Clearpass Integration

  • 1.  Clearpass Integration

    Posted May 31, 2015 09:34 PM

    Suggestion 

     

    Currently, at the university where I work, they are using MAC auth for wireless users. We are moving to EAP using ClearPass. Any suggestions on how to roll this out properly?

     

    1. Did you create a secondary SSID with a different name, ask the staff, students, etc. to start using that one for a period of time, and then remove the one with MAC auth?

    2. Did you run into any unexpected issues in the dot1x deployment?

    3. Did you have to keep the MAC auth SSID for devices that don't support dot1x in the dorm area? If not, did you create a MAC auth service before the dot1x one in ClearPass, so the wireless users hit that service first?

    4. Did you roll out one building at a time, per controller, or globally all at once?

     

    Thank you

    Nils. 

     



  • 2.  RE: Clearpass Integration

    EMPLOYEE
    Posted May 31, 2015 09:38 PM

    1) You will have to, because it will be a different authentication method. If you use the same SSID, users that have it saved on their device will have issues.

     

    2) If you're using PEAP with username/password and not doing any type of Onboarding, just be prepared that users who don't read will click Terminate or Cancel when they get the prompt asking them whether they trust the RADIUS server.

     

    3) The new idea is one 802.1X network and one open with MAC-auth that can service both "dumb" devices and guest users. There are different attributes you key off of for the open service so ordering doesn't matter.

     

    4) Since it will have to be a new SSID, you can roll it out globally so you don't have roaming issues.

     

     

     



  • 3.  RE: Clearpass Integration

    Posted May 31, 2015 09:46 PM

    Tim

     

    Do you control how many devices the students or staff can MAC register? Do you allow staff members who should be doing dot1x to connect to the open MAC SSID?

     

    Yes, I will be using PEAP with AD user/password.



  • 4.  RE: Clearpass Integration

    EMPLOYEE
    Posted May 31, 2015 09:50 PM

    In the deployments I've done for universities, most just limit the type of device (media player, printer, game console), not counts.

     

    You can limit access to internal resources when users connect their regular devices to the open network or you can completely block them (see here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Guide-Using-ClearPass-to-steer-users-to-secure-networks-mhc/m-p/144823 )



  • 5.  RE: Clearpass Integration

    Posted May 31, 2015 10:13 PM

    Thank you Tim for sharing! 



  • 6.  RE: Clearpass Integration

    Posted Jun 01, 2015 09:46 AM

    FWIW, we deployed three SSIDs: (1) a dot1x one, (2) an open one with MAC registration, and (3) a guest one with web registration. All faculty/staff/students use the dot1x one unless they have gear that does not support it, in which case they can register their MAC and use #2. We in IT manage and register some gear, such as TVs, thermostats, etc., that does not support dot1x, and put it on #2. Guest registrations on #3 require certain IDs, have limited internal access, and are cached for a period of time.

     

    We rolled out all of these simultaneously across our campus as we replaced an existing, open SSID / web registration wireless system.  For a short period of time, both systems were live while we transitioned.  We did some good work up front to communicate the changes to the campus community, and we provided some online help instructions to help them get connected.  For faculty/staff computers that are university owned, we pushed a domain policy to them in order to automatically create the wifi connection for the dot1x network.

     

    We had a number of issues with dot1x, mostly with older hardware or older drivers that did not play nicely. Windows 7 / 8 in particular are problematic for students, because there are a number of hoops they have to jump through to set up the connection properly. We do not allow students to join their personal equipment to our domain, so we cannot easily push a policy to them. And while we can provide them a batch file to automatically set the connection up, it is not always easy to explain how to do that. Aruba does of course have a solution for this (QuickConnect), but we do not have that.

     

    Conversely, OSX machines simply prompt for credentials and move on.  However, we had a number of connectivity issues with OSX as a result of some (now well known) software updates that caused wifi connectivity issues.

     

     

     

     



  • 7.  RE: Clearpass Integration

    MVP
    Posted Jun 01, 2015 04:11 PM

    We do something similar. We have a secure SSID and a Guest SSID.

    We have an open SSID that serves 2 purposes

    1. People can onboard personal machines to the secure network

    2. Registered non-802.1X devices can use this network. the internal website & blackboard are blocked. Machines needing this access should be using the secure network.

    Users register their own devices for the open network, and they are associated with their username.

    We track Internet bandwidth by username.