At Emory, we've been using PEAP authentication for our wireless users for almost a year, now. We originally decided on a VPN security model for wireless 2-3 years ago, and currently support both VPN and WPA/WPA2 with PEAP. Our wireless hardware (Aruba) makes it easy to support both VPN and WPA - and has scaled very well as we've grown the network.

Last fall, we started testing WPA authentication. We announced its general availability last January at the start of spring semester. This fall for Move-in weekend, we decided to "force" the adoption of WPA authentication in the Res halls by disabling VPN and guest access (only in our ResNet). All of our student housing - dorms, apartments, frat & sorority houses - is fully covered with wireless.

The BIG issue with PEAP is the initial connection. We have one-page fliers with configuration directions for PCs/Macs and automated WinXP/Mac scripts for configuring PEAP that were integrated into our Emory On-Line CD. Even with these directions and scripts, we had a very high "touch" rate for students on Move-in weekend. The good news is that once it's set up, it (usually) doesn't need any additional support. We've got some ResTechs that are very adept at "fixing" ornery machines :-)

We are using Microsoft IAS as the authentication server - we have two running for redundancy. They use our back-end AD to authenticate against. The only issue we've had is that even with a Verisign-signed cert on each RADIUS server, we still have to manually accept the cert (only once) the first time the client authenticates.

Currently, we are in the process of "sunsetting" wireless VPN access because of the much better user experience that WPA with PEAP provides - automatic connection and authentication with cached user credentials on most clients; you turn on your wireless-enabled laptop and it has authenticated network connectivity with encryption - no muss, no fuss after the first connection.

Some numbers...

We've seen our wireless usage grow tremendously over the last year. Our WPA users grew from a handful of test users to 250 simultaneous users at the end of spring semester. That compares to about 550 peak simultaneous VPN users. During Move-in weekend, we experienced a peak simultaneous WPA user count of over 1650 (total peak wireless user count is around 1840). Our VPN usage is now down to a peak of about 150 simultaneous users and we are working to drive that down even further in preparation for sunsetting VPN support.

Currently, we have about 890 APs serving the university, including about 500 in ResNet.

>>-> Stan Brooks - CWNA/CWSP
     Emory University
     Network Communications Division
     404.727.0226
     [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]


-------- Original Message --------
From: Stephen Holland
Date: 9/22/2006 12:04 PM

I have two questions for the list

1) We are looking into implementing PEAP and I would be interested to know
how others have implemented it, issues that came up, number of users, and
any other insights you might have.

2) We have some address space issues and the use of NAT has been proposed.
I am of the opinion that NAT is not the optimal solution in the EDU
environment because somebody always develops an application that breaks
it. However, I would be interested to know what other folks on the list
think about the use of NAT.

Thanks so much

Stephen Holland
Network Engineer
Northeastern University

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
