Profile

Chuck Enfield III

My Content

1 to 20 of 50+ total
Posted By Chuck Enfield 09-22-2022 10:12:11 AM
Found In Egroup: Wireless Local Area Networking
It's more than just an RF issue. 802.11 headers don't include VLAN tags. Every device connected to the same SSID on the same radio sees all the same traffic regardless of the VLAN that client is assigned to. Unicast packets aren't a problem, but broadcast is. Many wireless solutions have proprietary ...
Posted By Chuck Enfield 09-22-2022 08:45:25 AM
Found In Egroup: Wireless Local Area Networking
I'm guessing but is the difference in the two experiences SSO? If Windows is using the domain credential for wireless log-in, then it seems like Credential Guard would get in the way, but if the same username and password are stored twice, once as the domain credential, and again as a wireless credential, ...
Posted By Chuck Enfield 09-21-2022 07:24:04 PM
Found In Egroup: Wireless Local Area Networking
That had to take a while. Great info as always.
Posted By Chuck Enfield 09-20-2022 08:50:29 AM
Found In Egroup: Wireless Local Area Networking
Wireless incidents were down about 75%. We usually have 1500-2000 wireless incidents during the first two weeks of the fall semester, and this year it was around 500. Furthermore, almost 400 of the 500 were opened and closed in the first week because of reduced wait times for human agents.
Posted By Chuck Enfield 09-20-2022 08:24:18 AM
Found In Egroup: Wireless Local Area Networking
That was me. We're using Ivy.ai. I was involved in the selection process and user experience was similar for a variety of solutions. The big differences were in make-ready work, which is far from trivial. Our SD thought Ivy would require less effort to prepare and maintain than most other solutions.
Posted By Chuck Enfield 09-15-2022 11:57:28 AM
Found In Egroup: Wireless Local Area Networking
That makes perfect sense. The challenge for domain devices is that many are not tied to a specific user. There are many ways to deal with that, but it's not yet apparent to me which way is best. Password-based user auth is just one possibility. I'm not advocating that approach, but Mike asked if we need ...
Posted By Chuck Enfield 09-15-2022 11:40:34 AM
Found In Egroup: Wireless Local Area Networking
Sorry, I forgot to answer your question about the assertion. That can be handled a few different ways, and which you choose may depend on other segmentation strategies. Options on the table for us are a separate SSID for BYOD or an authorization rule.
Posted By Chuck Enfield 09-15-2022 11:29:57 AM
Found In Egroup: Wireless Local Area Networking
I'll repeat that we're just planning right now, but here are some considerations: Users open wireless tickets, not machines. Having a username for network auth facilitates troubleshooting. People are accustomed to using network auth logs for network accountability. If there's no identity info in those ...
Posted By Chuck Enfield 09-15-2022 09:13:52 AM
Found In Egroup: Wireless Local Area Networking
Regarding, "if you are using PEAP or TTLS, you have every reason to NOT trust that devices are onboarded correctly." I disagree in the context of domain-joined devices in our environment where we can simply push the correct settings to the devices. Your concern is precisely why we've got different plans ...
Posted By Chuck Enfield 09-15-2022 08:51:07 AM
Found In Egroup: Wireless Local Area Networking
My $0.02, if you trust that devices are onboarded correctly, there's no problem with PEAP or TTLS. We're just planning our TLS migration now, and we're planning on forcing TLS for BYOD devices (after a migration period as Ryan suggested). But for domain devices there are more options worth considering. ...
Posted By Chuck Enfield 09-15-2022 08:03:00 AM
Found In Egroup: Wireless Local Area Networking
I think that's a feature of all forums like this. I say tons of brilliant and insightful things, all of which get lost somewhere. But the stupid stuff I say all gets through. Can't explain it.
Posted By Chuck Enfield 09-15-2022 06:26:08 AM
Found In Egroup: Wireless Local Area Networking
Hi Bruce, Would you mind explaining what you mean by "TLS with anonymous peer identity"? I'm not familiar with that terminology. Thanks, Chuck
Posted By Chuck Enfield 09-13-2022 03:22:49 PM
Found In Egroup: Wireless Local Area Networking
I don't mean to speak for Ryan here, but it's a given that the service desk will get more tickets for 802.1X than for MAC auth. That's true regardless of EAP type. That said, MAC randomization and IoT certainly increase the number of tickets for MAC auth – just not to EAP levels. I'll share that ...
Posted By Chuck Enfield 09-12-2022 02:03:45 PM
Found In Egroup: Wireless Local Area Networking
FWIW, we limit a client's ARP rate on our Aruba controllers to 50 every 30 seconds. This drops a lot of ARP from a very small percentage of the ill-behaved clients.
Posted By Chuck Enfield 09-12-2022 08:47:57 AM
Found In Egroup: Wireless Local Area Networking
Thanks Dan. I didn't realize you made the switch. Has anybody else moved away from enterprise wireless security for BYOD?
Posted By Chuck Enfield 09-09-2022 07:59:10 PM
Found In Egroup: Wireless Local Area Networking
I'm enjoying reading these answers, particularly to question 7. There's been surprisingly little overlap, and yet all the answers have been good. 802.1X has a lot of pitfalls, and I still maintain it adds very little value for BYOD devices. Why in the heck are we still doing it???
Posted By Chuck Enfield 09-09-2022 07:45:47 PM
Found In Egroup: Wireless Local Area Networking
Several RADIUS servers support OCSP stapling now, so it's just a matter of time before Apple or Google requires it.
Posted By Chuck Enfield 09-09-2022 03:44:53 PM
Found In Egroup: Wireless Local Area Networking
I can't disagree with anything you say below Hunter, but I would qualify "The fact is, no OS uses the public CA infrastructure to verify 802.1X certificates" by adding "yet".