12-10-2014 05:05 AM
We use freeradius and AD for eduroam with a mac-auth fall-back that presently works seamlessly on our wired ports through the switched estate. I want to be able to replicate this in Wi-Fi for devices that are incapable of doing 802.1x but without creating another SSID. Essentially I want devices to be authorised over Wi-Fi using the eduroam SSID only. Is this possible, and if so, how?
12-10-2014 05:21 AM
12-10-2014 05:55 AM
I know of institutions and businesses that are moving towards a single SSID for all device types and users based on an 802.1x network. How will they get around this inevitability if the controller cannot meet these business policies and objectives?
Perhaps it's slightly more complicated with Wi-Fi where the SSID only exists in one state whereas a switch has capability for 3-4 states so far as 802.1x is concerned but still...
12-10-2014 06:02 AM
I don't know of anyone authenticating consumer, non-1X devices on a 1X network.
It is not feasible to go down to a single 802.1X SSID. You will always need one 802.1X network and one open/PSK network if you plan to support guests and "dumb" devices.
12-10-2014 12:50 PM
Most will adjust their "business policies and objectives" to prevent consumer crap from being allowed to use wifi, I believe. Even were 11u to allow a mixed 1x/PSK environment, if the device can't do 1x, the odds of it doing 11u are pretty bleak, and if you allow a device to talk open, then everything that talks to it is talking in the clear.