Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-25 Thread Walter Reynolds
We have been doing the attribute method for a while and have not really had
any problems.  We use FreeRADIUS with an LDAP check for the attributes.



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Tue, Apr 25, 2017 at 2:57 PM, Hunter Fuller  wrote:

> Just like Brian mentioned, we sort users based on their attributes. If you
> are staff, and you connect to eduroam, you end up on the staff network.
>
> Those who didn't go that route, but instead kept the other ESSID for
> separation, what did you find the shortcomings were with the
> attribute-based method? (Are we about to regret doing this, is really what
> I'm asking.)
>
> On Tue, Apr 25, 2017 at 1:10 PM Stephen Belcher <
> steve.belc...@mail.wvu.edu> wrote:
>
>> That is the same situation with WVU. We maintain WVU.Encrypted for
>> faculty, staff and students. We treat those users as “on campus”.
>>
>> We treat WVU.Guest and Eduroam as “off campus".
>>
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fligor, Debbie
>> Sent: Monday, April 24, 2017 4:38 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>>
>> I can’t speak for the campuses you named, but we have not switched to
>> eduroam as our main SSID, and we have no current plans to. I’m sure someone
>> is happy about the branding somewhere, but it’s also for technical reasons.
>> Eduroam, like our guest wireless, is routed outside our campus border
>> firewall. When you are on our campus's IllinoisNet SSID you are on the
>> campus side of the border firewall and have more access to campus resources
>> than you do when you are on the eduroam SSID or our IllinoisNet_Guest
>> SSID.  Our campus network design has very little internal firewalling - the
>> majority of the protection for offices, labs, classrooms, wireless, and
>> anything other than University-wide Admin applications is the border
>> firewall. So putting guests on the outside, and faculty, staff and students
>> on the inside is important.
>>
>> Additionally the firewall for the eduroam network is set up to allow the
>> minimum ports required by the eduroam agreement, so that when our faculty,
>> staff and students test that something works on eduroam before they travel,
>> they are reasonably well guaranteed it will work on any eduroam net
>> anywhere. With our change from Meru/Radiator to Aruba/ClearPass last
>> summer, it’s likely that it would be much simpler to drop eduroam users
>> that are local onto a “different” version of eduroam that was on the campus
>> side of the border firewall, but then the user experience on eduroam here
>> would not be the same experience as if they were at a different site
>> providing eduroam. Both in what ports were allowed in/out of the eduroam
>> network and much more importantly how connections to campus resources
>> function for networks off-campus. We want users to have a consistent
>> experience with how eduroam works for their use cases, regardless of
>> whether they are on our campus or somewhere else.
>>
>>
>> To answer the other questions, we currently have 3 non-eduroam SSIDs:
>>
>> - our main SSID that is inside the campus border firewalls is 802.1x
>> - we have an open guest SSID that uses the ClearPass guest captive portal system
>> - we have a devices SSID that is MAC auth, but I believe this one is being
>> phased out in favor of using features in ClearPass to do something similar.
>> This is mostly for gaming consoles and the things that really can’t do 802.1x.
>>
>>
>> It’s been quite a few years since I ran the wireless network on our
>> campus, but I believe I’ve got the current technical details correct, Chuck
>> can correct me if I got anything wrong.
>>
>>
>> --
>> -debbie
>> Debbie Fligor, n9dn   Lead Network Engineer @ Univ. of Il at
>> Urbana-Champaign
>> email: fli...@illinois.edu
>>
>>
>>
>> > On Apr 24, 2017, at 14:18, Marcelo Maraboli 
>> wrote:
>> >
>> > I would like to thank all who responded.
>> >
>> > Everybody who responded is making EduRoam their main SSID
>> > deprecating their old SSID (MAC or .1x).
>> >
>> > I still wonder why Universities like MIT, Harvard, Stanford and Berkeley
>> > only use Eduroam as a secondary SSID and still keep their main SSID.
>> > The only thing I can think of is branding.
>> >
>> >
>> >
>> > thanks.
>> >
>> >
>> > On 4/20/17 6:16 PM, Marcelo Maraboli wrote:
>> >> Hello everyone.
>> >>
>> >> We are finally adopting EduROAM in our University and we currently
>> >> have one SSID with MAC-based authentication, so moving to EduROAM is
>> >> also an 802.1x upgrade for us as well.
>> >>
>> >> Would you be so kind as to respond to a couple of questions?
>> >>
>> >>
>> >> If you adopted EduROAM as your primary SSID:
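The attribute-based placement Walter and Hunter describe (FreeRADIUS with an LDAP lookup deciding which network a user lands on), as an added configuration example that is not taken from any of the posters' deployments. It assumes FreeRADIUS 3.0 with PEAP/TTLS, a local realm named example.edu defined in proxy.conf, a custom dictionary attribute Local-Affiliation filled from eduPersonAffiliation by the ldap module, and constructed VLAN IDs 100/200/300; the post-proxy filter is the check Debbie's border-firewall design implies, namely that a visitor authenticated by a remote eduroam IdP must never be able to pick a campus-side VLAN.

```conf
# --- /etc/raddb/dictionary (local additions) ---
# Assumed custom internal attribute; the ldap module fills it below.
ATTRIBUTE   Local-Affiliation   3000    string

# --- mods-available/ldap, inside the ldap { ... } block ---
update {
    # Copy every eduPersonAffiliation value into the control list.
    control:Local-Affiliation   += 'eduPersonAffiliation'
}

# --- sites-available/inner-tunnel ---
# The inner tunnel only runs for users this server authenticated against
# its own directory, so the VLAN choice here cannot be reached by a visitor.
post-auth {
    if (&control:Local-Affiliation[*] == "staff" ||
        &control:Local-Affiliation[*] == "faculty") {
        update outer.session-state {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "100"   # constructed: staff VLAN
        }
    }
    elsif (&control:Local-Affiliation[*] == "student") {
        update outer.session-state {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "300"   # constructed: student VLAN
        }
    }
    else {
        # Local account with no recognised affiliation: off-campus side.
        update outer.session-state {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "200"   # constructed: guest VLAN
        }
    }
}

# --- sites-available/default ---
post-proxy {
    # A remote eduroam IdP answered for a visitor. Any VLAN attributes it
    # sent are stripped so a foreign server can never choose our VLAN.
    update reply {
        &Tunnel-Type !* ANY
        &Tunnel-Medium-Type !* ANY
        &Tunnel-Private-Group-Id !* ANY
    }
}

post-auth {
    # Stock 3.0 behaviour: attributes the inner tunnel put into
    # session-state become part of the outer Access-Accept.
    update {
        &reply: += &session-state:
    }
    # Assumes the realm module ran in authorize and that proxy.conf lists
    # example.edu as a local (non-proxied) realm. Every other realm is a
    # proxied visitor and lands on the off-campus VLAN.
    if (&Realm != "example.edu") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "200"   # constructed: guest VLAN
        }
    }
}
```

The explicit post-proxy update is deliberate: do not rely on a permissive default attribute filter to drop VLAN attributes from proxied replies.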

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-25 Thread Hunter Fuller
Just like Brian mentioned, we sort users based on their attributes. If you
are staff, and you connect to eduroam, you end up on the staff network.

Those who didn't go that route, but instead kept the other ESSID for
separation, what did you find the shortcomings were with the
attribute-based method? (Are we about to regret doing this, is really what
I'm asking.)

On Tue, Apr 25, 2017 at 1:10 PM Stephen Belcher 
wrote:

> That is the same situation with WVU. We maintain WVU.Encrypted for
> faculty, staff and students. We treat those users as “on campus”.
>
> We treat WVU.Guest and Eduroam as “off campus".
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fligor, Debbie
> Sent: Monday, April 24, 2017 4:38 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> I can’t speak for the campuses you named, but we have not switched to
> eduroam as our main SSID, and we have no current plans to. I’m sure someone
> is happy about the branding somewhere, but it’s also for technical reasons.
> Eduroam, like our guest wireless, is routed outside our campus border
> firewall. When you are on our campus's IllinoisNet SSID you are on the
> campus side of the border firewall and have more access to campus resources
> than you do when you are on the eduroam SSID or our IllinoisNet_Guest
> SSID.  Our campus network design has very little internal firewalling - the
> majority of the protection for offices, labs, classrooms, wireless, and
> anything other than University-wide Admin applications is the border
> firewall. So putting guests on the outside, and faculty, staff and students
> on the inside is important.
>
> Additionally the firewall for the eduroam network is set up to allow the
> minimum ports required by the eduroam agreement, so that when our faculty,
> staff and students test that something works on eduroam before they travel,
> they are reasonably well guaranteed it will work on any eduroam net
> anywhere. With our change from Meru/Radiator to Aruba/ClearPass last
> summer, it’s likely that it would be much simpler to drop eduroam users
> that are local onto a “different” version of eduroam that was on the campus
> side of the border firewall, but then the user experience on eduroam here
> would not be the same experience as if they were at a different site
> providing eduroam. Both in what ports were allowed in/out of the eduroam
> network and much more importantly how connections to campus resources
> function for networks off-campus. We want users to have a consistent
> experience with how eduroam works for their use cases, regardless of
> whether they are on our campus or somewhere else.
>
>
> To answer the other questions, we currently have 3 non-eduroam SSIDs:
>
> - our main SSID that is inside the campus border firewalls is 802.1x
> - we have an open guest SSID that uses the ClearPass guest captive portal system
> - we have a devices SSID that is MAC auth, but I believe this one is being
> phased out in favor of using features in ClearPass to do something similar.
> This is mostly for gaming consoles and the things that really can’t do 802.1x.
>
>
> It’s been quite a few years since I ran the wireless network on our
> campus, but I believe I’ve got the current technical details correct, Chuck
> can correct me if I got anything wrong.
>
>
> --
> -debbie
> Debbie Fligor, n9dn   Lead Network Engineer @ Univ. of Il at
> Urbana-Champaign
> email: fli...@illinois.edu
>
>
>
> > On Apr 24, 2017, at 14:18, Marcelo Maraboli 
> wrote:
> >
> > I would like to thank all who responded.
> >
> > Everybody who responded is making EduRoam their main SSID
> > deprecating their old SSID (MAC or .1x).
> >
> > I still wonder why Universities like MIT, Harvard, Stanford and Berkeley
> > only use Eduroam as a secondary SSID and still keep their main SSID.
> > The only thing I can think of is branding.
> >
> >
> >
> > thanks.
> >
> >
> > On 4/20/17 6:16 PM, Marcelo Maraboli wrote:
> >> Hello everyone.
> >>
> >> We are finally adopting EduROAM in our University and we currently have
> >> one SSID with MAC-based authentication, so moving to EduROAM is also
> >> an 802.1x upgrade for us as well.
> >>
> >> Would you be so kind as to respond to a couple of questions?
> >>
> >>
> >> If you adopted EduROAM as your primary SSID:
> >> - Did you leave an SSID for legacy devices? (What AUTH mechanism for
> >> this SSID?)
> >> - How did you "force-move" your users to EduROAM from your old SSID?
> >>
> >> If you added EduROAM as just another SSID:
> >> - Why not adopt EduROAM as your primary SSID? (Branding or no
> >> interest?)
> >> - Is your primary SSID also 802.1x or MAC-based?
> >> - If 802.1x, why have 2 SSIDs with 802.1x?
> >>
> >>
>
> **
> Participation and subscription information for 

RE: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-25 Thread Stephen Belcher
That is the same situation with WVU. We maintain WVU.Encrypted for faculty, 
staff and students. We treat those users as “on campus”. 

We treat WVU.Guest and Eduroam as “off campus".


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fligor, Debbie
Sent: Monday, April 24, 2017 4:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

I can’t speak for the campuses you named, but we have not switched to eduroam 
as our main SSID, and we have no current plans to. I’m sure someone is happy 
about the branding somewhere, but it’s also for technical reasons. Eduroam, 
like our guest wireless, is routed outside our campus border firewall. When you 
are on our campus's IllinoisNet SSID you are on the campus side of the border 
firewall and have more access to campus resources than you do when you are on 
the eduroam SSID or our IllinoisNet_Guest SSID.  Our campus network design has 
very little internal firewalling - the majority of the protection for offices, 
labs, classrooms, wireless, and anything other than University-wide Admin 
applications is the border firewall. So putting guests on the outside, and 
faculty, staff and students on the inside is important. 

Additionally the firewall for the eduroam network is set up to allow the 
minimum ports required by the eduroam agreement, so that when our faculty, 
staff and students test that something works on eduroam before they travel, 
they are reasonably well guaranteed it will work on any eduroam net anywhere. 
With our change from Meru/Radiator to Aruba/ClearPass last summer, it’s likely 
that it would be much simpler to drop eduroam users that are local onto a 
“different” version of eduroam that was on the campus side of the border 
firewall, but then the user experience on eduroam here would not be the same 
experience as if they were at a different site providing eduroam. Both in what 
ports were allowed in/out of the eduroam network and much more importantly how 
connections to campus resources function for networks off-campus. We want users 
to have a consistent experience with how eduroam works for their use cases, 
regardless of whether they are on our campus or somewhere else.


To answer the other questions, we currently have 3 non-eduroam SSIDs:

- our main SSID that is inside the campus border firewalls is 802.1x
- we have an open guest SSID that uses the ClearPass guest captive portal system
- we have a devices SSID that is MAC auth, but I believe this one is being phased 
out in favor of using features in ClearPass to do something similar. This is 
mostly for gaming consoles and the things that really can’t do 802.1x.


It’s been quite a few years since I ran the wireless network on our campus, but 
I believe I’ve got the current technical details correct, Chuck can correct me 
if I got anything wrong.


-- 
-debbie
Debbie Fligor, n9dn   Lead Network Engineer @ Univ. of Il at 
Urbana-Champaign
email: fli...@illinois.edu 



> On Apr 24, 2017, at 14:18, Marcelo Maraboli  wrote:
> 
> I would like to thank all who responded.
> 
> Everybody who responded is making EduRoam their main SSID
> deprecating their old SSID (MAC or .1x).
> 
> I still wonder why Universities like MIT, Harvard, Stanford and Berkeley
> only use Eduroam as a secondary SSID and still keep their main SSID.
> The only thing I can think of is branding.
> 
> 
> 
> thanks.
> 
> 
> On 4/20/17 6:16 PM, Marcelo Maraboli wrote:
>> Hello everyone.
>> 
>> We are finally adopting EduROAM in our University and we currently have one
>> SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x 
>> upgrade for us as well.
>> 
>> Would you be so kind as to respond to a couple of questions?
>> 
>> 
>> If you adopted EduROAM as your primary SSID:
>> - Did you leave an SSID for legacy devices? (What AUTH mechanism for this 
>> SSID?)
>> - How did you "force-move" your users to EduROAM from your old SSID?
>> 
>> If you added EduROAM as just another SSID:
>> - Why not adopt EduROAM as your primary SSID? (Branding or no interest?)
>> - Is your primary SSID also 802.1x or MAC-based?
>> - If 802.1x, why have 2 SSIDs with 802.1x?
>> 
>> 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.




RE: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-25 Thread Brian Helman
Ahh, I see.  They are separate networks.  We are using a NAC to place users in 
their proper vlan, so there’s no differentiation between our current university 
ssid and eduroam.

By the way, I keep writing “EDUROAM”.  I know it’s “eduroam” .. it’s just habit 
from typing “EDUCAUSE”.

Thanks!

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Heartlein
Sent: Tuesday, April 25, 2017 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello Brian.  SLU-users has more direct access to internal services like file 
and print services that we didn't want to provide to eduroam users.  If we were 
ever to lock down SLU-users more to require VPN access to all internal 
resources, I think we'd recommend re-evaluating our SSIDs.

On Mon, Apr 24, 2017 at 8:14 AM, Brian Helman 
> wrote:
John,

Do you know what the thought process was behind maintaining both an EDUROAM 
SSID as well as your SLU-users?  I’m just firing up our SSID for EDUROAM 
university-wide this week, so it would be the summer before our legacy SSID 
would go away.  If there is a compelling reason that we haven’t discovered for 
keeping the legacy SSID, I certainly don’t want to get rid of it.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Heartlein
Sent: Friday, April 21, 2017 5:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Saint Louis University deployed eduroam in late 2015.  Besides eduroam we have 
an 802.1x SSID SLU-users for our students, faculty, and staff.  We also have 
SLUguest for guests and legacy devices.  Here's a link to more information:

https://www.slu.edu/its/services-and-products/internet-and-network-services/wireless-networks-at-slu

On Fri, Apr 21, 2017 at 12:30 PM, Brian Helman 
> wrote:
We have moved into the “testing” phase of our EDUROAM connectivity.  I’m hoping 
to fire up the EDUROAM SSID university-wide next week.  Currently, we have a 
.1x SSID that will stay through the summer.  Once EDUROAM is fully pushed, 
we’ll start our advertisement campaign to get people to log in to it.  I would 
have waited until the summer to fire up EDUROAM so it is just available when 
everyone returns in the fall, but there’s such a strong benefit for our 
students, staff and faculty if they are traveling over the summer that I want 
to get it to them.

There will be no “force move”, but the old .1x SSID won’t be available in the 
fall, so it benefits them to change their config now.   One note, we don’t 
currently support devices that do not support WPA/2 Enterprise (.1x) on our 
wireless network.  Essentially, we’re talking about gaming consoles (whether 
they support .1x or not), smart tv’s and media devices.  Students are told 
those devices need to be Ethernet-capable.  I suspect we’re at least another 
year away from supporting non-WPA/2 Ent devices on our wireless network.

From what I have seen and in my discussions with our peers at other 
institutions, unless there is a marketing reason the .1x auths are via EDUROAM 
and the branded SSIDs are either specialized or they go away.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Friday, April 21, 2017 8:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

We are currently moving to eduroam as the primary ssid.   We are doing a 
communication campaign and will retire the old 802.1x ssid at some point.  We 
do have a non-802.1x ssid for “other” devices.  It is a “start here” ssid that 
will also configure you for 802.1x.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Marcelo Maraboli
Sent: Thursday, April 20, 2017 5:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello everyone.

We are finally adopting EduROAM in our University and we currently have one
SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x 
upgrade for us as well.

Would you be so kind as to respond to a couple of questions?


If you adopted EduROAM as your primary SSID:
- Did you leave an SSID for legacy devices? (What AUTH mechanism for this 
SSID?)
- How did you "force-move" your users to EduROAM from your old SSID?

If you added EduROAM as just another SSID:
- why not adopt EduROAM 

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-25 Thread John Heartlein
Hello Brian.  SLU-users has more direct access to internal services like
file and print services that we didn't want to provide to eduroam users.
If we were ever to lock down SLU-users more to require VPN access to all
internal resources, I think we'd recommend re-evaluating our SSIDs.

On Mon, Apr 24, 2017 at 8:14 AM, Brian Helman 
wrote:

> John,
>
>
>
> Do you know what the thought process was behind maintaining both an
> EDUROAM SSID as well as your SLU-users?  I’m just firing up our SSID for
> EDUROAM university-wide this week, so it would be the summer before our
> legacy SSID would go away.  If there is a compelling reason that we haven’t
> discovered for keeping the legacy SSID, I certainly don’t want to get rid
> of it.
>
>
>
> -Brian
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *John Heartlein
> *Sent:* Friday, April 21, 2017 5:08 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
>
>
> Saint Louis University deployed eduroam in late 2015.  Besides eduroam we
> have an 802.1x SSID SLU-users for our students, faculty, and staff.  We
> also have SLUguest for guests and legacy devices.  Here's a link to more
> information:
>
>
>
> https://www.slu.edu/its/services-and-products/internet-and-network-services/wireless-networks-at-slu
>
>
>
> On Fri, Apr 21, 2017 at 12:30 PM, Brian Helman 
> wrote:
>
> We have moved into the “testing” phase of our EDUROAM connectivity.  I’m
> hoping to fire up the EDUROAM SSID university-wide next week.  Currently,
> we have a .1x SSID that will stay through the summer.  Once EDUROAM is
> fully pushed, we’ll start our advertisement campaign to get people to log
> in to it.  I would have waited until the summer to fire up EDUROAM so it is
> just available when everyone returns in the fall, but there’s such a strong
> benefit for our students, staff and faculty if they are traveling over the
> summer that I want to get it to them.
>
>
>
> There will be no “force move”, but the old .1x SSID won’t be available in
> the fall, so it benefits them to change their config now.   One note, we
> don’t currently support devices that do not support WPA/2 Enterprise (.1x)
> on our wireless network.  Essentially, we’re talking about gaming consoles
> (whether they support .1x or not), smart tv’s and media devices.  Students
> are told those devices need to be Ethernet-capable.  I suspect we’re at
> least another year away from supporting non-WPA/2 Ent devices on our
> wireless network.
>
>
>
> From what I have seen and in my discussions with our peers at other
> institutions, unless there is a marketing reason the .1x auths are via
> EDUROAM and the branded SSIDs are either specialized or they go away.
>
>
>
> -Brian
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Bucklaew, Jerry
> *Sent:* Friday, April 21, 2017 8:35 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
>
>
> We are currently moving to eduroam as the primary ssid.   We are doing a
> communication campaign and will retire the old 802.1x ssid at some point.
> We do have a non-802.1x ssid for “other” devices.  It is a “start here” ssid
> that will also configure you for 802.1x.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Marcelo Maraboli
> *Sent:* Thursday, April 20, 2017 5:17 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Eduroam adoption (and migration process)
>
>
>
> Hello everyone.
>
> We are finally adopting EduROAM in our University and we currently have one
> SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x
> upgrade for us as well.
>
> Would you be so kind as to respond to a couple of questions?
>
>
> If you adopted EduROAM as your primary SSID:
> - Did you leave an SSID for legacy devices? (What AUTH mechanism for this
> SSID?)
> - How did you "force-move" your users to EduROAM from your old SSID?
>
> If you added EduROAM as just another SSID:
> - Why not adopt EduROAM as your primary SSID? (Branding or no interest?)
> - Is your primary SSID also 802.1x or MAC-based?
> - If 802.1x, why have 2 SSIDs with 802.1x?
>
>
> thank you all,
>
> --
> *Marcelo Maraboli Rosselott*
> Deputy Director of Networks and Security
> Dirección de Informática
> Pontificia Universidad Católica de Chile
> http://informatica.uc.cl/
> 
> --
> Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
>