Kevin, Unfortunately I must agree with Manoj. Liberty University has historically been a Cisco shop. We are completing our move away from CCA.
CCA is primarily designed as a Layer-2 solution, although it may be deployed as a Layer-3 solution if VRF ( Virtual Routing & Forwarding) and PBR (Policy Based Routing) are added to the network. We deployed CCA as a high availability solution for in-band wireless (with Cisco fat APs) & out-of-band wired. Actually out-of-band users are in-band until they are authenticated. The out-of-band solution for wireless is a relatively new offering that requires the Cisco lightweight wireless solution. I doubt you will find many that currently have this deployed. Our new solution is a Layer-3 totally Out-of-Band solution. We had over 30 physical servers for CCA on out network. The new solution has 4 for high availability. We primarily used LDAP authentication against Active Directory for our students. For University machines, we used single sign on, eliminating the CCA login screen. We used RADIUS accounting to our Cisco ACS server. We considered CCA and Cisco's lightweight wireless solution. We chose another vendor for wireless & NAC. Our new solution is not perfect, but it seems to meet our needs better than the Cisco solutions. Feel free to contact me offline for more information. Bruce Osborne Network Engineer Liberty University From: Kevin Fitzgerald [mailto:[email protected]] Sent: Friday, July 24, 2009 10:59 AM Subject: Re: Replacing Bluesocket with Cisco NAC (formerly known as Clean Access) Well that's encouraging :) I am curious about the dealbreaker issues that you had. Did you uncover some important 'gotchas?' K. Fitzgerald UALR Networks On Fri, Jul 24, 2009 at 9:47 AM, Manoj Abeysekera <[email protected]<mailto:[email protected]>> wrote: We do have a similar setup although we are fast changing. We do OOB for wired with Cisco NAC (CCA). For wireless it still in-band with CCA. No offense but CCA seems to be a (and have been) very problematic product for us and we are hoping to change that soon. Thanks Manoj ------------------------------ P. Manoj Abeysekera, CWNA Network Engineer American University 4200 Wisconsin Ave, NW Washington DC. 20016 Kevin Fitzgerald <[email protected]<mailto:[email protected]>> Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]<mailto:[email protected]>> 07/24/2009 10:21 AM Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]<mailto:[email protected]>> To [email protected]<mailto:[email protected]> cc Subject [WIRELESS-LAN] Replacing Bluesocket with Cisco NAC (formerly known as Clean Access) Hello all, We are currently in the process of replacing our Bluesocket Secured Controller appliances with Cisco's NAC. The Bluesockets are only used for LDAP auth (user login). In our environment we will be doing wireless and wired out-of-band (OOB) in virtual gateway mode, and our NAC is centrally deployed. Our wireless access points operate in lightweight mode using Cisco Wireless Lan Controllers. All of our WAPS are Cisco 1231 (LWAPP) running off of Cisco WLCs. We are moving to a Cisco end-to-end solution composed of the NAC, WLCs, and WAPs. I'd love to hear from some folks who have already gone down this road. The documentation that I've read often refers to RADIUS accounting records. Has anyone implemented a wireless OOB solution with LDAP? Kindest regards, K. Fitzgerald Computing Services Networks University of Arkansas at Little Rock ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. <http://www.educause.edu/groups/> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
