(Answers embedded below)
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of John Duran
Sent: Thursday, September 11, 2008 10:54 AM
To: [email protected]
Subject: [WIRELESS-LAN] Network Access Control

Good Morning All,

Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
Cisco Clean Access (CCA)

2) How easily did it integrate with your existing infrastructure?
Very easily as we already had it in place at the time for the students (we have since put the rest of the campus behind it)

3) What is your existing infrastructure and wireless solution?
Cisco

4) How well has it performed?
CCA has performed pretty well, though it has had its share of problems.

5) If you had to do it again would you select the same product?
Not sure; I know that we should've done a thorough RFP on it in retrospect, but we just didn't have the time. We chose it quickly to solve a terrible problem we were having with viruses.

6) What were the successes and failures of the deployment?
Ramming it down users' throats was a challenge, but we pulled it off. LOTS of legwork from our Helpdesk folks for documentation, training, and communication. We have practically eliminated viruses on campus as a result, and those staff hours (to track them down and clean them up) have been reclaimed for other more productive purposes. It also makes network registration of users a cinch (we authenticate via LDAP against Active Directory where everyone has a login), and if we need to track someone down in a hurry it is very easy now.

We are still having some problems with failover on the appliances, i.e. it ain't workin' (appears to be a software issue with the sync and only happens under load), but it's been an open issue for so long because we haven't given the Cisco TAC time to debug it with us.
We also have purposely not upgraded to the latest version because it seems like people are still having lots of problems [that we don't want to deal with]; we're still at 4.1.2.1.

Users still occasionally complain that CCA rejects them because their computer isn't updated, to which we say Too Bad Pal (insert diplomacy here). That's the whole purpose, get over it and fix your computer. The worst case of this is when a professor goes into a classroom 5 minutes before class and turns on all the computers (which have been diligently turned off the night before to save energy). An update came out recently, and all the computers fail CCA login until they are updated. Our answer to that has basically been "well then plan ahead and show up sooner than 5 minutes beforehand". It can be a difficult situation, but we're working through it.

7) What was the impact on your technical staff to prepare for deployment?
For us in the Networks group it was HUGE. We had to re-IP a lot of things, and since CCA is implemented in-band here it had major implications on our core network setup. We actually paid our Cisco reseller to have several consultants on-site for the initial implementation, including an expert engineer who originally worked at Perfigo. I also had a vacant position for primary network person, which was back-filled by consultants for this implementation. I ended up hiring one of them full-time, and he's still with us after 3 years (and hopefully many more!).

8) How well does it scale?
Great, just buy more appliances to handle more users. I think it was something like 1,500 users per appliance? We own 4 pairs of servers (we have 2,400 students plus all the faculty and staff), and another pair which manages the whole setup (10 servers total).

9) How are the management tools and maintenance for the solution?
The whole thing is managed through a secure web GUI from the manager server pair, and it is pretty complete and fairly easy to use.
There are a few things missing from it that we'd like to see added, but for the most part it works well for us.

Good luck!!!

Thanks a million,

John V. Duran
University of New Mexico
Network Engineer
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

-Tim
---
Tim Cantin, Senior Network Engineer
Wellesley College, IS/Technology Infrastructure Group
223 Simpson Hall East, 106 Central Street
Wellesley, Massachusetts 02481-8203
http://www.wellesley.edu/~tcantin/
phone: (781)283-3520
fax: (781)283-3682
