Archive for the '802.1X' Category

iPhone WiFi Update

Monday, February 4th, 2008

I just saw this story from iPhone Matters listing a petition with over a thousand names looking for 802.1X support in the iPhone. Somewhat comically, the article refers to 802.1X as 802.11X, 802.1, and 802.1x. Though I’m sure Apple will get it right, I don’t care what they call it, so long as they add it. The iPhone WiFi capability has been far less useful than I was expecting; I generally only use it at home. The time the iPhone takes to check for available networks and let you choose is often longer than the time EDGE would take to complete your request. Also, the Google WiFi network in Mountain View periodically asks for re-authentication via an HTTP captive portal but the iPhone can’t tell when this is requested without me opening Safari. Consider the following scenario:

  1. I am presented with “GoogleWiFi” as an available SSID and select it.
  2. I now have to open Safari and enter my Google ID and password before I get a connection.
  3. From this point on, my iPhone will remember that I use GoogleWiFi but it won’t track when my password is requested.
  4. So if I’m walking downtown and decide to check my email I’ll never know that Google wants my ID again without always loading Safari first. Want to check weather? Same problem. Essentially, the whims of Google prompting me for my password determine when my phone’s data connection works. If I’m sitting at a stoplight and want to check traffic on Google Maps, that is a horrible time to be asked to enter an eight-digit user ID and a 13-digit password (what can I say, I’m a security guy).
  5. Also, the iPhone makes no attempt to determine the signal strength before joining one of your “preferred” networks. So if you happen to get a whiff of GoogleWiFi while at that stoplight and then drive away while your request is being processed, you may wind up in network limbo for far longer than it would take for EDGE to do the job.

As a result, I turned off the “Ask to Join Networks” feature since it mostly wastes my time. Apple needs to do a couple of things to really improve the iPhone WiFi capability:

  1. Add 802.1X Support (Google has an 802.1X option that would largely address my inconsistent authentication concerns). This would also make office connectivity much easier.
  2. Add a selection when joining a WiFi network to “Join once, then forget.” If you join a pay-to-play open wireless network, you don’t want to rejoin it every time, as you won’t have connectivity the next time without reentering your credit card info. This makes the T-Mobile/Starbucks iTunes connectivity almost more nuisance than novelty. If you connect to T-Mobile for free to use the iTunes WiFi store, the rest of your data services stop working until you disconnect from that WiFi network or pay them some money.
  3. Be able to set a minimum signal strength prior to joining any previously known wireless network.
  4. Instead of showing which wireless networks are locked in the “ask to join” screen, show which ones actually allow network connectivity (i.e. giving out DHCP addresses and not asking for HTTP authentication). I realize this is probably unsolvable, as the battery drain from joining and probing all those wireless networks is probably far too high. Additionally, probing networks is probably a bit unsportsmanlike. I suppose you could implement an “active scan” option on the “ask to join” screen and have a confirmation before you allow it to happen. This would address the battery issue and also perhaps keep Apple out of any direct culpability.
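
The connectivity check items 4 (and the captive-portal problem with GoogleWiFi above) are asking for is cheap to do once you are already associated: fetch a tiny URL whose exact answer you know in advance, and treat anything else as “no real connectivity yet.” This is the approach phone and desktop operating systems later shipped. The following is an added example, not code from the original post or from Apple; the probe URL and its expected body are hypothetical placeholders, and the classifier is separated from the network fetch so it can be exercised offline with constructed responses.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Hypothetical probe endpoint (assumption, not from the original page): a URL
# the device owner controls that always answers "200 OK" with a fixed tiny body.
PROBE_URL = "http://probe.example.invalid/connectivity"
EXPECTED_BODY = b"OK"

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_probe(status, headers, body, probe_url=PROBE_URL, expected=EXPECTED_BODY):
    """Classify one probe response as 'open', 'captive' or 'down'.

    status is the HTTP status code (None if no HTTP response came back at all),
    headers is a mapping of response headers, body is the raw response bytes.
    Only the exact expected answer counts as connectivity. A redirect to another
    host, a 511, or a login page served with 200 all mean something in the path
    is intercepting us, which is exactly the captive-portal re-auth case.
    """
    if status is None:
        return "down"
    if status == 511:  # RFC 6585 "Network Authentication Required"
        return "captive"
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES:
        target = urlsplit(hdrs.get("location", "")).hostname
        if target != urlsplit(probe_url).hostname:
            return "captive"
    if status == 200 and body.strip() == expected:
        return "open"
    return "captive"


def probe_live(url=PROBE_URL, timeout=3.0):
    """Fetch the probe URL without following redirects; returns (status, headers, body)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib surface the 3xx as an HTTPError instead of
        # following it, so the portal's Location header stays visible to us.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()
    except (urllib.error.URLError, OSError):
        return None, {}, b""


def network_state(fetch=probe_live):
    """Run one probe and classify it; fetch is injectable so the logic is testable offline."""
    status, headers, body = fetch()
    return classify_probe(status, headers, body)
```

Run `network_state()` right after association and again before each user request, not just at join time, so the periodic re-authentication described above is caught before a map request hangs. The probe is a single small GET against your own server, so the battery and “unsportsmanlike” concerns mostly apply to probing every SSID in range, not to checking the one you have already joined.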

Until then, I’ll deal with EDGE. I actually have been pleasantly surprised by EDGE’s performance. After turning off “ask to join” on WiFi, the phone can get right to making the request, speeding things up considerably.

Network Authentication and Community Colleges

Friday, December 7th, 2007

If you had asked me two years ago whether my company’s products would be broadly deployed by large universities, hospitals, and government, I would have said yes. As expected, these types of customers have deployed our products and are starting to get quite sophisticated in their use of authenticated networks. However, if you had suggested that community colleges would find our offering compelling, I might have thought you a bit crazy. Much to my surprise, though, community colleges are deploying Identity Engines’ products (and authenticated networks in general) regularly.

If you think about it for just a moment, it makes perfect sense. Community colleges have among the highest user turnover rates of any type of organization; thousands of users are often coming and going each semester. The faculty at these colleges is often a mix of full-time staff and part-time instructors with day jobs in the marketplace. Additionally, most community colleges have multiple campuses throughout a geographic area and need to coordinate access policies among them. Guest access is another key requirement, as community colleges engage with the residents of their host city in a significant way.

Kevin Jones of Metropolitan Community College (MCC) and I recently gave a talk at the League of Innovations CIT 2007 conference. This is a conference focused on community colleges and their unique IT needs. We discussed MCC’s deployment of authenticated networks and delivered the presentation to a standing-room-only crowd. So much for conventional wisdom…

An 802.1X Roundtable

Wednesday, November 21st, 2007

I generally don’t blog about the various webinars that I do for my company, but this last one was very interesting. I moderated a panel discussion on 802.1X with Pat Cronin, Steve Pettit, and Fred Collett. Pat is a VP at Bridgewater State College, Steve is the president of Great Bay Software, and Fred is a senior consultant at CBE Technologies. All of these guys have extensive experience in 802.1X deployments, and Pat even walks through the details of his own rollout. Also of note is the massive interest we saw in the subject matter; over 500 people registered for the webinar. I really think we’re starting to see 802.1X get legs for more than just wireless. So all in all, a useful way to spend an hour if you are considering 802.1X or role-based access control. You can view the archive here. Just as a fair warning, registration is required and I would expect someone from Identity Engines’ sales organization to contact you afterwards. Happy Thanksgiving everyone!

OpenSEA Calls for Participation in Testing 802.1X Client

Tuesday, October 23rd, 2007

Things have been busy over at the OpenSEA Alliance and its Open1X project. Today we announced a call for participation to the community around the latest release of Xsupplicant. Due to the multitude of desktop software permutations and the resulting hardware interactions, Xsupplicant needs more testing than your average piece of software. The alliance and its members can only take this so far; we need your help! Whether it is just downloading the client and giving it a try on a test machine or getting more involved in identifying and closing out bugs, head on over to the Open1X project’s website and pitch in!

Market Acceptance of Wired 802.1X Improving

Monday, September 24th, 2007

Well, besides all the good news on the open supplicant front, it has been a while since I mentioned 802.1X adoption in general. We’re certainly seeing more interest in wired 802.1X at my company, but it is showing up in the news more often as well. Here are a couple of examples: first up is Intel adding hardware 802.1X support to its latest motherboards (the implications of this for virtualized OS instances could be interesting). And second, Linksys is expanding its low-end SMB line into the security arena with support for 802.1X. This adds more evidence to my contention that the core enforcement capabilities in network infrastructure are becoming commodities. I firmly believe that the future of network security will not be about more sophisticated packet inspection or manipulation techniques but rather the intelligent control of the methods we already have.

XSupplicant Open Source 802.1X Client (Development Release)

Monday, September 17th, 2007

I’m pleased to relay the news that a development version of XSupplicant (an open source 802.1X supplicant) is now available for download. The OpenSEA Alliance formed a while back, and these are some of the initial results of the group (well, really of the talented developers of the Open1X project within OpenSEA). While this is most definitely a development release and should not be used in production, the developers are actively seeking feedback. So if you have the time and interest, they’d love any comments you may have.

Unwired at Nortel

Friday, August 3rd, 2007

John Roese, Nortel’s CTO, has a nice post on why he thinks we are almost at the point where enterprise network infrastructure can go wireless only. He’s careful not to say we’re exactly there now, but certainly sees Nortel as a leader in this space. He writes:

It is our position that, after a decade of evolution, both Wi-Fi and broadband wireless (4G) technologies are getting close enough to the expectations of the customer that we are becoming able to build the Unwired Enterprise from an access perspective.

I’m seeing this as well, though I think wired will be around for a long time to come. At Identity Engines, we have a prominent enterprise customer that finally decided to deploy wired at a new facility only because the VoIP quality wasn’t yet there for wireless. Furthermore, our experience in the education market shows that wireless only is already here in principle for many university students and staff; these university users frequently never connect to the wired network, even in their home location. The next several years will be interesting indeed; Roese thinks they might even shift the vendor landscape:

This is great for mobility and productivity from a customer view, but it is also an inflection point that can force a re-thinking of the enterprise LAN architecture. That is something that happens very rarely but, when it does, the market can be remade and the vendor landscape can be transformed.

I tend to agree but I think it might cause more of a trend towards commodity, standards-based, network infrastructure coupled closely with robust identity management for the network. Then again, I could be a bit biased in this regard…

AAA in IPJ Part 2

Monday, July 9th, 2007

Part two of a two-part article titled Network Authentication, Authorization, and Accounting was just published in the Internet Protocol Journal. I wrote the article to be a survey of the entire AAA space and so it covers a lot of ground without spending too much time in one place. If you are new to AAA or are looking for a conceptual model of AAA to help others grasp its concepts, please take a look. Here’s a snippet:

Network Authentication, Authorization, and Accounting has been used since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And finally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. The first part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and high-level approaches to achieving specific AAA goals. It was published in IPJ Volume 10, No. 1. This second part of the series discusses the protocols involved, specific applications of AAA, and considerations for the future of AAA.

Although AAA is often thought of as the exclusive province of the Remote Authentication Dial-In User Service (RADIUS) protocol, in reality a range of protocols is involved at various stages of the AAA conversation. This section introduces these AAA protocols, organized according to the parties involved in the communication. We divide AAA communications into the following categories: Client to Policy Enforcement Point (PEP), PEP to Policy Decision Point (PDP), Client to PDP, and PDP to Policy Information Point (PIP).

You can get the HTML or the PDF.
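
The PEP-to-PDP leg of that model is what RADIUS carries: the NAS (switch or access point) packages the credential into an Access-Request, and the policy decision point answers with an Access-Accept or Access-Reject whose Response Authenticator binds the reply to that specific request and to the shared secret. The following is an added example of both sides of that exchange, not code from the article or from any RADIUS implementation. It uses the simple User-Password form from RFC 2865 (in an 802.1X deployment the NAS would carry EAP-Message and Message-Authenticator attributes instead, per RFC 3579, but the framing and the response authenticator are the same); the user database, secret and identifiers are constructed inline.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _attr(atype, value):
    """One RADIUS attribute TLV; the length byte counts its own 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = struct.unpack_from("!BB", data, i)
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def recover_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username, password, secret, ident, request_auth=None):
    """PEP (NAS) side: Access-Request with a fresh random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(
        HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def handle_access_request(pkt, secret, users):
    """PDP (RADIUS server) side: check the credential and answer Accept or Reject."""
    code, ident, length = HEADER.unpack_from(pkt)
    if code != ACCESS_REQUEST or length < 20 or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    request_auth = pkt[4:20]
    attrs = dict(_parse_attrs(pkt[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    # A wrong shared secret on either side yields garbage here, so it also ends in a Reject.
    ok = user in users and password == users[user].encode()
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return _packet(code, ident, auth, reply_attrs)


def verify_response(response, request, secret):
    """PEP side: trust the reply only if it matches our request's identifier and authenticator."""
    code, ident, length = HEADER.unpack_from(response)
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected)
```

The check in `verify_response` is what stops a host on the path between NAS and server from forging an Access-Accept. The password hiding, on the other hand, is MD5-keyed obfuscation rather than real encryption: anyone who captures the request and can guess the shared secret offline recovers the password, which is one reason the shared secret must be long and random and why the 802.1X/EAP methods in the article are preferred over plain User-Password.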

Multi-touching my EAP Type

Friday, July 6th, 2007

My fellow OpenSEA colleagues Messrs. Oltsik and Gast have both recently pointed to the need for more 802.1X support in non-PC devices. Last year I made a post indicating that support seemed to be improving, and I certainly agree that OpenSEA can help accelerate this. The iPhone is definitely a step in the other direction, though. As Matthew points out, Mac OS X already has a native supplicant and the iPhone supposedly runs Mac OS X. I’m guessing this is more a matter of QA resources butting up against launch plans than anything else; my iPhone’s browser still crashes from time to time, which certainly seems like a higher priority.

I wonder how sensitive the multi-touch interface is? It would be interesting if you could record gestures as a way to access a password wallet. The iPhone keyboard does a great job of correcting common English language mistakes, but it is quite horrible at entering passwords like dkIH$l_73n!.

On an unrelated note, seeing that Matthew is using the same WordPress default template as I am left me feeling sheepish. As Jack says about Marla in Fight Club, “Her lie reflected my lie.” Oh well, none of you really suspected I had any HTML skills, I’m sure.

What a Difference a Month Makes

Tuesday, June 12th, 2007

With the announcement of OpenSEA and some new announcements from my company, I’ve been away from blogging for a while. Plenty has happened while I was gone. First, Microsoft and the TNC announced that a core NAP protocol would be part of the TNC. Second, OpenSEA got great press, and we’re seeing lots of interest from new companies in joining. Finally, Caymas Systems went under, making at least one of my blog predictions for 2007 correct. Each of these probably warrants its own post, and I hope to get to each soon.
