Higher Education


Top ClearPass features for the education vertical

  • 1.  Top ClearPass features for the education vertical

    Posted May 15, 2014 08:40 AM

    Hello

    I was wondering what would be your top 10 or top 5 features for the educational vertical for having ClearPass.

    If you had to tell another network admin of another university why they MUST get ClearPass, what would you tell them? What would be your top reasons?

    If there are money-saving reasons, that would be awesome as well :)

    Cheers

    Carlos



  • 2.  RE: Top ClearPass features for the education vertical

    Posted May 15, 2014 08:43 AM

    One of the things I would like to know is what issues you had before, not having ClearPass, and which of those issues you don't have anymore after having it.



  • 3.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted May 15, 2014 08:58 AM

    Profiling, visibility/troubleshooting, non-browser device registration



  • 4.  RE: Top ClearPass features for the education vertical

    Posted May 15, 2014 09:19 AM

    ClearPass is like a Swiss Army knife. It excels in all areas of AAA. Well worth the money spent. Wasn't as expensive as I thought it would be either (we use virtual).

    We use ours to handle BYOD, but it can do a lot more.

    Guests get redirected to a captive portal to accept TOS. They must accept every 24 hours. No login required, but the role applied gives them only basic internet access.

    Students and faculty get redirected to a captive portal to accept TOS. Logins are MAC-cached for 120 days. They have less restrictive access than guests, and more bandwidth.

    BYOD faculty and staff will be onboarded to a secure network very easily via captive portal -- we are in the process of configuring this.



  • 5.  RE: Top ClearPass features for the education vertical

    Posted May 15, 2014 09:20 AM

    It is a nice overlay that gives you more granular control. We are using it, and will use it, to solve 2 big issues for us.

    We are using the MAC-Cache feature to allow our guest users to have a more eduroam-like experience. The biggest complaint around the captive portal for our short-term participants was the need to continually log in on a mobile device. We can now offer them a more friendly approach where they only have to log in every 2 weeks: their MAC is cached, and provided they have passed user auth, that is it for 14 days; they automatically connect.

    They also love the self-registration feature, and it has taken a load off the helpdesk guys.

    We plan to offer a more desktop-like experience for our staff laptops: if the laptop has a domain account and the user passes their authentication as a member of the staff AD group, then we have permissioned the same access as they have for their desktop. If they log in on a non-university laptop, then they just get the standard staff wireless profile - all done through ClearPass policies.



  • 6.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 03:42 PM

    For student access, do you guys use ClearPass Guest with MAC caching more, or do you use Onboard? For universities?

    I'm looking to know if, for student access, I should offer an Onboard or a Guest license.

    It would be helpful to have some examples, like "I would use Guest because of this, this and this" or "I would use Onboard because of this, this and this".

    Cheers

    Carlos



  • 7.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 04, 2014 04:30 PM
    Just have students do PEAP (username/password). Then you only need base licenses.


  • 8.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 04:45 PM

    But then I would need to use QuickConnect as well, right?

    Cheers

    Carlos



  • 9.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 04:48 PM

    @NightShade1 wrote:

    But then I would need to use QuickConnect as well, right?

    Cheers

    Carlos


    As long as your RADIUS server (ClearPass, I'm guessing) has a publicly trusted certificate, you don't "need" QuickConnect.

    When users connect to your PEAP network, they will be prompted to enter their username and password, and then many operating systems require them to verify that they trust the certificate of the RADIUS server (the public one you installed).

    It's not the most secure or the prettiest for the users, but it is also the most affordable!



  • 10.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 04:51 PM

    If it's a computer which is on a domain, let's say a student who brings a laptop from work, then it will try using his credentials for it. It won't be automatic just like that...

    Cheers

    Carlos



  • 11.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 04:53 PM

    Anyways, what I want to offer is the correct way, not the most affordable :)



  • 12.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 04:54 PM

    No, they don't have that.

    Cheers

    Carlos



  • 13.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 05:05 PM

    @NightShade1 wrote:

    If it's a computer which is on a domain, let's say a student who brings a laptop from work, then it will try using his credentials for it. It won't be automatic just like that...

    Cheers

    Carlos


    Depending on the version of Windows, behavior is a little different, but generally speaking, Windows will try to pass the current user credentials, and when those fail, it will prompt the user to enter some other credential.

    It is true that QuickConnect takes away that problem, but I can tell you we have been doing it this way for about 3 years, no QuickConnect, no ClearPass (NPS for three years, testing ClearPass now), and it works.



  • 14.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 05:09 PM

    We are trying to sell a ClearPass :)

    Cheers

    Carlos



  • 15.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 05:13 PM

    @NightShade1 wrote:

    We are trying to sell a ClearPass :)

    Cheers

    Carlos


    Well, you can use ClearPass as the RADIUS server instead of NPS, and no additional licenses are needed for student access. It has many benefits when it comes to ease of authentication troubleshooting, powerful ways to profile and pass back roles to the Aruba controller, etc.

    They will only need enough Guest licenses to service true campus visitors.



  • 16.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 04, 2014 05:31 PM

    Carlos,

    You have many different options. One thing to always take into consideration is security.

    I have a lot of different colleges and universities using all or some of the features.

    Scenario 1

    Staff - Onboard
    Students PC/mobile - .1x
    Student gaming/Apple TV/etc. - MACTrac (No guest licenses are used)
    Guest - Captive portal

    Scenario 2

    Staff/Students - .1x using QuickConnect
    Student gaming/Apple TV/etc. - MACTrac (No guest licenses are used)
    Guest - Captive portal

    Scenario 3

    Staff - Onboard
    Students - Guest captive portal with AD credentials (No guest licenses are used)
    Student gaming/Apple TV/etc. - MACTrac (No guest licenses are used)
    Guest - Captive portal

    And there are many more. The reason I brought up security is that if they are not concerned with the data going over the air, the easiest way is Scenario 3. The students and the guests can use the CP, and you can enable MAC caching.

    Some customers will deploy .1x and guest to start off and move to TLS. They like not having to worry about putting in passwords when they connect, or password expirations, which makes it easier for both students and staff, but again it all comes down to cost.

    You can give Derin (my UK counterpart) a call and he can also work through all the scenarios, but the first few things I would talk to the customer about to narrow down the options are:

    #1 Security

    #2 Ease of use

    #3 Cost



  • 17.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 08:50 PM
    As a reference point using Troy's excellent summary, we are currently practicing Scenario 2 with an eye towards Scenario 1. FWIW...


  • 18.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 09:32 PM

    GREAT summary Troy, thank you very much!

    Looks more clear now.

    Question about Scenario 1 on the students part.

    Is it 802.1X with onboarding for students, so the students don't have to configure anything? I mean like a one-time process, so that they don't have to do it anymore?

    Cheers

    Carlos



  • 19.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 09:39 PM

    Another question, Troy

    How come on Scenario 3 no guest license is used? If you are using ClearPass Guest and also using MAC caching, doesn't that consume one guest license? Or do you mean normal NPS without ClearPass, with Active Directory, and the NPS being the RADIUS server of that AAA profile?

    Cheers

    Carlos



  • 20.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 04, 2014 10:14 PM

    Question 1

    Most either have a page that explains to the students how to connect (which has quite a few steps) or they use QuickConnect.

    Question 2

    If the students sign into the guest portal with AD credentials then you are not using a guest license. A guest license is only used when you create a guest account or the user uses the self-registration portal on CPPM.



  • 21.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 10:21 PM

    Troy, really????

    2 more questions :)

    1) So this means I could be using all the branding of ClearPass Guest, and yet not be using a Guest license?

    How about in this scenario:

    2) Using the captive portal with all the branding AND using MAC caching with MAC authentication, but using AD as the database for user and password? Would this not consume any license, as I'm not using guest self-registration, nor am I creating a guest user?

    What I'm not sure about is whether using MAC authentication would count as creating a guest user???

    Cheers

    Carlos



  • 22.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 04, 2014 10:25 PM

    Neither one would use a guest license, just a core CPPM license.

    Remember, if they are using an open SSID then they are sending their credentials over the air unencrypted. That is why most do not use that option. You are at risk of a man-in-the-middle attack.



  • 23.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 10:33 PM

    Really?

    I thought that, as the captive portal uses HTTPS, the username and password were encrypted. Is that wrong?

    I'm aware of the man-in-the-middle attack, as the device has no way to know who it is connecting to and is vulnerable to a man-in-the-middle attack.

    Cheers

    Carlos



  • 24.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 04, 2014 10:44 PM
    If someone did a man in the middle, they could hijack all traffic and brute force, or even just create their own portal page and remove the HTTPS.

    There are a lot of holes in using an unencrypted SSID.


  • 25.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 10:48 PM

    Yeah, I edited my message a few mins back :)

    The thing is that I've got it more clear now, and I can give all the options to the client, and the pros and cons of each, and let him choose, and yes, the budget is always a heavy weight!

    Anyways, thanks Troy :) Don't ever leave this forum :D

    Cheers

    Carlos



  • 26.  RE: Top ClearPass features for the education vertical

    Posted Oct 05, 2014 11:14 PM

    For what it is worth, we are a fairly new Aruba customer and we chose these options:

    1. An 802.1X wireless SSID for "smart" devices that can handle it. Pushed an Active Directory policy to school-owned Windows machines to set up the connection automatically. Have online instructions for students to use for BYOD devices (but students don't really read these days, so the helpdesk sees action from this).

    2. An open SSID for "dumb" devices that can't do 802.1X, such as DVD players, TVs, etc. Students are sent to ClearPass Guest to register their devices by MAC address and choose any AirPlay sharing settings - this does NOT consume a guest license, only a standard ClearPass license. School-owned devices are registered by IT as a known endpoint in main ClearPass.

    3. An open Guest SSID that uses the controller's portal and authenticates against a specific Active Directory container of guest IDs that we had already created in a previous life and given out to different departments. We already tie almost everything to Active Directory, so for now we continue to change the passwords for these guest IDs regularly and send instructions to each department to hand them out as they see fit.

    4. We have a Cisco switch infrastructure and are in the process of changing the wired ports in student areas to authenticate against ClearPass via 802.1X with fallback to MAB (MAC Auth Bypass). This works OK, but is one more thing that students have to figure out. We are considering making it so that if they fail authentication, they are put in a controlled VLAN that hijacks DNS and takes them to detailed instructions. It is possible in the Cisco config to specify a VLAN when authentication fails.

    I'd be curious to know how this stacks up against what other schools are doing. I'd also be curious to hear what you do about blocking routers in dorms. We had hoped to be able to use ClearPass policies to look at the device type that ClearPass detects, but because student devices are registered in ClearPass Guest, it doesn't look like we have that type of data available to use in a policy. So, nothing prevents a student from registering the MAC address of a router and moving right along, and nothing prevents them from registering a Windows machine this way as well, even though we'd prefer it to be on the 802.1X network instead.



  • 27.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 05, 2014 11:19 PM
    Why not combine 2+3 into one SSID?

    In terms of blocking routers, the problem is that it won't be accurately profiled unless they use it like a traditional home router and plug the "internet" port into the network. You could use the mac-oui-vendor profile to block them, although some of those vendors now make legit client devices.

    If they plug into one of the switch ports, then you'll never see a profile. It might be best to turn on port-security and limit the number of MACs.


  • 28.  RE: Top ClearPass features for the education vertical

    Posted Oct 05, 2014 11:23 PM

    Probably could, but we started with the device SSID set up differently (using a WPA2 password), then changed our minds.

    Yeah, the vanilla Cisco port security setup does exactly what you suggest - throws a violation if more than one MAC is seen. It is just a bummer that in ClearPass you can't say, for devices registered through Guest, "if it is classified as a router, then deny it".



  • 29.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 05, 2014 11:26 PM
    You can write a rule that checks for the Router category and denies; just keep in mind that it won't catch passive L2 devices.


  • 30.  RE: Top ClearPass features for the education vertical

    Posted Oct 05, 2014 11:33 PM

    When I chose Authorization: Guest Device Repository as a condition (which is where things registered in CP Guest live), there are no options to look at, such as Category, OS Family, etc., the way there are when you select Endpoints Repository.



  • 31.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 05, 2014 11:38 PM
    You would use the Category in the Endpoints Repository. It wouldn't stop the device from being registered, but it would stop it from authenticating when it was connected.


  • 32.  RE: Top ClearPass features for the education vertical

    Posted Oct 06, 2014 02:31 PM

    I can't seem to make a router device hit a rule to stop it. I have a rule in the policy that serves our devices that says Authorization [Endpoints Repository] Category EQUALS Router >> Deny Access, but it seems to skip over that.



  • 33.  RE: Top ClearPass features for the education vertical

    Posted Oct 06, 2014 02:36 PM

    I should probably add that the service which handles the wired connections from Cisco switches DOES have profiling enabled, and I DO see our test router in the Endpoints Repository with a category of "Router".



  • 34.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 06, 2014 02:36 PM
    Do you have the Endpoints Repository as an authorization source in your service?

    Also, try adding a second rule to that set that says:

    Authentication MAC Auth matches any, and select all three options.


  • 35.  RE: Top ClearPass features for the education vertical

    Posted Oct 06, 2014 02:45 PM

    I did NOT have Endpoints as an auth source - added it and tried both with and without the added rule as you suggest, but it still passes OK, and the profiles I see returned are the ones in the rules below these that basically say "if auth did not fail".



  • 36.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 06, 2014 02:51 PM
    Can you post a screenshot of your enforcement policy?


  • 37.  RE: Top ClearPass features for the education vertical

    Posted Oct 06, 2014 02:53 PM

    Sure - thanks.



  • 38.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 06, 2014 02:58 PM
    Hmm. Can you post the summary screen of your service?


  • 39.  RE: Top ClearPass features for the education vertical

    Posted Oct 06, 2014 04:13 PM

    Sure...



  • 40.  RE: Top ClearPass features for the education vertical

    EMPLOYEE
    Posted Oct 06, 2014 05:20 PM

    You need to enable authorization also.



  • 41.  RE: Top ClearPass features for the education vertical

    Posted Oct 07, 2014 09:50 AM

    That appears to have been the issue - I didn't have authorization turned on for the wired service, so it was not fetching the Endpoints database info. Thanks much, all.
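
As an added illustration, not ClearPass code and only a small model of first-match enforcement-policy evaluation: it reproduces the misconfiguration traced in posts 32 to 41, where the "Category EQUALS Router >> Deny Access" rule never fires until both authorization is enabled on the service and the Endpoints Repository is listed as an authorization source, plus the caveat from post 29 that an unprofiled passive L2 device has no Category to match. The endpoint table, MAC addresses, rule order and profile names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample of an Endpoints Repository (MAC -> profiled attributes).
# The last entry models a passive L2 device that was never profiled, so it
# carries no Category at all.
ENDPOINTS_REPOSITORY = {
    "00:11:22:33:44:55": {"Category": "Router"},          # constructed
    "aa:bb:cc:dd:ee:01": {"Category": "Game Console"},    # constructed
    "aa:bb:cc:dd:ee:02": {},                              # constructed
}

@dataclass
class Service:
    authorization_enabled: bool          # the "Authorization" toggle on the service
    authorization_sources: tuple = ()    # e.g. ("Endpoints Repository",)

@dataclass
class Request:
    mac: str
    auth_ok: bool                        # did MAC auth / 802.1X succeed?
    attrs: dict = field(default_factory=dict)

def fetch_authorization_attrs(svc, req):
    """Pull endpoint attributes only if the service is set up to ask for them.
    Both conditions from the thread are required: authorization enabled AND
    the Endpoints Repository listed as an authorization source."""
    if svc.authorization_enabled and "Endpoints Repository" in svc.authorization_sources:
        for key, value in ENDPOINTS_REPOSITORY.get(req.mac, {}).items():
            req.attrs[("Endpoints Repository", key)] = value

# Enforcement rules in order: (name, condition, profile). First match wins,
# mirroring the order described in the thread (router deny above the allow rule).
RULES = [
    ("router deny",
     lambda r: r.attrs.get(("Endpoints Repository", "Category")) == "Router",
     "Deny Access"),
    ("auth did not fail",
     lambda r: r.auth_ok,
     "Allow Student Devices"),
]
DEFAULT_PROFILE = "Deny Access"

def evaluate(svc, req):
    """Return the enforcement profile the model would hand back for this request."""
    fetch_authorization_attrs(svc, req)
    for _name, condition, profile in RULES:
        if condition(req):
            return profile
    return DEFAULT_PROFILE

if __name__ == "__main__":
    misconfigured = Service(authorization_enabled=False, authorization_sources=("Endpoints Repository",))
    fixed = Service(authorization_enabled=True, authorization_sources=("Endpoints Repository",))
    router = "00:11:22:33:44:55"
    print("router, authorization off:", evaluate(misconfigured, Request(router, True)))
    print("router, authorization on: ", evaluate(fixed, Request(router, True)))
```

With authorization off (or the repository not listed as a source) the attribute is never fetched, so the router is allowed by the later rule exactly as the thread describes; the unprofiled device is allowed even after the fix, which is the limit post 29 points out.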



  • 42.  RE: Top ClearPass features for the education vertical

    Posted Oct 04, 2014 04:53 PM
    Do you use eduroam at your university/college?
    They have something called eduroam CAT which helps with getting people on.