Kevin,

Feel free to ping me off-list for any questions, etc. on ClearPass Guest.
We moved our guest over a couple of years ago, but there are some things I would do differently, if I had the time and the insight I have now.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Kevin.Jacobs [mailto:kevin.jac...@trnty.edu]
Sent: Wednesday, July 20, 2016 10:47 PM
Subject: Re: Aruba and Bradford

Brian,

We migrated from Bradford to ClearPass last summer. We were deciding between licensing some of the newer Bradford features (integrating with our firewall, etc.) or moving to ClearPass. We were using Microsoft NPS for RADIUS proxied through our Bradford NetworkSentry to return the appropriate role to our Aruba controller. We also used Bradford for posture checks as students registered devices, requiring antivirus, etc. We had Bradford in place for all wired dorm port control as well as campus-wide wireless authentication.

One thing that we liked with Bradford was the ability for students to have a switch in their room (with all registered devices) if there were not enough wired ports in an area. This was more of an issue in the past; with the prevalence of wireless devices in the dorms, our wired port utilization is much lower than it used to be. After deciding posture checking wasn’t a requirement moving forward (which Bradford has always done very well for us) we ended up with a decision that we could possibly utilize ClearPass better with our existing Aruba infrastructure.
We are currently using ClearPass for:

· 802.1X authentication for campus wireless
· 802.1X/MAC authentication for dorm wired ports (anything that can use 802.1X does, other devices can MAC Auth and are registered through ClearPass – we were able to utilize multiple VLANs for registered devices as well, depending on what the device is profiled as – one issue here was Xbox One consoles/Windows 10 machines, still not sure if there’s a great answer there…)
· Device Registration (all non-802.1X devices need to MAC Auth) – Users can register devices which then get profiled and assigned a VLAN based on device type and network restrictions (helped keep console gamers happy).
· Student AirPlay limitation (ClearPass has the ability to limit what wireless users can AirPlay to a student’s registered devices, they choose when it is registered but can modify it later)
· TACACS+ for network device administration.
· RADIUS – far better to look/search through than NPS, each attempt is logged and an alert tab often points to the problem with the authentication attempt. We’re able to provide read-only access to our HelpDesk which allows them with a bit more confidence to identify the problem.
· Firewall Integration - ClearPass passes User ID information to our firewall allowing better defined rules.

We are working on implementing a better guest management solution with ClearPass right now, hopefully we’ll have it branded/working within the next couple weeks… we’ll see how that goes. We also plan to use ClearPass to secure more than just dorm ports on campus as switches are replaced.

I think ClearPass has a steeper learning curve than Bradford did (especially when we implemented it), but the additional features and flexibility have definitely been worth it so far.
Once you have an understanding of how it works and can pass back multiple attributes to different systems you can do a lot with it (for example, we return User ID info to the firewall, update the Endpoint record in ClearPass with the switch/port the device is connected to, and return the appropriate VLAN based on the building that the user is in).

Feel free to contact me off-list if you have any other questions.

Kevin Jacobs
IT Systems Manager
Trinity Christian College
708.239.4735

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Tuesday, July 19, 2016 4:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba and Bradford

Feel free to ping me off-list. I may sanitize/redact comments and repost them for the benefit of others though.

If you are an Aruba AND Bradford shop, what was your reason for using Bradford vs Clearpass? Our primary interest in NAC is onboarding and guest networks (wired and wireless). We are currently a Bradford shop. I don’t see a reason to change, but I’d like to understand the benefits (or drawbacks) for staying with Bradford (or moving to Clearpass, for that matter).

If you migrated from Bradford to Clearpass, would you do it again? Pains? Successes?

Vendors: This is not a solicitation for NACs or wireless. I’m collecting information.

Thanks!

-Brian

____________________________________
Brian Helman, M.Ed | Director, ITS/Networking Services | •: 978.542.7272
Salem State University, 352 Lafayette St., Salem Massachusetts 01970
GPS: 42.502129, -70.894779

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.