I think what is interesting to consider is that eduroam developed in 
Europe more or less in parallel with 802.1X, so at the point where it all 
came together to be workable and understood, many European sites were 
fairly new to having an 802.1X deployment and just jumped straight to 
providing a single 'eduroam' SSID for all users, or had manageable numbers 
of users to migrate from a locally branded 802.1X deployment.

In the case of the US, eduroam has come along some time after you had 
established 802.1X provision, so you are already quite some way down one 
road and trying to find easy ways to back up or build a bridge to another 
road, something not necessarily very easy.  I don't envy you.

Jethro.


On Mon, 4 Nov 2013, Hanset, Philippe C wrote:

> Matt,
> 
> To add to what people have already mentioned on the list:
> If you already have a working 802.1X implementation, the work on the RADIUS 
> server to become eduroam enabled is really basic.
> (instructions are located on the website www.eduroam.us for various
> RADIUS flavors. Those instructions are community driven.)
> Some schools were eduroam enabled on the IdP (Identity Provider) side in less 
> than 2 hours.
> 
> On the network side (enabling the SSID to become a SP, Service Provider) 
> it's all about picking subnets, making firewall rules, and advertising the 
> SSID.
> 
> One school did a really quick shortcut in network configurations (I 
> forgot who it was) by routing all of the institution's eduroam users to its 
> current secure SSID network, and all of its eduroam visitors to its 
> current visitor SSID network (VLAN assignments in the controller). They 
> had to bypass the need for the web portal on the visitor side and make 
> sure that local clients joining eduroam use the full REALM (user@domain) 
> to be ready when they travel (a RADIUS config change).
> 
> Best,
> 
> Philippe
> 
> Philippe Hanset
> www.eduroam.us
> 
> 
> 
> On Nov 4, 2013, at 8:56 AM, Matt Williams <[email protected]> wrote:
> 
> Thanks for all of the input.  I appreciate it.  From what I'm hearing it 
> seems like it is no more time intensive than any other service.  I'll be sure 
> to pass all of this along.  Thanks, again.
> 
> Respectfully,
> 
> Matthew "Will" Williams
> Assistant Director, Networking
> Bucknell University
> 570.577.1491
> 
> 
> On Mon, Nov 4, 2013 at 7:31 AM, Tim Cappalli <[email protected]> wrote:
> Same here at 'Deis. A Brandeis user connecting to eduroam is treated
> exactly the same as they would be if they were connecting to our legacy
> branded secure network. We are using a lot of role-based magic from AD and
> enterprise LDAP.
> 
> Also, there are some tweaks you can do in RADIUS to allow non-user devices
> to connect to eduroam with an "@fqdn" account (as long as they aren't
> expected to leave campus: Cisco wireless phones, wireless printers, ticket
> readers, etc)
> 
> 
> Tim Cappalli, Network Engineer
> LTS | Brandeis University
> x67149 | (617) 701-7149
> [email protected]
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of Julian Y Koh
> Sent: Sunday, November 03, 2013 9:58 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time
> 
> On Nov 1, 2013, at 11:34 , Lee H Badman <[email protected]> wrote:
> >
> > Go the easy path, and push the Eduroam SSID everywhere, as an
> > additional WLAN, and live with the fact that it won’t get a lot of use in
> > most places and puts management traffic in the air that isn’t generally
> > going to be used.
> 
> This is what we did at NU.
> 
> We do some role-based stuff on the back end such that if an NU person
> connects to eduroam, they get the same IP addressing and setup as if they
> use our regular 802.1X SSID.
> 
> 
> --
> Julian Y. Koh
> Acting Associate Director, Telecommunications and Network Services
> Northwestern University Information Technology (NUIT)
> 
> 2001 Sheridan Road #G-166
> Evanston, IL 60208
> 847-467-5780
> NUIT Web Site: <http://www.it.northwestern.edu/>
> PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
> 
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
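
The shortcut Philippe describes in the quoted message (local realm onto the existing secure VLAN, every other realm onto the visitor VLAN, local users required to send the full user@domain) sketched as a decision function. This is an added example, not code from any poster or from eduroam; the realm `example.edu`, the VLAN IDs and the function names are assumptions.

```python
import re

# Assumed values for illustration only (not from the thread).
LOCAL_REALM = "example.edu"
SECURE_VLAN = "110"    # VLAN behind the existing secure SSID
VISITOR_VLAN = "120"   # VLAN behind the existing visitor SSID

# A realm must look like a DNS name: dot-separated labels, at least two.
_REALM_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)


def vlan_attrs(vlan_id):
    """RADIUS reply attributes for dynamic VLAN assignment (RFC 3580)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


def decide(user_name, local_realm=LOCAL_REALM):
    """Map an outer identity seen on the eduroam SSID to
    (action, attributes to apply if the authentication is accepted)."""
    user, sep, realm = user_name.strip().rpartition("@")
    realm = realm.lower()  # realms are DNS names, so compare case-insensitively

    # Refuse bare usernames: a local user configured without the realm
    # works at home but fails at every other eduroam site.
    # An empty user part ("@realm") is a valid anonymous outer identity
    # under RFC 7542, so only a second "@" or a malformed realm is rejected.
    if not sep or "@" in user or not _REALM_RE.match(realm):
        return ("reject", {})

    if realm == local_realm.lower():
        # Home users get the same network as on the branded secure SSID.
        return ("authenticate-locally", vlan_attrs(SECURE_VLAN))

    # Visitors are authenticated by their home institution via the
    # federation and land on the visitor VLAN, with no web portal.
    return ("proxy-to-federation", vlan_attrs(VISITOR_VLAN))
```
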
