Re: [WIRELESS-LAN] ClearPass and IPv6

2016-07-21 Thread Coughlan, Jamie (NBCC Moncton)
Sorry about the email. It was a pocket email.

Sent from my BlackBerry 10 smartphone on the Bell network.
  Original Message
From: Coughlan, Jamie (NBCC Moncton)
Sent: Thursday, July 21, 2016 6:41 PM
To: Bucklaew, Jerry
Cc: Brad Donovan; McCarthy, Brent (NBCC Miramichi)
Subject: Re: [WIRELESS-LAN] ClearPass and IPv6


Oy

Sent from my BlackBerry 10 smartphone on the Bell network.
  Original Message
From: Bucklaew, Jerry
Sent: Thursday, July 21, 2016 5:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Reply To: The EDUCAUSE Wireless Issues Constituent Group emo
Subject: Re: [WIRELESS-LAN] ClearPass and IPv6


On 07/21/2016 04:00 PM, Hector J Rios wrote:
> Jerry,
>
> We actually performed a packet capture to confirm that the accounting record 
> was making it to ClearPass and it is. It's disappointing to hear that it has 
> taken them this long to fix it.
>
>


Ok, I have learned the hard way, that it all depends on where you look for it.
Just because it is (maybe) being recorded in the internal DB does not mean it
will show up on any report yet.  Those might be future enhancements.


Let me upgrade to 6.1 and I will see if I have the same issues.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] ClearPass and IPv6

2016-07-21 Thread Coughlan, Jamie (NBCC Moncton)
Oy

Sent from my BlackBerry 10 smartphone on the Bell network.
  Original Message
From: Bucklaew, Jerry
Sent: Thursday, July 21, 2016 5:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Reply To: The EDUCAUSE Wireless Issues Constituent Group emo
Subject: Re: [WIRELESS-LAN] ClearPass and IPv6


On 07/21/2016 04:00 PM, Hector J Rios wrote:
> Jerry,
>
> We actually performed a packet capture to confirm that the accounting record 
> was making it to ClearPass and it is. It's disappointing to hear that it has 
> taken them this long to fix it.
>
>


Ok, I have learned the hard way, that it all depends on where you look for it.
Just because it is (maybe) being recorded in the internal DB does not mean it
will show up on any report yet.  Those might be future enhancements.


Let me upgrade to 6.1 and I will see if I have the same issues.




Re: [WIRELESS-LAN] ClearPass and IPv6

2016-07-21 Thread Bucklaew, Jerry
On 07/21/2016 04:00 PM, Hector J Rios wrote:
> Jerry,
>
> We actually performed a packet capture to confirm that the accounting record 
> was making it to ClearPass and it is. It's disappointing to hear that it has 
> taken them this long to fix it.
>
>


Ok, I have learned the hard way, that it all depends on where you look for it.
Just because it is (maybe) being recorded in the internal DB does not mean it
will show up on any report yet.  Those might be future enhancements.


Let me upgrade to 6.1 and I will see if I have the same issues.




RE: [WIRELESS-LAN] ClearPass and IPv6

2016-07-21 Thread Hector J Rios
Jerry, 

We actually performed a packet capture to confirm that the accounting record 
was making it to ClearPass and it is. It's disappointing to hear that it has 
taken them this long to fix it. 

Thank you for your response. 

-H

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, July 21, 2016 2:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass and IPv6

Yeah, We have been pushing them to get it straightened out for almost a year 
now.


Last I left it there were two pieces.

clearpass needs to support ipv6 accounting records, due out in 6.1

The aruba controllers need to send ipv6 accounting records, due out in 6.5 I 
think




Where are you looking for the accounting records in clearpass, monitoring --> 
accounting

Are you sure your cisco's are sending it, you have to configure it via cli last 
I remember.


My cisco was on Steelbelted radius and was definitely sending the records so I 
can upgrade my clearpass to 6.1 and see what I see if you want?



On 07/21/2016 03:36 PM, Hector J Rios wrote:
> Since we are on the topic of ClearPass, I have a comment/question. We 
> recently deployed ClearPass on our wireless. We
> are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our 
> hosts get IPv4/IPv6 addresses. We noticed
> that in the RADIUS accounting log, the IPv6 addresses do not show up. This 
> came to us as a surprise because with our
> previous RADIUS server (radiator) we did not have this limitation.
>
> The latest 6.6.1 patch just came out and in the release notes they mention 
> that they now have support for the
> Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we 
> are still not seeing IPv6 addresses.
>
> Anyone out there running ClearPass and IPv6 experiencing a similar issue?
>
> Regards,
>
> Hector Rios
>
> Louisiana State University
>
>




Re: [WIRELESS-LAN] ClearPass and IPv6

2016-07-21 Thread Bucklaew, Jerry
Yeah, We have been pushing them to get it straightened out for almost a year 
now.


Last I left it there were two pieces.

clearpass needs to support ipv6 accounting records, due out in 6.1

The aruba controllers need to send ipv6 accounting records, due out in 6.5 I 
think




Where are you looking for the accounting records in clearpass, monitoring --> 
accounting

Are you sure your cisco's are sending it, you have to configure it via cli last 
I remember.


My cisco was on Steelbelted radius and was definitely sending the records so I 
can upgrade my clearpass to 6.1 and see 
what I see if you want?



On 07/21/2016 03:36 PM, Hector J Rios wrote:
> Since we are on the topic of ClearPass, I have a comment/question. We 
> recently deployed ClearPass on our wireless. We
> are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our 
> hosts get IPv4/IPv6 addresses. We noticed
> that in the RADIUS accounting log, the IPv6 addresses do not show up. This 
> came to us as a surprise because with our
> previous RADIUS server (radiator) we did not have this limitation.
>
> The latest 6.6.1 patch just came out and in the release notes they mention 
> that they now have support for the
> Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we 
> are still not seeing IPv6 addresses.
>
> Anyone out there running ClearPass and IPv6 experiencing a similar issue?
>
> Regards,
>
> Hector Rios
>
> Louisiana State University
>
>




ClearPass and IPv6

2016-07-21 Thread Hector J Rios
Since we are on the topic of ClearPass, I have a comment/question. We recently 
deployed ClearPass on our wireless. We are a Cisco shop; 802.1X/PEAP/MSCHAPv2. 
We are also dual stack, so all of our hosts get IPv4/IPv6 addresses. We noticed 
that in the RADIUS accounting log, the IPv6 addresses do not show up. This came 
to us as a surprise because with our previous RADIUS server (radiator) we did 
not have this limitation.

The latest 6.6.1 patch just came out and in the release notes they mention that 
they now have support for the Framed-IPv6-Address RADIUS attribute (IETF 168). 
However, after upgrading, we are still not seeing IPv6 addresses.

Anyone out there running ClearPass and IPv6 experiencing a similar issue?

Regards,

Hector Rios
Louisiana State University
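
A packet capture like the one mentioned in this thread can be checked for the attribute directly. The following is an added example, not part of the original posts or any vendor's code: it parses the UDP payload of a RADIUS Accounting-Request (normally port 1813) and reports whether Framed-IPv6-Address (type 168) is present, which separates "the NAS never sent it" from "the server received it but does not display it". The sample packets, user name, MAC and addresses are constructed, and pulling the payload out of the capture is assumed to be done separately.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4            # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE = 40
FRAMED_IPV6_PREFIX = 97           # RFC 3162
FRAMED_IPV6_ADDRESS = 168         # RFC 6911, the attribute named in the thread
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def parse_attributes(packet: bytes):
    """Split one RADIUS packet (the UDP payload) into (code, [(type, value)])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field does not match the capture")
    attrs, pos = [], 20               # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def summarize_accounting(packet: bytes) -> dict:
    """Report which client addresses an Accounting-Request actually carries."""
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    out = {"user": None, "mac": None, "status": None,
           "ipv4": [], "ipv6": [], "ipv6_prefixes": []}
    for a_type, value in attrs:
        if a_type == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif a_type == CALLING_STATION_ID:
            out["mac"] = value.decode("ascii", "replace")
        elif a_type == ACCT_STATUS_TYPE:
            number = int.from_bytes(value, "big")
            out["status"] = STATUS.get(number, str(number))
        elif a_type == FRAMED_IP_ADDRESS:
            out["ipv4"].append(str(ipaddress.IPv4Address(value)))
        elif a_type == FRAMED_IPV6_ADDRESS:   # may repeat, one per address
            out["ipv6"].append(str(ipaddress.IPv6Address(value)))
        elif a_type == FRAMED_IPV6_PREFIX and len(value) >= 2:
            # value = reserved byte, prefix length, then up to 16 prefix bytes
            prefix = ipaddress.IPv6Address(value[2:18].ljust(16, b"\x00"))
            out["ipv6_prefixes"].append(f"{prefix}/{value[1]}")
    return out


def build_sample(attrs) -> bytes:
    """Build a constructed Accounting-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return header + bytes(16) + body


# Constructed sample data: documentation address ranges, invented user and MAC.
COMMON = [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-00-5E-00-53-01"),
          (ACCT_STATUS_TYPE, (3).to_bytes(4, "big")),
          (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed)]
SAMPLE_V4_ONLY = build_sample(COMMON)
SAMPLE_DUAL_STACK = build_sample(COMMON + [
    (FRAMED_IPV6_ADDRESS, ipaddress.IPv6Address("2001:db8:10::25").packed),
    (FRAMED_IPV6_PREFIX,
     b"\x00\x40" + ipaddress.IPv6Address("2001:db8:10::").packed[:8]),
])

if __name__ == "__main__":
    for name, pkt in (("v4 only", SAMPLE_V4_ONLY), ("dual stack", SAMPLE_DUAL_STACK)):
        info = summarize_accounting(pkt)
        verdict = "IPv6 present" if info["ipv6"] else "no Framed-IPv6-Address sent"
        print(f"{name}: {info['user']} {info['ipv4']} {info['ipv6']} -> {verdict}")
```
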



Re: [WIRELESS-LAN] Guest Wireless Public DNS or Internal DNS

2016-07-21 Thread Jeffrey D. Sessler
We’re using OpenDNS, but with their add-on Umbrella protection product. It 
provides great visibility (audit trails) and protection against threats (bad 
sites, malware, command and control) without the need to put an agent on the 
guest device. If so inclined, it also provides “net nanny” features e.g. block 
adult sites.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Alexandre Adao
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, July 21, 2016 at 5:55 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Guest Wireless Public DNS or Internal DNS

I would like to know if anyone has opted to use their own local/internal DNS 
for Guest Wireless or Eduroam instead of public DNS (e.g. Google, OpenDNS, etc). 
What would be the reasons? Ex: Audit trails? And what would the risk be, if any? 
Any feedback, I appreciate.

Thanks,

--Alex Adao





RE: Aruba and Bradford

2016-07-21 Thread Adam T Ferrero

  We are very happy with our Aruba Clearpass implementation.  We brought it in 
for host integrity checking in our residence halls and have continued to add 
more services.  It handled Meru and now Aruba wireless as well as our Avaya 
wired infrastructure.  It is feature rich and very flexible.

  We have 6,000 students in Temple managed residence halls (13 - 15k devices) 
with less than 5% of the devices connecting wired.  We do force the Onguard 
agent on Windows and MACs and require our managed anti-virus.  Other devices 
can just authenticate and work against wireless WPA2 enterprise SSID or wired 
.1x.  Non .1x capable devices are self-registered by the students into 
Clearpass (they add the mac address and we then mac auth accept them).  We 
built out all the pretty captive portal pages so onboarding process is terribly 
smooth and self service.

  We've rolled all our enterprise WPA2 enterprise authentication onto Clearpass 
as well (~50,000 concurrent clients).  I was against the purchase initially two 
years ago (being a freeradius / Packet Fence fanatic) but it has served us 
superbly.  Last fall showed the lowest Help Desk ticket volume of any move-in 
ever.  Here's hoping we all do equally well this fall.

  Adam

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Thursday, July 21, 2016 9:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba and Bradford

Thanks everyone.  Keep the info flowing ...

Bruce, we're a mixed shop on the wired side.  Since 2011 we've been a Juniper 
shop.  Before that, and I still have a lot of their gear that I haven't 
upgraded, we were Alcatel(-Lucent).

Those of you who are using ClearPass, anyone have a mixed wireless shop (ie, 
did you start with another vendor and move to Aruba)?  I'm curious if you 
avoided using ClearPass on the other wireless or embraced it, and to what level 
of success?

So, how many of your friends/acquaintances think you all get the summer off, 
because we work in academia?  This is all great information everyone!

-Brian 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Thursday, July 21, 2016 7:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba and Bradford

Brian,

What wired vendor are you using?  I know for Cisco wired switches, you can pass 
the vlan name (as defined on the access switch) instead of the vlan ID for a 
role. This lets you have many student VLANs in the network, for instance.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
 
(434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Bucklaew, Jerry [mailto:j...@buffalo.edu]
Sent: Wednesday, July 20, 2016 4:50 AM
Subject: Re: Aruba and Bradford

Brian,

We are a bradford shop and are migrating to clearpass.  We used the 
bradford for registration or our resnet as well as our wireless gaming network. 
 It worked ok, but my major issues with it were..

1. Bradford is designed around vlan switching, moving ports from one vlan to 
the other.  Vlan switch is labor/process intensive to setup/run because it 
needs to know about every switch, needs to know about every link change and 
needs to talk to every switch.

2. Bradford is not flexible when it comes to passing back radius attributes.  
For example you can pass back only one attribute, interface-name I think.  You 
can not do multiple.

3. Bradford is not flexible about registration, the device needs to be on the 
network in order to register.  User admin of registration does not exist.


We moved to clearpass for our wireless network and it is just a much more 
flexible system.  It can do almost anything, very customizable.  Our main 
driver was dorm Ap's.  By moving to dorm ap's (every other room) we are putting 
half our wired ports through the aruba system.  To get the same look and feel 
from a user perspective both wired and dorm ap wired need to be off the same 
system.  We moved away from vlan switching to 802.1x/mac off on the dorm ap's 
and an inline system for the rest of the wired ports.  Eventually we are moving 
to 802.1x/mac off for everything, away from vlan switching.  Besides the same 
look and feel, it gives us a much more flexible registration system and a very 
nice "my devices" portal so users can manage their own registrations.

I can give more specifics if you need it.


On 7/19/2016 5:10 PM, Brian Helman wrote:
> Feel free to ping me off-list.  I may sanitize/redact comments and repost 
> them for the benefit of others though..
>
>
>
> If you are an Aruba AND Bradford shop, what was your reason for using 
> Bradford vs Clearpass?  Our primary interest in NAC is onboarding and 
> guest networks (wired and w

RE: Aruba and Bradford

2016-07-21 Thread Brian Helman
Thanks everyone.  Keep the info flowing ...

Bruce, we're a mixed shop on the wired side.  Since 2011 we've been a Juniper 
shop.  Before that, and I still have a lot of their gear that I haven't 
upgraded, we were Alcatel(-Lucent).

Those of you who are using ClearPass, anyone have a mixed wireless shop (ie, 
did you start with another vendor and move to Aruba)?  I'm curious if you 
avoided using ClearPass on the other wireless or embraced it, and to what level 
of success?

So, how many of your friends/acquaintances think you all get the summer off, 
because we work in academia?  This is all great information everyone!

-Brian 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Thursday, July 21, 2016 7:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba and Bradford

Brian,

What wired vendor are you using?  I know for Cisco wired switches, you can pass 
the vlan name (as defined on the access switch) instead of the vlan ID for a 
role. This lets you have many student VLANs in the network, for instance.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
 
(434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Bucklaew, Jerry [mailto:j...@buffalo.edu]
Sent: Wednesday, July 20, 2016 4:50 AM
Subject: Re: Aruba and Bradford

Brian,

We are a bradford shop and are migrating to clearpass.  We used the 
bradford for registration or our resnet as well as our wireless gaming network. 
 It worked ok, but my major issues with it were..

1. Bradford is designed around vlan switching, moving ports from one vlan to 
the other.  Vlan switch is labor/process intensive to setup/run because it 
needs to know about every switch, needs to know about every link change and 
needs to talk to every switch.

2. Bradford is not flexible when it comes to passing back radius attributes.  
For example you can pass back only one attribute, interface-name I think.  You 
can not do multiple.

3. Bradford is not flexible about registration, the device needs to be on the 
network in order to register.  User admin of registration does not exist.


We moved to clearpass for our wireless network and it is just a much more 
flexible system.  It can do almost anything, very customizable.  Our main 
driver was dorm Ap's.  By moving to dorm ap's (every other room) we are putting 
half our wired ports through the aruba system.  To get the same look and feel 
from a user perspective both wired and dorm ap wired need to be off the same 
system.  We moved away from vlan switching to 802.1x/mac off on the dorm ap's 
and an inline system for the rest of the wired ports.  Eventually we are moving 
to 802.1x/mac off for everything, away from vlan switching.  Besides the same 
look and feel, it gives us a much more flexible registration system and a very 
nice "my devices" portal so users can manage their own registrations.

I can give more specifics if you need it.


On 7/19/2016 5:10 PM, Brian Helman wrote:
> Feel free to ping me off-list.  I may sanitize/redact comments and repost 
> them for the benefit of others though..
>
>
>
> If you are an Aruba AND Bradford shop, what was your reason for using 
> Bradford vs Clearpass?  Our primary interest in NAC is onboarding and 
> guest networks (wired and wireless).  We are currently a Bradford 
> shop.  I don’t see a reason to change, but I’d like to understand the 
> benefits (or drawbacks) for staying with Bradford (or moving to Clearpass, 
> for that matter).
>
>
>
> If you migrated from Bradford to Clearpass, would you do it again?  Pains?  
> Successes?
>
>
>
>




Guest Wireless Public DNS or Internal DNS

2016-07-21 Thread Alexandre Adao
I would like to know if anyone has opted to use their own local/internal
DNS for Guest Wireless or Eduroam instead of public DNS (e.g. Google, OpenDNS,
etc). What would be the reasons? Ex: Audit trails? And what would the risk
be, if any? Any feedback, I appreciate.

Thanks,

--Alex Adao




RE: Aruba and Bradford

2016-07-21 Thread Osborne, Bruce W (Network Services)
Brian,

What wired vendor are you using?  I know for Cisco wired switches, you can pass 
the vlan name (as defined on the access switch) instead of the vlan ID for a 
role. This lets you have many student VLANs in the network, for instance.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
 
(434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Bucklaew, Jerry [mailto:j...@buffalo.edu] 
Sent: Wednesday, July 20, 2016 4:50 AM
Subject: Re: Aruba and Bradford

Brian,

We are a bradford shop and are migrating to clearpass.  We used the 
bradford for registration or our resnet as well as our wireless gaming network. 
 It worked ok, but my major issues with it were..

1. Bradford is designed around vlan switching, moving ports from one vlan to 
the other.  Vlan switch is labor/process intensive to setup/run because it 
needs to know about every switch, needs to know about every link change and 
needs to talk to every switch.

2. Bradford is not flexible when it comes to passing back radius attributes.  
For example you can pass back only one attribute, interface-name I think.  You 
can not do multiple.

3. Bradford is not flexible about registration, the device needs to be on the 
network in order to register.  User admin of registration does not exist.


We moved to clearpass for our wireless network and it is just a much more 
flexible system.  It can do almost anything, very customizable.  Our main 
driver was dorm Ap's.  By moving to dorm ap's (every other room) we are putting 
half our wired ports through the aruba system.  To get the same look and feel 
from a user perspective both wired and dorm ap wired need to be off the same 
system.  We moved away from vlan switching to 802.1x/mac off on the dorm ap's 
and an inline system for the rest of the wired ports.  Eventually we are moving 
to 802.1x/mac off for everything, away from vlan switching.  Besides the same 
look and feel, it gives us a much more flexible registration system and a very 
nice "my devices" portal so users can manage their own registrations.

I can give more specifics if you need it.


On 7/19/2016 5:10 PM, Brian Helman wrote:
> Feel free to ping me off-list.  I may sanitize/redact comments and repost 
> them for the benefit of others though..
>
>
>
> If you are an Aruba AND Bradford shop, what was your reason for using Bradford 
> vs Clearpass?  Our primary interest in NAC
> is onboarding and guest networks (wired and wireless).  We are currently a 
> Bradford shop.  I don’t see a reason to
> change, but I’d like to understand the benefits (or drawbacks) for staying 
> with Bradford (or moving to Clearpass, for
> that matter).
>
>
>
> If you migrated from Bradford to Clearpass, would you do it again?  Pains?  
> Successes?
>
>
>
>




RE: Aruba and Bradford

2016-07-21 Thread Osborne, Bruce W (Network Services)
Kevin,

Feel free to ping me off-list for any questions, etc. on ClearPass Guest.

We moved our guest over a couple of years ago, but there are some things I 
would do differently, if I had the time and the insight I have now.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Kevin.Jacobs [mailto:kevin.jac...@trnty.edu]
Sent: Wednesday, July 20, 2016 10:47 PM
Subject: Re: Aruba and Bradford

Brian,

We migrated from Bradford to ClearPass last summer.  We were deciding between 
licensing some of the newer Bradford features (integrating with our firewall, 
etc) or moving to ClearPass.

We were using Microsoft NPS for RADIUS proxied through our Bradford 
NetworkSentry to return the appropriate role to our Aruba controller.  We also 
used Bradford for posture checks as students registered devices, requiring 
antivirus, etc.  We had Bradford in place for all wired dorm port control as 
well as campus-wide wireless authentication.  One thing that we liked with 
Bradford was the ability for students to have a switch in their room (with all 
registered devices) if there were not enough wired ports in an area.  This was 
more of an issue in the past, with the prevalence of wireless devices in the 
dorms, our wired port utilization is much lower than it used to be.

After deciding posture checking wasn’t a requirement moving forward (which 
Bradford has always done very well for us) we ended up with a decision that we 
could possibly utilize ClearPass better with our existing Aruba infrastructure. 
 We are currently using ClearPass for:

· 802.1X authentication for campus wireless

· 802.1X/MAC authentication for dorm wired ports (anything that can use 
802.1X does, other devices can MAC Auth and are registered through ClearPass – 
we were able to utilize multiple VLANs for registered devices as well, 
depending on what the device is profiled as – one issue here was Xbox One 
consoles/Windows 10 machines, still not sure if there’s a great answer there…)

· Device Registration (all non-802.1X devices need to MAC Auth) – Users 
can register devices which then get profiled and assigned a VLAN based on 
device type and network restrictions (helped keep console gamers happy).

· Student AirPlay limitation (ClearPass has the ability to limit what 
wireless users can AirPlay to a student’s registered devices, they choose when 
it is registered but can modify it later)

· TACACS+ for network device administration.

· RADIUS – far better to look/search through than NPS, each attempt is 
logged and an alert tab often points to the problem with the authentication 
attempt.  We’re able to provide read-only access to our HelpDesk which allows 
them with a bit more confidence to identify the problem.

· Firewall Integration - ClearPass passes User ID information to our 
firewall allowing better defined rules.

We are working on implementing a better guest management solution with 
ClearPass right now, hopefully we’ll have it branded/working within the next 
couple weeks… we’ll see how that goes.  We also plan to use ClearPass to secure 
more than just dorm ports on campus as switches are replaced.

I think ClearPass has a steeper learning curve than Bradford did (especially 
when we implemented it), but the additional features and flexibility have 
definitely been worth it so far.  Once you have an understanding of how it 
works and can pass back multiple attributes to different systems you can do a 
lot with it (for example, we return User ID info to the firewall, update the 
Endpoint record in ClearPass with the switch/port the device is connected to, 
and return the appropriate VLAN based on the building that the user is in).

Feel free to contact me off-list if you have any other questions.

Kevin Jacobs
IT Systems Manager
Trinity Christian College
708.239.4735





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Tuesday, July 19, 2016 4:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba and Bradford

Feel free to ping me off-list.  I may sanitize/redact comments and repost them 
for the benefit of others though..

If you are an Aruba AND Bradford shop, what was your reason for using Bradford 
vs Clearpass?  Our primary interest in NAC is onboarding and guest networks 
(wired and wireless).  We are currently a Bradford shop.  I don’t see a reason 
to change, but I’d like to understand the benefits (or drawbacks) for staying 
with Bradford (or moving to Clearpass, for that matter).

If you migrated from Bradford to Clearpass, would you do it again?  Pains?  
Successes?

Vendors:  This is not a solicitation for NAC’s or wireless.  I’m collecting 
information.

Thanks!

-Brian




Brian