How to set up secure Wi-Fi for BYOD environments

QuickConnect and XpressConnect offer cloud-based methods to automate BYOD client configuration and connection

Deploying the enterprise mode of Wi-Fi Protected Access (WPA2) with 802.1X authentication provides great Wi-Fi security, but complicates client configuration and connection. In BYOD environments, this can cause user frustration and a spike in help desk calls. The solution is to deploy an automated configuration process so users can easily connect their devices without intervention from IT staff. In this review, we looked at three tools to help distribute Wi-Fi and 802.1X settings to users: ClearPass QuickConnect from Aruba, XpressConnect from Cloudpath, and the open source SU1X.

ClearPass QuickConnect

ClearPass QuickConnect from Aruba is a cloud-based service that supports clients using Windows, Mac OS X, iOS and Android. In addition to the 802.1X settings, it can also install the RADIUS server’s CA certificate, but not user certificates, though this functionality is being added in an update slated for next month. To get started with QuickConnect, you log into their website, where you’ll find a simple interface. To define the network and client program settings, you add a Network.

The settings are fairly straightforward, but they lack tooltips or any other form of description. The administration user guide provides a thorough description of most settings, but the layout and flow of the documentation could use some improvement. One major inconvenience of QuickConnect is that you must define separate settings for each OS type: Windows XP, Windows Vista and later, Mac OS X 10.5/10.6, Mac OS X 10.7 and iOS, and Android. For each you must also separately define the wireless and wired settings, even if you’d like them to be the same.

QuickConnect lets you perform basic customisation of the user interface of the client program, such as your organisation name, reset password and help desk links, and logo. Once you’re done, you can generate and download the package of files. You can then upload the package to a web server, which will automatically serve users the appropriate program/app for their OS, or distribute the files individually via other means.

Testing the client configuration process via a web server went smoothly for each OS type. When configuring an Android device, it required that a device PIN/password be set in order to install the RADIUS server’s CA certificate. In Windows and Mac OS X 10.6 and earlier, it downloads a simple wizard-type application where you type in your username and password to configure the network settings and then you can choose to Connect or Close the application. In Mac OS X 10.7 and later and on iOS devices, it downloads and installs the wireless configuration profile. On Android devices, it prompts the user to download the QuickConnect app, where they’d enter their username and password.

XpressConnect

XpressConnect from Cloudpath Networks is a cloud-based service similar to ClearPass QuickConnect and supports Windows, Mac OS X, Ubuntu, iOS, and Android devices. It can also distribute the RADIUS server CA certificate and any user certificates by pulling them from your Microsoft CA via the XpressConnect Microsoft CA Integration Module. XpressConnect supports a device’s native supplicant, or it can work with the third-party supplicants XSupplicant or SecureW2. It also supports wireless networks secured with the pre-shared key (PSK) mode of WPA/WPA2 (or even the old WEP).

To set the network settings and customise the branding of the XpressConnect client program, you use the web-based Cloudpath Administrative Console. The settings are presented in a wizard fashion and are well-explained, and the documentation is thorough. You can customise the text and images of the client interface, and also its look and feel by changing the text and line colours. After the initial configuration, you can access the advanced settings and adjust the settings for each individual OS type.

After you’ve defined your network and visual settings for the client application, you have several methods you can use to deploy: web server, standalone (for CD, flash drive, etc), or integration with a Microsoft CA by hosting it on a domain-joined web server so it can automatically hand out user certificates for networks utilizing EAP-TLS. When a user visits the URL where you’ve uploaded the XpressConnect files, they will see your customised welcome page, which by default makes them accept your End-User agreement.

In our tests, each OS’s configuration went smoothly. Installing the CA certificate on Android devices requires the device to have a lock screen password/PIN set, but with XpressConnect you can optionally waive this requirement by enabling storage of the certificate in a location other than the default local keystore. In Windows, Mac OS X 10.6 and earlier, and Ubuntu, a wizard-type application is downloaded where you can input the username and password to configure and connect to the network. In Mac OS X 10.7 and later and on iOS devices, it downloads and installs the wireless configuration profile. On Android devices, it prompts the user to download the XpressConnect app, where they’d enter their username and password.

SU1X

SU1X is an open source software solution written by Gareth Ayres of Swansea University and released under the Educational Community License, Version 2.0. Use outside of academic environments is allowed but requires approval from the developer. SU1X supports Windows XP (SP2), Vista (any SP), 7, or 8 to configure the wired or wireless 802.1X settings. Though it doesn’t support smartphones and tablets, it does include step-by-step directions on how to create an automated configuration app for iOS devices using an Apple utility called the iPhone Configuration Utility (IPCU). SU1X also can’t distribute user certificates, but it does support the silent installation of a RADIUS server’s CA certificate.

When a user runs the SU1X setup program, all they have to do is enter their Username and Password and hit Start Setup. If problems are found, it will notify them; otherwise, when the configuration is complete, it will connect. They can also select the Help tab to have it run checks and get help. And if you’ve enabled the Printing tab, they can select it to set up or remove the printer settings you’ve defined in the configuration (.ini) file.
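The reviewed tools push a wireless configuration profile to Mac OS X 10.7+ and iOS devices. The following is an added example (not code from the article or from any of the reviewed products) that builds such a profile and audits whether it actually carries the RADIUS server's CA certificate and restricts which server the client will trust. It assumes an unsigned profile using Apple's Wi-Fi payload keys; the function names, SSID, server name and certificate bytes are constructed placeholders.

```python
import plistlib
import uuid

PEAP = 25  # EAP method number listed in AcceptEAPTypes
CERT_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")


def build_profile(ssid, ca_der=None, server_names=(), allow_exceptions=False):
    """Build an unsigned Wi-Fi profile; ca_der is the RADIUS CA cert (DER bytes)."""
    eap = {"AcceptEAPTypes": [PEAP], "TLSAllowTrustExceptions": allow_exceptions}
    payloads = []
    if ca_der is not None:
        ca_uuid = str(uuid.uuid4()).upper()
        payloads.append({"PayloadType": CERT_TYPES[0], "PayloadUUID": ca_uuid,
                         "PayloadContent": ca_der})
        eap["PayloadCertificateAnchorUUID"] = [ca_uuid]
    if server_names:
        eap["TLSTrustedServerNames"] = list(server_names)
    payloads.append({"PayloadType": "com.apple.wifi.managed",
                     "PayloadUUID": str(uuid.uuid4()).upper(), "SSID_STR": ssid,
                     "EncryptionType": "WPA2", "EAPClientConfiguration": eap})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": payloads})


def audit_profile(raw):
    """Return (ssid, finding) pairs for every 802.1X Wi-Fi payload in a profile."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue
        ssid = p.get("SSID_STR", "?")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append((ssid, "no-ca-anchor"))  # server cert not pinned to a CA
        elif not set(anchors) <= cert_uuids:
            findings.append((ssid, "anchor-not-in-profile"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "no-server-name-pin"))
        if eap.get("TLSAllowTrustExceptions") is True:
            findings.append((ssid, "user-may-trust-unknown-cert"))
        if p.get("EncryptionType") != "WPA2":
            findings.append((ssid, "not-wpa2"))
    return findings
```

A profile built with only an SSID, for example `audit_profile(build_profile("corp-byod"))`, reports both `no-ca-anchor` and `no-server-name-pin`, the condition in which a client cannot tell the organisation's RADIUS server from any other.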
