My current environment is a medium-size hospital with multiple campuses. We have a number of different types of devices: laptops, CoWs (Computers on Wheels), 7921s, and BlackBerrys. Currently the majority of my clients are running WPA/WPA2-PSK. Personally, I'm sick to death of PSK. It's easy and has a small footprint, but managing keys is a major pain in the butt. At any one time I have an average of 500 clients connected to my WLCs (4.2.205).

I've been trying to run a project on moving the devices to an EAP scenario. Laptops work fine in EAP-TLS, as do BlackBerrys, but as everyone knows, EAP-TLS has some authentication overhead. Here's my problem: the CoWs. The CoW is simply a mini-PC put into a specialized cart that the nurses pull from room to room for bedside meds and such. With EAP-TLS testing I'm having a lot of issues with the authentication taking too long and the user getting kicked out of their app, Meditech. Our version of Meditech is basically a crap telnet application, and if it doesn't get a response quickly it'll throw you to the desktop. Also, although I know EAP-TLS has some overhead, I'm disappointed in its roaming ability and how slow it is. As I see it, the users I have testing EAP-TLS on laptops and BlackBerrys are not truly mobile. They typically don't attempt to use their device while on the move, versus the CoW.

Here are a few things I've run into in trying to figure out a security solution, and hopefully you guys can help me out and suggest some things I haven't thought of:
EAP-TLS - Obvious overhead issues, as stated above. Is anyone running this in a similar environment? How do you deal with it?
PEAP - Relies on a strong user/pass, which does not work in our world. The nurses log into the CoW with a generic username/password that pretty much everyone is aware of. Although Windows itself is locked WAY down, you're still on the network if you have access to this user/pass.
EAP-FAST - As I understand it, with EAP-FAST and MSCHAPv2 there's a PAC for each user. If the user logs in more than once from different locations, I suspect this would be a problem. Not to mention I'm not sure how the manageability of usernames would work. I looked at using the certificate on the machine to do the authentication and setting EAP-FAST to require this for authentication, and it works fine for my laptop and the Intel PRO/Set Wireless utility, but on the CoWs, not so. The CoWs have an Atheros AR5006x chip, and with the Atheros Client Utility, the utility will only allow you to select a personal cert, not a machine certificate, for anything. Does anyone know of a client utility that will allow me to do this without spending $$$$, or of an Atheros client that will allow me to do this?
How is everyone else providing an enterprise solution with manageability and stability?
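One thing the post does not quantify is how long each EAP authentication or reauthentication actually takes per client, and whether that exceeds the Meditech telnet session's tolerance. The following is an added example, not code from the original post or from any vendor: it pairs RADIUS Access-Request lines with the matching Access-Accept/Access-Reject for the same client MAC and flags authentications that exceed a chosen threshold. The log format is a constructed, simplified one (ISO timestamp, mac=, event=, ap=); the MACs, AP names, the 2-second threshold and the sample lines are all made up, and a real WLC or RADIUS server log would need its own regex.

```python
"""Measure per-client EAP authentication latency from RADIUS-style log lines.

Added example. The log format, MAC addresses, AP names and threshold below are
constructed for illustration and are not taken from any real WLC/RADIUS product.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical simplified format.
SAMPLE_LOG = """\
2009-03-10T08:00:00.120 mac=00:11:22:33:44:55 event=Access-Request ap=AP-ICU-1
2009-03-10T08:00:01.980 mac=00:11:22:33:44:55 event=Access-Accept ap=AP-ICU-1
2009-03-10T08:00:40.300 mac=00:11:22:33:44:55 event=Access-Request ap=AP-ICU-2
2009-03-10T08:00:43.100 mac=00:11:22:33:44:55 event=Access-Accept ap=AP-ICU-2
2009-03-10T08:01:05.000 mac=aa:bb:cc:dd:ee:ff event=Access-Request ap=AP-MED-1
2009-03-10T08:01:05.450 mac=aa:bb:cc:dd:ee:ff event=Access-Accept ap=AP-MED-1
2009-03-10T08:02:00.000 mac=aa:bb:cc:dd:ee:ff event=Access-Request ap=AP-MED-2
2009-03-10T08:02:04.200 mac=aa:bb:cc:dd:ee:ff event=Access-Reject ap=AP-MED-2
"""

# Regex for the constructed format above; adapt to the real log source.
LINE_RE = re.compile(r"^(\S+) mac=(\S+) event=(\S+) ap=(\S+)$")


def parse_events(text):
    """Return a list of (timestamp, mac, event, ap) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2).lower(), m.group(3), m.group(4)))
    return events


def auth_durations(events):
    """Pair each Access-Request with the next Accept/Reject for the same MAC.

    Returns a list of dicts: mac, ap (where the result arrived), seconds, outcome.
    A request with no matching response is left unpaired and not reported.
    """
    pending = {}
    results = []
    for ts, mac, event, ap in events:
        if event == "Access-Request":
            pending[mac] = ts
        elif event in ("Access-Accept", "Access-Reject") and mac in pending:
            start = pending.pop(mac)
            results.append({
                "mac": mac,
                "ap": ap,
                "seconds": (ts - start).total_seconds(),
                "outcome": event,
            })
    return results


def slow_auths(results, threshold_s):
    """Authentications that took longer than the threshold or did not succeed."""
    return [r for r in results
            if r["seconds"] > threshold_s or r["outcome"] != "Access-Accept"]


def summarize(text, threshold_s=2.0):
    """Parse the log, compute durations, and report the worst case per client."""
    results = auth_durations(parse_events(text))
    per_client = defaultdict(list)
    for r in results:
        per_client[r["mac"]].append(r["seconds"])
    worst = {mac: max(secs) for mac, secs in per_client.items()}
    return {
        "results": results,
        "worst_per_client": worst,
        "flagged": slow_auths(results, threshold_s),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, threshold_s=2.0)
    for mac, worst in report["worst_per_client"].items():
        print(f"{mac}: worst authentication {worst:.2f}s")
    for r in report["flagged"]:
        print(f"FLAG {r['mac']} at {r['ap']}: {r['seconds']:.2f}s {r['outcome']}")
```

Run against a real export, the threshold would be set to whatever delay the telnet application tolerates before dropping to the desktop; clients whose worst-case reauthentication on roam lands above that line are the ones where a full EAP-TLS exchange is the problem rather than the radio.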