06-03-2014 11:10 AM
Right now I'm running 4 SSIDs, 2 with WPA-PSK for owned devices and 2 open with web authentication against an older ClearPass server for guest and personal. I was asked why we aren't doing 802.1X, and my short answer was "it's too complicated." Still, it's the "right" way to do it, as right now I have to do things like have a different SSID for sysadmins because the firewall role for the primary SSID prevents access to certain parts of our infrastructure. Also, we have a key floating around that could get out, and then we've lost control of it and have to reset and reconfigure a whole lot of stuff.
The problem is, I can't come up with an easy way of transitioning, because of several factors:
- We're a Novell house, so we don't have AD accounts for machine authentication, but I want to keep personal devices restricted to the tighter-firewalled personal SSID, leaving the main SSID for validated devices.
- We're a mix of Windows 7, Mac OS, iOS devices and mobile Linux-based Citrix thin clients. All support various 802.1X implementations, but consistency among them isn't great.
- We need it to "just work" to the end users exactly like it would if we pre-loaded the key. We can't deal with multiple authentications or "it only works if you log in like this" type things.
So, the issue really is that I can't come up with a neat way of resolving all this. Perhaps EAP-TLS to lock out personal devices? Has anyone tackled this particular combination of hurdles and gotten it working properly?
06-03-2014 11:21 AM - edited 06-03-2014 11:22 AM
ClearPass Onboard sounds like it can help. You or your users can deploy certificates on all kinds of devices and use those for authentication. Based on the device type, you can send devices to different VLANs or use roles.
Have a look at the data sheet:
Your local SE can probably help out with more info and possibly a demo.
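To make the certificate-based approach from the reply concrete (and the EAP-TLS idea in the original question), here is an added example that is not from the thread and not ClearPass configuration. It builds a throwaway lab CA standing in for an onboarding CA, issues device certificates that carry the device type in the subject OU, and then makes the decision an EAP-TLS RADIUS server would make: a certificate that does not chain to the onboarding CA is rejected outright, and a trusted one is mapped from its OU to a firewall role. The CA names, device names, OU values and role names are all constructed for the example; it assumes only the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): lab CA + device certs + EAP-TLS-style
# authorization decision. Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. "onboard" plays the onboarding CA the RADIUS server
# trusts; any other CA stands in for certificates we did not issue.
make_ca() {
  ca="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" \
    -subj "/CN=$ca lab CA" >/dev/null 2>&1
}

# Issue a device certificate from CA $1 for device $2, recording the device
# type (constructed values: corporate, sysadmin, personal) in the OU.
issue_device_cert() {
  ca="$1"; name="$2"; ou="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$name/OU=$ou" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -days 1 -sha256 \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Policy step: first verify the chain against the onboarding CA only; a
# certificate from anywhere else fails EAP-TLS and gets no network at all.
# Then map the OU to a role (hypothetical role names). Unknown types fall
# through to the most restricted role rather than the most permissive one.
authorize() {
  cert="$WORK/$1.crt"
  if ! openssl verify -CAfile "$WORK/onboard.crt" "$cert" >/dev/null 2>&1; then
    echo "reject"
    return 0
  fi
  ou=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*OU=\([^,]*\).*/\1/p')
  case "$ou" in
    corporate) echo "employee-full" ;;
    sysadmin)  echo "sysadmin-infra" ;;
    personal)  echo "byod-restricted" ;;
    *)         echo "byod-restricted" ;;
  esac
}

# Stand-alone demo: one trusted CA, one foreign CA, three devices.
demo() {
  make_ca onboard
  make_ca other
  issue_device_cert onboard laptop01 corporate
  issue_device_cert onboard phone07 personal
  issue_device_cert other  unmanaged01 corporate
  for dev in laptop01 phone07 unmanaged01; do
    printf '%s -> %s\n' "$dev" "$(authorize "$dev")"
  done
}

demo
```

The point the script makes is the one the reply relies on: once devices present certificates, the decision of which SSID role a device lands in moves from "who knows the PSK" to "which CA signed this certificate and what does it say about the device," so the sysadmin SSID and the personal SSID can collapse into roles behind a single 802.1X SSID. Note that the OU in the unmanaged device's certificate claims to be corporate and it still gets rejected, because the chain check runs before the attribute is ever read.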