Re: [WIRELESS-LAN] share 802.1x experience? (Eduroam Question)

2010-08-19 Thread Oliver Gorwits

On 19/08/2010 17:45, Lee H Badman wrote:
> Good summary. On the topic of Eduroam- any sense of real demand and
> usage for the service?

As a partial answer... we now use Eduroam (and hence 802.1X) as the
primary service for members of our institution, with a backup
service leveraging VPN for those few not able to get .1X working.

So that means we have several hundred concurrent connections every
day from local users, and a good number of roaming (visiting) users
from other institutions.

Some sites combine this with RADIUS based VLAN assignment so local
users get more privileged access to the network when at home, but
are able to use the same SSID/config when at home or away.

HTH,

-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] share 802.1x experience? (Eduroam Question)

2010-08-19 Thread James J J Hooper

On 19/08/2010 17:45, Lee H Badman wrote:

Philippe-

Good summary. On the topic of Eduroam- any sense of real demand and usage
for the service?

Thanks-

Lee


Hi Lee,

We are in the UK, but some stats for you:

1) People visiting Bristol in the last month are on the diagram here:
http://www.wireless.bris.ac.uk/getconnected/services/eduroam/eduroam-visitors-advice/

2) Stefan at Restena has put together a prototype system that shows daily 
usage between a selection of European countries:

http://ticker.eduroam.lu/daily.php
{So far today: a total of 3251 devices visiting another organisation 
within their own country, and 379 devices roaming outside their home country.}


-James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk/eduroam
--



Re: [WIRELESS-LAN] share 802.1X experience? (Eduroam Question)

2010-08-19 Thread Philippe Hanset
Lee,

Since the installed base is not big in the US (15 institutions), it's hard to 
gauge a real demand/usage.
I can give numbers like "thousands of authentications" but in terms of unique 
users it is not more than 20-30 per week.
We did provide eduroam at the last Internet2 member meeting and got 50+ users 
to join out of 700 participants.
Not bad for a first time, and no helpdesk call at all (all done with Cisco FAT 
APs).
The highest traffic that we see for the US federation is between LSU and LSU 
Health.
In that particular case eduroam is an attractive way of connecting two 
different 802.1X domains.

As a side note, I wish all our incoming students knew about eduroam!
Yesterday, first day of class, our visitor network was down due to lack of IP 
addresses. Most of our incoming students for some strange reason had decided to 
join the visitor network and the 1000 or so IP addresses were not enough to 
respond to the demand. With 802.1X (and in this case the eduroam SSID), you 
don't get an IP address until you really mean to connect!
Maybe we need to rename our visitor SSID "donotconnect" instead of "ut-visitor" 
;-)

Philippe


On Aug 19, 2010, at 12:45 PM, Lee H Badman wrote:

> Philippe-
>  
> Good summary. On the topic of Eduroam- any sense of real demand and usage for 
> the service?
>  
> Thanks-
>  
> Lee

RE: [WIRELESS-LAN] share 802.1x experience? (Eduroam Question)

2010-08-19 Thread Lee H Badman
Philippe-

Good summary. On the topic of Eduroam- any sense of real demand and usage for 
the service?

Thanks-

Lee




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Thursday, August 19, 2010 12:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] share 802.1x experience?

Kay,

Just a few heads up:

-Definitely do WPA2
-The choice of EAP method is important. EAP-PEAP with AD as the backend makes 
life easier, though you can create a SAMBA front end to LDAP if you want (there 
is documentation on eduroamus.org)
-The choice of the CA seems to matter in how smooth the roll out goes (Verisign 
works well), self signed certificates can be a pain.
-If you decide to support EAP-TTLS, people on this list have been very pleased 
with XpressConnect to facilitate the deployment of supplicants for Windows
-Educate the community (documentation etc...) on how important the certificate 
verification is. Man In the Middle with 802.1x over Wireless is not that hard!
-Be aware that the RADIUS admin will be able to read clear text passwords going 
to your authentication backend if you use PAP instead of M
-802.1x authenticates users at layer two, you still need to deal with IP 
management (NetReg etc...)
-Look into mechanisms to be able to disconnect a user (802.1x doesn't have a 
built-in mechanism, your Wireless LAN vendor will provide this function. e.g. 
Blacklisting)
-For eduroam, be aware that the outer identity is essential, include this in 
your documentation (e.g. make your users type their full identifier from day 
one; use...@realm). Most supplicants (Mac OSX supplicant, Windows supplicant) 
will set the outer identity automatically from the userid.
-On the eduroam side again: your choice of RADIUS is important (Some versions of 
RADIUS do not support proxying, e.g: Steel Belted RADIUS if it's not the Global 
Enterprise edition).
-The eduroamus.org site has documentation for FreeRADIUS, RADIATOR, Microsoft 
NPS, Juniper SBR (Same as Steel Belted)

Feel free to contact the eduroamus.org team even for 802.1x questions,

Best,

Philippe Hanset
University of Tennessee
eduroamus.org





On Aug 19, 2010, at 9:21 AM, Kay Sandacz wrote:


Hey Bryn,

We're planning on deploying eduroam three days after the 802.1x rollout.  
Nonetheless, we have communications to prepare for the 802.1x rollout, so I'm 
looking for end user experience, things that could have been done better, 
things that worked in that scenario right now.

And yes, we're Cisco throughout.

Thanks,
-kay-

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Bryn Jones
Sent: Thursday, August 19, 2010 8:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] share 802.1x experience?

Hi Kay

I don't know whether you are aware of 'eduroam' 
(http://www.eduroamus.org/eduroam_international_map), which is a shared 
authentication infrastructure in Higher Education?

We used the introduction of the 'eduroam' SSID onto campus here in Leeds as a 
method of introducing 802.1x onto our Cisco WiSM architecture.

I'll be quite happy to share information if you have Cisco kit.

Thanks

Bryn


Bryn Jones
ISS Network Development
Rm 8.01e Computing Block
EC Stoner Building
University of Leeds
LS2 9JT

0113 343 7055


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Kay Sandacz
Sent: 19 August 2010 13:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] share 802.1x experience?

Hey folks.

Anyone care to share experience in rolling out 802.1x?  We're looking only at 
wireless just now.  Support issues or user experience would be particularly 
helpful.

And did anyone attempt to run 802.1x on a previously existing SSID?

Thanks,
-kay-

Kay Sandacz, Assistant Director
Data Networking, IT Services
The University of Chicago
