Higher Education

New Contributor
Posts: 7
Registered: ‎07-28-2011
Non dot1x capable devices

We currently have two SSIDs broadcast throughout campus, our corporate dot1x SSID which does role assignments based on RADIUS attributes, and our guest wpa2-psk SSID which gets routed out our guest network.  I'd prefer not to put students on the guest network for their non-dot1x capable devices, so I wanted to see how other schools are handling this.

 

We are seeing more and more non-dot1x capable devices that students are bringing on to campus, from portable (and fixed) gaming devices to video playback (Roku for now, but I'm assuming that Chromecast is also not capable of dot1x authentication). 

 

Those fixed devices with USB ports, we had an unpopular, but easy answer for, purchase a USB dongle.  However, devices like Roku set top boxes aren't quite as easy, there's no ethernet port, no usb port.  At this point I also don't want to broadcast another SSID and do MAC authentication, so I'm wondering - is there a better free option?

 

Are there any other schools who have struggled, or are struggling with this issue?

Aruba
Posts: 1,643
Registered: ‎04-13-2009
Re: Non dot1x capable devices

Is there a reason you don't want to put them on the existing PSK network?  Is it technical or just the perception of putting them on a "Guest" SSID?    The schools I have seen as of late seem to be going towards a "Secure" and "Unsecure" network setup.   Unsecure includes visitors as well as game consoles.    In your case, I'd personally rather put them on the existing PSK network than have another SSID advertised.  You can use fingerprinting to put them in different roles if that is what is holding you back.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 140
Registered: ‎05-12-2010
Re: Non dot1x capable devices

Why use a PSK network at all?

Here at Liberty University, we currently have

1. dot1x SSID (Liberty-Secure),

2. open SSID (Liberty-Wireless) used for

    a. onboarding with Cloudpath XpressConnect,

    b. MAC registering non-dot1x devices using CloudPath Policy Manager API, and

    c. permitting registered non-dot1x devices. We block our web site & Blackboard to encourage using dot1x, if possible

3. open Guest SSID (Liberty-Guest) that is bandwidth limited & tunneled to a DMZ for Internet access only.

 

We plan on implementing ClearPass Guest when we get our ClearPass Policy Manager infrastructure upgraded to CPPM6.

Bruce Osborne - Wireless Engineer
ACCP
Guru Elite
Posts: 8,335
Registered: ‎09-08-2010
Re: Non dot1x capable devices
[ Edited ]

kjacobs,

 

Do you use ClearPass?

 

We are in the process of consolidating 5 SSIDs (brandeis_secure, brandeis_voice, brandeis_open, brandeis_guest, and eduroam) down to 2 SSIDs, eduroam and OpenWiFi-Brandeis.

 

We are using ClearPass to derive roles based on the context of the user and their device. OpenWiFi-Brandeis is able to serve guests, game/media systems, and other non-1x devices on the same SSID while also providing QuickConnect to configure devices for eduroam. This is all part of a project to get rid of our homegrown network registration system and completely utilize ClearPass.

 

Here are a few snippets/examples:

[Screenshots attached to the original post: cp-open-aa.PNG, cp-open-a.PNG, cp-open-b.PNG, cp-open-c.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 7
Registered: ‎07-28-2011
Re: Non dot1x capable devices

We could go with an open guest network, that would be fine as well.  On your open Liberty-Wireless SSID, does the onboarding page that is hit present the option of registering another device, or does the non-dot1x device need to have a web browser?

 

Regarding allowing students on our PSK network, I'd be fine putting the non-dot1x devices there, we do posture checking (Bradford NAC) right now on our students, staff, and faculty and I'd like to enforce this as much as possible.  In large part, we haven't had a problem with students registering - and I also want to allow guests to get to some college resources.  

 

I could see switching from a psk network to an open network for guests, but it doesn't eliminate the desire to have students on the primary SSID.  I think looking at our guest network design is the best place to start and redesigning from there.  I've only looked at Bradford to this point to manage our dot1x network, hopefully we can utilize something there to help with combining a few of these roles on our guest network.

 

Thanks for the input!

New Contributor
Posts: 7
Registered: ‎07-28-2011
Re: Non dot1x capable devices

Tim, thanks for your post!  We currently do not use ClearPass.  I'm hoping we can do a PoC at some point during the year and maybe budget for it next year.  Everything that I've seen with ClearPass has looked great, it is far more capable than our current MS NPS/Bradford combination.

 

Seeing some of your role derivation for your open network, that looks incredibly powerful.  Do you use ClearPass for posture checks as well or just onboard/guest/policy?

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010
Re: Non dot1x capable devices

We currently do not do any posture checking on any of our networks. We are using the Policy Manager, Guest and QuickConnect features. We do not onboard any devices.

 

The role derivation features of ClearPass are incredible! We've been very impressed by the product.

 

Tim


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 140
Registered: ‎05-12-2010
Re: Non dot1x capable devices

Both.

 

The onboarding portal initially has 2 options. For a Windows machine:

 

1. Connect this Windows computer

 

2. Connect another Device

 

Also, if a user with a registered device on the open SSID tries to go to Blackboard or our web site, they get a web page redirecting them to onboard with Cloudpath XpressConnect.

 

We moved away from Bradford NAC to using just ClearPass Policy Manager as our RADIUS server & MAC Registration server. In my testing Bradford did not handle dot1x very well. It just passed the information from the RADIUS server to the controller or switch. You could not effectively use the RADIUS attributes in Bradford.

 

Our guests get the same access to our resources as an external user does. (Blackboard, website, webmail, etc.)

Bruce Osborne - Wireless Engineer
ACCP
Contributor II
Posts: 140
Registered: ‎01-04-2012
Re: Non dot1x capable devices

Hello Everyone,

 

I manage the Wireless Infrastructure for Nova Southeastern University in Florida. We currently have 2 SSIDs. One secure using 802.1x and 1 open for guest access with captive portal. We recently bought ClearPass Policy Manager to streamline the onboarding process for our staff, students, vendors, etc. ClearPass Policy Manager allowed me to have 1 SSID for 802.1x that queries Active Directory and assigns different Roles to staff and students. Now I am working on configuring the Guest Solution. How do you guys connect vendors to the secure wireless? Sometimes, vendors come to do a presentation and they need access to the data center and internal servers so currently I have a mac registration portal where I can register them and provide them a role to access internal resources. I am trying to figure out if the ClearPass Guest solution can help me accommodate vendors, guest users, and non-802.1x devices on the same SSID? Any ideas or suggestions?

 

Thank you,

Nils

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010
Re: Non dot1x capable devices

You can create different CP guest roles and then use those roles in an enforcement profile to return a more privileged role to the controller.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
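The thread describes the same design from several angles: one open SSID that serves guests, MAC-registered game/media devices and sponsored vendors, with the RADIUS server deriving a role from who the user is and what the device is (Tim's "role derivation" post), registered non-dot1x devices landing in a restricted role that keeps Blackboard and the web site blocked (Bruce's post), and guest accounts carrying a role that an enforcement profile returns to the controller (Tim's last reply). The following is an added illustration written for this page, not ClearPass, Bradford or any vendor's code, of what such a decision table looks like when written out as a small policy engine. The SSID names, role names, fingerprint categories, MAC registrations and guest accounts are all constructed for the example; the one real identifier is the Aruba-User-Role vendor-specific attribute (vendor ID 14823, attribute 1) used to hand the role to the controller.

```python
from dataclasses import dataclass
from typing import Optional

# Aruba vendor-specific RADIUS attribute that carries the user role to the
# controller: vendor ID 14823, attribute 1 (Aruba-User-Role).
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE_ATTR = 1

# Fingerprint categories treated as "game/media systems". Constructed labels,
# not a fingerprinting product's own category names.
MEDIA_CATEGORIES = {"game-console", "media-player"}


@dataclass
class AccessRequest:
    ssid: str
    auth_method: str                  # "dot1x", "mac" or "captive-portal"
    mac: str
    device_category: str = "unknown"  # what device fingerprinting reported
    username: Optional[str] = None    # 802.1X identity or guest account name


@dataclass
class PolicyData:
    secure_ssid: str
    open_ssid: str
    registered_macs: dict   # canonical MAC -> owner (the MAC registration database)
    guest_accounts: dict    # guest username -> role granted to that account


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so lookups do not depend on separator style or case."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def derive_role(req: AccessRequest, policy: PolicyData) -> str:
    """Return the role for one request; anything unmatched falls to the portal role."""
    mac = normalise_mac(req.mac)

    if req.ssid == policy.secure_ssid and req.auth_method == "dot1x" and req.username:
        # A real deployment would map directory groups to staff/student roles here.
        return "dot1x-user"

    if req.ssid != policy.open_ssid:
        return "deny"  # unknown SSID: fail closed rather than guess a role

    if req.auth_method == "mac" and mac in policy.registered_macs:
        # Registered non-802.1X device. Media devices get their own role; other
        # registered devices get a restricted role (the kind that keeps the
        # LMS and main web site blocked so users move to 802.1X where they can).
        if req.device_category in MEDIA_CATEGORIES:
            return "media-device"
        return "registered-device"

    if req.auth_method == "captive-portal" and req.username in policy.guest_accounts:
        # A sponsored guest account carries its own role, so a vendor can be
        # given more privilege than a visitor without a separate SSID.
        return policy.guest_accounts[req.username]

    # Unregistered and unauthenticated: captive-portal-only role used to
    # register a device or onboard for 802.1X.
    return "guest-logon"


def enforcement_profile(role: str) -> dict:
    """Build the RADIUS reply that returns the derived role to the controller."""
    if role == "deny":
        return {"code": "Access-Reject", "attributes": {}}
    return {
        "code": "Access-Accept",
        "attributes": {
            "Aruba-User-Role": {
                "vendor_id": ARUBA_VENDOR_ID,
                "attribute": ARUBA_USER_ROLE_ATTR,
                "value": role,
            }
        },
    }


def evaluate(req: AccessRequest, policy: PolicyData) -> dict:
    return enforcement_profile(derive_role(req, policy))


# Constructed sample data: two registered devices and two guest accounts.
SAMPLE_POLICY = PolicyData(
    secure_ssid="campus-secure",
    open_ssid="campus-open",
    registered_macs={
        normalise_mac("00-11-22-33-44-55"): "student1",  # set-top box, no supplicant
        normalise_mac("aa:bb:cc:dd:ee:ff"): "student2",  # laptop registered by MAC
    },
    guest_accounts={"vendor.acme": "vendor-internal", "visitor42": "guest"},
)

if __name__ == "__main__":
    for req in (
        AccessRequest("campus-open", "mac", "0011.2233.4455", "media-player"),
        AccessRequest("campus-open", "mac", "AA:BB:CC:DD:EE:FF"),
        AccessRequest("campus-open", "captive-portal", "de:ad:be:ef:00:02", username="vendor.acme"),
        AccessRequest("campus-open", "mac", "de:ad:be:ef:00:01"),
    ):
        print(req.mac, "->", evaluate(req, SAMPLE_POLICY)["code"], derive_role(req, SAMPLE_POLICY))
```

The order of the checks is the policy: a MAC hit only matters on the open SSID, a guest account only matters after a captive-portal login, and anything that does not match ends in the portal role rather than in an accidental grant. Keeping the decision in one function also makes the "why did this device get that role" question answerable from logs, which is the part of a homegrown registration system that tends to get lost.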