Tuesday, February 19, 2019

Wireless BYOD - How would you meet these requirements?

I inherited a bunch of new Ruckus wireless equipment from a previous admin that just bought a bunch of stuff without really planning how it was all going to work, and now it's my problem. He purchased a bunch of R720 APs, two SmartZone 100 controllers, and a cloud-hosted instance of CloudPath. Now I have to make it all work to our requirements. This is for a college that sees around 2500 devices on the wifi at any given time.

For the devices that we own and manage we are using 802.1x authentication. The cert install is handled through MDM or Group Policy. That all works fine. For guests I have a guest portal setup with walled garden. Users connect, enter an e-mail or phone number and then enter the code they receive. A traffic access policy only allows them to access things outside of our internal network. That also works fine.

For BYOD (staff and employee) the college wants the process to be as easy for users as possible, but they want to have some accountability as far as who is on the network. I tested with a small group using 802.1x, but issues with redirecting from the CNA browser and having to install the CloudPath app on Android made the process very difficult for users and we got a lot of calls. Then I decided to try using Ruckus DPSK. After they connected to the onboarding SSID they had to authenticate and we generated a DPSK for them with instructions to connect to the BYOD network and enter in the key. That seemed to work well, but after setting it up I found that the controller only supports 10000 DPSKs, which is not enough for us. My last try was using the same type of setup as I use for guests. They connect to the BYOD network, enter in their AD credentials, and the walled garden is removed and they are on the network. No encryption this way, but administration is more concerned about ease of use and accountability than encrypting the BYOD network. This seemed ok and I configured CloudPath to create a MAC registration valid for 1 year during this process. After a day devices start prompting to log in to the network again. I found the setting in the login portal for session timeout and it has a max of just a few days, so they are going to have to keep logging in over and over. Ideally they wouldn't have to authenticate again for at least 6 months.

What would you guys do in my situation?
