802.1x Roll out w/low managerial overhead?

  • 1
  • Question
  • Updated 2 years ago
We are in the planning phase of our 802.1x deployment within a school of 250 people. There will be 1 administrator for everything (me) and there are two intents we have:

1. Control network access on a per-user/per-device basis. (right now we do PPSK w/MAC binding where we limit to 1 MAC)

2. The simplest certificate installation possible.

A few problems regarding the certificates, is that we are BYOD, and Chromebook heavy on school owned devices. Apple, Microsoft, and Chromebooks are all on site, and used daily.

The RADIUS server will be hosted on a cloud based VM that is off-site. The RADIUS server can be any operating system, so it doesn't have to be Windows if something with a lighter managerial footprint exists.

We have: HMOL v6.6r1

Any documentation regarding this will be greatly appreciated.

Bill M

  • 4 Posts
  • 1 Reply Like

Posted 2 years ago

  • 1

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi Bill,

Running really late with this reply, I am really sorry about that, manic week tying up loose ends!

To control network access on a per-user or per-device basis, without a doubt, the best method is to use EAP-TLS with device or user certificates. [Note, you cannot easily achieve both, that is per-user and per-device (dual factor). For many reasons, practically, it usually becomes a matter of choosing one or the other in BYOD scenarios.]

To get the simplest certificate installation possible, I suggest looking at CloudPath if you have the budget available for it. Other options are available, and generally at a lower price point but with differing features and differing levels of client support.
http://cloudpath.net/

Aerohive offer Client Management as part of its Mobility Suite by way of an alternative to look at:
http://www.aerohive.com/solutions/technology/mobility-suite.html
http://www.aerohiveworks.com/datasheets/Aerohive_Datasheet_Client-Management.pdf
(I am not yet sure how this fits in, or will fit in, with HM-NG.)

By way of a free on-boarding/provisioning alternative that can be relatively easily adapted (yes, that is subjective), take a look at https://cat.eduroam.org/ and https://github.com/UNINETT/eduroam-configurator and https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators

As EAP termination takes place at the RADIUS server, any documentation will be specific to the third-party RADIUS server, the CA solution (where client certificates are in the mix), and the on-boarding/provisioning system that you choose - not Aerohive's HiveManager or HiveOS.

The attributes you return back to HiveOS in the RADIUS Access-Accept are the only thing that is coupled to anything Aerohive with a third-party RADIUS server. This has been written up elsewhere in this community, and I can link you to this if that would help.

If you have any specific or further questions, fire back and I will get back to you as soon as possible.

I would also be happy to take a look at what you are doing remotely, or take the discussion 'offline'.

Regards,

Nick
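The reply above draws a line between what is server-local (EAP termination, the CA, the on-boarding tool) and the one thing the access points see, the attributes in the Access-Accept. As an added illustration of that split, and not material from Nick, Aerohive or the thread, the fragment below sketches how a FreeRADIUS 3.x server could terminate EAP-TLS and then hand back a VLAN per certificate type. Everything specific in it is assumed: the file paths, the CA file name `school-ca.pem`, the VLAN numbers, the convention that device certificates carry `OU=Devices` and user certificates `OU=Users`, and the use of the standard RFC 2868 tunnel attributes for the VLAN (Aerohive's own attribute handling, which Nick says is written up elsewhere in the community, is not reproduced here).

```conf
# Added example, not from the thread: a FreeRADIUS 3.x EAP-TLS layout.
# File paths, the CA name, VLAN numbers and the certificate naming
# convention are all assumptions made for illustration.

# --- mods-enabled/eap -------------------------------------------------
eap {
    # Offer only EAP-TLS; a client without a valid certificate fails early
    # instead of negotiating a weaker method.
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/radius.key
        certificate_file = ${certdir}/radius.pem
        # Issuing CA for the user and device certificates (assumed name).
        ca_file = ${cadir}/school-ca.pem
        # Reject revoked certificates (a lost BYOD device, a leaver).
        check_crl = yes
        tls_min_version = "1.2"
        cipher_list = "HIGH:!aNULL:!MD5"
    }

    tls {
        tls = tls-common
    }
}

# --- sites-enabled/default, post-auth section -------------------------
# Runs once the client certificate has chained to the CA above. Only the
# attributes placed in the reply reach HiveOS; the rest stays on the server.
post-auth {
    # Assumed CA convention: device certificates carry OU=Devices, user
    # certificates carry OU=Users. Map each kind to its own VLAN using
    # the RFC 2868 tunnel attributes.
    if (TLS-Client-Cert-Subject =~ /OU=Devices/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    elsif (TLS-Client-Cert-Subject =~ /OU=Users/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "30"
        }
    }
    else {
        # Chains to our CA but is neither kind we issue: refuse rather than
        # drop the client onto a default VLAN.
        reject
    }
}
```

The point to check before going live is the `else` branch: a certificate that validates but matches no known naming convention should be refused explicitly, otherwise a mis-issued certificate silently lands on whatever VLAN the access point falls back to. The CRL check is what makes a lost device or a departed user a one-line revocation on the CA rather than a hunt through MAC bindings.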