@sahmeepee: There is a WPA2 supplicant that you need to install on your clients. This appears to work OK. I have also noticed that the Intel Pro/Wireless tool for the 2200BG chipset includes this and seems to work better.

@Ric_: we've installed the WPA2 patch from Microsoft. Are you saying there's a way of enforcing WPA2 via group policy?
We're using laptops with the 2200BG cards in and the Intel tools seemed quite good, but pure Windows seems to be working fine with computer authentication so I decided to remove a variable!
WPA2 is not available as one of the options in group policy last time I looked, as the template wasn't updated at the time.
Edit: I should point out that WPA is an option though!

@sahmeepee: Sorry, I thought you meant that WPA2 wasn't available.
The Intel tool is the business though and you can enforce WPA2 at the AP level.
@sahmeepee
Why would you need to roll out the certificate to the client if they use PEAP (MS-CHAP v2)? If all the clients are joined to the domain then the CA cert will automatically be copied into the root authority store of the client when they join the domain.
I do agree with your point about only doing machine authentication; if people require more granular support then I suppose people should do both machine and user authentication.
As for Becta's WPA2 requirement, not all requirements can be fulfilled and I don't really see a reason for deploying WPA2 in school at the moment because WPA is good enough in my opinion.
Shame about good old Microsoft supporting a max of 50 RADIUS clients on Standard Edition. The Enterprise Edition doesn't have any limit.
Ashok.
You can push out client certificates with GPO's in AD anyway.
That's interesting. When I tried it, the root CA I'd created wasn't copied down by default to the client, so I popped it into a GPO which seemed to work. Maybe it's something to do with my root CA being "standalone" rather than "enterprise"? Or not giving it enough reboots? I'll try it without the GPO again at some point.
Yes, you can only have 50 RADIUS clients with Standard, but that means 50 access points per IAS server, because you set the server up to look at the AP not the (laptop) client. If I get to the point where I have over 50 APs I wouldn't be too fazed by sticking IAS on my other DC as well. If we get over a hundred APs I'm changing jobs.
Hi,
Yeah, I know the clients are actually APs. At our place we are trying to do both the APs and also the switches (using 802.1x for wired connections) and we already have about 45 switches! And I know we will be drawn into the wireless bandwagon sooner rather than later, I guess.
You're right about installing more IAS servers; this will solve the problem, or alternatively use the Enterprise Edition - maybe an overkill.
Regarding the certificate, we tested it using the enterprise CA, so you may be right that if you use the stand-alone CA then it may not copy.
Ashok.
A Linux server running FreeRadius will also overcome the limitation.
Ashok,
Maybe stacking your switches where possible would reduce the number that the RADIUS server sees. With our 3Com kit I think we can stack up to 8 switches into 1. I guess it depends on your switching kit and the layout of your cabinets though.
Well done for tackling 802.1x for your wired connections by the way. It's definitely a project I'd be interested in doing at some point. At the moment I'm a bit put off by the complexity of making port-by-port exclusions for "dumb" devices like printers/photocopiers/EPOS.
@sahmeepee
Yeah, we've got a few students who like to plug their own laptops into the network, and also we're trying to tie down the ports from a security point of view. We use all Cisco kit here and I'm trying to phase out older switches, i.e. 2900XL and 3500XL, which sadly don't support 802.1x.
Enabling 802.1x on Cisco switches is not hard. Cisco also supports stacking, but I'd like to keep them separate because of the VLAN logging and also managing them via AAA authentication.
Ashok.
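To make the wired 802.1x setup discussed above concrete, here is an added example of the kind of Cisco IOS configuration involved. It is not a configuration posted by anyone in this thread and has not been taken from the guide linked later; the IP address, shared-secret placeholder, VLAN number and interface names are constructed for illustration, and the exact command syntax varies between IOS releases (older 12.1 trains accept `dot1x port-control auto` on its own, while later releases also expect `dot1x pae authenticator`), so check it against the release notes for your switches.

```text
! --- Global: point the switch at the IAS/RADIUS server ---
! The switch itself is the RADIUS client that counts against the
! 50-client limit on IAS Standard Edition, not the PCs behind it.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! --- Access port for a domain-joined PC or laptop ---
! "auto" means the port stays blocked until the supplicant authenticates.
interface FastEthernet0/1
 description Student desk - 802.1x enforced
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
!
! --- Uplink to another switch / server: 802.1x deliberately NOT applied ---
! Trunk and infrastructure ports are left out, otherwise the far end
! (which has no supplicant) would never come up.
interface GigabitEthernet0/1
 description Uplink to core - no 802.1x
 switchport mode trunk
!
! --- "Dumb" device exclusion (printer / photocopier / EPOS) ---
! These have no supplicant, so the port is left open but pinned to a
! restricted VLAN; this is the per-port exception work mentioned above.
interface FastEthernet0/24
 description Printer - no supplicant, restricted VLAN
 switchport mode access
 switchport access vlan 20
 dot1x port-control force-authorized
```

`force-authorized` is the IOS default state for a port, so the printer stanza spells it out only to document the exception; the security trade-off is that anyone unplugging the printer inherits that open port, which is why it is worth keeping such devices on their own VLAN and noting the exceptions somewhere.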
Dumb question, but do all switches have to be 802.1x aware before it can be implemented? If most switches in the network support it, especially the ones connecting the servers, can the older switches just pass along the extra information without processing it?
Here's the completed step-by-step guide for configuring 802.1x wireless authentication using IAS and PEAP.
Please feel free to provide feedback and suggestions for improvements.
Thanks.
Ash.
Is that in a whitepaper on the Becta site? I am trying to look for it. If you could let me know where that information is, it would be much appreciated.
thanks
Would you still recommend these as good APs to play with?
I'm currently considering more expensive units but if these will do the job as well as anything else out there I'd like to have a play with a couple of these first.