iPhone 2.0 to Include 802.1X

One of the nicer (for us, at least) announcements to come out of the iPhone presentation this morning is that the next generation of iPhone software will include an 802.1X supplicant, so it will work with Elektron. Apple is currently taking applications for their beta program. Every singly person here has an iPhone, so we had to create a second Wi-Fi network with WPA Personal security enabled to work around the lack of a supplicant.

Time Capsule

It's an AirPort Extreme with a 500GB or 1TB drive specifically targeting Time Machine backups. At $499, it's very aggressively priced; comparable to low end NAS units that don't include access point functions. I wonder what "server grade hard drive" means — I suspect that just means it's not a 2.5" ATA drive (which has been the knock on using the Mac Mini as a server). Here at the Labs, Mac users get an external Firewire drive and a copy of SuperDuper! for backups. I don't think we'll be replacing that low-tech-but-bulletproof setup anytime soon, but Time Capsule looks really nice for a home setup, particularly in a household with multiple Mac users.

New Xserves

Looking good. Available with four or eight cores, and memory is now expandable to 32 GB. The base models are price competitive with similarly equipped Sun and Dell machines. Plus, they're available with zippy SAS drives. For us IT geeks, this was a bigger announcement than the speculative ultraportable at MacWorld next week.

Mac OS X 10.5.1

Among the fixes is "Resolves an issue with saved passwords for wireless networks." That one has been bugging me since installing Leopard. Available now via Software Update.

The release notes also include this chestnut:

In Security preferences' Firewall tab, the "Block All" option is now called "Allow Only essential services"

So "block all" apparently didn't mean "block all."

Elektron and Leopard

The lab rats have been busy this weekend making sure that Elektron is fully compatible with the final release of Leopard. It only took a couple of minor tweaks, and a new release is now available! You'll only need this release if you're planning on running Elektron on Leopard; if you are keeping your server on Panther or Tiger (or Windows, for that matter) your existing Elektron installation will continue to authenticate Leopard users just fine.

The biggest Leopard Wi-Fi news is the disappearance of Internet Connect. All Wi-Fi configuration now occurs in the Network preference pane inside System Preferences:

One handy new feature is the ability to store 802.1X configurations on a per-user, per-system, or Login Window basis. The per-user configuration is basically how Tiger works; per-system allows you to create a single configuration for all users on the system (that is, the 802.1X login identifies the machine rather than an individual user), and the Login Window configuration allows the user to specify a username and password at login time to connect to the network before logging in. This final configuration is important for users without local accounts.

All in all, a very nice release.

Elektron 2.0.1755

A new bug-fix release of Elektron is available for both Windows and Mac OS X. This fixes intermittent issues with Windows XP client logins failing. If you've had trouble with Windows XP users connecting, you'll want this version.

Get it from our support page.

AirPort Base Station Update 2007-002

The new release includes updated firmware for AirPort Extreme 802.11n base stations. It's not documented, but the new firmware apparently allows you to establish an L2TP VPN tunnel through the base station (previously, a bug limited access to PPTP VPNs only).

AirPort Extreme Update 2007-004

Available now from Apple. Use Software Update to get it, or you can download it yourself from Apple's support page. "This update is recommended for all Intel-based MacBook, MacBook Pro, and Mac mini computers and improves the reliability of AirPort connections." No specifics mentioned, so it's unclear if this update addresses the kernel panic problem.

New Elektron Release: 2.0.1744

This is a bug fix release. It fixes a memory leak in Windows authentication, a bug in how Elektron determines which Active Directory groups a user belongs to, and removes the reliance of the Elektron double-clickable Windows certificate installers on msvcrt8.dll. This release is recommended for Windows-hosted Elektron servers, and optional for Mac OS X-hosted Elektron servers. Get it from our support page.

PARC: Wi-Fi PKI Usability Stinks

The title actually paraphrases Drs. Balfanz, Durfee, Smetters, and Grinter, but the gist is correct: managing your Wi-Fi PKI is nigh impossible. We've been seeing this here at the Labs from the beginning — from day one, the vast majority of our technical support questions have been certificate-related.

PARC conducted the study on Wi-Fi PKI usability, "In Search of Usable Security: Five Lessons from the Field." [PDF] two years ago. They asked expert computer users to try to configure their Windows XP machines to connect to the PARC Wi-Fi network:

Once the wireless network and the PKI were in place, our HCI researcher studied eight subjects’ enrollment experiences. All the subjects had advanced degrees, typically PhDs in computer science and related disciplines, but the average time it took for them to request and retrieve their certificates and then configure their systems was 140 minutes. More significantly, despite using a fairly automated Web-based enrollment system (similar to those used by commercial certificate vendors such as Verisign) and the GUI-based 802.1x wireless configuration software provided by Microsoft Windows XP, the process involved a total of 38 steps to complete enrollment.

Executive summary: "We took a bunch of computer science Phd's, gave them explicit step-by-step instructions, and it still took them over two hours to complete the configuration task, and in the end they didn't know what they had just done to their computers."

Microsoft is clearly aware of the problem, as they modified the Wi-Fi network enrollment process in Vista to suck slightly less. They've still got a long way to go, though. Personally, I'm a fan of the Mac OS X process: just connect to the network, the Mac asks "hey, I've never seen this certificate before, should I trust it?" and you're off. Clearly, Apple is on to something. Of those technical support questions I mentioned above, a lot of them start with "Help: my Macs connect to my Elektron-secured network just fine, but my Windows XP machines refuse to connect!" We've never once received the opposite.