Higher Education

Contributor II

How to authenticate non 802.1x devices?

Hello,

 

I am currently testing the ClearPass solution to see if we can move it into production. I was wondering how others in the education industry are onboarding non-802.1X devices such as game consoles, printers, Apple TVs, wireless thermostats, Wi-Fi phones, etc. Currently, I have the following 3 SSIDs:

 

1. Onboard SSID: This will allow me to distribute the certificates and onboard non domain computers and users. 

2. Secure 802.1x SSID: This will allow me to connect students and staff using different roles based on AD credentials. 

3. Guest SSID: This will allow me to accommodate guest users on campus. 

4. MAC auth SSID: ? 

 

Now, how do you onboard the non-802.1X devices? I wanted an alternative to creating a MAC auth SSID. My concern was that students can register MAC addresses by calling the help desk or via a portal and associate 802.1X-capable devices or extra laptops, bypassing the secure SSID. I can assign a different role and block Blackboard in the MAC auth SSID to force students to the secure SSID. However, this requires us to constantly monitor what sites we should allow or not. More IT-related work. I am trying to simplify the work done by the help desk and provide a great user experience when using the wireless. How many SSIDs are you using on campus? 

 

Any suggestion :)

 

Thank you

Nils. 

8 REPLIES
Guru Elite

Re: How to authenticate non 802.1x devices?

We haven't quite rolled the entire change into production, but we are moving from:

brandeis_secure, brandeis_guest, brandeis_open, brandeis_voice, and eduroam

 

to: eduroam and openwifi-brandeis (it sounds ridiculous but it's to keep the Apple devices from connecting alphabetically :) )

 

The eduroam network is for anyone with @brandeis.edu credentials or visitors from other eduroam institutions that have a WPA2-Enterprise capable device.

 

openwifi-brandeis is for devices that do not support WPA2-Enterprise and guest access.

 

When a user connects to openwifi-brandeis for the first time, they are redirected to a page asking if they are a Brandeis user or a guest of the University. Guests proceed to the normal CP Guest registration process. Brandeis users are sent to QuickConnect. 

 

The QuickConnect page guides users to download the quick setup utility or proceed to our Netreg to register game systems and other media devices. (we are currently working on moving this registration process to ClearPass using the MACTrack functionality and AirGroup).

 

Once a media-type device is registered, the captive portal is bypassed the next time they connect and they go into the appropriate role. Once a user successfully connects to eduroam, they are then effectively blocked from using open and receive a redirect loop if they try to connect.

 

There's really no need to have more than 2 SSIDs these days. You should design them based on encryption capabilities and not so much roles. A lot of magic can be done on the back end to take care of roles.

 

cp-open-aa.PNG

 

cp-open-c.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: How to authenticate non 802.1x devices?

Here's our friendly, GET OFF OPEN! screen :).

 

The way it works is whenever a device successfully connects to either brandeis_secure or eduroam, their endpoint record is tagged with an attribute we called "AUTHED-VIA-1X". Then at the top of the brandeis_open enforcement profile, right under malware/legal checks, we have a rule that says if AUTHED-VIA-1X = true, then return OPEN-INFO-ROLE-B back to the controller. OPEN-INFO-ROLE-B is just a standard user-role with a captive portal attached but no authentication mechanisms enabled.

 

deis-open.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
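
The rule ordering described in the post above, modelled as an added Python example (not part of the thread and not ClearPass configuration). `AUTHED-VIA-1X` and `OPEN-INFO-ROLE-B` come from the post; the store class, the `blocked` and `registered-media` attribute keys, and the other role names are hypothetical.

```python
# Added illustration; not ClearPass configuration or code from the thread.
# AUTHED-VIA-1X and OPEN-INFO-ROLE-B come from the post; other names are hypothetical.
from dataclasses import dataclass, field

SECURE_SSIDS = {"eduroam", "brandeis_secure"}

@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)

class EndpointStore:
    """Endpoint records keyed by normalized MAC address."""
    def __init__(self):
        self._by_mac = {}

    @staticmethod
    def normalize(mac):
        # Accept aa:bb.., AA-BB.., aabb.ccdd.eeff; key on 12 lowercase hex digits.
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        return digits

    def get(self, mac):
        key = self.normalize(mac)
        return self._by_mac.setdefault(key, Endpoint(key))

def on_dot1x_success(store, mac, ssid):
    """Tag the endpoint once it has completed 802.1X on a secure SSID."""
    if ssid in SECURE_SSIDS:
        store.get(mac).attrs["AUTHED-VIA-1X"] = True

# First-match rules for the open SSID, in the order the post describes.
OPEN_RULES = [
    (lambda a: a.get("blocked"), "QUARANTINE-ROLE"),         # malware/legal checks
    (lambda a: a.get("AUTHED-VIA-1X"), "OPEN-INFO-ROLE-B"),  # info page, no login
    (lambda a: a.get("registered-media"), "MEDIA-DEVICE-ROLE"),
]

def open_ssid_role(store, mac):
    """Return the role sent back to the controller for a device on the open SSID."""
    attrs = store.get(mac).attrs
    for condition, role in OPEN_RULES:
        if condition(attrs):
            return role
    return "CAPTIVE-PORTAL-ROLE"  # unknown device: guest or QuickConnect choice
```

Because the `AUTHED-VIA-1X` rule sits above the registration rule, a laptop registered as a media device still lands in the information role once it has authenticated on a secure SSID.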

Re: How to authenticate non 802.1x devices?

Tim, just out of curiosity, how much BW do you need on your university internet to handle all the students playing and downloading things? hahaha


I believe you will limit the BW for each application, but still... the number of students I guess is ridiculous!

 

There aren't universities with dorms in our country, and our universities don't even come close to the number of students that the universities in the US have!

 

For example, there is a high school we are attending which has around 100mb of Internet connection; they are just a 1000-student school :)

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: How to authenticate non 802.1x devices?

We have about 1.5G of commodity internet access along with connections to the Boston GigaPOP and Internet2.


The Boston GigaPOP has multiple caches including Netflix and Google. 

 

We do not limit bandwidth and at peak (around 1 AM) we use about 75% of our total available bandwidth.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: How to authenticate non 802.1x devices?

Really, not even torrents? Won't all the students downloading torrents like crazy cap all your 1.5 gigs?

 

I remember when I used to work at an ISP I could take 1.2 gigs myself, and that's just with torrents  :P  I mean just one user.

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: How to authenticate non 802.1x devices?

They do torrent, but the only time we peak above 75% is during major software updates.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: How to authenticate non 802.1x devices?

I'm curious how you handle AppleTV devices.  Do you just instruct people to utilize the Open network to connect to these resources?

 

Thanks in advance!

Guru Elite

Re: How to authenticate non 802.1x devices?

Yes, they register them in our registration system as a media device and then connect them to open.

 

Next fall, we'd like to move them to eduroam using a configuration profile that would be installed at the help desk at the beginning of the year.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480