on 11-11-2013 01:28 PM
I am currently testing the ClearPass solution to see if we can move it into production. I was wondering how others in the education industry are onboarding non-802.1X devices such as game consoles, printers, Apple TVs, wireless thermostats, Wi-Fi phones, etc. Currently, I have the following 3 SSIDs:
1. Onboard SSID: This will allow me to distribute the certificates and onboard non domain computers and users.
2. Secure 802.1x SSID: This will allow me to connect students and staff using different roles based on AD credentials.
3. Guest SSID: This will allow me to accommodate guest users on campus.
4. MAC auth SSID: ?
Now, how do you onboard the non-802.1X devices? I wanted an alternative to creating a MAC auth SSID. My concern was that students could register MAC addresses by calling the help desk or via a portal and associate 802.1X-capable devices or extra laptops, bypassing the secure SSID. I can assign a different role and block Blackboard in the MAC auth SSID to force students to the secure SSID. However, this requires us to constantly monitor what sites we should allow or not. More IT work. I am trying to simplify the work done by the help desk and provide a great user experience when using the wireless. How many SSIDs are you using on campus?
Any suggestions? :)
11-11-2013 01:56 PM - edited 11-11-2013 02:02 PM
We haven't quite rolled the entire change into production, but we are moving from:
brandeis_secure, brandeis_guest, brandeis_open, brandeis_voice, and eduroam
to: eduroam and openwifi-brandeis (it sounds ridiculous but it's to keep the Apple devices from connecting alphabetically :) )
The eduroam network is for anyone with @brandeis.edu credentials or visitors from other eduroam institutions that have a WPA2-Enterprise capable device.
openwifi-brandeis is for devices that do not support WPA2-Enterprise and guest access.
When a user connects to openwifi-brandeis for the first time, they are redirected to a page asking if they are a Brandeis user or a guest of the University. Guests proceed to the normal CP Guest registration process. Brandeis users are sent to QuickConnect.
The QuickConnect page guides users to download the quick setup utility or proceed to our Netreg to register game systems and other media devices. (we are currently working on moving this registration process to ClearPass using the MACTrack functionality and AirGroup).
Once a media-type device is registered, the captive portal is bypassed the next time they connect and they go into the appropriate role. Once a user successfully connects to eduroam, they are then effectively blocked from using open and receive a redirect loop if they try to connect.
There's really no need to have more than 2 SSIDs these days. You should design them based on encryption capabilities and not so much roles. A lot of magic can be done on the back end to take care of roles.
on 11-12-2013 05:20 AM
Here's our friendly, GET OFF OPEN! screen :).
The way it works is whenever a device successfully connects to either brandeis_secure or eduroam, their endpoint record is tagged with an attribute we called "AUTHED-VIA-1X". Then at the top of the brandeis_open enforcement profile, right under malware/legal checks, we have a rule that says if AUTHED-VIA-1X = true, then return OPEN-INFO-ROLE-B back to the controller. OPEN-INFO-ROLE-B is just a standard user-role with a captive portal attached but no authentication mechanisms enabled.
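A small model of the enforcement logic described in this post (endpoint tagged on 802.1X success, then a top-down rule list evaluated when the same device shows up on the open SSID) and of the media-device registration bypass from the earlier post. This is an added Python example, not ClearPass configuration or Aruba code: the attribute name AUTHED-VIA-1X and the role OPEN-INFO-ROLE-B come from the post, while the other attribute names, role names and the rule functions are assumptions made for illustration.

```python
"""Constructed model of an open-SSID enforcement profile.

Endpoint records live in a plain dict keyed by MAC address; nothing here
talks to a real ClearPass server.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

@dataclass
class Endpoint:
    mac: str
    attributes: Dict[str, object] = field(default_factory=dict)

# In-memory stand-in for the endpoint database (assumption).
ENDPOINTS: Dict[str, Endpoint] = {}

def endpoint_for(mac: str) -> Endpoint:
    """Fetch or create the endpoint record for a MAC (normalised to lower case)."""
    key = mac.lower()
    return ENDPOINTS.setdefault(key, Endpoint(key))

def on_secure_auth_success(mac: str) -> None:
    """Hook run after a successful 802.1X auth on the secure/eduroam SSID:
    tag the endpoint so the open-SSID policy can recognise it later."""
    endpoint_for(mac).attributes["AUTHED-VIA-1X"] = True

def register_media_device(mac: str, device_type: str) -> None:
    """Netreg-style registration of a game console or other media device
    (attribute name 'Media-Device' is an assumption)."""
    endpoint_for(mac).attributes["Media-Device"] = device_type

# Each rule returns a role name or None. The list is evaluated top down and
# the first hit wins, mirroring how the post orders the legal/malware checks
# above the AUTHED-VIA-1X rule.
Rule = Callable[[Endpoint], Optional[str]]

def rule_legal_hold(ep: Endpoint) -> Optional[str]:
    # Placeholder for the malware/legal checks at the top of the profile.
    return "QUARANTINE-ROLE" if ep.attributes.get("Blocked") else None

def rule_authed_via_1x(ep: Endpoint) -> Optional[str]:
    # Devices known to work on 802.1X get the captive-portal-only info role.
    return "OPEN-INFO-ROLE-B" if ep.attributes.get("AUTHED-VIA-1X") else None

def rule_media_device(ep: Endpoint) -> Optional[str]:
    # Registered media devices skip the portal and land in their own role.
    return "MEDIA-DEVICE-ROLE" if "Media-Device" in ep.attributes else None

OPEN_ENFORCEMENT: list = [rule_legal_hold, rule_authed_via_1x, rule_media_device]
DEFAULT_ROLE = "OPEN-CAPTIVE-PORTAL-ROLE"  # unknown device: normal portal flow

def open_ssid_role(mac: str) -> str:
    """Return the role the controller would receive for a device joining open."""
    ep = endpoint_for(mac)
    for rule in OPEN_ENFORCEMENT:
        role = rule(ep)
        if role is not None:
            return role
    return DEFAULT_ROLE

if __name__ == "__main__":
    # Constructed sample MACs.
    on_secure_auth_success("AA:BB:CC:00:00:01")          # a student laptop
    register_media_device("AA:BB:CC:00:00:02", "console")
    for mac in ("AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:03"):
        print(mac, "->", open_ssid_role(mac))
```

Because the AUTHED-VIA-1X rule sits above the media-device rule, a laptop that has ever authenticated on the secure SSID keeps landing in OPEN-INFO-ROLE-B even if someone later registers its MAC as a media device, which is the behaviour the original poster was worried about losing with a plain MAC-auth SSID.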
on 12-15-2013 05:54 AM
Tim, just out of curiosity, how much BW do you need on your university internet to handle all the students playing and downloading things hahaha
I believe you limit the BW for each application, but still... the number of students is ridiculous!
There aren't universities with dorms in our country, and our universities don't come even close to the number of students the universities in the US have!
For example, there is a high school we are attending which has around 100 Mb of Internet connection, and it is just a 1000-student school :)
Product Manager - Aruba Networks
on 12-15-2013 08:21 AM
We have about 1.5G of commodity internet access along with connections to the Boston GigaPOP and Internet2.
The Boston GigaPOP has multiple caches including Netflix and Google.
We do not limit bandwidth and at peak (around 1 AM) we use about 75% of our total available bandwidth.
on 12-15-2013 08:32 AM
Really, not even torrents? Won't all the students downloading torrents like crazy cap all your 1.5 gigs?
I remember when I used to work at an ISP I could take 1.2 gigs myself and that's just with torrents :P I mean just one user.
Product Manager - Aruba Networks
on 12-15-2013 08:35 AM
on 12-16-2013 07:11 AM
Yes, they register them in our registration system as a media device and then connect them to open.
Next fall, we'd like to move them to eduroam using a configuration profile that would be installed at the help desk at the beginning of the year.