Taskforce Mobility Mailarchive


Subject Re: WPA problem and eduroam
From Mohacsi Janos <mohacsi@xxxxxxx>
Date Wed, 3 Dec 2008 12:43:29 +0100 (CET)




On Wed, 3 Dec 2008, Tomasz Wolniewicz wrote:

> Mohacsi Janos wrote:
>> I would change the order:
>> SSID eduroam1 with WPA/TKIP + WPA2/AES
>> SSID eduroam with WPA2/AES only
>>
>> I would keep eduroam1 for compatibility reasons - if somebody has
>> a problem with WPA2/AES they can switch back to eduroam1 ....
> To do this would require a serious policy change and would completely

Agreed. We are discussing it now....

> break down the service. All eduroam TKIP users would suddenly lose
> connectivity.
> Doing it the other way round - adding a new "better" SSID would give the
> users an option to configure this new connection, while still keeping
> the old one.
> This way they would have something new without giving up the old. Also
> you will never achieve all sites changing their settings on eduroam, so
> you will never have a "clean" solution. The new SSID would be
> implemented from scratch so the institutions only used it if they wanted
> to start the AES-only service.

In my opinion the institutions can decide at which pace they will implement the new policy. Changing with warning or failure might induce quicker adoption of new services. If you keep the old "just work (tm)" configuration, then your users tend not to change it..... You have to operate TKIP forever on eduroam, fearing some users might use it.....

It is more understandable for the users - ok I was warned - I have to use eduroam1 or something which might be less secure.....


Regards,
		Janos