Walt, how did you do the dynamic vlan assignment based off groups?  I assume it 
is a radius parameter mapped to the AD group somehow?  Thanks a bunch,
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu 
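
The standard mechanism behind the question above, shown as an added example (it is not from any poster in this thread and is not Walt's configuration): RFC 3580 has the RADIUS server return three tunnel attributes in the Access-Accept, and the server policy that matched the user's group decides the VLAN ID. The group names, VLAN IDs and function names below are hypothetical.

```python
import struct

# Attribute numbers from RFC 2868; values from RFC 3580 section 3.31.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy, ordered like RADIUS server policies: first match wins.
# Group names and VLAN IDs are hypothetical.
POLICY = [("WLAN-NetAdmins", 10), ("WLAN-Staff", 20), ("WLAN-Students", 30)]

def vlan_for(groups, policy=POLICY):
    """Return the VLAN ID of the first policy entry the user matches, else None."""
    member = {g.lower() for g in groups}
    for group, vlan in policy:
        if group.lower() in member:
            return vlan
    return None

def tunnel_attributes(vlan_id):
    """Encode the three VLAN attributes as RADIUS TLVs (type, length, value)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    def tagged_int(attr, value):
        # Length 6: type, length, tag octet 0x00, then a 3-octet value.
        return struct.pack("!BBB", attr, 6, 0) + value.to_bytes(3, "big")
    vid = str(vlan_id).encode("ascii")  # VLAN ID travels as an ASCII string
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)

def parse_vlan(attrs):
    """Return the VLAN ID only if all three attributes are present and consistent."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        attr, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            return None  # malformed TLV
        seen[attr] = attrs[i + 2:i + length]
        i += length
    if seen.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big"):
        return None
    if seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE_802.to_bytes(3, "big"):
        return None
    vid = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if vid[:1] and vid[0] <= 0x1F:  # optional tag octet before the string
        vid = vid[1:]
    return int(vid) if vid.isdigit() else None
```

A user in several groups gets the VLAN of the first matching entry, so policy order is part of the access decision; a user who matches nothing gets no VLAN attributes, and the server policy should state explicitly whether that means reject or a restricted default VLAN.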
 

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Walt 
Howd
Sent: Thu 7/24/2008 5:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x


We're lucky in that we do not allow any device onto the wireless network that 
does not support 802.1x and PEAP.  

As a previous poster mentioned, it can be very difficult to stop users from 
using your non-secure networks if they are still available.   

This policy would not be viable in all institutions but here we provided 
several months of lead time prior to the switch and heard very little 
grumbling. The message to the institution was that "the network has to be 
secure" and we can't allow any insecure backdoors.  

For gaming consoles we tell students to plug into the wired network. 

For PDAs, we recommend devices that do support 802.1x. Later versions of 
Windows Mobile can access the network as well as the new iPhones.

FWIW, we also chose Microsoft IAS over Cisco ACS and use AD as our backend. It 
has worked well with the Cisco controllers. We have even done dynamic VLAN 
assignment based off AD group membership since day one and have not had any 
issues.

Walt

On Jul 24, 2008, at 4:37 PM, Jenkins, Matthew wrote:


        
        Thanks everyone for your quick responses!  As far as the EAP method 
goes, we will primarily be using MS AD to authenticate.  I figured we would use 
MS IAS unless there is something better to sit between MS AD.  I'll have to 
check out Jorge's suggestion of using Funk.
         
        We are having a large issue with people wanting to register 
playstations, pdas, and such on the wireless.  Currently we can't do it because 
our guest network is using the basic Cisco auth page.  As far as laptop guests 
go if we were using 802.1x, we can give out temporary 1-day accounts.  However, 
how is everyone handling PDAs and gaming consoles that do not support 802.1x?
         
        Thanks,
         
        Matt
         
        Matthew Jenkins
        Network/Server Administrator
        Fairmont State University
        Visit us online at www.fairmontstate.edu 
 

________________________________

        From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf 
of Peter P Morrissey
        Sent: Thu 7/24/2008 4:38 PM
        To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
        Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x
        
        
        I think the biggest challenge was (and still is to some extent) getting 
people to use it and not use our Guest access or PDA access. We don't require 
guests configure 1x and not all PDA's can even do 1x. As a result, sometimes 
people use the network we provide for that instead of using the 1x network. It 
required a major publicity campaign to get everyone to make the switch.

         

        Pete Morrissey

         

         

        
________________________________

        From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[EMAIL PROTECTED]] On Behalf Of Jenkins, Matthew
        Sent: Thursday, July 24, 2008 4:01 PM
        To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
        Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

         

        How many others are doing 802.1x in a Cisco LWAPP environment?  Have 
you had success with it, or would you recommend another route for 
authentication?  Currently we are using VPNs over our secure wireless and I am 
investigating whether we would be ahead to start using 802.1x coupled with WPA. 
 Any thoughts would be appreciated.

         

        Thanks,

         

        Matt

         

        Matthew Jenkins
        Network/Server Administrator
        Fairmont State University
        Visit us online at www.fairmontstate.edu 
<http://www.fairmontstate.edu/> 

         

        ********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.