We went that way. It was a relatively easy decision given our old RADIUS cert was expiring and everyone would need to reconfigure anyways. We just used the opportunity to transition to eduroam instead.
We wanted to enforce proper username syntax (both for roaming, and to push CAT so CAs get set up properly), but also allow domain-joined computers to authenticate pre-login (on campus - it's not allowed roaming anyways). That's primarily so non-cached users can log in, but also useful for management. Our solution was two profiles on Windows - an "eduroam" one that's user-entered credentials for roaming, and a "Bethel eduroam" using machine credentials for local/default. We then allow Windows host syntax (but not Windows user syntax) along with the usual user@realm on the RADIUS side.

A nice side benefit is the network side doesn't have the user identity, and having to pull data from an unrelated system discourages inappropriate user-IP data correlation.

On Thu, Nov 10, 2016 at 10:04 PM, Becker, Jason <[email protected]> wrote:

> We're getting ready to reduce the number of SSIDs that we have across
> campus and one idea is to use eduroam as our main 802.1x secure SSID. Is
> anyone else doing this and if so how is it going?
>
> Thanks,
>
> Jason
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at http://www.educause.edu/groups/.

--
Jeremy Mooney
ITS - Bethel University
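The username policy described in the reply above, sketched as an added example that is not part of the original post or the poster's RADIUS configuration. The regular expressions, the `on_campus` flag and the sample identities are assumptions constructed for illustration.

```python
import re

# Constructed patterns for the three identity shapes the post mentions;
# they are assumptions, not the poster's actual RADIUS configuration.
_LABELS = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"        # dotted DNS name
USER_AT_REALM = re.compile(rf"[^\s@\\/]+@{_LABELS}")   # user@realm
WINDOWS_HOST = re.compile(rf"host/{_LABELS}", re.I)    # host/pc.ad.example.edu
WINDOWS_USER = re.compile(r"[^\s@\\/]+\\[^\s@\\/]+")   # DOMAIN\user


def classify(user_name: str) -> str:
    """Return the syntactic form of a RADIUS User-Name value."""
    if USER_AT_REALM.fullmatch(user_name):
        return "user@realm"
    if WINDOWS_HOST.fullmatch(user_name):
        return "windows-host"
    if WINDOWS_USER.fullmatch(user_name):
        return "windows-user"
    return "malformed"  # bare "alice", realm without a dot, stray whitespace


def allowed(user_name: str, on_campus: bool) -> bool:
    """Apply the policy from the post to one request.

    on_campus is a hypothetical flag: True when the request came from a
    local access point rather than through the roaming federation.
    """
    form = classify(user_name)
    if form == "user@realm":
        return True        # proper roaming syntax is accepted everywhere
    if form == "windows-host":
        return on_campus   # machine credentials only for pre-login on campus
    return False           # Windows user syntax and malformed names


# Constructed sample identities (identity, on_campus).
SAMPLES = [
    ("alice@example.edu", False),
    ("host/lab-pc01.ad.example.edu", True),
    ("host/lab-pc01.ad.example.edu", False),
    ("AD\\alice", True),
    ("alice", True),
]

if __name__ == "__main__":
    for name, on_campus in SAMPLES:
        print(f"{name!r:36} on_campus={on_campus!s:5} "
              f"{classify(name):13} allowed={allowed(name, on_campus)}")
```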
