Will the Pix 501 and 1100 series WAP's Work with the new authentication system?

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
User avatar
Biggles
Senior Member
Posts: 923
Joined: Tue May 27, 2008 4:14 am
Location: Watford, England

Will the Pix 501 and 1100 series WAP's Work with the new authentication system?

Postby Biggles » Thu Jun 28, 2012 3:51 am

Purely out of interest, will the authentication system work with the 1100 series WAP's and Pix 501, when it goes live?

This is a repeat of my post in another thread, which may be I should have done originally, but was hoping for clarification in that thread.

bradhokanson
Church Employee
Church Employee
Posts: 41
Joined: Sun Mar 06, 2011 12:31 pm
Location: Utah, USA

Postby bradhokanson » Thu Jun 28, 2012 5:24 am

No they wont.

Biggles wrote:Purely out of interest, will the authentication system work with the 1100 series WAP's and Pix 501, when it goes live?

This is a repeat of my post in another thread, which may be I should have done originally, but was hoping for clarification in that thread.
Security Engineering
The Church of Jesus Christ of Latter-Day Saints

User avatar
aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Thu Jun 28, 2012 5:37 am

Biggles wrote:Purely out of interest, will the authentication system work with the 1100 series WAP's and Pix 501, when it goes live?

This is a repeat of my post in another thread, which may be I should have done originally, but was hoping for clarification in that thread.


It's my understanding that the new authentication system based on LDS Account will not work with the older hardware -- it will require the 881w firewall. I did a quick look, and the only online documentation I could find to back that up is in the January 2011 Brown Bag Session, where you see this:
What are the password requirements on the wireless access points? In the past, wireless access points have been left up to local STS to determine what to use. Going forward, there is a wireless access point available through the eStore. For now, access will be controlled by a global pre-shared key. In the near future (i.e., later this year), this will change to LDS account authentication, and the pre-shared key will no longer be required. NOTE: This will only be available with the new firewall and access points.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

User avatar
Biggles
Senior Member
Posts: 923
Joined: Tue May 27, 2008 4:14 am
Location: Watford, England

Postby Biggles » Thu Jun 28, 2012 6:10 am

aebrown wrote:It's my understanding that the new authentication system based on LDS Account will not work with the older hardware -- it will require the 881w firewall. I did a quick look, and the only online documentation I could find to back that up is in the January 2011 Brown Bag Session, where you see this:

Many thanks for the reference. With this information and working through the Stake PFR, we will try and persuade our FM Group manager to update our system, in time for the rollout of the authentification system!

russellhltn
Community Administrator
Posts: 20772
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Thu Jun 28, 2012 10:42 am

Do the WAPs have to be updated as well? I was under the impression that the authentication was all in the firewall.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

harddrive
Member
Posts: 445
Joined: Thu Jan 03, 2008 7:52 pm

Postby harddrive » Fri Jun 29, 2012 5:46 am

RussellHltn wrote:Do the WAPs have to be updated as well? I was under the impression that the authentication was all in the firewall.


My question is when will this authentication change take place? I have two units that are using ASA 5505's.

I got changes that will need to be done at some of my buildings for this authentication to happen. I would like to get them fixed before this happens.

Thanks for letting me know.

russellhltn
Community Administrator
Posts: 20772
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri Jun 29, 2012 10:29 am

I haven't seen any timetine for LDS Authentication. But the Wiki on Legacy meetinghouse firewalls says
If you have an older meetinghouse firewall, you should contact your FM group to budget for and schedule their replacement with the current meetinghouse firewall offering during the latter half of 2012 or early 2013. Upgraded firewalls will support new local administration capabilities being deployed near the end of 2012.


Note that timelines frequently slip, but that's the most specific information I've seen.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

User avatar
jonahhex
New Member
Posts: 17
Joined: Fri Jun 08, 2012 12:33 pm
Location: Salt Lake City

Postby jonahhex » Fri Jun 29, 2012 3:00 pm

This is one point that is not that clear from our engineers yet. The ASA and PIX firewalls do not have password or authentication for WiFi when you connect a 1041n besides a configuration line that lets it talk to a controller. We think all authentication would be handled by the controller and should be able to use ASAs and PIX firewalls... but they are saying no... so far. This is not a finalized system and there can still be changes to come in the near future.
Keeping the Church Communication Network working
Tim Johnson - GSC - Connectivity

User avatar
aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Jun 29, 2012 7:13 pm

jonahhex wrote:This is one point that is not that clear from our engineers yet. The ASA and PIX firewalls do not have password or authentication for WiFi when you connect a 1041n besides a configuration line that lets it talk to a controller. We think all authentication would be handled by the controller and should be able to use ASAs and PIX firewalls... but they are saying no... so far. This is not a finalized system and there can still be changes to come in the near future.


What about the other kind of mixed combination -- an 881w with 1100 or 1200 WAPs? Would that combination support the new authentication? RussellHltn asked that question earlier, and your answer still leaves me wondering about that situation (which applies to two buildings in our stake).
Questions that can benefit the larger community should be asked in a public forum, not a private message.

russellhltn
Community Administrator
Posts: 20772
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri Jun 29, 2012 8:49 pm

Prior information suggested that Authentication would also be effective on wired connections. (In general, I support that, except for FHCs). Perhaps the challenge with WAPs is to make sure the firewall sees each connection as a new "user" since it's all coming from the same device.

One of my concerns about this is that someone will stick a rouge home router/WAP in the clerks office. As long as everyone using it has to authenticate, I'm not concerned. But if it allows everyone to use one person's login, then I have a concern.

(We're full of questions, aren't we? )
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.


Return to “Meetinghouse Internet”

Who is online

Users browsing this forum: No registered users and 1 guest