Re: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-25 Thread Jon Scot Prunckle
Tim,

Per your questions:

> Do you have eduroam deployed as your primary SSID or in addition to your SSID’s?

‘eduroam’ is a companion SSID to our campus-branded SSID.  However, the two 
networks use identical encryption and authentication methods.

> Do you separate/tag your eduroam users? If so, how (ACS/ISE/FreeRADIUS, etc.)?

We do not separate our internal eduroam users from external eduroam users at 
the vlan level.  All users, as they are on secure, authenticated networks are 
placed in a “trust” firewall group.  We are currently using FreeRADIUS for user 
authentication.

> How big are your wireless subnets?

Our campus-branded SSID uses /22 networks separated on building boundaries; 
sometimes we require multiple networks per building based on user density.  We 
have several small outlier buildings that have /24 networks.

Our eduroam SSIDs are all /24 networks at this point.  They are deployed 1 per 
building.

We currently have approximately 25,000 wireless users.  We saw a peak in 
September 2014 of over 10,000,000 successful authentications (combined eduroam 
+ University-branded-SSID) via RADIUS.

We’ve expanded the wireless network to an additional 20 buildings since that 
time and are excited to see the September 2015 numbers.

Due to the size of the campus and our central-management network design, we’re 
looking forward to a stable release of round-robin vlan-pooling from our 
wireless equipment provider to reduce the number of vlans we have deployed 
(currently about 110 within a /14 private IP range).

Sincerely,


J. Scot Prunckle
Network Engineer
UITS Network and Operations Services
University of Wisconsin-Milwaukee
Office Mobile: (414) 416-9709
E-mail: prunc...@uwm.edu

On Sep 24, 2015, at 3:38 PM, Timothy Burns wrote:

We are just now starting down the eduroam path.

We are a Cisco shop and currently have our controllers pointed towards 
xpressconnect to onboard/authenticate our students.

We currently have many interfaces on our controllers per building/SSID. We were 
thinking of collapsing many of those interfaces and have larger subnets and 
vlan tag the clients based on access we want to allow using the single 
"eduroam" ssid.

So, for example, our local users will be placed in VLAN 1 and eduroam users 
from different colleges would be placed in VLAN 2 with internet-only access. We 
have brought this up to our SE and VAR engineers and they are a little hesitant 
on this approach as they say the subnets will be too large. But, as I 
understand it, the broadcast messages are suppressed at the controller.

XpressConnect only supports 1 VLAN tag, so we were looking at using FreeRADIUS 
and creating different realms and VLAN-tagging the clients based on the end of 
the username (ex: @.edu). We still have ACS at our disposal, as 
we were using it very heavily before using XpressConnect, so we thought it may 
be an option to bring that back into the picture and use it to tag the clients.

The answers I am looking to gain from this are:

Do you have eduroam deployed as your primary SSID or in addition to your SSIDs?

Do you separate/tag your eduroam users? If so, how (ACS/ISE/FreeRADIUS, etc.)?

How big are your wireless subnets?

Any opinions/suggestion/questions are welcome.

Thanks again in advance.

--

Tim Burns

Junior Network Administrator
1 University Heights
Asheville, NC 28804
828-232-5013
bu...@unca.edu

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.



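The realm-based VLAN assignment that Tim's message proposes and that the FreeRADIUS replies describe, as an added example that is not code from the original thread or from any of the posters: a plain-Python decision function that maps the NAI (user@realm) from an Access-Request to the RFC 2868 tunnel attributes a Cisco WLC honours for dynamic VLAN assignment. The realm names, VLAN IDs and sample requests are assumptions. It is written stand-alone rather than as a FreeRADIUS rlm_python module so that it runs without a RADIUS server; in production the same decision would live in unlang, rlm_python, or, as one reply notes, on the controller.

```python
# Added example, not from the original thread. Realm-based VLAN decision for a
# shared 802.1X SSID such as eduroam. Realm names, VLAN IDs and the sample
# requests are assumptions chosen for illustration.

HOME_REALMS = ("example.edu",)   # assumption: realms this campus is the IdP for
VLAN_LOCAL = "100"               # assumption: full-access campus VLAN
VLAN_VISITOR = "200"             # assumption: Internet-only VLAN for roaming visitors


def split_nai(identity):
    """Split an RFC 7542 NAI 'user@realm' into (user, realm).

    The realm is lower-cased because realm matching is case-insensitive;
    a bare username with no '@' yields realm None.
    """
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def realm_is_home(realm):
    """True if realm equals, or is a sub-realm of, one of HOME_REALMS.

    The comparison is done label by label. A plain str.endswith("example.edu")
    check would also accept 'notexample.edu', a realm eduroam routes to some
    other institution's IdP, and that visitor would land in the local VLAN.
    """
    if not realm:
        return False
    labels = realm.split(".")
    for home in HOME_REALMS:
        home_labels = home.split(".")
        if labels[-len(home_labels):] == home_labels:
            return True
    return False


def decide_vlan(outer_identity, inner_identity=None):
    """Return the RFC 2868 tunnel attributes for the Access-Accept, or None to reject.

    outer_identity: User-Name in the Access-Request (the EAP outer identity).
                    eduroam routes on this realm, so it decides home vs. visitor.
    inner_identity: identity authenticated inside the TLS tunnel. Only the home
                    IdP sees it; it is None for visitors we proxied out.
    """
    _, outer_realm = split_nai(outer_identity)
    if not outer_realm:
        # eduroam needs a realm to route on; a realm-less name is rejected
        # rather than guessed at.
        return None

    if inner_identity is not None:
        _, inner_realm = split_nai(inner_identity)
        # Policy assumption: inner and outer realm must match. Otherwise an
        # outer 'anonymous@example.edu' (routed to us) could carry an inner
        # identity from another realm; with inner-tunnel proxying enabled that
        # user would authenticate elsewhere but inherit our realm's VLAN.
        if inner_realm is not None and inner_realm != outer_realm:
            return None

    vlan = VLAN_LOCAL if realm_is_home(outer_realm) else VLAN_VISITOR
    return {
        "Tunnel-Type": "VLAN",             # RFC 2868 value 13
        "Tunnel-Medium-Type": "IEEE-802",  # RFC 2868 value 6
        "Tunnel-Private-Group-Id": vlan,   # VLAN ID or interface name the WLC applies
    }


# Constructed sample requests (outer identity, inner identity); not real log data.
SAMPLE_REQUESTS = [
    ("alice@example.edu", "alice@example.edu"),        # local user, plain identity
    ("anonymous@example.edu", "bob@example.edu"),      # local user, anonymous outer identity
    ("carol@cs.example.edu", "carol@cs.example.edu"),  # local sub-realm
    ("dave@other.edu", None),                          # roaming visitor, proxied out
    ("eve@notexample.edu", None),                      # looks local to endswith(); is not
    ("anonymous@example.edu", "mallory@other.edu"),    # realm mismatch, rejected
    ("frank", None),                                   # no realm, rejected
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Run decide_vlan over (outer, inner) pairs; returns [(outer, VLAN or 'REJECT'), ...]."""
    results = []
    for outer, inner in requests:
        reply = decide_vlan(outer, inner)
        results.append((outer, reply["Tunnel-Private-Group-Id"] if reply else "REJECT"))
    return results


if __name__ == "__main__":
    for outer, outcome in evaluate():
        print(f"{outer:28} -> {outcome}")
```

Two caveats a practitioner would want alongside this: the visited site's RADIUS server should strip any tunnel attributes that come back in a proxied Access-Accept from a visitor's home IdP before the reply reaches the WLC, otherwise the home institution's VLAN choice overrides the local one; and whichever name is used for `Tunnel-Private-Group-Id` must exist on every controller in the group, which is what the interface-group suggestion elsewhere in this thread addresses.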



RE: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-25 Thread Danny Eaton
That’s essentially what we do – we have our campus segmented with L3 MPLS VPNs 
(wired and wireless), one for staff, one for students and one for visitors.  
This simplifies firewall exception policies into a centralized management area. 
We have 8 /22’s on each HA pair for staff that belong to the interface group 
‘staff (g)’, 8 /22’s for students, and again 8 /22’s for visitors.  It 
might be a bit of overkill (we’re at about 1650 APs and 1 client devices a 
day), but I’d rather have too many IPs than not enough.  Whether on the branded 
WiFi or eduroam, our staff/faculty end up in the same VRF, and our students end 
up in theirs.  For visitors, our Visitor WiFi (captive portal, splash page, 
Acceptable Use Policy), or those that log on to eduroam with credentials, get 
in the visitor MPLS VRF and those IP ranges.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Thursday, September 24, 2015 6:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam in a Cisco environment


You can always do an interface group and use the name of the group instead of 
the vlan ID coming from Cloudpath. Just keep all interfaces in the group the 
same size.

Thanks

Jake Snyder

jsny...@compunet.biz

208-286-3015

Sent from my iPhone


On Sep 24, 2015, at 2:38 PM, Timothy Burns <bu...@unca.edu> wrote:




Re: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-25 Thread Jerry Bucklaew

> The answers I am looking to gain from this are:
>
> Do you have eduroam deployed as your primary SSID or in addition to
> your SSID's?

Yes, we have it deployed as an additional SSID but are getting ready to 
make it our primary.

> Do you separate/tag your eduroam users? If so, how (ACS/ISE/FreeRADIUS,
> etc.)?

Yes, we hand back a VLAN interface via RADIUS so the users end up on 
their own subnet.

> How big are your wireless subnets?

We use /22's.  It seems to be a nice mix in between a small number of 
huge subnets and a large number of small subnets.   We peak around 
25,000 users.

> Any opinions/suggestion/questions are welcome.

Just consider making it your primary up front.



RE: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-25 Thread Chad Burnham
Hi Tim,

We are Aruba on the AP/controllers, and Cisco on the core and firewalls.

> Do you have eduroam deployed as your primary SSID or in addition to your SSID's?

Eduroam is our primary 802.1X secure SSID; however, we now have an unsecured 
SSID for “general use” and “guests” for the masses.

> Do you separate/tag your eduroam users?

Yes, we separate the network using the “@ (realm)” to discern our users and our 
own eduroam folks – this allows rules that define role and ultimately ACL 
rules. We also use Cisco SUP2Ts and VPLS-PE (MPLS) across two core routers to 
keep networks redundant. This is a layer 2.5 approach, if you will, to deal 
with separate routed domains.

> If so, how (ACS/ISE/FreeRADIUS, etc.)?

Aruba ClearPass.

> How big are your wireless subnets?

2 x /16 – Aruba's whitepaper recommends large networks now; in the old days 
they did not.

Chad




RE: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-25 Thread Hector J Rios
> Do you have eduroam deployed as your primary SSID or in addition to your SSID's?

Eduroam is our primary SSID.

> Do you separate/tag your eduroam users? If so, how (ACS/ISE/FreeRADIUS, etc.)?

Yes. We use Radiator.

> How big are your wireless subnets?

Our eduroam subnet is a /17. We recently collapsed our two 6500 wireless cores 
into a VSS and that allowed us to define a single subnet for eduroam.




Re: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-24 Thread Jake Snyder
You can always do an interface group and use the name of the group instead of 
the vlan ID coming from Cloudpath. Just keep all interfaces in the group the 
same size.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone

> On Sep 24, 2015, at 2:38 PM, Timothy Burns wrote:




RE: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-24 Thread Turner, Ryan H

> The answers I am looking to gain from this are:
>
> Do you have eduroam deployed as your primary SSID or in addition to your SSID's?

Eduroam is the primary SSID.

> Do you separate/tag your eduroam users? If so, how (ACS/ISE/FreeRADIUS, etc.)?

Yes.  We use FreeRADIUS.  However, we don’t use FreeRADIUS for tagging.  Since 
we have an Aruba environment, we use a simple feature that allows us, at the 
controller, without any messing around in FreeRADIUS, to assign a VLAN based on 
user realm.  So, unc.edu users get one VLAN, and non-unc.edu users get another.

> How big are your wireless subnets?

Huge.  Thousands and thousands.  With the broadcast suppression, it hasn’t been 
an issue for us.  You can message me privately if you want me to give you more 
specifics.  I just pulled up our interface config for main campus and stopped 
counting after a few thousand.
