Mike,

My Security Officer requires us to have a Banner page for wireless logins, even for the one that will use 802.1 (WPA/WPA2). We haven't set up our RADIUS device for VLAN assignments as of yet; we are still discussing how we will implement that down the road. We are moving away from the Bluesocket and plan on placing a WISM into production come fall. I did do some more reading and believe that I will need a separate SSID that is set up for MAC filtering/authentication (to control who can use this SSID) to allow facility/staff mobile devices to access the network after they authenticate. I am just not sure I am going about it the right way.

Mike

v/r
Michael M. Williams
Network Systems Analyst
Information Technology Services
Tarleton State University
Box T-0220
Stephenville, TX
Tel: (254) 968-1850
Fax: (254) 968-9393
[email protected]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Mike King
Sent: Monday, June 29, 2009 9:28 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Mobile device authentication

Mike,

I'm not sure what your goal is.... are you offering the webpage bypass for devices that cannot display the page (Mobile devices/cellphones), or are you just offering ANY faculty and staff device the option of bypassing the webpage? (IE laptops) but I can offer this:

You can have 1 SSID performing 802.1x. That SSID can put users on different VLANs based on group membership. You could theoretically have faculty and staff dropped on a different VLAN that does not even terminate on the bluesocket device, and students put on a 2nd VLAN that does terminate on the bluesocket device.

My point would be, with 802.1x and WPA2, you would not need a web-authentication portal, since you will always know what user is associated based on the RADIUS logs / WCS Display. I wouldn't even think that you would need to have the students on the bluesocket.

Now, if you use the bluesocket for anything more than as an authentication gateway (remediation, access control, etc.... ) then this might not apply so much to you.

On Fri, Jun 26, 2009 at 5:03 PM, Williams, Mr. Michael <[email protected]> wrote:

We are currently in the process of setting up our WISM and WCS server and plan on putting it into production in the fall. We also have 86 autonomous APs which will be converted over to Light AP. We currently have a Bluesocket device which is used as an authentication gateway. Bluesocket allows me to store MAC addresses (mostly iPhones) for facility and staff members, which allows them to bypass the web login page.

I would like to continue this using the WISM and WCS. We currently do not use encryption on our network, but plan on enforcing WPA/WPA2 (using Cisco RADIUS SE) for all SSIDs, except for our visitors and other guests. We would like to continue using web authentication bypass for facility and staff but require them to use WPA/WPA2 and their domain credentials.

The question I have is as follows. How can I accomplish this? Do I need to create a separate SSID that restricts access via one's MAC? Or is there another method that would work?

Thanks

Mike

v/r
Michael M. Williams
Network Systems Analyst
Information Technology Services
Tarleton State University
Box T-0220
Stephenville, TX
Tel: (254) 968-1850
Fax: (254) 968-9393
[email protected]

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
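
The single-SSID approach in Mike King's reply (802.1x, with the VLAN chosen from group membership) relies on the RADIUS server returning the RFC 3580 tunnel attributes in its Access-Accept. The sketch below is an added example, not part of the original thread and not any vendor's code: it picks a VLAN from a user's groups and encodes those three attributes. The group names and VLAN IDs are assumptions made up for illustration.

```python
import struct

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

# Hypothetical policy: directory group -> VLAN ID, highest priority first.
GROUP_VLANS = [("faculty", 110), ("staff", 110), ("students", 120)]
GATEWAY_VLAN = 120  # assumed VLAN that terminates on the authentication gateway


def vlan_for(groups):
    """Return the VLAN for a user's groups; unmatched users get the gateway VLAN."""
    member = {g.lower() for g in groups}
    for group, vlan in GROUP_VLANS:
        if group in member:
            return vlan
    return GATEWAY_VLAN


def _tagged_int(attr_type, value, tag=0):
    # Tunnel-Type / Tunnel-Medium-Type: type, length=6, 1-byte tag, 3-byte value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """Encode the three Access-Accept attributes that assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range: %r" % vlan_id)
    vid = str(vlan_id).encode("ascii")  # untagged string form of the VLAN ID
    return (
        _tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
        + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid
    )


def parse_attributes(blob):
    """Split a run of RADIUS attributes into (type, value-bytes) pairs."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out
```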
