Lee, Since the installed base is not big in the US (15 institutions), it's hard to gauge a real demand/usage. I can give number like "thousands of authentications" but in term of unique users it is not more than 20-30 per week. We did provide eduroam at the last Internet2 member meeting and got 50+ users to join out of 700 participants. No bad for a first time, and no helpdesk call at all (all done with Cisco FAT APs). The highest traffic that we see for the US federation is between LSU and LSU Health. In that particular case eduroam is an attractive way of connecting two different 802.1X domains.
As a side note, I wish all our incoming students new about eduroam! Yesterday, first day of class, our visitor network was down due to lack of IP addresses. Most of our incoming students for some strange reason had decided to join the visitor network and the 1000 or so IP addresses were not enough to respond to the demand. With 802.1X (and in this case the eduroam SSID), you don't get an IP address until you really mean to connect! Maybe we need to rename our visitor SSID "donotconnect" instead of "ut-visitor" ;-) Philippe On Aug 19, 2010, at 12:45 PM, Lee H Badman wrote: > Phillipe- > > Good summary. On the topic of Eduroam- any sense of real demand and usage for > the service? > > Thanks- > > Lee > > > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset > Sent: Thursday, August 19, 2010 12:15 PM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] share 802.1x experience? > > Kay, > > Just a few heads up: > > -Definitely do WPA2 > -The choice of EAP method is important. EAP-PEAP with AD as the backend makes > life easier, though > you can create a SAMBA front end to LDAP if you want (there is documentation > on eduroamus.org) > -The choice of the CA seems to matter in how smooth the roll out goes > (Verisign works well), self signed certificates can be a pain. > -If you decide to support EAP-TTLS, people on this list have been very please > with XpressConnect to facilitate the deployment of supplicants for Windows > -Educate the community (documentation etc...) on how important the > certificate verification is. Man In the Middle with 802.1x over Wireless > is not that hard! > -Be aware that the RADIUS admin will be able to read clear text passwords > going to your authentication backend if you use PAP instead of M > -802.1x authenticates users at layer two, you still need to deal with IP > management (NetReg etc...) > -Look into mechanisms to be able to disconnect a user (802.1x doesn't have a > built-in mechanism, you Wireless LAN vendor will > provide this function. e.g. Blacklisting) > -For eduroam, be aware that the outer identity is essential, include this in > your documentation (e.g. make you users type their full > identifier from day one; use...@realm). Most supplicants (Mac OSX supplicant, > Windows supplicant) will set the outer identity automatically from > the userid. > -On the eduroam side again: you choice of RADIUS is important (Some versions > of RADIUS do not support proxying, e.g: Steel Belted RADIUS if it's not the > Global Enterprise edition). > -The eduroamus.org site has documentation for FreeRADIUS, RADIATOR, Microsoft > NPS, Juniper SBR (Same as Steel Belted) > > Feel free to contact the eduroamus.org team even for 802.1x questions, > > Best, > > Philippe Hanset > University of Tennessee > eduroamus.org > > > > > > On Aug 19, 2010, at 9:21 AM, Kay Sandacz wrote: > > > Hey Bryn, > > We’re planning on deploying eduroam three days after the 802.1x rollout. > Nonetheless, we have communications to prepare for the 802.1x rollout, so I’m > looking for end user experience, things that could have been done better, > things that worked in that scenario right now. > > And yes, we’re Cisco throughout. > > Thanks, > -kay- > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bryn Jones > Sent: Thursday, August 19, 2010 8:17 AM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] share 802.1x experience? > > Hi Kay > > I don’t know whether you are aware of ‘eduroam’ > (http://www.eduroamus.org/eduroam_international_map), which is a shared > authentication infrastructure in Higher Education? > > We used the introduction of the ‘eduroam’ SSID onto campus here in Leeds as a > method of introducing 802.1x onto our Cisco WiSM architecture. > > I’ll be quite happy to share information if you have Cisco kit. > > Thanks > > Bryn > > > Bryn Jones > ISS Network Development > Rm 8.01e Computing Block > EC Stoner Building > University of Leeds > LS2 9JT > > 0113 343 7055 > > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:wireless-...@listserv.educause.edu] On Behalf Of Kay Sandacz > Sent: 19 August 2010 13:56 > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: [WIRELESS-LAN] share 802.1x experience? > > Hey folks. > > Anyone care to share experience in rolling out 802.1x? We’re looking only at > wireless just now. Support issues or user experience would be particularly > helpful. > > And did anyone attempt to run 802.1x on a previously existing SSID? > > Thanks, > -kay- > > Kay Sandacz, Assistant Director > Data Networking, IT Services > The University of Chicago > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
