Higher Education


eduroam

  • 1.  eduroam

    Posted Apr 02, 2015 01:23 PM

    For Higher-Ed Users Who Have Deployed the eduroam SSID


    1) Do you have another 802.1X secured network for your trusted users (faculty, staff, and/or students) that may be branded for your organization?
    2) If you have an 802.1X secured network for your trusted users, did you or do you plan on shutting it down in favor of only having eduroam as your secured network?
    3) Do you have an open / captive portal protected network for guest users to your organization?
    4) For eduroam users visiting your organization, do you give them 1] Access to the same internal resources as your trusted users or 2] Do you treat them like guests (only give them minimal access to internal resources and full access to the internet) or 3] Do you give them something in the middle?
    5) If you give them option 3] (something in the middle in the previous question), how did you determine what access you gave them and how much trust do you place in these users?

    Thanks,

    Brad

     

     



  • 2.  RE: eduroam

    Posted Apr 02, 2015 01:34 PM

    1) Not publicly visible

    2) We shut down our branded dot1x when we brought up eduroam

    3) Yup

    4) We give them the same role as Students.  That would be option 3.

    5) We figured that eduroam users are members of education institutions and so, are at least students.  So, we decided to treat them the same as our own students.  Not as open as faculty/staff folks but not as closed off as true guests.  As far as trust, no.  We don't trust our own students, so we certainly aren't going to trust yours! ;)



  • 3.  RE: eduroam

    Posted Apr 02, 2015 01:40 PM

    1) Do you have another 802.1X secured network for your trusted users (faculty, staff, and/or students) that may be branded for your organization?

    We still have our branded SSIDs

     

    2) If you have an 802.1X secured network for your trusted users, did you or do you plan on shutting it down in favor of only having eduroam as your secured network?

    No plans to remove our other 802.1X SSIDs

     

    3) Do you have an open / captive portal protected network for guest users to your organization?

    We have sponsored guest and guest accounts that are attached to guest parking permit requests

     

    4) For eduroam users visiting your organization, do you give them 1] Access to the same internal resources as your trusted users or 2] Do you treat them like guests (only give them minimal access to internal resources and full access to the internet) or 3] Do you give them something in the middle?

    They fall into the same access category as guests

     

    5) If you give them option 3] (something in the middle in the previous question), how did you determine what access you gave them and how much trust do you place in these users? N/A

     



  • 4.  RE: eduroam

    Posted Apr 02, 2015 01:54 PM
    1.) yes
    2.) not at this time but likely someday (no point in 2 wpa2-aes ssids)
    3.) yes, open, unauthenticated (click-through)
    4.) 2 (treat them like guests)
    5.) n/a

    - Ryan -


  • 5.  RE: eduroam

    Posted Apr 06, 2015 02:28 PM

    1.  yes

    2.  we do plan on shutting it down - hopefully next year or two and use eduroam for 802.1X

    3.  captive portal - migrating to cpguest for self-registrations - otherwise requires sponsored access

    4. Same access.  Currently all wireless viewed as external - so same filters on border are in place for wireless users

    5. n/a



  • 6.  RE: eduroam

    Posted Apr 06, 2015 05:33 PM

    Thanks to everyone who provided information on eduroam. This helped a lot.

    Brad

     



  • 7.  RE: eduroam

    Posted Apr 08, 2015 04:06 PM

    1) Yes

    2) No. We will keep three SSIDs, one for our users, one for eduroam visitors, one for guests

    3) Yes, we require sms registration to access guest wifi

    4) We treat them as outsiders (like the rest of the world). It's up to destination to decide whether access eduroam to access.

    5) Up to individual. If a unit wants their eduroam visitors to access their internal resources, we can open up firewall for them.

     



  • 8.  RE: eduroam

    Posted Apr 08, 2015 04:22 PM

    Yu,

    Does this mean ALL of your wireless users are connected outside of your border firewall?

    Thanks,

    Brad

     



  • 9.  RE: eduroam

    Posted Apr 08, 2015 04:27 PM

    In current configuration, yes. We are moving them back behind firewall in three weeks.



  • 10.  RE: eduroam

    Posted Apr 08, 2015 04:36 PM

    Yu,

    What circumstance(s) is/are leading you to move them back inside of the firewall (after you already have them on the outside)? We have the discussion every so often and it centers around the question, "Why would you treat a trusted wireless user differently than a trusted wired user and make them go through more protection points to get to services?"

    Thanks,

    Brad