RE: Network Authentication question
We are using Aruba CloudPath for RADIUS Guest and Cloudpath XpressConnect Wizard for onboarding. We have wired 802.1X (PEAP-MSCHAPv2 MAC auth) in our dorms with Cisco switches. We use VLAN names instead of numbers to give scalability in our environment. We also use Cisco phones and have clients connected through the phone. We use EAP-TLS with the preinstalled certificates or MAC auth for older models.

If I had to do things again, I would look at using predefined ACLs applied at a port level.

Bruce Osborne
Wireless Engineer
IT Infrastructure Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Danny Eaton [mailto:dannyea...@rice.edu]
Sent: Wednesday, June 24, 2015 4:26 PM
Subject: Re: Network Authentication question

Is anyone doing any of these for wired, using 802.1X?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, June 24, 2015 3:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

I went with the Extreme Netsight product at my last shop and found it to be excellent. I could assign policy to an end user pretty much on any criteria I could think of. I was hard pressed to find something I could not do. The nice thing about Extreme is that it is a fully integrated system across wired and wireless and you can apply the exact same policy to a user no matter how or where they connect. Naturally it works best if you have Extreme for both wired and wireless but it is not necessary.

John

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Barber, Matt
Sent: Wednesday, June 24, 2015 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [BULK] Re: [WIRELESS-LAN] Network Authentication question
Importance: Low

Hi Matthew,

We are currently deploying a new Aruba network with ClearPass after evaluating both them and Extreme pretty heavily. ClearPass was one of the major deciding factors in us ending up with Aruba. As Frank and Russ mentioned, it is very full-featured. We are using the RADIUS functionality for our main WPA2-Enterprise network and using their guest and registration features for everything else. We are very impressed so far. I would be happy to talk specifics if you are interested.

Take care,

Matt Barber ‘06
Network and Systems Manager
Morrisville State College
315-684-6053

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Williams, Matthew
Sent: Wednesday, June 24, 2015 10:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Network Authentication question

We’re looking into a few RADIUS solutions and I was wondering if any of you had any experience with the following products and what your thoughts are on them:

Cisco ISE
Aruba ClearPass
Extreme NetSight
Cloudpath XPressConnect ES

Any input would be appreciated. Thanks.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: Network Authentication question
I am sure they were referring to Cloudpath XpressConnect Wizard. Cloudpath ES is their attempt at a full RADIUS system that includes XpressConnect Wizard.

XpressConnect Wizard is definitely the best onboarding app I have tested. During the launch of XpressConnect ES, it appeared to be lacking in features, and many of the features mentioned were not available at that time. The product would need to mature before I would consider it.

We have heard indications that all CloudPath R&D is focused on ES. They will only add new OS support to Wizard.

Bruce Osborne
Wireless Engineer
IT Infrastructure Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Steven D. Veron [mailto:sve...@lamar.edu]
Sent: Wednesday, June 24, 2015 1:07 PM
Subject: Re: Network Authentication question

I don't remember who said it to give them credit, but give me Cloudpath or give me death. So far the only issues have been device issues that no vendor can overcome.

Steven D Veron
Senior Network Analyst
Lamar University
Office- 409-880-2386
Cell- 409-351-5961
steven.ve...@lamar.edu

From: Frank Sweetser f...@wpi.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, June 24, 2015 9:56:03 AM
Subject: Re: [WIRELESS-LAN] Network Authentication question

We're in the early stages of doing Aruba ClearPass. It's a very flexible RADIUS system at its core, which means that a) it appears to be able to handle every use case we've thrown at it, including integrating with home-brew backend systems, and b) there's a lot of initial setup work to accommodate all of that flexibility. Guest network access is also a very strong point, and is also where we're initially deploying it (more specifically, we're using it to handle multi-vendor guest wireless networks while we transition from Juniper to Aruba). It also includes onboarding and MDM functionality, but we haven't looked into them yet.

Cloudpath is an excellent onboarding system - we've been using it for about three years now. Their RADIUS side is fairly new, and has a pretty targeted use case - authenticating cert based users, and handling a MAC RADIUS style registration database for non 1x capable devices. That might be good enough for you, but if you do anything fancy like require registration in an IPAM system, you're probably going to run into limitations in a hurry.

Feel free to let me know if you have any follow up questions, or I'd be happy to chat via phone.

Frank Sweetser fs at wpi.edu    | For every problem, there is a solution that
Manager of Network Operations   | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken
RE: Network Authentication question
Russ,

Are you sure you are not confusing Aruba ClearPass and Aruba Airwave? We have Airwave send alerts, but I do not see how ClearPass could help with this.

Bruce Osborne
Wireless Engineer
IT Infrastructure Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jerry Bucklaew [mailto:j...@buffalo.edu]
Sent: Wednesday, June 24, 2015 11:18 AM
Subject: Re: Network Authentication question

On 06/24/2015 10:56 AM, Russ Leathe wrote:
Aruba clearpass allows us to recover lost/stolen devices if they are in range of an ap.

We are just deploying clearpass and it indeed seems to be a very flexible system. How exactly do you do the tracking/recovery? I assume you need to have an interface to track stolen lost/stolen and then you set it up to report when seen?
Microfridge vs wifi
We just noticed that our Residence Life department started renting Microfridges (https://www.collegiateconcepts.net/34/index.html) to students in our dorms. Does anyone have experience with these appliances on their campuses? If so, are the microwaves causing any issues in the 2.4 range?

*Van K. Jones*
Network Support Manager
Mississippi College
P: 601.925.3493 | F: 601.925.3955
Facebook http://www.facebook.com/mississippicollege | Twitter http://www.twitter.com/misscollege | Vimeo http://www.vimeo.com/misscollege
http://www.mc.edu/
RE: [WIRELESS-LAN] Network Authentication question
We use freeradius for our wired (dorms with dot1X MAC auth) and wireless (guests with PAP, eduroam visitors with proxy, and users/machines with dot1X - PEAP) authentications. The biggest advantage of using freeradius is it's free. It is customizable to fit our needs and a powerful tool. If you have someone with strong Linux background, give FR a try.

We are also looking into Cloudpath onboarding for implementing EAP-TLS if we can get it funded.

Yu Wang
The Florida State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Wednesday, June 24, 2015 8:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

We are using freeradius and it works very well. It's Linux and CLI based though so would recommend having a good solid base of those skills in the team that's supporting it. It's been reliable and flexible.

Another +1 for Cloudpath onboarding, we've been on XC for quite some time and are currently moving to ES. We won't be using their internal radius at this point but will look into it later. We mainly use PEAP for auth but have introduced EAP-TLS with Cloudpath, it's gone well and we expect to be going live with that soon.

We don't run wired dot1x but did get a pilot up and running about 18 months ago with Cisco 3750 series switches. We had it all up and running with Windows, Apple, Linux devices able to auth. Over time we noticed some issues but with no project to head down this path it was all spare time work. As such it got dropped, we don't know where the issues were but the initial setup was easy so we are confident it would all be good providing we have the time to implement properly.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
RE: Network Authentication question
I’m interested in your thoughts on port ACLs as well. We set up a proof of concept with Clearpass wired 802.1x (PEAP/MSCHAP-V2) and per port downloadable ACLs to our Cisco switches, with the idea that wired and wireless would look the same. The testing we’ve done so far is going well, but we haven’t scaled this out to large populations.

Mike

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Thursday, June 25, 2015 5:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

Bruce,

Interesting that you have mixed Cisco and Aruba. We are actually all Cisco at this time and are considering ISE and ClearPass. (Assuming you meant to say Aruba ClearPass for RADIUS and guest, not Aruba CloudPath.) For us this will initially be as a guest access solution, but I believe there is a good chance that the solution we choose will be an obvious contender for replacement of our RADIUS environment at some point. Matt Barber had mentioned that he looked at both and chose ClearPass which apparently drove his wireless decision. If I recall correctly, you guys are Aruba wireless, which perhaps made ClearPass a more obvious choice?

Also, curious about your statement regarding port level ACLs. Would love to hear more about your thinking there. We have yet to deploy VOIP, but it is coming. Are you saying you would do port level ACLs instead of the VLANs for some reason?

Thanks,

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Thursday, June 25, 2015 7:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

We are using Aruba CloudPath for RADIUS Guest and Cloudpath XpressConnect Wizard for onboarding. We have wired 802.1X (PEAP-MSCHAPv2 MAC auth) in our dorms with Cisco switches. We use VLAN names instead of numbers to give scalability in our environment. We also use Cisco phones and have clients connected through the phone. We use EAP-TLS with the preinstalled certificates or MAC auth for older models.

If I had to do things again, I would look at using predefined ACLs applied at a port level.

Bruce Osborne
Wireless Engineer
IT Infrastructure Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
Re: [WIRELESS-LAN] Favourite Wifi Dongles
I don’t have any answers but found it interesting that the Edimax EW-7711MAC AC450 appears to only be supported for Mac OS X and it only works on 5 GHz.

On Jun 25, 2015, at 11:00 AM, Thomas Carter tcar...@austincollege.edu wrote:

We’ve used a number of the Netgear WNA1000M adapters and have been happy, but the use has just been Windows. It seems USB wifi dongles seem hit or miss with OSX (is anything “officially” supported?). We liked these units due to the small size so they could be used inconspicuously to avoid disappearing. We’ve used them frequently in situations where temporary, ad-hoc labs were created with desktops in an area without easy access to wired connections.

Thanks,

Thomas Carter
Network Operations Manager
Austin College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Thursday, June 25, 2015 12:36 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Favourite Wifi Dongles

Just putting out a question to see if anyone has preferences when it comes to USB dongles. We typically like to have a number available and they have helped out a few times over the years to deal with broken internal cards, 2.4ghz only cards and temporary setups etc.

We’ve often purchased a couple of varieties, tested them and stocked up on our favourite. Considering things like performance, stability, included drivers in OS, supporting multiple OS’s.

Our most recent was a few years ago now Edimax AC1200 (EW-7822UAC) but have also been pretty happy with Linksys. The edimax performs pretty well and supports Windows, Mac and Linux. But it’s time to get a few more.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
e-mail: jason.c...@adelaide.edu.au
CRICOS Provider Number 00123M

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
RE: Favourite Wifi Dongles
We've used a number of the Netgear WNA1000M adapters and have been happy, but the use has just been Windows. It seems USB wifi dongles seem hit or miss with OSX (is anything officially supported?). We liked these units due to the small size so they could be used inconspicuously to avoid disappearing. We've used them frequently in situations where temporary, ad-hoc labs were created with desktops in an area without easy access to wired connections.

Thanks,

Thomas Carter
Network Operations Manager
Austin College
RE: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question
One thing I've noticed is that by default Windows seems to prefer the setting User or Computer Authentication, and if you're not using certificates, then the Computer Authentication will fail. The really goofy thing is that Windows will use the username/credentials 5 times in a row, then just decide it wants to use the computer authentication/certificate (which doesn't exist), and fails authentication. We have in our setup documentation (for our current round of testing with Cisco ISE), to set the Authentication to User Authentication only.

Just FYI, but the wireless does this as well.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Thursday, June 25, 2015 12:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question

I tried 802.1x via wired and it fell on its face. I have tried this on both Cisco and Extreme gear. What I found from hours of looking at packet captures is that the MS supplicant just doesn't work consistently. It seemed that the switches and RADIUS servers were working properly and moving packets along as designed but the supplicant would just flake out. It would not respond part way through an 802.1x authentication or it would not prompt the end user for credentials when needed etc.

I have seen this behavior all the way from Win XP through Win8. I tried updates and combing the forums and found that many other folks are having issues with wired 802.1x but was never able to resolve it partially due to the intermittent nature. I tried NIC driver updates, OS patches, anything I could find.

The weird thing is that wireless works well. I would think it would be one supplicant for both and the connection method would not matter.

John
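The "User or Computer Authentication" versus "User Authentication" setting discussed in the message above is stored as the OneX `authMode` element in the profile XML that `netsh lan export profile` and `netsh wlan export profile` write. The following is an added example, not code from the thread: a Python check over exported profiles that flags the ones where the supplicant may attempt computer authentication. The sample profiles, the `computer_creds_deployed` parameter and the treatment of a missing `authMode` as `machineOrUser` are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profiles (not from the thread), shaped like netsh exports.
WIRED_DEFAULT = """
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
    </OneX>
  </security></MSM>
</LANProfile>
"""

WIRELESS_USER_ONLY = """
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>example-ssid</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

WIRED_NO_AUTHMODE = """
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"></OneX>
  </security></MSM>
</LANProfile>
"""

# authMode value in the profile -> label in the Windows authentication dialog.
GUI_LABEL = {
    "machineOrUser": "User or computer authentication",
    "machine": "Computer authentication",
    "user": "User authentication",
    "guest": "Guest authentication",
}

# Assumption for this example: a profile without an explicit authMode is
# treated as the "User or computer" behaviour described in the message.
ASSUMED_DEFAULT = "machineOrUser"


def _local(tag):
    """Strip the XML namespace so LAN, WLAN and OneX elements compare by name."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text, computer_creds_deployed=False):
    """Return the 802.1X authentication mode of one exported profile.

    computer_creds_deployed (hypothetical parameter): True if the site has
    provisioned computer credentials, so computer authentication can succeed.
    """
    root = ET.fromstring(xml_text.strip())
    kind = {"LANProfile": "wired", "WLANProfile": "wireless"}.get(
        _local(root.tag), "unknown")

    # First occurrence of each element name, namespace-agnostic.
    values = {}
    for el in root.iter():
        values.setdefault(_local(el.tag), (el.text or "").strip())

    # Wired profiles use OneXEnabled; wireless profiles use useOneX.
    flag = values.get("OneXEnabled", values.get("useOneX", "false"))
    if flag.lower() != "true":
        return {"kind": kind, "dot1x": False, "auth_mode": None,
                "explicit": False, "finding": "802.1X not enabled"}

    explicit = bool(values.get("authMode"))
    mode = values["authMode"] if explicit else ASSUMED_DEFAULT
    if mode in ("machineOrUser", "machine") and not computer_creds_deployed:
        finding = ("REVIEW: supplicant may attempt computer authentication "
                   "with no computer credentials deployed")
    else:
        finding = "ok"
    return {"kind": kind, "dot1x": True, "auth_mode": mode,
            "explicit": explicit, "finding": finding}


if __name__ == "__main__":
    for name, xml_text in [("wired-default", WIRED_DEFAULT),
                           ("wireless-user", WIRELESS_USER_ONLY),
                           ("wired-no-authmode", WIRED_NO_AUTHMODE)]:
        r = audit_profile(xml_text)
        label = GUI_LABEL.get(r["auth_mode"], "n/a")
        print(f"{name}: {r['kind']}, {label}, {r['finding']}")
```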
RE: [BULK] Re: [WIRELESS-LAN] Network Authentication question
I tried 802.1x via wired and it fell on its face. I have tried this on both Cisco and Extreme gear. What I found from hours of looking at packet captures is that the MS supplicant just doesn't work consistently. It seemed that the switches and RADIUS servers were working properly and moving packets along as designed but the supplicant would just flake out. It would not respond part way through an 802.1x authentication or it would not prompt the end user for credentials when needed etc. I have seen this behavior all the way from Win XP through Win8.

I tried updates and combing the forums and found that many other folks are having issues with wired 802.1x but was never able to resolve it, partially due to the intermittent nature. I tried NIC driver updates, OS patches, anything I could find.

The weird thing is that wireless works well. I would think it would be one supplicant for both and the connection method would not matter.

John

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Wednesday, June 24, 2015 4:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [BULK] Re: [WIRELESS-LAN] Network Authentication question
Importance: Low

Is anyone doing any of these for wired, using 802.1X?
RE: Network Authentication question
Thank you for your insights, everyone. We appreciate it. I am somewhat surprised that Cisco ISE wasn’t really mentioned. The input was helpful and again, thank you.

Respectfully,
Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Ricci
Sent: Thursday, June 25, 2015 11:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

I’m interested in your thoughts on port ACLs as well. We set up a proof of concept with Clearpass wired 802.1x (PEAP/MSCHAP-V2) and per port downloadable ACL’s to our Cisco switches, with the idea that wired and wireless would look the same. The testing we’ve done so far is going well, but we haven’t scaled this out to large populations.

Mike

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Thursday, June 25, 2015 5:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

Bruce,

Interesting that you have mixed Cisco and Aruba. We are actually all Cisco at this time and are considering ISE and ClearPass. (Assuming you meant to say Aruba ClearPass for RADIUS and guest, not Aruba CloudPath.) For us this will initially be as a guest access solution, but I believe there is a good chance that the solution we choose will be an obvious contender for replacement of our RADIUS environment at some point. Matt Barber had mentioned that he looked at both and chose ClearPass which apparently drove his wireless decision. If I recall correctly, you guys are Aruba wireless, which perhaps made ClearPass a more obvious choice?

Also, curious about your statement regarding port level ACL’s. Would love to hear more about your thinking there. We have yet to deploy VOIP, but it is coming. Are you saying you would do port level ACL’s instead of the VLAN’s for some reason?

Thanks,
Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Thursday, June 25, 2015 7:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

We are using Aruba CloudPath for RADIUS Guest and Cloudpath XpressConnect Wizard for onboarding. We have wired 802.1X (PEAP-MSCHAPv2 MAC auth) in our dorms with Cisco switches. We use vlan names instead of numbers to give scalability in our environment. We also use Cisco phones and have clients connected through the phone. We use EAP-TLS with the preinstalled certificates or mac auth for older models.

If I had to do things again, I would look at using predefined ACLs applied at a port level.

Bruce Osborne
Wireless Engineer
IT Infrastructure Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
Re: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question
We've been having very good results rolling out a strictly MAB based deployment across our entire wired infrastructure. Because we require pre-registration of all MAC addresses, it allows us to get at least some context on devices to take some basic actions on, without entailing the joy of supporting dot1x on client wired interfaces.

Frank Sweetser fs at wpi.edu         | For every problem, there is a solution that
Manager of Network Operations        | is simple, elegant, and wrong.
Worcester Polytechnic Institute      | - HL Mencken

On 06/25/2015 02:23 PM, Danny Eaton wrote:

Understood Lee, and I agree. One goal, at least one stated goal, is port agnosticism. A port in the colleges is the same as a port in the library as the same in the Humanities building(s). Simplifies troubleshooting because every port is the same (data centers excluded, perhaps), and expected behavior is the same everywhere – you can take your AppleTV from your dorm room to an empty classroom, and it should do the same thing in both places.

We are obviously testing MAB (for the TV’s, games, FEP BAS, etc.), so most of the wired stuff in the colleges will in fact be MAB’ed anyway.

*From:*Lee H Badman [mailto:lhbad...@syr.edu]
*Sent:* Thursday, June 25, 2015 1:06 PM
*To:* 'dannyea...@rice.edu'; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* RE: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question

The thing I struggle with a bit on the notion of wired 802.1X: If I have 10K ports in Resnet, and 95%+ of them are idle because Wi-Fi is preferred access method, and the ports that ARE used are games and TVs (primarily) - is the effort and complexity of 1X on the wired side worth it?

That’s not to say I’ve reached a definitive conclusion, but I will admit to being skeptical to the value of the wired 1X paradigm so far.

-Lee
RE: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question
The thing I struggle with a bit on the notion of wired 802.1X: If I have 10K ports in Resnet, and 95%+ of them are idle because Wi-Fi is preferred access method, and the ports that ARE used are games and TVs (primarily) - is the effort and complexity of 1X on the wired side worth it?

That's not to say I've reached a definitive conclusion, but I will admit to being skeptical to the value of the wired 1X paradigm so far.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Thursday, June 25, 2015 1:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question

One thing I've noticed is that by default Windows seems to prefer the setting "User or Computer Authentication", and if you're not using certificates, then the "Computer Authentication" will fail. The really goofy thing is that Windows will use the username/credentials 5 times in a row, then just decide it wants to use the computer authentication/certificate (which doesn't exist), and fails authentication. We have in our setup documentation (for our current round of testing with Cisco ISE), to set the Authentication to "User Authentication" only.

Just FYI, but the wireless does this as well.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Thursday, June 25, 2015 12:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question

I tried 802.1x via wired and it fell on its face. I have tried this on both Cisco and Extreme gear. What I found from hours of looking at packet captures is that the MS supplicant just doesn't work consistently. It seemed that the switches and RADIUS servers were working properly and moving packets along as designed but the supplicant would just flake out. It would not respond part way through an 802.1x authentication or it would not prompt the end user for credentials when needed etc. I have seen this behavior all the way from Win XP through Win8.

I tried updates and combing the forums and found that many other folks are having issues with wired 802.1x but was never able to resolve it, partially due to the intermittent nature. I tried NIC driver updates, OS patches, anything I could find.

The weird thing is that wireless works well. I would think it would be one supplicant for both and the connection method would not matter.

John
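Added example, not part of any list member's message and not code from any product named in this thread: Danny Eaton's note quoted above describes a supplicant left on "User or Computer Authentication" that authenticates with user credentials several times and then fails when it switches to computer authentication. The Python sketch below finds that pattern per MAC address in RADIUS results; the log layout and sample lines are constructed, and it assumes computer authentication appears with the `host/` identity prefix that Windows uses.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up key=value layout; not the log format of any
# RADIUS product named in this thread.
SAMPLE_LOG = """\
2015-06-25T13:00:01 result=accept mac=00:11:22:33:44:55 identity=jdoe
2015-06-25T13:05:01 result=accept mac=00:11:22:33:44:55 identity=jdoe
2015-06-25T13:10:01 result=accept mac=00:11:22:33:44:55 identity=jdoe
2015-06-25T13:15:01 result=accept mac=00:11:22:33:44:55 identity=jdoe
2015-06-25T13:20:01 result=accept mac=00:11:22:33:44:55 identity=jdoe
2015-06-25T13:25:01 result=reject mac=00:11:22:33:44:55 identity=host/DORM-PC-17.example.edu
2015-06-25T13:26:00 result=reject mac=66:77:88:99:aa:bb identity=host/KIOSK-02.example.edu
2015-06-25T13:27:00 result=accept mac=cc:dd:ee:ff:00:11 identity=asmith
2015-06-25T13:28:00 result=accept mac=cc:dd:ee:ff:00:11 identity=host/STAFF-PC-09.example.edu
this line is malformed and is skipped
2015-06-25T13:30:01 result=accept mac=00:11:22:33:44:55 identity=jdoe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+result=(?P<result>accept|reject)\s+"
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"identity=(?P<identity>\S+)$"
)


def is_machine_identity(identity):
    # Assumption: computer authentication presents itself as host/<fqdn>.
    return identity.lower().startswith("host/")


def find_machine_fallback_failures(lines):
    """Return one finding per rejected machine authentication that directly
    follows a run of accepted user authentications from the same MAC."""
    run = defaultdict(lambda: {"user": None, "count": 0})
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the expected layout
        mac = m["mac"].lower()
        identity = m["identity"]
        accepted = m["result"] == "accept"
        state = run[mac]
        if is_machine_identity(identity):
            if not accepted and state["count"] > 0:
                findings.append({
                    "timestamp": m["ts"],
                    "mac": mac,
                    "machine_identity": identity,
                    "last_user": state["user"],
                    "user_accepts_before": state["count"],
                })
            # Any machine attempt ends the current run of user logins.
            state["user"], state["count"] = None, 0
        elif accepted:
            if state["user"] == identity:
                state["count"] += 1
            else:
                state["user"], state["count"] = identity, 1
        else:
            # A rejected user login is a different problem; restart the run.
            state["user"], state["count"] = None, 0
    return findings


if __name__ == "__main__":
    for f in find_machine_fallback_failures(SAMPLE_LOG.splitlines()):
        print(f"{f['timestamp']} {f['mac']}: {f['machine_identity']} rejected "
              f"after {f['user_accepts_before']} accepts for {f['last_user']}")
```

Ports flagged this way are candidates for the "User Authentication" only setting described in the quoted message, or for machine certificates if computer authentication is wanted.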
RE: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question
Understood Lee, and I agree. One goal, at least one stated goal, is port agnosticism. A port in the colleges is the same as a port in the library as the same in the Humanities building(s). Simplifies troubleshooting because every port is the same (data centers excluded, perhaps), and expected behavior is the same everywhere - you can take your AppleTV from your dorm room to an empty classroom, and it should do the same thing in both places.

We are obviously testing MAB (for the TV's, games, FEP BAS, etc.), so most of the wired stuff in the colleges will in fact be MAB'ed anyway.

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Thursday, June 25, 2015 1:06 PM
To: 'dannyea...@rice.edu'; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: [WIRELESS-LAN] [BULK] Re: [WIRELESS-LAN] Network Authentication question

The thing I struggle with a bit on the notion of wired 802.1X: If I have 10K ports in Resnet, and 95%+ of them are idle because Wi-Fi is preferred access method, and the ports that ARE used are games and TVs (primarily) - is the effort and complexity of 1X on the wired side worth it?

That's not to say I've reached a definitive conclusion, but I will admit to being skeptical to the value of the wired 1X paradigm so far.

-Lee