My apologies for being unclear. We desire our NAC solution to be "the same everywhere for everyone". We are currently using different SSIDs with different access methods, encryption keys, etc. for students, employees and guests. At this time our wireless encryption is mostly WPA-PSK but that will undoubtedly change over time. To start we are trying to keep things simple and fairly close to the current implementation.

Our desire is to provide authorized people with unfettered access as appropriate and we want the solution to "feel the same" for wired and wireless connections as much as possible. We may well end up providing (and perhaps enforcing) more stringent mechanisms for university owned devices used by faculty and staff. However, to start with, simple is a good thing and we plan to continue to refine and improve as time goes on.

--
Robin D. Kundert                        email: [email protected]
Sr. Network Administrator               voice: 206.281.2507
Seattle Pacific University
Computer & Information Systems Dept.
3307 Third Ave. West, Suite 206, Seattle, WA 98119-1950

-----Original Message-----
From: Olivier Bilodeau [mailto:[email protected]]
Sent: Friday, May 28, 2010 14:44
To: [email protected]
Subject: Re: [Packetfence-users] PacketFence and Aruba

Kundert, Robin wrote:
> Greetings.
>
> We are working toward a summer deployment of PacketFence here at Seattle
> Pacific University to replace our current Cisco Clean Access NAC. One
> of the components that will need to be brought under the control of
> PacketFence is our Aruba Networks wireless system. We have been told by
> Inverse that other folks are doing this and that most have, apparently,
> chosen to */_NOT_/* use 802.11x.

I just want to be really clear about what we have said. Most of our clients have chosen not to use wireless 802.1x _alone_. They run two SSIDs: one that is secured (802.1x) and one that is open.

What we have noticed in these deployments is that when users have a choice they tend to be lazy, thus they don't configure 802.1x. In the types of setup like I described above, I would say (ballpark) that less than 3% of the wireless population is using WPA2-Enterprise (802.1x).

Because of the complexity of an 802.1x wireless configuration we always recommend to have an approach with both SSIDs (open and secure). Then, over time you could educate your users and migrate them.

Successful approaches include forcing the staff to use 802.1x and allowing students to use both. Staff machines can be configured using a GPO in Active Directory (although I have no experience with that, some of our clients have done it).

Note also that WPA-PSK (pre-shared key) is also possible although we never recommend it because of the management burden (changing key is complicated) and we believe it provides a false sense of security (key is known and shared by a large group, little authentication).

I hope our stand on WPA2-Enterprise (802.1x) vs WPA-PSK vs Open Wi-Fi is clearer now.

Please share your experience with Robin on this list or in private.

Have a nice weekend!

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

------------------------------------------------------------------------------
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
