[tech] Problems with 802.1x wireless (Was: Port security for clubroom wall ports)

David Adam zanchey at ucc.gu.uwa.edu.au
Wed Sep 12 11:06:52 WST 2012


On Mon, 10 Sep 2012, Matt Didcoe wrote:
> [TRS] suggested implementing something like PacketFence[1], but
> investigations suggested that OpenWRT/DD-WRT do not support dynamic
> VLAN assignment via radius (other users of PacketFence appear to have
> run into this issue), which kind of renders the solution pointless. I
> do like the idea though as it adds a GUI to help people when they get
> stuck along the way. As discussed on IRC last night, a lot of it could
> well be implemented just using IOS on Bitumen, but if someone messes
> up, there's nothing to flag that and explain how to put it right (I
> also think we'd still run into the dynamic VLAN issue).
> 
> We could fix that by buying "enterprise"(TM) wireless gear - or
> something that at least has a broader feature set, but it's whether it's
> worth going through all that.
> 
> Open to thoughts on what we can do to (a) make the wireless easier for
> people that have dodgy support for authentication; or (b) a system
> where we can do some other form of auth that will allow people on in
> the event they do not have 802.1x support.

I had a look at PacketFence, and a look at OpenWRT, and it does look like 
it could be made to work - hostapd supports dynamic VLAN assignment and it 
is compiled in on our routers. It would just be a matter of setting up the 
right configuration. Alternatively it can be run in inline mode which 
isn't as secure but would definitely work.

My understanding of the problem is that:
a) the 802.1x authentication is hard to configure especially on Windows
(note that it is ridiculously easy on iOS and reasonably easy on Linux)
b) the captive portal [*] on UCC-Public doesn't have any documentation on 
how to configure the harder OSes

(and possibly c) the UCC-Public SSID doesn't get paid a lot of attention, 
and it certainly looks like it didn't work at all between the Bitumen 
upgrade and five minutes ago).

PacketFence looks like it would be great if we wanted to enforce endpoint 
security or provide guest accounts. However, if my understanding is correct, 
PacketFence will require us to run a public, open SSID with a 
documentation page and a secure SSID - which we already do!

I think we would be better off making a clear set of documentation on how 
to join the wireless network. http://wiki.ucc.asn.au/Wifi is a start and 
should probably be linked from http://www.ucc.asn.au/ucc-public-wireless/. 
Actually I'm going to do that right now.

David Adam
UCC Wheel Member
zanchey at ucc.gu.uwa.edu.au
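The "right configuration" David refers to above, as an added illustration that is not part of the original thread or of UCC's actual router config: a minimal hostapd.conf for a WPA2-Enterprise SSID where the RADIUS server places each authenticated station on a VLAN it names in the Access-Accept. Interface names, the SSID, the RADIUS address and secret, and the VLAN IDs are placeholders.

```ini
# Added example (not UCC's config): hostapd with RADIUS-driven dynamic VLANs.
# All names, addresses and IDs below are placeholders.
interface=wlan0
driver=nl80211
ssid=EXAMPLE-Secure
hw_mode=g
channel=6

# 802.1X / WPA2-Enterprise: clients authenticate with EAP against RADIUS.
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder

# Dynamic VLAN assignment. hostapd reads the standard tunnel attributes
# from the Access-Accept:
#   Tunnel-Type = VLAN (13)
#   Tunnel-Medium-Type = IEEE-802 (6)
#   Tunnel-Private-Group-Id = "<vlan id>"
# and moves the station to that VLAN.
#   dynamic_vlan=0  ignore the attributes
#   dynamic_vlan=1  use them if present, else stay on the untagged interface
#   dynamic_vlan=2  require them; reject the station if they are absent
# Use 2 when every user must land in a specific VLAN; 1 tolerates a RADIUS
# profile that forgot the attributes but then silently leaves that user on
# the default network, which is easy to miss when debugging.
dynamic_vlan=1

# Map VLAN IDs to virtual interfaces. The file holds lines of the form
# "<vlan id> <ifname>"; the wildcard "* wlan0.#" lets hostapd create
# wlan0.<id> on demand for any ID the RADIUS server returns.
vlan_file=/etc/hostapd.vlan

# Trunk port carrying the tagged VLANs upstream; hostapd bridges each
# wlan0.<id> with eth0.<id> via a bridge named brvlan<id>.
vlan_tagged_interface=eth0
vlan_bridge=brvlan
```

On the RADIUS side, a FreeRADIUS `users` entry returning the three Tunnel-* reply attributes for the account is enough for hostapd to act on them; no change to the wireless client is needed.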

