Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

dot1x on College Campus

We've recently installed a ClearPass system on a college campus and are set up to do dot1x authentication for students.

But we're receiving a lot of negative feedback about the complexity of configuring Windows clients.

Is there an easy (or easier) way to do this? What are other schools doing?

Thanks,

Tony

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: dot1x on College Campus

I'm guessing that these are non-domain devices?

You could use EAP-TLS with ClearPass Onboard or QuickConnect to help provision your wireless devices.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: dot1x on College Campus

Hi Victor:

Currently I'm running EAP-PEAP and authenticating via AD.

The user's group membership (staff vs. student) and type of device (AD member / non-AD member) determine what VLAN and profile they get.

Can QuickConnect be used in this environment? How would it work from the user's standpoint?

Thanks,

Tony

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: dot1x on College Campus

Yes. This is exactly what QuickConnect is for.

Also, these complexities go away with Windows 8.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: dot1x on College Campus

> Also, these complexities go away with Windows 8.

Oh really? That's good to know.

Are the Win 8 defaults conducive to this setup, or is it employing any smart logic?

Thanks

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: dot1x on College Campus

[ Edited ]

The "issue" with Windows 7 and earlier is that it tries to machine authenticate first, which is actually normal behavior in a corporate-owned device environment. It also attempts to use Windows credentials by default. The other piece is that the server certificate dialog box is not well worded, so people often click Terminate instead of Connect.

In Win 8, user authentication is attempted first and the "use Windows account" option is not enabled by default. They've also cleaned up the server verification box to make it clear to the end user.

It sounds like QuickConnect would be perfect for your environment. Onboard is overkill for students in a university environment but is perfect for faculty/staff personal devices.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
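
The three client behaviours described in the post above can be checked in a profile exported with `netsh wlan export profile`. This is an added example, not part of the thread and not Aruba's QuickConnect code; the sample profile and the SSID name `CampusSecure` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of a Windows WLAN profile (PEAP/MSCHAPv2) set the
# way the thread describes Windows 7 behaving. The SSID name is made up.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>CampusSecure</name>
 <MSM><security>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machineOrUser</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
       <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
       <ServerNames></ServerNames>
      </ServerValidation>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type>
       <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
       </EapType></Eap>
     </EapType></Eap>
   </Config></EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""

def text_of(root, local_name):
    """Return stripped text of the first element with this local name, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None

def audit_profile(xml_text):
    """Return findings for the client settings that trip up personal (non-domain) devices."""
    root = ET.fromstring(xml_text)
    findings = []
    if text_of(root, "authMode") != "user":  # absent means machineOrUser
        findings.append("authMode is not 'user': machine authentication may be tried first")
    if text_of(root, "UseWinLogonCredentials") == "true":
        findings.append("UseWinLogonCredentials is true: Windows logon credentials are sent automatically")
    if not text_of(root, "ServerNames"):
        findings.append("ServerNames is empty: the user has to judge the server certificate prompt")
    if text_of(root, "TrustedRootCA") is None:
        findings.append("no TrustedRootCA set for server validation")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("-", finding)
```
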