Jeffrey LeMay wrote:
I am interested in knowing how other academic institutions authenticate their
wireless users, particularly for Macintosh clients.
At Ithaca College, we currently require wireless users to authenticate via an
SSL VPN device (FirePass from F5 Networks). This allows us to see who is using
the wireless network (via the logs) and provides a level of security for the
users as well. This solution works very well for Windows clients but Macintosh
clients have experienced a number of problems. We have been working with F5’s
technical support on the Mac problems for quite some time.
Is there an alternative that we could look at? Do other institutions support
SSL VPN for Macintosh clients?
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
Jeffrey,
We currently separate authentication and encryption services. For
authentication we have a firewall that only allows https authentication,
no clear text http authentication. We started with CheckPoint/Nokia in
2000 and then moved to NetScreen around 2002. The new firewall we rolled
out in 2005 is called Captivator. It was written by Dale Carder who is
in the same group I am. We have decided to make our authentication
service available for both wired and wireless connections. That way
conference rooms, kiosks and other public areas could have
authentication services. The wired connections need multicast for our
Digital Academic Television Network. The wireless service does not have
multicast turned on. We could not find a firewall to do multicast.
That's one of the reasons we decided to build our own. We built twelve
for use at twelve nodes around campus. The cost was 1/10 of what a major
firewall vendor wanted for an appliance that wouldn't do all we wanted.
The Captivator is configured to allow users access to certain web sites
like the Help Desk or the campus information site without any need to
authenticate. That works great for guests who need general information
about the campus. We have another web service that creates guest
accounts for up to 30 days for anyone sponsored by faculty and staff. The
Captivator also passes all traffic to the Cisco VPN server without
authentication at the firewall on on the VPN server. For encryption we
are using the Cisco 3080 product. By doing this the wireless VPN users
only need to authenticate one time not twice. It's also nice because we
have the source code for all the pieces and can customize it the way we
want. Also helps with debugging problems.
--
Rusty Smith
[EMAIL PROTECTED]
University of Wisconsin Madison
Division of Information Technology
Network Services
1210 W. Dayton St. Rm B116
Madison WI 53706 (608) 263-6307