Review: XpressConnect from Cloudpath Networks
By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on
EnterpriseNetworkingPlanet
Pros: smart wizard, great customization, great documentation
Cons: lacks support for EAP-TLS (client-side certificates)
The enterprise mode of WPA/WPA2 encryption, along with 802.1X
authentication, can protect your wireless network with multiple
usernames and passwords instead of a single insecure PSK or
passphrase.
This mode, however, requires more configuration on the part of
end users. Client devices must be configured with the proper server
and login details in order to connect to the network. As you may
already know too well, this can be a huge headache for both end
users and administrators.
Cloudpath Networks sets out to make the configuration and connection
process to 802.1X networks as quick, simple, and secure as possible.
Its XpressConnect product lets administrators create a wizard that
automatically configures client devices. The company says its
product can dramatically lower the costs related to your
WPA-Enterprise, WPA2-Enterprise, or 802.1X network while improving
the user experience.
In this review, we'll see if Cloudpath Networks is successful and
delivers on its promises.
What is XpressConnect?
As briefly mentioned, XpressConnect
lets administrators create a wizard that end users can run on their
computer (running Windows, Mac OS, or Ubuntu Linux) or iPhone to
automatically configure the encryption and PEAP or TTLS
authentication settings of the network. This can also include other
network related settings that can help get users connected. Both
wireless and wired 802.1X authentication are supported, in addition
to WEP, WPA/WPA2-PSK and unprotected access.
Administrators log in to the Cloudpath Administrative Console to
create and download the customized XpressConnect wizard. They can
define the network details and customize the wizard interface via
this Web-based console. Then they can download the finished wizard
packaged for a Web server or for standalone installation, such as on
a CD or flash drive. MSI installers can be created, and GPO-based
deployments are supported as well.
Finally, end users can run the wizard on their computer or iPhone
and it will automatically check various settings, configure the
network, and connect to it. This lets even the most novice user get
connected without one-on-one support from the help desk or IT
department.
An ideal setup is to have an unsecured SSID or a guest VLAN with
captive portal that redirects end-users to the Web installer, where
the XpressConnect wizard can then configure the end user for the
secured SSID or private VLAN.
Creating the XpressConnect wizard
Once you, the administrator, log onto
the Cloudpath Administrative Console (see Figure 1), you're greeted
with an introduction of how XpressConnect works and a link to
download the Quick Start Guide.

Figure 1
We started the process by defining the
network details. First up is the Visual Settings. You can change the
default logo, Web image, text, and other things displayed in the
wizard. Then you can define the network related settings.
This isn't a quick task; it's a 12-step comprehensive process. It
covers many different settings and addresses numerous configuration
and network issues -- which is a good thing.
You start with the basics, the SSID (network name) and
encryption/authentication type. Client devices can even use
third-party 802.1X supplicants. You can also specify which operating
systems to support. Plus you can address conflicting SSIDs by placing
your network at the top of the client's priority list, setting specific
SSIDs to connect manually, and/or deleting network profiles for
particular SSIDs.
You can make the wizard enable certificate validation by selecting
the server's Certificate Authority (CA) or uploading your own. See
Figure 2. You can define the server name, which helps ensure they
connect to only your RADIUS server. You can even have the wizard
check the end-user's system clock, which if incorrect can cause
problems with the certificate validation.

Figure 2
As an added bonus you can also have
the wizard check and enable, if needed, Windows Auto Updates,
Firewall, NAP, and more. See Figure 3. For Windows 7, you can even
make it disable Wireless Hosted Networks, which can pose a security
risk to your network.

Figure 3
Once the XpressConnect wizard gets
them connected, it can open their Web browser to a URL you choose.
You can also have a revert shortcut placed on their desktop in case
they want to undo the changes the wizard has made.
We went through and created a test network here in the office. We
found the settings to be well documented. Each option can be
expanded to see more information about it. The settings and options
themselves show just how sophisticated XpressConnect is.
Using the XpressConnect wizard to configure clients
Next, we tested the wizard to
check out the end-user experience. First, we downloaded the
standalone package, unzipped it, and put the files onto a CD. Then
we went to a Windows 7 and Windows XP machine.
Once you pop in the CD, the XpressConnect wizard automatically comes
up. See Figure 4. We entered a username and password for our 802.1X
test network and hit Continue. It did the magic and told us we were
successfully connected. It even let us view exactly what changes
were made to the computer and gave us an option to create a revert
shortcut on the desktop. It took us less than a minute to get
connected.

Figure 4
We also tested the Web server
deployment method. We downloaded the HTML package, unzipped it, and
simply uploaded the files to a web host. When you visit the URL, it
downloads a Java Applet or ActiveX program, which resembles the
XpressConnect wizard from the standalone method. We had no problems;
it worked just like the standalone method.
Our final thoughts
We found XpressConnect to be a solid
product. Cloudpath Networks did indeed deliver on its promises. Its
smart wizard can help reduce the employee hours and costs associated
with supporting an 802.1X network. Plus it makes it much more
user-friendly for end users. Additionally, we found XpressConnect to
be very customizable, with great documentation.
The only gripe we have is that it doesn't support EAP-TLS, where
there are client certificates in addition to server verification.
XpressConnect only works with the PEAP and TTLS settings, in regard
to the 802.1X authentication. However, these are the most popular
implementations today.