Tim,

Per your questions:

Do you have eduroam deployed as your primary SSID or in addition to your SSID’s?

‘eduroam’ is a companion SSID to our campus-branded SSID. However, the two networks use identical encryption and authentication methods.

Do you separate/tag your eduroam users? If so, how (acs/ISE/free radius, etc)?

We do not separate our internal eduroam users from external eduroam users at the vlan level. All users, as they are on secure, authenticated networks, are placed in a “trust” firewall group. We are currently using FreeRADIUS for user authentication.

How big are your wireless subnets?

Our campus-branded SSID uses /22 networks separated on building boundaries; sometimes we require multiple networks per building based on user density. We have several small outlier buildings that have /24 networks. Our eduroam SSIDs are all /24 networks at this point. They are deployed 1 per building.

We currently have approximately 25,000 wireless users. We saw a peak in September 2014 of over 10,000,000 successful authentications (combined eduroam + University-branded-SSID) via RADIUS. We’ve expanded the wireless network to an additional 20 buildings since that time and are excited to see the September 2015 numbers.

Due to the size of the campus and our central-management network design, we’re looking forward to a stable release of round-robin vlan-pooling from our wireless equipment provider to reduce the number of vlans we have deployed (currently about 110 within a /14 private IP range).

Sincerely,

J. Scot Prunckle
Network Engineer
UITS Network and Operations Services
University of Wisconsin-Milwaukee
Office Mobile: (414) 416-9709
E-mail: [email protected]

On Sep 24, 2015, at 3:38 PM, Timothy Burns <[email protected]> wrote:

We are just now starting down the eduroam path. We are a Cisco shop and currently have our controllers pointed towards xpressconnect to onboard/authenticate our students.
We currently have many interfaces on our controllers per building/SSID. We were thinking of collapsing many of those interfaces and have larger subnets and vlan tag the clients based on access we want to allow using the single "eduroam" ssid. So, for example, our local users will be placed in vlan 1 and eduroam users from different colleges would be placed in vlan 2 with internet only access. We have brought this up to our SE and VAR engineers and they are a little hesitant on this approach as they say the subnets will be too large. But, as I understand it, the broadcast messages are suppressed at the controller.

Xpressconnect only supports 1 vlan tag so we were looking at using free radius and create different realms and vlan tag the clients based on end of the username (ex: @xxxx.edu). We still have ACS at our disposal as we were using it very heavily before using xpressconnect, so we thought it may be an option to bring that back into the picture and use it to tag the clients.

The answers I am looking to gain from this are:

Do you have eduroam deployed as your primary SSID or in addition to your SSID's?

Do you separate/tag your eduroam users? If so, how (acs/ISE/free radius, etc)?

How big are your wireless subnets?

Any opinions/suggestion/questions are welcome. Thanks again in advance.

--
Tim Burns
Junior Network Administrator
1 University Heights
Asheville, NC 28804
828-232-5013
[email protected]

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
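
The realm-based VLAN tagging described in the original question, as an added example that is not part of either message: a FreeRADIUS 3.x virtual-server fragment. It assumes `example.edu` as a placeholder for the local realm and uses the VLAN 1 / VLAN 2 split from the question; it also clears any VLAN attributes returned by a visitor's home server, so that only local policy decides placement.

```conf
# Added example (FreeRADIUS 3.x unlang), not taken from the thread.
# Assumptions: local realm "example.edu" (placeholder); VLAN 1 = local users,
# VLAN 2 = visiting eduroam users with internet-only access.

post-proxy {
	# Replies proxied back from a visitor's home institution may carry that
	# institution's own VLAN attributes. Remove them so a remote server
	# cannot steer a client onto one of the local VLANs.
	update proxy-reply {
		&Tunnel-Type !* ANY
		&Tunnel-Medium-Type !* ANY
		&Tunnel-Private-Group-Id !* ANY
	}
}

post-auth {
	# Runs after a successful authentication. User-Name here is the outer
	# EAP identity. The match is case-insensitive and anchored at the end,
	# so a realm such as "example.edu.other.test" does not match.
	if (&User-Name =~ /@example\.edu$/i) {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "1"
		}
	}
	else {
		# Every other realm, including any not explicitly listed,
		# falls through to the restricted visitor VLAN.
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "2"
		}
	}
}
```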
