802.1x Issue

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Nov 30 23:32:00 CET 2012


Hi,

>    Well, let's say it's not possible... since we are a university, with
>    something about 600 connections every night, with lots of O.S working (70%

we are a university with around 6500 concurrent wireless users and 5000 concurrent
wired connections in the student residential network. 

>    windows), it would be kinda hard to configure every single computer with a
>    software.
>    It's better to make a new DB with new passwords on EAP and use a .bat + xml
>    profile to configure windows notebooks.

we use a profile deployment tool - our current choice is cloudpath Xpressconnect 
- which does its job. our Windows clients are configured to use standard microsoft PEAP
PEAPv0/MSCHAPv2 - our backend authentication is Microsoft ActiveDirectory - our
FreeRADIUS servers authenticate the users via the AD - and we have a post-auth
PERL script which does some checks and then, if eg a student - puts them onto a
student VLAN.  all basic 802.1X and AAA stuff.

we are also a member of eduroam - so visitors to our campus who are also from eduroam
sites just get online - most without even realising as they have an eduroam profile
on their smartphone or tablet. zero config 'open laptop and be online' - all
done by the same FreeRADIUS architecture.

Old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP
- eg open1X or SecureW2 - Windows 8 now natively supports such EAP methods - so those
new surface tablets should make life easier. Just ensure that your settings are actually
secure on the clients - ie ensure that the clients are set to trust the CA of your
RADIUS server and are set to have the CN of your RADIUS server.

alan

