Wireless 802.1X Fun Times

deanwebb · July 09, 2015, 11:39:51 PM

Most of our laptops get on our wireless with a computer certificate. They're fine.

But some laptops and all our iDevices use a user certificate. That used to be fine, until we started to roll out a certificate that looked kinda like a user cert to the laptops and iDevices, so they got confused and hung when prompted for a certificate in the 802.1X flow of things... or every now and then, they mess up on a re-auth and randomly offer up the wrong cert and get bounced or put into a hung Access-Challenge state.

I get to talk with the PKI team in a little while... I hope they do this:

So that I don't have to do this:

We shall see...

deanwebb · July 09, 2015, 11:41:02 PM

And for the company of a certain size fun: I'm in the states, they're in Europe, so after my presentation to Asia, I'll catch them as they walk in, using my Lync status lights by their names to cyberstalk them.

deanwebb · July 11, 2015, 05:43:56 PM

Found out that iOS 8.4 doesn't support DH groups of less than 2048 bits... now to see if that's our issue, or if it's maybe related to the new version of MDM that rolled out around the same time as our upgrade to 8.4... which also coincides with the new cert that causes contention on Windows devices - and which may or may not be causing a similar contention on iOS devices... the issue is not as simple as I thought it was in the OP.

Anyone else seeing issues where iDevices are intermittently dropping connections or hanging and not able to access the wireless for a period of time?

hizzo3 · July 13, 2015, 09:53:00 PM

Quote from: deanwebb on July 09, 2015, 11:41:02 PM
I'll catch them as they walk in, using my Lync status lights by their names to cyberstalk them.

Ha ha.. Glad to see I'm not the only one that stalks people on Lync... I really do hate it though when they go busy right after I message them. Its OK though... I just wait for it to go green again. I have 3 monitors and its no waste on my desktop.

deanwebb · July 14, 2015, 11:30:09 AM

Lync codes and their meanings:
GREY: Either the guy is totally out, lurking, or deliberately not logged on to Lync. Send email then call him on his mobile to see if he got your email.
YELLOW: He's wandered away, be it to lunch, to go to the printer, to talk with the guy in the next cube, or somewhere his computer is not. Text his mobile then call his mobile to see if he got your text.
GREEN: Fresh meat! That, or he's away from his computer and he forgot to lock it. Best to send an email asking if you can hit him up on Lync and then call his desk phone to see if he got your email. If he does not answer his desk phone, call him on his mobile.
RED: The best Lync color. It means he's in a meeting and needs a distraction. Contact him on Lync directly.

hizzo3 · July 15, 2015, 05:56:38 PM

Lol. That is spot on here.

wintermute000 · September 28, 2015, 02:40:30 AM

so what happened? Did you find a single certificate solution? Or do iDevices play nice now with IOS9? or???

Am I reading this right: so you used to use 802.1X via AD (presumably) for user auth and machine certs for device auth - but this is no good for iDevices?

Most places I seen get around this by not enforcing certs on the iDevice BYOD/guest network and restricting iDevices to the BYOD/guest WLAN. But yes its no good for company owned iDevices that are MDMed hence theoretically deemed secure.

deanwebb · September 28, 2015, 01:34:32 PM

AD certificates on both the Windows and iDevices (via MDM on the mobiles).

No resolution beyond, "We are now aware of this situation." I still see it happening, but for now, most people expect the wireless to be shite so they go to the Guest Wireless.

wintermute000 · October 01, 2015, 07:41:55 PM

Tried eap-fast for byod ssid? Meant to work for fruity devices

deanwebb · October 01, 2015, 08:06:41 PM

EAP-FAST makes me gag.

It's EAP-TLS or use the LTE network.

wintermute000 · October 01, 2015, 09:52:30 PM

What's so bad about it, it's not That compromised is it?

deanwebb · October 02, 2015, 08:22:14 AM

EAP-FAST is fine if it's using EAP-TLS as an underlying method. But if you're doing that, might as well just use EAP-TLS.

wintermute000 · October 02, 2015, 05:02:17 PM

I hate to think what your opinion of (non EAP-TLS inside) PEAP.

Apparently, if the clients are configured to validate server certs and are unable to accept a new CA (which obvs you enforce via GP), its pretty secure (as obviously its a 'genuine HTTPS tunnel')

deanwebb · October 03, 2015, 08:39:52 AM

Quote from: wintermute000 on October 02, 2015, 05:02:17 PM
I hate to think what your opinion of (non EAP-TLS inside) PEAP.

Oh? You mean plaintext?

Mr. Clarkson and I agree, it's a joke. For enterprise security, you really want to have a good PKI server stood up, and the best news is that you can do it with a Windows Server on the cheap. As in free. For all the lads at home wanting to lab up some security, don't just go with self-signed certs and click through the error messages: stand up a Windows server and generate some for yourself, properly. Practice installing them so that you don't fear the whole arcane process.

And, yes, as Wintermute says, we don't allow acceptance of new CAs. Which can be an issue if we change RADIUS servers. That can either be taken care of via a fresh WLAN profile or via a registry entry push to Windows clients to accept the new RADIUS server. It can also be handled if the wireless is set up properly to push its config to the clients.

wintermute000 · October 06, 2015, 04:04:38 AM

forgive me if its going over my head, but what do you mean plaintext? Isn't PEAP using a TLS tunnel - granted only authenticating the server cert - and thus the credentials are passing over a tunnel? (like a normal https website)

guess who has to take stupid wireless exams in a few months and learn how to setup 802.1x properly. LOL

going on an Aruba clearpass course on Friday, should be educational