Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Jorge Bodden

Matt,

We use it and have had no issues with it.  Since we have to authenticate 
against several authentication mechanisms, we send the auth packet to a 
radius server (Funk), who then passes it through to the proper mechanism 
(LDAP, AD, proxy).  Also, please note that this is how we authenticated 
users (and still do) for our VPN users/clients so we never had to 
re-invent that spoke on the wheel.  

If you have any questions about details, please send me an email off 
line, and I would be more than happy to help out.


Thanks.

Jorge Bodden

Jenkins, Matthew wrote:


How many others are doing 802.1x in a Cisco LWAPP environment?  Have 
you had success with it, or would you recommend another route for 
authentication?  Currently we are using VPNs over our secure wireless 
and I am investigating whether we would be ahead to start using 802.1x 
coupled with WPA.  Any thoughts would be appreciated.


 


Thanks,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

 

** Participation and subscription information for this 
EDUCAUSE Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 






This electronic message is intended to be for the use only of the named 
recipient, and may contain information that is confidential or privileged.  If 
you are not the intended recipient, you are hereby notified that any 
disclosure, copying, distribution or use of the contents of this message is 
strictly prohibited.  If you have received this message in error or are not the 
named recipient, please notify us immediately by contacting the sender at the 
electronic mail address noted above, and delete and destroy all copies of this 
message.  Thank you.





RE: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Lee H Badman
We do it with WiSMs. WPA (greatest compatibility), TKIP, MS-CHAPv2 with
native Windows/Mac supplicants for general users, and WPA2 for
higher-security specialty networks. We use AD as credential store, and
use ID Engines for supplicant configuration.
 
Here are the biggest hang-ups/issues I see people experience as they
ponder and then support 802.1x:
 
-  Which EAP type to use
-  Which RADIUS server to use
-  Which supplicants to allow/support
-  How to get those supplicants properly configured
-  The challenge of getting lots of outdated wireless drivers updated - very important
 
But- once you get there, it is largely a piece of cake to support. After
having done captive portal and VPN, 802.1x is actually easier for us.
But... 802.1x can also get very complex depending on how you choose to
implement. There's simple go/nogo (if in AD then allow onto net) or use
RADIUS attributes and VLAN steering to get very granular on who goes
where and when. The more complex you make it, the harder it can be to
support (like anything)...
 
No specific 802.1x issues with LWAPP found here- although we still have
all of LWAPP's other quirks to contend with.
 
Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jenkins,
Matthew
Sent: Thursday, July 24, 2008 4:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x
 
How many others are doing 802.1x in a Cisco LWAPP environment?  Have you
had success with it, or would you recommend another route for
authentication?  Currently we are using VPNs over our secure wireless
and I am investigating whether we would be ahead to start using 802.1x
coupled with WPA.  Any thoughts would be appreciated.
 
Thanks,
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

 


Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Walt Howd
We're doing 802.1x with LWAPP. We have two controllers, 300 APs and  
average around 1100 concurrent wireless users.


We just switched to 802.1x authentication last year, with great  
success. Previously we ran a network with just WEP and MAC address  
registration. Last summer  we brought a new wireless network up on the  
controllers supporting WPA1 and WPA2 with TKIP and AES enabled. We  
then turned on a captive portal on the legacy network that redirected  
users to a website containing information on the new network and a  
switch over date. The users could choose to see the directions on how  
to switch, or continue using legacy network up until the switchover  
deadline.


A big factor in the 802.1x puzzle that will determine the success of  
your project is your EAP method. We chose PEAPv0 as it had the  
greatest compatibility in our environment and lowest overhead. Hope  
this helps!


Walt

On Jul 24, 2008, at 3:01 PM, Jenkins, Matthew wrote:

How many others are doing 802.1x in a Cisco LWAPP environment?  Have  
you had success with it, or would you recommend another route for  
authentication?  Currently we are using VPNs over our secure  
wireless and I am investigating whether we would be ahead to start  
using 802.1x coupled with WPA.  Any thoughts would be appreciated.


Thanks,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu



Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Jorge Bodden

Walt,

Good point about the EAP method.

Matt,

Because we have to authenticate several different users, we HAD to use 
EAP-TTLS.  This is probably where you will have to do most of your 
research.  In this case, there aren't really any wrong ways of doing 
things.  You just have to make an educated decision as to what is best 
for you, and move forward.


Thanks.

Jorge Bodden

Walt Howd wrote:
We're doing 802.1x with LWAPP. We have two controllers, 300 APs and 
average around 1100 concurrent wireless users. 

We just switched to 802.1x authentication last year, with great 
success. Previously we ran a network with just WEP and MAC address 
registration. Last summer  we brought a new wireless network up on the 
controllers supporting WPA1 and WPA2 with TKIP and AES enabled. We 
then turned on a captive portal on the legacy network that redirected 
users to a website containing information on the new network and a 
switch over date. The users could choose to see the directions on how 
to switch, or continue using legacy network up until the switchover 
deadline.


A big factor in the 802.1x puzzle that will determine the success of 
your project is your EAP method. We chose PEAPv0 as it had the 
greatest compatibility in our environment and lowest overhead. Hope 
this helps!


Walt



RE: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Peter P Morrissey
I think the biggest challenge was (and still is to some extent) getting
people to use it and not use our Guest access or PDA access. We don't
require guests to configure 1x and not all PDAs can even do 1x. As a
result, sometimes people use the network we provide for that instead of
using the 1x network. It required a major publicity campaign to get
everyone to make the switch. 

 

Pete Morrissey

 

 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jenkins,
Matthew
Sent: Thursday, July 24, 2008 4:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

 

How many others are doing 802.1x in a Cisco LWAPP environment?  Have you
had success with it, or would you recommend another route for
authentication?  Currently we are using VPNs over our secure wireless
and I am investigating whether we would be ahead to start using 802.1x
coupled with WPA.  Any thoughts would be appreciated.

 

Thanks,

 

Matt

 

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu


 



RE: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Jenkins, Matthew
Thanks everyone for your quick responses!  As far as the EAP method goes, we 
will primarily be using MS AD to authenticate.  I figured we would use MS IAS 
unless there is something better to sit between MS AD.  I'll have to check out 
Jorge's suggestion of using Funk.
 
We are having a large issue with people wanting to register playstations, pdas, 
and such on the wireless.  Currently we can't do it because our guest network 
is using the basic Cisco auth page.  As far as laptop guests go if we were 
using 802.1x, we can give out temporary 1-day accounts.  However, how is 
everyone handling PDAs and gaming consoles that do not support 802.1x?
 
Thanks,
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Peter P Morrissey
Sent: Thu 7/24/2008 4:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x



I think the biggest challenge was (and still is to some extent) getting people 
to use it and not use our Guest access or PDA access. We don't require guests 
to configure 1x and not all PDAs can even do 1x. As a result, sometimes people 
use the network we provide for that instead of using the 1x network. It 
required a major publicity campaign to get everyone to make the switch. 

 

Pete Morrissey

 

 





Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Walt Howd
We're lucky in that we do not allow any device onto the wireless  
network that does not support 802.1x and PEAP.


As a previous poster mentioned, it can be very difficult to stop users  
from using your non-secure networks if they are still available.


This policy would not be viable in all institutions but here we  
provided several months of lead time prior to the switch and heard  
very little grumbling. The message to the institution was that the  
network has to be secure and we can't allow any insecure backdoors.


For gaming consoles we tell students to plug into the wired network.

For PDAs, we recommend devices that do support 802.1x. Later versions  
of Windows Mobile can access the network as well as the new iPhones.


FWIW, we also chose Microsoft IAS over Cisco ACS and use AD as our  
backend. It has worked well with the Cisco controllers. We have even  
done dynamic VLAN assignment based off AD group membership since day  
one and have not had any issues.


Walt

On Jul 24, 2008, at 4:37 PM, Jenkins, Matthew wrote:

Thanks everyone for your quick responses!  As far as the EAP method  
goes, we will primarily be using MS AD to authenticate.  I figured  
we would use MS IAS unless there is something better to sit between  
MS AD.  I'll have to check out Jorge's suggestion of using Funk.


We are having a large issue with people wanting to register  
playstations, pdas, and such on the wireless.  Currently we can't do  
it because our guest network is using the basic Cisco auth page.  As  
far as laptop guests go if we were using 802.1x, we can give out  
temporary 1-day accounts.  However, how is everyone handling PDAs  
and gaming consoles that do not support 802.1x?


Thanks,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu



RE: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Jenkins, Matthew
Walt, how did you do the dynamic vlan assignment based off groups?  I assume it 
is a radius parameter mapped to the AD group somehow?  Thanks a bunch,
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Walt 
Howd
Sent: Thu 7/24/2008 5:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x


We're lucky in that we do not allow any device onto the wireless network that 
does not support 802.1x and PEAP.  

As a previous poster mentioned, it can be very difficult to stop users from 
using your non-secure networks if they are still available.   

This policy would not be viable in all institutions but here we provided 
several months of lead time prior to the switch and heard very little 
grumbling. The message to the institution was that the network has to be 
secure and we can't allow any insecure backdoors.  

For gaming consoles we tell students to plug into the wired network. 

For PDAs, we recommend devices that do support 802.1x. Later versions of 
Windows Mobile can access the network as well as the new iPhones.

FWIW, we also chose Microsoft IAS over Cisco ACS and use AD as our backend. It 
has worked well with the Cisco controllers. We have even done dynamic VLAN 
assignment based off AD group membership since day one and have not had any 
issues.

Walt


Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Walt Howd

Here's the information from Cisco:
http://www.cisco.com/warp/public/114/dynamicvlan-config.pdf


And here's the docs from our build:

Define remote access policies as follows:

Select New Remote Access Policy
Select Use the Wizard
  Policy Name: Cisco Wireless Student User / Checkout Laptop Policy
  Access Method: Wireless
  Group:
    DOMAIN\Students
    DOMAIN\Wireless Checkout Laptops
  EAP Type: Protected EAP (PEAP)
  Configure
    Select valid cert from ipsCA
    Enabled Fast Reconnect: Checked
  Select Edit at the bottom
    Number of authentication retries: 5
    Allow clients to change password after it has expired: Checked
  Click Ok, Next, Finish.

Select Edit Profile
  Select the Advanced tab:
  Select Add
  Add the following attributes
    Tunnel-Medium-Type: 802.
    Tunnel-Pvt-Group-ID: VLANID (208 in this case)
    Tunnel-Type: VLAN


On Jul 24, 2008, at 5:17 PM, Jenkins, Matthew wrote:

Walt, how did you do the dynamic vlan assignment based off groups?   
I assume it is a radius parameter mapped to the AD group somehow?   
Thanks a bunch,


Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu





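
The three attributes in the build notes above (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Pvt-Group-ID) reach the controller inside the RADIUS Access-Accept. The following is an added example, not part of the original thread or of any vendor's code: it parses a reply packet and checks that the VLAN assignment is complete and that the attributes share one tag. The sample packets are constructed, their authenticator is zeroed rather than computed, and all function names are illustrative.

```python
"""Check that a RADIUS Access-Accept carries a complete dynamic-VLAN assignment."""
import struct

ACCESS_ACCEPT = 2              # RFC 2865 packet code
TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81   # shown as Tunnel-Pvt-Group-ID in the build notes
TYPE_VLAN = 13                 # Tunnel-Type value "VLAN" (RFC 3580)
MEDIUM_802 = 6                 # Tunnel-Medium-Type value "802"


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type, number, tag=0):
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag and a 3-byte integer."""
    return attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def access_accept(attrs, identifier=1):
    """Build a sample Access-Accept; the authenticator is zeroed, not computed."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]), rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        # A header cut off at the end of the packet counts as length 0.
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def vlan_assignment(packet):
    """Return (vlan_id or None, list of problems) for one reply packet."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None, ["not an Access-Accept"]
    tunnels = {}               # tag -> {attribute type: decoded value}
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None, [f"attribute {a_type} is not 4 bytes"]
            tag, decoded = value[0], int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x1F or less is a tag; otherwise it is string data.
            has_tag = bool(value) and value[0] <= 0x1F
            tag = value[0] if has_tag else 0
            decoded = (value[1:] if has_tag else value).decode("ascii", "replace")
        else:
            continue
        tunnels.setdefault(tag, {})[a_type] = decoded
    if not tunnels:
        return None, ["no tunnel attributes present"]
    problems = []
    for tag, t in sorted(tunnels.items()):
        issues = []
        if t.get(TUNNEL_TYPE) != TYPE_VLAN:
            issues.append("Tunnel-Type missing or not VLAN")
        if t.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_802:
            issues.append("Tunnel-Medium-Type missing or not 802")
        group = t.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if not (group.isdigit() and 1 <= int(group) <= 4094):
            issues.append("Tunnel-Pvt-Group-ID missing or not a VLAN number")
        if not issues:
            return int(group), []
        problems += [f"tag {tag}: {i}" for i in issues]
    return None, problems


# Constructed sample replies (not captured traffic); VLAN 208 is the thread's value.
VLAN, MEDIUM = tagged_int(TUNNEL_TYPE, TYPE_VLAN), tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_802)
GOOD = access_accept([VLAN, MEDIUM, attr(TUNNEL_PRIVATE_GROUP_ID, b"208")])
MISSING_MEDIUM = access_accept([VLAN, attr(TUNNEL_PRIVATE_GROUP_ID, b"208")])
SPLIT_TAGS = access_accept([
    tagged_int(TUNNEL_TYPE, TYPE_VLAN, tag=1),
    tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_802, tag=1),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"\x02208"),   # group ID tagged 2, not 1
])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("missing", MISSING_MEDIUM), ("split", SPLIT_TAGS)):
        print(name, vlan_assignment(pkt))
```
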

RE: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

2008-07-24 Thread Brooks, Stan
Matt,

At Emory, we are handling what we call PWDs - personal wireless devices - 
including PDAs, game consoles, and other miscellaneous wireless devices using 
our Guest Access SSID.  For students, staff, and faculty devices that don't 
support our secure 802.1x SSID, but are on campus and have a legitimate need, we 
use MAC authentication to bypass the guest access captive portal.  The user has 
to bring the device in so that we can verify the type of device and get the MAC 
address.  The MAC address, user's ID, and device type are entered in the RADIUS 
database.  Our Aruba infrastructure then uses that RADIUS server to 
authenticate our guest access SSID users - a pass will put them into a special 
PWD role while a fail forces them to use the captive portal for guest access 
authentication.

We lock down our guest access pretty well - only web/secure web and VPN access 
is allowed and also bandwidth-limited.  The PWD role is slightly more open - we 
add secure mail and some TiVo/game console access.  We originally added the MAC 
authentication to handle the flood of iPhones last fall.  The TiVos and game 
consoles, too.  This fall with the iPhone 2.0 firmware supporting 
WPA/2-Enterprise 802.1x, we will have less of those, but probably more game 
consoles and other devices.

While I'm sure what all the Cisco capabilities are, you should be able to 
implement something similar to what we've done with our Aruba hardware.

 - Stan Brooks - CWNA/CWSP
  Emory University
  Network Communications Division
  404.727.0226
AIM/Y!/Twitter: WLANstan
   MSN: [EMAIL PROTECTED]
GoogleTalk: [EMAIL PROTECTED]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Jenkins, Matthew
Sent: Thursday, July 24, 2008 5:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

Thanks everyone for your quick responses!  As far as the EAP method goes, we 
will primarily be using MS AD to authenticate.  I figured we would use MS IAS 
unless there is something better to sit between MS AD.  I'll have to check out 
Jorge's suggestion of using Funk.

We are having a large issue with people wanting to register playstations, pdas, 
and such on the wireless.  Currently we can't do it because our guest network 
is using the basic Cisco auth page.  As far as laptop guests go if we were 
using 802.1x, we can give out temporary 1-day accounts.  However, how is 
everyone handling PDAs and gaming consoles that do not support 802.1x?

Thanks,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu




This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you