Higher Education

I have inhertied an Aruba environment  (7210 Controller, Mobility Switches, Airwave, and ClearPass) Currently we have our students join their consoles to our "Guest" network. However, I am working on creating a captive portal for the Guest network with a EULA. We do not currently leverage the abilities of our ClearPass to put devices into roles. Currently we only put people in VLANs based on their AD (we have two Domains, a student and a staff).  We have about 600 daily users average of about 1100 clients connected (phones included)

Really I am just curious what others in the industry have done and want to make sure what I think will work is not the complete wrong direction.

My Thoughts are having students join their consoles to the same network that they connect to on their laptops. Using Clearpass to put their different devices into roles. We would like for students to have to register (MACtrack?) their devices. 

We would also like this to extend to the ports on the AP-93Hs we have in their apartments. 

We are a smaller private university and how we currently handle game consoles is via mac-based authentication. We have a standard captive portal for users on mobile devices (laptops, tablets, cell phones, etc.) login via web browser. Your situation may be different, but we don't have Clearpass and just use the Aruba controller. We use the Internal DB to manually register individual consoles by MAC Address and under an authenticated role.(most we've had registered is less than 30 so far). Best of luck to you!

We encourage students to use the wired connection because the consoles do not support WPA2-Enterprise/802.1x.  The reason we mandate that they plugin is that our open network is restricted to external only traffic over ports 80 and 443.  The issue with that is that it restricts them from playing games online.

We aren’t running Clearpass but our NAC autodiscovers the device type and sets it into an authenticated role and assigns the proper vlans.  What we did in the past for MACtracking was a page where they would manually input the info for their device.

MacTrack is a good way to go especially if users are already CP guest for other features (airgroups)  you can also use device fingerprinting and send devices that match that profile out a different vlan. Xbox360s do not play well on a NATed network so giving them public IPs from a IP pool is the best way to make sure they work properly, the only other alternative is UPnP which you would not really want on any network except the xbox one because of its terrible terrible security concerns. The 93h wired ports should work just the same as wifi for MacTrack and device fingerprinting.

We are currently using a hybrid ClearPass and home-grown network registration solution with the goal of removing the netreg piece for this upcoming fall. All users will register "non-browser", non WPA2-E capable devices in ClearPass guest and the appropriate role will be assigned when they connect them to our open network.

Right now we are populating the ClearPass database with entries from the old Netreg system as they MAC-AUTH. The second time they MAC-AUTH, the request is handled internally in ClearPass.

Here's a snippet of my massive open MAC-AUTH enforcement. Enter at your own risk :)

And for after you finish deciphering:

http://www.amazon.com/Tylenol-Extra-Strength-Acetaminophen-Caplets/dp/B003BDUBRA/ref=sr_1_2?ie=UTF8&qid=1393631480&sr=8-2&keywords=tylenol

So do you have an SSID that is just meant to self register MACs? That's a portion of this that I have a big question mark over because I'm not really sure what the best practices way to handle it is. 

Also. I do not believe that tylenol will ever cure the headache I have now. While trying to put together what was happening there, my mind was outside on what I'd need to do for my own implementation and I don't think my head has a heatsink large enough. We have some definite overheating. 

Our open network uses MAC authentication. Any user that has a registered device can connect to open although most devices get redirected to an information page telling them go use eduroam. Game systems, media players and other non-browser devices automatically get put in the appropriate role.

This summer we will be merging open and guest into one SSID.

Oh Yea I remember previously reading a thread that you had posted about your setup. 

I have the ability to completely redesign the way our wireless works so I am trying to make sure I am following what is considered the "Best Practices" 

We use 2 ssid's for our entire campus here, the main one and a guest ssid.  For gaming we use Clearpass, the mac track portal that's built into it with device fingerprinting, and that will get the device dropped into the proper roll.  It's clean, user self serviced, and works well.  My only complaint is that it's not easy customized to keep the look and feel the same as the main registration pages.

Scott Wolke

Network Engineer

The University of Findlay

Question: is your guest SSID a captive portal via clearpass? 

Yes it is.

Ours is as well.