Inband out-of-band setup for wireless

  • Question

  • Is there some way to do the inband setup?

    I've been experimenting with 802.1x and Cisco 1210 APs for user authentication.

    The setup for the user is a bit complex and I think the campus will complain.

    An inband solution would be much better.

    Are there some docs on this setup that y'all know of?

    Thanks

    Brian

    Thursday, May 17, 2007 8:25 PM

Answers

  • Brian,

    There is an easy way you can achieve what you are looking for. Here is one suggestion that involves use of 802.1x.

    Deploy 802.1x using PEAP as the outer method and MS-CHAPv2 as the inner method at the backend. Enable 802.1x on the access points. If you have the support, I would recommend using WPA2 AES.

    The clients (stations) need the following config to connect to your network:

    1. Wireless profile (settings to connect to the network)

    2. Trusted root that signed the server cert for the RADIUS server.

    3. Username/password

    1 & 2 can be easily distributed on a flash drive, kept on a network share, or offered as a web download. There are simple scripting commands on Vista that may help do that.

    The user experience will be: insert the flash drive, and they will be prompted for username/password. They enter it and now they are connected.

    We will be happy to discuss this and other possible approaches.

    Please email me directly at TaroonM at Microsoft dot com and we can set up a conference call to discuss your request further.

    Best,

    Taroon Mandhana.

    Thursday, June 14, 2007 9:45 PM
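
An added example, not part of the answer above and not Microsoft tooling: a Python check to run on the wireless profile XML before it goes onto the flash drive or share, confirming it asks for WPA2 with AES, 802.1X, PEAP with inner MS-CHAPv2, and names the trusted root and RADIUS server. The sample profile is constructed and trimmed (SSID, server name and thumbprint are placeholders), and the element names assume the Windows WLAN profile XML layout.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed profile: placeholder SSID, server name and root thumbprint.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>Campus-Example</name>
 <MSM><security>
  <authEncryption>
   <authentication>WPA2</authentication>
   <encryption>AES</encryption>
   <useOneX>true</useOneX>
  </authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation>
      <ServerNames>radius.example.edu</ServerNames>
      <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
     </ServerValidation>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
     </Eap>
    </EapType>
   </Eap>
  </EAPConfig></OneX>
 </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the advice."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        values.setdefault(name, []).append((el.text or "").strip())
    findings = []
    if values.get("authentication") != ["WPA2"] or values.get("encryption") != ["AES"]:
        findings.append("link security is not WPA2 with AES")
    if values.get("useOneX") != ["true"]:
        findings.append("802.1X is not enabled")
    eap_types = values.get("Type", [])
    if "25" not in eap_types or "26" not in eap_types:
        findings.append("EAP method is not PEAP (25) with inner MS-CHAPv2 (26)")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no TrustedRootCA: server cert is not tied to the distributed root")
    if not any(values.get("ServerNames", [])):
        findings.append("no ServerNames: RADIUS server name is not pinned")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE) or "profile matches the recommended settings")
```
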

All replies

  • Is there no way to setup for running inband?
    Saturday, May 19, 2007 6:35 PM
  • Hey Brian. Could you define exactly what you mean by "inband" and "out-of-band" for your particular scenario? These are overloaded terms out in the world and I want to understand exactly what you are looking for.

     

     

    NAP the WORLD in 2007,

     

    Jeff Sigman
    NAP Release Manager
    Jeff.Sigman@online.microsoft.com *
    http://blogs.technet.com/nap

    * Remove the "online" to actually email me.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, May 25, 2007 9:20 PM
  • I'm on a college campus, my wireless bubble is getting bigger and I'm starting to be a free ISP.

    We have guest speakers, radio/TV crews etc. always coming and going and always needing connectivity, wireless mostly now.

    I don't want the client PC to have to do anything but log in with a user name, password and domain can be optional.

    With some in-band setups I have seen, the client tries to connect to the internet and a walled garden page comes up asking for authentication.

    This is what I'm looking for.

    With 802.1x wireless, the client has to have WEP turned on, know the WEP key, then they have to set up 802.1x and it's several complicated steps.

    This would not be bad for the students, once they are set up then it's easy to connect from then on.

    But for guests that are only here once, this will be a big problem for them.

    Thanks

    Brian

    Monday, June 4, 2007 1:06 PM
  • I have contacted someone on the wireless team - they should be posting here shortly...

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, June 4, 2007 5:44 PM
  • Thanks Chris.

    I think this would be something everyone would be interested in, if it's not yet available in B3.

    Brian

    Tuesday, June 5, 2007 4:56 PM
  • Hey Brian,

    Do the guests get on the same wireless network as the campus students and faculty? Or is the guest network completely isolated from the primary network?

    Also, you mentioned that the guests will try to get on to the network using username/password. How do these guests get username/password in the first place? Is there a directory at the backend where you create accounts for the guests?

    Is 802.1x already deployed in the campus wireless network?

    thanks much,

    Taroon Mandhana

    Microsoft (taroonm@microsoft.com)

    Wednesday, June 6, 2007 7:57 PM
  • Guests use the same network now, but later will be isolated to internet-only access after the implementation of some authentication.

    The library has guest accounts they issue and change the password on.

    The guest accounts are part of my Win2k3 AD.

    No, 802.1x is not deployed, but the infrastructure is in place to support it. All new Cisco core/edge switches and access points.

    Also we're wanting to implement some form of protection for the students along the NAP lines. We already give them anti-virus software, and now we want to make sure it's loaded and all the security patches are loaded on their PCs.

    The problem I have found with 802.1x so far is the setup of it for the client: too many steps and it's hard to do.

    Thanks

    Brian

    Wednesday, June 6, 2007 8:34 PM
  • ?

     

    Thursday, June 14, 2007 1:17 PM
  • You could also take some additional steps in the 802.1x client config which would allow you to roll out NAP fairly easily down the road. Let me know how your NAP + 802.1x evaluation goes!

    NAP the WORLD in 2007,

    Jeff Sigman
    NAP Release Manager
    Jeff.Sigman@online.microsoft.com *
    http://blogs.technet.com/nap
    * Remove the "online" to actually email me.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, June 20, 2007 9:13 PM