Roger,
If I could, here is how I would do it.
3 SSIDs, and I will name them for your campus as an example:
# uthsc-open (open SSID controlled by a Web gateway)
# eduroam (802.1X only)
# uthsc-personal (hidden or not, you decide...great for medical instruments and various styles of scanners etc..., could be only present in specific buildings)
# uthsc-open. Would have an initial splash page with:
-Option to get material to connect to the 802.1X SSID (using Xpressconnect, QuickConnect, SecureW2,...you name it)
-Option to register campus devices that can't do 802.1X. A MAC-based authentication using NetReg or other forms.
(with an option to sponsor long term visitors...e.g. a Faculty can register the MAC address of a long term visitor)
If you don't want too many users to join this one and emphasize the secure SSID, you could remove the option and just have a comment directing users that have devices that can't do 802.1X to the Help Desk (or other forms of incentives)
-Option to handle visitors that can't use 802.1X (an option for non-sponsored visitors and an option for sponsored visitors)
Sponsored visitors are great for conferences (they can get credentials from their organizers, either common credentials or dedicated ones if you are willing to deal with that)
# eduroam (or your own 802.1X SSID if you don't do eduroam)
Role Based authentication (with VLAN assignment based on the identifier or the REALM)
(everything is possible here since you have a device AND a username AND a REALM)
For your own users you can still direct them to the Network Registration page after they get connected to the 802.1X network to have their devices registered (easier if you have to track problems...also some schools use this as an inventory of devices)
# uthsc-personal
WPA2-PSK. I would keep that one as "stealth" as possible and restrict it to only School's owned devices (I don't mean Faculty laptops but projectors, scanners, blood pumps, etc...)
Also, think about a remediation Web page when you assign a user to a remediation VLAN in case you disconnect them for security reasons (this doesn't have to involve a full blown NAC system... just another method to communicate with users and prevent costly Help Desk calls!)
Philippe
Philippe Hanset
www.eduroam.us
On May 2, 2013, at 10:03 AM, "Schwartz, Roger J" <[email protected]> wrote:
I am looking for ideas to reduce the number of SSIDs we advertise on our campus: faculty/staff, student, mobile, eduroam and guest. I know some folks have gone to just eduroam; if you have, what security do you have on the VLAN, do users VPN back to the campus network, etc.? We are looking at some form of Identity Service to push users into particular VLANs, and that isn't working that great at this time. So what are you doing or going to be doing to resolve this type of issue?
Any and all comments and suggestions are welcome.
Roger
Senior Wireless Network Technician
University of Tennessee Health Science Center
Memphis, Tennessee
[email protected]
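Philippe's "Role Based authentication (with VLAN assignment based on the identifier or the REALM)" point, together with the remediation VLAN idea, can be shown as a small post-authentication policy like the one a RADIUS server applies after an 802.1X Access-Accept. The following is an added illustration, not Philippe's, eduroam's or any vendor's code; the home realm name, role table, VLAN numbers, directory entries and quarantined MAC are all constructed for the example.

```python
"""Toy realm/role based VLAN policy for an 802.1X (eduroam-style) SSID.

Added example, not code from the thread. It models the decision a RADIUS
post-auth policy makes once the user has been authenticated: take the
identity (user@realm) and the client MAC (Calling-Station-Id) and return the
VLAN plus the standard RFC 3580 tunnel attributes the controller expects.
Every realm, VLAN number, role and MAC below is a constructed sample value.
"""
import re

HOME_REALM = "uthsc.edu"                     # assumed home realm (example)

# Constructed role -> VLAN table for the home institution's own users.
ROLE_VLAN = {"faculty": 100, "staff": 100, "student": 200}
VISITOR_VLAN = 300                           # eduroam visitors from other realms
REMEDIATION_VLAN = 999                       # where flagged devices are parked

# Constructed directory and quarantine list (would be LDAP/NetReg in practice).
DIRECTORY = {"alice": "faculty", "bob": "student"}
QUARANTINED_MACS = {"aa:bb:cc:dd:ee:01"}

# user@realm; reject slashes so a Windows-style DOMAIN\user cannot sneak in.
IDENTITY_RE = re.compile(r"^([^@/\\]+)@([A-Za-z0-9.-]+)$")


def normalize_mac(raw):
    """Canonicalize the many MAC spellings controllers send (AA-BB-.., aabb.ccdd.., AA:BB..)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def split_identity(user_name):
    """Return (user, realm), both lower-cased; realm matching is case-insensitive."""
    match = IDENTITY_RE.match(user_name)
    if not match:
        raise ValueError(f"identity has no realm: {user_name!r}")
    return match.group(1).lower(), match.group(2).lower()


def radius_attributes(vlan_id):
    """RFC 3580 attributes that tell the controller which VLAN to use."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def assign_vlan(user_name, calling_station_id):
    """Return (vlan_id, reason) for an accepted session, or None for a reject.

    Order matters: a quarantined device lands in remediation no matter who
    logged in, so a flagged laptop cannot escape by switching accounts.
    """
    mac = normalize_mac(calling_station_id)
    if mac in QUARANTINED_MACS:
        return REMEDIATION_VLAN, "remediation"

    user, realm = split_identity(user_name)
    if realm != HOME_REALM:
        # Foreign realm: the visitor's home institution authenticated them via
        # the eduroam proxy chain. Only the Access-Accept is trusted, never a
        # role the visitor might claim, so everyone from elsewhere shares the
        # visitor VLAN. Exact match also keeps "uthsc.edu.evil.example" out.
        return VISITOR_VLAN, f"visitor:{realm}"

    role = DIRECTORY.get(user)
    if role is None:
        return None                          # home realm but unknown user: reject
    return ROLE_VLAN[role], f"role:{role}"


if __name__ == "__main__":
    for identity, mac in [("alice@uthsc.edu", "AA-BB-CC-DD-EE-02"),
                          ("anonymous@example.org", "aabb.ccdd.ee04"),
                          ("alice@uthsc.edu", "aa:bb:cc:dd:ee:01")]:
        decision = assign_vlan(identity, mac)
        if decision is None:
            print(identity, mac, "-> Access-Reject")
        else:
            print(identity, mac, "->", decision, radius_attributes(decision[0]))
```

The reason string is there so the decision can be logged next to the session; when a user ends up on the remediation VLAN, that log line plus the remediation web page Philippe mentions is what lets the Help Desk explain the disconnect without a full NAC.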
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********