We will have MAB access for devices that don't support 802.1x. We will also be heavily relying on captive portaling to direct the user where they need to go to get a cert via SecureW2 and whatnot. MAB devices will not receive the full access to our highest tier of protected data unless they are specifically allowed by infosec and manually placed into a special group on ISE. Phones and other special devices are allowed to get where they need and are permitted as long as they profile correctly in ISE.

802.1x devices may receive full access after they onboard with SecureW2 and receive their certificate. Links to the executable are provided via captive portal and we will also set up a "how do I connect?" page. It's my understanding wired needs admin access so this may be tough, but if you're BYOD I guess it's ok to be a little difficult as long as the process isn't implemented poorly. SecureW2 is a cloud-based portal that BYOD users just run on their own, so you have to make sure all your captive portals allow it in the walled garden. It supports SAML auth so users just log in and are presented with their university credentialing system.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Smith, Nayef" <nayef.z.sm...@emory.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 13, 2020 at 2:02 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] NAC/authentication implementations

Hi Lynn,

Curious about your high-level service design for NAC with eap-tls coming soon. We are in our infancy with NAC and are taking baby steps in our approach towards no authentication, no access. Are you going to a more restrictive service model with eap-tls? Are you thinking about a "no cert = no access" w/ self service onboarding for byod?

Nayef Z. Smith | Emory LITS Network Services | Suite 1700 | 1762 Clifton Road | Atlanta GA 30322 | Voice: 404-727-6019

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Heavrin, Lynn <lheav...@wustl.edu>
Sent: Monday, April 13, 2020 10:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [External] Re: [WIRELESS-LAN] NAC/authentication implementations

We aren't doing eap-tls other than our lab testing right now but, talking to multiple other universities, we decided to go with SecureW2 to do the certificate creation and BYOD onboarding. It works great so far in our testing and we plan to use it on our wired NAC. There's the option to use the cert for VPN as well. SecureW2 has hooks into JAMF, Windows management, and Airwatch systems to onboard university managed devices, and it also has the BYOD dissolvable agent.

Thanks,
Lynn Heavrin
Network Engineer II | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-1200
Phone: 314.935.3877 | Email: lheav...@wustl.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Brady J. Ballstadt" <bjbal...@uark.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 13, 2020 at 9:24 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] NAC/authentication implementations

Hello everyone,

Have a few questions as we do some research to add on to our NAC implementation and are trying to avoid issues or at least minimize them.

1. If you have a NAC solution do you do port based auth?
2. If you have a NAC solution do you do eap-tls? If so how are you handling the certification "push" to devices?
3. What were the major pain points during implementation?
4. What were the major use cases you were resolving/resolved?
5. Anything you would do differently if you do it again?

Any extra information would be great as well.

Thank you,
Brady Ballstadt
University of Arkansas

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

________________________________
The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

________________________________
This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
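The tiered policy described at the top of this thread (EAP-TLS 802.1x endpoints get full access; MAB endpoints stay restricted unless infosec places them in an approved ISE group; phones get voice access when they profile correctly) is easy to misconfigure when authorization rules are reordered. The script below is an added example, written for this page and not code from any poster, SecureW2 or Cisco ISE: it re-derives the tier each session should have received and flags sessions that were granted more. The key=value record format, the sample records, and the group, profiler and authorization profile names (`MAB-FullAccess-Approved`, `PERMIT-FULL`, `Cisco-IP-Phone`, and so on) are all constructed placeholders, not ISE's real export schema or names from the thread.

```python
"""Audit NAC authorization results against a tiered access policy.

Constructed example: the key=value record format below is a simplified
stand-in for a NAC authorization log, and every group, profiler and
authorization profile name is a hypothetical placeholder.
"""
import re
from dataclasses import dataclass

# Hypothetical names; substitute the real ISE objects when adapting this.
APPROVED_MAB_GROUP = "MAB-FullAccess-Approved"      # manually populated by infosec
PHONE_PROFILES = {"Cisco-IP-Phone", "Polycom-Phone"}  # profiler results for voice devices
AUTHZ_TO_TIER = {                                      # authz profile -> access tier
    "PERMIT-FULL": "full",
    "PERMIT-VOICE": "voice",
    "PERMIT-RESTRICTED": "restricted",
}
TIER_RANK = {"restricted": 0, "voice": 1, "full": 2}

# Constructed sample records (not real log output).
SAMPLE_RECORDS = [
    'mac=00:11:22:33:44:01 method=DOT1X eap=EAP-TLS authz=PERMIT-FULL',
    'mac=00:11:22:33:44:02 method=MAB profile=Cisco-IP-Phone authz=PERMIT-VOICE',
    'mac=00:11:22:33:44:03 method=MAB groups="Printers" profile=Unknown authz=PERMIT-FULL',
    'mac=00:11:22:33:44:04 method=MAB groups="MAB-FullAccess-Approved,Labs" authz=PERMIT-FULL',
    'mac=00:11:22:33:44:05 method=DOT1X eap=PEAP authz=PERMIT-FULL',
    'mac=00:11:22:33:44:06 method=MAB profile=Unknown authz=PERMIT-RESTRICTED',
]


@dataclass(frozen=True)
class Session:
    mac: str
    method: str               # "MAB" or "DOT1X"
    eap: str                  # "EAP-TLS", "PEAP", or "" when not applicable
    endpoint_groups: frozenset  # ISE endpoint identity groups the MAC belongs to
    profile: str              # profiler classification of the endpoint
    authz: str                # authorization profile actually assigned


# key=value pairs; values may be double-quoted to allow commas.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Session:
    """Turn one constructed-format record into a Session."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    groups = frozenset(g for g in fields.get("groups", "").split(",") if g)
    return Session(
        mac=fields["mac"],
        method=fields["method"],
        eap=fields.get("eap", ""),
        endpoint_groups=groups,
        profile=fields.get("profile", ""),
        authz=fields["authz"],
    )


def expected_tier(s: Session) -> str:
    """Highest tier the policy permits for this session."""
    if s.method == "DOT1X" and s.eap == "EAP-TLS":
        return "full"                      # onboarded with a certificate
    if s.method == "MAB":
        if APPROVED_MAB_GROUP in s.endpoint_groups:
            return "full"                  # explicitly approved by infosec
        if s.profile in PHONE_PROFILES:
            return "voice"                 # phones profiled correctly
        return "restricted"
    return "restricted"                    # e.g. 802.1x without a cert yet


def audit(lines):
    """Return (mac, expected_tier, granted_tier) for every over-permissive session."""
    findings = []
    for line in lines:
        s = parse_record(line)
        granted = AUTHZ_TO_TIER.get(s.authz, "full")  # unknown profile: assume worst case
        expected = expected_tier(s)
        if TIER_RANK[granted] > TIER_RANK[expected]:
            findings.append((s.mac, expected, granted))
    return findings


if __name__ == "__main__":
    for mac, expected, granted in audit(SAMPLE_RECORDS):
        print(f"{mac}: granted {granted}, policy allows at most {expected}")
```

Run against the constructed records, the audit flags the printer-group MAB endpoint and the PEAP-only 802.1x endpoint that both landed on the full-access profile; an unknown authorization profile is deliberately treated as full access so that a renamed or new profile surfaces rather than being silently trusted.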