Thanks for the response Mike.

> Are the computers (laptops / desktops) joined to a domain? (Same domain?)
> What do you support? Windows XP / Windows Vista / Mac OS X / Linux / They
> bring it, you support it?
>

We're looking to control access to network drops with .1x. We're also looking to authenticate two classes of wireless users: a) staff, b) students. We use Win2k3 to provide auth. We have a mix of Windows, Linux and OSX users, most using some sort of domain authentication (the OSX stations are primarily media stations and have local credentials).

Our test setup looks like:

Active Directory <-- winbind --> <-- Freeradius --> <--dotX capable switch or AP --> client.

Here's a conjecture about how this will work out:

Group A: Wired users will authenticate using domain credentials and .1X. Certificates on the client computers to guarantee that users and computers are who they say they are.

Group B: Staff users on wireless LANs will use laptops issued by the school district and will use WPA2 w/ certs and domain credentials in order to validate against AD via the Freeradius server.

Group C: Student users will connect via the same physical AP via a separate SSID beacon and be offered services tailored to them on their own VLAN.

Do the users have administrative control over the computers? Does your group have administrative control over the computers?

We control Group A and B users' credentials and machines. We control Group C credentials.

> Is there a budget, or does this have no funding?
>

Very little funding. We are strapped for cash, but we believe that we can make this work with some low-budget switch upgrades via eBay. We're looking at HP 2650, which go for approx. 150.00 U.S. these days. We believe we can use PacketProtector, a remix of OpenWRT on Linksys WRT54G, to provide dual beacon, WPA2, .1X and VLAN to wireless users.

>
> Answer the above questions and we can offer opinions on what will help
> you the best.
>
> Some of the options are:
>
> Computers are on a domain:
>
>    - Publish an 802.1x wireless profile via Active Directory. (if you go
>    this route, you don't even need to purchase your own Cert)
>

Can I import an OpenSSL into AD and get it pushed? That would be a great solution!

>
> Computers not on a domain, users are administrators of their machine:
>
>    - http://www.cloudpath.net/ They make a utility that will auto
>    configure your 802.1x settings (as well as deploy some patches and AV
>    software among other things)
>    - Write your own script that auto configures the OS.
>

This looks interesting. I don't see a pricing structure on the website. I guess I'd need to contact them to find out?

>
> The parting bit of advice I have for you is that you should consider
> getting a real certificate for your Radius server. Check out
> http://certs.ipsca.com/ for free certs for .edu's. (There are
> considerations for using this CA. They're based out of Spain, just so you
> know)
>

Interesting. Is the reason for this that users' browsers will complain less?

Thanks again!

John

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
