Hi Jason,
we've been on ES3 for a while now, and are planning on moving to ES4 in
production this week. First, your questions:
- We've been exclusively on EAP-TLS fore wireless since before we moved to
Cloudpath, and it's worked on very well. The multiple certificate templates
and workflows give you quite a bit of flexibility in who gets what (different
CAs for student vs staff, different expiration period, etc). The server acts
as an OCSP responder, so you can easily revoke any specific certificates,
allowing you to knock a single device offline rather than all devices owned by
a given user. In addition, it can also use the OCSP checks to track
certificate usage, and send out notices to users who are actively using
certificates coming up on expiration in the near future.
If you have other registration systems, you can also trigger a server side
HTTP callout on certificate issuance. We have this as a tie in to our IPAM
system, automating that portion of it completely and allowing our users to
skip several steps.
- We haven't gone live on Cloudpath based guests, but have mocked it up in
the lab, and it should work. While I don't believe they have a whole lot of
explicit guest functionality, the workflows are flexible enough that you can
still accomplish a lot. If you can have temporary guest credentials set up in
your upstream authentication source with appropriate group memberships, you
can easily flag them in Cloudpath for special treatment - for example, you can
have long term guests set up with 90 day certificates for authentication.
- Their features on this look pretty good, but we haven't used them at all.
- Ditto - we're currently using freeradius with a custom tie in to our IPAM
system, but are seriously looking at Clearpass to replace it in the near future.
Two other caveats I'll mention for free:
- The ES system includes a complete from-scratch rewrite of the wizard, so
it won't be the same one you're used to. The initial releases didn't have all
of the same functionality as the cloud hosted one, so while they've promised
full feature parity, I'd double check carefully that all of the features you
need are already implemented.
- The clustering functionality looks pretty cool, but read it carefully and
test, as it's still a newish feature with a lot of caveats. Also, last time I
checked in order to take full advantage of it you'll need to front it with a
load balancer, as I don't believe it had any built in service failover.
That said, we've been very happy with ES3, and ES4 has done well in our
testing. We're especially looking forward to it, as we currently have a SHA-1
certificate rolled out, and ES4 now includes a method of converting your CA to
SHA-2 in-place without invalidating any of your currently issued identity or
server certificates. We expect this to become a critical feature for us when
Microsoft follows through on their threats to stop honoring any SHA-1 CAs,
currently scheduled at the end of this year.
Feel free to let me know if you have any other questions.
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
Manager of Network Operations | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken
On 3/10/2015 11:20 PM, Jason Cook wrote:
HI,
We’ve been using XpressConnect Wizard for a number of years quite happily but
haven’t ever made the moved to ES. Just wondering what the experience is for
others with using ES.
In particularly
·if you have moved to EAP-TLS over PEAP-MS-CHAP (or running both)
ocert management work ok?
oAre user password changes as trivial as it seems they should be
·using sponsored approval for guest access
·PSK/MAC access lists for non dot1x devices.
·Used the internal radius server
Regards
Jason
--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800
e-mail: [email protected]<mailto:[email protected]
<mailto:[email protected]%3cmailto:[email protected]>>
CRICOS Provider Number 00123M
-----------------------------------------------------------
This email message is intended only for the addressee(s) and contains
information which may be confidential and/or copyright. If you are not the
intended recipient please do not read, save, forward, disclose, or copy the
contents of this email. If this email has been sent to you in error, please
notify the sender by reply email and delete this email and any copies or links
to this email completely and immediately from your system. No representation
is made that this email is free of viruses. Virus scanning is recommended and
is the responsibility of the recipient.
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
