NB: Per the spec, the maximum number of VLANs on a network is 4094. In our case, it is not an issue, as our subscriber count should not exceed 3500 in the foreseeable future. If we were to exceed it, we would need to look at other solutions.
That's one hell of a caveat. It works well for them because French universities (this is deployed at SupElec, one of them) are usually small, but wouldn't pass muster in most US situations.
edit: yeah that would be awesome, you could move a VM from a server to your laptop with minimal interruption
And when they hit 4096 user accounts?
It's actually depressing how hard they had to work to enable a basic BYOD network-layer authentication use case. Particularly since network-level device authentication is basically "securing your network 101" which any network in the world practicing good security hygiene should be implementing.
Is this problem not actually solved, and you're just pointing out how depressing it is that something seemingly so essential is not solved?
In this case neither is true - they have no control over devices being connected so can’t rely on SSL certs, and they explicitly want to isolate each user on their own VLAN. Given those constraints this is a much harder problem to solve.
There is one thing though that the blog post is missing: devices claiming to support 802.1x but where that path was never tested. This is something I discover often enough in Chinese Android devices - the UI works fine but then the connection simply fails without any error message to the user.
Great article, wonderful to read how you came to your final configuration. Having wired support is a bonus.
Are there any infrastructure / software products out there which offer an experience like that out of the box?
But they wanted to do something new, where you don't have to ask students for something quite obscure for non-techs such as MAC address.
Of course the biggest caveat here is the number of VLANs (4096), which limits scalability, but which was satisfactory in their case.
Well then, no idea.
For universities there is something like eduroam, which works as follows: 1. there is 802.1X authentication with certificates and username + password; 2. for legacy clients, just a landing page with firewall tricks.
Regarding eduroam, your comment is incorrect. Most 802.1X auth in universities with eduroam uses PEAP+MSCHAPv2, which is a serious security issue (MD4 NT hash). It is way too cumbersome to configure EAP-TLS and certificates. There are ways to get around it with Passpoint/Hotspot 2.0 provisioning, but this is far from being supported on devices.
> Here at ViaRezo, our job is to offer a high-speed, affordable and reliable Internet connection to the students of CentraleSupélec at Paris-Saclay.
Telling students they can't BYOD is not an acceptable solution to the problem.