1. If you have a NAC solution do you do port based auth?
* Yes. We use Clearpass to implement.
2. If you have a NAC solution do you do eap-tls? If so how are you handling
the certification “push” to devices?
* Yes, our primary preferred authentication protocol is EAP-TLS; however,
we do offer and support EAP-PEAP and PSK methods for devices that do not
support TLS certificates or have a bad user experience with them (looking at
you, Chromebooks!). We use a product called SecureW2 for self-service user
onboarding to WiFi, which inserts the certificate into the device.
3. What were the major pain points during implementation?
* Client onboarding via a local captive portal. Client captive portal
browsers are volatile, and their behavior can severely affect the client
experience.
4. What were the major use cases you were resolving/resolved?
* We were looking to move away from EAP-PEAP largely for security and
convenience reasons. One particular pain point was the regularly scheduled
expiration of user account passwords. This in turn would knock a device with
saved EAP-PEAP credentials off of the network. Our client certificates are
valid for a longer period of time and largely avoid this issue. Network access
is tied to a combination of valid certificate and valid account lifecycle check.
5. Anything you would do differently if you do it again?
* I would have liked to have spent more time polishing the onboarding
experience. Our deployment timeline however did not allow for it. As other
threads on this list have mentioned, if you go down this road you will be
served well by testing your workflow extensively and often. Each device type
has different captive portal behavior, as well as the possibility of
application changes with new device software updates.
Ryan
--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu | https://helpdesk.depaul.edu
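The two gates described in answer 4 above (a client certificate that chains to the onboarding CA and is still inside its validity window, plus an account that is still active in the identity store) as an added Go example. This is not code from the thread, from ClearPass or from SecureW2: it builds a throwaway CA and client certificates in memory with the standard library, and the account schema, the CN-to-username mapping, the CA names and the account and role names (jdoe, grad2019, staff-vlan, student-vlan) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Account is a constructed stand-in for the identity-store record consulted after the handshake.
type Account struct {
	Enabled bool
	Expires time.Time // account lifecycle end; zero means no end date
	Role    string    // enforcement role / VLAN handed back to the NAS
}

// Decision is what the policy returns to the RADIUS layer.
type Decision struct{ Accept bool; Role, Reason string }

// issueCert makes a P-256 key and cert for cn; parent == nil self-signs a CA, else signs a client-auth leaf.
func issueCert(cn string, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA: may sign certificates, no EKU restriction
		tmpl.IsCA, tmpl.ExtKeyUsage = true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// authorize applies the two gates from the reply: the certificate must chain to the
// onboarding CA and be inside its validity window, AND the account it names must still
// be active. A password change never touches this path (the EAP-PEAP failure mode above).
func authorize(leaf *x509.Certificate, roots *x509.CertPool, dir map[string]Account, now time.Time) Decision {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return Decision{Reason: "certificate rejected: " + err.Error()}
	}
	user := leaf.Subject.CommonName // CN-to-account mapping is an assumption; SAN-based mapping is also common
	acct, ok := dir[user]
	switch {
	case !ok:
		return Decision{Reason: "no account for " + user}
	case !acct.Enabled:
		return Decision{Reason: "account disabled: " + user}
	case !acct.Expires.IsZero() && !now.Before(acct.Expires):
		return Decision{Reason: "account lifecycle ended: " + user}
	}
	return Decision{Accept: true, Role: acct.Role, Reason: "certificate and account valid"}
}

// runScenarios builds a constructed onboarding CA, a rogue CA and a tiny identity store, then decides four cases.
func runScenarios() map[string]Decision {
	now := time.Date(2020, 4, 13, 9, 24, 0, 0, time.UTC) // date of the thread
	year := 365 * 24 * time.Hour
	ca, caKey := issueCert("Campus Onboarding CA", now.Add(-2*year), now.Add(10*year), nil, nil)
	rogue, rogueKey := issueCert("Not Our CA", now.Add(-year), now.Add(10*year), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	dir := map[string]Account{ // constructed accounts
		"jdoe":     {Enabled: true, Role: "staff-vlan"},
		"grad2019": {Enabled: true, Expires: now.Add(-30 * 24 * time.Hour), Role: "student-vlan"},
	}
	certOf := func(c *x509.Certificate, _ *ecdsa.PrivateKey) *x509.Certificate { return c }
	return map[string]Decision{
		"active":       authorize(certOf(issueCert("jdoe", now.Add(-year), now.Add(year), ca, caKey)), roots, dir, now),
		"lifecycle":    authorize(certOf(issueCert("grad2019", now.Add(-year), now.Add(year), ca, caKey)), roots, dir, now),
		"expired-cert": authorize(certOf(issueCert("jdoe", now.Add(-2*year), now.Add(-year), ca, caKey)), roots, dir, now),
		"rogue-ca":     authorize(certOf(issueCert("jdoe", now.Add(-year), now.Add(year), rogue, rogueKey)), roots, dir, now),
	}
}

func main() {
	for name, d := range runScenarios() {
		fmt.Printf("%-13s accept=%-5v role=%-14q %s\n", name, d.Accept, d.Role, d.Reason)
	}
}
```

The "lifecycle" case is the one worth noticing: the certificate is perfectly valid, yet access is denied because the account behind it has ended, which is why the reply ties network access to both checks rather than to the certificate alone. The "expired-cert" and "rogue-ca" cases fail in the chain verification before the identity store is ever consulted.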
From: The EDUCAUSE Wireless Issues Community Group Listserv
<[email protected]> On Behalf Of Brady J. Ballstadt
Sent: Monday, April 13, 2020 9:24 AM
To: [email protected]
Subject: [EXT] [WIRELESS-LAN] NAC/authentication implementations
Hello everyone,
Have a few questions as we do some research to add on to our NAC implementation
and trying to avoid issues or at least minimize them.
1. If you have a NAC solution do you do port based auth?
2. If you have a NAC solution do you do eap-tls? If so how are you handling
the certification “push” to devices?
3. What were the major pain points during implementation?
4. What were the major use cases you were resolving/resolved?
5. Anything you would do differently if you do it again?
Any extra information would be great as well.
Thank you,
Brady Ballstadt
University of Arkansas
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional participation
and subscription information can be found at https://www.educause.edu/community
**********