Secure Wireless Design Guide 1.0

Has there been any update to this document?  This document is dated July 11, 2007.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf
Does anyone have a link to other reference material for designing Wireless Security; integrating WLCs with other Cisco security appliances and software?
Thank you for your help.

You can check the Wireless and Network Security Integration Solution Design Guide on the link below:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/sw2dg.html
        "niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network

Similar Messages

  • High Density Meraki Wireless - "Design Guide".

    Hi All
    I'm looking for a discussion / thoughts on how to implement a Meraki Wireless network for many clients on a single location.
    I have read Meraki's whitepaper, "Successful WiFi Deployment for Large Events", and it has a lot of good points.
    https://meraki.cisco.com/lib/pdf/meraki_whitepaper_large_events.pdf
    (even though I would not set a bandwidth limit today at 100Kbit/sec - the paper is from 2011, and a lot has happened since then).
    But my top concern is broadcast and multicast traffic, because this traffic is sent at low datarates.
    Is there a way to disable broadcast and multicast on Meraki Wireless solution, like on a Cisco "Classic" Wireless LAN Controller solution ? (Proxy ARP and so on.)
    I am not that concerned about the physical layer (AP placement, Antennas, Channels and Transmit power).
    How would you design a Meraki Wireless network for many clients (1,2 maybe 3K connected clients in peak hours) ?
    What I am thinking:
    I'm thinking about setting the Meraki APs up in NAT mode, to avoid being flooded with broadcast and multicast traffic from that many clients, like in a "normal" bridged mode solution from the wired / wireless network.
    But is this the best solution?
    How does Meraki's Layer 3 (with and without MX appliance) work when factoring in broadcast and multicast?
    I can't seem to find any design / configuration guides explaining this.
    Anyone care to share their thoughts ?

    Nicolas is right on with his assessment; but there are a couple of other potential pitfalls with this scenario. I did a venue that was about half the size I'd say and one of the biggest issues I encountered was that there were so many client devices trying to transmit that the spectrum was flooded with beacons, and association requests and the like. Now I am not saying that it's not possible to cover this area, but it is certainly more difficult if you're only utilizing the 2.4 GHz band since there are only 3 channels you can choose to use.
    For what it's worth, in my installation I used directional patch antennas (as narrow as I could find) and mounted them on the ceiling (about 60' high) and estimated their anticipated coverage at a very very low transmit power (1 mW to 3 mW I believe). To estimate the coverage I took the beam width of the antenna (42 degrees vertical, 80 degrees horizontal) and then figured out at 60' how wide that area would be. That gave me a rough idea of the basic coverage area, and from that I could determine how many clients that AP would see, and from there I could at least set one up and test the actual coverage and also estimate the number of APs and possibly placement so you can review the channelization and such. If too many clients could potentially be in the coverage zone you may need to use a different antenna or change positions, etc. Does that make sense?
    There is no definitive template for this; many people would do this many different ways.
    Hope this helps you out.

  • Wireless design guide/help

    Hi guys........just have a few questions about designing WLC 5508
    The scenario is that currently one of the clients has a firewall tiering, T1 internet facing and T2 internal, which has multiple DMZs connected.
    T2 firewall has a DMZ switch connected, which has a router that connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking of deploying wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking of deploying two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; how will the physical topology look?
    4- How many VLANs do I have to make for wireless users? Will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC: are they just like a switch, e.g. one port can be assigned to different VLANs? I'm just confused about interfaces and VLANs on the WLC (the interfaces concept).
    Thanks guys, and hope to get a response ASAP.

    1- Keeping in mind that there is only one WLC where should i physically put it?
    Well since you will also be supporting Corporate and I'm guessing that is where the WLC sits, it should be in the inside network.  You would just need to allow udp 5246 & 5247
    2- How guest users will work ? How the authentication will be done?
    Guest users can use webauth in which the credentials will be stored on the WLC.
    3-There are 8 SFP ports in WLC how physical topology will look like?
    This is the tricky part.  You can either LAG or not LAG.  You can't split up the LAG (etherchannel).  So you can either use all 8 if you wish and create an etherchannel and then ACL the guest traffic out to the internet, or you can put the guest on a layer 2 VLAN which you would connect out to the DMZ.  Or you can use one port for the management and also have a backup port, one for your internal wireless and also have a backup port, and the same for guest.  So it would look like this:
    Management primary port 1 backup port 2
    SSID primary port 3 backup port 4
    Guest primary port 5 guest port 6
    OR
    Management & SSID's primary port 1 backup port 2
    Guest primary port 3 guest port 4
    4-How many Vlans i have to make for wireless users will that be 10? (1 at each site) ?
    If you use local switching which I would think you would, the vlans for the SSID at the remote site will be created locally at each remote site.  If you want to centrally switch, means all traffic will come back to the WLC, then you will need at least one.  Now you can use a large subnet or have a subnet for each site, its up to you.  You would use AP Groups for that.
    my last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interface concept)
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Design guides for Ironport Web Security

    Hi All,
    I am looking for a proxy solution for our enterprise network, and considering Ironport WebSecurity S370 appliance.
    I am just curious if there is any good design guides on how to properly implement Ironport on the network.
    I need best practices documents, i.e.  can I place two units with one virtual IP address and so on.
    Thanks!

    WSA's don't cluster with a shared virtual IP; how you handle multiple WSA boxes is a function of how you're redirecting traffic to them.
         WCCP - you just add them as multiple WCCP destinations
         PAC file - you add separate entries and the browser/app figures out which one is available.
         Policy Based Routing (eg. no Cisco router) - I'm not sure, as I've never done it.
    You might be able to use a load balancer, but my feeling is that gets too complicated.
    I used this to set up one box using WCCP
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/H1CY11/SBA_Mid_BN_WebSecurityDeploymentGuide-H1CY11.pdf
    There's a caveat when you use WCCP for 2 boxes, you need to tweak the ACL so that you don't get loops:
    http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1603&p_created=1278697344&p_sid=zzjbITyk&p_accessibility=0&p_redirect=0&p_srch=1&p_lva=772&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MzA4LDMwOCZwX3Byb2RzPTAmcF9jYXRzPTAmcF9wdj0mcF9jdj0mcF9zZWFyY2hfdHlwZT1hbnN3ZXJzLnNlYXJjaF9ubCZwX3BhZ2U9MSZwX3NlYXJjaF90ZXh0PW11bHRpcGxlIFdTQQ!!&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1&p_topview=1

  • Unable to connect to a secure wireless network - Event ID: 8002 Task Category: AcmConnection..., Event ID: 11006, Event ID: 11006

    Hi, 
    I have a Dell Latitude E6440 running Win 7 Enterprise 64 on a domain. It will connect to any unsecured network, and it can see the secured network in the list when I click the wireless connection icon on the system tray. When I go to manage wireless networks, the secured network does not show up (and thus, I cannot delete the network to try to re-add it). Normally, we would add the secure network here. I click Add, give the name in the correct syntax, add the needed information (WPA/2-Enterprise, AES or TKIP), and hit Next, and it immediately returns with "An unexpected error occurred". A similar thing happens when I hit Connect from the list of available networks that pops up when I open the system tray icon: it says it was unable to connect, and when I hit troubleshoot, it says that it could not identify the problem. The event log shows the error below. I haven't been able to find any resolutions here or elsewhere that address the fact that I can connect to unsecured wireless networks, but not secured wireless networks.
    Other notable troubleshooting steps:
    Uninstalled/Reinstalled wireless adapter with the latest driver
    Other laptops are able to access the same secure wireless network
    The first WLAN-AutoConfig error in the event log was Event ID: 12013, attempting a 802.1x authentication. Then Event ID: 11006; stating "Explicit Eap failure received". After a few days of alternating all 3 errors, they started to only error on Event ID 8002.
    Log Name:      Microsoft-Windows-WLAN-AutoConfig/Operational
    Source:        Microsoft-Windows-WLAN-AutoConfig
    Date:          6/4/2014 11:53:55 AM
    Event ID:      8002
    Task Category: AcmConnection
    Level:         Error
    Keywords:      (512)
    User:          SYSTEM
    Computer:      [COMPUTERNAME.DOMAIN]
    Description:
    WLAN AutoConfig service failed to connect to a wireless network.
    Network Adapter: Intel(R) Centrino(R) Advanced-N 6235 Interface GUID: {f27af762-dff8-4927-84e0-7f4ade30dcc9}
    Connection Mode: Connection to a secure network without a profile Profile Name: [SECURE NETWORK NAME]
    SSID: [SECURE NETWORK SSID]
    BSS Type: Infrastructure
    Failure Reason:The specific network is not available.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-WLAN-AutoConfig" Guid="{9580D7DD-0379-4658-9870-D5BE7D52D6DE}" />
        <EventID>8002</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>24010</Task>
        <Opcode>191</Opcode>
        <Keywords>0x8000000000000200</Keywords>
        <TimeCreated SystemTime="2014-06-04T16:53:55.956762800Z" />
        <EventRecordID>1475</EventRecordID>
        <Correlation />
        <Execution ProcessID="432" ThreadID="5348" />
        <Channel>Microsoft-Windows-WLAN-AutoConfig/Operational</Channel>
        <Computer>[COMPUTERNAME.DOMAIN]</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="InterfaceGuid">{F27AF762-DFF8-4927-84E0-7F4ADE30DCC9}</Data>
        <Data Name="InterfaceDescription">Intel(R) Centrino(R) Advanced-N 6235</Data>
        <Data Name="ConnectionMode">Connection to a secure network without a profile</Data>
        <Data Name="ProfileName">[SECURE NETWORK NAME]</Data>
        <Data Name="SSID">[SECURE NETWORK NAME]</Data>
        <Data Name="BSSType">Infrastructure</Data>
        <Data Name="FailureReason">The specific network is not available.</Data>
        <Data Name="ReasonCode">163851</Data>
        <Data Name="ConnectionId">0x6</Data>
      </EventData>
    </Event>

    Check this article: http://technet.microsoft.com/en-us/library/cc735927(v=ws.10).aspx
    also could contact your domain administrator to ask for help.
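
As an added example (not part of the thread and not Microsoft tooling), the Python below parses exported WLAN-AutoConfig event XML in the layout posted above, orders the records, and splits `ReasonCode` into its group and offset to show which layer reported each failure. The 8002 values are copied from the post; the 12013 and 11006 records, the layer labels and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Reason codes come in blocks of 0x10000; group bases as in the Windows SDK
# header l2cmn.h. The label text is this example's own wording.
REASON_GROUPS = {
    0x1: "general",
    0x2: "auto-config (profile/connection management)",
    0x3: "media-specific module (association)",
    0x4: "security (cipher/key exchange)",
    0x5: "802.1X (EAP)",
}

# Event IDs and descriptions exactly as the post quotes them.
POST_NOTES = {
    12013: "attempting a 802.1x authentication",
    11006: "Explicit Eap failure received",
    8002: "WLAN AutoConfig service failed to connect to a wireless network",
}


def _event(event_id, system_time, data):
    """Build a trimmed event document in the layout shown in the post."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{system_time}" /></System>'
        f"<EventData>{fields}</EventData></Event>"
    )


GUID = "{F27AF762-DFF8-4927-84E0-7F4ADE30DCC9}"
SAMPLE_EVENTS = [
    # Values copied from the 8002 event in the post.
    _event(8002, "2014-06-04T16:53:55.956762800Z", {
        "InterfaceGuid": GUID,
        "ConnectionMode": "Connection to a secure network without a profile",
        "FailureReason": "The specific network is not available.",
        "ReasonCode": "163851",
    }),
    # Constructed: the post names these IDs but does not show the records,
    # so the timestamps are invented and no ReasonCode is supplied.
    _event(11006, "2014-06-02T15:10:01.0000000Z", {"InterfaceGuid": GUID}),
    _event(12013, "2014-06-02T15:10:00.0000000Z", {"InterfaceGuid": GUID}),
]


def parse_system_time(value):
    """SystemTime is finer than a microsecond; keep six digits, as UTC."""
    whole, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    parsed = datetime.strptime(f"{whole}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def decode_reason(code):
    """Split a reason code into (group label, offset inside the group)."""
    if code is None:
        return None, None
    group = code >> 16
    return REASON_GROUPS.get(group, f"unknown group {group:#x}"), code & 0xFFFF


def parse_event(xml_text):
    """Extract the fields needed to see which stage reported the failure."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text or ""
            for d in root.findall("e:EventData/e:Data", NS)}
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    raw = data.get("ReasonCode")
    layer, offset = decode_reason(int(raw, 0) if raw else None)
    return {
        "event_id": event_id,
        "time": parse_system_time(stamp),
        "note": POST_NOTES.get(event_id, "not mentioned in the post"),
        "layer": layer,      # None when the record carries no ReasonCode
        "offset": offset,
        "no_profile": "without a profile" in data.get("ConnectionMode", ""),
    }


def triage(xml_events):
    """Return parsed events oldest first, so the earliest failure leads."""
    return sorted((parse_event(x) for x in xml_events), key=lambda e: e["time"])


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        flag = " [no saved profile]" if ev["no_profile"] else ""
        print(f'{ev["time"]:%Y-%m-%d %H:%M:%S} id={ev["event_id"]} '
              f'layer={ev["layer"]} offset={ev["offset"]}{flag} :: {ev["note"]}')
```

For the posted event, `163851` is `0x2800B`, which falls in the auto-config group rather than the 802.1X group and agrees with the `ConnectionMode` value reporting that the connection was attempted without a profile.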

  • Second WiSM Design Guide

    Hi All,
    I have been running a WiSM successfully for months now, but our wireless network has grown quite a bit so we have purchased a second WiSM.
    Are there any best practises for implementing another one, or are there any design guides?
    Thanks,
    Michael

    Hello Michael,
    Your setup is basically going to be the same. However, you do want to make sure the virtual IP address on both WLCs on the 2nd WISM you purchased are configured the same as the other WISM if you intend to allow mobility between APs and clients. Additionally, you will also have to add your two mobility members to your existing controllers and configure them correctly on your new ones.
    If you intended to configure manual load balancing you can use the primary/secondary/tert configuration on the access points.
    All of the above is mentioned in the 4.0 configuration guide and it does cover multiple WLC implementation as well:
    http://cco/en/US/products/ps6366/products_configuration_guide_book09186a00806b0077.html
    I hope this helps!
    -Mark

  • HP Deskjet 3050 - Unable to connect to WPA secured wireless network

    Hello,
    My first post here so please excuse any faux pas on my part.  I bought this HP Deskjet 3050 a week ago and have been waging war with it ever since.  I'd be really grateful if someone could possibly advise on how I can resolve this.
    I am unable to connect the printer to my secured wireless network, even though other computers, cell phones, etc. are connected without issue.  I have tried WPA, WPA2 and WPA2-Mixed security modes with the same failure. Specifically, the connection wizard reaches 66% and then displays the error that the wizard is unable to find network/printer.  If I disable the security, the printer connects fine.
    I'm using a Linksys WRVS4400N router with firewall and associated firewall settings disabled.  The router is broadcasting on 802.11G/N mixed mode.
    I'm installing the software supplied on the setup CD on a Windows XP SP3 system.  I have confirmed that the network the PC and printer are connected to are the same.
    A question as well, if I may:  I haven't tried these drivers yet but I see there are updated drivers for the printer dated 14/12/2010.  The release notes indicate improved networking, but don't elaborate beyond this.  Does anyone know if there was a known problem with connecting to secured networks that has now been fixed?
    Finally, just a note that I'm partially sighted and am using a screen reader on all systems.  I'll try my best to be as helpful as I can but please do excuse me if I occasionally can't find settings, etc. on screen and need a bit more detailed help.
    Thanks in advance for your help, which I really will appreciate.
    Have a pleasant day,
    All the best for now and take care,
    Hussein.
    It's not the fact it can't be done, it's the fact it hasn't been done, yet.

    HI,
    Firstly, apologies for the delay getting back to you.  Poor health has meant I've had little time or inclination to do much on the computer side of things.
    Anyway, I'm pleased to say the problem with the HP 3050 failing to connect to my network is now solved.  It seems to be a bug with the setup software, and that seems to include the latest version posted Dec 2010.
    To resolve the problem, I did the following:
    1. Disable all security options for the network, so it's just an open network.
    2. Connect the HP 3050 to the network using the setup wizard. This time it connected OK for me.
    3. Locate the printer's IP address.  I used the client list table accessed through my router's interface. You may be able to get this through the printer's on-screen menu, but as I'm partially sighted, this wasn't an option for me.
    4. Log into the printer's control panel at http://ip.address.of.printer e.g. http://192.168.2.108
    5. Under the advanced options, configure the settings for the network, including security protocol and passphrase.  Remember to enter the SSID of the network exactly as configured on the router.
    6. Apply the settings and log out of the printer's control panel.
    7. Log back into the router's control panel and re-apply the security options.  Be sure that they match those entered for the printer.
    Hopefully this will be of use to others in the same position.
    Thanks again for your time.
    Best,
    H.
    It's not the fact it can't be done, it's the fact it hasn't been done, yet.

  • Connecting with secure wireless

    Hi, this is my 1st venture with an apple computer but I seem to have hit a wall already.
    I am using a wireless G unbranded router that is secured by a 10 digit WEP passcode, it can also be set up to use WPA but I had trouble with the vista laptop that connects to the network using WPA, there is also an XP laptop which will connect using either. I believe the WEP is only 64 bit so I'll try upping it to 128 and see what happens. For information there are 3 laptops that need to connect all with different operating systems, OSX, XP & Vista.
    The problem is my MBP doesn't like the secured connection, it will connect wirelessly if the connection is unsecured or it will connect via ethernet so I know it can communicate with the router.
    If I secure the connection by WEP then it says connection failed or if I do it by WPA then it says connection timed out, at no time does it have trouble seeing the network.
    Does anyone know what I need to do to get it working? I believe the WEP is only 64 bit so I'll try upping it to 128 and see what happens but does anyone else have any other ideas?
    Many thanks
    James

    Right I am very pleased to say that I am typing this on my secured wireless connection, I could go on about how much I'm loving the laptop but I'm sure you already know.
    I have noticed that when I reboot or put it to sleep, when it comes back on it won't connect again; it says that none of my preferred networks are available, but when I click connect it remembers the key but states login failed. In order to connect I use the assist function then diagnostics, select airport, select my network, it then asks if my network is PPPoE or DHCP, I select DHCP, then it scans and states that the connection appears to be working correctly and I'm able to use the net.
    I have to do this every time. I have updated to the latest software available for everything but it's made no difference. Is there anything that I am doing wrong?
    Thanks again

  • Secure wireless and generic ldap

    Hi All,
    I'm looking into setting up a secure wireless network and can't seem to find a good fit with environment we have.
    Environment:
    WLC's
    ACS 4.1
    Generic ldap
    95% of laptops use built in Windows XP(SP3) configuration tool.
    I can get everything working fine with Dell Wireless Utility or Intel utility in XP, Vista built in or 3rd party client but I CAN'T seem to get Windows XP built in client to work with anything.
    I read the EAP Authentication Protocol and User Database Compatibility document and found out that I can use EAP-GTC, EAP-FAST phase 2 and EAP-TLS.
    I'm looking into the most seamless way for our users to connect and taking "20 minutes" to configure their network card isn't a really good option.
    Any ideas or suggestion (something I'm missing) would be greatly appreciated.
    Craig

    Hi. I am currently running a whole mix of clients with regards to WPA security. I have most of the laptops on their respective ccx supplicant / utility. However I do have users that run the WZC service from XP. I am not at SP3, but rather SP2 for most of the machines. I'm using PEAP (MSCHAPv2) and it works well in the SP2 environment. I did notice some issues running WZC on Vista with the new Intel N cards and early release drivers, but I didn't get a chance to try the updated versions to see if it would solve the problem. I'm running the Funk OAS radius server and the Microsoft IAS service. The problem with XP and WZC is the lack of EAP types supported. I lucked out because PEAP MSCHAPv2 is natively supported. I'm 99.9 percent positive that WZC under XP does not support LEAP and EAP-FAST since they are Cisco. So, unfortunately in order to get those clients going with WPA Enterprise security you're going to have to install the client card utility or have them run a different EAP type config.

  • Secured wireless connection

    I have an older Linksys BEFW11s4 I want to have a secured wireless connection and I don't know how to do it. When I see my wireless connection, it says unsecured.

    The information you seek is located in your manual, searching the web or you may go here.

  • Hi, I am trying to print to an HP4050n via a secure wireless network.  It prints but the default page setting sent to the printer is JIS B5.  I have to hit the "Go" to get the printer to print.  I have the correct setting in my Printer Settings (Letter).

    I am attempting to print via a wireless (secure) network to an HP4050n printer.  The document prints AFTER I choose "GO" on the printer.  It is waiting as it wants me to load the JIS B5 paper/tray.  I have the printer defined as Letter but in spite of that, it is requesting a different setting.  I am thinking that because I am using the Generic PCL setting (I also tried the HP 4/5 PCL ) it is not communicating correctly.  It does print once I get up and hit the GO button.
    Any ideas?  Thanks.

    The paper size would normally be coming from the application rather than some setting in the driver. I've never seen the Generic PCL driver send a request for B5, but then I do use A4 rather than Letter and I don't have a PCL printer at home to check this. But I do think it has more to do with the application/document being printed.
    For the application that you are using, is there a separate Page Setup menu?
    If the page and document is correctly set to Letter, you mention a wireless secure. If you mean something more than a wireless network that requires a password to access it, such as using https to connect to a remote server, then it could be settings for the shared printer queue. Although these shared printers are usually just an access point (throughport) for the remote client. Still, if you do have some additional network server for this secure wireless network, then this could be contributing to the incorrect paper size call.

  • Oracle DBI Designer Guide

    Hi,
    Can anyone tell me where I can find the Oracle DBI Designer Guide? I want to develop custom reports and dashboards; in which guide can I find help regarding dimension creation, reports, dashboards and graphs?
    Thank you.

    All Oracle Apps 11iR12 docs can be found at:
    Applications Releases 11i and 12
    http://www.oracle.com/technetwork/indexes/documentation/index.html
    Oracle Business Intelligence
    http://www.oracle.com/technetwork/middleware/bi-publisher/documentation/xmlpdocs-084437.html
    Thanks,
    Hussein

  • Secure Wireless Connection

    I have been thinking about getting the iPhone ever since it came out and I guess I was wondering if anyone could answer whether or not it can connect to secure wireless connections that require a password. I am a college student and we have wireless throughout campus but it requires my student id and password to be typed in if it were used on a computer. Thanks for any information.

    I have the same problem. I can easily access wireless networks everywhere except at work (a college also). Our system requires both a user name and password. Laptops easily access the network but I can't log on with my iPhone. It is a real bummer because our campus has thick old brick buildings and EDGE will not penetrate them, meaning that I am dead in the water without wireless. BTW network wireless at the college is the only thing that I don't have working flawlessly on the iPhone. I had two of our best IT guys mess with my iPhone for a couple of hours and they said that unless Apple gives a fix that allows for both a user name and password when logging in, they can't help me. ANYONE HAVING THE SAME ISSUE?

  • Secure wireless bridge

    I want to establish a secure wireless bridge (with a root bridge and one non-root bridge). I can set in the non-root bridge which is the MAC address of the parent, but how can I set in the root bridge which MAC is the non-root one? I want to prevent other non-root bridges from connecting to the parent.
    Thanks

    Have encryption running between the bridges. This way, even if an unknown non-root gets associated to the root, you will not be able to transmit or receive data if the encryption keys are incorrect, and we have control over the encryption keys.

  • Secure wireless authentication

    I have just been reading all the posts about secure wireless access and I am
    not happy with the direction Novell has chosen to take.
    I have been extremely pleased with Netware, GroupWise & ZenWorks but Novell
    is starting to lose its appeal.
    Let me summarize what I have learned and see if I have made any mistakes
    with my understanding.
    1. Novell has stopped development on their Radius server and have no plans
    to resume development.
    2. Novell contributed code to the open source FreeRadius project.
    http://www.novell.com/news/press/arc...2/pr05008.html
    3. There isn't any Radius server with 802.1x authentication that runs on
    Netware (Netware kernel).
    a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
    802.1x authentication.
    b. I have contacted Funk and this is their reply. Steel-Belted Radius
    Server will run on Windows and Solaris (Linux is coming).
    http://www.funk.com/News&Events/sbr_linux_pn.asp
    c. MTG House hasn't gotten back to me about a solution for Netware. (I
    am doubtful, I didn't find anything on their website.)
    4. You need to run a Radius server that does 802.1x authentication and will
    work/integrate with eDir.
    a. FreeRadius (Linux) will integrate with Edir.
    http://www.novell.com/documentation/...ius/index.html
    http://www.novell.com/coolsolutions/feature/15383.html
    b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is in
    beta).
    http://www.funk.com/radius/default.asp
    c. Aegis Server
    http://www.mtghouse.com/products/aeg...er/index.shtml
    5. You need a 802.1x Client to authenticate to a Radius server for wireless
    authentication.
    a. Microsoft has 802.1x support in their client. (read this from other
    posts in this forum)
    b. Novell isn't planning on putting 802.1x support in the NW Client.
    (read this from other posts in this forum)
    c. There are 2 Radius clients that integrate with the NW Client for
    Radius Edir authentication.
    1. Funk's Odyssey Client ($45 - $50 per workstation depending on
    quantity) + added annual maintenance costs.
    $2281.25 for 50 Client licenses & annual maintenance.
    http://www.funk.com/radius/wlan/wlan_c_radius.asp
    2. Aegis' Client ($32 - $39.99 per workstation depending on
    quantity) + added annual maintenance costs.
    $2240.00 for 50 Client licenses & annual maintenance.
    http://www.mtghouse.com/products/aeg...nt/index.shtml
    http://www.mtghouse.com/novell_app_note_122204.pdf
    3. When FreeRadius is integrated with Edir is this separate client
    still needed?
    I didn't see anything about a separate client being needed while
    reading the Integrating FreeRadius with Edir documentation.
    6. FreeRadius support is going to be built-in to the next version of Edir.
    http://www.novell.com/news/press/arc...2/pr05008.html
    Why didn't Novell contribute code to port FreeRadius to Netware?
    At this point in time they are still giving us a choice between the Netware
    kernel and the Linux kernel. To me that says they are willing to make
    things work with both systems until they drop support for the Netware
    kernel. Ok, so give me support for 802.1x authentication in the Netware
    kernel. I don't have stray single purpose servers floating around my
    network and I don't want to have to begin that practice just to get Radius
    802.1x authentication working.
    I also won't put my district at a disadvantage by upgrading to the Linux
    kernel until I know Linux well enough to administer it properly. I am the
    IT department at this district so I don't have a great deal of extra time to
    run about learning the new things I would LOVE to learn. I'm sure I'm not
    the only person in this situation so Novell should take these things into
    consideration before they just drop support for a product they say they are
    still supporting. Obviously all of the real support is going toward the
    Linux side at Novell.
    Daniel Blake
    Milford Central School

    Ok, I'll give them the benefit of the doubt and say fine the Netware kernel
    might as well be considered dead. So they are giving me support via
    FreeRadius if I just migrate to OES (Linux). Ok, I might/can live with that
    as a Novell decision.
    But that still doesn't explain why they don't give us some client to log in
    via 802.1x. Giving us the server but not the client is like giving us a
    locked door without a key. That's just plain stupid. I would rather stay a
    Netware - OES shop, but if Novell can't think something this simple through
    then I'm a little nervous about staying with them. What could they think up
    next?
    I guess Novell has decided to port all its software to Windows cause it
    sucks so bad at business decisions. GroupWise & ZenWorks run completely on
    Windows now, so why do I need OES at all? Except for complexity &
    integration issues of course. I mean why would I need to purchase Edir for
    Windows if I didn't stay with OES? Or Nsure Identity Manager for that
    matter. So if we start looking deeper into this we see Marketing all over
    this thing. Novell Marketing has always done such a good job for Novell.
    Novell has given me a real choice that will work though. If I migrate
    completely to a Windows network it just works without any added costs. Heck
    it even makes my installs easier without having to install the NW Client on
    every new workstation. I can still run ZenWorks & GroupWise too.
    Now, how is Novell Marketing going to screw up and make me hate GroupWise &
    Zenworks so I migrate completely away from Novell products? Way to go
    Novell!
    Daniel Blake
    Milford Central School
    "Jim Michael" <[email protected]> wrote in message
    news:[email protected]...
    > mcsdtech wrote:
    >
    >> 1. Novell has stopped development on their Radius server and have no
    >> plans to resume development.
    >
    > Correct, so far as we know.
    >
    >> 2. Novell contributed code to the open source FreeRadius project.
    >> http://www.novell.com/news/press/arc...2/pr05008.html
    >
    > Yes. Code to allow easier integration with eDirectory.
    >
    >> 3. There isn't any Radius server with 802.1x authentication that runs on
    >> Netware (Netware kernel).
    >
    > Correct.
    >
    >> a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
    >> 802.1x authentication.
    >
    > Correct. It was developed quite a while before 802.1x even existed.
    >
    >> b. I have contacted Funk and this is their reply. Steel-Belted
    >> Radius Server will run on Windows and Solaris (Linux is coming).
    >> http://www.funk.com/News&Events/sbr_linux_pn.asp
    >
    > Correct, but Steel-Belted Radius is probably the last solution I would
    > look at. Radiator is a commercial product that runs on Linux or Windows
    > (it is Perl-based) and you will get far better support from them on
    > eDirectory issues and general Radius problems. freeRADIUS is what I would
    > run on Linux if you don't want to spend a dime on the software.
    >
    >> c. MTG House hasn't gotten back to me about a solution for Netware.
    >> (I am doubtful, I didn't find anything on their website.)
    >
    > Not familiar with them.
    >
    >> 4. You need to run a Radius server that does 802.1x authentication and
    >> will work/integrate with eDir.
    >> a. FreeRadius (Linux) will integrate with Edir.
    >> b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is
    >> in beta).
    >
    >> c. Aegis Server
    >
    > And Radiator (what I run) http://www.open.com.au This is the solution we
    > run.
    >
    >> 5. You need an 802.1x Client to authenticate to a Radius server for
    >> wireless authentication.
    >
    > Correct.
    >
    >> a. Microsoft has 802.1x support in their client. (read this from
    >> other posts in this forum)
    >
    > Correct. Technically, the "support" is in Windows, not the MS client.
    >
    >> b. Novell isn't planning on putting 802.1x support in the NW Client.
    >> (read this from other posts in this forum)
    >
    > Correct.
    >
    >> c. There are 2 Radius clients that integrate with the NW Client for
    >> Radius Edir authentication.
    >> 1. Funk's Odyssey Client 2. Aegis' Client ($32 - $39.99 per
    >> workstation depending on
    >
    > Correct.
    >
    >> 3. When FreeRadius is integrated with Edir is this separate
    >> client still needed?
    >
    > Yes. You ALWAYS need an 802.1x supplicant (client) on the workstation.
    > Windows has one built-in, which works FINE against eDirectory. HOWEVER,
    > because of the way it works you must log into eDirectory *after* fully
    > logging into windows. That is unacceptable to most organizations (you
    > would have to manually log in and map drives to NW, etc). This is why
    > there are third-party clients that integrate specifically with the NetWare
    > client... they allow the 802.1x authentication to "insert" itself
    > in-between the Windows and eDirectory login, thus preserving all of the
    > normal features like dynamic local user, zen policies, etc.
    >
    >> I didn't see anything about a separate client being needed
    >> while reading the Integrating FreeRadius with Edir documentation.
    >
    > A client is always assumed.
    >
    >> Why didn't Novell contribute code to port FreeRadius to Netware?
    >
    > Because Novell's future direction is Linux, and there isn't much demand
    > for a NetWare Radius server.
    >
    >> At this point in time they are still giving us a choice between the
    >> Netware kernel and the Linux kernel. To me that says they are willing to
    >> make things work with both systems until they drop support for the
    >> Netware kernel. Ok, so give me support for 802.1x authentication in the
    >> Netware kernel. I don't have stray single purpose servers floating
    >> around my network and I don't want to have to begin that practice just to
    >> get Radius 802.1x authentication working.
    >
    > You can always make your wishes known at
    > http://support.novell.com/enhancement
    >
    >> I also won't put my district at a disadvantage by upgrading to the Linux
    >> kernel until I know Linux well enough to administer it properly. I am
    >> the IT department at this district so I don't have a great deal of extra
    >> time to run about learning the new things I would LOVE to learn. I'm
    >> sure I'm not the only person in this situation so Novell should take
    >> these things into consideration before they just drop support for a
    >> product they say they are still supporting. Obviously all of the real
    >> support is going toward the Linux side at Novell.
    >
    > I understand the frustration, but I doubt things will change. There is a
    > big difference between "supporting" existing products and adding major
    > enhancements to products to support new standards. I just don't think
    > Novell believes it is worth dedicating development resources to enhancing
    > Radius on NetWare, for those few that can't/won't run a Linux or Windows
    > box where the software already exists.
    >
    >
    > --
    > Jim
    > NSC Sysop
