I'm in the process now of setting up our WLC-4402 to use ADS computer authentication for one of its SSIDs. For those of you that have already done this, did you go directly from the WLC to Windows RADIUS/IAS, or did you go through Cisco ACS first? Will LDAP from the WLC to an ADS domain controller work, or do you need to stay with RADIUS?
Thanks
John

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Danner, Mearl
Sent: Thursday, April 08, 2010 1:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AD over wireless

IAS policies on the same SSID. Fac/Staff/Domain Computers (no students joined) get one VLAN and their own IP range with no ACLs applied. Students get another with an ACL to protect our domain ports from virus. We can use knowledge of the IP ranges to configure bandwidth filtering, NAT addresses and other things in our systems.

Mearl

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Thursday, April 08, 2010 11:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AD over wireless

Thanks, Heath and everyone else. Do you who are doing wireless AD use a unique SSID for full AD wireless clients, or use the magic of RADIUS and AD to divvy users up?

-Lee

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of heath.barnhart
Sent: Thursday, April 08, 2010 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AD over wireless

We've been doing this for about a year now and like Mearl said it pretty much just works. There are two main issues I've seen:

1. Signal Strength/Quality can really affect how well the process goes on first login. If the user's profile already exists on the system and the system is just getting updates then it seems to work fine regardless. Downloading a whole profile under less than optimal wireless conditions seems to be hit or miss.
2. Profile size might also affect success, but again, usually everything just works if the user's profile exists on the host.

We haven't done too much in the way of actually setting this up, it just kinda worked and we went with it. AD over wireless is something I do want to work on to get it solid, just haven't had the time to work with it. I don't know how well or if it works with Macs. I know our Mac tech was working on something but I never heard if it works or not.

Heath

On 4/7/2010 7:32 AM, Lee H Badman wrote:

We have been doing big, secure wireless for a number of years, but have yet to really explore AD over the WLAN. We are using PEAP w/ MS-CHAPv2 for EAP, and are starting a conversational collaboration between our AD and security folks and us on the network side. Early questions that have come up (we've done no testing yet):

Does the network stack come up in time to allow for domain laptops to get GPO policies and software installs that occur right away on startup?

Can computer authentication instead of user authentication be done in our environment?

I know that some of you have gone ahead of the rest of us on AD over wireless, and so I appeal to your experience for some perspective.

As always- thanks.

-Lee Badman

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

--
Heath Barnhart, CCNA
Asst. Systems and Networking Admin
Information Systems and Services
Washburn University
Topeka, KS 66621