upgraded' to use a Broadcom chip. Even 802.11b hardware that used the supported Prism2 chipset is damn near impossible to find these days as much of it has been changed over to use cheaper hardware (not necessarily Broadcom, but other non-supported brands as well). Model names / numbers are virtually the same as they were before. It's basically like searching for a PCI non-Winmodem these days.

My advice: Go with a nice ethernet bridge and don't get burned by bad / non-existent drivers. I ended up with a Linksys WET54G, which just so happened to be reviewed by THG [tomshardware.com] earlier. It works flawlessly after I plugged it into my NIC under Linux. It also leaves my options open for other OSes that don't even have as much support as Linux. So long as your network card works (and interconnects via RJ45), you'll have a reliable wireless connection using the bridge. Not only that, but it has a configurator accessible through any web browser, much like their routers. This means configuring the bridge for use with encryption and such will work the same on Windows, Linux, MacOS, etc.

Only problem is they're a bit expensive (roughly $130). If you don't use Windows full time, it's worth every penny.

I guess you learn something every day. (2)

infonick (679715) | more than 11 years ago | (#6355296)

I always thought that 802.1x was a set of protocols - I always thought the x was a variable... I know better now. :(

Re:I guess you learn something every day. (5, Informative)

VAXman (96870) | more than 11 years ago | (#6355392)

You're thinking of "802.11x" which generally means any of 802.11b, 802.11a, or 802.11g (wireless protocols). "802.1x" is a security protocol, not a wireless protocol per se. Very confusing, I know...

Re:I guess you learn something every day. (0)

Anonymous Coward | more than 11 years ago | (#6355580)

To make things more fun:

1. The minor revision to IEEE 802.1X is IEEE 802.1aa.

2. The major revision to IEEE 802.11 (and IEEE 802.1X) to replace WEP is called IEEE 802.11i.

3. The interim industry release of IEEE 802.11i-style security, using TKIP instead of AES, is called WPA (WiFi Protected Access).

Re:I guess you learn something every day. (2, Funny)

Lord_Dweomer (648696) | more than 11 years ago | (#6355716)

" You're thinking of "802.11x" which generally means any of 802.11b, 802.11a, or 802.11g (wireless protocols). "802.1x" is a security protocol, not a wireless protocol per se. Very confusing, I know..."

So is this 802.1x Hi-Speed or Full-Speed?

tried it but didnt like it (2, Informative)

senergy (686361) | more than 11 years ago | (#6355298)

Using D-Link's new firmware for the 900AP+ which supposedly supports 1x, Funk Software's RADIUS server and WinXP SP1, I thought I would give it all a try... let's just say it's not as easy as I would have expected. And in my experience, if it's not easy to implement then people won't use it, let alone how picky you have to be with OS's, clients and hardware that will actually support it.

IPSec (1)

cscx (541332) | more than 11 years ago | (#6355299)

Isn't IPSec a possible solution?

Re:IPSec (1)

engineerjeremy (636126) | more than 11 years ago | (#6355447)

The standard access point is only a 133 MHz processor. You could use it further upstream possibly, but as for integration into the AP, it would cost a lot more per AP. AES is going to be the de facto encryption for wireless. Unfortunately it will take more than a firmware upgrade to the AP due to intense CPU usage.

Re:IPSec (2, Informative)

Zebra_X (13249) | more than 11 years ago | (#6355467)

The IPSec tunnel is established between the two computers communicating. There would be no reason for the AP to do any processing other than what it already does - moving packets.

Re:IPSec (2, Insightful)

Zebra_X (13249) | more than 11 years ago | (#6355488)

Right now IPSec should be the solution. Given what the question asker just posted it's pretty clear that 802.1x is "half baked" as far as a standard goes. IPSec however has been out for a while and its evils are pretty well known. Certainly not easy to set up, but as far as ubiquity goes, it's available on almost every platform. In addition - IPSec enhances not only the security of your wireless connections, it also enhances the security of the wired network. With a good certificate distribution infrastructure and a knowledgeable support staff IPSec is a viable alternative.

Re:IPSec (2, Informative)

shokk (187512) | more than 11 years ago | (#6355644)

What we've done is placed a small firewall just outside our main firewall on the same ISP subnet. All clients must use the same VPN software they use when traveling to then access the network through the main firewall. Rules in place on the small firewall only allow authenticated traffic hubbed through the main firewall and nothing else. So you don't even get a free ride on Internet access if you break into the network. 802.1x is definitely next and we may or may not keep the IPSec.

slashdot redesign? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355300)

about fucking time!

Why did you replace "xx new" stories with "xx exclusive"? There's nothing "exclusive" about this shit.

Pearls of Wisdom (-1, Offtopic)

GillBates0 (664202) | more than 11 years ago | (#6355307)

Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat?

Yes, yes I do. You need to be strong of heart and quick of step to emerge victorious. Courage is the key to victory, my friend.

To quote Pierre Corneille: "A victory without danger is a triumph without glory."

Also I must point out Napoleon Bonaparte's immortal words: "Victory belongs to the most persevering."

Worry not, keep persevering and victory shall be yours.

That's enough wisdom for a day...time to sleep. Good night. Spock out \\//

some experience with this (-1)

Fecal Troll Matter (445929) | more than 11 years ago | (#6355308)

I recently went from wired to 802.11g. However, it wasn't without a struggle. I did a good deal of research but still got suckered into buying a Broadcom-based card only supported in Windows. As it turns out, Broadcom doesn't support Linux well (or at all, in this case). To add to the confusion, most of the cards that I checked out that had once boasted Linux compatibility had been 'upgraded' to use a Broadcom chip. Even 802.11b hardware that used the supported Prism2 chipset is damn near impossible to find these days as much of it has been changed over to use cheaper hardware (not necessarily Broadcom, but other non-supported brands as well). Model names / numbers are virtually the same as they were before. It's basically like searching for a PCI non-Winmodem these days.

My advice: Go with a nice ethernet bridge and don't get burned by bad / non-existent drivers. I ended up with a Linksys WET54G, which just so happened to be reviewed by THG [tomshardware.com] earlier. It works flawlessly after I plugged it into my NIC under Linux. It also leaves my options open for other OSes that don't even have as much support as Linux. So long as your network card works (and interconnects via RJ45), you'll have a reliable wireless connection using the bridge. Not only that, but it has a configurator accessible through any web browser, much like their routers. This means configuring the bridge for use with encryption and such will work the same on Windows, Linux, MacOS, etc.

Only problem is they're a bit expensive (roughly $130). If you don't use Windows full time, it's worth every penny.

Our story (-1, Troll)

Fux the Pengiun (686240) | more than 11 years ago | (#6355324)

Funny you should mention this!! My company is doing the switch right here. Here's what we're doing, and maybe you can try something similar.

We're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME, etc.). Windows 2000 supposedly has built-in support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.

The network guys certainly did their homework, and everything turned out great!

Cheers,

FtP

Re:Our story (0, Offtopic)

Quixote (154172) | more than 11 years ago | (#6355475)

Huh? This dude just cut-n-pasted the original guy's second paragraph! Moderators, please wake up... :)

Re:Our story (0)

Anonymous Coward | more than 11 years ago | (#6355512)

Did not.

+3 Informative? +5 Funny please! (-1)

New World Odor (669252) | more than 11 years ago | (#6355515)

Or, am I just reading it all wrong?

802.1x Rolled Out at Baylor University (2, Informative)

adambrock (686365) | more than 11 years ago | (#6355334)

We just rolled out 802.1x at Baylor University this week. Where are you located? I know they are also rolling out at Memphis.edu and Kstate.edu in the fall. E-mail me if I can be of any help...

No plunge here... (2, Interesting)

ChilyWily (162187) | more than 11 years ago | (#6355349)

Well, I work for a large company. We're just getting 802.11b with Cisco's LEAP authentication fully deployed throughout the country. I doubt they will move forward (unless Cisco tells them to).

*sigh*

not really (1)

Turgon33 (179510) | more than 11 years ago | (#6355367)

Auburn University is using a Cisco VPN solution to secure the node-to-access-point communications. The VPN client is available for Windows, MacOS, and Linux.

We just finished rolling out EAP-TLS on a Win2k... (4, Informative)

Sikmaz (686372) | more than 11 years ago | (#6355371)

Outside of the access points we used all pre-existing equipment. We already had an Enterprise Root Cert Authority set up on our Root Win2k DC. We then created a cert for wireless access. We deployed the cert by using policies and used IAS to authenticate the users against a remote access policy that verified users' group memberships.

For hardware we used Cisco 1100's and ZyAIR B1000's (http://www.zyxel.com). The B1000's have a beta firmware to support EAP-TLS and cost less than $100 bucks!

We only allow Win2k and Windows XP clients to use wireless; setting up the few Win98 clients we have is too much of a pain!

With Windows XP Service Pack 1 the user will get a prompt that says there is a wireless network available. Included in that is a check box to use 802.1x authentication, and since the default is Certificates all the user does is click connect and they are on!

If you have clients other than Windows clients you can still use the Win2k cert server, just have them download the cert via the web manager. It will be http://certservername/certsrv. Works great.

question for /. - 802.1x or a firewall (1)

Sabalon (1684) | more than 11 years ago | (#6355375)

We are a school going through the same question - should we set up 802.1x on everything or should we just put a firewall in place that you have to register your NIC with to do anything?

For the FW solution, it is possible to falsify a MAC, but not something your average user would do (though VMWare makes it trivial).

For the 802.1x solution, you have the issues of different cards, drivers, implementations, and then the question of people who wanna run Linux, *BSD, etc... can't just cut them/me off :)

SHUT THE FUCK UP DICKHEAD (-1, Troll)

I_TOTALLY_FART_POO (686368) | more than 11 years ago | (#6355385)

fuck you poo

Re:question for /. - 802.1x or a firewall (2, Interesting)

mplex (19482) | more than 11 years ago | (#6355458)

While there are multiple solutions and types of 1x, they do seem to work together. We support EAP-TTLS, TLS, PEAP, and LEAP on our network just by enabling it on the server side. MAC address filtering would provide way too many headaches for the number of users we have to support. Fortunately, with Cisco hardware, they manage to support more OS's than most. As soon as there is an open source PEAP client, I don't even think it will be an issue anymore. That seems to be the direction things are going considering future Windows support.

Another feature of 1x is that it provides fairly good encryption through rotating keys. This is much better than 40/128bit encryption. In the end, it comes down to support issues and decent security. We have several linux/BSD users on our network but they all have to use cisco hardware. Other than the cost, it works great, but our network is 150+ APs, so this sort of solution might not work on a small scale.

Re:question for /. - 802.1x or a firewall (1)

puneetb (679679) | more than 11 years ago | (#6355481)

While changing the MAC address in a Linux system is easy, for Windows 2000 and XP based systems you can also use a tool like SMAC.
http://www.klcconsulting.net/smac/

Couple this with Ethereal (where you first sniff out a valid MAC address) and getting network access on a MAC based authentication scheme is trivial.

Also, 802.1x will provide you encryption and dynamic keys, something a simple firewall based solution won't be able to do.

Puneet

Re:question for /. - 802.1x or a firewall (1)

afidel (530433) | more than 11 years ago | (#6355657)

Registering NICs is worthless because MAC spoofing is trivial, so definitely go with 802.1X. Do your homework on hardware and you shouldn't have many problems; most businesses don't have the problems of mixed equipment and OSes that a university does.

Re:question for /. - 802.1x or a firewall (0)

Anonymous Coward | more than 11 years ago | (#6355710)

Funny you should mention this ... at Baylor, 1x is replacing a Wireless Firewall Gateway [baylor.edu] -- no NIC registration required. One significant difference is, with 1x, all traffic is encrypted by the tumbling WEP keys. With the WFG, only the SSL webscript login is encrypted.

Weigh the whole cost-benefit ratio. You could implement the WFG pretty cheaply. I have no idea what a "free" implementation of 1x would cost. I'm sure the Microsoft solution costs a bundle.

Same here (1)

Monoman (8745) | more than 11 years ago | (#6355382)

I work at a community college. We are going with the 802.1x w/ MS PEAP for our initial WLAN rollouts. Currently this is for employee (mostly execs) only. Management made the decision to be a MS shop years ago so 802.1x PEAP turned out to be the solution for us right now.

However, we are still researching WLAN solutions for when the decision is made to provide wireless access for the student VLANs.

Ideally an enterprise solution would

* be as transparent as possible to the users
* NOT involve installing a client to avoid support issues.
* be OS agnostic

Then again maybe I'm dreaming.

Mac OS 10.2 still struggles (2, Informative)

riclewis (617546) | more than 11 years ago | (#6355398)

In my experience (taking my iBook to work) the Aegis client for mac is less than perfect. It has some issues in handling the dynamic WEP keys. Xsupplicant seems fairly immature, and I haven't yet been able to get it to compile on my mac.

My impression is that this is a much needed, but still nubile technology. I wouldn't be surprised to see stronger support flourish in the 'alternate' (non-MSFT) OSes within the next year or so. Microsoft seems to be a bit ahead of the game on this one.

No WEP, Yes IPSec. (4, Informative)

dietlein (191439) | more than 11 years ago | (#6355402)

I don't know about you who use WEP, but please STOP.

It is BROKEN [berkeley.edu] .

Use IPSec. There are many tutorials for using IPSec in tunnel mode as a replacement for WEP. Google it [google.com] . I wrote the 3rd or 4th one down - it isn't that hard, guys. Please don't use WEP, it really isn't smart.

Re:No WEP, Yes IPSec. (1)

afidel (530433) | more than 11 years ago | (#6355668)

Actually, if your rotation schedule is short enough for 802.1X, then the listener won't record enough packets for the vulnerabilities to be a problem.
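As an added example (not from afidel's post, and not code from any product in the thread), here is a back-of-envelope check of that claim. WEP IVs are 24 bits and travel in the clear, so the two questions for a rotation interval are: how many frames does one key see, and how often does an IV repeat under that key anyway. The five-million-frame key-recovery threshold is a rough assumption from the 2001-era attack literature, and the traffic rates fed in below are constructed, not measured.

```python
"""Estimate what a WEP key-rotation interval does and does not buy you."""
import math

IV_SPACE = 2 ** 24  # 24-bit WEP IV, sent in the clear with every frame

# Assumption, not from the thread: the FMS-style key-recovery attacks of 2001
# were reported to need on the order of millions of frames under one key.
# 5e6 is used as a round working figure; newer attacks need far fewer.
FMS_FRAMES_ASSUMED = 5_000_000


def frames_per_key(frames_per_second, rotation_seconds):
    """Frames encrypted under a single key before it rotates."""
    return frames_per_second * rotation_seconds


def iv_collision_probability(frames, iv_space=IV_SPACE):
    """Birthday bound: P(at least one IV is reused) among `frames` frames under one key."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * iv_space))


def expected_iv_reuses(frames, iv_space=IV_SPACE):
    """Expected number of frame pairs that share an IV, i.e. keystream reuses."""
    return frames * (frames - 1) / (2.0 * iv_space)


def seconds_to_exhaust_ivs(frames_per_second, iv_space=IV_SPACE):
    """How long until a station sending at this rate has used every IV once."""
    return iv_space / frames_per_second


def assess(frames_per_second, rotation_seconds, attack_frames=FMS_FRAMES_ASSUMED):
    """Summarise one key period: does rotation starve the key-recovery attack,
    and does it stop IV reuse? (It usually does the first, not the second.)"""
    n = frames_per_key(frames_per_second, rotation_seconds)
    return {
        "frames_per_key": n,
        "key_recovery_possible": n >= attack_frames,
        "iv_collision_probability": iv_collision_probability(n),
        "expected_iv_reuses": expected_iv_reuses(n),
    }


if __name__ == "__main__":
    # constructed rates: a quiet station and a busy one, 10-minute rotation
    for rate in (20, 100, 500):
        print(rate, "frames/s:", assess(rate, 600))
```

Plug in the frame rate seen under a single key: with per-user keys each station's own traffic is what counts, which is much lower than the AP total. Even so, at 100 frames/s a ten-minute key sees 60,000 frames, nowhere near the assumed key-recovery threshold, but with a 24-bit IV the chance of at least one IV reuse in that window is essentially 1 and you should expect on the order of a hundred reused keystreams per key period. Rotation addresses key recovery; it does not address keystream reuse, which is what the per-packet keying discussed later in the thread is for.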

This isnt new (2, Informative)

engineerjeremy (636126) | more than 11 years ago | (#6355416)

802.1x authentication is not a new concept. It was developed many years ago for incorporation into the HP ProCurve product line for port based authentication. The good thing about 802.1x is that at least it does provide some encryption from the authenticator to the RADIUS server. So it's either this or captive portal, which is implemented in hotspot controllers to provide authentication via redirection of HTTP requests to a website that requests user/password pairs authenticated off a RADIUS server. Pick your tool, something needs to be done.

Solution: Drop Encryptions for a short time... (1)

DM_NeoFLeX (563396) | more than 11 years ago | (#6355430)

I'd drop the encryption for a time, restrict access to web browsing... Allow e-mail but only through the university's secure HTTPS webmail server (you do have one?) and the same with any important university interfaces, both staff and student based (class registration and purchasing, for example). This will allow the installed infrastructure to be used, but allow you to roll out secure technology at some point in the future... It's really all common sense...

Re:Solution: Drop Encryptions for a short time... (1)

nikpieX (518952) | more than 11 years ago | (#6355535)

This is similar to our wireless implementation. We keep wireless in a jailed environment and require them to authenticate to go anywhere. To reach any internal network resources, they must use some form of encryption (SSH, IPSec, SSL, etc.) and that is enforced by the firewall. Access to public services, like websites, home email, or whatever, doesn't need to be encrypted since it's the user's own risk and people could sniff that anywhere along the path anyway.
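The policy nikpieX describes, written out as a decision function you can test before turning it into firewall rules. This is an added example, not nikpieX's configuration: the jail and internal address ranges, the gateway address and the list of "encrypted" services are assumptions, and the client-isolation rule between jail clients is an addition of mine. The one detail worth noticing is that IPsec ESP is an IP protocol, not a port, so a port-only allowlist silently blocks it.

```python
"""Policy model for a 'jailed' wireless segment: internal hosts only over encrypted protocols."""
import ipaddress
from collections import namedtuple

# proto is 'tcp', 'udp' or 'esp'; dport is None for protocols without ports
Flow = namedtuple("Flow", "src dst proto dport")

# Assumed addressing, not from the thread
WIRELESS_JAIL = ipaddress.ip_network("172.16.99.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTH_GATEWAY = ipaddress.ip_address("172.16.99.1")  # captive login / VPN endpoint

# Services considered "encrypted" for reaching internal resources (assumed list)
ENCRYPTED_TO_INTERNAL = {
    ("tcp", 22),      # SSH
    ("tcp", 443),     # HTTPS
    ("tcp", 993),     # IMAPS
    ("tcp", 995),     # POP3S
    ("udp", 500),     # IKE
    ("udp", 4500),    # IKE / ESP over UDP (NAT-T)
    ("esp", None),    # IPsec ESP: an IP protocol, no port
}
# Before authentication only the login gateway is reachable
PRE_AUTH_ALLOWED = {("tcp", 443), ("udp", 53)}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def decide(flow, authenticated):
    """Return 'ACCEPT' or 'DROP' for one flow leaving the wireless jail."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in WIRELESS_JAIL:
        raise ValueError("policy applies only to traffic leaving the wireless jail")
    service = (flow.proto, flow.dport)
    if not authenticated:
        return "ACCEPT" if dst == AUTH_GATEWAY and service in PRE_AUTH_ALLOWED else "DROP"
    if dst in WIRELESS_JAIL:
        return "DROP"  # client isolation between wireless users (my assumption)
    if is_internal(dst):
        # internal resources: encrypted protocols only, enforced here, not by the user
        return "ACCEPT" if service in ENCRYPTED_TO_INTERNAL else "DROP"
    # public Internet: user's own risk, no encryption requirement
    return "ACCEPT"


if __name__ == "__main__":
    # constructed flows
    samples = [
        (Flow("172.16.99.10", "10.1.2.3", "tcp", 22), True),
        (Flow("172.16.99.10", "10.1.2.3", "tcp", 80), True),
        (Flow("172.16.99.10", "10.1.2.3", "esp", None), True),
        (Flow("172.16.99.10", "198.51.100.5", "tcp", 80), True),
        (Flow("172.16.99.10", "198.51.100.5", "tcp", 80), False),
    ]
    for flow, auth in samples:
        print(auth, flow, "->", decide(flow, auth))
```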

802.1x is very secure here-no one is able to login (4, Funny)

Anonymous Coward | more than 11 years ago | (#6355437)

At our University we deployed 802.1x and in this way we reached the highest possible level of security: nobody, not even the authorized personnel, can log in. This means that users have complete protection from hackers, viruses and similar.

Re:802.1x is very secure here-no one is able to lo (1)

galimore (461274) | more than 11 years ago | (#6355575)

This is not true... 802.1x has its flaws. Some vendor APs don't support per user keys. Have you done exhaustive sniffing to make sure your users are actually getting a different key than anyone else?

Viruses usually come in E-mail... 802.1x doesn't do anything to protect your users from viruses.

Highest possible level of security... maybe... I think I'd agree that it's currently the highest possible STANDARD security available today for 802.11 networks that has been ratified by the IEEE.

Re:802.1x is very secure here-no one is able to lo (0)

Anonymous Coward | more than 11 years ago | (#6355688)

802.1x doesn't do anything to protect your users from viruses.
Since when is scanning e-mail for viruses a Layer 2 networking function?

802.1x vs. WPA (0)

Anonymous Coward | more than 11 years ago | (#6355446)

What's the difference between WPA (Wireless Protected Access) and 802.1x? I've heard that WPA includes/uses/requires 802.1x. But is WPA something MORE? Or are the two equivalent?

Re:802.1x vs. WPA (1)

galimore (461274) | more than 11 years ago | (#6355569)

WPA includes portions of 802.11i. Specifically WPA has the TKIP stuff... (Temporal keys) basically gives you per-packet encryption, and a few other things. WPA is a precursor to 802.11i that a lot of vendors are implementing as the next step. It's good stuff.

802.11 (0)

Anonymous Coward | more than 11 years ago | (#6355463)

try going to a college that still uses 802.11 as the only network connection in the dorms. (raylink, 2mbit/s shared)

802.1X is purely for... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355526)

... raging faggots. Seriously, it's part of the Homosexual Agenda being forced on America, and anyone who uses it is completely and totally GAY.

University of Utah - 802.1x Campus Standard (5, Informative)

galimore (461274) | more than 11 years ago | (#6355532)

Hi,

I work at the University of Utah. We're currently rolling out 802.1x.

My building has already rolled out 802.1x on about 36 access points. We've been running for over a month and a half.

We've got a lot of people interested in what we're doing. We're using a decentralized model that allows us to let various departments use their user accounts everywhere else on campus (that is using 802.1x).

Check out our whitepaper for more information:

http://utahgeeks.sourceforge.net/projects/WirelessWhitepaper.pdf [sourceforge.net]

The paper covers various issues. Keep in mind that the paper is not quite done yet, but it does have a lot of useful information.

We're officially supporting Mac OS X, Windows 98, Windows 2k, and Windows XP. We're not officially supporting Linux, but my boss and I are lead developers on the open1x project (http://open1x.sourceforge.net [sourceforge.net] ).

It has Linux and Mac OS X support. We support TTLS, TLS, PEAP (in CVS), MD5, and we're going to be implementing EAP_AKA pretty soon.

If you're interested in the specifics please check out some of our support pages:

http://www.laptop.lib.utah.edu/global/support/index.html [utah.edu]

The biggest problem has been support for various cards on Windows. The support link above lists the cards we've tested.

We're currently only supporting Airport on Mac OS X due to the lack of a public API from Apple. (Please let apple know that you want a public wireless API so we can support more cards... ;)

We're using a campus site license of the Meetinghouse supplicant for Mac OS X and Windows. We're using Radiator, a Perl based (VERY NICE!) RADIUS server. Its 802.1x implementation rocks.

More info on Radiator: http://www.open.com.au [open.com.au]

802.1x is becoming the University of Utah campus standard. All future wireless purchases made with student task force moneys will be required to be 802.1x compatible.

Please let us know if you have any questions regarding our setup.

Should I be using 802.1x? (3, Interesting)

Erisian Pope (636878) | more than 11 years ago | (#6355541)

I'm running a public Wi-Fi access point and I've had several people tell me that I should look into one of these encryption methods. Personally, I don't get it. If you're using Wi-Fi for your internal network then I understand, SMB passwords flying around, people dropping into your NFS system, but for simple, public internet access does it really matter?

It seems to me that this type of encryption may not even belong at the connection level. Any type of encryption is going to add significant overhead, so shouldn't it be up to the application to make secure connections as needed? For most web browsing, who cares if the signal is intercepted; if you're sending passwords or credit info you should be using HTTPS anyway. Likewise IMAP, POP3, FTP and SMTP: use the SSL wrapped alternatives.

Is there something I'm missing here? Shouldn't it generally be up to the app to determine if the overhead of encryption is required?

Re:Should I be using 802.1x? (5, Informative)

galimore (461274) | more than 11 years ago | (#6355558)

You're a little bit confused about how 802.1x ties into everything...

a) 802.1x was designed for port based access, not wireless. It was adapted for wireless. The keying method is WEP. The encryption tunnel for authentication happens VERY quickly, with very little overhead.

b) 802.1x allows you to know WHO is on your network. Do you really want to have an open wide public network that some terrorist could potentially get on to talk to his buddies anonymously... not me... ;)

c) Once again... the encryption for the authentication happens very quickly. We're talking minuscule amounts of time. The keying on the card is WEP, but the keys can be per-user, and can rotate at a specified interval. If you're using WEP at all your keys should be rotating no less than every 10 minutes, otherwise it would be very easy to crack.

d) 802.1x *IS* using SSL for its encryption... besides the fact that that portion only happens for authentication... as I said before WEP is used on the cards.

802.11i will provide per-packet keying, which is when you should really start to worry about the overhead...
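To make the "authentication happens inside 802.1x, WEP keys go on the card afterwards" split concrete, here is an added example (mine, not galimore's code or any supplicant in the thread) of the EAPOL/EAP exchange between supplicant and authenticator, using EAP-MD5-Challenge because it fits in a few lines. The server name "ias", the user database and the challenge bytes are constructed. The last function shows why the TLS-tunnelled methods (PEAP, TTLS) exist: an un-tunnelled MD5-Challenge puts the identity on the air in the clear and lets a passive listener dictionary-attack the response, and it derives no keying material, so the WEP keys galimore describes can only come from a TLS-based method.

```python
"""Minimal EAPOL/EAP encoder-decoder and a simulated 802.1X exchange using EAP-MD5."""
import hashlib
import os
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5 = 1, 4
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP"}
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header (code, identifier, length) plus optional type byte and type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(frame_type, body=b""):
    """EAPOL header (version, type, body length) as carried after ethertype 0x888e."""
    return struct.pack("!BBH", EAPOL_VERSION, frame_type, len(body)) + body


def parse_eapol(frame):
    version, frame_type, length = struct.unpack("!BBH", frame[:4])
    if version != EAPOL_VERSION or len(frame) < 4 + length:
        raise ValueError("bad or truncated EAPOL frame")
    return frame_type, frame[4:4 + length]


def parse_eap(pkt):
    """Returns (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODE_NAMES or length < 4 or length > len(pkt):
        raise ValueError("bad EAP packet")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:length]


def md5_response(ident, password, challenge):
    """EAP-MD5-Challenge response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def run_exchange(identity, password, user_db, challenge=None):
    """Simulate supplicant (S) <-> authenticator/RADIUS (A). Returns (transcript, final code)."""
    challenge = challenge or os.urandom(16)
    transcript = []

    def send(direction, frame):
        ftype, body = parse_eapol(frame)
        if ftype == EAPOL_START:
            transcript.append((direction, "EAPOL-Start"))
            return None
        code, ident, etype, data = parse_eap(body)
        label = EAP_CODE_NAMES[code] + ("" if etype is None else "/" + EAP_TYPE_NAMES.get(etype, str(etype)))
        transcript.append((direction, label))
        return code, ident, etype, data

    # 1. supplicant announces itself; authenticator asks who it is
    send("S->A", eapol_frame(EAPOL_START))
    send("A->S", eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_IDENTITY)))
    # 2. identity travels in the clear (this is what PEAP/TTLS hide inside TLS)
    _, _, _, claimed = send("S->A", eapol_frame(EAPOL_EAP_PACKET,
                            eap_packet(EAP_RESPONSE, 1, EAP_IDENTITY, identity)))
    # 3. authenticator relays the server's challenge (constructed server name "ias")
    chal = eap_packet(EAP_REQUEST, 2, EAP_MD5, bytes([len(challenge)]) + challenge + b"ias")
    send("A->S", eapol_frame(EAPOL_EAP_PACKET, chal))
    # 4. supplicant answers with the hash of its password
    value = md5_response(2, password, challenge)
    _, _, _, data = send("S->A", eapol_frame(EAPOL_EAP_PACKET,
                         eap_packet(EAP_RESPONSE, 2, EAP_MD5, bytes([len(value)]) + value + identity)))
    # 5. server recomputes from its own copy of the password and decides
    size = data[0]
    expected = md5_response(2, user_db.get(claimed, b""), challenge)
    result = EAP_SUCCESS if claimed in user_db and data[1:1 + size] == expected else EAP_FAILURE
    send("A->S", eapol_frame(EAPOL_EAP_PACKET, eap_packet(result, 2)))
    return transcript, result


def offline_guess(ident, challenge, response_value, wordlist):
    """What a passive sniffer can do with an un-tunnelled MD5-Challenge exchange."""
    for guess in wordlist:
        if md5_response(ident, guess, challenge) == response_value:
            return guess
    return None


if __name__ == "__main__":
    users = {b"alice": b"hunter2"}  # constructed user database
    transcript, result = run_exchange(b"alice", b"hunter2", users)
    for step in transcript:
        print(*step)
    print("result:", EAP_CODE_NAMES[result])
```

The transcript is the six-message shape every EAP method shares (EAPOL-Start, Request/Identity, Response/Identity, method request, method response, Success or Failure); PEAP and TTLS differ in that the method messages carry TLS records and the inner identity and credential never appear on the air. Note also that nothing in this exchange produces a WEP key: with EAP-MD5 the authenticator has nothing to push in the EAPOL-Key frame, which is why the supplicants in this thread all implement TLS-based methods.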

Re:Should I be using 802.1x? (0)

Anonymous Coward | more than 11 years ago | (#6355594)

Bah... a 400MHz CPU will do about 4000 packets/sec with IPSEC tunnelling.

Any machine likely to be used for anything that is simultaneously cpu and network strenuous is likely to be beefy enough that the overhead of IPSEC doesn't matter.

802.11b (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6355554)

mmmmm UrinalPOOP!!! [urinalpoop.org]

Hmph... (-1, Offtopic)

Qweezle (681365) | more than 11 years ago | (#6355588)

Well, there's always eBay. I mean, you can buy dead animals on eBay. Surely you can find this "802.1x". Of course, I'm far too advanced to need that....I'm using laser-guided soap dispensers. Crap. That's classified information. You heard nothing. *Flash*

Northwestern University Setup (3, Informative)

PhoenixK7 (244984) | more than 11 years ago | (#6355616)

At NU the IT department has deployed hotspots at a variety of locations. The campus cafe, parts of the student center, certain locations in the dorms, libraries, as well as other locations provide wireless access.

WEP is not used to secure the network. Instead they're using VPN to provide authentication as well as secure/encrypted connections. Nothing beyond the VPN server and other clients of the AP is accessible without connecting to VPN. As an added benefit VPN allows off-campus users to use the NU mail relays, and other things that are restricted to the university subnets.

Check it out:

http://www.tss.northwestern.edu/wireless/ [northwestern.edu]

http://www.tss.northwestern.edu/vpn/ [northwestern.edu]

Wow (0, Flamebait)

programmingart (574001) | more than 11 years ago | (#6355623)

Someone actually researched something before submitting their question to Slashdot.......so now we don't have to deal with "ever hear of Google" comments.

dude its a university , security doesnt matter (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6355691)

Seriously, you're on a university network; except for faculty, who cares? Give the faculty their own nice little protected VPN and let the students run wild.
Universities are supposed to be where you learn about cool little computer things; how can you do that if you only have access to equipment which you were told you could access?