Enterprise security and client compatibility

spidey07

No Lifer
Aug 4, 2000
Not every client can support the latest and greatest when it comes to wireless security. Some can do WPA, some can do WPA2. Some can do only TKIP encryption, others only AES. Heck, some can only do WEP.

Then throw in the alphabet soup of EAP methods like PEAP, EAP-TLS, etc. It becomes difficult to force a particular security policy for wireless.

So what do you do? Run WPA with TKIP and AES, run WPA2 with TKIP and AES along with the most common EAP methods.

Seems like overkill, but that seems to offer the most in terms of client compatibility. Also, does anybody know the limitations of the XP Wireless Zero Configuration? It seems VERY limited and very picky/troublesome.
 

cmetz

Platinum Member
Nov 13, 2001
I've been deploying either WPA-TKIP or WPA-AES depending.

WEP is clearly a no-go; beyond security, the UI for inputting the keys varies from implementation to implementation, making that a disaster.

WPA2 is still a little too new.

So it's really a question of TKIP or AES, and that's a trade-off between older and newer clients. Security-wise it's not a huge deal; yes, AES is better, but having something resembling real key management beats WEP any day.

As for EAP, that's a wreck. The general answer is whatever Windows wireless zeroconf can do, that's what you can do. Third party clients are in practice a no-go for most environments, too much headache and weird interactions with this or that device. Mac and Linux clients these days can do whatever Windows can do, so Windows is the limiting factor.

Windows' wireless zeroconf only supports a couple of EAP flavors (I believe PEAP is the one I usually use) and it's cranky in a lot of ways, and it has this horrible tendency to just completely forget everything you've configured, or to decide to associate with some random network you didn't want it to. It does suck in many ways. It is a big headache. But every XP client has basically the same WZC and it basically works with all modern 802.11g/n hardware, versus the vendor-specific stuff or third-party stuff. If you try to use a non-WZC client front-end, you'll find that you're actually using and supporting that AND WZC, not that XOR WZC. So if you do things The Microsoft Way, at least you can support one mediocre solution instead of multiple.
 

spidey07

No Lifer
Aug 4, 2000
cmetz,

But in a lot of instances the client isn't Microsoft OS based. Think other wireless devices that aren't computers: PLCs, wireless serial terminal servers, etc.

And one thing I don't like: the zero config will just up and CHANGE what you have configured and revert to WEP.
 

RebateMonger

Elite Member
Dec 24, 2005
I HATE WiFi. The rapid technology changes have left a graveyard of adapters and drivers and applications that are a PITA. I can't count how many hours I've spent trying to get various manufacturers' WiFi adapters and Routers working together with encryption that doesn't quite work right.

As cmetz notes, if possible, I'll use WZC because when a client calls me with a WiFi problem, I hate it when I don't know what his/her WiFi menus look like.

As far as protocols, I run WPA/TKIP. That has a reasonable chance of being compatible with any new hardware that gets introduced into the office or home.
 

nweaver

Diamond Member
Jan 21, 2001
On the Cisco APs that we use, it's not "WPA" and "WPA2", it's WPA with TKIP or AES. We run WPA with both TKIP and AES, and you can use WPA or WPA2. We have it set up so you can do LEAP and EAP-FAST, and could set up TLS as well, but haven't (our AD folks don't want to deal with the certificate stuff). We also run a non-EAP SSID that is WPA-PSK for "legacy" clients. This allows for most other devices that don't support 802.1X, and we have debated doing MAC auth on that SSID too, to restrict what uses that SSID. We have found folks that will use that rather than "deal with" EAP stuff. With that config, we are able to cover most of our stuff, and we don't allow anything that won't do at least WPA-PSK with TKIP on the wireless network. Either it's networkless (a few folks' mobile devices struggle with WPA-PSK) or updated.
 

jlazzaro

Golden Member
May 6, 2004
WPA2 + EAP-TLS...if you don't support it, you're not getting on :p

I'm with Monger in that trying to troubleshoot multiple clients is a bigger headache than just running WZC to begin with. Its downfalls are many, but it does the job for a secondary connection method. I wouldn't dare use it for primary connections though...enter Juniper Odyssey! Its ability to seamlessly push every wireless configuration option imaginable to thousands of clients while being FIPS certified is a godsend.

in the end, it comes down to your environment.
 

nweaver

Diamond Member
Jan 21, 2001
Most 3rd party clients use the Odyssey stuff in their client anyway.

We only buy Intel cards for corp laptops, and Intel has done an incredible job of making their tools admin friendly. We do have one or two Broadcoms though, but since I've done CCX testing, I know them all. Really though, if you are in any position of pushing out wireless stuff, get one vendor for clients, and it makes things easier.
 

spyordie007

Diamond Member
May 28, 2001
I wish I could say there is a magic method to picking encryption/EAP types, but no such luck for me :)

On most projects I have a design phase up-front where I sit down with the client(s) and review their standards (assuming they exist), their expectations, their back-end (i.e. Cisco ACS vs. Microsoft IAS; do they have a PKI, etc.), and to gather some information about their client types (assuming they have it). Based on these I try and steer them in a direction that will work with as much as possible and still meet what they can do and their requirements.

Wow, that was almost politician-ish... :D
 

Genx87

Lifer
Apr 8, 2002
Originally posted by: spidey07
Not every client can support the latest and greatest when it comes to wireless security. Some can do WPA, some can do WPA2. Some can do only TKIP encryption, others only AES. Heck, some can only do WEP.

Then throw in the alphabet soup of EAP methods like PEAP, EAP-TLS, etc. It becomes difficult to force a particular security policy for wireless.

So what do you do? Run WPA with TKIP and AES, run WPA2 with TKIP and AES along with the most common EAP methods.

Seems like overkill, but that seems to offer the most in terms of client compatibility. Also, does anybody know the limitations of the XP Wireless Zero Configuration? It seems VERY limited and very picky/troublesome.

The wireless routers I am using have WPA and WPA2 enabled along with AES and TKIP. Basically, if you can do WPA2 it will use it, otherwise fall back on WPA. AES or TKIP is negotiated based on the client NIC's capabilities. If your card is so old as to support WEP, you are SOL.

For me the biggest limitation of the XP zero wireless config is it will try to authenticate with any wireless network available. I have seen clients connected to open nodes while connected to our wired network. Thus I have stopped using it and use the Intel wireless application. XP supports WPA and AES or TKIP encryption. I don't know if they have included WPA2 yet, however.

 

jlazzaro

Golden Member
May 6, 2004
Originally posted by: Genx87
For me the biggest limitation of the XP zero wireless config is it will try to authenticate with any wireless network available. I have seen clients connected to open nodes while connected to our wired network. Thus I have stopped using it and use the Intel wireless application. XP supports WPA and AES or TKIP encryption. I don't know if they have included WPA2 yet, however.
I've NEVER had that issue. Are you set up to connect to non-preferred networks, or are your users pathological liars? Either way, the Intel client is still better...

You need KB893357 for WPA2 support in SP2. I believe Vista supports it by default.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: jlazzaro
Originally posted by: Genx87
For me the biggest limitation of the XP zero wireless config is it will try to authenticate with any wireless network available. I have seen clients connected to open nodes while connected to our wired network. Thus I have stopped using it and use the Intel wireless application. XP supports WPA and AES or TKIP encryption. I don't know if they have included WPA2 yet, however.
I've NEVER had that issue. Are you set up to connect to non-preferred networks, or are your users pathological liars? Either way, the Intel client is still better...

You need KB893357 for WPA2 support in SP2. I believe Vista supports it by default.

Windows would indeed connect, and still does connect, to SSIDs that are broadcast if they don't have certain fixes.

This is one of the many reasons why it is encouraged to broadcast the SSID. Clients treat them differently based on what they see in the beacons.

-edit-
We even saw this behavior with almost all cards/utilities 2 years ago. They would automagically connect to any unsecured network.
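The negotiation the last few posts describe (nweaver's mixed TKIP/AES SSID with a WPA-PSK SSID for legacy gear, Genx87's routers falling back from WPA2 to WPA, and the beacon remark just above) is driven by two information elements in the AP's beacon: the vendor-specific WPA IE (element 221, OUI 00-50-F2 type 1) and the RSN IE (element 48, OUI 00-0F-AC). Each lists a group cipher, the pairwise ciphers and the key-management (AKM) types, and a client picks from that list. The Python script below is an added example, not code posted by anyone in this thread; it parses both elements out of a beacon IE area and flags anything weaker than WPA2/CCMP with 802.1X, which is the check a practitioner wants when verifying that an AP advertises what the policy says. The two sample byte strings are constructed for the example: one for a mixed WPA/WPA2, TKIP+AES, 802.1X SSID like the ones described, and one for a WPA2-PSK-only "legacy" SSID.

```python
"""Report which WPA/WPA2 cipher suites and AKM types an AP advertises in its
beacon by parsing the WPA and RSN information elements (IEs).

Added example: the beacon bytes below are constructed, not captured traffic."""
import struct

WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the original WPA IE
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 OUI used by the RSN (WPA2) IE

# Suite-type values shared by both IE formats
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP(AES)", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

# Constructed beacon IE area: SSID "corp", then a WPA IE and an RSN IE that
# each offer TKIP (group), TKIP+CCMP (pairwise) and 802.1X key management.
SAMPLE_MIXED_IES = bytes.fromhex(
    "00 04 63 6f 72 70"                       # SSID element: "corp"
    "dd 1a 00 50 f2 01 01 00 00 50 f2 02"     # WPA IE: OUI/type, ver 1, group TKIP
    "02 00 00 50 f2 02 00 50 f2 04"           #   2 pairwise: TKIP, CCMP
    "01 00 00 50 f2 01"                       #   1 AKM: 802.1X
    "30 18 01 00 00 0f ac 02"                 # RSN IE: ver 1, group TKIP
    "02 00 00 0f ac 02 00 0f ac 04"           #   2 pairwise: TKIP, CCMP
    "01 00 00 0f ac 01 00 00"                 #   1 AKM: 802.1X, RSN capabilities
)

# Constructed "legacy" SSID: RSN only, CCMP everywhere, but PSK instead of 802.1X.
SAMPLE_LEGACY_PSK_IES = bytes.fromhex(
    "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00"
)


def _suite(buf, off, oui, table):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if buf[off:off + 3] != oui:
        return "vendor:%s" % buf[off:off + 4].hex()
    return table.get(buf[off + 3], "unknown(%d)" % buf[off + 3])


def _suite_list(buf, off, oui, table):
    """Decode a little-endian count followed by that many suite selectors."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    items = []
    for _ in range(count):
        items.append(_suite(buf, off, oui, table))
        off += 4
    return items, off


def parse_security_ie(body, oui):
    """Parse the layout WPA and RSN share: version, group cipher, pairwise list, AKM list."""
    version = struct.unpack_from("<H", body, 0)[0]
    group = _suite(body, 2, oui, CIPHERS)
    pairwise, off = _suite_list(body, 6, oui, CIPHERS)
    akm, off = _suite_list(body, off, oui, AKMS)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def iter_ies(blob):
    """Yield (element_id, body) for each tagged element in a beacon's IE area."""
    off = 0
    while off + 2 <= len(blob):
        eid, length = blob[off], blob[off + 1]
        body = blob[off + 2:off + 2 + length]
        if len(body) < length:
            break  # truncated frame: stop rather than mis-parse the tail
        yield eid, body
        off += 2 + length


def advertised_security(blob):
    """Return {"WPA": {...}, "WPA2": {...}} for whichever IEs are present."""
    result = {}
    for eid, body in iter_ies(blob):
        if eid == 0xDD and body[:4] == WPA_OUI + b"\x01":
            result["WPA"] = parse_security_ie(body[4:], WPA_OUI)
        elif eid == 0x30:
            result["WPA2"] = parse_security_ie(body, RSN_OUI)
    return result


def policy_findings(sec):
    """Flag anything weaker than WPA2/CCMP with 802.1X key management."""
    findings = []
    if not sec:
        findings.append("no WPA/RSN IE: open or WEP network")
    for name, info in sec.items():
        for cipher in sorted(set([info["group"]] + info["pairwise"])):
            if cipher != "CCMP(AES)":
                findings.append("%s offers %s" % (name, cipher))
        if "PSK" in info["akm"]:
            findings.append("%s allows PSK" % name)
    return findings


if __name__ == "__main__":
    for label, blob in (("mixed", SAMPLE_MIXED_IES), ("legacy", SAMPLE_LEGACY_PSK_IES)):
        sec = advertised_security(blob)
        print(label, sec, policy_findings(sec))
```

To use it against real traffic, feed `advertised_security` the tagged-parameter area of a captured beacon (everything after the fixed 12-byte timestamp/interval/capability fields); note that a WPA IE advertising only TKIP still looks like the "mixed" sample minus the CCMP entry, and the findings list will say so.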
 

cmetz

Platinum Member
Nov 13, 2001
spidey07, random devices I've tried to connect seem to all be able to deal with WPA-TKIP PSK, sometimes WPA-AES PSK, so when I have wacky devices, that's what I used. In the wacky device context, EAP is usually a no-go. If the wacky device only supports WEP, then I get cranky with folks and try to get them to chuck it. Luckily, there have been enough NY Times and CNN reports on wireless hacking that I can make that case with some success. Most environments I deal with understand that wireless can be a big security problem (and liability) if not set up right.

>And one thing I don't like. the zero config will just up and CHANGE what you have configured and revert to WEP.

Yeah, that's just a part of the whole config-forgetting failure mode it has. I think this has gotten better, but it's still a PITA. Thanks, Microsoft. I think this dovetails with the connecting to random networks it's not supposed to problem, something like when it does that is when it's likely to forget bits about the one it's supposed to connect to.

No question that WZC sucks. But it sucks the same for everybody using it / every card, which is a bit of a win over different vendor utilities sucking differently.
 

spidey07

No Lifer
Aug 4, 2000
cmetz,

Yeah, WEP sucks, don't use it.

But for early adopters it can literally cost them 2,000 DOLLARS PER DEVICE to replace; these aren't PDAs or PCs. Multiply that by a few hundred devices per site and it becomes an acceptable risk. Think low-level devices here.

Who adopted WiFi first? Manufacturing. Where just running a Cat5 drop costs 1000 bucks and that drop location can change at any time.

It's a perception problem. Folks are completely accustomed to "gee, if I need power, I need a power cord." Not so with "why do we need a network drop when we can do wireless?"