Walt, how did you do the dynamic vlan assignment based off groups? I assume it is a radius parameter mapped to the AD group somehow? Thanks a bunch, Matt Matthew Jenkins Network/Server Administrator Fairmont State University Visit us online at www.fairmontstate.edu <https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/>
________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Walt Howd Sent: Thu 7/24/2008 5:58 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x We're lucky in that we do not allow any device onto the wireless network that does not support 802.1x and PEAP. As a previous poster mentioned, it can be very difficult to stop users from using your non-secure networks if they are still available. This policy would not be viable in all institutions but here we provided several months of lead time prior to the switch and heard very little grumbling. The message to the institution was that "the network has to be secure" and we can't allow any insecure backdoors. For gaming consoles we tell students to plug into the wired network. For PDAs, we recommend devices that do support 802.1x. Later versions of Windows Mobile can access the network as well as the new iPhones. FWIW, we also chose Microsoft IAS over Cisco ACS and use AD as our backend. It has worked well with the Cisco controllers. We have even done dynamic VLAN assignment based off AD group membership since day one and have not had any issues. Walt On Jul 24, 2008, at 4:37 PM, Jenkins, Matthew wrote: Thanks everyone for your quick responses! As far as the EAP method goes, we will primarily be using MS AD to authenticate. I figured we would use MS IAS unless there is something better to sit between MS AD. I'll have to check out Jorge's suggestion of using Funk. We are having a large issue with people wanting to register playstations, pdas, and such on the wireless. Currently we can't do it because our guest network is using the basic Cisco auth page. As far as laptop guests go if we were using 802.1x, we can give out temporary 1-day accounts. However, how is everyone handling PDAs and gaming consoles that do not support 802.1x? Thanks, Matt Matthew Jenkins Network/Server Administrator Fairmont State University Visit us online at www.fairmontstate.edu <https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/> <https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/> ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Peter P Morrissey Sent: Thu 7/24/2008 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x I think the biggest challenge was (and still is to some extent) getting people to use it and not user our Guest access or PDA access. We don't require guests configure 1x and not all PDA's can even do 1x. As a result, sometimes people use the network we provide for that instead of using the 1x network. It required a major publicity campaign to get everyone to make the switch. Pete Morrissey ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf OfJenkins, Matthew Sent: Thursday, July 24, 2008 4:01 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x How many others are doing 802.1x in a Cisco LWAPP environment? Have you had success with it, or would you recommend another route for authentication? Currently we are using VPNs over our secure wireless and I am investigating whether we would be ahead to start using 802.1x coupled with WPA. Any thoughts would be appreciated. Thanks, Matt Matthew Jenkins Network/Server Administrator Fairmont State University Visit us online at www.fairmontstate.edu <http://www.fairmontstate.edu/> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.