Here at Emory, we have fully migrated to 802.1x (WPA/WPA2-Enterprise) as of the first of the year - except for guest access. Our progress towards this goal was pretty straightforward and occurred over about a one year timeframe. The move was prompted to improve the users' wireless experience using Emory's wireless network. Previously we were using VPN authentication and encryption for our users. The VPN could drop, causing the user to have to reconnect - a real PITA. With 802.1x, the pain is the initial connection - after they are connected once, Windows caches credentials and will log the user in automatically whenever they are in range.
We initially rolled out 802.1x as a pilot/trial in Fall 2005. We developed some instruction sheets and scripts for setting up WinXP and Mac clients for our Emory-OnLine CD-ROM during this pilot. At the start of Spring Semester 2006 (January 2006), we started pushing the "new" way to connect to the wireless Network. Our local support team worked with students at various "wireless parties" and workshops at locations on campus to help them get connected using 802.1x. We also started a publicity campaign with posters and emails touting the benefits of 802.1x connections (we called it "Emory Unplugged"). By the end of Spring Semester, we had just under 50% of our users converted. The rest continued to use VPN access.

In preparation for Move-In Weekend 2006 and the Fall 2006 Semester, we decided to "force" the issue in our residential areas and disabled both guest and VPN access in those areas. We also set up ResNet wireless access to use our NetReg system to ensure user devices were up to date on patches, anti-virus definitions, etc. Move-In Weekend 2006 saw us touching a lot of student machines to get them authenticating on 802.1x, but the adoption results were amazing. Our wireless user count more than doubled from the previous semester, and VPN usage was way down (mainly because it wasn't available in the dorms, and that we had converted most of the students to 802.1x).

We set a VPN sunset date of the first of this year, and sent out emails to the last few VPN users informing them of the impending change - VPN Access would be shut off as of 01/01/07, with only guest access and 802.1x access available. We held additional wireless workshops in those areas of high VPN usage, and continued to distribute our configuration flyers and tools to users. With nary a whimper, VPN access was disabled on 01/03/07. We received virtually no complaints from users about the removal of this wireless access method.
There wasn't even much of a rush for our local support teams to convert the last holdouts.

Today, we offer two methods of access on Emory's campus: 802.1x/WPA-Enterprise, and Open Guest Access. Just a couple of notes on guest access - we only allow web browsing or VPN access to your home organization, and guests are bandwidth-limited to 500kbps. There may be some Emory folks that still use guest access to VPN to Emory servers, but the vast majority of users are using (and quite happy with) 802.1x. Guest access is not available in the dorms during the school year - only 802.1x access. For summer conferences or other special events, we turn on guest access as requested by housing.

I recommend using 802.1x for all of the authentication and encryption that it brings to your wireless network. Without some sort of encryption, anyone can "sniff the air" and gather users' email and other credentials. Authentication is seamless with 802.1x as well (after the first connection), so that there is no need to log in through a captive portal every time you connect.

I'd be happy to chat further about our experiences with the 802.1x rollout if you are interested.

>>-> Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

-----Original Message-----
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 15, 2007 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] First-time rollout of 802.1x, opening of Fall semester madness

Here at Syracuse University, we are feeling pretty good about 802.1x and will be transitioning to it (for the wireless network only) before the Fall semester. Our topologies are defined, our building blocks are in place, and our WLAN skills in general are quite solid.

One issue we are wrestling with though, is how to effectively get a large number of user machines "ready" for 802.1x from a client configuration perspective.
We are piloting self-developed utilities based on keyboard macros and the tool that Aruba was kind enough to float to many of us on this list, along with an Apple-scripted configurator for the Mac folks. We are loosely playing with a home-grown framework that is akin to part of what Identity Engines does in their product set, and are also mildly considering a commercial solution just for supplicant configuration. I also know that many schools forego the automation of client configuration and rely on detailed "how to" pages provided on paper and the web.

My questions after all this- for those who have recently moved to one 802.1x in conjunction with the usual rigors of the start of a new academic year- how did you transition users over to 802.1x? What worked, what failed? Was there a tidal wave of support calls? Did a supplicant configuration tool prove to be essential, or were instructions on manually configuring the native Windows and Mac supplicants sufficient?

We are envisioning that once the 802.1x "culture" is created on our campus, we'll be fine- it's the getting over the hump, so to speak, where we fully expect to see challenges- and so would love to glom on to the wisdom gained from the experience of others for this rollout.

Regards-
Lee Badman

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.