Real-world 802.1X Deployment Challenges
Tim Cappalli
March, 2014
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
About Me
• Mobility Engineer, Brandeis University
• Wireless Infrastructure
• AAA / Role-based Access Control
– wired, wireless and remote networks
@tcappy0707
• 6,000 students
• 1,300 full time staff
• Smallest VHR university
• 2,200 access points (mix 11n/11ac)
• 5 mobility controllers
• 320 edge switches, 92 stacks
• AAA: ClearPass Policy Manager
• eduroam
Agenda
What is EAP?
Common EAP Flavors
The Good and The Bad
Client Support
Challenges at Brandeis
Open Discussion – What challenges do you face?
802.1x
802.1X
IEEE STANDARD
POLL
PEAP? TLS? TTLS?
WHAT ARE YOU USING?
What is EAP?
• Extensible Authentication Protocol
– 802.1X defines EAPOL
– Designed for Ethernet, adapted to 802.11
Arran Cudbard-Bell
EAP Transaction
Parties: Client, Authenticator, Authentication Server
Transport: EAPOL between client and authenticator; RADIUS between authenticator and authentication server
• EAPOL Start
• Request Identity
• Response Identity (anonymous), forwarded as Response Identity
• TLS Start
• Certificate
• Client Key exchange
• Cert. verification
• Request credentials
• Response credentials
• Success
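The first messages of this exchange, framed as the bytes that go on the wire between client and authenticator (EAPOL, RFC 3748) and then onward to the RADIUS server (EAP-Message attribute), as an added example that is not part of the original deck; the identity `anonymous@example.edu` and the identifier value are constructed.

```python
"""EAPOL / EAP Identity framing for the transaction above (IEEE 802.1X
and RFC 3748), plus the RADIUS EAP-Message wrapping the authenticator
applies. Added example, not code from the original deck; the identity
string, realm and identifier values are constructed."""
import struct
from typing import List, Optional, Tuple

EAPOL_VERSION = 2                     # 802.1X-2004
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1                  # "EAPOL Start" in the diagram
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79          # RFC 3579
RADIUS_ATTR_MAX_VALUE = 253           # attribute length byte covers type+len+value


def eapol_frame(eapol_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: Version(1) Type(1) Length(2), then the body."""
    return struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def eap_packet(code: int, identifier: int,
               eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
    Success/Failure carry no Type; Request/Response do."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet, rejecting inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": code, "identifier": identifier}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) and length > 4:
        out["type"] = pkt[4]
        out["data"] = pkt[5:length]
    return out


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; EAP-Packet bodies are decoded further."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than header")
    version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL frame")
    out = {"version": version, "eapol_type": eapol_type, "body": body}
    if eapol_type == EAPOL_TYPE_EAP_PACKET:
        out["eap"] = parse_eap(body)
    return out


def split_outer_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Outer identity 'user@realm'. Only the realm needs to be real: RADIUS
    proxies (eduroam, for instance) route on it, so the user part can be
    'anonymous' and the true username stays inside the TLS tunnel."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm) if sep else (identity, None)


def radius_eap_message_attrs(eap: bytes) -> List[bytes]:
    """Authenticator side of the diagram: the EAP packet is carried to the
    RADIUS server in EAP-Message attributes, split at 253 bytes of value."""
    return [struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
            for chunk in (eap[i:i + RADIUS_ATTR_MAX_VALUE]
                          for i in range(0, len(eap), RADIUS_ATTR_MAX_VALUE))]


def identity_exchange(outer_identity: str, identifier: int = 1) -> dict:
    """First three messages of the transaction above: EAPOL-Start,
    EAP-Request/Identity, EAP-Response/Identity with the anonymous identity,
    and the RADIUS attribute(s) the authenticator forwards."""
    response_eap = eap_packet(EAP_CODE_RESPONSE, identifier,
                              EAP_TYPE_IDENTITY, outer_identity.encode())
    return {
        "start": eapol_frame(EAPOL_TYPE_START),
        "request": eapol_frame(EAPOL_TYPE_EAP_PACKET,
                               eap_packet(EAP_CODE_REQUEST, identifier, EAP_TYPE_IDENTITY)),
        "response": eapol_frame(EAPOL_TYPE_EAP_PACKET, response_eap),
        "radius_attrs": radius_eap_message_attrs(response_eap),
    }
```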
EAP FLAVORS
Common EAP Flavors
• PEAP (Protected EAP)
– Uses a digital certificate on the network side
– Password or certificate on the client side
– Most common: PEAPv0/EAP-MSCHAPv2
• EAP-TLS (EAP with Transport Layer Security)
– Uses a certificate on the network side
– Uses a certificate on the client side
• TTLS (Tunneled Transport Layer Security)
– Uses a certificate on the network side
– Password, token, or certificate on the client side
– Tunneled Diameter (CHAP, PAP), EAP
THE GOOD AND THE BAD
EAP-TLS: The Good
• Device or User credential
– Revoke device access instead of user
• Currently the strongest authentication method
• Most widely supported
• Extremely difficult to crack a 2048-bit RSA key
EAP-TLS: The Bad
• Certificate distribution
– Enrollment or onboard process
– Can be an administrative burden without proper tools
• User familiarity
– Most users have no concept of a certificate
– Username and password is the “standard”
• Renewals
– Notifying users to renew before expiration
• Changing certificate chain
– Not just “accept new certificate” for users
PEAP: The Good
• Username / password is familiar to users
• Users can “just get on” w/ valid credentials
• Second most widely supported
• Easy integration with AD (“free” NPS)
PEAP: The Bad
• Device credential on Windows AD-joined devices
• Passwords are weak!
– Users won’t remember a truly secure password
• Password expiration
– How do you handle AD password expiration for non-AD Windows machines?
• Client must be configured correctly
• Not so easy with LDAP & Novell
– Limited PEAPv1/EAP-GTC native client support
EAP-GTC vs EAP-MSCHAPv2
• EAP-GTC
– Cleartext, NT hash, MD5 hash, salted MD5 hash
– SHA1 hash, Salted SHA1 hash, UNIX crypt
• EAP-MSCHAPv2
– Cleartext, NT hash, LM hash
Server Certificate
• Make sure CA correspondence goes to more than one person!
• Nightmares for wireless only devices:
– Server certificate expiration
– New chain
– New server name
• Push out new profiles/GPOs ahead of time!
CLIENT SUPPORT
Native Client Support

                          EAP-PEAP   EAP-TLS         EAP-TTLS
Windows 8                 YES        YES             YES
Windows 7 / Vista / XP    YES        YES             NO
Mac OS X                  YES        YES             YES
Linux                     YES**      YES             YES
iOS                       YES        YES             YES*
Android                   YES**      YES             YES
Chrome OS                 YES**      YES             YES**
Windows Phone 8.1         YES        YES (rumored)   UNK
Windows Phone 7/8         YES        NO**            NO
BlackBerry 10             YES        YES             YES
BlackBerry 7              YES        YES             YES
Native Client Support

                          EAP-PEAP   EAP-TLS   EAP-TTLS
XBOX 360                  NO         NO        NO
XBOX One                  MAYBE      MAYBE     MAYBE
PlayStation 3 & 4         NO         NO        NO
Nintendo Wii / Wii U      NO         NO        NO
MiTM
[Diagram] Two networks both broadcasting the SSID "HospiNET":
• Legitimate: RADIUS server radius1.hospital.org, certificate issued by Verisign
• Rogue: server wireless.hospital.org, self-signed certificate
Client setting shown: VALIDATE SERVER CERT: Disabled
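As an added example, not part of the deck, the decision a supplicant profile makes about the server certificate, modelled against the two servers on this slide under the setting shown (validation disabled), a profile that only pins the CA, and a profile that also constrains the server name. `Profile`, `ServerCert`, the profile names and the `radius.unrelatedhospital.org` certificate are constructed; the comments map each field to the corresponding wpa_supplicant and Windows setting.

```python
"""Supplicant-side server certificate policy behind the MiTM slide above.
Added example, not from the deck. It models the two checks a profile
enforces when 'Validate server certificate' is on: the issuing CA must be
one the administrator trusts for this network, and the server's name must
match the expected domain. Certificates are plain records; the names and
CAs on the slide are kept, everything else is constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    dns_names: Tuple[str, ...]   # CN / subjectAltName dNSName values presented
    issuer: str                  # CA that signed it; "self" marks a self-signed cert


@dataclass(frozen=True)
class Profile:
    validate_server_cert: bool           # Windows: "Validate server certificate"
    trusted_cas: FrozenSet[str]          # wpa_supplicant ca_cert / Windows trusted roots
    domain_suffix_match: Optional[str]   # wpa_supplicant domain_suffix_match / "Connect to these servers"


def suffix_matches(name: str, suffix: str) -> bool:
    """Suffix match on whole DNS labels: 'radius1.hospital.org' matches
    'hospital.org', but 'unrelatedhospital.org' must not."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def evaluate(profile: Profile, cert: ServerCert) -> Tuple[bool, str]:
    """Decide whether the supplicant should continue the TLS handshake."""
    if not profile.validate_server_cert:
        # The slide's setting: nothing about the server is checked, so a
        # self-signed certificate on a look-alike SSID is accepted.
        return True, "accepted: server certificate validation disabled"
    if cert.issuer == "self" or cert.issuer not in profile.trusted_cas:
        return False, f"rejected: issuer {cert.issuer!r} is not a trusted CA for this profile"
    if profile.domain_suffix_match is None:
        # A trusted CA alone accepts any certificate that CA ever issued.
        return True, "accepted: trusted CA, but no server name constraint configured"
    if not any(suffix_matches(n, profile.domain_suffix_match) for n in cert.dns_names):
        return False, f"rejected: none of {cert.dns_names} matches {profile.domain_suffix_match!r}"
    return True, "accepted: trusted CA and server name match"


# The two servers on the slide.
LEGIT = ServerCert(dns_names=("radius1.hospital.org",), issuer="Verisign")
ROGUE = ServerCert(dns_names=("wireless.hospital.org",), issuer="self")
# Constructed: a certificate from the same public CA for an unrelated domain.
LOOKALIKE = ServerCert(dns_names=("radius.unrelatedhospital.org",), issuer="Verisign")

AS_SHOWN = Profile(validate_server_cert=False, trusted_cas=frozenset(), domain_suffix_match=None)
CA_ONLY = Profile(validate_server_cert=True, trusted_cas=frozenset({"Verisign"}), domain_suffix_match=None)
HARDENED = Profile(validate_server_cert=True, trusted_cas=frozenset({"Verisign"}),
                   domain_suffix_match="hospital.org")


def run_scenarios() -> List[Tuple[str, str, bool]]:
    """Evaluate every profile against every server; returns (profile, server, accepted)."""
    profiles = {"as_shown": AS_SHOWN, "ca_only": CA_ONLY, "hardened": HARDENED}
    servers = {"legit": LEGIT, "rogue": ROGUE, "lookalike": LOOKALIKE}
    return [(p, s, evaluate(prof, cert)[0])
            for p, prof in profiles.items() for s, cert in servers.items()]


if __name__ == "__main__":
    for p, s, ok in run_scenarios():
        print(f"{p:9} {s:9} -> {'ACCEPT' if ok else 'REJECT'}")
```

Only the hardened profile rejects both the self-signed rogue and the publicly issued certificate for another domain, which is why pushing the CA and server name out in profiles/GPOs matters more than the SSID name.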
COURTESY: LEE BADMAN, SYRACUSE UNIVERSITY
WHAT’S BRANDEIS DOING?
What’s Brandeis Doing?
• Training support staff
– Explaining the different networks
– Giving access to troubleshooting tools
• Empowering* users
– Making it interactive
– Making it user friendly
• Planning for some type of onboarding
• Exploring EAP-TLS
– Using network and systems group as PoC for access to secure management networks
*attempting
What’s Brandeis Doing?
[Chart; data points dated 3/15/13, 10/3/13 and 3/5/14]
Know the audience
When in doubt, run __________
• Ensure support staff understand the value of
client configuration tools
• Utilize a configuration utility
– Teaching help desk, “When in doubt, run QuickConnect”
• Utilize driver detection tools
– Intel Driver Update Utility
OPEN DISCUSSION
Good Reads
• Simply put: How does certificate-based authentication
work? (Network World, 3/10/14, Aaron Woland)
• Cryptography Decrypted (Amazon)
Thank You

More Related Content

What's hot

Aos & cppm integration configuration & testing document for eap tls & eap ...
Aos & cppm  integration   configuration & testing document for eap tls & eap ...Aos & cppm  integration   configuration & testing document for eap tls & eap ...
Aos & cppm integration configuration & testing document for eap tls & eap ...Abilash Soundararajan
 
6 understanding aruba rf issues
6 understanding aruba rf issues6 understanding aruba rf issues
6 understanding aruba rf issuesVenudhanraj
 

What's hot (20)

EMEA Airheads How licensing works in Aruba OS 8.x
EMEA Airheads  How licensing works in Aruba OS 8.xEMEA Airheads  How licensing works in Aruba OS 8.x
EMEA Airheads How licensing works in Aruba OS 8.x
 
ClearPass design scenarios that solve the toughest security policy requirements
ClearPass design scenarios that solve the toughest security policy requirementsClearPass design scenarios that solve the toughest security policy requirements
ClearPass design scenarios that solve the toughest security policy requirements
 
Roaming behavior and Client Troubleshooting
Roaming behavior and Client TroubleshootingRoaming behavior and Client Troubleshooting
Roaming behavior and Client Troubleshooting
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
 
Large scale, distributed access management deployment with aruba clear pass
Large scale, distributed access management deployment with aruba clear passLarge scale, distributed access management deployment with aruba clear pass
Large scale, distributed access management deployment with aruba clear pass
 
Guest Access with ArubaOS
Guest Access with ArubaOSGuest Access with ArubaOS
Guest Access with ArubaOS
 
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.xEMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
 
Clear pass policy manager advanced_ashwath murthy
Clear pass policy manager advanced_ashwath murthyClear pass policy manager advanced_ashwath murthy
Clear pass policy manager advanced_ashwath murthy
 
EMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant APEMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant AP
 
Useful cli commands v1
Useful cli commands v1Useful cli commands v1
Useful cli commands v1
 
Airheads Tech Talks: Advanced Clustering in AOS 8.x
Airheads Tech Talks: Advanced Clustering in AOS 8.xAirheads Tech Talks: Advanced Clustering in AOS 8.x
Airheads Tech Talks: Advanced Clustering in AOS 8.x
 
ClearPass Policy Manager 6.3 User Guide
ClearPass Policy Manager 6.3 User GuideClearPass Policy Manager 6.3 User Guide
ClearPass Policy Manager 6.3 User Guide
 
Aos & cppm integration configuration & testing document for eap tls & eap ...
Aos & cppm  integration   configuration & testing document for eap tls & eap ...Aos & cppm  integration   configuration & testing document for eap tls & eap ...
Aos & cppm integration configuration & testing document for eap tls & eap ...
 
Advanced RF Design & Troubleshooting
Advanced RF Design & TroubleshootingAdvanced RF Design & Troubleshooting
Advanced RF Design & Troubleshooting
 
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI NavigationEMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
 
6 understanding aruba rf issues
6 understanding aruba rf issues6 understanding aruba rf issues
6 understanding aruba rf issues
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs  in Aruba 8.x EMEA Airheads - Configuring different APIs  in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x
 
Getting the most out of the aruba policy enforcement firewall
Getting the most out of the aruba policy enforcement firewallGetting the most out of the aruba policy enforcement firewall
Getting the most out of the aruba policy enforcement firewall
 
EMEA Airheads- ArubaOS - Understanding Control-Plane-Security
EMEA Airheads-  ArubaOS - Understanding Control-Plane-SecurityEMEA Airheads-  ArubaOS - Understanding Control-Plane-Security
EMEA Airheads- ArubaOS - Understanding Control-Plane-Security
 

Viewers also liked

Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
802.1x authentication
802.1x authentication802.1x authentication
802.1x authenticationXiaoqi Zhao
 
ACSR Clear Pass Policy Manager
ACSR Clear Pass Policy ManagerACSR Clear Pass Policy Manager
ACSR Clear Pass Policy ManagerAli Badr
 
IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationAxis Communications
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for SeacoastSithideth Banavong
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication StandardDan Miller
 
RF Matching Guidelines for WIFI
RF Matching Guidelines for WIFIRF Matching Guidelines for WIFI
RF Matching Guidelines for WIFIcriterion123
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and UpdateCisco Canada
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISECisco Canada
 
Aos & cppm integration & testing document for eap tls & eap peap
Aos & cppm integration & testing document for eap tls & eap peapAos & cppm integration & testing document for eap tls & eap peap
Aos & cppm integration & testing document for eap tls & eap peapJulia Ostrowski
 
VMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld
 
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep DiveVMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep DiveVMworld
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld
 

Viewers also liked (20)

Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
802.1x authentication
802.1x authentication802.1x authentication
802.1x authentication
 
ACSR Clear Pass Policy Manager
ACSR Clear Pass Policy ManagerACSR Clear Pass Policy Manager
ACSR Clear Pass Policy Manager
 
Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ Implementation
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
 
802.1x
802.1x802.1x
802.1x
 
Attacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise Networks
 
Aruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User GuideAruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User Guide
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
 
RF Matching Guidelines for WIFI
RF Matching Guidelines for WIFIRF Matching Guidelines for WIFI
RF Matching Guidelines for WIFI
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
Aos & cppm integration & testing document for eap tls & eap peap
Aos & cppm integration & testing document for eap tls & eap peapAos & cppm integration & testing document for eap tls & eap peap
Aos & cppm integration & testing document for eap tls & eap peap
 
VMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's Backbone
 
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep DiveVMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
 
802.1x
802.1x802.1x
802.1x
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SAN
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
 

Similar to Real-world 802.1X Deployment Challenges

ARUBA - Remote Branch-networking-fundamentals-2014
ARUBA - Remote Branch-networking-fundamentals-2014ARUBA - Remote Branch-networking-fundamentals-2014
ARUBA - Remote Branch-networking-fundamentals-2014Marcello Marchesini
 
ARUBA community - WLAN design and troubleshooting
ARUBA community - WLAN design and troubleshootingARUBA community - WLAN design and troubleshooting
ARUBA community - WLAN design and troubleshootingMarcello Marchesini
 

Similar to Real-world 802.1X Deployment Challenges (20)

Advanced Aruba ClearPass Workshop
Advanced Aruba ClearPass WorkshopAdvanced Aruba ClearPass Workshop
Advanced Aruba ClearPass Workshop
 
Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals
 
Access Management with Aruba ClearPass #AirheadsConf Italy
Access Management with Aruba ClearPass #AirheadsConf ItalyAccess Management with Aruba ClearPass #AirheadsConf Italy
Access Management with Aruba ClearPass #AirheadsConf Italy
 
Enabling the Virtual Enterprise
Enabling the Virtual EnterpriseEnabling the Virtual Enterprise
Enabling the Virtual Enterprise
 
Security advanced rich langston_jon green
Security advanced rich langston_jon greenSecurity advanced rich langston_jon green
Security advanced rich langston_jon green
 
Shanghai Breakout: Access Management with Aruba ClearPass
Shanghai Breakout: Access Management with Aruba ClearPassShanghai Breakout: Access Management with Aruba ClearPass
Shanghai Breakout: Access Management with Aruba ClearPass
 
Advanced RF Design & Troubleshooting #AirheadsConf Italy
Advanced RF Design & Troubleshooting #AirheadsConf ItalyAdvanced RF Design & Troubleshooting #AirheadsConf Italy
Advanced RF Design & Troubleshooting #AirheadsConf Italy
 
Wireless LAN Security Fundamentals #AirheadsConf Italy
Wireless LAN Security Fundamentals #AirheadsConf ItalyWireless LAN Security Fundamentals #AirheadsConf Italy
Wireless LAN Security Fundamentals #AirheadsConf Italy
 
Network Management with Aruba Airwave #AirheadsConf Italy
Network Management with Aruba Airwave #AirheadsConf ItalyNetwork Management with Aruba Airwave #AirheadsConf Italy
Network Management with Aruba Airwave #AirheadsConf Italy
 
ARUBA - Remote Branch-networking-fundamentals-2014
ARUBA - Remote Branch-networking-fundamentals-2014ARUBA - Remote Branch-networking-fundamentals-2014
ARUBA - Remote Branch-networking-fundamentals-2014
 
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
 
Building an aruba proof of concept lab javier urtubia
Building an aruba proof of concept lab javier urtubiaBuilding an aruba proof of concept lab javier urtubia
Building an aruba proof of concept lab javier urtubia
 
Enabling AirPrint & AirPlay on Your Network
Enabling AirPrint & AirPlay on Your NetworkEnabling AirPrint & AirPlay on Your Network
Enabling AirPrint & AirPlay on Your Network
 
ARUBA community - WLAN design and troubleshooting
ARUBA community - WLAN design and troubleshootingARUBA community - WLAN design and troubleshooting
ARUBA community - WLAN design and troubleshooting
 
Remote & Branch Networking Fundamentals #AirheadsConf Italy
Remote & Branch Networking Fundamentals #AirheadsConf ItalyRemote & Branch Networking Fundamentals #AirheadsConf Italy
Remote & Branch Networking Fundamentals #AirheadsConf Italy
 
Breaking the Status Quo
Breaking the Status QuoBreaking the Status Quo
Breaking the Status Quo
 
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
Advanced Access Management with Aruba ClearPass #AirheadsConf ItalyAdvanced Access Management with Aruba ClearPass #AirheadsConf Italy
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
 
1 voice and video over wi fi-balajee krishnamurthy
1 voice and video over wi fi-balajee krishnamurthy1 voice and video over wi fi-balajee krishnamurthy
1 voice and video over wi fi-balajee krishnamurthy
 
Shanghai Breakout: Advanced RF Design and Troubleshooting
Shanghai Breakout: Advanced RF Design and Troubleshooting Shanghai Breakout: Advanced RF Design and Troubleshooting
Shanghai Breakout: Advanced RF Design and Troubleshooting
 
Defining Advanced AAA Policies for Access Networks
Defining Advanced AAA Policies for Access NetworksDefining Advanced AAA Policies for Access Networks
Defining Advanced AAA Policies for Access Networks
 

More from Aruba, a Hewlett Packard Enterprise company

More from Aruba, a Hewlett Packard Enterprise company (20)

Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba CentralAirheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
 
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
 
EMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba CentralEMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba Central
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
 
EMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS SwitchEMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS Switch
 
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
EMEA Airheads- LACP and distributed LACP – ArubaOS SwitchEMEA Airheads- LACP and distributed LACP – ArubaOS Switch
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
 
Introduction to AirWave 10
Introduction to AirWave 10Introduction to AirWave 10
Introduction to AirWave 10
 
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS SwitchEMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
 
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.xEMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
 
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads-  Getting Started with the ClearPass REST API – CPPMEMEA Airheads-  Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
 
EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)
 
EMEA Airheads - What does AirMatch do differently?v2
 EMEA Airheads - What does AirMatch do differently?v2 EMEA Airheads - What does AirMatch do differently?v2
EMEA Airheads - What does AirMatch do differently?v2
 
Airheads Meetups: 8400 Presentation
Airheads Meetups: 8400 PresentationAirheads Meetups: 8400 Presentation
Airheads Meetups: 8400 Presentation
 
Airheads Meetups: Ekahau Presentation
Airheads Meetups: Ekahau PresentationAirheads Meetups: Ekahau Presentation
Airheads Meetups: Ekahau Presentation
 
Airheads Meetups- High density WLAN
Airheads Meetups- High density WLANAirheads Meetups- High density WLAN
Airheads Meetups- High density WLAN
 
Airheads Meetups- Avans Hogeschool goes Aruba
Airheads Meetups- Avans Hogeschool goes ArubaAirheads Meetups- Avans Hogeschool goes Aruba
Airheads Meetups- Avans Hogeschool goes Aruba
 
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) TroubleshootingEMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
 
EMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgradeEMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgrade
 
Bringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access PointBringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access Point
 
EMEA Airheads- ArubaOS - Cluster Manager
EMEA Airheads- ArubaOS - Cluster ManagerEMEA Airheads- ArubaOS - Cluster Manager
EMEA Airheads- ArubaOS - Cluster Manager
 

Real-world 802.1X Deployment Challenges

  • 1. Real-world 802.1X Deployment Challenges Tim Cappalli March, 2014
  • 2. 2 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf About Me • Mobility Engineer, Brandeis University • Wireless Infrastructure • AAA / Role-based Access Control – wired, wireless and remote networks @tcappy0707
  • 3. • 6,000 students • 1,300 full time staff • Smallest VHR university • 2,200 access points (mix 11n/11ac) • 5 mobility controllers • 320 edge switches, 92 stacks • AAA: ClearPass Policy Manager • eduroam
  • 4. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved 4 #AirheadsConf Agenda What is EAP? Common EAP Flavors The Good and The Bad Client Support Challenges at Brandeis Open Discussion – What challenges do you face?
  • 5. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved 5 #AirheadsConf 802.1x
  • 6. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved 6 #AirheadsConf 802.1X IEEE STANDARD
  • 7. 7 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf POLL PEAP? TLS? TTLS? WHAT ARE YOU USING?
  • 8. 8 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf What is EAP? • Extensible Authentication Protocol – 802.1X defines EAPOL – Designed for Ethernet, adapted to 802.11 Arran Cudbard-Bell
  • 9. 9 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf EAP Transaction Client AuthenticationServer Request Identity Response Identity (anonymous) Response Identity TLS Start Certificate Client Key exchange Cert. verification Request credentials Response credentials Success EAPOL RADIUS Authenticator EAPOL Start
  • 10. 10 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf EAP FLAVORS
  • 11. 11 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Common EAP Flavors • PEAP (Protected EAP) – Uses a digital certificate on the network side – Password or certificate on the client side – Most common: PEAPv0/EAP-MSCHAPv2 • EAP-TLS (EAP with Transport Layer Security) – Uses a certificate on the network side – Uses a certificate on the client side • TTLS (Tunneled Transport Layer Security) – Uses a certificate on the network side – Password, token, or certificate on the client side – Tunneled Diameter (CHAP, PAP), EAP
  • 12. 12 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf THE GOOD AND THE BAD
  • 13. 13 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf EAP-TLS: The Good • Device or User credential – Revoke device access instead of user • Currently the strongest authentication method • Most widely supported • Extremely difficult to crack a 2048-bit RSA key
  • 14. 14 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf EAP-TLS: The Bad • Certificate distribution – Enrollment or onboard process – Can be an administrative burden without proper tools • User familiarity – Most users have no concept of a certificate – Username and password is the “standard” • Renewals – Notifying users to renew before expiration • Changing certificate chain – Not just “accept new certificate” for users
  • 15. 15 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf PEAP: The Good • Username / password is familiar to users • Users can “just get on” w/ valid credentials • Second most widely supported • Easy integration with AD (“free” NPS)
  • 16. 16 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf PEAP: The Bad • Device credential on Windows AD-joined devices • Passwords are weak! – Users won’t remember a truly secure password • Password expiration – How do you handle AD password expiration for non-AD Windows machines? • Client must be configured correctly • Not so easy with LDAP & Novell – Limited PEAPv1/EAP-GTC native client support
  • 17. 17 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf EAP-GTC vs EAP-MSCHAPv2 • EAP-GTC – Cleartext, NT hash, MD5 hash, salted MD5 hash – SHA1 hash, Slated SHA1 hash, UNIX crypt • EAP-MSCHAPv2 – Cleartext, NT hash, LM hash
  • 18. 18 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Server Certificate • Make sure CA correspondence goes to more than one person! • Nightmares for wireless only devices: – Server certificate expiration – New chain – New server name • Push out new profiles/GPOs ahead of time!
• 19. CLIENT SUPPORT
• 20. Native Client Support
                         EAP-PEAP   EAP-TLS        EAP-TTLS
Windows 8                YES        YES            YES
Windows 7 / Vista / XP   YES        YES            NO
Mac OS X                 YES        YES            YES
Linux                    YES**      YES            YES
iOS                      YES        YES            YES*
Android                  YES**      YES            YES
Chrome OS                YES**      YES            YES**
Windows Phone 8.1        YES        YES (rumored)  UNK
Windows Phone 7/8        YES        NO**           NO
BlackBerry 10            YES        YES            YES
BlackBerry 7             YES        YES            YES
• 21. Native Client Support (game consoles)
                         EAP-PEAP   EAP-TLS        EAP-TTLS
XBOX 360                 NO         NO             NO
XBOX One                 MAYBE      MAYBE          MAYBE
PlayStation 3 & 4        NO         NO             NO
Nintendo Wii / Wii U     NO         NO             NO
• 32. MiTM
(diagram) Two networks advertise the SSID HospiNET:
– Legitimate: RADIUS server radius1.hospital.org, certificate issued by Verisign
– Rogue: RADIUS server wireless.hospital.org, self-signed certificate
– Client setting: VALIDATE SERVER CERT = Disabled, so the client accepts either server and hands its credentials to whichever answers first
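The supplicant-side fix for the scenario on this slide is to make server-certificate validation mandatory and tie it to a specific server name, not just to "any certificate". The following wpa_supplicant network blocks are an added example, not configuration from the deck or from Brandeis; the SSID and host names come from the slide, while the identity, realm and CA file path are assumed. The same two settings are what has to be refreshed ahead of time when the chain or server name changes (slide 18): a client pinned to the old CA or the old name will correctly refuse the new server.

```conf
# WEAK: no ca_cert and no name match. wpa_supplicant then accepts any server
# certificate, including the self-signed one for wireless.hospital.org, and
# releases the MSCHAPv2 challenge/response to whoever answered.
network={
    ssid="HospiNET"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                  # assumed user
    password="user-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the RADIUS server's name. Only a server
# presenting a certificate that chains to the trusted CA file AND carries the
# name radius1.hospital.org is accepted; the rogue self-signed certificate
# fails the chain check, and a valid certificate for another host fails
# domain_match.
network={
    ssid="HospiNET"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                            # assumed user
    anonymous_identity="anonymous@hospital.org" # assumed realm; hides the real name in the outer EAP identity
    password="user-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/hospital-radius-ca.pem"  # assumed path to the issuing chain
    domain_match="radius1.hospital.org"
}
```

ca_cert should point at the specific issuing CA for the RADIUS server rather than the whole system bundle: with a public CA in the bundle, anyone who can buy a certificate for a name they control would still pass the chain check, which is exactly why domain_match is set as well.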
• 34. (image) Courtesy: Lee Badman, Syracuse University
• 35. WHAT'S BRANDEIS DOING?
• 36. What's Brandeis Doing?
• Training support staff
– Explaining the different networks
– Giving access to troubleshooting tools
• Empowering* users
– Making it interactive
– Making it user friendly
• Planning for some type of onboarding
• Exploring EAP-TLS
– Using the network and systems group as the proof of concept, for access to secure management networks
*attempting
• 38. What's Brandeis Doing? (chart; data points dated 3/15/13, 10/3/13 and 3/5/14)
• 39. Know the audience
• 40. When in doubt, run __________
• Ensure support staff understand the value of client configuration tools
• Utilize a configuration utility
– Teach the help desk: "When in doubt, run QuickConnect"
• Utilize driver detection tools
– Intel Driver Update Utility
• 41. OPEN DISCUSSION
• 42. Good Reads
• Simply put: How does certificate-based authentication work? (Network World, 3/10/14, Aaron Woland)
• Cryptography Decrypted (Amazon)
• 44. Thank You