Hi James,
We, at Plymouth State University, use the Aruba Wireless Network. We broadcast 3 SSIDS on our 155 Access points, GUEST WIRELESS, PSU WIRELESS and SECURE WIRELESS. Each SSID has different authentication and security configuration. Guests get a captive portal web page which asks for credentials and then allows restricted access to some campus resources, bandwidth limits 1MB per user up/down and open off campus access. PSU WIRELESS is what the students and some staff use, it is authenticated via radius running on a Bradford Campus Manager server, it has no bandwidth limits and has controller based firewall access to all but the most secure campus resources (HIPPA, FREPA). We use Bradford Campus Manager to enforce security policies like anti-virus, OS versions, service packs and updates. SECURE WIRELESS uses 801.1X authentication based on the users active directory role and AES 256bit encryption and its own set of firewall rules configured on the Aruba controller. Each SSID can have its own vlan and address space or they can be pooled. To accommodate all of the student concurrent use we have multiple vlans associated with the PSU WIRELESS SSID, these are assigned in a round robin queue to evenly distribute the users across vlans. The primary method of security is the built in session based firewall. This allows access control right on the WLAN controller, blocked traffic never enters the core of our network. This gives us the ability to look up a user from a central console and drill down to their actual firewall hits on a per user or global basis. With ARM (adaptive radio management) we can place multiple APS in any area where we require dense coverage; the controller will set channels and signal strength automatically and steer the users to the least used AP. When we moved from our old fat AP configuration to a controller based solution we evaluated Cisco, Meru, Trapeze, Nortel, Aruba and others. I could not be happier with our choice, set it and forget it. PS: James, if you wish send information about your current configuration to the email address below and I'll be glad to help, time permitting of course. Chris Drever - PSU Networking [email protected] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Barber, Matt Sent: Friday, September 18, 2009 3:50 PM To: [email protected] Subject: Re: [WIRELESS-LAN] separating 'types' of users Hi James, We use a single SSID for all normal users, but separate them by VLAN based on their Active Directory group. Faculty/Staff get put into one, students into another. That way we can make different firewall or bandwidth rules based on their subnet. We use Meru wireless and Windows IAS server in the backend for RADIUS, but I am almost certain all of the vendors can do this. Matt From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jamie Savage Sent: Friday, September 18, 2009 3:33 PM To: [email protected] Subject: [WIRELESS-LAN] separating 'types' of users Hi, We're entertaining the idea of providing separate wireless services to our academic and admin communities. Currently, we have a single SSID that we broadcast campus-wide that everyone uses. We could simply provide separate SSIDs or perhaps provide separate SSIDs on separate channels (ie...RF separation of services as well). I presume there are other methods in use out there?? I'd be interested in hearing what others are doing in this regard. ..........thanks in advance..............J James Savage York University Senior Communications Tech. 108 Steacie Building [email protected] 4700 Keele Street ph: 416-736-2100 ext. 22605 Toronto, Ontario fax: 416-736-5830 M3J 1P3, CANADA ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
