Your project of multi-SSID VLAN support seems like the direction we want to go in in the near future. We already have multiple SSIDs at our institution that are configured similarly to what you described. But the big question is how do I make sure users are "confined" to those VLANs/SSIDs without having to touch client computers or having directions that are so complicated for our students (especially).
MAC authentication may work to a point. But what I really need is the ability to have two things:

1. University machines - Dynamic encryption, VLAN/SSID security, minimal client computer configuration.
2. Student machines - Encryption optional, confined VLAN/SSID (ideally something dynamic so that users could be quarantined to a specific VLAN, registered, and then dynamically connect to another more secure VLAN/SSID), no touching of student machines.

(Oh yeah...one more thing...can we do it with no cost except maybe some of me and my network team's time??? It is tough being a small public liberal arts institution in a state where they are cutting state funding and looking to higher education to take the brunt of the cuts.)

Any advice anyone?

Thanks,

D. Michael Martin, Jr.
Network Administrator
University of Montevallo

-----Original Message-----
From: Metzler, David [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 1:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] RADIUS authentication

It provides a super-set of RADIUS, so no, it should work with other devices that support RADIUS. I haven't used it that way yet, but I'm pretty confident it would work. With Cisco equipment it can be configured to do a host of other things. The reason we purchased it is that it gives us the ability to configure a Cisco modem pool to dictate which IP address you get based on what Global Group you're a member of.

We are testing the setup on our wireless network to try and facilitate a multi-SSID access point that uses the Cisco VLAN support to support a public/broadcast SSID for general student and conference work, but provides a secure encrypted SSID that has access to more of our network. We're configuring it in such a way that access to the secure network would be controlled based on membership in our facultyandstaff global group. What people have access to is then controlled by simple router access lists.
It works well when you've got virtual LANs in your network architecture. I'm pretty sure that the Cisco extensions would be required to facilitate this setup, but if you're just talking about a RADIUS server, this would do the job. As was mentioned in another post, if you have Cisco equipment, you can use the network accounts to control access to your switches as well.

David Metzler
Network Services
The Evergreen State College
360-867-6728
[EMAIL PROTECTED]
http://www.evergreen.edu/netservices

-----Original Message-----
From: Brian David [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] RADIUS authentication

David,

Does the Cisco ACS secure only work with the Cisco Access point?

-----Original Message-----
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] Behalf Of Metzler, David
Sent: Friday, February 20, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] RADIUS authentication

Cisco also has a product called Cisco ACS Secure, which will provide pass-through authentication to your Active Directory Databases. We've been using this product to provide RADIUS authentication against Windows domain accounts since NT 4.0. We are using this to authenticate our modem pool, and are working on deploying this to authenticate our Cisco Access points. I think the product was less than 3k last I checked.

David Metzler
Network Services
The Evergreen State College
360-867-6728
[EMAIL PROTECTED]
http://www.evergreen.edu/netservices

> Is anyone out there using Microsoft Internet Authentication Service
> (IAS) for RADIUS authentication with their wireless access points? (We
> use Cisco 802.11b/g radios...Aironet 340s, 350s, 1100s)
>
> IAS is free and included with Microsoft Windows 2000 Server and we
> have needed to get into using RADIUS authentication with our wireless
> implementation. Using PEAP, EAP, etc.. and 802.1x is not out of the
> question (at least long term) but I have many applications where MAC
> authentication is the only recourse (wireless printers, bridges,
> etc...).
>
> Any advice (or help) would be greatly appreciated.
>
> Thanks,
>
> D. Michael Martin, Jr.
> Network Administrator
> University of Montevallo

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/cg/.
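Added example, not part of any message in this thread: one standard way for a RADIUS server to place a client on a VLAN is to return the RFC 3580 tunnel attributes in the Access-Accept. The sketch below maps an authentication result to a VLAN and encodes those attributes; the VLAN IDs, the registered-MAC set and the function names are assumptions, and the thread does not say whether the ACS or IAS setups discussed use these attributes.

```python
import struct

# RADIUS attribute types and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Hypothetical VLAN plan; the IDs and the registered MAC are constructed.
VLAN_SECURE, VLAN_STUDENT, VLAN_QUARANTINE = 10, 20, 99
REGISTERED_MACS = {"00:11:22:33:44:55"}


def choose_vlan(groups, mac, authenticated):
    """Map an authentication result to a VLAN, failing closed to quarantine."""
    # Only a successful user authentication plus group membership reaches
    # the secure VLAN. A MAC address is an identifier, not a credential,
    # so a registered MAC alone never gets more than the student VLAN.
    if authenticated and "facultyandstaff" in groups:
        return VLAN_SECURE
    if mac.lower() in REGISTERED_MACS:
        return VLAN_STUDENT
    return VLAN_QUARANTINE


def _tagged_int(attr_type, tag, value):
    # Layout: Type, Length=6, Tag (1 byte), Value (3 bytes, big-endian).
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id, tag=0):
    """Encode the three Access-Accept attributes that assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag out of range")
    # The Tunnel-Private-Group-ID tag byte is optional; omit it when tag is 0.
    body = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body))
            + body)


if __name__ == "__main__":
    vlan = choose_vlan({"facultyandstaff"}, "aa:bb:cc:dd:ee:ff", True)
    print(vlan, vlan_attributes(vlan).hex())
```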
