1. At Liberty University, we have done full 802.1X on Aruba wireless and on Cisco switches in the residence halls for several years. We do not currently use RADIUS CoA, but we need to look at that further.
A connected user first hits a captive web portal that has links to either provision the client for 802.1X (currently using CloudPath XpressConnect) or register the MAC address for MAC auth. We have separate VLANs for Registration, Registered Devices (MAC auth), Students, Staff, & IT Administrators. We assign VLANs by name so different access switches can have differing VLAN IDs for the same role. For our Cisco voice, we let CDP determine the VLAN, and use either the installed certificate or MAC auth on older phones, so ClearPass has the switch mark it as a voice device. We use multi-domain authentication, which only permits 1 voice & 1 data MAC address per port.
We use 802.1X & registration information to map username to IP address for Internet bandwidth management purposes.
2. We are using RADIUS from the access switches to ClearPass.
3. In the past we used Bradford NAC (Aruba ECS) and found it lacking when we looked at moving to 802.1X in 2006.
5. ClearPass is a very good standards-based solution, especially if you currently have Aruba wireless or wired equipment.