Internet Related/Filtering/Firewall thread: BYOD, wireless 802.1x (in Technical)
  1. #1


    tom_newton

    BYOD, wireless 802.1x

    Folks,

    Anyone using 802.1x to secure their wireless?
    I'd be interested to hear your thoughts on how well it works, and to learn how you have it set up - particularly if you're a Smoothwall user...

    Tom

  2. #2

    Hi Tom, yes we are, works really well.

    Wireless access points are configured for 802.1x authentication against a RADIUS server; it's only used by devices owned by us, which are all joined to our Windows domain, and we have our Smoothwall configured for transparent authentication. Really, I suppose the best thing I can say is "it works"; it doesn't cause us any bother.

  3. #3
    DMcCoy
    I don't know if it's still there, but a couple of years ago I was using 802.1x for both wired and wireless devices, with AD credentials for wireless users to connect, which dropped them into a VLAN connected to a Smoothwall box. 802.1x works on most wireless devices; setting proxies and app/proxy support etc. are still an issue.

  4. #4

    Currently use 802.1x EAP for our domain joined laptops with Ruckus authenticating against our RADIUS Server then assigning to appropriate VLAN that is configured on our Smoothwall UTM-1000 appliance.

    Not tried on wired and/or non-domain devices as yet.

  5. #5
    cpjitservices
    Not a Smoothie user here but have implemented it in our pfSense/Juniper-based network... We use PacketFence

    PacketFence: Open Source NAC (Network Access Control)

    Works a charm!

  6. #6
    Duke5A
    We're using it on a managed Cisco wireless network. A pair of W2k8 R2 RADIUS servers are used to handle authentication against AD to join the network, and a pair of Squid proxies set up for Kerberos handle student and staff web traffic. When it was originally set up, the RADIUS server would allow you to join based off of computer and/or user credentials. I discovered that students were using their AD accounts to join private phones to our network. To stop it, I changed the wireless policy for student computers in AD to only use computer authentication and then denied the top-level student user group access in the RADIUS policy. All in all, the setup works great.

  7. #7

    AngryTechnician
    Yes, we use it for almost all wireless devices. Windows laptops authenticate using EAP-TLS with their machine certificate from the on-site CA, while iPads and staff-owned devices use a username & password via EAP-MSCHAPv2. Different VLANs are assigned depending on Windows group membership of the supplied account (accounts not in an authorised group are rejected).

    The RADIUS server is a Server 2008 R2 box with the NPS role installed.

    We are a Smoothwall user, currently using a mixture of Kerberos and IP auth (plus NTLM just for Java, because Java sucks).
    Last edited by AngryTechnician; 1st March 2013 at 02:27 PM.
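
Added example (not part of any post in the thread): a Python model of the ordered, first-match RADIUS policy evaluation described in posts #6 and #7, returning the RFC 3580 VLAN attributes on accept and rejecting accounts in no authorised group. Policy names, group names and VLAN IDs are constructed placeholders, and the pairing of EAP methods with groups is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    eap_method: str        # "EAP-TLS" or "EAP-MSCHAPv2"
    identity_kind: str     # "computer" or "user"
    group: str             # directory group the identity must be in
    vlan: Optional[int]    # None marks an explicit deny rule

# Constructed policy list; the first matching policy decides.
POLICIES = [
    Policy("deny-students", "EAP-MSCHAPv2", "user", "Students", None),
    Policy("domain-laptops", "EAP-TLS", "computer", "Domain Computers", 10),
    Policy("staff-devices", "EAP-MSCHAPv2", "user", "Staff-Wireless", 20),
    Policy("ipads", "EAP-MSCHAPv2", "user", "iPad-Accounts", 30),
]

def evaluate(eap_method, identity_kind, groups, policies=POLICIES):
    """Return the RADIUS reply for an identity whose credentials verified."""
    for p in policies:
        if (p.eap_method, p.identity_kind) == (eap_method, identity_kind) \
                and p.group in groups:
            if p.vlan is None:
                return {"code": "Access-Reject", "policy": p.name}
            return {"code": "Access-Accept", "policy": p.name,
                    # RFC 3580 attributes that tell the AP which VLAN to use
                    "Tunnel-Type": 13,          # VLAN
                    "Tunnel-Medium-Type": 6,    # IEEE-802
                    "Tunnel-Private-Group-ID": str(p.vlan)}
    return {"code": "Access-Reject", "policy": None}  # no match: default deny

def shadowed_denies(policies=POLICIES):
    """List deny rules that sit below an accept rule for the same EAP method
    and identity kind; a member of both groups would be accepted first."""
    findings = []
    for i, p in enumerate(policies):
        if p.vlan is None:
            earlier = [q.name for q in policies[:i] if q.vlan is not None
                       and (q.eap_method, q.identity_kind)
                       == (p.eap_method, p.identity_kind)]
            if earlier:
                findings.append((p.name, earlier))
    return findings

if __name__ == "__main__":
    print(evaluate("EAP-MSCHAPv2", "user", {"Students", "Staff-Wireless"}))
    print(shadowed_denies(POLICIES[1:] + POLICIES[:1]))
```

Running `shadowed_denies` over an exported policy order is a quick check that a deny rule like the student-group one still sits above every accept rule it is meant to override.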

  8. #8


    tom_newton
    Interesting - thanks folks.
    @AngryTechnician (or anyone else authing iPads etc. like this) - would you be interested in talking to some of my developer friends? We have a better plan than putting folk in VLANs based on auth, which would involve passing the 802.1x auth straight to the Smoothie for fully granular filtering and logging, but we need to know that our solution would fit into our customers' networks. Drop me a PM if you'd be willing to spare 30 mins.

  9. #9

    Originally posted by tom_newton:
        Interesting - thanks folks.
        @AngryTechnician (or anyone else authing iPads etc. like this) - would you be interested in talking to some of my developer friends? We have a better plan than putting folk in VLANs based on auth, which would involve passing the 802.1x auth straight to the Smoothie for fully granular filtering and logging, but we need to know that our solution would fit into our customers' networks. Drop me a PM if you'd be willing to spare 30 mins.
    Interesting as we are going to be looking at new filtering soon and a larger wireless deployment. We have 802.1x at the moment in the form of Eduroam and many of my counterparts in our sector are struggling with the filtering issue. We have many thousands of students and the provision of wireless seamlessly is a big thing for us. Eduroam complicates the matter as we don't want to break the roaming experience for users by placing proxy settings on the device.

  10. #10


    tom_newton
    Drop me an email brainchylde I think we might have something fun brewing :-)

  11. #11

    Originally posted by tom_newton:
        Drop me an email brainchylde I think we might have something fun brewing :-)
    Done
