May 18th, 2007 at 11:52 pm
I’ve been asked to post some information on how I implemented 802.1x authentication in our wireless network. This setup involved a lot of experimentation, and I’m not completely done although I have a working solution. This post will be a high-level overview of the process. I will post some additional information when I have time (no guarantees!) that contains a bit more of the nitty-gritty details of some of the steps. How did I learn? I had a burning desire to figure out how “real enterprises” did wireless security and authentication, so I read, and Googled, and read, and read, and tested, and read, and tested some more. And that was just with an off-the-shelf Linksys router! When we got the good equipment and I learned its configuration options, I just needed to do a bit more configuration and testing to get it functional at the level of the Linksys, but with more flexibility.
I’m using the built-into-Windows-Server IAS, which is the Microsoft implementation of a RADIUS server. Basically, I set up a profile in the IAS configuration to grant specific Windows Active Directory groups “dial-up” access through a Wireless port type. Then I created a new client in IAS with its IP address and a secret key that I also entered in the wireless access point (AP) where it asks for a RADIUS server (while setting up WPA/WPA2 authentication, not the Pre-Shared Key (PSK) kind). If I did everything right (insert hours of testing and learning here), I can connect to the wireless SSID I configured by specifying a username and password (or using the Windows logon credentials) in the settings, rather than needing a pre-shared key that’s the same for everyone.
If I go a step further and put a certificate on the server that the clients trust, I can also authenticate with the certificates rather than the username/password credentials, which is actually more secure due to the certificate being longer, more random, and harder to obtain than a username and password (this is why I limit access for now to users in the Active Directory group I specify, creating fewer users with wireless login privileges). I haven’t completed the certificate step of the process, and I’m still running a WPA-PSK SSID as an alternate connection method until I’m sure I have everyone switched over to the RADIUS-based SSID. But once I deactivate the WPA-PSK network, security should go up because now you can’t just share the PSK key, which has a way of getting out no matter how hard you try to protect it (having free wi-fi now helps this as well, since if someone just wants internet access, they don’t need the internal network key!). And your keys get changed every time your passwords change, rather than coordinating updating the PSK and then making sure everyone needing wireless access has the new key (if they don’t, expect cell phone calls asking for it pretty quickly).
That’s the high level why and how. I sleep now :-)
May 17th, 2007 at 5:38 pm
I was going over some to-do list stuff in my head the other day while I was driving, and I kept forgetting the first thing I thought of by the time I got to the next thing! Then when I got into the office, it all went away when I had to jump into whatever was going on there…so much for remembering what I needed to do! Should I buy a pocket voice recorder? I can’t really type fast enough on my Treo 650 to make that useful while thinking fast (not while driving, anyway). But today on the Church IT Podcast someone mentioned Jott. It’s free (first plus!) and it does several things. The most useful is just to call their phone number, they recognize you based on Caller ID, and then you just say who you want to send a Jott to (“me” works) and then record up to a 30-minute message that is transcribed with voice recognition software and emailed to you (or whoever you sent it to).
It’s just what I was looking for, and I’m looking forward to using this a lot in the near future! Great timing, and I learn so much new stuff every Church IT Podcast I can’t recommend it highly enough if you’re in Church IT!
May 15th, 2007 at 11:33 pm
Success! This past weekend was our first weekend providing free wireless internet access. I haven’t figured out the exact details that will let me log every access in the way I want to use for trending, but it appears it was used by several people on Sunday. The bigger test, the Indiana District Council yesterday and today, was an even bigger success! For one, I was actually here :-) But the use was a lot heavier, due to all the brochures on the cafe tables, handed out to people, personalized assistance from yours truly…not that it was needed, the brochure did an admirable job if I do say so myself.
I checked on the stats of how many people were connected at a time throughout the day (the stats-gathering was a bit random but better than nothing) and it looks like the highest number of connections I saw was this afternoon, at about 18 simultaneous users. Yesterday one man I talked to came up to me later and said he was glad there was wireless access and was very appreciative! Given that wireless access was not announced prior to the event, the turnout of people with laptops was still pretty high. That’s about right; I’m not sure I would want to support more users than that on the first test. Better a successful slow ramp-up than an all-out crash-and-burn, in my opinion.
While making the rounds on Monday afternoon, I ended up talking to a speaker who had a booth at the Council and ended up showing him how to remove some annoying spyware that someone had hacked into his website, and giving him a pointer to Google Analytics for some more useful stats than the tools his cPanel installation provided.
So…success! There wasn’t a single issue that I was made aware of with the wireless the entire time. No complaints, no issues with speed throttling, no issues connecting even though it required a password from the brochure and going through a portal page (I’ll get some more details on how I have this set up when I get a chance). And no issues with things being blocked that shouldn’t have been through ScrubIT. Well, I take it back, there was one issue. One of our volunteers was trying to use a PPTP VPN to connect to her workplace and do some work on downtime. The connection kept timing out and would never connect. The VPN connectoid kept throwing Error 619. Google didn’t turn up anything related, but I suspect it has to do with the connection being double-NATted. I did see someone else’s Cisco VPN connector work just fine, but that’s just a success story, not related to the PPTP error I’m sure.
But if that’s the worst that happened (and it was)…I’m happy! It’s been a long process through to the release, since I ordered the equipment at the end of last October!
May 13th, 2007 at 4:00 pm
I’ve finally taken a little while to play with FreeMind. It’s a useful little open source tool for organizing disorganized thinking, planning, and brainstorming. It does take a while to get the “feel” for mind mapping, which is the usual name for what FreeMind does, but once you grasp the non-linear layout, it turns into a cool tool. So far I’ve used it to lay out two small projects and make sure I wasn’t forgetting anything. The branching layout and the keyboard shortcuts seemed to work well with my thinking style.
I’ll need to use it a bit more extensively before it becomes part of my daily arsenal, and it could use some polish that I’ve seen a bit of in the newest Beta (0.9.0 Beta 9) compared to the current 0.8.0 stable version, although I’m sticking with the stable for use right now. Things 0.9.0 adds include attributes, which I haven’t really looked at yet, and a scrolling side “icon bar” which is nice because 0.8.0 has an icon bar that drops a bit off the bottom of my screen with no way to get to the lower icons (they’re still available on the context menu).
I haven’t used all the features by far, and I keep discovering useful little things I didn’t know it could do (“Automatic layout” on the Format menu makes a map look much better and more readable!). I recommend giving it a try. The Max version for Windows (it’s written in Java and is cross-platform) has some plugins that add PDF and various other export formats, some additional help, and some reminders (that I haven’t used or even found!).
I’d heard of mind mapping before discovering FreeMind, but only in the form of MindManager, which isn’t free (quite the opposite, in fact). A post from Jason at Renolds Life and Times got me looking at FreeMind and gave me some ideas, most of which I haven’t tried yet (mapping out blog posts before posting sounds the most interesting, and he has an example). His post on the topic is more cohesive and detailed than mine; perhaps I should get started on that post-mapping he recommends! (Why do you think I linked to him after you’ve read my post? :-) Overall a useful tool I’ve been meaning to mention for a while.
One more quick note: An online, web-based (think Web 2.0) mind mapping tool, MindMeister, is just coming out of beta and I haven’t played with it much, but it’s not only a centralized place to mind map, but it includes some sweet real-time collaboration features! Kind of like a web-based mind-mapping version of Microsoft OneNote 2007 sharing (note to self: write about how awesome Microsoft OneNote is sometime soon). MindMeister is not free, it’s subscription based, but it’s reasonable compared to MindManager and the added collaboration features could definitely be worth it for many.
May 12th, 2007 at 11:34 pm
We just released our Free Wi-Fi without much hurrah this week(end) (I’m out of town, so I hope no one needs help!). The big test will be Monday and Tuesday (when I will be in town) with us hosting our Indiana District Council.
Right now, content filtering on the public wireless is being provided by ScrubIT, a free DNS-based filtering service. Not bad but not as much control or information as I want; it’s a temporary solution (and I haven’t been given an account at ScrubIT yet, so I have no control at all). Matthew Irvine has a couple of excellent posts on his new blog, techlesia, talking about the open source SmoothWall Express firewall and DansGuardian content filter. I have a bit of Linux experience, dabbling at best, but not anything extensive enough for me to set up DansGuardian on a production machine, although I might play with it virtually (SmoothWall Express, if we needed a firewall, might be an option since it is plug-and-play, but we already have ISA 2004). The company SmoothWall has a commercial version of both products, with the content filter called Corporate Guardian, and from the preliminary pricing I’ve found it appears to be much, much less expensive than most of the commercial filtering boxes I’ve researched so far, which translates into “actually affordable.”
I think the Corporate Guardian looks the most promising, since they turn DansGuardian into a commercially-supported product, with the main benefit being that it’s plug-and-play, in addition to blacklist and updates subscriptions. Everyone wins. However, their evaluation terms concern me a bit. The terms state, in part, “You may not communicate the results of your evaluation with other companies, organizations or persons not employed by your company or organization, unless this has been agreed in writing beforehand with SmoothWall.” They also state that after the evaluation, you will “Not make public any notes, analyses, computations, studies or other documents prepared as part of this evaluation unless this has been agreed in writing beforehand with SmoothWall.”
Why does this concern me? Well, I want to share my findings with you on this blog, and these terms say I have to get their permission first. This seems to run counter to the company’s open source products philosophy, and makes me think they are scared of how their product compares to other similar products if someone were to write a review on their blog, for instance. Sure, I could ask for permission to write a review, but if it’s not positive, why would they let me post it? They can do what they want, but I’m not very happy with these particular terms and I’m seriously debating whether or not it’s worth giving up my ability to comment on my findings in order to evaluate the software beyond the claims they make on their website. Is anyone else using SmoothWall’s commercial products, and if so, are you limited in your ability to comment on your company’s use of the products similar to the terms of the evaluation terms, or does that clause go away after you’ve made the purchase?
Thanks Matthew for getting me started on this particular content filter! If I can get past the terms above I’m willing to give it a shot and maybe save some serious money in the process. Or I may find that the open source versions are functional enough and easy enough to set up for my needs; now I just have to find the time to test it.
May 8th, 2007 at 10:04 pm
Is anyone else using 802.1x for wired authentication? I’ve got it working for wireless networking, which is pretty cool. But what about wired ports? I don’t necessarily want to go to the trouble of locking down every port on campus with 802.1x. Or do I? But public ports are what worry me. For now, the only wired ports in public areas are either physically unplugged at the rack (since they’re mostly brand new), hooked up to the public wi-fi VLAN so you could get free internet access just as if you had wi-fi, or locked down with port security to only the MAC addresses of the authorized equipment that’s already installed.
But, with 802.1x, there’s the possibility of making the ports automatically members of the public VLAN for free access. But when a computer connects that can authenticate via 802.1x, it can bump them onto the employee VLAN. Sweet. But I need to do some manual-reading and testing on our ProCurve switches. Is it worth the effort? Is the Windows XP SP2 802.1x supplicant good enough, or would we need to pay for a third party supplicant? I’ve noticed that for wireless, the Windows 802.1x supplicant seems to be much better than it was originally, and most laptops are coming with even better software built-in from the manufacturer. A year or two ago, I wouldn’t implement an 802.1x-based network with the Windows XP client if you paid me. Well, depends on how much, but it would hurt anyway…
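The May 18th post above describes pointing the AP at IAS with a shared secret, and this one is about having the switch move an authenticated port onto the employee VLAN. Both come down to the same thing on the wire, so here is one added example of it (my own illustration, not code from these posts, from Microsoft IAS or from HP): a RADIUS Access-Request from the AP or switch, an Access-Accept from the server carrying the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=the VLAN) that switches read for dynamic VLAN assignment, and the Response Authenticator check from RFC 2865 that lets the switch reject a reply that was forged with the wrong secret or altered in flight. A real 802.1X exchange is several round trips of EAP-Message attributes before this final Accept and also carries a Message-Authenticator attribute (RFC 3579); both are left out to keep the focus on the secret. The user name, NAS address, VLAN number and shared secret are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute numbers are the real values from RFC 2865 / RFC 2868.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 4, 61
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
NAS_PORT_TYPE_WIRELESS_80211, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 19, 13, 6
HEADER = struct.Struct("!BBH")  # code, identifier, length; the 16-byte authenticator follows

def encode_attrs(attrs):
    """Type-Length-Value encoding; the length byte counts its own two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")

def tagged_str(tag, text):
    return bytes([tag]) + text.encode("ascii")

def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = HEADER.pack(code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_access_request(ident, attrs):
    """What the AP or switch sends; the Request Authenticator is a fresh random nonce."""
    request_auth = os.urandom(16)
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def build_access_accept(ident, request_auth, secret, attrs):
    """What the RADIUS server answers; only a holder of the secret can compute the authenticator."""
    body = encode_attrs(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, request_auth, secret)
    return HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(body)) + auth + body

def verify_response(packet, request_auth, secret):
    """The client-side check that ties a reply to its own request and to the shared secret."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def vlan_from_accept(packet):
    """VLAN ID or name the switch should apply, or None if the tunnel attributes are missing or inconsistent."""
    attrs = dict(decode_attrs(packet[20:]))
    ttype = attrs.get(ATTR_TUNNEL_TYPE)
    medium = attrs.get(ATTR_TUNNEL_MEDIUM_TYPE)
    group = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or medium is None or not group:
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_802:
        return None
    if group[0] <= 0x1F:  # a leading byte in 0x00-0x1F is a tag, not part of the VLAN string
        group = group[1:]
    return group.decode("ascii")

def demo(secret=b"constructed-shared-secret", employee_vlan=10):
    """One round trip with the RADIUS client (AP/switch) and server both simulated in-process."""
    _request, request_auth = build_access_request(7, [
        (ATTR_USER_NAME, b"jdoe"),                                   # constructed user
        (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 2])),              # constructed AP address
        (ATTR_NAS_PORT_TYPE, NAS_PORT_TYPE_WIRELESS_80211.to_bytes(4, "big")),
    ])
    accept = build_access_accept(7, request_auth, secret, [
        (ATTR_TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
        (ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_802)),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged_str(1, str(employee_vlan))),
    ])
    tampered = accept[:-2] + b"99"  # same length, VLAN string rewritten on the wire
    return {
        "genuine_verifies": verify_response(accept, request_auth, secret),
        "wrong_secret_verifies": verify_response(accept, request_auth, b"wrong-secret"),
        "tampered_verifies": verify_response(tampered, request_auth, secret),
        "assigned_vlan": vlan_from_accept(accept),
    }

if __name__ == "__main__":
    print(demo())
```

Two things this makes concrete. First, if the secret typed into the AP or switch and the one entered for that client in IAS differ, every reply fails `verify_response()` and the client drops it silently, which is the usual cause of the “nothing happens” symptom during hours of testing. Second, the authenticator is the only thing protecting that exchange, and it is MD5 over a secret, so the secret should be long and random and the RADIUS traffic should stay on a management VLAN that public ports never touch; otherwise someone who can inject a reply and knows the secret could bump his own port onto the employee VLAN.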
May 8th, 2007 at 7:50 pm
Our server room’s battery backup consists of a couple of off-the-shelf APC battery backup units, running an ever-expanding collection of servers (about six, depending on what you term a “server”). Not the optimal solution, but a cost-effective one that was good enough when the server count was lower.
It’s been so good, in fact, that a very long time has passed since the runtime on the battery backups was tested. Today, the test was unintentional.
Fortunately, since server room cooling has become an issue with such an enclosed space being filled with more and more machines, we are finally installing a cooling unit specifically to keep the server room cool. A big improvement over walking into the server room and starting to sweat almost immediately, to be sure! However, installing the cooling unit required turning off the power to the server room for a little while. It was off for a few minutes before I headed up to our all-staff meeting this afternoon, but it was back on before I went to the meeting and the battery backups held just fine. I knew it would need to be off for a little longer during the meeting, so I hoped the batteries would hold out. They didn’t. When you can’t connect to the Exchange server, or even get a new IP via DHCP over wireless, something’s up. Or, down rather.
I still don’t know how long the battery backups lasted exactly, as everything was already back on when I made it downstairs. Reboot everything in the right order, and half-an-hour later you’d never know anything had happened. And with everyone in the staff meeting, I was able to warn them before the meeting broke that I would need to work on the servers for a little while and not to expect it to be operational when they went back downstairs.
It worked out all right in the end, but it’s something I need to address and haven’t had the time or resources available. Nothing like a little priority-setting all done up nice for you :-)
Anyone have recommendations on how you go about battery backup selection? I took the new building opportunity when replacing the core network switches to purchase a Tripp Lite rack-mount UPS unit for each of our three network closets, which so far have worked admirably, were cheaper than comparable APC brand units, and held the network rack up even through this same power outage.
Does it make sense to buy a smaller off-the-shelf UPS for each server, or each pair of servers perhaps, or to purchase one larger unit that can handle everything, even with the sticker-shock price tag? (Granted, several smaller units do add up themselves.) I have a feeling I know, but I’d be interested in feedback.
April 30th, 2007 at 10:43 am
Last Thursday and Friday, someone decided it would be fun to use the Google Video feature that lets you invite a friend to view a video by email to send emails to most of our staff referring them to some questionable/conspiratorial videos (which I haven’t watched, but they sound more like hate and conspiracy videos than anything obscene from the descriptions). The videos are set up so they appear to come at first glance from our senior pastor, with his name (run together and all lowercase) in the From line, even though the email address is noreply@google.com (and the Reply To address is his real email).
The emails appear to have stopped on Friday, although if they continue I can easily block them at one of several points (such as our spam filter). I’ve sent an email to our staff explaining the details in case anyone was confused about the sender of the emails. But there is no easy way for me to track down who actually sent the emails, since technically, Google did. I could contact them about the abuse, and will if there is more of it. But it is very annoying to have an email system that’s so open to abuse and spoofing and takes time out of my day to deal with such petty junk pulled as a prank. And we have no idea whether this was sent to any church members or anyone outside of the staff, and if it was…will they know enough to realize it’s a spoofed piece of junk? I know there are email verification and authentication schemes out there, some good, some bad, and none universal. There are big problems with most, and the likelihood of authenticated emails becoming a global practice anytime soon is not something I’m holding my breath for, but an IT guy can dream, can’t he?
Thanks for letting me vent, as much as my strong feelings have been held back above to prevent publishing anything I’ll later regret :-)
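The part of this that a mail filter can actually catch is the pattern described above: the display name looks like the senior pastor, the address is noreply@google.com, and only the Reply-To points back inside. Here is an added example of that check (mine, not anything from this post or its author): flag an external sender whose display name matches a staff member, and an external sender whose Reply-To is an internal address. This is not SPF, Sender ID or DomainKeys; those verify the sending domain rather than the display name, and a message like this one passes them because Google really did send it. The domain, the staff directory and the three messages are constructed placeholders.

```python
import email
from email.utils import getaddresses, parseaddr

# Assumptions for the example: the organization's own mail domain and a tiny staff directory.
INTERNAL_DOMAIN = "example.org"
STAFF_DIRECTORY = {
    "Pastor Smith": "pastor.smith@example.org",
    "Jane Doe": "jane.doe@example.org",
}

def _normalize(name):
    """Collapse case, spaces and punctuation so 'pastorsmith' matches 'Pastor Smith'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_display_name_spoof(raw_message):
    """Return a list of findings; an empty list means neither check fired."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    findings = []
    if _domain(from_addr) == INTERNAL_DOMAIN:
        return findings  # internal sender; domain-level checks belong to the mail server
    for staff_name in STAFF_DIRECTORY:
        if from_name and _normalize(from_name) == _normalize(staff_name):
            findings.append(f"display name impersonates '{staff_name}' but address is {from_addr}")
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(reply_addr) == INTERNAL_DOMAIN:
            findings.append(f"external sender {from_addr} sets internal Reply-To {reply_addr}")
    return findings

# Constructed sample messages, not real traffic; names and addresses are placeholders.
SPOOFED = (
    "From: pastorsmith <noreply@google.com>\n"
    "Reply-To: pastor.smith@example.org\n"
    "To: staff@example.org\n"
    "Subject: pastorsmith has shared a video with you\n"
    "\n"
    "Click here to watch the video.\n"
)
GENUINE = (
    "From: Pastor Smith <pastor.smith@example.org>\n"
    "To: staff@example.org\n"
    "Subject: Staff meeting\n"
    "\n"
    "See you at 2.\n"
)
UNRELATED = (
    "From: A Vendor <sales@vendor.example.com>\n"
    "To: it@example.org\n"
    "Subject: Quote\n"
    "\n"
    "Attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("unrelated", UNRELATED)):
        print(label, check_display_name_spoof(raw))
```

Either finding on its own is a reasonable reason to tag the message or add a banner; both together is the exact shape of the prank described here. The directory lookup is deliberately fuzzy because the whole trick relies on a name run together and lowercased still reading as the real person.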
April 27th, 2007 at 11:19 pm
Work was crazy leading up to our new building’s grand opening. The good part? We made it! We had a major advertising supplement in the local paper, which was copied on their website. Our Marketing and Communications department released our new website design in time. However, while not “bad,” things have actually gotten crazier since then. All the small projects that were left undone to prepare for grand opening, now they have to get done. Offices have to be moved (including mine, soon!) into the new building. New Sharp color copiers/printers were installed last week (I’ll have to post about them soon, they rock!). And the obligatory computers that aren’t working properly and need to be fixed keep popping up, new specialized computers still need to be configured (I’ve started testing the demo of Fortres Grand lockdown software and it looks pretty good so far, details coming); you know, the usual and then some. (Oh yeah, did I mention public wifi needs to be up by the middle of next month?) Exciting and fun, but not much time to post!
Normally, I’d just spend some time at home posting. Of course, at the same time as all of the above is going on at Lakeview, my wife and I are building a house (just made all the final design selections today!) and I have a bit of homework for a class I’m taking due this coming Monday (okay, “bit of” is an understatement :-)
For all these reasons…I’ll be back soon. The homework can’t wait any longer. I’ve enjoyed reading all the Church IT Roundtable posts and they’ve made excellent diversions from schoolwork for as long as possible :-)
April 18th, 2007 at 7:14 pm
Just a quick note that HP ProCurve has some new (since I last checked) web-managed (but still VLAN-capable) switches, the 1700 series. The 1700-8G is a 10/100 8-port switch, and the 1700-24G is a 24-port model of the same, which also has two dual-personality ports (ports 23 and 24 are copper Ethernet ports by default, but you can buy the “personality” expansion GBICs to turn them into fiber ports). The price point on these is very low, to the point where you could use them in an office as a workgroup switch when you couldn’t run another home-run to your network closet (or your facilities guy complained about having to make home runs everywhere) but you need the flexibility of multiple VLANs at the very edge of your network. These are the “little brothers” to the older 1800 series, the 1800-8G and 1800-24G. I’m using two of the 1800-8Gs and one of the 1800-24Gs; the main difference is that the 1800 series is all Gigabit and the 1700 series is 10/100. But you save half the cost of the Gigabit models, where you know you won’t need Gigabit.
I’d love to put the Gigabit or even 10/100 regular managed switches with all the SNMP and other “big network” goodness including 802.1X security and all the bells and whistles everywhere I need an extra port, but I’m probably going to have to pick up at least one 1700-series switch in the very near future to pick up the slack until the additional home runs I want become a reality. At least I’m still getting a lifetime warranty, and I’ve never had a single problem with any of the ProCurve switches I’ve purchased (not so with Linksys!). Even the 408 switches that I’ve purchased for the same purpose (but unmanaged) in the past have been rock-solid, and they replaced some pretty flaky Linksys workgroup switches!