We are basically a Cisco shop (routing/switching, voice, telepresence) except for wireless & RADIUS where our partner is Aruba. The wireless team split off from our routing/switching team several years ago.
For wired, we have the switch ports set up for multi-domain, permitting 1 voice and 1 data connection per port. We use EAP-TLS or mac auth for ClearPass to tell the switch that the phone is a voice device. The phones use CDP to get the proper voice vlan.

When we decided to move away from our NAC solution, we looked for quite a while at the options out there. We had a well defined set of needs and there did not appear to be a single solution that met the requirements. We actually had a different product we evaluated with ClearPass, but they removed one required function just before our final comparison. That made our decision clear.

We use ClearPass APIs with a custom portal to register devices for mac auth on wired & wireless. For guest, we currently use a custom skinned ClearPass portal, but I would like to move to our own portal using APIs for flexibility and scalability.

I was heavily involved in researching and implementing our 802.1X infrastructure. On wired, we are enforcing in our dorm areas. RADIUS is used, but not enforced in the campus wired areas. I am not sure of the switch configuration there, because my team was not really involved in that.

During my wired research, I came across using layer 3 ACLs on layer 2 access switches. We talked with another school that uses FreeRADIUS for wired 802.1X in their dorm areas. They found that downloadable ACLs placed too much delay in the process and that having predefined ACLs on the access switches and just applying them to ports as needed worked well. Our routing/switching team balked at the idea due to the overhead of keeping all those ACLs consistent & updated. Using predefined ACLs would give more flexibility in granting access. Our students currently do not have access to staff-only resources. Some student workers need access to a subset of those resources to perform their duties. On wireless, we just grant the needed additional access.
On wired, we place them in the Staff vlan, giving them full staff access, which is more access than needed.

Feel free to contact me offline if you want to discuss further.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Peter P Morrissey [mailto:ppmor...@syr.edu]
Sent: Thursday, June 25, 2015 8:13 AM
Subject: Re: Network Authentication question

Bruce,

Interesting that you have mixed Cisco and Aruba. We are actually all Cisco at this time and are considering ISE and ClearPass. (Assuming you meant to say Aruba ClearPass for RADIUS and guest, not Aruba CloudPath.) For us, initially, this will be a guest access solution, but I believe there is a good chance that the solution we choose will be an obvious contender for replacement of our RADIUS environment at some point. Matt Barber had mentioned that he looked at both and chose ClearPass, which apparently drove his wireless decision. If I recall correctly, you guys are Aruba wireless, which perhaps made ClearPass a more obvious choice?

Also, curious about your statement regarding port level ACL’s. Would love to hear more about your thinking there. We have yet to deploy VOIP, but it is coming. Are you saying you would do port level ACL’s instead of the VLAN’s for some reason?

Thanks,
Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Thursday, June 25, 2015 7:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

We are using Aruba CloudPath for RADIUS & Guest and Cloudpath XpressConnect Wizard for onboarding. We have wired 802.1X (PEAP-MSCHAPv2 & MAC auth) in our dorms with Cisco switches. We use vlan names instead of numbers to give scalability in our environment.
We also use Cisco phones and have clients connected through the phone. We use EAP-TLS with the preinstalled certificates or mac auth for older models. If I had to do things again, I would look at using predefined ACLs applied at a port level.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Danny Eaton [mailto:dannyea...@rice.edu]
Sent: Wednesday, June 24, 2015 4:26 PM
Subject: Re: Network Authentication question

Is anyone doing any of these for wired, using 802.1X?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, June 24, 2015 3:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

I went with the Extreme Netsight product at my last shop and found it to be excellent. I could assign policy to an end user pretty much on any criteria I could think of. I was hard pressed to find something I could not do. The nice thing about Extreme is that it is a fully integrated system across wired and wireless and you can apply the exact same policy to a user no matter how or where they connect. Naturally it works best if you have Extreme for both wired and wireless but it is not necessary.

John

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Barber, Matt
Sent: Wednesday, June 24, 2015 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [BULK] Re: [WIRELESS-LAN] Network Authentication question
Importance: Low

Hi Matthew,

We are currently deploying a new Aruba network with ClearPass after evaluating both them and Extreme pretty heavily. ClearPass was one of the major deciding factors in us ending up with Aruba. As Frank and Russ mentioned, it is very full-featured.
We are using the RADIUS functionality for our main WPA2-Enterprise network and using their guest and registration features for everything else. We are very impressed so far. I would be happy to talk specifics if you are interested.

Take care,

Matt Barber ‘06
Network and Systems Manager
Morrisville State College
315-684-6053

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Williams, Matthew
Sent: Wednesday, June 24, 2015 10:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Network Authentication question

We’re looking into a few RADIUS solutions and I was wondering if any of you had any experience with the following products and what your thoughts are on them:

Cisco ISE
Aruba ClearPass
Extreme NetSight
Cloudpath XPressConnect ES

Any input would be appreciated. Thanks.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
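As an added example, not taken from any message in this thread, here is a Cisco IOS access-switch configuration in the shape Bruce Osborne describes above: a multi-domain port carrying one data device and one Cisco phone, 802.1X tried before MAB, VLANs handed back by name rather than number, and a predefined ACL kept on the switch that RADIUS selects by name through Filter-Id instead of pushing a downloadable ACL (the approach the other school found slow). The RADIUS server address, shared secret, VLAN names, ACL names and the 10.10.0.0/16 "staff resources" range are placeholders I made up; nothing here is Liberty's or ClearPass's actual configuration.

```cisco
! Added example (not from the thread). All names, addresses and the
! shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! RADIUS server (ClearPass in Bruce's setup); placeholder address and key
radius server CLEARPASS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! Predefined ACLs that live on every access switch. RADIUS picks one per
! session with Filter-Id = "<name>.in" (the ".in" suffix applies it inbound
! on the port). Only the name travels in the Access-Accept, so there is no
! per-session ACL download step before the port passes traffic.
!
! Staff: full access (placeholder: staff-only resources in 10.10.0.0/16)
ip access-list extended STAFF-IN
 permit ip any any
!
! Student worker: student access plus one staff resource they need
! (placeholder host 10.10.5.20), nothing else in the staff range
ip access-list extended STUDENT-WORKER-IN
 permit ip any host 10.10.5.20
 deny   ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
! Student: no staff-only resources
ip access-list extended STUDENT-IN
 deny   ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
! One dorm or office port: one data host behind one Cisco phone
interface GigabitEthernet1/0/1
 description dorm port - 802.1X then MAB, multi-domain
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Reply attributes the RADIUS policy returns per role (attribute values,
! not switch CLI). Cisco switches accept a VLAN name, not only a number,
! in Tunnel-Private-Group-Id, which is the vlan-name scheme Bruce uses.
!   Phone (EAP-TLS with its preinstalled certificate, or MAB):
!     cisco-av-pair = "device-traffic-class=voice"
!   Student:
!     Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
!     Tunnel-Private-Group-Id = "STUDENTS", Filter-Id = "STUDENT-IN.in"
!   Student worker (same VLAN, different predefined ACL):
!     Tunnel-Private-Group-Id = "STUDENTS", Filter-Id = "STUDENT-WORKER-IN.in"
!   Staff:
!     Tunnel-Private-Group-Id = "STAFF", Filter-Id = "STAFF-IN.in"
```

The student-worker case is the point of the exercise: the worker stays in the student VLAN and only the ACL changes, instead of being moved into the Staff VLAN and inheriting everything staff can reach. The cost is the one Bruce's routing/switching team raised: every access switch must carry identical copies of each ACL, and a Filter-Id naming an ACL the switch does not have fails the authorization, so the ACL definitions need to be pushed from a single source and checked for drift rather than edited switch by switch.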