We have a very successful 802.1x wireless network, using native supplicants, WPA/2, PEAP w/ MSCHAPv2, going against AD. In the general production network, we use simple go/nogo from the perspective of AD. If you're in AD, you are allowed in. (We have special WLANs that actually use RADIUS attributes, but not on the big honkin' general WLAN). We use Cisco ACS for RADIUS.

We are now looking at adding NAC (possibly Impulse or Lockdown, or one of a couple of others - and please, no NAC vendors contact me after reading this) to both the wired and wireless networks - but it gets a bit weird looking at adding NAC to 802.1x (which is NAC to a certain degree in and of itself) for the likes of posture/health checking. For 802.1x, we tout the value of stored credentials on personal machines to facilitate fast access to the WLAN. But agent-based NAC systems tend to want frequent logins for various functions...

I guess I don't have specific questions, but has anyone else wrestled with these issues, and what did you end up doing? I realize I'm giving you little info, but really just looking for general thoughts - offline is fine...

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
