Thanks Hector (and Mike and David). Hector- we see visitors with
locked-down laptops that expect to be able to VPN out over a guest path-
that's where that question originates. Everything else makes sense... is
your FreeRADIUS server the same RADIUS box used for your 802.1x
network(s)?
 
Wondering if anyone is actually using the Lobby Ambassador feature on
any scale?
 
Lee
________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios
Sent: Tuesday, January 06, 2009 1:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAPP Guest Portal Satisfaction
 
Answers below:
 
How (or where) do you enforce the http/https restriction? 
We created an ACL on the controllers to the guest interface.
 
Any demand to allow VPN protocols out?
The way we look at guests is that if they want quick access to the web,
our guest SSID should accomplish this. No driver updates or complicated
configurations needed. If they need anything else, they need to connect
to our main SSID which requires 802.1x authentication and is encrypted.
The same guest account that they use for the guest SSID works on the
secure SSID, so there is no need to create additional accounts.

I'm guessing that the admin website for account creation is on another
box- can you describe the integration?
Yes it is. The guest user database is on a BSD box running PostgreSQL.
FreeRADIUS (which is on a separate box) queries this database.

And I'm guessing this is on a guest SSID?
Yes. We've tried running this on the same SSID as the secure one, but
we've had problems getting the automatic VLAN assignment to work
reliably on FreeRADIUS.

Finally- one thing that perplexes me a bit- we have 24 controllers- how
would you gracefully coordinate the portal across all of them? Isn't it
really one portal per controller and there's no way to force users from
other APs on other controllers through a common portal?
Is it one portal per controller? In essence it is. If your controllers
belong to the same mobility group and your guest SSID is replicated
across all controllers, then it should all work as virtually one common
portal.
 
Hope this helps.
 
Hector
 
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 
