Matt,

At Emory, we are handling what we call PWDs - personal wireless devices - 
including PDAs, game consoles, and other miscellaneous wireless devices using 
our Guest Access SSID.  For students, staff, and faculty devices that don't 
support our secure 802.1x SSID, but are on campus and have a "legitimate" need, we 
use MAC authentication to bypass the guest access captive portal.  The user has 
to bring the device in so that we can verify the type of device and get the MAC 
address.  The MAC address, user's ID, and device type are entered in the RADIUS 
database.  Our Aruba infrastructure then uses that RADIUS server to 
authenticate our guest access SSID users - a pass will put them into a special 
PWD role while a fail forces them to use the captive portal for guest access 
authentication.

We lock down our guest access pretty well - only web/secure web and VPN access 
is allowed and also bandwidth-limited.  The PWD role is slightly more open - we 
add secure mail and some TiVo/game console access.  We originally added the MAC 
authentication to handle the flood of iPhones last fall.  The TiVos and game 
consoles, too.  This fall with the iPhone 2.0 firmware supporting 
WPA/2-Enterprise 802.1x, we will have fewer of those, but probably more game 
consoles and other devices.

While I'm sure what all the Cisco capabilities are, you should be able to 
implement something similar to what we've done with our Aruba hardware.

 >>-> Stan Brooks - CWNA/CWSP
      Emory University
      Network Communications Division
      404.727.0226
AIM/Y!/Twitter: WLANstan
           MSN: [EMAIL PROTECTED]
    GoogleTalk: [EMAIL PROTECTED]
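
The MAC-authentication fallback described in the message above, modelled as an added example (not code from the thread or from any vendor). The registry entries, service names and function names are hypothetical; the point is that the lookup must normalize MAC notation before matching, and that the per-role service list is the actual control, since a MAC address is only an identifier the client reports.

```python
import re

# Constructed registry standing in for the RADIUS database described above:
# MAC address -> (user ID, device type). All values are made up.
REGISTRY = {
    "001122aabbcc": ("jdoe", "game console"),
    "00a0c9123456": ("asmith", "TiVo"),
}

# Service names are placeholders for the access described in the message:
# guest gets web, secure web and VPN; the PWD role adds secure mail and
# TiVo/game console access.
GUEST_SERVICES = frozenset({"web", "secure-web", "vpn"})
PWD_SERVICES = GUEST_SERVICES | {"secure-mail", "tivo", "game-console"}
ROLE_SERVICES = {"guest": GUEST_SERVICES, "pwd": PWD_SERVICES}


def normalize_mac(raw):
    """Reduce colon, hyphen or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def authenticate(raw_mac, portal_login_ok=False):
    """Return the role a client on the guest SSID ends up in, or None.

    A registered MAC passes and lands in the PWD role; anything else
    fails MAC authentication and has to go through the captive portal.
    """
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        mac = None  # malformed address: treat as a MAC-auth failure
    if mac in REGISTRY:
        return "pwd"
    return "guest" if portal_login_ok else None


def allowed(role, service):
    """True if the role's policy permits the named service."""
    return role is not None and service in ROLE_SERVICES[role]
```
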

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Jenkins, Matthew
Sent: Thursday, July 24, 2008 5:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

Thanks everyone for your quick responses!  As far as the EAP method goes, we 
will primarily be using MS AD to authenticate.  I figured we would use MS IAS 
unless there is something better to sit between MS AD.  I'll have to check out 
Jorge's suggestion of using Funk.

We are having a large issue with people wanting to register PlayStations, PDAs, 
and such on the wireless.  Currently we can't do it because our guest network 
is using the basic Cisco auth page.  As far as laptop guests go if we were 
using 802.1x, we can give out temporary 1-day accounts.  However, how is 
everyone handling PDAs and gaming consoles that do not support 802.1x?

Thanks,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu<http://www.fairmontstate.edu/>

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Peter P Morrissey
Sent: Thu 7/24/2008 4:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

I think the biggest challenge was (and still is to some extent) getting people 
to use it and not use our Guest access or PDA access. We don't require guests 
to configure 1x and not all PDAs can even do 1x. As a result, sometimes people 
use the network we provide for that instead of using the 1x network. It 
required a major publicity campaign to get everyone to make the switch.

Pete Morrissey


________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Jenkins, Matthew
Sent: Thursday, July 24, 2008 4:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

How many others are doing 802.1x in a Cisco LWAPP environment?  Have you had 
success with it, or would you recommend another route for authentication?  
Currently we are using VPNs over our secure wireless and I am investigating 
whether we would be ahead to start using 802.1x coupled with WPA.  Any thoughts 
would be appreciated.

Thanks,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu<http://www.fairmontstate.edu/>

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
