We’ve got a pure open SSID – but with a captive portal AUP acceptance page.  
Keeps some of the devices off that either don’t have a browser or can’t click 
on “Accept”.  It ends up in our visitor VRF, which we treat devices as if they 
are at Starbucks, etc., so cannot reach private devices (storage, etc.), but 
can reach publicly available resources (email, etc.).  For the most part, it 
works pretty well – but we have folks who want to connect game consoles, TV 
streaming devices, etc. to it.  If a user wants to join that instead of the 
802.1X wireless network, that’s fine too, for basic internet access, they just 
won’t be able to get to some resources on campus.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 03, 2016 6:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

 

This is without MAC auth. Pure open, piloted market leading MAC auth solutions 
and fingerprinting was less than impressive. 

 

This is an experiment.


On Aug 3, 2016, at 7:36 AM, Osborne, Bruce W (Network Services) 
<bosbo...@liberty.edu> wrote:

We have been doing open network with mac authentication for non-802.1X devices 
for years. 

 

We just block some things like our web site & course system that would not be 
used by those devices anyway. This “encourages” people to use the secure 802.1X 
network.

 

Bruce Osborne

Wireless Engineer

IT Network Operations - Wireless

 

(434) 592-4229

 

LIBERTY UNIVERSITY

Training Champions for Christ since 1971

 

From: Lee H Badman [mailto:lhbad...@syr.edu] 
Sent: Tuesday, August 2, 2016 7:01 PM
Subject: Re: Cisco ISE

 

Open network, brother. We're about to test the good and bad of it in production 
for non-smart resnet devices. 


On Aug 2, 2016, at 12:10 PM, Shayne Ghere <sgh...@fsmail.bradley.edu> wrote:

Bruce,

 

It was a consultant that recommended it, but for gaming/non-802.1x capable 
devices.  I may have stated it incorrectly.

 

Our problem is that we have more and more devices that are non-standard 
Windows/Mac OS so the certificates don’t work.  Most are Engineering/IT students 
and it’s an uphill battle for us.

 

We’re currently looking at Apogee to take over our Dorm wired/wireless network, 
but we can do the same thing with our own equipment.  The question we’re asking 
ourselves is: do we want to create an open network in the dorms, firewall them 
from everything unless they’re using secure wireless, or continue to fight the 
certificate issues.  

 

We have a homegrown registration system, but we’re quickly outgrowing it and 
need to move to something that’s all encompassing.  We used ACS a few years 
ago, but our CIO (at the time) wanted to move to all open source and that’s 
caused more headaches than anything.

 

I do have a conference call with Cisco deployment on Wednesday, but just wanted 
to get a feel how others in our field like the product, and what real world 
issues you’ve had.   Unfortunately, we don’t get that kind of feedback from the 
manufacturer.

 

I appreciate all the e-mails and responses!

 

Shayne

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Tuesday, August 02, 2016 6:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

 

I am surprised (and appalled) that Cisco would recommend *WPA2-Personal* (aka 
WPA2-PSK) in an Enterprise environment. We are currently using PEAP-MSCHAPv2 
with our WPA2-Enterprise (aka 802.1X) wireless network. 

 

For self-registration on devices that cannot use 802.1X, we are using a custom 
portal with the ClearPass APIs. We are currently using an open network for mac 
authentication. We block our website & Blackboard system to “encourage” users 
to use our secure network for laptops instead of registering for mac auth. 

We are considering moving to using certs with ClearPass Onboard, but have 
not yet implemented. We are currently using CloudPath Wizard for onboarding 
802.1X devices.

 

Bruce Osborne

Wireless Engineer

IT Network Services - Wireless

 

(434) 592-4229

 

LIBERTY UNIVERSITY

Training Champions for Christ since 1971

 

From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu] 
Sent: Monday, August 1, 2016 10:06 AM
Subject: Cisco ISE

 

Good morning,

 

Currently we have a home grown wireless registration system in place that is 
becoming obsolete.  We are getting ready to refresh our Cisco AP’s, and I’m 
writing to see if anyone has any positive/negative issues in using Cisco ISE 
for individual “self” registration on your wireless network.

 

We also use WPA2/AES Certificate based security, but that is problematic 
because of compatibility issues and devices that have no way of accepting 
certs.   In talking with some Cisco Wireless Engineers, they recommend 
WPA2/AES-PSK but we don’t have the manpower to set that up on every device.   
We also do not NAT any devices.

 

If you have any suggestions, or comments on using ISE and moving away from 
Certs, I would greatly appreciate them.

 

Thanks

Shayne

 

----------------------------------

T. Shayne Ghere

Bradley University

Wireless/Lan Network Engineer

1501 W. Bradley Ave, Jobst 224A

sgh...@fsmail.bradley.edu

FBI CA Graduate2011 Alumni

FBI InfraGard Member

----------------------------------

UPCOMING OUT OF OFFICE

None

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
