Right now I'm running 4 SSIDs: 2 with WPA-PSK for owned devices and 2 open with web authentication against an older ClearPass server for guest and personal. I was asked why we aren't doing 802.1X, and my short answer was "it's too complicated." Still, it's the "right" way to do it, as right now I have to do things like have a different SSID for sysadmins, because the firewall role for the primary SSID prevents access to certain parts of our infrastructure. Also, we have a key floating around that could get out, and then we've lost control of it and have to reset and reconfigure a whole lot of stuff.
The problem is, I can't come up with an easy way of transitioning, because of several factors:
- We're a Novell house, so we don't have AD accounts for machine authentication, but I want to keep personal devices restricted to the tighter-firewalled personal SSID, leaving the main SSID for validated devices.
- We're a mix of Windows 7, Mac OS, iOS devices and mobile Linux-based Citrix thin clients. All support various 802.1X implementations, but consistency among them isn't great.
- We need it to "just work" to the end users exactly like it would if we pre-loaded the key. We can't deal with multiple authentications or "it only works if you log in like this" type things.
So, the issue really is I can't come up with a neat way of resolving all this. Perhaps EAP-TLS to lock out personal devices? Anyone tackle this particular combination of hurdles and get it working properly?
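The "EAP-TLS to lock out personal devices" idea in the post comes down to one check the RADIUS server makes: does the client certificate chain to a CA that only IT controls? The script below is an added example, not something from the original post or from ClearPass; it uses the openssl CLI to build a throwaway internal CA, issue a certificate to an "owned" device, create a self-signed certificate for a "personal" device with the same name, and run the chain check each would face. All names, paths and the `eap_tls_admit` helper are made up for illustration.

```shell
#!/bin/sh
# Added example: models the certificate-chain check behind EAP-TLS.
# Assumes the openssl CLI is installed; every name and path here is invented.
set -e
WORK="$(mktemp -d)"

# Internal CA that only IT holds the key for (stands in for the org PKI).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Corp Device CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Owned device: key generated on the device, CSR signed by the internal CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop-0042" \
  -keyout "$WORK/owned.key" -out "$WORK/owned.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/owned.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/owned.crt" >/dev/null 2>&1

# Personal device: identical subject name, but self-signed. Without the CA
# key the owner cannot produce a chain the server will accept.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=laptop-0042" \
  -keyout "$WORK/personal.key" -out "$WORK/personal.crt" >/dev/null 2>&1

# The EAP-TLS gate: exit 0 if the cert chains to the internal CA, 1 if not.
# A real RADIUS server also checks expiry and revocation; those are omitted.
eap_tls_admit() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

for dev in owned personal; do
  if eap_tls_admit "$WORK/$dev.crt"; then
    echo "$dev: admitted to main SSID"
  else
    echo "$dev: rejected, personal SSID only"
  fi
done
```

The point the run makes: the subject name is worthless as a gate, because anyone can mint a cert saying `laptop-0042`, while the chain check cannot be passed without a cert issued by the CA key. That is also why EAP-TLS needs no directory account for the machine, which matters in a non-AD shop; what it does need is a way to get a CA-issued cert onto every owned Windows, Mac, iOS and thin-client device and nowhere else.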