3 tools for secure BYOD Wi-Fi setup

See how to use ClearPass QuickConnect from Aruba, XpressConnect from Cloudpath and open-source SU1X for configuring safe Wi-Fi connections.

Deploying the enterprise mode of Wi-Fi Protected Access (WPA2) with 802.1X authentication provides great Wi-Fi security, but it also complicates client configuration and connection. In BYOD environments, this can cause user frustration and a spike in help desk calls. One solution is to deploy an automated configuration process so users can easily connect their devices without intervention from IT staff. In this review, we looked at three tools to help distribute Wi-Fi and 802.1X settings to users: ClearPass QuickConnect from Aruba, XpressConnect from Cloudpath and the open-source SU1X.

ClearPass QuickConnect

ClearPass QuickConnect from Aruba is a cloud-based service that supports Windows, Mac OS X, iOS and Android clients. In addition to the 802.1X settings, it can install the RADIUS server’s CA certificate but not user certificates — though this functionality is being added in an update slated for next month. To get started with QuickConnect, you log into their website where you’ll find a simple interface. To define the network and client program settings, you add a Network.

The settings are fairly straightforward but lack tooltips or other descriptions. The administration user guide describes most settings thoroughly, though its layout and flow could be improved. One major inconvenience of QuickConnect is that you must define separate settings for each OS type: Windows XP, Windows Vista and later, Mac OS X 10.5/10.6, Mac OS X 10.7 and iOS, and Android. For each you must also separately define the wireless and wired settings, even if you’d like them to be the same.

QuickConnect lets you perform basic customization of the client program's user interface, such as the organization name, reset password and help desk links, and logo. Once you’re done, you can generate and download the package of files. You can then upload the package to a Web server that users can access, which will automatically download the appropriate program or app for their OS, or you can distribute the files individually by other means.

Testing the client configuration process via a Web server went smoothly for each OS type. When configuring an Android device, it required that a device PIN/password be set in order to install the RADIUS server’s CA certificate. In Windows and Mac OS X 10.6 and earlier, it downloads a simple wizard-type application where you type in your username and password to configure the network settings, and then you can choose to Connect or Close the application. In Mac OS X 10.7 and later and on iOS devices, it downloads and installs the wireless configuration profile. On Android devices, it prompts the user to download the QuickConnect app, where they’d enter their username and password.

XpressConnect

XpressConnect from Cloudpath Networks is a cloud-based service similar to ClearPass QuickConnect. It supports Windows, Mac OS X, Ubuntu, iOS and Android devices. It can also distribute the RADIUS server CA certificate and any user certificates by pulling them from your Microsoft CA via the XpressConnect Microsoft CA Integration Module. XpressConnect supports a device’s native supplicant, or it can work with the third-party supplicants XSupplicant or SecureW2. It also supports wireless networks secured with the pre-shared key (PSK) mode of WPA/WPA2 (or even the old WEP).

To set the network settings and customize the branding of the XpressConnect client program, you use the Web-based Cloudpath Administrative Console. The settings are presented in a wizard fashion and are well explained, and the documentation is thorough. You can customize the text and images of the client interface, and also its look and feel by changing the text and line colors. After the initial configuration, you can access the advanced settings and adjust settings for each OS type.

After you’ve defined your network and visual settings for the client application, you have several methods you can use to deploy: Web server, standalone (for CD, flash drive, etc.) or integration with a Microsoft CA by hosting it on a domain-joined Web server so it can automatically hand out user certificates for networks utilizing EAP-TLS. When users visit the URL where you’ve uploaded the XpressConnect files, they will see your customized welcome page, which by default makes them accept your end-user agreement.

In our tests each OS’s configuration went smoothly. Installing the CA certificate on Android devices requires the device to have a lock screen password/PIN set. But with XpressConnect you can optionally waive this requirement by enabling storage of the certificate in a location other than the default local keystore. In Windows, Mac OS X 10.6 and earlier, and Ubuntu, a wizard type of application is downloaded where you can input the username and password to configure and connect to the network. In Mac OS X 10.7 and later and on iOS devices, it downloads and installs the wireless configuration profile. On Android devices, it prompts users to download the XpressConnect app, where they’d enter their username and password.

SU1X

SU1X is open-source software written by Gareth Ayres of Swansea University and released under the Educational Community License, Version 2.0. Use outside of an academic environment is allowed but requires approval from the developer. SU1X configures the wired or wireless 802.1X settings on Windows XP (SP2), Vista (any SP), 7 or 8. Though it doesn’t support smartphones and tablets, it does include step-by-step directions on how to create an automated configuration app for iOS devices using an Apple utility called the iPhone Configuration Utility (IPCU). SU1X also can’t distribute user certificates, but it does support the silent installation of a RADIUS server’s CA certificate.
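
A configuration profile you build yourself, such as the iOS profile the SU1X directions have you create with IPCU, is worth checking for RADIUS server validation before you distribute it. The Python sketch below is an added example, not code from SU1X or either vendor; it assumes an unsigned XML .mobileconfig, and the sample profiles, SSID, UUID and server name are constructed placeholders.

```python
import plistlib

# Payload types that carry a certificate inside a configuration profile.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_wifi_profile(raw: bytes) -> dict:
    """Return {ssid: [issues]} for each Wi-Fi payload in a .mobileconfig plist."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    ca_uuids = {p.get("PayloadUUID") for p in payloads
                if p.get("PayloadType") in CERT_TYPES}
    report = {}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        issues = []
        if p.get("EncryptionType") in ("WEP", "None"):
            issues.append("weak or no encryption")
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            issues.append("no 802.1X (EAP) settings")
        else:
            anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
            if not anchors:
                issues.append("RADIUS server CA not pinned")
            elif not anchors <= ca_uuids:
                issues.append("anchor UUID matches no certificate payload")
            if not eap.get("TLSTrustedServerNames"):
                issues.append("no trusted RADIUS server names")
            if eap.get("TLSAllowTrustExceptions") is True:
                issues.append("users may accept untrusted server certificates")
        report[p.get("SSID_STR", "<no SSID>")] = issues
    return report

def make_profile(eap: dict) -> bytes:
    """Build a constructed sample profile (placeholder SSID and UUID)."""
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleCorp",
            "EncryptionType": "WPA2", "EAPClientConfiguration": eap}
    ca = {"PayloadType": "com.apple.security.root",
          "PayloadUUID": "CA-UUID-PLACEHOLDER"}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [ca, wifi]})

# Constructed samples: PEAP (EAP type 25) with and without server validation.
GOOD = make_profile({"AcceptEAPTypes": [25],
                     "PayloadCertificateAnchorUUID": ["CA-UUID-PLACEHOLDER"],
                     "TLSTrustedServerNames": ["radius.example.org"],
                     "TLSAllowTrustExceptions": False})
BAD = make_profile({"AcceptEAPTypes": [25], "TLSAllowTrustExceptions": True})

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, audit_wifi_profile(raw))
```

A profile that pins no CA and lists no server names leaves clients willing to send credentials to any access point advertising the same SSID, which is the gap the CA-certificate installation in these tools is meant to close.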

When a user runs the SU1X setup program, all they have to do is enter their Username and Password and hit Start Setup. If problems are found, SU1X will notify them; otherwise, it will connect when the configuration is complete. They can also select the Help tab to have the application run checks and get help. And if you’ve enabled the Printing tab, they can select it to set up or remove the printer settings you’ve defined in the configuration (.ini) file.

Eric Geier is a freelance tech writer—keep up with his writings on his Facebook Fan Page. He’s also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.