on 05-31-2015 06:33 PM
Currently at the Universtiy i work they are using mac auth for wireless users. We are moving into EAP using ClearPass. Any suggetion on how to roll out this properly?
1. Did you create a secondary SSID with a different name and asked the staff, students, etc to start using that one for a period of time and then remove the one with MAC auth?
2. Did you run into any unexpected issues in the dot1x deployment?
3. Did you have to keep the mac auth ssid for devices that dont support dot1x in the dorm area? If not, did you created a mac auth service befoe the dot1x in clearpass, so the wireless users will hit that service first.
4. Did you roll out one building at a time? or per controller or globally at once?
05-31-2015 06:38 PM - edited 05-31-2015 06:39 PM
1) You will have to because it will be a different authentication method. If you use the same SSID, users that have it saved in their device will have issues.
2) If you're using PEAP with username/password and not doing any type of Onboarding, just be prepared that users don't read will click terminte or cancel when they get the prompt asking them if they trust the RADIUS server.
3) The new idea is one 802.1X network and one open with MAC-auth that can service both "dumb" devices and guest users. There are different attributes you key off of for the open service so ordering doesn't matter.
4) Since it will have to be a new SSID, you can roll it out globally so you don't have roaming issues.
on 05-31-2015 06:46 PM
Do you control how many devices the students or staff can mac register? Do you allow staff members that should be doing dot1x connect to the MAC open ssid?
Yes i will be using PEAP with AD user/pwd.
05-31-2015 06:49 PM - edited 05-31-2015 06:50 PM
In the deployments I've done for universities, most just limit the type of device (media player, printer, game console), not counts.
You can limit access to internal resources when users connect their regular devices to the open network or you can completely block them (see here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Guide-Using-ClearPass-to-steer-users-to-secure-networks-mhc/m-p/144823 )
on 06-01-2015 06:45 AM
FWIW, we deployed three SSIDs - 1. a dot1x, 2. an open one with MAC registration, and 3. a guest one with web registration. All faculty/staff/students use the dot1x unless they have gear that does not support it, then they can register their MAC and use #2. We in IT manage and register some gear, such as TVs, thermostats, etc. that do not support dot1x, and put them on #2. Guest registrations on #3 require certain IDs, have limited internal access, and are cached for a period of time.
We rolled out all of these simultaneously across our campus as we replaced an existing, open SSID / web registration wireless system. For a short period of time, both systems were live while we transitioned. We did some good work up front to communicate the changes to the campus community, and we provided some online help instructions to help them get connected. For faculty/staff computers that are university owned, we pushed a domain policy to them in order to automatically create the wifi connection for the dot1x network.
We had a number of issues with dot1x, mostly with older hardware or older drivers that did not play nicely. Windows 7 / 8 in particular is problematic for students, because there are a number of hoops for them to have to jump through to set up the connection properly. We do not allow students to join their personal equipment to our domain, so we cannot easily push a policy to them. And while we can provide them a batch file to automatically set the connection up, that is not always easy to explain how to do. Aruba does of course have a solution for this (Quick Connect) but we do not have that.
Conversely, OSX machines simply prompt for credentials and move on. However, we had a number of connectivity issues with OSX as a result of some (now well known) software updates that caused wifi connectivity issues.
06-01-2015 01:10 PM - edited 06-01-2015 01:12 PM
We do something similar. We have a secure SSID and a Guest SSID.
We have an open SSID that serves 2 purposes
1. People can onboard personal machines to the secure network
2. Registered non-802.1X devices can use this network. the internal website & blackboard are blocked. Machines needing this access should be using the secure network.
Users register their own devives for the open network and they are associated with their username.
We track Internet bandwidth by username.