Review: XpressConnect from Cloudpath Networks

by Eric Geier

XpressConnect simplifies access to your Wi-Fi network by providing easy-to-follow wizards that connect Linux, Windows, Mac and iPhone clients in a snap.

Product: XpressConnect from Cloudpath Networks

Pros: smart wizard, great customization, great documentation

Cons: lacks support for EAP-TLS (client-side certificates)

The enterprise mode of WPA/WPA2 encryption, along with 802.1X authentication, can protect your wireless network with multiple usernames and passwords instead of a single insecure PSK or passphrase.

This mode, however, requires more configuration on part of the end-users. Client devices must be configured with the proper server and login details in order to connect to the network. As you may already know too well, this can be a huge headache for both end users and administrators.

Cloudpath Networks sets out to make the configuration and connection process to 802.1X networks as quick, simple, and secure as possible. Its XpressConnect product lets administrators create a wizard that automatically configures client devices. The company says its product can dramatically lower the costs related to your WPA-Enterprise, WPA2-Enterprise, or 802.1X network while improving the user experience.

In this review, we'll see if Cloudpath Networks is successful and delivers on its promises.

What is XpressConnect?

As briefly mentioned, XpressConnect lets administrators create a wizard that end users can run on their computer (running Windows, Mac OS, or Ubuntu Linux) or iPhone to automatically configure the encryption and PEAP or TTLS authentication settings of the network. This can also include other network related settings that can help get users connected. Both wireless and wired 802.1X authentication are supported, in addition to WEP, WPA/WPA2-PSK and unprotected access.

Administrators login to the Cloudpath Administrative Console to create and download the customized XpressConnect wizard. They can define the network details and customize the wizard interface via this Web-based console. Then they can download the finished wizard packaged for a Web server or for standalone installation, such as on a CD or flash drive. MSI installers can be created, and GPO-based deployments are supported as well.

Finally, end users can run the wizard on their computer or iPhone and it will automatically check various settings, configure the network, and connect to it. This lets even the most novice user get connected without one-on-one support from the help desk or IT department.

An ideal setup is to have an unsecured SSID or a guest VLAN with captive portal that redirects end-users to the Web installer, where the XpressConnect wizard can then configure the end user for the secured SSID or private VLAN.

Creating the XpressConnect wizard

Once you, the administrator, log onto the Cloudpath Administrative Console (see Figure 1), you're greeted with an introduction of how XpressConnect works and a link to download the Quick Start Guide.

Figure 1

We started the process by defining the network details. First up is the Visual Settings. You can change the default logo, Web image, text, and other things displayed in the wizard. Then you can define the network related settings.

This isn't a quick task; it's a 12-step comprehensive process. It covers many different settings and addresses numerous configuration and network issues -- which is a good thing.

You start with the basics, the SSID (network name) and encryption/authentication type. Client devices can even use third-party 802.1X supplicants. You can also specify which operating systems to support. Plus you can address conflicting SSIDs by making your network at the top of client's priority list, setting specific SSIDs to connect manually, and/or deleting network profiles for particular SSIDs.

You can make the wizard enable certificate validation by selecting the server's Certificate Authority (CA) or uploading your own. See Figure 2. You can define the server name, which helps ensure they connect to only your RADIUS server. You can even have the wizard check the end-user's system clock, which if incorrect can cause problems with the certificate validation.

Figure 2

As an added bonus you can also have the wizard check and enable, if needed, Windows Auto Updates, Firewall, NAP, and more. See Figure 3. For Windows 7, you can even make it disable Wireless Hosted Networks, which can pose a security risk to your network.

Figure 3

Once the XpressConnect wizard gets them connected, it can open their Web browser to a URL you choose. You can also have a revert shortcut placed on their desktop in case they want to undo the changes the wizard has made.

We went through and created a test network here in the office. We found the settings to be well documented. Each option can be expanded to see more information about it. The settings and options themselves show just how sophisticated XpressConnect is.

Using the XpressConnect wizard to configure clients

Next, we tested the wizard to see check out the end-user experience. First, we downloaded the standalone package, unzipped it, and put the files onto a CD. Then we went to a Windows 7 and Windows XP machine.

Once you pop in the CD, the XpressConnect wizard automatically comes up. See Figure 4. We entered a username and password for our 802.1X test network and hit Continue. It did the magic and told us we were successfully connected. It even let us view exactly what changes were made to the computer and gave us an option to create a revert shortcut on the desktop. It took us less than a minute to get connected.

Figure 4

We also tested the Web server deployment method. We downloaded the HTML package, unzipped it, and simply uploaded the files to a web host. When you visit the URL, it downloads a Java Applet or ActiveX program, which resembles the same XpressConnect wizard as the standalone method. We had no problems, worked just like the standalone method.

Our final thoughts

We found XpressConnect to be a solid product. Cloudpath Networks did indeed deliver on its promises. Its smart wizard can help reduce the employee hours and costs associated with supporting an 802.1X network. Plus it makes it much more user-friendly for end users. Additionally, we found XpressConnect to be very customizable, with great documentation.

The only gripe we have is that it doesn't support EAP-TLS, where there are client certificates in addition to server verification. XpressConnect only works with the PEAP and TTLS settings, in regard to the 802.1X authentication. However, these are the most popular implementations today.

Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.

This article was originally published on Wednesday Aug 11th 2010