WPA Enterprise installations


This topic contains 11 replies, has 0 voices, and was last updated by  ptaylor 11 years, 3 months ago.

    #40767

    ptaylor
    Member

    Some months back I wrote a guide for performing WPA Enterprise with Zeroshell as I implemented it in my home network. I have seen several posts by other users stating that they have successfully used my guide to get WPA Enterprise working, but I don’t recall details in the way of the size of network using Zeroshell for WPA Enterprise.

    Has anyone used it in a business environment? If so, how many APs? How many users?

    Was there anything that needed to be done differently than was originally documented in my guide?

    Anything else I should do to update the guide?

    Thanks,
    Paul

    #45841

    OnHeL
    Member

    I’m not using ZeroShell in a business environment Paul, just a small home network in the big bad city, with several mobile clients for the extended family. I’d like to see your guide updated with the details to use TTLS as an auth protocol in Windows Vista using SecureW2.

    Vista supports PEAP but when used, it doesn't cache the user credentials reliably and requires the user to re-enter the credentials at each login. Using SecureW2 and TTLS avoids this problem.

    If you read this post:
    http://www.zeroshell.net/eng/forum/viewtopic.php?t=363

    You’ll see my post about halfway down with the link to your guide and a link to a university site that explains how to setup SecureW2. You could add these instructions to your guide to help those with Vista clients and ZeroShell.

    #45842

    ptaylor
    Member

    Thanks for the information. I’ll try to look into that, but I can’t promise anything. I don’t have any Vista clients on my home network.

    One question about this method: it involves using client side certificates, right? How easy is it to update these when the 1 year is up on the cert? When you revoke and renew the cert, is there a way that lets the client update automatically? The possibility of having to go back around to each client once per year is one thing that keeps us from using this method (at my job; at home it wouldn't be a big deal).

    Paul

    #45843

    OnHeL
    Member

    No Paul, using TTLS you don't have to use a client side certificate; it is basically very similar to PEAP, server cert only.

    #45844

    joar
    Member

    We use it with 10 access points and ca. 100 users. Works ok with a mix of Mac, XP and Vista clients. No problems at all. The first Vista clients were set up with SecureW2, but after beta6 came out we used PEAP.
    By the way, the Mac clients only need the CA cert to be installed on a keyring. Click on the wireless symbol, put in the username and password, and it connects. No need for any configuration.

    Joar

    #45845

    OnHeL
    Member

    Since you switched back to PEAP Joar, are your Vista clients retaining the user credentials between reboots then?

    #45846

    joar
    Member

    @onhel wrote:

    Since you switched back to PEAP Joar, are your Vista clients retaining the user credentials between reboots then?

    Yes. 😀

    #45847

    ptaylor
    Member

    Ok, I tested out TTLS with my wife's Mac the other night. She's been running ever since using it without complaint. I only changed the checkbox from PEAP to TTLS and unchecked the MSCHAPv2 box (in the TTLS properties), so it would use PAP, as suggested by the university site you pointed to above. I'm guessing it would probably work with MSCHAP too, but I haven't tested it yet. Of course, I didn't have any certificate issues, since it was already a trusted certificate from when I used PEAP.

    At any rate, we've just started converting clients over to WPA2 Enterprise at my work today, using PEAP to minimize what has to be installed on the client machine. So far, so good.

    Paul

    #45848

    OnHeL
    Member

    Yes, it does work with EAP-TTLS [MSCHAPv2], but not EAP-TTLS [EAP-MSCHAPv2], which is strange because PEAP works with EAP-MSCHAPv2 as an inner authentication protocol (EAP-PEAP [EAP-MSCHAPv2]).

    #45849

    rockwater321
    Member

    Thanks Paul,

    Your guide is great. One problem I encountered (which took 2 hours to figure out) is that you have to specify the username as user@ and leave the domain field blank in XP, both in Windows managed and Intel PRO wireless management software.

    e.g.
    ___________________________________
    Step 1 of 2 : PEAP User

    username: rockwater321@localdomain
    Domain:
    Password: xxxxxxxxx
    Confirm Password: xxxxxxxx
    __________________________________

    I found that entering localdomain in Domain: does not work. Just a heads up for others out there.

    #45850

    danielrigano
    Member

    Paul’s guide is very useful!

    #45851

    rochajoel
    Member

    @rockwater321 wrote:

    Thanks Paul,
    ___________________________________
    Step 1 of 2 : PEAP User

    username: rockwater321@localdomain
    Domain:
    Password: xxxxxxxxx
    Confirm Password: xxxxxxxx
    __________________________________

    I found that entering localdomain in Domain: does not work. Just a heads up for others out there.

    I think you can use:

    username: rockwater321
    Domain: localdomain

    or

    username: rockwater321@localdomain
    domain:

    #45852

    ptaylor
    Member

    At my place of work, we have multiple vendors that each seem to use their own hardware and client. We've found that you have to experiment with some of the clients to get them to work. With some, username@domain seems to be the only way to get it to work, but with others the username alone seems to suffice.

    Paul
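The identity-format confusion in the last few posts (user@localdomain works, a filled-in Domain field does not, and some clients only accept one form) comes down to how the RADIUS server splits the User-Name it receives. The following is an added example, not code from the thread or from ZeroShell: it models the realm handling a RADIUS server such as FreeRADIUS performs with its suffix (user@realm) and NT-domain (REALM\user) realm definitions, so a reader can see why a client that sends `localdomain\rockwater321` is rejected by a server that only recognises the suffix form. The function names, the `KNOWN_REALMS` set and the sample identities are constructed for illustration.

```python
"""Model how a RADIUS server normalises 802.1X identities before lookup.

Added example (not part of the original thread or ZeroShell). The behaviour
is modelled on FreeRADIUS realm handling; names here are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    user: str
    realm: Optional[str]   # None when the client sent a bare username
    form: str              # "suffix", "ntdomain" or "bare"


def parse_identity(raw: str) -> Identity:
    """Split a User-Name attribute into (user, realm).

    Three forms are common from supplicants:
      user@realm   - suffix form (what the thread's XP users typed)
      REALM\\user  - NT-domain form (what a filled-in Domain field produces)
      user         - bare username, no realm
    Realms are lower-cased so REALM and realm compare equal.
    """
    raw = raw.strip()
    if "\\" in raw:
        realm, _, user = raw.partition("\\")
        return Identity(user, realm.lower() or None, "ntdomain")
    if "@" in raw:
        # rpartition: a local part containing '@' keeps the last '@' as separator
        user, _, realm = raw.rpartition("@")
        return Identity(user, realm.lower() or None, "suffix")
    return Identity(raw, None, "bare")


# Constructed for the example: realms this server is configured to serve.
KNOWN_REALMS = frozenset({"localdomain"})


def lookup_name(raw: str, *, accept_ntdomain: bool = True,
                strip_realm: bool = True) -> Optional[str]:
    """Return the name the server would look up in its user database,
    or None if the identity is rejected.

    accept_ntdomain=False reproduces a server that only defines a suffix
    realm: REALM\\user identities are then rejected, which is the failure
    rockwater321 saw when filling in the Domain field on XP.
    strip_realm controls whether the realm is removed before lookup.
    """
    ident = parse_identity(raw)
    if not ident.user:
        return None                      # "@realm" or "REALM\\" has no user
    if ident.form == "ntdomain" and not accept_ntdomain:
        return None                      # server has no NT-domain realm rule
    if ident.realm is not None and ident.realm not in KNOWN_REALMS:
        return None                      # unknown realm: do not proxy or guess
    if strip_realm or ident.realm is None:
        return ident.user
    return f"{ident.user}@{ident.realm}"


if __name__ == "__main__":
    # Constructed identities mirroring the forms discussed in the thread.
    for raw in ("rockwater321@localdomain", "localdomain\\rockwater321",
                "rockwater321", "rockwater321@other.example"):
        print(f"{raw:32} suffix-only -> {lookup_name(raw, accept_ntdomain=False)!s:14}"
              f" both -> {lookup_name(raw)}")
```

Run as a script, it prints each identity alongside the name a suffix-only server and a server with both realm rules would look up; the NT-domain form is the one that differs between them, which matches the report that only `user@localdomain` with an empty Domain field worked. When a client can only send one form, adding the matching realm rule on the server is the fix rather than asking users to retype their login.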
