Bob: I should complete the thought. What we do today for domain devices is a separate SSID which VLAN-steers non-domain-joined machines into a VLAN that will only permit certain admins 802.1X access. This is for the purpose of joining the machines to the domain if appropriate. What I proposed below would be for the non-domain system users.

Randall Grimshaw
rgrim...@syr.edu

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Randall C Grimshaw [rgrim...@syr.edu]
Sent: Thursday, December 29, 2011 12:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Authentication methods

Bob: I have built or helped implement a few systems over the years... What I am lately pondering as the direction of choice is a system based on 802.1X user-based authentication AND MAC-address-based VLAN steering. 802.1X PEAP MSCHAPv2 WPA2 will use RADIUS that backends to your domain servers. The machines do not need to be in the domain, just the user accounts. Call it a quarantine VLAN, but this would be the way messages could inform the user that they are in curfew or whatever. How the list of MAC addresses gets into your RADIUS server to drive VLAN policy is the trick here. Anyone have experience with this?

Randall Grimshaw
rgrim...@syr.edu

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Bob Williamson [bob_william...@aw.org]
Sent: Wednesday, December 28, 2011 9:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Authentication methods

I am working on a new wireless system and would like to hear some suggestions on authentication methods for our situation. For a smallish environment, we have some complications which make it more complex than normal.

Example: We have boarding students, some of which need limited hours of access and will have devices of different types.

Domain Devices: Windows and OS X both have computer (and user) accounts in AD. Need both domain and internet access.
School-owned, non-domain devices: iPad/iPod (can they be bound to a domain?)
Private Devices: Boarders bring in private laptops, devices, etc. not bound to the domain.
(Internet Only) Guests: Short-term devices/laptops for guest usage.
Hours of usage: One significant issue is the majority of devices need to be locked out of internet usage after midnight. BUT there is a subset of the above devices/users who get internet access after midnight. Maybe this should be handled at the firewall?

We are using a Ruckus ZD3000 as our controller. Seems like RADIUS would fit the "domain Devices" and handle the hours of usage? Separate SSIDs with MAC authentication? DPSK per device? Etc.

Any suggestions would be appreciated,

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org
D: +1.253.284.5465 | F: +1.253.572.3616 | bob_william...@aw.org

Annie Wright's strong community cultivates individual learners to become well-educated, creative, and responsible citizens for a global society.

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
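The design the thread converges on (802.1X user authentication against AD, the device MAC steering the VLAN, and a curfew that a subset of users is exempt from) written out as the post-authentication policy decision. This is an added example, not code from either poster or from Ruckus; it assumes PEAP/MSCHAPv2 has already succeeded before this runs, and the MAC table, VLAN numbers, curfew window and exempt user are constructed placeholders.

```python
"""Post-authentication policy for the design in the thread: the user has
already passed 802.1X PEAP/MSCHAPv2 against AD; this decides the VLAN from
the device MAC and the curfew clock. Added example; every table value below
is a constructed placeholder, not either school's real configuration."""
import re
from datetime import time

# Constructed device registry keyed by canonical MAC (see norm_mac).
DEVICE_VLAN = {
    "00-11-22-AA-BB-01": 10,  # domain-joined laptop -> domain + internet VLAN
    "00-11-22-AA-BB-02": 20,  # school-owned iPad    -> internet-only VLAN
}
QUARANTINE_VLAN = 30  # unknown MAC, valid user: only admins may domain-join from here
CURFEW_VLAN = 40      # internal-only VLAN whose landing page tells the user they are in curfew
CURFEW = (time(0, 0), time(6, 0))   # internet locked out from midnight until 06:00
CURFEW_EXEMPT = {"night.staff"}     # the subset that keeps internet access after midnight

def norm_mac(raw: str) -> str:
    """Canonicalise Calling-Station-Id as different NAS vendors send it
    (aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, AA-BB-CC-DD-EE-FF) to AA-BB-CC-DD-EE-FF."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def in_curfew(hhmm: str) -> bool:
    """True if the local wall-clock time 'HH:MM' falls inside the curfew window."""
    start, end = CURFEW
    return start <= time.fromisoformat(hhmm) < end

def decide(user: str, mac: str, hhmm: str) -> dict:
    """Return the RADIUS reply attributes for an Access-Accept: the dynamic-VLAN
    triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id)."""
    if in_curfew(hhmm) and user not in CURFEW_EXEMPT:
        vlan = CURFEW_VLAN   # steer rather than reject, so the user can be told why
    else:
        vlan = DEVICE_VLAN.get(norm_mac(mac), QUARANTINE_VLAN)
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}

if __name__ == "__main__":
    for who, dev, at in [("student1", "00:11:22:aa:bb:01", "14:00"),
                         ("student1", "00:11:22:aa:bb:01", "00:40"),
                         ("night.staff", "0011.22aa.bb02", "00:40"),
                         ("student2", "00-11-22-AA-BB-99", "22:15")]:
        print(who, dev, at, "->", decide(who, dev, at)["Tunnel-Private-Group-Id"])
```

The three Tunnel-* attributes are the standard dynamic-VLAN reply a RADIUS server sends; the controller still has to be configured to honour them, and the unknown-MAC path shows where the MAC registry Randall asks about plugs in.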