September 11, 2007 at 5:13 pm #40767
Some months back I wrote a guide for performing WPA Enterprise with Zeroshell as I implemented it in my home network. I have seen several posts by other users stating that they have successfully used my guide to get WPA Enterprise working, but I don’t recall details in the way of the size of network using Zeroshell for WPA Enterprise.
Has anyone used it in a business environment? If so, how many APs? How many users?
Was there anything that needed to be done differently than was originally documented in my guide?
Anything else I should do to update the guide?
Paul
September 12, 2007 at 5:35 am #45841
I’m not using ZeroShell in a business environment Paul, just a small home network in the big bad city, with several mobile clients for the extended family. I’d like to see your guide updated with the details to use TTLS as an auth protocol in Windows Vista using SecureW2.
Vista supports PEAP but when used, it doesn’t cache the user credentials reliably and requires the user to re-enter the credentials at each login. Using SecureW2 and TTLS avoids this problem.
If you read this post:
You’ll see my post about halfway down with the link to your guide and a link to a university site that explains how to set up SecureW2. You could add these instructions to your guide to help those with Vista clients and ZeroShell.
September 12, 2007 at 11:20 am #45842
Thanks for the information. I’ll try to look into that, but I can’t promise anything. I don’t have any Vista clients on my home network.
One question about this method – It involves using client side certificates, right? How easy is it to update these when the 1 year is up on the cert? When you revoke and renew the cert, is there a way that lets the client update automatically? The possibility of having to go back around to each client once per year is one thing that keeps us from using this method (at my job.. At home it wouldn’t be a big deal.)
Paul
September 12, 2007 at 8:33 pm #45843
No Paul, using TTLS you don’t have to use a client side certificate, it is basically very similar to PEAP, server cert only.
September 12, 2007 at 10:15 pm #45844 joar Member
We use it with 10 access points and ca. 100 users. Works ok with a mix of Mac, XP and Vista clients. No problems at all. The first Vista clients were set up with SecureW2, but after beta6 came out we used PEAP.
By the way – the mac clients only need the CA-cert to be installed on a keyring – click on the wireless symbol – put in the username and password – and it connects. No need for any configuration.
Joar
September 13, 2007 at 12:22 am #45845
Since you switched back to PEAP Joar, are your Vista clients retaining the user credentials between reboots then?
September 14, 2007 at 9:33 pm #45846 joar Member
Since you switched back to PEAP Joar, are your Vista clients retaining the user credentials between reboots then?
Yes. 😀
September 18, 2007 at 3:00 pm #45847
Ok – I tested out TTLS with my wife’s Mac the other night… She’s been running ever since using it without complaint. I only changed the checkbox from PEAP to TTLS and unchecked the MSCHAPv2 box (in the TTLS properties), so it would use PAP, as suggested by the university site you pointed to above. I’m guessing it would probably work with MSCHAP too, but I haven’t tested it yet. Of course, I didn’t have any certificate issues, since it was already a trusted certificate from when I used PEAP.
At any rate, we’ve just started converting clients over to WPA2 Enterprise at my work today, using PEAP to minimize what has to be installed on the client machine. So far, so good.
Paul
September 19, 2007 at 4:21 pm #45848
Yes, it does work with EAP-TTLS [MSCHAPv2], but not EAP-TTLS [EAP-MSCHAPv2], which is strange because PEAP works with EAP-MSCHAPv2 as an inner authentication protocol (EAP-PEAP [EAP-MSCHAPv2]).
November 5, 2007 at 5:19 am #45849 rockwater321 Member
Your guide is great. 1 problem I encountered (which took 2 hours to figure out) is that you have to specify the username as user@ and leave the domain field blank in XP. Both in Windows Managed and Intel Pro wireless management software.
Step 1 of 2 : PEAP User
Confirm Password: xxxxxxxx
I found that entering localdomain in Domain: does not work. Just a heads up for others out there.
February 24, 2008 at 2:08 pm #45850 danielrigano Member
Paul’s guide is very useful!
February 24, 2008 at 2:35 pm #45851 rochajoel Member
Step 1 of 2 : PEAP User
Confirm Password: xxxxxxxx
I found that entering localdomain in Domain: does not work. Just a heads up for others out there
I think you can use:
domain:
March 9, 2008 at 4:40 pm #45852
At my place of work, we have multiple vendors that each seem to use their own hardware and client. We’ve found that you have to experiment with some of the clients to get them to work. With some, the username@domain seems to be the only way to get it to work, but with others the username alone seems to suffice.