Don,

We have two separate SSIDs that do 802.1x ut-wpa2 and eduroam, across campus. This separation is creating a lot of confusion to our community. Sometimes they wonder why use one versus the other! We would like to redesign this and only have the eduroam SSID, but separate the traffic based on authentications (roles). If a user from utk joins the eduroam SSID, the user gets different privileges (e.g. a different role in the controller) than other users. We can do this differentiation in our Aruba controllers based on the REALM of users (e.g. [email protected] would reach a subnet that's routed as if the user was coming from the outside, with a different IP address, and [email protected] would get full access).

One problem that we have seen pertains to the MTU size in RADIUS. Since RADIUS uses UDP (RadSec uses TCP!!!), and if you use Certificates that are 2048 bytes, you may encounter problems if you don't enable the frame-fragmentation flag at 1500 or less in your RADIUS server. It won't affect people visiting your campus, but it will affect your users (especially if there is a piece of hardware between Brown's user and your RADIUS server that has small MTU set). eduroam.org advises an MTU flag of 1400 to be cautious.

Also, if you don't mind the initial investment (will save you money in the long run)... get Xpressconnect

Best,
Philippe
Univ. of TN

On Jul 29, 2011, at 3:12 PM, Wright, Donald wrote:

We have a mandate to set up Eduroam for our campus for the upcoming fall semester and I was wondering how others have done this in the past. Did you use a separate SSID made available throughout your campus? Any issues or gotchas that I should be aware of as far as initial response time for users, credential caching and roaming, etc.?

Thanks in advance.
Don Wright
Senior Network Engineer
CIS - Network Technologies Group
Brown University

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
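
The RADIUS-over-UDP MTU problem raised in the reply above, as an added example that is not part of the original thread: it estimates the IP datagram size of each Access-Challenge that carries one EAP-TLS fragment and flags those that exceed the path MTU. The header sizes, the `fragment_size` and `other_attrs` parameter names, the 3000-byte handshake and the choice to count no State or proxy attributes by default are assumptions made for illustration.

```python
import math

# Assumed sizes in bytes (IPv4, no IP options); not taken from the thread.
IP_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
ATTR_HDR, ATTR_MAX_VALUE = 2, 253   # each RADIUS attribute carries at most 253 value bytes
MESSAGE_AUTHENTICATOR = 18          # sent alongside EAP-Message attributes
EAP_TLS_HDR = 10                    # EAP header 4 + type 1 + flags 1 + TLS length 4 (worst case)


def radius_datagram_size(tls_bytes, other_attrs=0):
    """IP datagram size of one Access-Challenge carrying `tls_bytes` of TLS data."""
    eap_len = EAP_TLS_HDR + tls_bytes
    eap_attrs = math.ceil(eap_len / ATTR_MAX_VALUE)  # EAP packet split over EAP-Message attrs
    return (IP_HDR + UDP_HDR + RADIUS_HDR + eap_len + eap_attrs * ATTR_HDR
            + MESSAGE_AUTHENTICATOR + other_attrs)


def plan(handshake_bytes, fragment_size, path_mtu, other_attrs=0):
    """Return (tls_bytes, datagram_size, fits_in_one_ip_packet) per EAP-TLS fragment."""
    out = []
    remaining = handshake_bytes
    while remaining > 0:
        chunk = min(fragment_size, remaining)
        size = radius_datagram_size(chunk, other_attrs)
        out.append((chunk, size, size <= path_mtu))
        remaining -= chunk
    return out


def max_safe_fragment(path_mtu, other_attrs=0):
    """Largest fragment size whose RADIUS datagram still fits the path MTU."""
    for frag in range(path_mtu, 0, -1):
        if radius_datagram_size(frag, other_attrs) <= path_mtu:
            return frag
    return 0


if __name__ == "__main__":
    HANDSHAKE = 3000  # constructed: server certificate chain plus handshake overhead
    for frag, mtu in [(1500, 1500), (1400, 1500), (1400, 1400)]:
        bad = [p for p in plan(HANDSHAKE, frag, mtu) if not p[2]]
        print(f"fragment={frag} path_mtu={mtu}: {len(bad)} datagram(s) need IP fragmentation")
    print("largest safe fragment at path MTU 1400:", max_safe_fragment(1400))
```

Datagrams flagged here depend on IP fragmentation surviving every hop between the two RADIUS servers; passing a non-zero `other_attrs` shows how State or proxy attributes eat into the remaining margin.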
