Matt, At Emory, we are handling what we call PWD's - personal wireless devices - including PDAs, game consoles, on other miscellaneous wireless devices using our Guest Access SSID. For students, staff, and faculty devices that don't support our secure 802.1x SSID, but on campus and have a "legitimate" need, we use MAC authentication to bypass the guest access captive portal. The user has to bring the device in so that we can verify the type of device and get the MAC address. The MAC address, Users ID, and device type are entered in the RADIUS database. Our Aruba infrastructure then uses that RADIUS server to authenticate our guest access SSID users - a pass will put them into a special PWD role while a fail forces them to use the captive portal for guest access authentication.
We lock down our guest access pretty well - only web/secure web and VPN access is allowed and also bandwidth-limited. The PWD role is slightly more open - we add secure mail and some TiVo/game console access. We originally added the MAC authentication to handle the flood of iPhones last fall. The TiVos and game consoles, too. This fall with the iPhone 2.0 firmware supporting WPA/2-Enterprise 802.1x, we will have less of those, but probably more game consoles and other devices. While I'm sure what all the Cisco capabilities are, you should be able to implement something similar to what we've done with our Aruba hardware. >>-> Stan Brooks - CWNA/CWSP Emory University Network Communications Division 404.727.0226 AIM/Y!/Twitter: WLANstan MSN: [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> GoogleTalk: [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jenkins, Matthew Sent: Thursday, July 24, 2008 5:37 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x Thanks everyone for your quick responses! As far as the EAP method goes, we will primarily be using MS AD to authenticate. I figured we would use MS IAS unless there is something better to sit between MS AD. I'll have to check out Jorge's suggestion of using Funk. We are having a large issue with people wanting to register playstations, pdas, and such on the wireless. Currently we can't do it because our guest network is using the basic Cisco auth page. As far as laptop guests go if we were using 802.1x, we can give out temporary 1-day accounts. However, how is everyone handling PDAs and gaming consoles that do not support 802.1x? Thanks, Matt Matthew Jenkins Network/Server Administrator Fairmont State University Visit us online at www.fairmontstate.edu<https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/> ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Peter P Morrissey Sent: Thu 7/24/2008 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x I think the biggest challenge was (and still is to some extent) getting people to use it and not user our Guest access or PDA access. We don't require guests configure 1x and not all PDA's can even do 1x. As a result, sometimes people use the network we provide for that instead of using the 1x network. It required a major publicity campaign to get everyone to make the switch. Pete Morrissey ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jenkins, Matthew Sent: Thursday, July 24, 2008 4:01 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x How many others are doing 802.1x in a Cisco LWAPP environment? Have you had success with it, or would you recommend another route for authentication? Currently we are using VPNs over our secure wireless and I am investigating whether we would be ahead to start using 802.1x coupled with WPA. Any thoughts would be appreciated. Thanks, Matt Matthew Jenkins Network/Server Administrator Fairmont State University Visit us online at www.fairmontstate.edu<http://www.fairmontstate.edu/> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ________________________________ This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.