
Comment Southern Polytechnic's Solution (Score 3, Informative) 239

We started acquiring the elements of our 1x deployment over a year ago, and things have really come a long way. We have been testing since February and have been live for about 2 months. We are using 1x on both wired and wireless connections.

We are running Funk Software's Steel Belted RADIUS (SBR) on Solaris for 1x authentication requests using TTLS. SBR verifies user credentials on the back end against our OpenLDAP server. We also return the group membership of the validated user with each login so the RAS can implement individual firewalls (at the user's point of access!) based on each user's credentials (aka User Personalized Networking). This is essential for supporting large numbers of open-access ports (i.e. dorms, Library, Student Center, labs...)

We use Enterasys equipment exclusively, including their R2 access points for wireless. We use their Netsight Atlas Policy Manager software to enforce UPN policies.

We have an academic site license for the Meeting House Aegis 1x client. This has worked brilliantly with 2000/XP and MacOS. Linux support has been shaky (it's beta) but we have had success with Open1x in that application. The problem with the Mac is that it doesn't come preconfigured with any certificate authorities under OpenSSL, so we have had to add one manually to each station.

The only problems we have had are a small bug in SBR that caused it to periodically lose contact with LDAP (fixed in SBR 4.0.4) and some quirky early versions of the Aegis clients (fixed). Meeting House has also just released (beta) an enterprise-deployment option that allows us to distribute a preconfigured client. Funk's client is worth looking at also, but it is very pricey.

My suggestions: plan well, test a LOT, and stay the HECK away from any of the MS garbage -- your life will be MUCH simpler!
