Wireless Network/Guest Access - CALEA
Hi Everyone - For some of you who have been in higher education a while, this topic might ring a bell, but I'm wondering whether I'm missing something about the need for continued compliance.

Back in the early 2000s, there was a push to lock down wireless networks due to the CALEA Act. While the law was passed in the early 1990s and covered phone surveillance by law enforcement, there was an expected expansion of it in the 2000s to cover the area of wireless networks. Basically, we were told that we needed to lock down guest access with a password that would have to be changed on a regular basis and provided to guests who came to campus and wanted to use our wireless network resources (basically internet) as a way to prevent an unauthorized end user from accessing our network.

Here is a link to one resource on the topic that is more complete than some of the government links I've found: https://www.eff.org/issues/calea

I'm curious if people are still following this law and whether something has come out that has superseded it that I have not heard of since I've again become involved with some of our networking projects.

Thanks everyone!

Ron Loneker, Jr.
Director, IT Special Projects
Saint Elizabeth University
Mahoney Library
2 Convent Road
Morristown, NJ 07960
Phone: 973-290-4229
e-mail: rlone...@steu.edu

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] Ucopia, for Guest Access?
Does Ucopia support IPv6?

> On Dec 17, 2015, at 7:31 AM, Lee H Badman wrote:
>
> Wondering if anyone on the list uses, or has looked into Ucopia http://www.ucopia.com/en/ for guest access?
>
> -Lee Badman

---
Bruce Curtis
bruce.cur...@ndsu.edu
Certified NetAnalyst II
701-231-8527
North Dakota State University

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Ucopia, for Guest Access?
Wondering if anyone on the list uses, or has looked into Ucopia http://www.ucopia.com/en/ for guest access?

-Lee Badman
RE: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?
Sure- it is CSCuw19713.

-Lee

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325
e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sullivan, Don
Sent: Monday, October 12, 2015 2:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?

Lee,

We are running an 8510 also. We have not seen any catastrophic issues on 8.0.115.0. We are only around 5k clients so I wouldn't say we are tasking our controller that hard. Do you mind sharing the bug id if you get one for your issue? I would like to track it so I will know which code has the fix included.

Thanks.

Don Sullivan
Network Administrator
205-726-2111

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 12, 2015 11:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?

Hello to the excellent group. I'm dealing with a catastrophic code issue with AVC right now on our 8510s that has me nervous about another feature we plan on using- the tight integration between our WLCs and either ISE, Clearpass, or SafeConnect SE. We currently do all wireless guest access through a 3rd party box that is growing long in the tooth. For those on high-capacity 85xx controllers and using the likes of web redirect/policies on the WLC for guest operations and MAC exceptions, have you run into any WLC code issues that have crippled the service or resulted in organization embarrassment? Any gotchas or disappointments?

Thanks-

Lee

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325
e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu
RE: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?
Lee,

We are running an 8510 also. We have not seen any catastrophic issues on 8.0.115.0. We are only around 5k clients so I wouldn't say we are tasking our controller that hard. Do you mind sharing the bug id if you get one for your issue? I would like to track it so I will know which code has the fix included.

Thanks.

Don Sullivan
Network Administrator
205-726-2111
RE: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?
Thanks, Brandon. For us, when we got around 14K clients with AVC enabled, latency on all WLANs shot up to several hundreds of ms. It's still an open TAC case, easily reproducible, but it did take a certain number of clients before the effect manifested. Very good to hear the rest of your success.

-Lee

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325
e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Case, Brandon J
Sent: Monday, October 12, 2015 1:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?

Hi Lee,

Here at Purdue we've got a fleet of WLCs, mostly WiSM2s from which we're migrating to 8510s. We have one 8510 dedicated to wireless service in our residence halls. It has around 2400 APs joined to it and I've personally seen the concurrent user count reach over 11k during peak hours. It provides 4 SSIDs (not great but could be worse): our main 1x network that we provide everywhere else on campus, one for gaming/media/non-1x devices, eduroam and attwifi.

The gaming/media SSID is open with MAC auth and has the most complex setup of all of those. We use ISE to have the students register their various devices through a portal which then adds it to an identity group that's used in authorization policy. To prevent students from connecting their laptop/phone/tablet/whatever to the gaming/media network we're using a logical profile in ISE. If they do happen to connect something to the gaming/media network that could connect to the 1x network we drop them at a page that instructs them to connect the device to the main 1x network. It works well enough but the biggest headache we've had with it is Xbox Ones. Since they profile in ISE as Windows 8 machines most of the time, we've had to manually assign some of them to the Xbox One profile we created. Of course that means a request comes through a trouble ticket via our helpdesk or the ever-popular back channels that seem to keep working. Either way, a less than satisfactory user experience.

However, by and large the system works well and has seen increased usage as time has gone on (this is the second semester it has been live). We do have AVC enabled on the 1x network but so far /knockonwood we haven't had any problems as a result of that. To answer your original questions though: we haven't had any major issues or disappointments related to the controller.

Thanks,

--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax: (765) 49-46620
PGP Fingerprint: 99CB 02D6 983C 1E2A 015F 205C C7AA E985 A11A 1251
RE: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?
Hi Lee,

Here at Purdue we've got a fleet of WLCs, mostly WiSM2s from which we're migrating to 8510s. We have one 8510 dedicated to wireless service in our residence halls. It has around 2400 APs joined to it and I've personally seen the concurrent user count reach over 11k during peak hours. It provides 4 SSIDs (not great but could be worse): our main 1x network that we provide everywhere else on campus, one for gaming/media/non-1x devices, eduroam and attwifi.

The gaming/media SSID is open with MAC auth and has the most complex setup of all of those. We use ISE to have the students register their various devices through a portal which then adds it to an identity group that's used in authorization policy. To prevent students from connecting their laptop/phone/tablet/whatever to the gaming/media network we're using a logical profile in ISE. If they do happen to connect something to the gaming/media network that could connect to the 1x network we drop them at a page that instructs them to connect the device to the main 1x network. It works well enough but the biggest headache we've had with it is Xbox Ones. Since they profile in ISE as Windows 8 machines most of the time, we've had to manually assign some of them to the Xbox One profile we created. Of course that means a request comes through a trouble ticket via our helpdesk or the ever-popular back channels that seem to keep working. Either way, a less than satisfactory user experience.

However, by and large the system works well and has seen increased usage as time has gone on (this is the second semester it has been live). We do have AVC enabled on the 1x network but so far /knockonwood we haven't had any problems as a result of that. To answer your original questions though: we haven't had any major issues or disappointments related to the controller.

Thanks,

--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax: (765) 49-46620
PGP Fingerprint: 99CB 02D6 983C 1E2A 015F 205C C7AA E985 A11A 1251
Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?
Hello to the excellent group. I'm dealing with a catastrophic code issue with AVC right now on our 8510s that has me nervous about another feature we plan on using- the tight integration between our WLCs and either ISE, Clearpass, or SafeConnect SE. We currently do all wireless guest access through a 3rd party box that is growing long in the tooth. For those on high-capacity 85xx controllers and using the likes of web redirect/policies on the WLC for guest operations and MAC exceptions, have you run into any WLC code issues that have crippled the service or resulted in organization embarrassment? Any gotchas or disappointments?

Thanks-

Lee

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325
e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Thanks, Caston- will have a look. My own full disclosure- not a fan of Gartner's Quadrants http://wirednot.wordpress.com/2014/07/02/nothing-magic-about-gartners-quadrant-when-it-comes-to-wi-fi/ :) We have no desire for NAC per se, just the guest access part (which is surprisingly hard to separate out at times, I realize).

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Caston Thomas
Sent: Tuesday, July 08, 2014 12:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

The base level product will do what you need it to do... http://www.forescout.com/product/counteract/ Topped Gartner's NAC magic quadrant last time around. Full disclosure: I'm a Forescout integrator. My participation here is not a solicitation, as I would graciously reject an invitation from Syracuse to participate in a NAC deployment due to geography. :)

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, July 08, 2014 12:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Not familiar... any specific product?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Caston Thomas
Sent: Tuesday, July 08, 2014 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Why not Forescout? Overwhelming majority of their customers are enterprise Cisco shops.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, June 27, 2014 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Thanks Philippe. I love Xpressconnect, but ES is married to TLS, and we're not there yet.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Friday, June 27, 2014 1:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Clearpass or Xpressconnect ES

On Jun 27, 2014, at 1:28 PM, "John Kaftan" <jkaf...@utica.edu> wrote:

Lee:

We have that same functionality built-in to the Netsight NAC - by Enterasys, now Extreme. I know they sell their NAC to Cisco shops too. Not exactly what you are looking for but if you also want to do something with NAC\BYOD down the road this would be an option. It does everything you mentioned.

John

On Fri, Jun 27, 2014 at 1:11 PM, Lee H Badman <lhbad...@syr.edu> wrote:

Happy Summer!

We run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:

- Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number
- Any guest can self-sponsor, but only with 10 digit mobile phone number that gets the password texted to them
- We control data rate, session durations, firewall rules etc in the Bluesocket for guests
- When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket

This all works great, and is what is right for us (please don't tell me all the different ways we could do guest access, just not what I'm looking for here). I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that replicates all the same functionality from a single appliance that could drop in instead of Bluesocket. Adtran bought Bluesocket, and I don't care for their response, support, or direction.

I'm wondering if anyone on the list uses Aruba's ClearPass solution with Cisco WLAN in the way I'm describing?

Thanks-

Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)

--
John Kaftan
IT Infrastructure Manager
Utica College
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
The base level product will do what you need it to do... http://www.forescout.com/product/counteract/ Topped Gartner's NAC magic quadrant last time around. Full disclosure: I'm a Forescout integrator. My participation here is not a solicitation, as I would graciously reject an invitation from Syracuse to participate in a NAC deployment due to geography. :)
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Not familiar... any specific product?
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Why not Forescout? Overwhelming majority of their customers are enterprise Cisco shops. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Friday, June 27, 2014 1:58 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access Thanks Phillipe. I love Xpressconnect, but ES is married to TLS, and we're not there yet. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C Sent: Friday, June 27, 2014 1:37 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access Clearpass or Xpressconnect ES On Jun 27, 2014, at 1:28 PM, "John Kaftan" mailto:jkaf...@utica.edu>> wrote: Lee: We have that same functionality built-in to the Netsight NAC - by Enterasys now Extreme. I know they sell their NAC to Cisco shops too. Not exactly what you are looking for but if you also want to do something with NAC\BYOD down the road this would be an option. It does everything you mentioned. John On Fri, Jun 27, 2014 at 1:11 PM, Lee H Badman mailto:lhbad...@syr.edu>> wrote: Happy Summer! We run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. 
So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:

- Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number
- Any guest can self-sponsor, but only with 10 digit mobile phone number that gets the password texted to them
- We control data rate, session durations, firewall rules etc in the Bluesocket for guests
- When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket

This all works great, and is what is right for us (please don't tell me all the different ways we could do guest access, just not what I'm looking for here). I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that replicates all the same functionality from a single appliance that could drop in instead of Bluesocket. Adtran bought Bluesocket, and I don't care for their response, support, or direction.

I'm wondering if anyone on the list uses Aruba's ClearPass solution with Cisco WLAN in the way I'm describing?

Thanks-
Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)

--
John Kaftan
IT Infrastructure Manager
Utica College
RE: Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Thanks, Bruce, and everyone else. I have to say, Bluesocket really packed a lot into a single package in this regard; it's a crying shame that Adtran didn't keep it current as a third-party appliance for those not wanting convoluted guest solutions. The more I look at other options, the more I appreciate what the thing can do all out of a single box. :)

-Lee

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Monday, June 30, 2014 8:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Lee,

ClearPass, at its core, is FreeRADIUS based, with a database (I forget if MySQL or PostgreSQL) added. In the Aruba system, the firewall functions are part of the wireless controller. ClearPass RADIUS chooses the firewall role enforced by the wireless controller (& AP) before the user even gets network access. I think Cisco keeps the firewall external to the wireless controller because they sell external firewall hardware. For very small installations or demonstration, the controller can act as a DHCP server (up to 512 clients, IIRC).

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Saturday, June 28, 2014 8:14 AM
Subject: Re: Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Good info, thanks Mike. I'd not need RADIUS in my scenario, and I'm guessing Clearpass can't act like DHCP server or NAT box? Just comparing to how we use BlueSocket.

Lee

> On Jun 27, 2014, at 5:32 PM, "Mike Ricci" wrote:
>
> Hi Lee,
>
> We use Clearpass with the Aruba APs but are in the process of setting up another site that has Aerohive APs to integrate captive portal authentication with Clearpass.
>
> So, not Cisco, but I can tell you how it bolts onto another third party wireless:
>
> * We've made clearpass the radius server on the Aerohive "controller".
> * Clearpass actually serves the captive portal which is stored on its disk, mates to directory services, and sends back to the Aerohive controller an ID once the user has auth'd.
> * The Aerohive controller takes the ID and assigns a subnet based on that ID.
>
> Here's the setup for this - I'm sure this is very similar to what you would do with the Cisco controller, specifying an outside radius server:
> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tutorial-Aerohive-Integration-with-Clearpass-corp-and-guest-mhc/td-p/149134
>
> From there we have to control the firewall rules on the Aerohive controller/AP side, based on the subnet or vlan that the device is dropped into. Basically Clearpass does authentication for us, but does not control any type of bandwidth limitations, firewall, etc. This is controlled through the AP Controller, which would be the Cisco controller in your case.
>
> Haven't turned up our guest wireless on Clearpass with the Aerohives, just a basic captive portal so far, but our Clearpass Guest with Aruba APs has the following features all controlled from Clearpass (I assume it would be the same with any wireless system):
>
> * It allows you to give user(s) the right to sponsor a guest via a web page.
> * Guests can also self-register themselves, receiving a login via text message or email
> * You can manually input MAC addresses into Clearpass for devices like Apple TVs.
>
> Clearpass is a bit of a beast to setup, but very customizable; that's the trade off. It runs as a VM, so if you wanted to test it out and had a resource who had some time to learn, you could probably do a PoC to make sure it mates up to Cisco.
>
> Not sure if this is useful, but I can update you when I turn up our Guest network on the Aerohive APs in a few weeks.
>
> Mike Ricci
> Marymount California University
> 310.303.7263
> ________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman
> Sent: Friday, June 27, 2014 12:49 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Gotcha- thanks for clarification.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
> Sent: Friday, June 27, 2014 2:36 PM
RE: Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Lee,

ClearPass, at its core, is FreeRADIUS based, with a database (I forget if MySQL or PostgreSQL) added. In the Aruba system, the firewall functions are part of the wireless controller. ClearPass RADIUS chooses the firewall role enforced by the wireless controller (& AP) before the user even gets network access. I think Cisco keeps the firewall external to the wireless controller because they sell external firewall hardware. For very small installations or demonstration, the controller can act as a DHCP server (up to 512 clients, IIRC).

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Saturday, June 28, 2014 8:14 AM
Subject: Re: Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Good info, thanks Mike. I'd not need RADIUS in my scenario, and I'm guessing Clearpass can't act like DHCP server or NAT box? Just comparing to how we use BlueSocket.

Lee

> On Jun 27, 2014, at 5:32 PM, "Mike Ricci" wrote:
>
> Hi Lee,
>
> We use Clearpass with the Aruba APs but are in the process of setting up another site that has Aerohive APs to integrate captive portal authentication with Clearpass.
>
> So, not Cisco, but I can tell you how it bolts onto another third party wireless:
>
> * We've made clearpass the radius server on the Aerohive "controller".
> * Clearpass actually serves the captive portal which is stored on its disk, mates to directory services, and sends back to the Aerohive controller an ID once the user has auth'd.
> * The Aerohive controller takes the ID and assigns a subnet based on that ID.
>
> Here's the setup for this - I'm sure this is very similar to what you would do with the Cisco controller, specifying an outside radius server:
> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tutorial-Aerohive-Integration-with-Clearpass-corp-and-guest-mhc/td-p/149134
>
> From there we have to control the firewall rules on the Aerohive controller/AP side, based on the subnet or vlan that the device is dropped into. Basically Clearpass does authentication for us, but does not control any type of bandwidth limitations, firewall, etc. This is controlled through the AP Controller, which would be the Cisco controller in your case.
>
> Haven't turned up our guest wireless on Clearpass with the Aerohives, just a basic captive portal so far, but our Clearpass Guest with Aruba APs has the following features all controlled from Clearpass (I assume it would be the same with any wireless system):
>
> * It allows you to give user(s) the right to sponsor a guest via a web page.
> * Guests can also self-register themselves, receiving a login via text message or email
> * You can manually input MAC addresses into Clearpass for devices like Apple TVs.
>
> Clearpass is a bit of a beast to setup, but very customizable; that's the trade off. It runs as a VM, so if you wanted to test it out and had a resource who had some time to learn, you could probably do a PoC to make sure it mates up to Cisco.
>
> Not sure if this is useful, but I can update you when I turn up our Guest network on the Aerohive APs in a few weeks.
>
> Mike Ricci
> Marymount California University
> 310.303.7263
> ________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman
> Sent: Friday, June 27, 2014 12:49 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Gotcha- thanks for clarification.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
> Sent: Friday, June 27, 2014 2:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> NAC is part of the Netsight Suite. You would have to go with NAC to get the functionality you need. NAC licensing is expensive and it wouldn't be the way to go just for the functionality you seek. If you wanted to embrace NAC then I would say look at them as it is quite good plus has the functionality you need.
>
> John
>
> On Fri, Jun 27, 2014 at 1:33 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> Thanks, John. We're steering away from NAC but will take a look at Netsight.
>
> -Lee
>
> From: The ED
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
As far as I know it doesn't have these functions. DHCP, NAT/Firewall, and Routing would be through a separate device. Clearpass doesn't really work the same as the Bluesocket. No production traffic is sent inline through Clearpass.

Mike Ricci
Marymount California University
310.303.7263

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman
Sent: Saturday, June 28, 2014 5:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Good info, thanks Mike. I'd not need RADIUS in my scenario, and I'm guessing Clearpass can't act like DHCP server or NAT box? Just comparing to how we use BlueSocket.

Lee

> On Jun 27, 2014, at 5:32 PM, "Mike Ricci" wrote:
>
> Hi Lee,
>
> We use Clearpass with the Aruba APs but are in the process of setting up another site that has Aerohive APs to integrate captive portal authentication with Clearpass.
>
> So, not Cisco, but I can tell you how it bolts onto another third party wireless:
>
> * We've made clearpass the radius server on the Aerohive "controller".
> * Clearpass actually serves the captive portal which is stored on its disk, mates to directory services, and sends back to the Aerohive controller an ID once the user has auth'd.
> * The Aerohive controller takes the ID and assigns a subnet based on that ID.
>
> Here's the setup for this - I'm sure this is very similar to what you would do with the Cisco controller, specifying an outside radius server:
> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tutorial-Aerohive-Integration-with-Clearpass-corp-and-guest-mhc/td-p/149134
>
> From there we have to control the firewall rules on the Aerohive controller/AP side, based on the subnet or vlan that the device is dropped into. Basically Clearpass does authentication for us, but does not control any type of bandwidth limitations, firewall, etc. This is controlled through the AP Controller, which would be the Cisco controller in your case.
>
> Haven't turned up our guest wireless on Clearpass with the Aerohives, just a basic captive portal so far, but our Clearpass Guest with Aruba APs has the following features all controlled from Clearpass (I assume it would be the same with any wireless system):
>
> * It allows you to give user(s) the right to sponsor a guest via a web page.
> * Guests can also self-register themselves, receiving a login via text message or email
> * You can manually input MAC addresses into Clearpass for devices like Apple TVs.
>
> Clearpass is a bit of a beast to setup, but very customizable; that's the trade off. It runs as a VM, so if you wanted to test it out and had a resource who had some time to learn, you could probably do a PoC to make sure it mates up to Cisco.
>
> Not sure if this is useful, but I can update you when I turn up our Guest network on the Aerohive APs in a few weeks.
>
> Mike Ricci
> Marymount California University
> 310.303.7263
> ____
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman
> Sent: Friday, June 27, 2014 12:49 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Gotcha- thanks for clarification.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
> Sent: Friday, June 27, 2014 2:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> NAC is part of the Netsight Suite. You would have to go with NAC to get the functionality you need. NAC licensing is expensive and it wouldn't be the way to go just for the functionality you seek. If you wanted to embrace NAC then I would say look at them as it is quite good plus has the functionality you need.
>
> John
>
> On Fri, Jun 27, 2014 at 1:33 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> Thanks, John. We're steering away from NAC but will take a look at Netsight.
>
> -Lee
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
> Sent: Friday, June 27, 2014 1:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Thanks, James. Great information.

> On Jun 27, 2014, at 11:58 PM, "James Andrewartha" wrote:
>
> Actually, a little further reading and I can see PacketFence does allow inline enforcement, at which point you have the full power of iptables available to you.
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James Andrewartha [jandrewar...@ccgs.wa.edu.au]
> Sent: Saturday, 28 June 2014 11:49 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Hi Lee,
>
> Although it is a NAC, PacketFence is GPLv2 and comes with a guest module that seems to do everything you want <http://www.packetfence.org/en/about/advanced_features.html#c1491>. And if not, you can code it yourself or engage Inverse to develop it for you.
>
> The only thing from your list that I can't quite see is data rate/session duration and firewall rules. I'm guessing for some of those the architecture would be to set up policies on your wireless controller and have PacketFence send RADIUS attributes to the WLC to assign the user to the appropriate profile. I've only ever briefly looked at ClearPass, but I have a feeling it would be subject to the same limitation.
>
> At work we use NetSight/NAC for guest portals, as well as wireless 802.1x authentication. I also do MAC auth on our switches, and currently it's mostly pass-through authentication for visibility. My goal is to have a way for the AV department, building management etc. to register their equipment MAC addresses combined with a policy to put them in the right VLAN, so I don't have to manually configure the VLAN of switch ports. Maybe one day I'll look at 802.1x on wired too, but the tooling around X.509 will have to improve a lot before I do.
>
> Thanks,
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman [lhbad...@syr.edu]
> Sent: Saturday, 28 June 2014 1:33 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Thanks, John. We're steering away from NAC but will take a look at Netsight.
>
> -Lee
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
> Sent: Friday, June 27, 2014 1:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Lee:
>
> We have that same functionality built-in to the Netsight NAC - by Enterasys now Extreme. I know they sell their NAC to Cisco shops too. Not exactly what you are looking for but if you also want to do something with NAC\BYOD down the road this would be an option. It does everything you mentioned.
>
> John
>
> On Fri, Jun 27, 2014 at 1:11 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> Happy Summer!
>
> We run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:
>
> - Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number
> - Any guest can self-sponsor, but only with 10 digit mobile phone number that gets the password texted to them
> - We control data rate, session durations, firewall rules etc in the Bluesocket for guests
> - When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket
>
> This all works great, and is what is right for us (please don't tell me all the different ways we could do guest access, just not what I'm looking for here). I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that r
Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Good info, thanks Mike. I'd not need RADIUS in my scenario, and I'm guessing Clearpass can't act like DHCP server or NAT box? Just comparing to how we use BlueSocket.

Lee

> On Jun 27, 2014, at 5:32 PM, "Mike Ricci" wrote:
>
> Hi Lee,
>
> We use Clearpass with the Aruba APs but are in the process of setting up another site that has Aerohive APs to integrate captive portal authentication with Clearpass.
>
> So, not Cisco, but I can tell you how it bolts onto another third party wireless:
>
> * We've made clearpass the radius server on the Aerohive "controller".
> * Clearpass actually serves the captive portal which is stored on its disk, mates to directory services, and sends back to the Aerohive controller an ID once the user has auth'd.
> * The Aerohive controller takes the ID and assigns a subnet based on that ID.
>
> Here's the setup for this - I'm sure this is very similar to what you would do with the Cisco controller, specifying an outside radius server:
> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tutorial-Aerohive-Integration-with-Clearpass-corp-and-guest-mhc/td-p/149134
>
> From there we have to control the firewall rules on the Aerohive controller/AP side, based on the subnet or vlan that the device is dropped into. Basically Clearpass does authentication for us, but does not control any type of bandwidth limitations, firewall, etc. This is controlled through the AP Controller, which would be the Cisco controller in your case.
>
> Haven't turned up our guest wireless on Clearpass with the Aerohives, just a basic captive portal so far, but our Clearpass Guest with Aruba APs has the following features all controlled from Clearpass (I assume it would be the same with any wireless system):
>
> * It allows you to give user(s) the right to sponsor a guest via a web page.
> * Guests can also self-register themselves, receiving a login via text message or email
> * You can manually input MAC addresses into Clearpass for devices like Apple TVs.
>
> Clearpass is a bit of a beast to setup, but very customizable; that's the trade off. It runs as a VM, so if you wanted to test it out and had a resource who had some time to learn, you could probably do a PoC to make sure it mates up to Cisco.
>
> Not sure if this is useful, but I can update you when I turn up our Guest network on the Aerohive APs in a few weeks.
>
> Mike Ricci
> Marymount California University
> 310.303.7263
> ____
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman
> Sent: Friday, June 27, 2014 12:49 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Gotcha- thanks for clarification.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
> Sent: Friday, June 27, 2014 2:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> NAC is part of the Netsight Suite. You would have to go with NAC to get the functionality you need. NAC licensing is expensive and it wouldn't be the way to go just for the functionality you seek. If you wanted to embrace NAC then I would say look at them as it is quite good plus has the functionality you need.
>
> John
>
> On Fri, Jun 27, 2014 at 1:33 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> Thanks, John. We're steering away from NAC but will take a look at Netsight.
>
> -Lee
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
> Sent: Friday, June 27, 2014 1:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
>
> Lee:
>
> We have that same functionality built-in to the Netsight NAC - by Enterasys now Extreme. I know they sell their NAC to Cisco shops too. Not exactly what you are looking for but if you also want to do something with NAC\BYOD down the road this would be an option. It does everything you mentioned.
>
> John
>
> On Fri, Jun 27, 2014 at 1:11 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> Happy Summ
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Actually, a little further reading and I can see PacketFence does allow inline enforcement, at which point you have the full power of iptables available to you.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James Andrewartha [jandrewar...@ccgs.wa.edu.au]
Sent: Saturday, 28 June 2014 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Hi Lee,

Although it is a NAC, PacketFence is GPLv2 and comes with a guest module that seems to do everything you want <http://www.packetfence.org/en/about/advanced_features.html#c1491>. And if not, you can code it yourself or engage Inverse to develop it for you.

The only thing from your list that I can't quite see is data rate/session duration and firewall rules. I'm guessing for some of those the architecture would be to set up policies on your wireless controller and have PacketFence send RADIUS attributes to the WLC to assign the user to the appropriate profile. I've only ever briefly looked at ClearPass, but I have a feeling it would be subject to the same limitation.

At work we use NetSight/NAC for guest portals, as well as wireless 802.1x authentication. I also do MAC auth on our switches, and currently it's mostly pass-through authentication for visibility. My goal is to have a way for the AV department, building management etc. to register their equipment MAC addresses combined with a policy to put them in the right VLAN, so I don't have to manually configure the VLAN of switch ports. Maybe one day I'll look at 802.1x on wired too, but the tooling around X.509 will have to improve a lot before I do.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman [lhbad...@syr.edu]
Sent: Saturday, 28 June 2014 1:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Thanks, John. We're steering away from NAC but will take a look at Netsight.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Friday, June 27, 2014 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Lee:

We have that same functionality built-in to the Netsight NAC - by Enterasys now Extreme. I know they sell their NAC to Cisco shops too. Not exactly what you are looking for but if you also want to do something with NAC\BYOD down the road this would be an option. It does everything you mentioned.

John

On Fri, Jun 27, 2014 at 1:11 PM, Lee H Badman <lhbad...@syr.edu> wrote:

Happy Summer!

We run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:

- Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number
- Any guest can self-sponsor, but only with 10 digit mobile phone number that gets the password texted to them
- We control data rate, session durations, firewall rules etc in the Bluesocket for guests
- When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket

This all works great, and is what is right for us (please don't tell me all the different ways we could do guest access, just not what I'm looking for here). I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that replicates all the same functionality from a single appliance that could drop in instead of Bluesocket. Adtran bought Bluesocket, and I don't care for their response, support, or direction.

I'm wondering if anyone on the list uses Aruba's ClearPass solution with Cisco WLAN in the way I'm describing?

Thanks-
Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)

--
John Kaftan
IT Infrastructure Manager
Ut
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Hi Lee,

Although it is a NAC, PacketFence is GPLv2 and comes with a guest module that seems to do everything you want <http://www.packetfence.org/en/about/advanced_features.html#c1491>. And if not, you can code it yourself or engage Inverse to develop it for you.

The only thing from your list that I can't quite see is data rate/session duration and firewall rules. I'm guessing for some of those the architecture would be to set up policies on your wireless controller and have PacketFence send RADIUS attributes to the WLC to assign the user to the appropriate profile. I've only ever briefly looked at ClearPass, but I have a feeling it would be subject to the same limitation.

At work we use NetSight/NAC for guest portals, as well as wireless 802.1x authentication. I also do MAC auth on our switches, and currently it's mostly pass-through authentication for visibility. My goal is to have a way for the AV department, building management etc. to register their equipment MAC addresses combined with a policy to put them in the right VLAN, so I don't have to manually configure the VLAN of switch ports. Maybe one day I'll look at 802.1x on wired too, but the tooling around X.509 will have to improve a lot before I do.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman [lhbad...@syr.edu]
Sent: Saturday, 28 June 2014 1:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Thanks, John. We're steering away from NAC but will take a look at Netsight.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Friday, June 27, 2014 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

Lee:

We have that same functionality built-in to the Netsight NAC - by Enterasys now Extreme. I know they sell their NAC to Cisco shops too. Not exactly what you are looking for but if you also want to do something with NAC\BYOD down the road this would be an option. It does everything you mentioned.

John

On Fri, Jun 27, 2014 at 1:11 PM, Lee H Badman <lhbad...@syr.edu> wrote:

Happy Summer!

We run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:

- Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number
- Any guest can self-sponsor, but only with 10 digit mobile phone number that gets the password texted to them
- We control data rate, session durations, firewall rules etc in the Bluesocket for guests
- When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket

This all works great, and is what is right for us (please don't tell me all the different ways we could do guest access, just not what I'm looking for here). I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that replicates all the same functionality from a single appliance that could drop in instead of Bluesocket. Adtran bought Bluesocket, and I don't care for their response, support, or direction.

I'm wondering if anyone on the list uses Aruba's ClearPass solution with Cisco WLAN in the way I'm describing?

Thanks-
Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)

--
John Kaftan
IT Infrastructure Manager
Utica College
Re: [WIRELESS-LAN] Guest access again: Bradford / Aruba and SMS credentials...
We use ClearPass Guest (we're an all-Aruba shop for wireless) with a self-registration portal. Users enter their name, email address, and SMS-able phone number. The username (email address) and password are sent to both the email address (if they have a smart phone they should be able to access email over cellular data) and the phone number by SMS. Each device is handled separately (although you only have to register once; we let you use the same credentials for multiple devices), and nothing gets online until the user signs in that first time with that device. Once they've signed in the first time, ClearPass does some magic to re-admit them to the network using MAC authentication, so that they do not have to re-enter their credentials (except if they have another device) for 7 days. This is really popular, as it makes things "just work" as people go from building to building, leave and come back the next day, etc.

For the SMS messages, we have an account with BulkSMS.com, which enables SMS to both U.S. and international numbers, as we have a large number of international students and visitors. We buy "credits" that are then used up as text messages are sent (price depends on destination; most cost about 1 credit). This has worked very well; the only problem occurs with those international visitors who choose to turn off SMS rather than pay the roaming rates. The solution we recommend for those people is to just enter their friend's/child's/sponsor's phone number or something, and get the password that way.

This has been working quite well since December 2013 with very, very few people having any trouble at all, and the few that do are usually easily talked through it by the help desk.

I dunno about Bradford integration with ClearPass, but BulkSMS (and the other providers, like Clickatell) use pretty simple RESTful APIs and even provide libraries. If Bradford lets you call out to an external program to send the text message, it would be pretty easy to write a Perl/Python/whatever script to do it...

--Dave

--
DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.cu...@newschool.edu
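As an added example (not code from the thread, ClearPass, or any SMS provider), here is a small Python model of the self-registration flow Dave describes: a 10-digit number receives a texted password tied to the email-address username, the store keeps only a salted hash, and a device that signed in once is re-admitted by MAC until the 7-day expiry. The outbound SMS hook, the per-number daily limit and the password alphabet are assumptions added here.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

# 10-digit mobile number, the format the thread uses for SMS sponsorship.
PHONE_RE = re.compile(r"^[0-9]{10}$")
# Credentials and the MAC re-admission window both last 7 days, as in the ClearPass setup above.
CREDENTIAL_LIFETIME_S = 7 * 24 * 3600
# Assumed abuse limit on registrations per phone number per day (not from the thread).
MAX_REGISTRATIONS_PER_DAY = 3
# Alphabet without look-alike characters (0/O, 1/I) so a code read from a text is typed correctly.
PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LENGTH = 8
PBKDF2_ROUNDS = 100_000


@dataclass
class GuestAccount:
    username: str                 # the guest's email address, lower-cased
    salt: bytes
    password_hash: bytes          # PBKDF2-HMAC-SHA256 of the texted password
    expires_at: float             # epoch seconds
    devices: set = field(default_factory=set)   # MACs that completed a portal login


class GuestRegistry:
    """In-memory model of the self-registration portal's account store.

    send_sms(phone, text) is the outbound SMS hook; a real gateway call
    (BulkSMS, Clickatell, ...) would go there.  now() is injectable for testing.
    """

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms
        self.now = now
        self.accounts = {}        # username -> GuestAccount
        self.issued = {}          # phone -> [issue timestamps]

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, name, email, phone):
        """Create (or replace) the guest account and text the password to the phone.

        Returns the clear-text password once, for delivery only; the store keeps
        only the salted hash.
        """
        if not PHONE_RE.match(phone):
            raise ValueError("phone number must be exactly 10 digits")
        now = self.now()
        recent = [t for t in self.issued.get(phone, []) if now - t < 24 * 3600]
        if len(recent) >= MAX_REGISTRATIONS_PER_DAY:
            raise PermissionError("too many registrations for this phone number today")
        self.issued[phone] = recent + [now]

        password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))
        salt = secrets.token_bytes(16)
        username = email.strip().lower()
        self.accounts[username] = GuestAccount(
            username=username,
            salt=salt,
            password_hash=self._hash(password, salt),
            expires_at=now + CREDENTIAL_LIFETIME_S,
        )
        self.send_sms(phone, f"{name}, your guest Wi-Fi login is {username} / password {password}")
        return password

    def portal_login(self, username, password, mac):
        """First sign-in from a device: verify the credentials and remember the MAC."""
        account = self.accounts.get(username.strip().lower())
        if account is None or self.now() > account.expires_at:
            return False
        candidate = self._hash(password, account.salt)
        if not hmac.compare_digest(candidate, account.password_hash):
            return False
        account.devices.add(mac.lower())
        return True

    def mac_readmit(self, mac):
        """MAC re-admission: a device that already signed in gets back on without
        the portal until the account expires."""
        mac = mac.lower()
        return any(
            mac in acct.devices and self.now() <= acct.expires_at
            for acct in self.accounts.values()
        )
```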
Guest access again: Bradford / Aruba and SMS credentials...
I started to hijack the "ClearPass / Cisco" guest thread but thought I'd be polite and start another thread...

We are under pressure to "ease" our guest access policies, as has been discussed here before. We are a Bradford shop (Network Sentry / Campus Manager) and they have guest access support... and more recent releases even allow guest "self-registration" which sends out emails to a defined list of allowed sponsors / approvers, and if granted, they can email or SMS text credentials to the user. Email is rather a "non-starter" if the guest doesn't already have network access, so we would prefer an SMS option.

Unfortunately, Bradford has no "direct" SMS support. They allow you to register a guest with a cell phone number *and* a provider, and they have a database of the various provider/carrier SMS text gateways and the address formats to use to reach the user. This seems "kludgy" at best. And there is still the "approval" delay (and we would consider a valid cell number "adequate" identification for limited guest access).

We've explored the default Aruba portal, but it just collects an email address (unverified) and just lets them online. And the Aruba "guest" SSID cannot be controlled by Bradford, so we lose the quarantine capability for any problem cases that may arise, so we would prefer something that will integrate into our existing Bradford-managed SSIDs.

What are other folks doing for the "guest with SMS credentials" option? Bonus points if there's some Bradford integration :)

Jeff
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Hi Lee,

We use Clearpass with the Aruba APs but are in the process of setting up another site that has Aerohive APs to integrate captive portal authentication with Clearpass. So, not Cisco, but I can tell you how it bolts onto another third-party wireless system:

* We've made Clearpass the RADIUS server on the Aerohive "controller".
* Clearpass actually serves the captive portal, which is stored on its disk, mates to directory services, and sends back to the Aerohive controller an ID once the user has auth'd.
* The Aerohive controller takes the ID and assigns a subnet based on that ID.

Here's the setup for this - I'm sure this is very similar to what you would do with the Cisco controller, specifying an outside RADIUS server: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tutorial-Aerohive-Integration-with-Clearpass-corp-and-guest-mhc/td-p/149134

From there we have to control the firewall rules on the Aerohive controller/AP side, based on the subnet or VLAN that the device is dropped into. Basically Clearpass does authentication for us, but does not control any type of bandwidth limitations, firewall, etc. This is controlled through the AP controller, which would be the Cisco controller in your case.

We haven't turned up our guest wireless on Clearpass with the Aerohives, just a basic captive portal so far, but our Clearpass Guest with Aruba APs has the following features, all controlled from Clearpass (I assume it would be the same with any wireless system):

* It allows you to give user(s) the right to sponsor a guest via a web page.
* Guests can also self-register, receiving a login via text message or email.
* You can manually input MAC addresses into Clearpass for devices like Apple TVs.

Clearpass is a bit of a beast to set up, but very customizable; that's the trade-off. It runs as a VM, so if you wanted to test it out and had a resource who had some time to learn, you could probably do a PoC to make sure it mates up to Cisco.

Not sure if this is useful, but I can update you when I turn up our guest network on the Aerohive APs in a few weeks.

Mike Ricci
Marymount California University
310.303.7263
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Gotcha - thanks for the clarification.
Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
NAC is part of the Netsight Suite. You would have to go with NAC to get the functionality you need. NAC licensing is expensive and it wouldn't be the way to go just for the functionality you seek. If you wanted to embrace NAC then I would say look at them, as it is quite good plus has the functionality you need.

John

--
John Kaftan
IT Infrastructure Manager
Utica College
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Thanks Philippe. I love Xpressconnect, but ES is married to TLS, and we're not there yet.
Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Clearpass or Xpressconnect ES
RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Thanks, John. We're steering away from NAC but will take a look at Netsight.

-Lee
Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Lee:

We have that same functionality built in to the Netsight NAC - by Enterasys, now Extreme. I know they sell their NAC to Cisco shops too. Not exactly what you are looking for, but if you also want to do something with NAC\BYOD down the road this would be an option. It does everything you mentioned.

John

--
John Kaftan
IT Infrastructure Manager
Utica College
Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access
Happy Summer!

We run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:

- Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number
- Any guest can self-sponsor, but only with a 10-digit mobile phone number that gets the password texted to them
- We control data rate, session durations, firewall rules etc. in the Bluesocket for guests
- When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket

This all works great, and is what is right for us (please don't tell me all the different ways we could do guest access, just not what I'm looking for here). I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that replicates all the same functionality from a single appliance that could drop in instead of Bluesocket. Adtran bought Bluesocket, and I don't care for their response, support, or direction.

I'm wondering if anyone on the list uses Aruba's ClearPass solution with Cisco WLAN in the way I'm describing?

Thanks-

Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)
RE: [WIRELESS-LAN] open guest access?
Here at Rice, since we began offering campus-wide Wi-Fi, we have had a "Visitor" SSID that uses a captive web portal that displays our Acceptable Use Policy and an accept button. The goal 10 years ago was to make it as easy as Wi-Fi at a hotel, etc. This visitor SSID maps to a Visitor VRF, and is restricted in that it cannot use on-campus resources (except DNS and DHCP) - we treat it as if you're connecting via AT&T, Comcast, TWC, etc., among other restrictions. In the event we have someone do something wrong, we black hole that MAC address - if we cannot identify them some other way.
open guest access?
Hello, I'm just wondering what people are doing in terms of guest access authentication. We are currently doing web-portal auth with guest accounts, but with the advent of free wifi all over the place, I'm wondering why we are forcing our guests to authenticate if we are only offering "internet" services to them? Obviously, authentication is great for tracking down users during incidents, but I'm wondering what the legal obligation is, particularly for those of us in Canada? Why can Tim Horton's do it, but not us? Any info/advice is appreciated.

Thanks
Matt Ashfield
NBCC
RE: Social media "credentials" for guest access?
My thoughts (not speaking for my employer) are right along the same lines. The analytics are nice, but if they’re of interest to departments or colleges, the same data can likely be gleaned from the university’s own records. On the other hand, in public venues (sports arenas, outreach events, college expos, campus tours) it might still be worthwhile. -- Toivo Voll Network Engineer Information Technology Communications University of South Florida From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Tuesday, December 10, 2013 2:59 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Social media "credentials" for guest access? Hello to the Group- Among WLAN vendors and portal provider, the usage of social media login as an acceptable guest network sign-in mechanism is getting more common. I get the appeal for retail/hospitality WLANs that ultimately will Target marketing at you based on these credentials, but I’m not digging it myself for use in higher ed because of the “anyone can come up with a BS social media sign-in” factor. At the same time, to dismiss any system that uses social media means narrowing down your choices for guest access when you’re shopping, and so I wonder… Are any schools using guest access that is based on social media login? How’s it working out for you, and have you ever regretted the choice? Thanks- Lee Badman ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Social media "credentials" for guest access?
Lee, We're on the same wavelength--I can see the allure for commercial applications. Higher ed uses will lean more toward attribution. We tried Facebook authentication for about 20 seconds before coming to the conclusion that our target population would be overly skeptical about what we might do with the data. We're currently authenticating guests via SMS.

Rand

Rand P. Hall
Director, Network Services
askIT! Merrimack College
978-837-3532
rand.h...@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein

On Tue, Dec 10, 2013 at 2:59 PM, Lee H Badman wrote:
> Hello to the Group-
>
> Among WLAN vendors and portal provider, the usage of social media login as an acceptable guest network sign-in mechanism is getting more common. I get the appeal for retail/hospitality WLANs that ultimately will Target marketing at you based on these credentials, but I’m not digging it myself for use in higher ed because of the “anyone can come up with a BS social media sign-in” factor. At the same time, to dismiss any system that uses social media means narrowing down your choices for guest access when you’re shopping, and so I wonder…
>
> Are any schools using guest access that is based on social media login? How’s it working out for you, and have you ever regretted the choice?
>
> Thanks-
>
> Lee Badman
Social media "credentials" for guest access?
Hello to the Group- Among WLAN vendors and portal provider, the usage of social media login as an acceptable guest network sign-in mechanism is getting more common. I get the appeal for retail/hospitality WLANs that ultimately will Target marketing at you based on these credentials, but I'm not digging it myself for use in higher ed because of the "anyone can come up with a BS social media sign-in" factor. At the same time, to dismiss any system that uses social media means narrowing down your choices for guest access when you're shopping, and so I wonder... Are any schools using guest access that is based on social media login? How's it working out for you, and have you ever regretted the choice?

Thanks-
Lee Badman
RE: [WIRELESS-LAN] wireless guest access
It is great to hear what everyone is doing, it's a great confirmation of what we too are doing. We have a website that allows anyone to create an account. It works by sending the user a website to visit after filling out some preliminary information and has at least a little verification in that the e-mail address is at least checked. In conjunction with this we have a sponsored account. We try to use this the most. It allows a department to create accounts for their guests and or allows the guest to make their own accounts on behalf of the department they are working for. All of these accounts are in our LDAP and RADIUS servers. Cheers, -Original Message- From: Jonn Martell [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 2:23 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Re: [WIRELESS-LAN] wireless guest access What we did at UBC, was to allow any faculty and staff to "sponsor" guests. Much like a faculty member can grant a visiting faculty member the use of their office, meeting room etc. we felt it sense to allow them to do this for network access. The Faculty/Staff is effectively responsible to properly identify the user by providing all the details and ultimately, the sponsors are responsible since they granted them access. Since I left IT last year, I won't comment on things that aren't public. For non-affiliated commercial users, the two options available was to create a commercial/hotspot service to validate users based on billing information or just partner with a commercial Hotspot provider. Last summer, the decision was made to partner with a private sector operator for a one year pilot/trial. So UBC students, staff and faculty have free roaming to Fatport locations in exchange for Fatport selling commercial services on campus via a dedicated SSID/BSSID which they are responsible for on the AUP side of things. Not a bad approach if you have the size to attract the commercial provider(s). 
I can't provide any information except what is in the public domain; please refer to the URLs below for more specific info and contact information. http://www.it.ubc.ca/internet/wireless/fatport.html http://fatport.com/aboutus/press_releases/press58.php It should be interesting to see if the trial agreement turns into a long term one. . Jonn Martell, PMP, CWNE, CWNT Martell Consulting, www.martell.ca [EMAIL PROTECTED] Tech instructor - UBC [EMAIL PROTECTED] On 2/26/07, Landau, Gary <[EMAIL PROTECTED]> wrote: > > At LMU we have a guest/visitor account that a faculty/staff member can > request the password to and we change the password periodically. This is > akin to what Ken Connell indicated they're doing at Ryerson Univ. > > Our library also provides paid admittance to the Library for people in the > community and they give out the password when that is done. This was > initially a concern, but we learned that libraries are exempt from CALEA. > > -Gary > > Gary Landau, CISSP, CCNP > Director | Network Services > - > Loyola Marymount University > Information Technology > One LMU Drive | Los Angeles, CA 90045 > p.310.338.4434 f.310.338.2326 > [EMAIL PROTECTED] | http://its.lmu.edu > - > LMU|LA IT: We Deliver! > > > > From: Scholz, Greg [mailto:[EMAIL PROTECTED] > Sent: Monday, February 26, 2007 10:16 AM > > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] wireless guest access > > > > > Very timely. I am about to launch a project called "public port security and > guest access" that will attempt to define exactly this. I would like to hear > all other responses as well. (I suggest if you are considering Wireless > guests, you should be considering wired as well) > > * Currently we have NO guest access on wireless. > > * We recently changed all our "public lab" computers to use AD > authentication (e.g. 
no more public/guest access) > > * We use CCA in reshalls and enable the guest button JUST FOR THE > SUMMER (for all the conferences/camps we have during that time) so > effectively no guest access except for summer > > * The ONLY real guest access we have right now is any network port in > a publicly accessible location can be used by anyone without any type of > check. (These are the "public ports" referred to in my project title above). > INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their > own. > > * We will attempt to balance the tremendous desire for wireless & > wired guest access, CALEA, security and manageability. > > > > I am thinking we may wind up w
RE: [WIRELESS-LAN] Re: [WIRELESS-LAN] wireless guest access
It is great to hear what everyone is doing, it's a great confirmation of what we too are doing. We have a website that allows anyone to create an account. It works by sending the user a website to visit after filling out some preliminary information and has at least a little verification in that the e-mail address is at least checked. In conjunction with this we have a sponsored account. We try to use this the most. It allows a department to create accounts for their guests and or allows the guest to make their own accounts on behalf of the department they are working for. All of these accounts are in our LDAP and RADIUS servers. Cheers, -Original Message- From: Cal Frye [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 5:23 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Re: [WIRELESS-LAN] wireless guest access Lee Badman wrote: > Anybody rethinking any of their sponsored guest/open access policies > because of CALEA concerns? Bingo. We are just beginning to roll out a means of provisioning sponsored accounts. Basically, a student, faculty, or staff member will be able to create N number of guest accounts with a duration of X days, limited rights granted to the network. It's expected that maximum values of N and X will vary with the role of the creator. Sponsored accounts will have a standard prefix to avoid collision with existing usernames, and passwords will be generated at account creation. These sponsored accounts will then in turn be permitted to authenticate to the network via Cisco NAC. All wired and wireless communications will pass through Cisco NAC, so we'll catch everybody. This will replace the built-in guest access provisions of Cisco NAC. We're doing this as a part of a self-service password reset application we were already considering -- that's the carrot to go along with the stick. 
--
Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com
"In American work places, bosses routinely snoop into personal e-mails and monitor our web-surfing practices. How did it come about that so many Americans have grown to accept such demeaning intrusions into our privacy?" -- Phil Rockstroh.
Re: [WIRELESS-LAN] wireless guest access
Lee Badman wrote:
> Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Bingo. We are just beginning to roll out a means of provisioning sponsored accounts. Basically, a student, faculty, or staff member will be able to create N number of guest accounts with a duration of X days, limited rights granted to the network. It's expected that maximum values of N and X will vary with the role of the creator. Sponsored accounts will have a standard prefix to avoid collision with existing usernames, and passwords will be generated at account creation. These sponsored accounts will then in turn be permitted to authenticate to the network via Cisco NAC. All wired and wireless communications will pass through Cisco NAC, so we'll catch everybody. This will replace the built-in guest access provisions of Cisco NAC. We're doing this as a part of a self-service password reset application we were already considering -- that's the carrot to go along with the stick.

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com
"In American work places, bosses routinely snoop into personal e-mails and monitor our web-surfing practices. How did it come about that so many Americans have grown to accept such demeaning intrusions into our privacy?" -- Phil Rockstroh.
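The provisioning scheme Cal outlines (each sponsor may create up to N accounts lasting up to X days, with N and X depending on the sponsor's role, a fixed username prefix so guest accounts can never collide with real ones, and passwords generated at creation) written out in Python, as an added example that is not part of the original post or of Oberlin's system. The `guest-` prefix, the per-role ceilings in `ROLE_LIMITS`, the sponsor names and the `DEMO_NOW` clock are constructed assumptions; the check refusing a guest account as a sponsor is an added safeguard the post does not mention.

```python
"""Sponsored guest-account provisioning in the shape the post describes:
a sponsor creates up to N accounts lasting up to X days, usernames carry a
fixed prefix so they cannot collide with real usernames, and passwords are
generated at creation.  Added illustration; the prefix, the per-role
ceilings and the sponsor names are assumptions, not Oberlin's values."""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

GUEST_PREFIX = "guest-"   # assumed; real directory accounts never start with this

# Assumed per-role ceilings: (max accounts N, max duration X in days).
ROLE_LIMITS = {
    "student": (2, 3),
    "staff": (10, 14),
    "faculty": (25, 31),
}

PASSWORD_ALPHABET = string.ascii_letters + string.digits
DEMO_NOW = datetime(2007, 2, 26, 12, 0)   # constructed clock for the demo


class ProvisionError(ValueError):
    """Raised when a request exceeds the sponsor's role limits."""


@dataclass(frozen=True)
class GuestAccount:
    username: str
    password: str      # shown to the sponsor once; the directory stores only a hash
    sponsor: str
    expires: datetime


def generate_password(length: int = 12) -> str:
    """CSPRNG-backed password, generated at creation as the post describes."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def provision(sponsor: str, role: str, count: int, days: int,
              now: datetime, existing: set[str]) -> list[GuestAccount]:
    """Create `count` guest accounts valid for `days` days on behalf of `sponsor`.

    Enforces the role's N and X ceilings, refuses a sponsor whose own name
    carries the guest prefix (an added check: guests must not chain-sponsor),
    and guarantees uniqueness against the usernames already in the directory.
    """
    if role not in ROLE_LIMITS:
        raise ProvisionError(f"unknown role {role!r}")
    max_n, max_x = ROLE_LIMITS[role]
    if not 1 <= count <= max_n:
        raise ProvisionError(f"{role} may create at most {max_n} accounts")
    if not 1 <= days <= max_x:
        raise ProvisionError(f"{role} accounts last at most {max_x} days")
    if sponsor.startswith(GUEST_PREFIX):
        raise ProvisionError("guest accounts cannot sponsor guests")

    taken = set(existing)
    accounts: list[GuestAccount] = []
    for _ in range(count):
        while True:                      # retry until an unused name is drawn
            username = GUEST_PREFIX + secrets.token_hex(3)
            if username not in taken:
                break
        taken.add(username)
        accounts.append(GuestAccount(username, generate_password(), sponsor,
                                     now + timedelta(days=days)))
    return accounts


def is_active(account: GuestAccount, now: datetime) -> bool:
    """An account may authenticate only until its expiry instant."""
    return now < account.expires


def rejected(sponsor: str, role: str, count: int, days: int) -> bool:
    """True if the request is refused (demonstrates the limit checks)."""
    try:
        provision(sponsor, role, count, days, DEMO_NOW, set())
    except ProvisionError:
        return True
    return False


if __name__ == "__main__":
    for acct in provision("jsmith", "staff", 3, 7, DEMO_NOW, {"jsmith"}):
        print(acct.username, acct.expires.date())
```

The expiry instant is stored with the account rather than recomputed from a duration, so the RADIUS/NAC side needs only a single comparison against the current time; the `existing` set stands in for a lookup against the real directory.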
RE: RE: [WIRELESS-LAN] wireless guest access
I am not aware of the "piggy-back" compliance concept in the CALEA regulations. The lack of CALEA compliant devices does not excuse an organization that needs to be CALEA-compliant from becoming so. Most service providers are becoming compliant by either buying the appropriate probes or establishing a relation with a trusted third-party who does so on their behalf. All educational institutions should have discussed questions surrounding CALEA with their legal counsel prior to the February 12 filing date, even if they believe it doesn't apply to their school.

Regards,
Frank

-Original Message-
From: Casey, J Bart [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 2:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: [WIRELESS-LAN] wireless guest access

As for the CALEA issue, we have spent a fair amount of time discussing CALEA and its implications internally and with our 2 ISPs and have come to the conclusion that even though we provide anonymous access, we are exempt for the following reasons:
1) Both of our ISPs are CALEA compliant. So, we "piggy-back" off of their compliance.
2) There are no CALEA compliant devices available to our organization at this point in time.

I hope that helps.

J. Bart Casey
Network Engineer
Wofford College

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus? Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-
Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- -- Kevin Lanning lanning at unc.edu
RE: [WIRELESS-LAN] wireless guest access
Kevin and Lee,

We are providing Guest access via a beaconed SSID on our Cisco Aironet 1230s. When a user connects to that SSID, they are placed into a VLAN for one of our DMZs and are assigned IP addressing and DNS information by a Linux Box running a Captive Portal Package (NoCat Auth). We limit the DHCP scope to 126 devices as we don't have many guests connecting to our "guest wireless network".

When users connect they are required to click-to-accept an AUP before being provided access to the internet. Their connectivity is valid for a period of 24 hours or 5 minutes of inactivity (these are adjustable); whichever comes first. At the point of expiration, the user is required to re-accept the AUP before continuing. All of their information is logged to include assigned IP address, system name, and MAC-Address.

All of the bandwidth is rate-shaped to 256Kbps Up/Down via 2 CBQ configuration files (one for ingress and one for egress). Since this software is iptables based, we are also able to limit the type of traffic that is allowed for these guests. We allow http, https, pop3, imap, telnet, and SSH. Everything else is explicitly denied including SMTP as we don't want to provide the ability to spam from our network. This system has no access to our internal network at all which helps keep our internal systems and traffic secure in relation to the Guest Network.

We provide "authorized wireless access" through a non-beaconed SSID on the same access point and a different VLAN. We also use PEAP on the "authorized wireless network" which helps keep the two methods of access further separated. Yes, I'm aware there are better methods for securing our "authorized wireless network" but due to the dynamic nature of our "authorized clients" and political boundaries, we have opted for a path with minimal resistance.
As for the CALEA issue, we have spent a fair amount of time discussing CALEA and its implications internally and with our 2 ISPs and have come to the conclusion that even though we provide anonymous access, we are exempt for the following reasons:
1) Both of our ISPs are CALEA compliant. So, we "piggy-back" off of their compliance.
2) There are no CALEA compliant devices available to our organization at this point in time.

As a side note, the Captive Portal box is also configured to provide guest access to the wired network which will be of great use as we convert the campus to support 802.1x for wired connections. Through this method, guests have the option to log in using RADIUS credentials and gain access to the secure certificates and configuration instructions or connect as a guest using the same method listed above with the wireless guest access. We provide a larger DHCP scope for our wired users (1022) since more people connect to the wired network. Since RADIUS is clear text and I haven't found a package that supports TACACS authentication yet we don't provide this option to wireless users.

I hope that helps.

J. Bart Casey
Network Engineer
Wofford College

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus? Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-
Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- -- Kevin Lanning lanning at unc.edu
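The guest-side controls Bart describes (a short TCP allowlist with SMTP explicitly denied, no reach into the internal network, per-client logging of IP, hostname and MAC, and sessions that end after 24 hours or 5 minutes of inactivity, whichever comes first) modelled in Python as an added example. This is not NoCat Auth's code or Wofford's configuration: the RFC 1918 ranges standing in for the internal network, the `GUEST_FWD` chain name and the sample addresses and timeline are constructed assumptions. The iptables rules are rendered as text, in the same order as the Python decision function, so the two can be checked against each other rather than executed here.

```python
"""Guest-network egress policy and session expiry modelled on the NoCat
captive-portal setup the post describes.  Added illustration, not NoCat
Auth's code: the RFC 1918 ranges standing in for the internal network, the
chain name and the sample addresses are constructed assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# TCP services the post allows out of the guest DMZ; SMTP (25) is absent on purpose.
ALLOWED_TCP_PORTS = {22: "ssh", 23: "telnet", 80: "http", 110: "pop3",
                     143: "imap", 443: "https"}

# Assumption: the campus internal network is the RFC 1918 space, which the
# guest segment must never reach.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MAX_SESSION = timedelta(hours=24)    # re-accept the AUP after this
IDLE_TIMEOUT = timedelta(minutes=5)  # or after this much inactivity


def classify_flow(proto: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Return (verdict, reason) for one guest egress flow, most specific rule first."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in INTERNAL_NETS):
        return "deny", "internal destination"
    if proto != "tcp":
        return "deny", "non-tcp"   # DNS and DHCP are served by the portal box itself
    if dst_port == 25:
        return "deny", "smtp blocked to prevent spam"
    if dst_port in ALLOWED_TCP_PORTS:
        return "allow", ALLOWED_TCP_PORTS[dst_port]
    return "deny", "default deny"


def render_iptables(chain: str = "GUEST_FWD") -> list[str]:
    """Render the same policy as iptables commands (text only; nothing is run).

    Rule order mirrors classify_flow so the two can be compared line by line.
    """
    rules = [f"iptables -N {chain}"]
    for net in INTERNAL_NETS:
        rules.append(f"iptables -A {chain} -d {net} -j DROP")
    rules.append(f"iptables -A {chain} -p tcp --dport 25 -j REJECT")
    for port in sorted(ALLOWED_TCP_PORTS):
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j ACCEPT")
    rules.append(f"iptables -A {chain} -j LOG --log-prefix 'guest-deny '")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


@dataclass
class GuestSession:
    """One AUP acceptance; the identity fields are what the post says is logged."""
    mac: str
    ip: str
    hostname: str
    accepted_aup_at: datetime
    last_seen: datetime | None = None

    def __post_init__(self) -> None:
        if self.last_seen is None:
            self.last_seen = self.accepted_aup_at

    def touch(self, now: datetime) -> None:
        """Record client activity (a packet seen from this MAC)."""
        self.last_seen = now

    def expired(self, now: datetime) -> bool:
        """24 h absolute or 5 min idle, whichever comes first."""
        return (now - self.accepted_aup_at >= MAX_SESSION
                or now - self.last_seen >= IDLE_TIMEOUT)


def session_demo() -> dict[str, bool]:
    """Constructed timeline exercising both expiry conditions."""
    t0 = datetime(2007, 2, 26, 12, 0)
    s = GuestSession("00:11:22:33:44:55", "198.51.100.23", "guest-laptop", t0)
    out = {}
    out["fresh"] = s.expired(t0 + timedelta(minutes=4))               # False
    s.touch(t0 + timedelta(minutes=4))
    out["active_after_touch"] = s.expired(t0 + timedelta(minutes=8))  # False: idle 4 min
    out["idle_timeout"] = s.expired(t0 + timedelta(minutes=10))       # True: idle 6 min
    s.touch(t0 + timedelta(hours=23, minutes=59))
    out["absolute_cap"] = s.expired(t0 + timedelta(hours=24))         # True: age 24 h
    return out


if __name__ == "__main__":
    print("\n".join(render_iptables()))
    print(session_demo())
```

Keeping the internal-network deny ahead of the port allowlist matters: an allowed port such as 443 must still be unreachable on an internal host, and the rendered rule order preserves that. The final `LOG` before the catch-all `DROP` gives the per-client evidence the post relies on when it later has to black-hole a MAC address.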
RE: [WIRELESS-LAN] wireless guest access
Are libraries really exempt from CALEA? "It depends", is probably a better answer. See http://www.merit.edu/events/mjts/meetings/pdf/Abshere_MJTS.pdf for some details, and review www.educause.edu/calea for more info. The main concern is the extent of public access. It seems that if such usage is incidental and minor that it shouldn't require the institution to be CALEA-compliant, but having an open SSID on a campus-wide wireless network might swing things the other way. Frank _ From: Landau, Gary [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 12:32 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] wireless guest access At LMU we have a guest/visitor account that a faculty/staff member can request the password to and we change the password periodically. This is akin to what Ken Connell indicated they're doing at Ryerson Univ. Our library also provides paid admittance to the Library for people in the community and they give out the password when that is done. This was initially a concern, but we learned that libraries are exempt from CALEA. -Gary Gary Landau, CISSP, CCNP Director | Network Services - Loyola Marymount University Information Technology One LMU Drive | Los Angeles, CA 90045 p.310.338.4434 f.310.338.2326 [EMAIL PROTECTED] | http://its.lmu.edu - LMU|LA IT: We Deliver! _ From: Scholz, Greg [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 10:16 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] wireless guest access Very timely. I am about to launch a project called "public port security and guest access" that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering Wireless guests, you should be considering wired as well) * Currently we have NO guest access on wireless. * We recently changed all our "public lab" computers to use AD authentication (e.g. 
no more public/guest access) * We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time) so effectively no guest access except for summer * The ONLY real guest access we have right now is any network port in a publicly accessible location can be used by anyone without any type of check. (These are the "public ports" referred to in my project title above). INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own. * We will attempt to balance the tremendous desire for wireless & wired guest access, CALEA, security and manageability. I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc) based on recognition of user, computer, or both and then computer health for non-campus managed computers. _ Thank you, Gregory R. Scholz Director of Telecommunications Information Technology Group Keene State College (603)358-2070 --Lead, follow, or get out of the way. (author unknown) -Original Message- From: Lee Badman [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 1:04 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] wireless guest access Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus? Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns? Regards- Lee Badman Network/Wireless Engineer Syracuse University 315 443-3003 >>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>> Wondering what academic institutions are doing these days regarding wireless access for guests? -- -- Kevin Lanning lanning at unc.edu ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
Re: [WIRELESS-LAN] wireless guest access
All, The FWNA (Federated Wireless Network Auth) working group from Internet2 is putting together a "visitor access" survey. It should be up in less than 2 weeks, the final results will be presented at the April Member Meeting (Arlington, VA) and results will be online as well. This is a pretty extensive survey (Sponsoring, Calea, 802.1x, ...) So hold your breath and save us some energy please ;-) We will send the link to the survey to this list.

Thanks,
Philippe Hanset
University of TN

On Mon, 26 Feb 2007, Kevin Lanning wrote:
> Wondering what academic institutions are doing these days regarding wireless access for guests?
> -- -- Kevin Lanning lanning at unc.edu
Re: [WIRELESS-LAN] wireless guest access
What we did at UBC, was to allow any faculty and staff to "sponsor" guests. Much like a faculty member can grant a visiting faculty member the use of their office, meeting room etc. we felt it made sense to allow them to do this for network access. The Faculty/Staff is effectively responsible to properly identify the user by providing all the details and ultimately, the sponsors are responsible since they granted them access.

Since I left IT last year, I won't comment on things that aren't public. For non-affiliated commercial users, the two options available were to create a commercial/hotspot service to validate users based on billing information or just partner with a commercial Hotspot provider. Last summer, the decision was made to partner with a private sector operator for a one year pilot/trial. So UBC students, staff and faculty have free roaming to Fatport locations in exchange for Fatport selling commercial services on campus via a dedicated SSID/BSSID which they are responsible for on the AUP side of things. Not a bad approach if you have the size to attract the commercial provider(s).

I can't provide any information except what is in the public domain; please refer to the URLs below for more specific info and contact information.
http://www.it.ubc.ca/internet/wireless/fatport.html
http://fatport.com/aboutus/press_releases/press58.php

It should be interesting to see if the trial agreement turns into a long term one.

.. Jonn Martell, PMP, CWNE, CWNT
Martell Consulting, www.martell.ca [EMAIL PROTECTED]
Tech instructor - UBC [EMAIL PROTECTED]

On 2/26/07, Landau, Gary <[EMAIL PROTECTED]> wrote:
At LMU we have a guest/visitor account that a faculty/staff member can request the password to and we change the password periodically. This is akin to what Ken Connell indicated they're doing at Ryerson Univ. Our library also provides paid admittance to the Library for people in the community and they give out the password when that is done.
This was initially a concern, but we learned that libraries are exempt from CALEA. -Gary Gary Landau, CISSP, CCNP Director | Network Services - Loyola Marymount University Information Technology One LMU Drive | Los Angeles, CA 90045 p.310.338.4434 f.310.338.2326 [EMAIL PROTECTED] | http://its.lmu.edu - LMU|LA IT: We Deliver! From: Scholz, Greg [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 10:16 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] wireless guest access Very timely. I am about to launch a project called "public port security and guest access" that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering Wireless guests, you should be considering wired as well) · Currently we have NO guest access on wireless. · We recently changed all our "public lab" computers to use AD authentication (e.g. no more public/guest access) · We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time) so effectively no guest access except for summer · The ONLY real guest access we have right now is any network port in a publicly accessible location can be used by anyone without any type of check. (These are the "public ports" referred to in my project title above). INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own. · We will attempt to balance the tremendous desire for wireless & wired guest access, CALEA, security and manageability. I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc) based on recognition of user, computer, or both and then computer health for non-campus managed computers. _ Thank you, Gregory R. Scholz Director of Telecommunications Information Technology Group Keene State College (603)358-2070 --Lead, follow, or get out of the way. 
(author unknown) -Original Message- From: Lee Badman [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 1:04 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] wireless guest access Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus? Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns? Regards- Lee Badman Network/Wireless Engineer Syracuse University 315 443-3003 >>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>> Wondering what academic institutions are doing these days regarding wireless access for guests? -- --
Re: [WIRELESS-LAN] wireless guest access
Thus spake Kevin Lanning ([EMAIL PROTECTED]) on Mon, Feb 26, 2007 at 12:46:48PM -0500:
> Wondering what academic institutions are doing these days regarding wireless access for guests?

In general, a person not affiliated with the institution may not use our network. However, anyone on payroll (including students) can authorize individual guest access by generating a temporary ID that will only allow access through a captive portal.

http://www.doit.wisc.edu/security/policies/guest_NetID.asp
http://www.doit.wisc.edu/services/guestid/index.asp

The id can last from 1-31 days. If they need access for longer, there is a more formal affiliation procedure used (that can also optionally allow access to other systems). One nice thing I like about our system is that it can generate many id's at once which is crucial for conferences.

Dale
--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder
RE: [WIRELESS-LAN] wireless guest access
At LMU we have a guest/visitor account that a faculty/staff member can request the password to, and we change the password periodically. This is akin to what Ken Connell indicated they're doing at Ryerson Univ.

Our library also provides paid admittance to the Library for people in the community, and they give out the password when that is done. This was initially a concern, but we learned that libraries are exempt from CALEA.

-Gary

Gary Landau, CISSP, CCNP
Director | Network Services - Loyola Marymount University Information Technology
One LMU Drive | Los Angeles, CA 90045
p.310.338.4434 f.310.338.2326
[EMAIL PROTECTED] | http://its.lmu.edu - LMU|LA IT: We Deliver!
RE: [WIRELESS-LAN] wireless guest access
Very timely. I am about to launch a project called "public port security and guest access" that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering wireless guests, you should be considering wired as well.)

* Currently we have NO guest access on wireless.
* We recently changed all our "public lab" computers to use AD authentication (e.g. no more public/guest access).
* We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time), so effectively no guest access except for summer.
* The ONLY real guest access we have right now is that any network port in a publicly accessible location can be used by anyone without any type of check. (These are the "public ports" referred to in my project title above.) INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own.
* We will attempt to balance the tremendous desire for wireless & wired guest access, CALEA, security and manageability.

I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc.) based on recognition of user, computer, or both, and then computer health for non-campus managed computers.

Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--Lead, follow, or get out of the way. (author unknown)
Re: [WIRELESS-LAN] wireless guest access
We have a GUEST SSID with WEP and captive portal. There is a daily username/password any faculty/staff member can get for the day, or accounts can be made for guests who need access for longer periods. So far that's worked for us...

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709
Re: [WIRELESS-LAN] wireless guest access
Would like to expand out Kevin's question: what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003
wireless guest access
Wondering what academic institutions are doing these days regarding wireless access for guests?

--
Kevin Lanning
lanning at unc.edu
RE: [WIRELESS-LAN] Cisco LWAPP Lobby Ambassador/Guest Access
We run Clean Access behind LWAPP. We do not require the guest to use the Clean Access Agent. They have a 2 hour connection time before they have to login again. Guest users only get http (80), https (443), DNS (53) and what ports are needed for VPN. We have found that there are some guests who do not have the privileges to update Windows. We do cut off guest access for the first 2 weeks of school so that students won't use the guest access to get around the updates/login and will get postured.

Todd Joyce
Network Services
Radford University - The Smart Choice
[EMAIL PROTECTED]
(540) 831-

Keep your boots and ChapStick and ice hotels. Give me shorts and sandals and a thirty-blocker.
Temperance Brennan - Monday Mourning
RE: Cisco LWAPP Lobby Ambassador/Guest Access
If you are using the Lobby Ambassador to grant guest access you might want to look into adding Cisco Clean Access. You can put a CAS right in front of a controller in the DMZ and create an anchor from a controller on the inside so your LWAPP tunnel is terminated in the DMZ. Once the client connects to the guest SSID on the inside it will hit the CAS before it gets to the controller. Here you can run your posture checks and make them login. So what I am getting at is that the lobby ambassador feature in Cisco Clean Access is a lot better than doing it on the WLC or WCS.

Chris
RE: [WIRELESS-LAN] Cisco LWAPP Lobby Ambassador/Guest Access
We looked at Lobby Ambassador, found too many deficiencies, and are now looking to see if we can write our own.

- Bob.
Cisco LWAPP Lobby Ambassador/Guest Access
Wondering if anyone is using the Lobby Ambassador option in the Cisco LWAPP system to allow users to build their own guest/sponsored accounts, and if so how satisfied you may be with it.

Lee
Re: Guest access and Library Licenses
Hi - I do network services for an academic library. I discussed this with the dept head, and here was his answer:

In general, I guess the answer is "It depends." It depends on the specifics of the license and on whether guest access would entitle the guest to off-campus access to library resources. If guest status just means on-campus network access, then it should be OK at most public universities, since they typically negotiate walk-in clauses into their licenses. Off-campus access can be problematic depending on how the licenses are constructed, etc. I would suggest you contact your library for a definitive answer.

But in general, yes, if the wireless access you are extending to the guest is "on campus" you should be OK. This would be no different from a guest using a computer in a researcher's office to access electronic resources.

--
Shanna Leonard
AHS Library
626-2923
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] Guest Access and Library Licenses
Our wireless guest access is a captive portal that has the ability to specify different rules for guests than for members of the campus community. We also have a very restricted anonymous access category that may naturally provide the required limits. So far the use of the guest level has been less than expected.
Guest Access and Library Licenses
I'm new to the list, and apologize if this has been discussed already, but I couldn't find anything appropriate in the archives, and this group seems the best to answer this question.

We're planning a guest access facility that will allow anyone at Wayne to sponsor guests for up to five days. Someone has asked whether this will infringe on our Library's agreements with organizations like J-Store that license access to journals, books and such to those officially affiliated with Wayne. Because of the way our library handles this on campus, our guest solution will not segregate our guests from access to those resources.

Has anyone had to deal with this? Do libraries in general care about this level of access? (as opposed to access, say, for alums, which would be long-term)

Geoff Nathan

--
Geoffrey S. Nathan, Security Policy Coordinator, Computing and Information Technology, and Associate Professor of English
Linguistics Program
Department of English
Wayne State University
Detroit, MI 48202
Computing and Information Technology: (313) 577-1259
Linguistics (English): (313) 577-8621
C&IT Fax: (313) 577-1338
Re: [WIRELESS-LAN] Guest access
> Bill,
>
> Very interesting. I would like to research your comment "a commercial
> carrier that rides our same access points" with a little more detail.
> You can contact me offline if you wish.

I'm sure they do the same thing that we do here at Georgia Tech: We have a guest SSID configured on our Cisco APs with no security and broadcast SSID. This traffic is bridged at layer two to a local WISP that provides DHCP, DNS, AUTHn, AUTHz, etc. The guest users end up in the ISP's address space, not ours. I think GSU is even using the same WISP that we do.

--
Earl Barfield -- Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: [WIRELESS-LAN] Guest access - CALEA rabbit trail
Regarding CALEA:

First, it's important to note that the revision currently under discussion has not been finalized, and so any statements about what will or will not be required are speculative. Note also that, regardless of what the FCC ends up ordering, a number of organizations (not least of all, EDUCAUSE) have initiated legal action challenging the FCC's authority to extend CALEA as proposed.

With that said, there is nothing in any of the published proposals from the FCC that would require campuses (or anyone else, for that matter) to acquire or retain any data (including authentication or identification data) they are not already gathering. Traditionally and on its face, CALEA deals only with the technical means by which data is made available to law enforcement, not what data is collected. Which is not to say you will never receive a court order requiring you to gather or save something new, just that, so far, such an order would have nothing to do with CALEA.

I've shared the stage a couple of times recently with Ed Thomas, former Chief of the FCC's Office of Engineering and Technology. In that position, Ed had responsibility for CALEA compliance, and one of the few things we agreed upon was that campuses should make decisions about authentication on the basis of their own needs and policies, not on the basis of CALEA.

There's a discussion currently underway on the CIO list about campus policies on anonymous access. Searchable archives are at <http://listserv.educause.edu/archives/cio.html>.

But one more time: The CALEA revision remains a work in progress and, to quote Ed Thomas, there are no facts about the future.

For more information, see our resource page (http://www.educause.edu/calea) and/or sign on to the CALEA discussion list (http://listserv.educause.edu/cgi-bin/wa.exe?A0=CALEA-HE).

Steve

--
Steven L. Worona
Director of Policy and Networking Programs
EDUCAUSE / 1150 18th St. NW suite 1010 / Washington, DC 20036
202-872-4200 x 5358 / 202-872-4318 fax / [EMAIL PROTECTED]

At 10:00 AM -0500 3/31/06, Barros, Jacob wrote:
> Nothing specific about the act itself. If my understanding is correct, CALEA will just require you to have the ability to completely track anyone the government specifies. In my understanding of how anonymous users are handled by many campuses, just http, ssl and dns are allowed. I just assume that many of our off campus students won't care if they are never more than a guest user. So how can you track John Doe if he is an anonymous user? Maybe the question is more, how do you handle (in light of CALEA) a student that chooses to never register or use his (her) username and password and is happy with 'guest access'?
>
> -Original Message-
> From: King, Michael [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 31, 2006 9:16 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Guest access - CALEA rabbit trail
>
> Jake,
>
> We too have begun to consider anonymous guest access.
>
> Where in CALEA are you referring to? (A hyperlink would help) I'd like to approach this new initiative aware of all the facts, and this is one I hadn't considered before.
>
>> -Original Message-
>> From: Barros, Jacob [mailto:[EMAIL PROTECTED]
>> Sent: Friday, March 31, 2006 9:00 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Guest access - CALEA rabbit trail
>>
>> We've been forcing all users to authenticate and were considering anonymous guest access as well, but in light of CALEA enforcement probability we are hesitant. For those of you that do allow anonymous guests, are you considering changing that policy in light of CALEA? Have you any other legal 'problems' with anonymous access?
>>
>> Jake Barros
>> Grace College
Re: [WIRELESS-LAN] Guest access
On Fri, 31 Mar 2006, Simon Kissler wrote:

> I have two thoughts to offer. I will state that we are not a public
> university so maybe my point of view is somewhat different. That said, you
> mention RIAA. How do you respond to RIAA/MPAA/etc. complaints regarding
> anonymous users ?

RIAA trusts that (once notified) you will take the right action... otherwise... So, if these are guests only, by the time RIAA lets you know they will be gone from your campus (and be someone else's problem). People who are visitors/guests for more than a month should probably be a part of authenticated access anyway. If you notice folks who frequent campus too often, well, you can kick them out or further investigate, up to your AUP for guest access. If you comply 95% with RIAA they'll let you go with few unresolved cases, won't they?

> Second, I was wondering the same about Panera and others. I have noticed
> two things in that regard. The recently built Panera here has impeccable
> video surveillance in their store (and we're far from being a high crime
> location). They can probably track down a wireless user simply by looking
> at their surveillance footage given a date/time and looking at who's using
> wireless in their store. Probably not perfect, but still probably enough
> for them to give something to an inquiring law enforcement agency.

If there are multiple users, good luck finding each individual. How long do they keep tapes before erasing/overwriting them? The point is "doing enough" to get law enforcement happy. You don't have to hand law enforcement everything! And they probably wouldn't know what to do with it anyway. There are reasonable ways and answers for everything law enforcement would want. Again, most guest users are nice. They want to check e-mail, browse the web and go home. But, what if... you just deal with it! I helped in the past get someone arrested based on tracking on wireless.

> I've also noticed that an increasing number of hotels I visit now require
> authentication with room number and a password which you obtain from the
> front desk. This has been the case at several Marriott and Hilton chain
> hotels I recently stayed at.
>
> This could be coincidental, but maybe it is a trend at a middle ground of
> authenticated or at least reasonably verifiable free wifi services.

I was at an airline lounge in Hong Kong last week. They had a big candy jar with WEP keys in it. Take one, it's on us! :-))) They probably satisfied some security requirement need with it! So, can't blame them!

You can always find someone if you look hard. The question is do you spend a lot of money in advance, or just investigate when needed. If it's the case that the cost you need to investigate < the cost to deploy all those security tools you could, your budgetary folks will be happy, private or public school the same.

The problem with tracking and collecting everything is that this is the future you create for your children and grandchildren. Private or public! You've got the power to make choices (and justify them)...at least I hope you still do.

I don't mean to inflame or prolong this discussion. Just want you to keep in mind there are alternatives to provide better services rather than overspending money on security. (Limited but) Free and un-authenticated access is good for the economy! :-)))

-Predrag

-
Predrag Radulovic
IT Administrator III
OIT - Network Services
108 James D Hoskins Library
1400 Cumberland Ave
University of Tennessee, Knoxville, TN 37996-4005
Phone: (865) 974-0301
Fax: (865) 974-3531
E-mail: [EMAIL PROTECTED]
http://www.predrag.us
-
Re: [WIRELESS-LAN] Guest access
We take our GUEST traffic, wired and/or wireless, pump that through a VLAN which sits behind some RovingPlanet equipment, and pass on username/password to a different leaf in LDAP that's specific to GUEST accounts.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

- Original Message -
From: "Entwistle, Bruce" <[EMAIL PROTECTED]>
Date: Thursday, March 30, 2006 7:32 pm
Subject: [WIRELESS-LAN] Guest access
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

> We have recently installed a wireless network on a portion of the campus. The student and administrators are all authenticated through a front end device which validates user accounts against an LDAP server running on a domain controller. However we now have the requirement for guests of the campus to connect to the wireless network. We have some ideas how we would like to handle this issue but are curious as to what others have done to accommodate these guest connections. Please let me know.
>
> Thank you
>
> Bruce Entwistle
> Network Manager
> University of Redlands
Re: [WIRELESS-LAN] Guest access
I have two thoughts to offer. I will state that we are not a public university so maybe my point of view is somewhat different. That said, you mention RIAA. How do you respond to RIAA/MPAA/etc. complaints regarding anonymous users?

Second, I was wondering the same about Panera and others. I have noticed two things in that regard. The recently built Panera here has impeccable video surveillance in their store (and we're far from being a high crime location). They can probably track down a wireless user simply by looking at their surveillance footage given a date/time and looking at who's using wireless in their store. Probably not perfect, but still probably enough for them to give something to an inquiring law enforcement agency.

I've also noticed that an increasing number of hotels I visit now require authentication with room number and a password which you obtain from the front desk. This has been the case at several Marriott and Hilton chain hotels I recently stayed at.

This could be coincidental, but maybe it is a trend at a middle ground of authenticated or at least reasonably verifiable free wifi services.

-S

On Fri, 31 Mar 2006, Predrag Radulovic wrote:

> It is amazing how many times this question pops up! (Public) Universities are supposed to do public service, which should by all means include net access to all visitors. Question of how much you should spend is completely separate from that. Ideally, you would only protect your network from guests and provide best-effort "be-a-good-net-citizen" towards the rest of the internet. Limiting BW they consume is an OK measure, too. I don't see a point of limiting applications. We get too concerned about security, CALEA, etc.? How does Panera Bread or all those hotels you get free access deal with it? They probably don't! We monitor and occasionally take an action. It would be good to have separate IP space for guests, but that is individually depending on University. If you're deploying dark fiber networks, you pay $10-20 per meg per month for Internet access. So, for <$200/mo you can provide nice access for all guests. That's a price of one good desktop PC per year! What we want is to discourage regular users bypassing regular network. So, you block access to your e-mail servers and other useful app servers and they probably won't even consider using it. Especially if you have BW control!
>
> We're a large university with close to 2000 concurrent wireless users at peak times, generating around 60 Mbps of traffic. So for those few guests, 10 M or less should be sufficient. If you have an access control box (Vernier and such) available that is very nice to use, otherwise routers can provide plenty of BW control (e.g. ISDN quality per user). It is really a cheap solution, if you just for a second forget all probably-will-never-happen security incidents. Security incidents on wireless are not even a percent of work created for security groups. They continue to deal with worms, virus infections, RIAA and such, and that is where money gets spent. Assuming you use VLAN/SSID solution and existing wireless and wired infrastructure, cost is really minimal.
>
> So, free your mind! And serve better your community AND guests!
>
> Regards,
> -Predrag
>
> P.S. U. of TN is considering this model for guest access. Currently, we allow folks associated with university to sponsor/register guests. And guests get the same treatment as regular users (i.e. no app/BW control).
>
> P.P.S. Do you think that free/anonymous access at Panera and hotels will disappear with CALEA? I don't! Too many people and businesses like it!
>
> -
> Predrag Radulovic
> IT Administrator III
> OIT - Network Services
> 108 James D Hoskins Library
> 1400 Cumberland Ave
> University of Tennessee, Knoxville, TN 37996-4005
> Phone: (865) 974-0301
> Fax: (865) 974-3531
> E-mail: [EMAIL PROTECTED]
> http://www.predrag.us
> -

---
Simon Kissler
[EMAIL PROTECTED]
UNIX Systems Administrator
Electronic Information Services
Valparaiso University
Kretzmann Hall B22
Valparaiso, IN 46383
Phone: (219) 464 6773
Fax : (219) 464 5381
---
Re: [WIRELESS-LAN] Guest access
> From: Entwistle, Bruce [mailto:[EMAIL PROTECTED]
> Subject: [WIRELESS-LAN] Guest access
>
> We have some ideas how we would like to handle this issue but are curious as to
> what others have done to accommodate these guest connections. Please
> let me know.

We hand out guest accounts to authorized users of the network. Currently, anyone on payroll (including students) can authorize guest IDs. As soon as the web interface is updated, anyone can generate guest IDs. This gets around a key issue we see, which is that students are giving out their login credentials to their friends so they can access the network. So we still handle all authentication, but authorization will work more /realistically/.

All users have the option of using our VPN service (vendor c's vpn 3k) to encrypt their traffic, or they can authenticate to our login gateway. The login gateway is used both for the wireless networks plus more and more datajacks in public areas.

We do not differentiate the level of service we provide on our network. Faculty, staff, researchers, students, guests, and whoever is otherwise authorized are all valid users of our network and we do not DEGRADE our service to any of these user groups. I challenge peer public institutions to stop this practice.

Dale

Dale W. Carder - Network Engineer | DoIT Network Services
University of Wisconsin at Madison | [EMAIL PROTECTED]
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder
Re: [WIRELESS-LAN] Guest access
It is amazing how many times this question pops up! (Public) Universities are supposed to do public service, which should by all means include net access to all visitors. Question of how much you should spend is completely separate from that. Ideally, you would only protect your network from guests and provide best-effort 'be-a-good-net-citizen' towards the rest of the internet. Limiting BW they consume is an OK measure, too. I don't see a point of limiting applications. We get too concerned about security, CALEA, etc.? How does Panera Bread or all those hotels you get free access deal with it? They probably don't! We monitor and occasionally take an action. It would be good to have separate IP space for guests, but that is individually depending on University.

If you're deploying dark fiber networks, you pay $10-20 per meg per month for Internet access. So, for <$200/mo you can provide nice access for all guests. That's a price of one good desktop PC per year! What we want is to discourage regular users bypassing the regular network. So, you block access to your e-mail servers and other useful app servers and they probably won't even consider using it. Especially if you have BW control!

We're a large university with close to 2000 concurrent wireless users at peak times, generating around 60 Mbps of traffic. So for those few guests, 10 M or less should be sufficient. If you have an access control box (Vernier and such) available that is very nice to use, otherwise routers can provide plenty of BW control (e.g. ISDN quality per user). It is really a cheap solution, if you just for a second forget all probably-will-never-happen security incidents. Security incidents on wireless are not even a percent of work created for security groups. They continue to deal with worms, virus infections, RIAA and such, and that is where money gets spent. Assuming you use VLAN/SSID solution and existing wireless and wired infrastructure, cost is really minimal.

So, free your mind! And serve better your community AND guests!

Regards,
-Predrag

P.S. U. of TN is considering this model for guest access. Currently, we allow folks associated with university to sponsor/register guests. And guests get the same treatment as regular users (i.e. no app/BW control).

P.P.S. Do you think that free/anonymous access at Panera and hotels will disappear with CALEA? I don't! Too many people and businesses like it!

-
Predrag Radulovic                 Phone: (865) 974-0301
IT Administrator III
OIT - Network Services            Fax: (865) 974-3531
108 James D Hoskins Library
1400 Cumberland Ave
University of Tennessee,          E-mail: [EMAIL PROTECTED]
Knoxville, TN 37996-4005          http://www.predrag.us
-
Re: [WIRELESS-LAN] Guest access
We also have a commercial hotspot provided on our campus here at London Business School. TheCloud provides a service across our existing network of Access Points. The campus network access points have two SSIDs, and the public hotspot traffic runs in a separate VLAN across our LAN and over a VPN to their core network.

The landing page that clients get when attached to the commercial hotspot is slightly different from other sites in that there are links that allow free access to our website and portal (walled garden links) that were agreed when the service was set up, so a guest on our site need not pay to get to the majority of our campus resources, but can use a voucher, a supported roaming account, or a credit card to browse elsewhere.

It was reasonably easy to set up, the service works well and is well received by our customers. I would imagine that hotspot operators in the US would be able to provide a similar service, and it can generate a revenue stream if that was required.

--
Tomo.
Network & Telecoms Project Engineer, Information Systems Division
London Business School, Sussex Place, Regents Park, London. NW1 4SA
t: +44 (0)20 7000 direct --- +44 (0)20 7262 5050 general
f: +44 (0)20 7000 7771 direct --- +44 (0)20 7724 7875 general
e: mailto:[EMAIL PROTECTED]
w: http://www.london.edu/technology/

On 31/03/2006 15:16, William Paraska wrote:
RE: [WIRELESS-LAN] Guest access - CALEA rabbit trail
Nothing specific about the act itself. If my understanding is correct, CALEA will just require you to have the ability to completely track anyone the government specifies. In my understanding of how anonymous users are handled by many campuses, just HTTP, SSL and DNS are allowed. I just assume that many of our off-campus students won't care if they are never more than a guest user. So how can you track John Doe if he is an anonymous user?

Maybe the question is more: how do you handle (in light of CALEA) a student that chooses to never register or use his (her) username and password and is happy with 'guest access'?

-----Original Message-----
From: King, Michael [mailto:[EMAIL PROTECTED]
Sent: Friday, March 31, 2006 9:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest access - CALEA rabbit trail
RE: [WIRELESS-LAN] Guest access
We use Vernier edgewalls and force guest users to register a username and password. Once their machine is scanned and determined 'compliant' we allow all IP out to the Internet. We have been running in this way for about 8 months and have not had a problem.

Jeff McIntyre
Network Systems Administrator II
St. John Fisher College
Phone-585-385-8020

-----Original Message-----
From: Simon Kissler [mailto:[EMAIL PROTECTED]
Sent: Friday, March 31, 2006 9:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest access
RE: [WIRELESS-LAN] Guest access
Bill,

Very interesting. I would like to research your comment "a commercial carrier that rides our same access points" with a little more detail. You can contact me offline if you wish.

(To be clear, as it has happened in the past, this is a request for information from Mr. Paraska, or any other edu, to contact me with information. Not a request for a sales call. Thanks.)

Sincerely,
Chip Greene
Network Services
University of Richmond
[EMAIL PROTECTED]

-----Original Message-----
From: William Paraska [mailto:[EMAIL PROTECTED]
Sent: Friday, March 31, 2006 9:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest access
RE: [WIRELESS-LAN] Guest access - CALEA rabbit trail
Jake,

We too have begun to consider anonymous guest access. Where in CALEA are you referring to? (A hyperlink would help.) I'd like to approach this new initiative aware of all the facts, and this is one I hadn't considered before.

> -----Original Message-----
> From: Barros, Jacob [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 31, 2006 9:00 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Guest access - CALEA rabbit trail
Re: [WIRELESS-LAN] Guest access
That certainly is the question and one that ought to bother all of us. That is the reason that GSU has stopped providing access to non-University affiliated users. We push them to a commercial carrier that rides our same access points. They require identification and they track the bad actors.

Bill Paraska
Director, University Computing and Communications
Information Systems and Technology
(404) 651-0881

>>> [EMAIL PROTECTED] 03/31/06 9:10 AM >>>
Re: [WIRELESS-LAN] Guest access
Ok, I have to ask the question that's been sitting on my mind for a while now.

All the places that essentially allow unauthenticated wireless (including asking for an e-mail that anybody could easily just put [EMAIL PROTECTED]): How do you deal with abuse? I realize that your choice of protocols likely limits the options, but it's still quite viable (for example posting of content to a message board, blog comment, or other public space that triggers legal or law enforcement response)? Many of the safe harbor provisions protecting us legally are predicated on our ability to "point the finger" at the real offender. If we're unable to do so, we automatically become liable for the actions.

How do you track down misbehaving guest users?

-S

On Fri, 31 Mar 2006, Joyce, Todd N wrote:

---
Simon Kissler [EMAIL PROTECTED]
UNIX Systems Administrator Phone: (219) 464 6773
Electronic Information Services Fax : (219) 464 5381
Valparaiso University
Kretzmann Hall B22
Valparaiso, IN 46383
---
"They may forget what you said, but they will never forget how you made them feel." -Carl W. Buechner
---
RE: [WIRELESS-LAN] Guest access - CALEA rabbit trail
We've been forcing all users to authenticate and were considering anonymous guest access as well, but in light of CALEA enforcement probability we are hesitant. For those of you that do allow anonymous guests, are you considering changing that policy in light of CALEA? Have you any other legal 'problems' with anonymous access?

Jake Barros
Grace College

-----Original Message-----
From: Donald R Gallerie [mailto:[EMAIL PROTECTED]
Sent: Friday, March 31, 2006 8:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest access
RE: [WIRELESS-LAN] Guest access
Bruce,

We use Cisco gear and set up two vlans. One is a broadcast ssid which places the user in a captive vlan which they can escape via LDAP-authenticated VPN. The other is a non-broadcast guest ssid which has no encryption. The ssid changes monthly and we tell our technical coordinators and help desk folks what that ssid is. The traffic from the guest ssid gets routed to our edge router so it looks like an external user to the rest of the network.

Don Gallerie
The University at Albany

-----Original Message-----
From: Entwistle, Bruce [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 30, 2006 7:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest access
RE: [WIRELESS-LAN] Guest access
We allow these services for Guest Wireless Access and we are working to allow VPN to the outside.

DNS - UDP 53
HTTP - TCP 80
HTTPS - TCP 443

Todd Joyce
Network Services
Radford University - The Smart Choice
[EMAIL PROTECTED]
(540) 831-

Keep your boots and ChapStick and ice hotels.
Give me shorts and sandals and a thirty-blocker.
Temperance Brennan - Monday Mourning

From: Entwistle, Bruce [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 30, 2006 7:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest access
Re: [WIRELESS-LAN] Guest access
There was a similar thread last week that might be useful to look up. We also use LDAP for regular access, but guests are kept in SQL, and a third option is anonymous access. Any regular user can create a guest account for friends, which is only slightly different from regular access. Our anonymous access is limited to web, webmail, and VPN at a noticeably reduced speed.

>>> [EMAIL PROTECTED] 03/30/06 7:32 PM >>>
Re: [WIRELESS-LAN] Guest access
Bruce,

At Emory, our guest access is limited to web, secure web, and VPN access. We also bandwidth-limit guests to 500kbps. Guests have to open a browser and are redirected to our captive portal, where we display our AUP & TOS to which they must agree. We then collect their email address and "authenticate" them to Internet access - web and VPN only. To date, this has worked very well. I've only had one complaint - a user wanted secure POP3/SMTP access. My answer was that if the guests want more access, then they should establish a VPN to their home organization.

We are using hardware from Aruba Networks for wireless. It gives us the captive portal, firewalling and bandwidth limiting functionality that we use for guest access, as well as authenticated access for our student/faculty/staff.

>>-> Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan
Yahoo!: WLANstan
MSN: [EMAIL PROTECTED]

Original Message
From: Entwistle, Bruce
Date: 3/30/2006 7:32 PM

> We have recently installed a wireless network on a portion of the campus. The students and administrators are all authenticated through a front-end device which validates user accounts against an LDAP server running on a domain controller. However, we now have the requirement for guests of the campus to connect to the wireless network. We have some ideas how we would like to handle this issue but are curious as to what others have done to accommodate these guest connections. Please let me know.
>
> Thank you
> Bruce Entwistle
> Network Manager
> University of Redlands
Re: [WIRELESS-LAN] Guest access
Hi Bruce.

We are using Cisco equipment with wireless VLANs. Our "guest vlan" is an open, broadcast SSID and is controlled with an access list on our core router. The access list allows guests access to the internet and our internal web servers. Basically, what they would have access to with a broadband connection from outside our network.

Phil Trivilino
Manager of Network Infrastructure
St. Lawrence University

Entwistle, Bruce wrote:

> We have recently installed a wireless network on a portion of the campus. The students and administrators are all authenticated through a front-end device which validates user accounts against an LDAP server running on a domain controller. However, we now have the requirement for guests of the campus to connect to the wireless network. We have some ideas how we would like to handle this issue but are curious as to what others have done to accommodate these guest connections. Please let me know.
>
> Thank you
> Bruce Entwistle
> Network Manager
> University of Redlands
Guest access
We have recently installed a wireless network on a portion of the campus. The students and administrators are all authenticated through a front-end device which validates user accounts against an LDAP server running on a domain controller. However, we now have the requirement for guests of the campus to connect to the wireless network. We have some ideas how we would like to handle this issue but are curious as to what others have done to accommodate these guest connections. Please let me know.

Thank you
Bruce Entwistle
Network Manager
University of Redlands
Re: [WIRELESS-LAN] Wireless Guest Access
At the moment, it's pretty much up to the sponsor of the guest to get them that information, but, yes, the instructions themselves are published on a public web page. When the sponsor registers the account, the confirmation page displays a link to those web instructions, which are tailored to visitors, and invites the sponsor to email the link to his guest(s) before they arrive.

--Mike

On Mar 22, 2006, at 5:26 PM, Philippe Hanset wrote:

> Michael,
>
> How do you distribute the 802.1x material/instructions to visitors? Any web interface at any point?
>
> Philippe Hanset
> University of Tennessee
>
> On Wed, 22 Mar 2006, Michael Griego wrote:
>
>> We require 802.1x authentication for all users on our network. As such, I recently wrote an application that will allow an FTE staff/faculty member to request a guest 802.1x login for their guest(s). The account is then autogenerated, loaded into our RADIUS servers (FreeRADIUS), and we get an email notifying us of the new account. The accounts all start with "guest-", and the user is allowed to pick an up-to-8-character identifier for their users to make the login easy to remember, so the actual username ends up being "guest-identifier". The password is autogenerated.
>>
>> Currently, due to limitations in our equipment, they're stuck on the same VLAN as the rest of our wireless users; however, we expect to segregate these users once we get some upgraded hardware in place. The thought there is to, once they've authenticated, force each user to a captive portal where they can acknowledge our AUP before continuing.
>>
>> So far, the application seems to have been very well received. Previously, a "sponsor" had to contact the help desk to have the MAC address of the user(s) registered and get the user set up with the correct WEP key. Now, a "sponsor" can simply follow the directions to request an account, and no help desk or other outside human intervention is required. When the account is created, the "sponsor" is given a web link on how to properly configure the wireless settings for our network that can be given to the guest ahead of time or printed for when he/she/they arrive on campus. So, the only time the help desk or other personnel get involved is when there is a problem. And, we didn't have to open up our network to allow guest access. :)
>>
>> --Mike
>>
>> Bennefield, Cully A. wrote:
>>
>>> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>>>
>>> Thanks,
>>> Cully
>>>
>>> Cully Bennefield
>>> Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
Michael,

How do you distribute the 802.1x material/instructions to visitors? Any web interface at any point?

Philippe Hanset
University of Tennessee

On Wed, 22 Mar 2006, Michael Griego wrote:

> We require 802.1x authentication for all users on our network. As such, I recently wrote an application that will allow an FTE staff/faculty member to request a guest 802.1x login for their guest(s). The account is then autogenerated, loaded into our RADIUS servers (FreeRADIUS), and we get an email notifying us of the new account. The accounts all start with "guest-", and the user is allowed to pick an up-to-8-character identifier for their users to make the login easy to remember, so the actual username ends up being "guest-identifier". The password is autogenerated.
>
> Currently, due to limitations in our equipment, they're stuck on the same VLAN as the rest of our wireless users; however, we expect to segregate these users once we get some upgraded hardware in place. The thought there is to, once they've authenticated, force each user to a captive portal where they can acknowledge our AUP before continuing.
>
> So far, the application seems to have been very well received. Previously, a "sponsor" had to contact the help desk to have the MAC address of the user(s) registered and get the user set up with the correct WEP key. Now, a "sponsor" can simply follow the directions to request an account, and no help desk or other outside human intervention is required. When the account is created, the "sponsor" is given a web link on how to properly configure the wireless settings for our network that can be given to the guest ahead of time or printed for when he/she/they arrive on campus. So, the only time the help desk or other personnel get involved is when there is a problem. And, we didn't have to open up our network to allow guest access. :)
>
> --Mike
>
> Bennefield, Cully A. wrote:
>
>> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>>
>> Thanks,
>> Cully
>>
>> Cully Bennefield
>> Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
Here at Emory, we have an open SSID for guest access as well as "legacy" VPN Student/Faculty/Staff access. We use a captive portal to present guests with 4 screens' worth of our AUP, TOS, rules and regulations before requesting their email address for guest access "authentication". Guest access is limited to Web (80), Secure Web (443), DNS (53), and VPN - IPsec or PPTP. We also limit their bandwidth to 500kbps. If the guest wants to do anything besides web, like POP3 or IMAP email, FTP, IM, etc., they need to VPN to their home company or institution.

We also have an 802.1X/WPA/WPA2 SSID for authenticated Student/Faculty/Staff access.

Our wireless hardware from Aruba allows us to do all of this - captive portal, firewall/bandwidth limiting, and legacy VPN concentration - easily without any additional boxes.

>>-> Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division

Original Message
From: Bennefield, Cully A.
Date: 3/22/2006 3:02 PM

> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
We use a product called "Roving Planet" that controls access by everyone to our wireless system. Our wireless system is in its own VLAN with the Roving Planet acting as a VLAN bridge for authenticated users. The product interfaces with our Active Directory system, so we have set up a number of guest accounts that are controlled by our help desk. The help desk resets the passwords on these accounts periodically. Roving Planet also allows us to control access to wired ports using the same authentication scheme as long as the wired ports are in a specific VLAN.

Jim Driskell
University of Puget Sound

-Original Message-
From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 22, 2006 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Guest Access

> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
At Syracuse we use a captive portal. There are three levels of access:

- LDAP authenticated - Full Access
- Users in LDAP can create SQL-based Guest Accounts for friends - Nearly Full Access
- Anonymous free access - limited in speed and ports (perceptibly annoying: web, https, vpn)

(We have the ability to readily boot off and deny access by MAC -- IDS sensors)
(The portal is consistent with our resnet policy enforcement requirements)

>>> [EMAIL PROTECTED] 3/22/2006 3:02:33 PM >>>
> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
We offer guest access with captive portal. Users must ask for access and a temp account will be created.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

- Original Message -
From: David Gillett <[EMAIL PROTECTED]>
Date: Wednesday, March 22, 2006 3:25 pm
Subject: Re: [WIRELESS-LAN] Wireless Guest Access

> At the moment, all of our access is "guest" except for specific client laptops that belong to the college. This will provide access to our portal when it comes online, so users with portal accounts will be able to reach additional resources through that. Eventually, deployment of Identity Management and 802.1x and VPN may, in some combination, allow us to offer non-guest access at the wireless connection, but that's still somewhere in the pipeline.
>
> Note that there are a variety of "wireless security" products which focus on access to the wireless service, and so don't apply if you offer "guest" access. Instead, attention needs to focus on "where can these clients get to", and that applies as well to open wired ports (we're starting to see these in some classrooms and drop-in areas) as to wireless.
>
> David Gillett, CISSP CCNP
> Foothill-DeAnza College District
>
>> -Original Message-
>> From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, March 22, 2006 12:03 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Wireless Guest Access
>>
>> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>>
>> Thanks,
>> Cully
>>
>> Cully Bennefield
>> Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
Cully,

We currently have three VLANs on our wireless system: one for students (non-broadcast SSID), and one for faculty and staff (also non-broadcast). These require network credentials for authentication. Then we have the broadcasted VLAN for guests/public use. This VLAN is effectively a secondary DMZ hanging off of our firewall, and has no access to the internal LAN at all.

Hope this helps,

John Steely
Network Manager
Infrastructure Systems Department
Library and Information Services
Dickinson College
P.O. Box 1773
Carlisle, PA 17013
[EMAIL PROTECTED]

-Original Message-
From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 22, 2006 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Guest Access

> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
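The guest-VLAN policy that several replies in this thread converge on (Stan Brooks' allow-list of DNS, HTTP, HTTPS and VPN to the Internet; Phil Trivilino's exception for public-facing campus web servers; John Steely's rule that the guest VLAN has no path to the internal LAN) can be written down as an ordered rule set and checked against sample flows before it is committed to a router ACL or firewall. The following is an added example, not code from any poster or vendor mentioned here: the campus prefixes, the public web server address, the IPsec/PPTP port numbers and the sample flows are all constructed assumptions.

```python
"""Guest-VLAN egress policy check.

Added example, not code from any poster in this thread. It models the policy
the replies describe: guests reach the Internet only on DNS (udp/53), HTTP
(tcp/80), HTTPS (tcp/443) and VPN (IPsec or PPTP), a few public-facing campus
web servers stay reachable, and nothing else on campus is. The address ranges,
the VPN port numbers and the public web server list are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed campus address space; the guest VLAN must not reach any of it.
# 198.51.100.0/24 is a documentation prefix standing in for the public campus range.
CAMPUS_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

# Public-facing campus web servers guests may still use (assumed address): the
# "internal web servers" exception from the St. Lawrence reply.
PUBLIC_WEB_SERVERS = {ipaddress.ip_address("198.51.100.10")}
WEB_PORTS = {("tcp", 80), ("tcp", 443)}

# Services allowed from the guest VLAN to the Internet. Port-less entries are
# whole IP protocols (ESP is IP protocol 50, GRE is 47). VPN ports are assumed.
ALLOWED_SERVICES = {
    ("udp", 53),    # DNS
    ("tcp", 80),    # HTTP
    ("tcp", 443),   # HTTPS
    ("udp", 500),   # IPsec IKE
    ("udp", 4500),  # IPsec NAT traversal
    ("esp", None),  # IPsec ESP payload
    ("tcp", 1723),  # PPTP control channel
    ("gre", None),  # PPTP tunnel
}


@dataclass(frozen=True)
class Flow:
    """One connection attempt leaving the guest VLAN."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "esp" or "gre"
    dport: Optional[int] = None


def guest_egress_decision(flow: Flow) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for a guest flow, most specific rule first."""
    dst = ipaddress.ip_address(flow.dst)
    proto = flow.proto.lower()
    service = (proto, None if proto in ("esp", "gre") else flow.dport)

    # 1. Explicit exception: public campus web servers, web ports only.
    if dst in PUBLIC_WEB_SERVERS and service in WEB_PORTS:
        return "permit", "public campus web server"

    # 2. Everything else on campus is off limits whatever the port (DMZ-style isolation).
    if any(dst in net for net in CAMPUS_NETS):
        return "deny", "destination inside campus address space"

    # 3. Internet destinations: only the allow-listed services.
    if service in ALLOWED_SERVICES:
        port = flow.dport if flow.dport is not None else "-"
        return "permit", f"{proto}/{port} allowed to Internet"
    return "deny", "service not on guest allow-list; use a VPN to your home institution"


def evaluate(flows: List[Flow]) -> List[str]:
    """Decisions for a batch of flows, in input order."""
    return [guest_egress_decision(f)[0] for f in flows]


# Constructed sample flows from a guest client at 192.0.2.50.
SAMPLE_FLOWS = [
    Flow("192.0.2.50", "203.0.113.9", "udp", 53),      # DNS to an Internet resolver
    Flow("192.0.2.50", "203.0.113.9", "tcp", 443),     # HTTPS to the Internet
    Flow("192.0.2.50", "203.0.113.9", "tcp", 25),      # SMTP: blocked, VPN home for mail
    Flow("192.0.2.50", "203.0.113.9", "esp"),          # IPsec ESP to home institution
    Flow("192.0.2.50", "198.51.100.10", "tcp", 80),    # public campus web server
    Flow("192.0.2.50", "198.51.100.10", "tcp", 22),    # same server, SSH: blocked
    Flow("192.0.2.50", "10.1.2.3", "tcp", 80),         # internal LAN: blocked
]

if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{flow.proto}/{flow.dport} -> {flow.dst}: {decision}")
```

Rule order is the point: the public-web-server exception is tested before the campus deny so it can carve a hole in it, and the campus deny is tested before the Internet allow-list so that an allowed port such as tcp/80 never leaks into the internal LAN.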
Re: [WIRELESS-LAN] Wireless Guest Access
We require 802.1x authentication for all users on our network. As such, I recently wrote an application that will allow an FTE staff/faculty member to request a guest 802.1x login for their guest(s). The account is then autogenerated, loaded into our RADIUS servers (FreeRADIUS), and we get an email notifying us of the new account. The accounts all start with "guest-", and the user is allowed to pick an up-to-8-character identifier for their users to make the login easy to remember, so the actual username ends up being "guest-identifier". The password is autogenerated.

Currently, due to limitations in our equipment, they're stuck on the same VLAN as the rest of our wireless users; however, we expect to segregate these users once we get some upgraded hardware in place. The thought there is to, once they've authenticated, force each user to a captive portal where they can acknowledge our AUP before continuing.

So far, the application seems to have been very well received. Previously, a "sponsor" had to contact the help desk to have the MAC address of the user(s) registered and get the user set up with the correct WEP key. Now, a "sponsor" can simply follow the directions to request an account, and no help desk or other outside human intervention is required. When the account is created, the "sponsor" is given a web link on how to properly configure the wireless settings for our network that can be given to the guest ahead of time or printed for when he/she/they arrive on campus. So, the only time the help desk or other personnel get involved is when there is a problem. And, we didn't have to open up our network to allow guest access. :)

--Mike

Bennefield, Cully A. wrote:

> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
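The sponsor-driven account flow Mike describes (a "guest-" prefix, an up-to-8-character identifier chosen by the sponsor, an autogenerated password, a record loaded into FreeRADIUS and a notification email) is small enough to show end to end. The block below is an added example, not the application from the thread: the identifier alphabet, the password length, the expiry period, the ISO issue date and the notification wording are assumptions, and the users-file line follows the check-item layout documented for FreeRADIUS's `users` file.

```python
"""Sponsor-requested guest 802.1X account generator.

Added example, not the application described in the thread. It reproduces the
flow Michael Griego outlines: a sponsor picks an identifier of up to 8
characters, the username becomes "guest-<identifier>", the password is
generated, and a FreeRADIUS users-file line is produced along with the
notification text. Identifier alphabet, password length, expiry and
notification wording are assumptions made for this example.
"""
import re
import secrets
import string
from datetime import datetime, timedelta
from typing import Dict

# Assumed: identifiers are 1-8 lowercase letters or digits, so a sponsor cannot
# smuggle spaces, quotes or separators into the users file.
IDENTIFIER_RE = re.compile(r"[a-z0-9]{1,8}")
# Assumed password alphabet: letters and digits minus look-alike glyphs, because
# the sponsor hands the password to the guest on paper or by email.
PASSWORD_ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                            if c not in "0O1lI")
PASSWORD_LENGTH = 12  # assumed


def identifier_ok(identifier: str) -> bool:
    """True if the sponsor-chosen identifier fits the 1-8 character rule."""
    return IDENTIFIER_RE.fullmatch(identifier.strip().lower()) is not None


def make_username(identifier: str) -> str:
    """Build the "guest-<identifier>" login, rejecting anything outside the rule."""
    ident = identifier.strip().lower()
    if not identifier_ok(ident):
        raise ValueError("identifier must be 1-8 letters or digits")
    return f"guest-{ident}"


def make_password(length: int = PASSWORD_LENGTH) -> str:
    """CSPRNG-generated password; never derived from the identifier or sponsor."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def users_file_entry(username: str, password: str, expires: datetime) -> str:
    """One FreeRADIUS `users` line: check items follow the name, comma separated.
    The Expiration date format follows the users(5) example ("23 Sep 2004").
    The file stores the password in clear, so it must stay readable by the
    RADIUS daemon only."""
    return (f'{username}\tCleartext-Password := "{password}", '
            f'Expiration := "{expires:%d %b %Y}"\n')


def provision_guest(identifier: str, sponsor: str, valid_days: int = 7,
                    issued: str = "2006-03-22") -> Dict[str, str]:
    """Create the account record and the notice the network team receives.
    `issued` is an ISO date (constructed default) so runs are reproducible;
    `valid_days` is an assumed default lifetime."""
    username = make_username(identifier)
    password = make_password()
    expires = datetime.strptime(issued, "%Y-%m-%d") + timedelta(days=valid_days)
    return {
        "username": username,
        "password": password,          # returned once, to hand to the sponsor
        "entry": users_file_entry(username, password, expires),
        "notice": (f"New guest account {username} requested by {sponsor}, "
                   f"valid until {expires:%Y-%m-%d}"),
    }


if __name__ == "__main__":
    record = provision_guest("conf06", "sponsor@example.edu")
    print(record["notice"])
    print(record["entry"], end="")
```

Two details carry the security weight: the identifier is validated against a tight pattern before it is ever interpolated into the users file, and the password comes from `secrets` rather than `random`, with an expiry attached so forgotten guest logins stop working on their own.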
RE: [WIRELESS-LAN] Wireless Guest Access
We allow it through Clean Access. DNS - udp 53, HTTP - port 80, and https - port 443

todd

Todd Joyce
Network Services
Radford University - The Smart Choice
[EMAIL PROTECTED]
(540) 831-

Keep your boots and ChapStick and ice hotels. Give me shorts and sandals and a thirty-blocker.
Temperance Brennan - Monday Mourning

-Original Message-
From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 22, 2006 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Guest Access

> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
At the moment, all of our access is "guest" except for specific client laptops that belong to the college. This will provide access to our portal when it comes online, so users with portal accounts will be able to reach additional resources through that. Eventually, deployment of Identity Management and 802.1x and VPN may, in some combination, allow us to offer non-guest access at the wireless connection, but that's still somewhere in the pipeline.

Note that there are a variety of "wireless security" products which focus on access to the wireless service, and so don't apply if you offer "guest" access. Instead, attention needs to focus on "where can these clients get to", and that applies as well to open wired ports (we're starting to see these in some classrooms and drop-in areas) as to wireless.

David Gillett, CISSP CCNP
Foothill-DeAnza College District

> -Original Message-
> From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 22, 2006 12:03 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Wireless Guest Access
>
> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
> We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Our Aironet APs are set up with two SSIDs: an authenticated/encrypted SSID, and a completely open unauthenticated/unencrypted SSID for guests/visitors. The 'GUEST' SSID maps to a VLAN with quite a few firewall restrictions, not permitting anything more than basic web, VPN, instant messaging, and mail connectivity.

- Gabriel Kuri | Sr. Network Analyst
Instructional and Information Technology Division
California State Polytechnic University, Pomona
http://www.csupomona.edu/~iit | +1 909 979 6363
Wireless Guest Access
We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
Re: [WIRELESS-LAN] Guest Access
Bart,

Seems like a good plan. For your special visitors you may consider EDUROAM in the future (http://security.internet2.edu/fwna). Only works with 802.1x though!

> 1. Determine which APs are going to provide this guest access. Guest access won't be necessary for all APs

Once you enable a second SSID, you may as well enable it all over. It might become a redundancy feature the day your RADIUS is having problems or an OS vendor releases a nasty patch that breaks wireless client software.

> 2. Configure the selected APs with a second SSID

We don't broadcast any of our SSIDs for Wireless Hygiene reasons (read: in order to deal as best as possible with MS Wireless Zero Config). When one SSID is broadcasted and others are not, some wireless clients tend to always join the broadcasted one.

> 4. Place users who use the second SSID into the new VLAN
> 5. Only allow the new VLAN to access the internet
> 6. Limit the bandwidth to the internet to about 512Kbps (This should be sufficient for the Media's needs and allow any guest to check email etc.)
> 7. Provide some sort of security but not as in depth as we currently use.

One additional feature: in our design we were considering NAT for the visitor network with an IP that comes from a range outside of our campus range. If the visitor network is abused, you have the option to change the IP address and not have your campus addresses banned all over the Internet!

We don't provide encryption for visitors. Encryption is optional for our campus users. In order to provide encryption for visitors you will have to deal at some point with credentials... good luck. Reminds me of these web sites that want you to create a profile with login and password to make a $5 purchase!

If you give your visitors bandwidth and inform them through a "required" reading about the features of the wireless network, you should be fine.

Philippe Hanset
University of Tennessee

> What are your comments on beaconing the new SSID?
> What are your thoughts on security and encryption?
> Does a user that connects to our network have expectations of security and encryption?
> Are we obligated to provide some sort of security and encryption to protect these guest users?
> At what point does administrative burden overcome security?
>
> Your thoughts and ideas are greatly appreciated.
>
> Thanks in advance,
>
> J. Bart Casey
RE: [WIRELESS-LAN] Guest Access
> What are your comments on beaconing the new SSID?

Once there are clients using the SSID, it's in the air often enough to be picked up by tools like NetStumbler and Kismet. So not beaconing provides, IMHO, little security, and so I don't think you'll lose significantly by beaconing the second. [The concern vendors have expressed to us has been that *multiple* beaconed SSIDs cut into time available for actual traffic.]

> What are your thoughts on security and encryption?

To do good encryption, a client probably needs a closer relationship to you (certificate, etc.) than "guest" access probably implies. Our approach has been to limit what guests can do -- but read on.

> Does a user that connects to our network have expectations of security and encryption?

Probably -- but is that a *reasonable* expectation? Our policy forbids snooping on users, but retains the right for support personnel to sniff traffic as part of half a dozen necessary efforts such as troubleshooting.

> Are we obligated to provide some sort of security and encryption to protect these guest users?

It's a matter of perspective. Our current wireless security posture -- subject to review as we integrate better identity management solutions -- treats wireless guests as the THREAT and the network itself as the ASSET. Guests do benefit from our overall network defences, but we don't currently do anything extra to protect THEM.

> At what point does administrative burden overcome security?

In theory, where the cost of providing security outstrips the probable repair/replacement cost of the asset. Unless you have a reason to attach a big premium to guest access (we have a location which is dear to the heart of one of our presidents, for example), its value is probably fairly low and so only a relatively limited expense/effort is justified. (Protecting other network resources from guests, however, probably has value that will justify more effort, if needed. Your plan to provide them only with access to the Internet sounds good, although be aware that any damage they do there may be tracked back to your institution.)

David Gillett
Re: [WIRELESS-LAN] Guest Access
At St. Lawrence we use Cisco APs with multiple VLANs. We do provide an "open vlan" for "guest" access. "Guests" get what they might expect if they were at home on a broadband connection, for access via an ACL on the router for the guest VLAN. We provide no encryption and advertise that fact.

I think you are on the right track with your guest access. We provide this for many reasons: sports information, library users, conference attendees, to name a few. We push our faculty, staff and students to use the secure, 802.1x VLANs with encryption for their own use. Actually we "entice" them, since they cannot accomplish on the guest VLAN what they can on the wired or authenticated VLANs.

Phil

Casey, J Bart wrote:

> Hey All,
>
> It has been deemed necessary by the powers that be that we provide some level of wireless access to guests on our campus. Some of these people might include members of the Media for athletic events, alumni visiting the campus, and guest professors/speakers. While I am not exactly thrilled about the idea, I can certainly understand the need. I would like some feedback on how other schools are handling issues such as this.
>
> Our current wireless network is comprised solely of Cisco Aironet 1200 series APs. We use a single SSID which allows authenticated users to be placed in a wireless VLAN. We do not beacon our SSID. In order to connect to the wireless network, our users must know the SSID. We require users to install a secure certificate, and also require them to authenticate their domain user credentials against a RADIUS server. We currently use IAS but are migrating to CSACS.
>
> My initial plan is as follows:
>
> 1. Determine which APs are going to provide this guest access. Guest access won't be necessary for all APs
> 2. Configure the selected APs with a second SSID
> 3. Create a new VLAN for the second SSID
> 4. Place users who use the second SSID into the new VLAN
> 5. Only allow the new VLAN to access the internet
> 6. Limit the bandwidth to the internet to about 512Kbps (This should be sufficient for the Media's needs and allow any guest to check email etc.)
> 7. Provide some sort of security but not as in depth as we currently use.
>
> What are your comments on beaconing the new SSID?
> What are your thoughts on security and encryption?
> Does a user that connects to our network have expectations of security and encryption?
> Are we obligated to provide some sort of security and encryption to protect these guest users?
> At what point does administrative burden overcome security?
>
> Your thoughts and ideas are greatly appreciated.
>
> Thanks in advance,
>
> J. Bart Casey
Re: [WIRELESS-LAN] Guest Access
We provide GUEST access as follows:

- The SSID is not hidden
- Static WEP. They are given the key (don't want every Tom, Dick & Harry associating just because)
- Captive portal with limited rights
- Given an ID for x amount of days, which is in LDAP

We have a group/dept that deals with users coming on-site for conferences, meetings, and so on... They have a GUI to input guest names into LDAP and provide basic support for the "guest" users.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

----- Original Message -----
From: "Casey, J Bart" <[EMAIL PROTECTED]>
Date: Tuesday, January 31, 2006 12:07 pm
Subject: [WIRELESS-LAN] Guest Access

> Hey All,
>
> It has been deemed necessary by the powers that be that we provide some level of wireless access to guests on our campus. Some of these people might include members of the Media for athletic events, alumni visiting the campus, and guest professors/speakers. While I am not exactly thrilled about the idea, I can certainly understand the need. I would like some feedback on how other schools are handling issues such as this.
>
> Our current wireless network is comprised solely of Cisco Aironet 1200 series APs. We use a single SSID which allows authenticated users to be placed in a wireless VLAN. We do not beacon our SSID. In order to connect to the wireless network, our users must know the SSID. We require users to install a secure certificate, and also require them to authenticate their domain user credentials against a RADIUS server. We currently use IAS but are migrating to CSACS.
>
> My initial plan is as follows:
>
> 1. Determine which APs are going to provide this guest access. Guest access won't be necessary for all APs.
> 2. Configure the selected APs with a second SSID.
> 3. Create a new VLAN for the second SSID.
> 4. Place users who use the second SSID into the new VLAN.
> 5. Only allow the new VLAN to access the internet.
> 6. Limit the bandwidth to the internet to about 512Kbps (this should be sufficient for the Media's needs and allow any guest to check email etc.).
> 7. Provide some sort of security but not as in depth as we currently use.
>
> What are your comments on beaconing the new SSID?
>
> What are your thoughts on security and encryption?
>
> Does a user that connects to our network have expectations of security and encryption?
>
> Are we obligated to provide some sort of security and encryption to protect these guest users?
>
> At what point does administrative burden overcome security?
>
> Your thoughts and ideas are greatly appreciated.
>
> Thanks in advance,
>
> J. Bart Casey
Re: [WIRELESS-LAN] Guest Access
At Indiana University we have gone from no guest wireless access to VPN-protected guest access (they hated it) to Web-redirected/authentication/no encryption guest access.

Our campus users register their MAC address and get put on one subnet that is VPN-protected (can only get to the VPN server). Guests do not register, and get put on a different subnet on the same VLAN. However, the path to the router for the guest subnet passes through an HP Access Control Module (blade in a 5300 switch) that performs the redirection and authentication. The guest traffic headed to the campus network experiences the same border filter as an off-site user. Outbound port 25 is blocked.

Any faculty or staff can create a temporary guest ID after authenticating to a web page. These accounts (ADS) have no privileges other than wireless access (they are not members of Domain Users).

If you don't broadcast the SSID and the guest network isn't ubiquitous, the user can't tell if they are in range or not.

Tom Zeller
812-855-6214
[EMAIL PROTECTED]

On 1/31/06 12:07 PM, "Casey, J Bart" <[EMAIL PROTECTED]> wrote:

> Hey All,
>
> It has been deemed necessary by the powers that be that we provide some level of wireless access to guests on our campus. Some of these people might include members of the Media for athletic events, alumni visiting the campus, and guest professors/speakers. While I am not exactly thrilled about the idea, I can certainly understand the need. I would like some feedback on how other schools are handling issues such as this.
>
> Our current wireless network is comprised solely of Cisco Aironet 1200 series APs. We use a single SSID which allows authenticated users to be placed in a wireless VLAN. We do not beacon our SSID. In order to connect to the wireless network, our users must know the SSID. We require users to install a secure certificate, and also require them to authenticate their domain user credentials against a RADIUS server. We currently use IAS but are migrating to CSACS.
>
> My initial plan is as follows:
>
> 1. Determine which APs are going to provide this guest access. Guest access won't be necessary for all APs.
> 2. Configure the selected APs with a second SSID.
> 3. Create a new VLAN for the second SSID.
> 4. Place users who use the second SSID into the new VLAN.
> 5. Only allow the new VLAN to access the internet.
> 6. Limit the bandwidth to the internet to about 512Kbps (this should be sufficient for the Media's needs and allow any guest to check email etc.).
> 7. Provide some sort of security but not as in depth as we currently use.
>
> What are your comments on beaconing the new SSID?
>
> What are your thoughts on security and encryption?
>
> Does a user that connects to our network have expectations of security and encryption?
>
> Are we obligated to provide some sort of security and encryption to protect these guest users?
>
> At what point does administrative burden overcome security?
>
> Your thoughts and ideas are greatly appreciated.
>
> Thanks in advance,
>
> J. Bart Casey
Guest Access
Hey All,

It has been deemed necessary by the powers that be that we provide some level of wireless access to guests on our campus. Some of these people might include members of the Media for athletic events, alumni visiting the campus, and guest professors/speakers. While I am not exactly thrilled about the idea, I can certainly understand the need. I would like some feedback on how other schools are handling issues such as this.

Our current wireless network is comprised solely of Cisco Aironet 1200 series APs. We use a single SSID which allows authenticated users to be placed in a wireless VLAN. We do not beacon our SSID. In order to connect to the wireless network, our users must know the SSID. We require users to install a secure certificate, and also require them to authenticate their domain user credentials against a RADIUS server. We currently use IAS but are migrating to CSACS.

My initial plan is as follows:

1. Determine which APs are going to provide this guest access. Guest access won't be necessary for all APs.
2. Configure the selected APs with a second SSID.
3. Create a new VLAN for the second SSID.
4. Place users who use the second SSID into the new VLAN.
5. Only allow the new VLAN to access the internet.
6. Limit the bandwidth to the internet to about 512Kbps (this should be sufficient for the Media's needs and allow any guest to check email etc.).
7. Provide some sort of security but not as in depth as we currently use.

What are your comments on beaconing the new SSID?

What are your thoughts on security and encryption?

Does a user that connects to our network have expectations of security and encryption?

Are we obligated to provide some sort of security and encryption to protect these guest users?

At what point does administrative burden overcome security?

Your thoughts and ideas are greatly appreciated.

Thanks in advance,

J. Bart Casey
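The "internet only" guest VLAN in the plan above, as an added example that is not part of the original post or of any poster's configuration: a first-match rule list of the kind a router ACL or a home-grown gateway applies, plus a token bucket for the 512 Kbps cap. The guest prefix 10.20.0.0/22, the gateway 10.20.0.1 acting as DHCP relay and DNS forwarder, the campus prefixes (198.51.100.0/24 stands in for the campus public block) and the outbound SMTP block mentioned later in the thread are assumptions for illustration.

```python
"""Egress policy for an internet-only guest VLAN (added example, constructed addressing)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the example, not any poster's real networks.
GUEST_NET = ip_network("10.20.0.0/22")           # the new guest VLAN
GUEST_GATEWAY = ip_address("10.20.0.1")           # router SVI: DHCP relay and DNS forwarder
UNCONFIGURED = ip_address("0.0.0.0")              # source used by DHCP DISCOVER/REQUEST
CAMPUS_PREFIXES = [
    ip_network("10.0.0.0/8"),                     # RFC 1918 space used on campus
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("198.51.100.0/24"),                # placeholder for the campus public block
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" | "udp" | "icmp"
    dport: Optional[int] = None


def guest_egress_decision(pkt: Packet) -> str:
    """Return "permit" or "deny" for a packet leaving the guest VLAN.

    Evaluated top-down, first match wins, like an extended ACL:
      0. Source must belong to the guest VLAN (or be 0.0.0.0 while getting
         an address); anything else is a spoofed or misconfigured client.
      1. DHCP to the relay must work before the client has an address.
      2. DNS to the gateway forwarder is allowed even though the gateway
         sits inside campus space; without this rule nothing resolves.
      3. Everything else aimed at campus/private space is denied, so the
         VLAN only reaches the internet.
      4. Direct outbound SMTP is denied (anonymous clients relaying mail).
      5. Whatever is left is internet traffic: permit.
    """
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)
    if src not in GUEST_NET and src != UNCONFIGURED:
        return "deny"                                       # rule 0: anti-spoofing
    if pkt.proto == "udp" and pkt.dport == 67:
        return "permit"                                     # rule 1: DHCP
    if dst == GUEST_GATEWAY and pkt.dport == 53 and pkt.proto in ("udp", "tcp"):
        return "permit"                                     # rule 2: local DNS
    if any(dst in net for net in CAMPUS_PREFIXES):
        return "deny"                                       # rule 3: no campus reach
    if pkt.proto == "tcp" and pkt.dport == 25:
        return "deny"                                       # rule 4: no direct SMTP
    return "permit"                                         # rule 5: internet


class TokenBucket:
    """Rate limiter for the guest uplink (512 Kbps in the plan above)."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8            # refill in bytes per second
        self.capacity = burst_bytes         # how much may be sent in one go
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, size_bytes: int, now: float) -> bool:
        """Admit the packet if enough credit has accrued, otherwise drop it."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def simulate_burst(bucket: TokenBucket, sizes, interval: float) -> int:
    """Offer packets of the given sizes at a fixed interval; return how many pass."""
    passed, t = 0, 0.0
    for size in sizes:
        if bucket.allow(size, t):
            passed += 1
        t += interval
    return passed
```

Rule order is the practical point: the DNS and DHCP permits must sit above the blanket campus deny, and the source check at the top is what keeps a guest client from borrowing an address from an adjacent VLAN. At 512 Kbps with an 8 KB burst, a client offering 1500-byte frames every 10 ms gets about two thirds of them through and the rest are dropped, which is the throttling the plan describes.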
Re: [WIRELESS-LAN] Guest access strategy
Mearl Danner wrote:

> Samford is in the process of establishing policies for wireless access on campus.
>
> We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACLs for each SSID, and have successfully applied custom ACLs using RADIUS (freeradius/eDirectory) reply items.
>
> We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.
>
> We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.
>
> We'd appreciate any information on access strategies any list members have implemented (or are considering).

We're doing exactly this (same equipment, 802.1x + open guest); visitors must log in using a web portal using a single-use token. The web pages also provide instructions for connecting to the 802.1x SSID.

We built a system here to provide the web login portal; it's tied into the Airespace controllers. If there is sufficient interest this could likely be shared. Some details:

http://wireless.duke.edu/noauth/login/more_info
http://www.oit.duke.edu/access/duke-secure/token/

-Kevin
Re: [WIRELESS-LAN] Guest access strategy
I forgot:

In our still gigantic layer 2 domain (about 1000 APs in one subnet with most of the users in it... up to 1600 concurrent users these days) we have isolated the management of the APs to another subnet. This reduces a lot of the broadcasting from IAPP.

By implementing multiple SSIDs, it helps folks that have large layer 2 domains in the broadcasting management. I call this vertical subnetting as opposed to horizontal subnetting (or geographical subnetting). Our buildings are so close to each other that the horizontal subnetting would be hard to implement (you don't always get signal from the building that you are in, especially if you are close to a window).

-PH

On Thu, 15 Sep 2005, Philippe Hanset wrote:

> Mearl,
>
> The stage:
>
> # regular open wireless
> # NetReg (web based)
> # automatic patching and distribution of antivirus (22 minutes to register!)
> # 802.1x for WLAN
> # University people, visitors
>
> Problems:
>
> # How to distribute material on a closed network? (first time join... need an open network)
> # How to allow visitors and not patch them or give them AV (we don't pay licenses for visitors!)
> # How to allow "special" visitors, not patch them but still give them advanced privileges
> # What incentives should we use to move people to 802.1x considering that the regular wireless network works so well and that 802.1x is such a pain... all this to provide encryption over the air ONLY and know who is on the network ;-)
>
> The UT Knoxville Solution:
>
> (while waiting to implement total identity-based networking... you could imagine a first 1x authentication with an anonymous login, then switch to a non-anonymous one, all this while staying on the same SSID, assuming that the client has the right 802.1x supplicant... in the near future... If people don't understand 1x, they can use their cell phone and call our outsourced helpdesk)
>
> Meanwhile,
>
> ## One SSID, non-broadcasted (if you don't know the SSID ask around or call the helpdesk... or dial ZERO and ask for the operator). If Microsoft knew how to configure wireless (maybe that's why it's called "Wireless Zero Config.") we would broadcast the SSID.
>
> That SSID lets you:
> Register yourself (using NetReg and LDAP) if you are from UT
> Register friends (up to 5 people per account)
> Register more than 5 people if you are an authorized person (I call it Proxy-trust)
>
> ## One SSID, non-broadcasted, for 802.1x supporting EAP-TTLS and maybe one day EAP-PEAP if MS understands the weaknesses of MD-4 and stops the proprietary approach requiring Active Directory or ugly hacks. Our APs can support multiple encryption types on one SSID (e.g. dynamic WEP, WPA, WPA2) so "theoretically" there is no need for an extra SSID in that arena.
>
> On top of that our RADIUS server will be part of EDUROAM/FWNA to support EDU institutions from around the world (more info at www.eduroam.org or security.internet2.edu/fwna). So, that same SSID will be able to authenticate over 802.1x "trusted" people in the EDU community (visiting scientists, etc...)
>
> ## One SSID, non-broadcasted, for unknown visitors, NATed, and highly restricted. No patching required, lots of ACLs etc... (to be implemented). Use an IP gateway address that is not part of your big IP domain to be able to switch it in case that network gets blocked by the rest of the world. It only takes one visitor to be "banned"!
>
> Our incentives to move people from non-1x to 1x are: NAT all non-1x SSIDs, restrict access to sensitive apps to 1x only, provide free Napster service on 1x (just kidding!)
>
> Since neither NetReg nor 802.1x are good at preventing IP stealing, we also do an active monitoring of IP addresses in the background, correlating data from AP/DHCP/RADIUS...
>
> Best,
>
> Philippe Hanset
> University of Tennessee
>
> On Thu, 15 Sep 2005, Mearl Danner wrote:
>
> > Samford is in the process of establishing policies for wireless access on campus.
> >
> > We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACLs for each SSID, and have successfully applied custom ACLs using RADIUS (freeradius/eDirectory) reply items.
> >
> > We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.
> >
> > We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.
> >
> > We'd appreciate any information on access strategies any list members have implemented (or are considering).
> >
> > Thanks,
> >
> > Mearl Danner
> > Systems Programmer
> > [EMAIL PROTECTED]
> > Samford University
> > htt
Re: [WIRELESS-LAN] Guest access strategy
Mearl,

The stage:

# regular open wireless
# NetReg (web based)
# automatic patching and distribution of antivirus (22 minutes to register!)
# 802.1x for WLAN
# University people, visitors

Problems:

# How to distribute material on a closed network? (first time join... need an open network)
# How to allow visitors and not patch them or give them AV (we don't pay licenses for visitors!)
# How to allow "special" visitors, not patch them but still give them advanced privileges
# What incentives should we use to move people to 802.1x considering that the regular wireless network works so well and that 802.1x is such a pain... all this to provide encryption over the air ONLY and know who is on the network ;-)

The UT Knoxville Solution:

(while waiting to implement total identity-based networking... you could imagine a first 1x authentication with an anonymous login, then switch to a non-anonymous one, all this while staying on the same SSID, assuming that the client has the right 802.1x supplicant... in the near future... If people don't understand 1x, they can use their cell phone and call our outsourced helpdesk)

Meanwhile,

## One SSID, non-broadcasted (if you don't know the SSID ask around or call the helpdesk... or dial ZERO and ask for the operator). If Microsoft knew how to configure wireless (maybe that's why it's called "Wireless Zero Config.") we would broadcast the SSID.

That SSID lets you:
Register yourself (using NetReg and LDAP) if you are from UT
Register friends (up to 5 people per account)
Register more than 5 people if you are an authorized person (I call it Proxy-trust)

## One SSID, non-broadcasted, for 802.1x supporting EAP-TTLS and maybe one day EAP-PEAP if MS understands the weaknesses of MD-4 and stops the proprietary approach requiring Active Directory or ugly hacks. Our APs can support multiple encryption types on one SSID (e.g. dynamic WEP, WPA, WPA2) so "theoretically" there is no need for an extra SSID in that arena.

On top of that our RADIUS server will be part of EDUROAM/FWNA to support EDU institutions from around the world (more info at www.eduroam.org or security.internet2.edu/fwna). So, that same SSID will be able to authenticate over 802.1x "trusted" people in the EDU community (visiting scientists, etc...)

## One SSID, non-broadcasted, for unknown visitors, NATed, and highly restricted. No patching required, lots of ACLs etc... (to be implemented). Use an IP gateway address that is not part of your big IP domain to be able to switch it in case that network gets blocked by the rest of the world. It only takes one visitor to be "banned"!

Our incentives to move people from non-1x to 1x are: NAT all non-1x SSIDs, restrict access to sensitive apps to 1x only, provide free Napster service on 1x (just kidding!)

Since neither NetReg nor 802.1x are good at preventing IP stealing, we also do an active monitoring of IP addresses in the background, correlating data from AP/DHCP/RADIUS...

Best,

Philippe Hanset
University of Tennessee

On Thu, 15 Sep 2005, Mearl Danner wrote:

> Samford is in the process of establishing policies for wireless access on campus.
>
> We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACLs for each SSID, and have successfully applied custom ACLs using RADIUS (freeradius/eDirectory) reply items.
>
> We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.
>
> We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.
>
> We'd appreciate any information on access strategies any list members have implemented (or are considering).
>
> Thanks,
>
> Mearl Danner
> Systems Programmer
> [EMAIL PROTECTED]
> Samford University
> http://www.samford.edu
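The "active monitoring of IP addresses ... correlating data from AP/DHCP/RADIUS" that Philippe mentions (here and in his message quoted in the follow-up above), written out as an added example; it is not UT's code and the thread gives no detail of their implementation. The record shapes and all sample data are constructed for the example; in practice the inputs would be the DHCP lease file, the RADIUS accounting log and the router ARP table or AP client tables.

```python
"""Spot IP stealing by correlating DHCP leases, RADIUS accounting and AP/ARP sightings.

Added example; record formats and sample data are constructed for illustration.
Neither NetReg nor 802.1x stops a client from configuring an address that
belongs to someone else, so the addresses actually seen on the network are
checked against what DHCP handed out, and the offending MAC is attributed to
an 802.1x user where accounting knows one.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: int           # epoch seconds
    end: int


@dataclass(frozen=True)
class RadiusSession:
    user: str
    mac: str
    start: int
    stop: Optional[int]  # None = accounting session still open


@dataclass(frozen=True)
class Observation:
    ts: int
    ip: str
    mac: str
    ap: str              # AP (or ARP source) that reported the ip/mac pairing


@dataclass(frozen=True)
class Alert:
    kind: str            # "lease-mismatch" | "no-lease" | "duplicate-ip"
    ip: str
    mac: str
    detail: str


def active_lease(leases: List[Lease], ip: str, ts: int) -> Optional[Lease]:
    """The lease covering ip at time ts, or None if unleased or expired."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts <= lease.end:
            return lease
    return None


def radius_user(sessions: List[RadiusSession], mac: str, ts: int) -> Optional[str]:
    """Who the 802.1x accounting log says was behind this MAC at time ts."""
    for s in sessions:
        if s.mac == mac and s.start <= ts and (s.stop is None or ts <= s.stop):
            return s.user
    return None


def correlate(leases, sessions, observations, window: int = 300) -> List[Alert]:
    """Walk sightings in time order and flag address use DHCP did not hand out."""
    alerts: List[Alert] = []
    last_seen: Dict[str, Tuple[str, int]] = {}   # ip -> (mac, ts) of previous sighting
    for ob in sorted(observations, key=lambda o: o.ts):
        who = radius_user(sessions, ob.mac, ob.ts) or "unauthenticated"
        lease = active_lease(leases, ob.ip, ob.ts)
        if lease is None:
            alerts.append(Alert("no-lease", ob.ip, ob.mac,
                                f"{ob.ip} in use on {ob.ap} with no active DHCP lease ({who})"))
        elif lease.mac != ob.mac:
            alerts.append(Alert("lease-mismatch", ob.ip, ob.mac,
                                f"{ob.ip} leased to {lease.mac} but used by {ob.mac} on {ob.ap} ({who})"))
        prev = last_seen.get(ob.ip)
        if prev and prev[0] != ob.mac and ob.ts - prev[1] <= window:
            alerts.append(Alert("duplicate-ip", ob.ip, ob.mac,
                                f"{ob.ip} answered from both {prev[0]} and {ob.mac} within {window}s"))
        last_seen[ob.ip] = (ob.mac, ob.ts)
    return alerts


# Constructed sample data: three leases, two accounting sessions, four sightings.
SAMPLE_LEASES = [
    Lease("10.10.0.20", "aa:bb:cc:00:00:01", 1000, 5000),
    Lease("10.10.0.21", "aa:bb:cc:00:00:02", 1000, 5000),
    Lease("10.10.0.22", "aa:bb:cc:00:00:03", 1000, 2000),    # lease ends at t=2000
]
SAMPLE_SESSIONS = [
    RadiusSession("alice", "aa:bb:cc:00:00:01", 900, None),
    RadiusSession("guest-4471", "de:ad:be:ef:00:99", 1500, None),
]
SAMPLE_OBSERVATIONS = [
    Observation(1200, "10.10.0.20", "aa:bb:cc:00:00:01", "ap-lib-1"),    # normal
    Observation(1600, "10.10.0.21", "de:ad:be:ef:00:99", "ap-lib-2"),    # using someone else's lease
    Observation(1700, "10.10.0.21", "aa:bb:cc:00:00:02", "ap-lib-1"),    # rightful holder still active
    Observation(2500, "10.10.0.22", "aa:bb:cc:00:00:03", "ap-dorm-3"),   # kept the address past lease end
]


def run_sample() -> List[Alert]:
    return correlate(SAMPLE_LEASES, SAMPLE_SESSIONS, SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.kind, a.detail)
```

On the sample data this yields three alerts: a lease mismatch at t=1600 attributed to the 802.1x user behind the offending MAC, a duplicate-IP alert when the rightful holder answers from the same address 100 seconds later, and a no-lease alert for a client that kept its address after the lease ran out. The two distinct alert kinds matter because a duplicate without a mismatch is usually a stale ARP entry, while a mismatch plus a duplicate is the conflict that actually knocks the victim offline.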
Re: [WIRELESS-LAN] Guest access strategy
Well put, Dave.

The big news right now for Syracuse, as Dave mentioned, is the ability to easily sponsor guests and allow Jane Q. Public to access our growing wireless network. It will be interesting to see how our traffic patterns change with wireless being opened up to a larger population, and what specific APs get to be "popular" with non-campus users. It will also be an exercise in seeing how healthy or not anonymous machines are, and whether they cause much trouble for the SU network. A lot to watch, but well worth it for the ease of access that these "other" wireless groups should soon be able to enjoy.

But also at Syracuse, with our current topology, we are limited in certain capacities that don't yet impact us. For example: because we don't have VoIP on either the wired or wireless, the fact that we can't roam across VPN spaces or home-grown gateway spaces isn't an issue - yet. If a wireless user lugging a laptop or PDA traverses one gateway-front-ended network space to another, they'd have to reconnect on that new space. Our home-brew gateways and VPN appliances don't have the intelligent coordination to use the likes of GRE tunnels and such to gracefully move sessions from one space to another (as many commercial solutions provide). But again, not a real concern yet. By the time we're done, we'll likely have as many as 10-12 of these spaces, each with its own gateway, meaning that many pieces of campus with roaming "boundaries" until we devise an alternate, budget-compliant solution that overcomes the effect.

Great group, by the way - lots of good posts being shared.

Lee

Lee H. Badman
Network Engineer
CWSP, CWNA (CWNP011288)
Computing and Media Services (NSS)
250 Machinery Hall
Syracuse University
Syracuse, NY 13244
(315) 443-3003 Voice
(315) 443-1621 Fax

>>> [EMAIL PROTECTED] 09/15/05 11:45 AM >>>

At Syracuse, we are close to going live with a new web-based wireless access portal that provides three levels of access:

1. Normal University users authenticate with their campus NetID and have full access.
2. Anyone having a valid NetID can also provision a time-limited sponsored guest account. These sponsored guests get the same level of access as a normal University user.
3. A third level of access is an open, unauthenticated guest access that is restricted to basic web/Internet access and throttled back to about 200kbps.

In addition, we also provide secure access through a VPN and plan to eventually add 802.1x services.

I'm affiliated with one of the academic schools on campus and I'm not part of the central computing organization (though I did manage the campus network from 1991 to 1998). It took us a long time to develop a strategy that serves the interests of end users and IT staff alike. I think we've done that, though only time will tell. I also think this strategy is consistent with our administration's efforts to engage more effectively with the local community. Lee Badman may want to comment more about this from a central IT perspective.

dm

> -----Original Message-----
> From: Mearl Danner [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 15, 2005 10:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Guest access strategy
>
> Samford is in the process of establishing policies for wireless access on campus.
>
> We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACLs for each SSID, and have successfully applied custom ACLs using RADIUS (freeradius/eDirectory) reply items.
>
> We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.
>
> We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.
>
> We'd appreciate any information on access strategies any list members have implemented (or are considering).
>
> Thanks,
>
> Mearl Danner
> Systems Programmer
> [EMAIL PROTECTED]
> Samford University
> http://www.samford.edu
RE: [WIRELESS-LAN] Guest access strategy
Some might be interested that the web-based guest wireless portal we are about to deploy is a new HP product. It's a blade (access control module) that goes into an HP 5300 switch. The switch is then configured to pass particular VLANs through the blade. There is also a central controller (access control server). It can handle a bunch of the blades. Traffic doesn't go through the central controller. On the controller one defines what traffic is to be allowed for various classes of users (e.g. unauthenticated users, authenticated users, users from blade #1, etc).

We do see 802.1x as the ultimate solution. However, despite the fact that more than a few universities are already using 802.1x, personally I would like to see a higher degree of maturity and interoperability by native clients. (Of course, I'm still waiting for that to occur with VPN clients.) In the short run I'm not sure I see a huge advantage of 802.1x over our current VPN-protected wireless scheme. However I certainly would like to hear from 802.1x outfits how they have found that experience, both from the backend and the user's perspective, and to hear what the advantages of 802.1x are.

Tom Zeller
Indiana University
[EMAIL PROTECTED]

-----Original Message-----
From: Dave Molta [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 10:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest access strategy

At Syracuse, we are close to going live with a new web-based wireless access portal that provides three levels of access:

1. Normal University users authenticate with their campus NetID and have full access.
2. Anyone having a valid NetID can also provision a time-limited sponsored guest account. These sponsored guests get the same level of access as a normal University user.
3. A third level of access is an open, unauthenticated guest access that is restricted to basic web/Internet access and throttled back to about 200kbps.

In addition, we also provide secure access through a VPN and plan to eventually add 802.1x services.

I'm affiliated with one of the academic schools on campus and I'm not part of the central computing organization (though I did manage the campus network from 1991 to 1998). It took us a long time to develop a strategy that serves the interests of end users and IT staff alike. I think we've done that, though only time will tell. I also think this strategy is consistent with our administration's efforts to engage more effectively with the local community. Lee Badman may want to comment more about this from a central IT perspective.

dm

> -----Original Message-----
> From: Mearl Danner [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 15, 2005 10:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Guest access strategy
>
> Samford is in the process of establishing policies for wireless access on campus.
>
> We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACLs for each SSID, and have successfully applied custom ACLs using RADIUS (freeradius/eDirectory) reply items.
>
> We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.
>
> We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.
>
> We'd appreciate any information on access strategies any list members have implemented (or are considering).
>
> Thanks,
>
> Mearl Danner
> Systems Programmer
> [EMAIL PROTECTED]
> Samford University
> http://www.samford.edu
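The sponsored, time-limited guest account that Dave Molta's three-tier scheme (quoted in the two replies above) and Tom Zeller's Indiana post both describe, as an added example that is neither Syracuse's nor Indiana's code: a NetID holder provisions a guest for a bounded number of days, the portal maps whoever it authenticated to a tier, and an expired or unknown guest ID falls to the open tier rather than being rejected. The NetIDs, the 14-day cap and the policy values are assumptions for illustration; the 200 kbps figure for the open tier is the one in Dave's post.

```python
"""Sponsored, time-limited guest accounts behind a tiered access policy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class AccessPolicy:
    level: str                 # "full" | "sponsored" | "open"
    campus_reach: bool         # may reach internal campus resources
    rate_kbps: Optional[int]   # None = not throttled


FULL = AccessPolicy("full", True, None)
SPONSORED = AccessPolicy("sponsored", True, None)   # same access as a normal user, per the post
OPEN = AccessPolicy("open", False, 200)             # basic web only, throttled to ~200 kbps


@dataclass(frozen=True)
class GuestAccount:
    guest_id: str
    sponsor: str
    created: datetime
    expires: datetime
    purpose: str


class GuestDirectory:
    MAX_DAYS = 14   # assumed cap on how long one sponsorship may run

    def __init__(self, netids: Iterable[str]):
        self.netids = set(netids)                 # holders of a valid campus NetID
        self.guests: Dict[str, GuestAccount] = {}

    def sponsor_guest(self, sponsor: str, guest_id: str, days: int,
                      purpose: str, now: datetime) -> GuestAccount:
        """A NetID holder provisions a guest; a guest ID is never a valid sponsor."""
        if sponsor not in self.netids:
            raise PermissionError("only a valid NetID holder can sponsor a guest")
        if guest_id in self.netids or guest_id in self.guests:
            raise ValueError("identifier already in use")
        if not 1 <= days <= self.MAX_DAYS:
            raise ValueError(f"sponsorship must run 1..{self.MAX_DAYS} days")
        acct = GuestAccount(guest_id, sponsor, now, now + timedelta(days=days), purpose)
        self.guests[guest_id] = acct
        return acct

    def policy_for(self, identity: Optional[str], now: datetime) -> AccessPolicy:
        """Map whoever the portal authenticated (or nobody) to an access tier.

        An expired or unknown guest ID is not rejected: it drops to the open
        tier, which is what an unauthenticated visitor gets anyway.
        """
        if identity in self.netids:
            return FULL
        acct = self.guests.get(identity) if identity else None
        if acct and acct.created <= now < acct.expires:
            return SPONSORED
        return OPEN

    def expire(self, now: datetime) -> List[str]:
        """Purge accounts past their end time; the returned ids are the audit record."""
        gone = [g for g, a in self.guests.items() if a.expires <= now]
        for g in gone:
            del self.guests[g]
        return gone


# Constructed fixtures so the module can be exercised without a real directory.
T0 = datetime(2005, 9, 15, 12, 0, tzinfo=timezone.utc)


def after_days(t: datetime, days: int) -> datetime:
    return t + timedelta(days=days)


def demo() -> GuestDirectory:
    d = GuestDirectory(["jdoe", "asmith"])      # constructed NetIDs, not real users
    d.sponsor_guest("asmith", "guest-press-01", 3, "football press box", T0)
    return d
```

The sponsor record on each account is what turns "anyone with a NetID can provision a guest" into something auditable: when an anonymous-looking machine causes trouble, the guest ID leads back to the member of the campus community who vouched for it.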
RE: [WIRELESS-LAN] Guest access strategy
I don't support this, and don't use it. But you should know that it exists:

WPS - Wireless Provisioning Services
http://www.microsoft.com/whdc/device/network/wireless/wps.mspx

Wireless Provisioning Services (WPS) enable the discovery of and connection to wireless networks. WPS enhancements are included in Microsoft Windows XP Service Pack 2 (SP2) and under consideration for Windows Server(tm) 2003 Service Pack 1 (SP1). WPS extends the wireless client software included with Windows XP and the Internet Authentication Service (IAS) included with Windows Server 2003 to allow for a consistent and automated configuration process when connecting to public wireless hotspots or private wireless networks that provide guest access to the Internet. The WPS APIs allow for the pre-provisioning of network information to connect to these networks and the provisioning of network settings to connect to private wireless networks.

> -----Original Message-----
> From: Mearl Danner [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 15, 2005 10:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Guest access strategy
>
> Samford is in the process of establishing policies for wireless access on campus.
>
> We have Airespace/Cisco 4100 controllers and are in the process of deploying model 1100 APs in various areas around campus. Using this hardware we are able to establish different default ACLs for each SSID, and have successfully applied custom ACLs using RADIUS (freeradius/eDirectory) reply items.
>
> We plan to provide restricted access to campus guests on an open SSID and a higher default level of access on an 802.1x authenticated SSID.
>
> We would like to make it a relatively simple process for campus visitors to access the guest SSID, but make its access restrictive enough to encourage members of the campus community to go the extra steps required to configure for 802.1x.
>
> We'd appreciate any information on access strategies any list members have implemented (or are considering).
>
> Thanks,
>
> Mearl Danner
> Systems Programmer
> [EMAIL PROTECTED]
> Samford University
> http://www.samford.edu