Matt,
We use it and have had no issues with it. Since we have to authenticate
against several authentication mechanisms, we send the auth packet to a
radius server (Funk), who then passes it through to the proper mechanism
(LDAP, AD, proxy). Also, please note that this is how we
We do it with WiSMs. WPA (greatest compatibility), TKIP, MS-CHAPv2 with
native Windows/Mac supplicants for general users, and WPA2 for
higher-security specialty networks. We use AD as credential store, and
use ID Engines for supplicant configuration.
Here are the biggest hang-ups/issues I see
We're doing 802.1x with LWAPP. We have two controllers, 300 APs and
average around 1100 concurrent wireless users.
We just switched to 802.1x authentication last year, with great
success. Previously we ran a network with just WEP and MAC address
registration. Last summer we brought a new
Walt,
Good point about the EAP method.
Matt,
Because we have to authenticate several different users, we HAD to use
EAP-TTLS. This is probably where you will have to do most of your
research. In this case, there aren't really any wrong ways of doing
things. You just have to make an
I think the biggest challenge was (and still is to some extent) getting
people to use it and not use our Guest access or PDA access. We don't
require guests configure 1x and not all PDAs can even do 1x. As a
result, sometimes people use the network we provide for that instead of
using the 1x
This is a follow on to my thread and the others trying to figure out
which method to use in the encryption alphabet soup. We may be driven
to go to EAP-TLS, which means student certs. Are there products out
there that make the cert-issuing process easy? The last thing we need
is for every
Thanks everyone for your quick responses! As far as the EAP method goes, we
will primarily be using MS AD to authenticate. I figured we would use MS IAS
unless there is something better to sit between MS AD. I'll have to check out
Jorge's suggestion of using Funk.
We are having a large
We're lucky in that we do not allow any device onto the wireless
network that does not support 802.1x and PEAP.
As a previous poster mentioned, it can be very difficult to stop users
from using your non-secure networks if they are still available.
This policy would not be viable in all
Walt, how did you do the dynamic vlan assignment based off groups? I assume it
is a radius parameter mapped to the AD group somehow? Thanks a bunch,
Matt
Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
Here's the information from Cisco:
http://www.cisco.com/warp/public/114/dynamicvlan-config.pdf
And here's the docs from our build:
Define remote access policies as follows:
Select New Remote Access Policy
Select Use the Wizard
Policy Name:
Cisco Wireless Student User / Checkout Laptop Policy
Matt,
At Emory, we are handling what we call PWD's - personal wireless devices -
including PDAs, game consoles, and other miscellaneous wireless devices using
our Guest Access SSID. For students, staff, and faculty devices that don't
support our secure 802.1x SSID, but on campus and have a