- To: "MLUG Members" <EMAIL:PROTECTED>
- Subject: RE: [MLUG] FYI: Tigernet WEP key changes on Monday...
- From: "McNutt, Justin M." <EMAIL:PROTECTED>
- Date: Mon, 1 Aug 2005 11:43:03 -0500
- Delivery-date: Mon, 01 Aug 2005 11:43:10 -0500
- Envelope-to: EMAIL:PROTECTED
- Reply-to: MLUG Members <EMAIL:PROTECTED>
- Sender: EMAIL:PROTECTED
- Thread-index: AcWWtdLnOFRfYSvmSpevIkdi7RZSMAAAX4Aw
- Thread-topic: [MLUG] FYI: Tigernet WEP key changes on Monday...
I recently configured a mixed wireless / wired network for full authentication using 802.1x PEAP with an Active Directory-backed RADIUS server. Not my first choice, but it worked pretty well. The wireless would either let you on or not, while the wired would place your port in a guest VLAN until you authenticated.
The big problem with guest VLANs is that it means dynamically reconfiguring the network *itself*. This is a bad idea, in general, and we've pretty much decided against anything that does business this way. Choosing not to allow dynamic network reconfiguration also means avoiding most of the vendor-specific issues one gets into, so another bonus there.
However, it also means that it limits a lot of what you can do with *unauthenticated* users. For now, they just don't get access to the network, which is why we only have EAP deployed in the wireless network, where we have another option (WEP-only "TigerNet"). We're hardly done working on this, though.

See below...
The biggest pain of it was working in a mixed-vendor environment: HP switches and Cisco WAPs. I'm still not sure if I'd recommend the HP ProCurve switches or not. They are the right price, but every vendor has its own quirks.
802.1x auth is very cool. I'm not sure about GNU/Linux support for it, especially on the wired side (I think I remember seeing that WPA Supplicant can do 802.1x on most Ethernet interfaces, but I can't be sure). I know FreeBSD doesn't do it at all (as a client) unless you are using the 6.x branch.
Any way you look at it, this is what it boils down to: client support. Whether wired or wireless, the end station has to have a (well-behaved) 802.1x supplicant installed or it all falls apart. I have mixed feelings about this, but I'm hopeful based on the world's experiences with DHCP clients. It took a while for the networking world to figure out how to get along, but eventually it happened, since everybody wanted DHCP.
Well, now everybody wants network-level authentication (which, I must point out, has been around since the first dial-up system asked someone to authenticate before setting up a SLIP connection), so I'm hopeful that the supplicant support issues will work themselves out over the next year or so.
<grumble> I still don't have my Linux supplicant working, but then again, I only spent about 30 minutes on it while in the Op Center. NOT a place conducive to getting anything actually done. </grumble>
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
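The wired 802.1x supplicant question raised in the thread (whether wpa_supplicant can do PEAP on an Ethernet port against an Active Directory-backed RADIUS server), as an added example that is not part of any post above: a wpa_supplicant configuration for PEAP/MSCHAPv2 over a wired interface. The file path, interface name, CA certificate path, account name and password are placeholders, not values from the thread.

```ini
# Added example (not from the list posts): wpa_supplicant configuration for
# wired 802.1x using PEAP with MSCHAPv2 inner authentication.
# Assumed path: /etc/wpa_supplicant/wired-8021x.conf
# Start with (eth0 is a placeholder for the port being authenticated):
#   wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired-8021x.conf

ctrl_interface=/var/run/wpa_supplicant

# Wired: there is nothing to scan for or associate with, only EAPOL on the port.
ap_scan=0

network={
    # Plain 802.1x/EAPOL authentication, no WPA key handshake.
    key_mgmt=IEEE8021X
    eap=PEAP

    # A wired link derives no WEP keys, so do not require keying material.
    eapol_flags=0

    # Placeholder AD account in UPN form (the outer identity is sent in clear).
    identity="jdoe@example.com"
    # Placeholder; keep this file readable by root only.
    password="PLACEHOLDER"

    # Placeholder path to the CA that issued the RADIUS server's certificate.
    # Without ca_cert the supplicant accepts any server and the MSCHAPv2
    # exchange can be completed by a server that is not yours.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"

    # peaplabel=0 is the default PEAPv0 key derivation, which is what
    # Microsoft's PEAP implementation uses.
    phase1="peaplabel=0"
    # Inner authentication forwarded by RADIUS to Active Directory.
    phase2="auth=MSCHAPV2"
}
```

The `ca_cert` line is the security-relevant part: PEAP protects the MSCHAPv2 exchange only if the supplicant actually verifies that the TLS tunnel terminates at your RADIUS server, so the same check should be enforced on the wireless side when the WEP-only network is eventually replaced.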