Hi Peter,

> I didn't think the following suitable
> for the 'WIRELESS-ADMIN' list for obvious reasons!
>
> Pre Windows XP SP3 where Microsoft have opted to 'hide'
> 802.1x on wired interfaces (until the relevant service is started)
> I vaguely thought end-user configuration of 802.1x for wired interfaces
> was slightly easier than the wireless equivalent.

It is. But the Windows supplicant can be very temperamental. I'd recommend writing your documentation such that it includes the installation of SecureW2, and then configures an EAP-TTLS-PAP profile. Your users will thank you in the future.

>
> Now we've progressed to a certain point with a rollout
> of 802.1x wireless we're pondering whether to go the whole hog
> and go for 802.1x wired in our Halls for the next academic year as well.
>
> Can anyone here comment on whether they opted for 802.1x (and as a result
> but not necessarily 'eduroam') everywhere for itinerant users
> or that you're still maintaining separate systems and why?

We opted for 802.1X on wired back in 2007. It really depends on your networking hardware as to what you can support. The way we've got it set up means that eduroam users can connect in residences just as well as students; very good for conferences etc...

There's no real reason to maintain separate systems; the trick is getting the VLANs you need disseminated to all the points in the network where they could be potentially assigned.

>
> Looking at websites for a few institutions I can see places where
> web-based 'registration' systems are still in place, for example.

They're not really required. With RADIUS accounting you'll always have a record of who used what and where. Though it's good to have some kind of captive portal to disseminate instructions/patches/etc., and record AUP acceptance.

I know Cisco switches do Mac-Auth bypass, so that if a supplicant doesn't respond they get authenticated by MAC address. You can use the mac-auth process to assign them to a setup and quarantine VLAN, then just redirect all web traffic on that VLAN to a captive portal.

Best Regards,
Arran

PS: I don't know how much inter-college cooperation goes on between University of London institutions, but I know Alexander Clouter at SOAS has done some development work with 802.1X on wired. He might be able to offer you some more advice.
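
Added example, not part of the original message: the "record of who used what and where" that RADIUS accounting gives you, turned into a lookup of who was on a given switch port at a given time. It assumes accounting records in the text layout written by FreeRADIUS's detail module and that MAC-auth bypass sessions carry the MAC as User-Name; the sample records, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample, assumed to follow the FreeRADIUS "detail" layout: a date
# line, tab-indented "Attribute = value" lines, a blank line between records.
TEMPLATE = ('Tue Jun  2 00:00:00 2009\n\tAcct-Status-Type = {}\n\tUser-Name = "{}"\n'
            '\tNAS-IP-Address = 192.0.2.10\n\tNAS-Port-Id = "Gi1/0/12"\n'
            '\tCalling-Station-Id = "{}"\n\tAcct-Session-Id = "{}"\n\tTimestamp = {}\n')
SAMPLE = "\n".join([
    TEMPLATE.format("Start", "alice@example.ac.uk", "00-11-22-33-44-55", "A1", 1000),
    TEMPLATE.format("Stop", "alice@example.ac.uk", "00-11-22-33-44-55", "A1", 1600),
    TEMPLATE.format("Start", "66778899aabb", "66-77-88-99-AA-BB", "A2", 2000),
])
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')

def parse_records(text):
    """Yield one attribute dict per blank-line-separated accounting record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in map(ATTR.match, block.splitlines()) if m)
        if rec:
            yield rec

def norm_mac(value):
    return re.sub(r"[^0-9a-f]", "", value.lower())

def build_sessions(records):
    """Pair Start/Stop records on (NAS, Acct-Session-Id) into sessions."""
    sessions = {}
    for r in records:
        ts, status = int(r["Timestamp"]), r["Acct-Status-Type"]
        if status not in ("Start", "Stop"):
            continue  # interim updates add nothing to the who/where question
        # A Stop whose Start was lost still proves the session: back-date it.
        began = ts if status == "Start" else ts - int(r.get("Acct-Session-Time", 0))
        s = sessions.setdefault((r["NAS-IP-Address"], r["Acct-Session-Id"]), {
            "user": r["User-Name"], "mac": norm_mac(r["Calling-Station-Id"]),
            "nas": r["NAS-IP-Address"], "port": r["NAS-Port-Id"],
            "start": began, "stop": None})
        # Assumption: a MAC-auth bypass session carries the MAC as User-Name.
        s["mab"] = norm_mac(s["user"]) == s["mac"]
        if status == "Stop":
            s["stop"] = ts
    return list(sessions.values())

def who_was_on(sessions, nas, port, when):
    """Sessions active on one switch port at epoch time `when`."""
    return [s for s in sessions if (s["nas"], s["port"]) == (nas, port)
            and s["start"] <= when and (s["stop"] is None or when <= s["stop"])]

SESSIONS = build_sessions(parse_records(SAMPLE))
```

Sessions flagged `mab` identify only a device, not a person, which is where the captive portal's AUP record fills the gap.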