Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jonathan Waldrep
On 2021-04-16 22:38:48+, Jeffrey D. Sessler wrote:
> Educause did an extensive review of DMCA and concluded there is no
> need to "know with reasonable certainty who is using the network."

What about for CALEA? I found [this][1] page, but all the FAQs linked
are dead links.

[1]: https://library.educause.edu/topics/policy-and-law/calea

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community




RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jeffrey D. Sessler
Paul,

Educause did an extensive review of DMCA and concluded there is no need to 
“know with reasonable certainty who is using the network.”  Colleges have opted 
to do so for education purposes, but it’s not required. I would recommend 
reading the FAQ educause put together as you may be spending a lot of 
time/expense for something you do not need to do.

https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/dmca-faq

What if I can’t match the IP address and time stamp given in a DMCA notice to 
an individual?
If your institution, after taking reasonable efforts to investigate and match a 
user to the IP address designated in the DMCA notice, cannot, for technical or 
other legitimate reasons, match a user to this IP address, the DMCA does not 
specifically require any other action.

11. Are there different requirements for claims relating to student-owned 
computers (e.g., in residence halls) than for computers owned by the 
institution?

Most student and guest activity on university networks occurs through 
personally owned equipment and thus falls under 17 U.S.C. Section 512(a). This 
section provides immunity to the ISP for information that simply transits the 
ISP’s networks, with no direction, input, or interference from the ISP itself, 
and is not stored anywhere on the ISP’s network. Notably, no additional 
proactive steps are required for an ISP to avail itself of this immunity. 
However, for a variety of reasons, some institutions have made a policy 
decision to treat these notices as if they fall under Section 512(c), 
terminating users from the network unless and until the infringing content is 
removed. Often such activity is handled through a student affairs process, 
rather than as a legal or IT matter, so as to seize upon a “teachable moment” 
for students. And while there may be no legal requirements under this section 
of the DMCA, the HEOA requirements still apply. See Question 18.


Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Neumann, Paul
Sent: Friday, April 16, 2021 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I agree that forcing clients to jump through hoops unnecessarily is a Bad Thing. 
 Requiring someone to go through a simple self-service onboarding process (or 
proceed as guest without access to Uni resources) does not seem unreasonable to 
me.  The problem is that we do these measures because we have to.  Federal 
requirements such as DMCA, CALEA force us to know with reasonable certainty who 
is using the network and to be able to provide those records upon demand – 
which for DMCA happens regularly.  I need to be able to tell the Motion Picture 
Association of America that student X downloaded Shrek at 10:10pm last night -- 
by federal law.

If there was a federal law requiring you to provide proof of who used the 
shower last night at 10:10pm at what time, there may also be an onboarding 
process/logins for your sinks and showers.

Universities occupy an interesting niche.  We’re very reluctant to do things 
that most businesses have no problems doing.  Corporations have no problem 
disallowing BYOD, performing posture assessment upon login,  forcing you to 
install certs to allow deep packet inspection or forcing you through extremely 
restrictive proxies.  Requiring only a userid/password and unrestricted 
Internet would appear crazy to most large corporations.

Paul
--
Paul Neumann
Lead Network Engineer

Technology Solutions (Formerly ACCC) Network Services
University of Illinois at Chicago
E: pa...@uic.edu
P: (312) 355-0113

it.uic.edu
Visit the new UIC Help Center at help.uic.edu to find IT services, Answers, and 
Support!

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Jeffrey D. Sessler
Sent: Friday, April 16, 2021 11:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community 

RE: WPA3/OWE as campus solution?

2021-04-16 Thread Enfield, Chuck
I've been floating this idea to IT leadership for years, with no interest on 
their part.  We implemented an open guest network with no rate limiting about 
18 months ago, so now any student who doesn't want to onboard doesn't have to.  
I figured that would get the bosses asking why we bother to authenticate on the 
other SSID, but still no.  It's ironic that the people who constantly stress 
the importance of customer experience and regularly complain to me about the 
onboarding experience can't be bothered to consider obvious alternatives.  I 
wouldn't be so disappointed if we discussed the pros and cons and they came to 
a different conclusion than I have, but it sounds so radical to them that they 
don't even care to discuss it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and "business" clients) and simplifying with 
OWE/WPA3? Like... the open network that's actually moderately secure leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu




RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Neumann, Paul
I agree that forcing clients to jump through hoops unnecessarily is a Bad Thing. 
 Requiring someone to go through a simple self-service onboarding process (or 
proceed as guest without access to Uni resources) does not seem unreasonable to 
me.  The problem is that we do these measures because we have to.  Federal 
requirements such as DMCA, CALEA force us to know with reasonable certainty who 
is using the network and to be able to provide those records upon demand – 
which for DMCA happens regularly.  I need to be able to tell the Motion Picture 
Association of America that student X downloaded Shrek at 10:10pm last night -- 
by federal law.

If there was a federal law requiring you to provide proof of who used the 
shower last night at 10:10pm at what time, there may also be an onboarding 
process/logins for your sinks and showers.

Universities occupy an interesting niche.  We’re very reluctant to do things 
that most businesses have no problems doing.  Corporations have no problem 
disallowing BYOD, performing posture assessment upon login,  forcing you to 
install certs to allow deep packet inspection or forcing you through extremely 
restrictive proxies.  Requiring only a userid/password and unrestricted 
Internet would appear crazy to most large corporations.

Paul
--
Paul Neumann
Lead Network Engineer

Technology Solutions (Formerly ACCC) Network Services
University of Illinois at Chicago
E: pa...@uic.edu
P: (312) 355-0113

it.uic.edu
Visit the new UIC Help Center at help.uic.edu to find IT services, Answers, and 
Support!

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Friday, April 16, 2021 11:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?

If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

All good input- again, just thinking free here... thanks for playing the game.
Lee Badman (mobile)


On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:

So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that the 
ability for a bad actor with a connected device cannot recon nor exploit the 
other local connected devices, systems, apps, protocols.   Suggests all local 
traffic would have to be firewalled or proxied, or else the "network segment of 
one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then suggests that consequences of consumer IT product vendors 
implementing poor embedded software 

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Curtis, Bruce


> On Apr 16, 2021, at 9:17 AM, Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Exactly- hence the notion of simplifying… relying on application security, 
> 2FA etc for actual security while making simply connecting much, much easier.


So with important services protected by 2FA you might also have a record to 
map identities to devices.  For example here our authentication for many 
important services (including many protected by 2FA) go through a CAS web page 
which has a record of the ID and IP number and timestamp.

So if 80 % of your devices access a LMS like Blackboard or Canvas that 
require 2FA would that be a high enough percentage of identified devices to 
satisfy security requirements?  If not would 90 or 95 % be high enough?


> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
> 
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> 
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Tim Cappalli
> Sent: Friday, April 16, 2021 10:16 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
> 
>  
> 
> Just keep in mind that OWE does not have an identity layer.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
> Sent: Friday, April 16, 2021 10:08
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?
> 
>  
> 
> One more for you all- anyone contemplating ditching 802.1X for the BYOD side 
> of your WLAN (not managed laptops and “business” clients) and simplifying 
> with OWE/WPA3? Like… the open network that’s actually moderately secure 
> leveraging the latest security options?
> 
>  
> 
> Thanks,
> 
>  
> 
> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
> 
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> 
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> 

Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.cur...@ndsu.edu
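The record Bruce describes (a web-SSO login log carrying user ID, client IP and timestamp) only maps an IP to a person if you also know which device held that IP at the time, and for how long. The example below is an added illustration written for this archive, not code from any poster or from CAS itself: it joins constructed SSO log lines with constructed IP-to-device association records (the layout of both is an assumption, not a real CAS or controller format), answers an "IP + timestamp, who was it?" question the way a DMCA-notice lookup would be run, and computes the "percentage of identified devices" figure Bruce asks about. It deliberately returns no answer when the IP had been re-issued to another device, when the device never touched an SSO-protected service, or when two different accounts logged in from the same device during one association.

```python
"""Join web-SSO auth records with WLAN IP-to-device associations.

All data below is constructed for the example. The log line layout
("<ts> cas login user=<id> ip=<addr>") and the lease fields are
assumptions, not any vendor's real format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class AuthRecord:
    ts: datetime   # when the SSO login happened
    user: str      # account that authenticated
    ip: str        # client address seen by the SSO server


@dataclass(frozen=True)
class Lease:
    """One device (MAC) holding one IP for a bounded interval."""
    ip: str
    mac: str
    start: datetime
    end: datetime

    def covers(self, when: datetime) -> bool:
        return self.start <= when <= self.end


def parse_ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 UTC stamp such as 2021-04-15T21:30:12Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cas_line(line: str) -> AuthRecord:
    """Parse one constructed SSO log line into an AuthRecord."""
    ts, _service, _event, user_kv, ip_kv = line.split()
    return AuthRecord(parse_ts(ts), user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1])


# Constructed sample SSO log (hypothetical users and RFC 1918 addresses).
CAS_LOG = [
    "2021-04-15T21:30:12Z cas login user=alice ip=10.20.30.5",
    "2021-04-15T22:40:00Z cas login user=bob ip=10.20.30.9",
    "2021-04-15T23:00:00Z cas login user=dave ip=10.20.30.9",
    "2021-04-16T02:05:41Z cas login user=carol ip=10.20.30.5",
]
AUTHS: List[AuthRecord] = [parse_cas_line(l) for l in CAS_LOG]

# Constructed IP-to-device associations. Note 10.20.30.5 is re-issued to a
# second device after midnight, and 10.20.30.7 never logs in anywhere.
LEASES: List[Lease] = [
    Lease("10.20.30.5", "aa:bb:cc:00:00:01", parse_ts("2021-04-15T20:00:00Z"), parse_ts("2021-04-15T23:59:00Z")),
    Lease("10.20.30.5", "aa:bb:cc:00:00:02", parse_ts("2021-04-16T00:30:00Z"), parse_ts("2021-04-16T06:00:00Z")),
    Lease("10.20.30.9", "aa:bb:cc:00:00:03", parse_ts("2021-04-15T20:00:00Z"), parse_ts("2021-04-16T06:00:00Z")),
    Lease("10.20.30.7", "aa:bb:cc:00:00:04", parse_ts("2021-04-15T20:00:00Z"), parse_ts("2021-04-16T06:00:00Z")),
]


def lease_for(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Which association held this IP at this instant, if any."""
    for lease in leases:
        if lease.ip == ip and lease.covers(when):
            return lease
    return None


def auths_for_lease(auths: List[AuthRecord], lease: Lease) -> List[AuthRecord]:
    """SSO logins from this IP while this particular device held it."""
    return [a for a in auths if a.ip == lease.ip and lease.covers(a.ts)]


def identify(leases: List[Lease], auths: List[AuthRecord], ip: str, when: datetime) -> Optional[str]:
    """Answer "who was behind <ip> at <when>?" or None when it cannot be said.

    An SSO login is attributed to the device that held the IP at login time,
    so logins are only trusted inside the same association; a login from a
    later holder of the same address is never counted.
    """
    lease = lease_for(leases, ip, when)
    if lease is None:
        return None          # nobody held the address then; nothing to attribute
    users = {a.user for a in auths_for_lease(auths, lease)}
    if len(users) != 1:
        return None          # never authenticated, or shared device: do not guess
    return users.pop()


def identified_fraction(leases: List[Lease], auths: List[AuthRecord]) -> float:
    """Share of device associations that carry at least one SSO identity."""
    if not leases:
        return 0.0
    identified = sum(1 for lease in leases if auths_for_lease(auths, lease))
    return identified / len(leases)


if __name__ == "__main__":
    print(identify(LEASES, AUTHS, "10.20.30.5", parse_ts("2021-04-15T22:10:00Z")))  # alice
    print(identify(LEASES, AUTHS, "10.20.30.5", parse_ts("2021-04-16T00:10:00Z")))  # None, gap between holders
    print(identify(LEASES, AUTHS, "10.20.30.9", parse_ts("2021-04-15T22:50:00Z")))  # None, two accounts
    print(f"{identified_fraction(LEASES, AUTHS):.0%} of associations identified")
</```

The coverage number (75% on the sample data) is the figure to put beside Bruce's 80/90/95 % question; the lookup shows why the answer is still "cannot match" for any device that only ever used non-SSO services, which is exactly the case the DMCA FAQ quoted earlier in the thread treats as requiring no further action.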




RE: [EXTERNAL] Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Brian Helman
I’m not sure you’re comparing oranges to oranges.  It’s not that your 
facilities director would tell you a water spigot would require a punch code to 
install, it’s that “you” would tell the facilities director that it takes too 
long and is too expensive to install the spigot, so they should just use 
electrical tape instead of sweating the pipe.

We all understand that home networks are simpler (although my home network 
probably rivals my work-enterprise network).  But how many of you are (or 
should) consider training on building home networks now that untrained staff 
are working from home and STILL complaining about connectivity problems after 
previously saying they never have at home?  I got into a head-scratching debate 
with a neighbor a couple years ago because his 2.4GHz router is set to channel 
5.  I tried to explain what he’s doing to the neighborhood.  He then lectured 
me on how he’s an engineer and knows RF.  So yeah, good luck with governance.

Sure making things simpler is always better, but just search the archives on 
the schools that tried the ‘wild west’ in their residence halls and quickly 
backtracked.

And don’t get me started on the failed experiment of the corporatization of 
academia…

-Brian

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 2:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL] Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Well said.
Lee Badman (mobile)


On Apr 16, 2021, at 12:47 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:

I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?
If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

All good input- again, just thinking free here... thanks for playing the game.
Lee Badman (mobile)


On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:

So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that the 
ability for a bad actor with a connected device cannot recon nor exploit the 
other local connected devices, systems, apps, protocols.   Suggests all local 
traffic would have to be firewalled or proxied, or else the "network segment of 
one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then suggests that consequences of consumer IT product vendors 
implementing poor embedded software 

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Ricardo Stella
I agree but to one extent. One could say we just open up WiFi like
Starbucks. Students, Faculty, Staff, visitors, anyone could just simply hop
on, check a box and connect.

But wouldn't it be better to do it more like we do at home? Have some type of
password or method of authenticating who can use the home network? After
all, you wouldn't want anyone from the street to come over and open the
spigot.  Or just park in front of your house and just wardrive.

A network with the simplest level of authentication for members of the
community is the ideal solution.  And if you want, also a "one-click" Guest
network.  But having students onboard I think it's overkill.

My .02...

On Fri, Apr 16, 2021 at 12:46 PM Jeffrey D. Sessler 
wrote:

> I’m all for the connection experience being as simple as possible. We
> subject our casual users to often extreme onboarding measures when they’ll
> never experience this outside of their 4-years, or even outside the college
> community.
>
>
>
> If we consider the forward march to SaaS and other aaS products in higher
> education, in the not so distant future, we’ll run almost nothing
> on-campus. Wireless will just be a commodity connection-point out to a
> bunch of Internet services. If an end user can “do what they need” at the
> myriad wifi hotspot locations in the US e.g. starbucks, then we shouldn’t
> need to ask them to jump through more hoops just because they are on a
> college campus.  Is there such a thing as wireless elitism?
>
>
>
> Perhaps the challenge with wireless is that it’s still a service owned and
> managed by IT? If the governance was customer focused, with goals centered
> on community experience vs enterprise risk, perhaps a happy medium could be
> reached between what the consumer of the service desires, and what those
> managing it can provide?
>
> If my facilities director told me that the water spigot I wanted installed
> in my building required a pass-code or onboarding before use, I’d consider
> them crazy. After all, my home version requires a simple turn of the
> handle.  When I look at what lengths some of us have gone with our
> college wifi, I wonder if the pass-code water spigot is far off.  
>
>
>
> Jeff
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Lee H Badman
> *Sent:* Friday, April 16, 2021 8:29 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> All good input- again, just thinking free here... thanks for playing the
> game.
>
> Lee Badman (mobile)
>
>
>
> On Apr 16, 2021, at 11:07 AM, David Logan  wrote:
>
> 
>
> So - truly thinking out loud...
>
>
>
> 1. To Tim's point on lack of identity, the unstated requirement that could
> be chosen to be fulfilled or not - there would need to be post-connect,
> post-activity monitoring such that "bad activity" could be detected,
> mitigated, prevented.  Anybody and any device within throw range of the
> WLAN could connect and do whatever they want, within the bounds of
> monitoring and enforcement at L2/L3/L7.  IRL - none of your doors have
> locks, but you could choose to implement security cameras if someone you
> don't know comes in to take the TV.
>
>
>
> 2.  It certainly suggests creating "network segments of one" to ensure
> that the ability for a bad actor with a connected device cannot recon nor
> exploit the other local connected devices, systems, apps, protocols.
>  Suggests all local traffic would have to be firewalled or proxied, or else
> the "network segment of one" architecture is unenforceable.
>
>
>
> 2a.   OR - it suggests a "don't care what happens between non-IT
> sanctioned systems" - i.e. if a bad actor on a moderately sized
> broadcast domain/subnet co-opts an attached non-IT device (like a smart TV)
> and "does something bad" - that's OK.  This then suggests that *consequences
> *of consumer IT product vendors implementing poor embedded software
> systems/exploitable protocols would trickle down to the end-user and back
> out to the consumer IT vendor.
>
>
>
> 2b.  Also suggests that if the local network segments are not policed
> using firewalls of some sort, then the local IT-managed systems (if there
> ARE any) - definitely need to be up to date on patch management and support
> and vendor-product-software security.
>
>
>
> -- Dave
>
>
>
>
>
> On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
> Not sure how, or even if you’d need to depending on how it all worked. No
> plan here, just discussion..
>
>
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * e* lhbad...@syr.edu *w* its.syr.edu
>
> Campus Wireless Policy:
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> 

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jonathan Waldrep
I have some more detailed thoughts that I'll share when I finish
hammering them out. This presentation from Columbia University probably
adds more to the conversation than I have to say, though:

https://www.youtube.com/watch?v=ihsXATBsLV8

On 2021-04-16 17:59:54+, Lee H Badman wrote:
> Well said.
> 
> Lee Badman (mobile)
> 
> On Apr 16, 2021, at 12:47 PM, Jeffrey D. Sessler  
> wrote:
> 
> 
> I’m all for the connection experience being as simple as possible. We subject 
> our casual users to often extreme onboarding measures when they’ll never 
> experience this outside of their 4-years, or even outside the college 
> community.
> 
> If we consider the forward march to SaaS and other aaS products in higher 
> education, in the not so distant future, we’ll run almost nothing on-campus. 
> Wireless will just be a commodity connection-point out to a bunch of Internet 
> services. If an end user can “do what they need” at the myriad wifi hotspot 
> locations in the US e.g. starbucks, then we shouldn’t need to ask them to 
> jump through more hoops just because they are on a college campus.  Is there 
> such a thing as wireless elitism?
> 
> Perhaps the challenge with wireless is that it’s still a service owned and 
> managed by IT? If the governance was customer focused, with goals centered on 
> community experience vs enterprise risk, perhaps a happy medium could be 
> reached between what the consumer of the service desires, and what those 
> managing it can provide?
> If my facilities director told me that the water spigot I wanted installed in 
> my building required a pass-code or onboarding before use, I’d consider them 
> crazy. After all, my home version requires a simple turn of the handle.  When 
> I look at what lengths some of us have gone with our college wifi, I wonder 
> if the pass-code water spigot is far off.  
> 
> Jeff
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Lee H Badman
> Sent: Friday, April 16, 2021 8:29 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
> 
> All good input- again, just thinking free here... thanks for playing the game.
> Lee Badman (mobile)
> 
> 
> On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:
> 
> So - truly thinking out loud...
> 
> 1. To Tim's point on lack of identity, the unstated requirement that could be 
> chosen to be fulfilled or not - there would need to be post-connect, 
> post-activity monitoring such that "bad activity" could be detected, 
> mitigated, prevented.  Anybody and any device within throw range of the WLAN 
> could connect and do whatever they want, within the bounds of monitoring and 
> enforcement at L2/L3/L7.  IRL - none of your doors have locks, but you could 
> choose to implement security cameras if someone you don't know comes in to 
> take the TV.
> 
> 2.  It certainly suggests creating "network segments of one" to ensure that 
> the ability for a bad actor with a connected device cannot recon nor exploit 
> the other local connected devices, systems, apps, protocols.   Suggests all 
> local traffic would have to be firewalled or proxied, or else the "network 
> segment of one" architecture is unenforceable.
> 
> 2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
> systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
> co-opts an attached non-IT device (like a smart TV) and "does something bad" 
> - that's OK.  This then suggests that consequences of consumer IT product 
> vendors implementing poor embedded software systems/exploitable protocols 
> would trickle down to the end-user and back out to the consumer IT vendor.
> 
> 2b.  Also suggests that if the local network segments are not policed using 
> firewalls of some sort, then the local IT-managed systems (if there ARE any) 
> - definitely need to be up to date on patch management and support and 
> vendor-product-software security.
> 
> -- Dave
> 
> 
> On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
>  wrote:
> Not sure how, or even if you’d need to depending on how it all worked. No 
> plan here, just discussion..
> 
> Lee Badman | Network Architect (CWNE#200)
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   e lhbad...@syr.edu w 
> its.syr.edu
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> SYRACUSE UNIVERSITY
> syr.edu
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>  On Behalf Of Tim Cappalli
> Sent: Friday, April 16, 2021 10:23 AM
> To: 
> 

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
Well said.

Lee Badman (mobile)

On Apr 16, 2021, at 12:47 PM, Jeffrey D. Sessler  
wrote:


I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4 years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US, e.g. Starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?

If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

All good input- again, just thinking free here... thanks for playing the game.
Lee Badman (mobile)


On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:

So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that the 
ability for a bad actor with a connected device cannot recon nor exploit the 
other local connected devices, systems, apps, protocols.   Suggests all local 
traffic would have to be firewalled or proxied, or else the "network segment of 
one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then suggests that consequences of consumer IT product vendors 
implementing poor embedded software systems/exploitable protocols would trickle 
down to the end-user and back out to the consumer IT vendor.

2b.  Also suggests that if the local network segments are not policed using 
firewalls of some sort, then the local IT-managed systems (if there ARE any) - 
definitely need to be up to date on patch management and support and 
vendor-product-software security.

-- Dave


On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
 wrote:
Not sure how, or even if you’d need to depending on how it all worked. No plan 
here, just discussion..

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: 

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jeffrey D. Sessler
I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4 years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US, e.g. Starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?

If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

All good input- again, just thinking free here... thanks for playing the game.
Lee Badman (mobile)


On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:

So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that the 
ability for a bad actor with a connected device cannot recon nor exploit the 
other local connected devices, systems, apps, protocols.   Suggests all local 
traffic would have to be firewalled or proxied, or else the "network segment of 
one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then suggests that consequences of consumer IT product vendors 
implementing poor embedded software systems/exploitable protocols would trickle 
down to the end-user and back out to the consumer IT vendor.

2b.  Also suggests that if the local network segments are not policed using 
firewalls of some sort, then the local IT-managed systems (if there ARE any) - 
definitely need to be up to date on patch management and support and 
vendor-product-software security.

-- Dave


On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
 wrote:
Not sure how, or even if you’d need to depending on how it all worked. No plan 
here, just discussion..

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
All good input- again, just thinking free here... thanks for playing the game.

Lee Badman (mobile)

On Apr 16, 2021, at 11:07 AM, David Logan  wrote:


So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that the 
ability for a bad actor with a connected device cannot recon nor exploit the 
other local connected devices, systems, apps, protocols.   Suggests all local 
traffic would have to be firewalled or proxied, or else the "network segment of 
one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then suggests that consequences of consumer IT product vendors 
implementing poor embedded software systems/exploitable protocols would trickle 
down to the end-user and back out to the consumer IT vendor.

2b.  Also suggests that if the local network segments are not policed using 
firewalls of some sort, then the local IT-managed systems (if there ARE any) - 
definitely need to be up to date on patch management and support and 
vendor-product-software security.

-- Dave


On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
 wrote:
Not sure how, or even if you’d need to depending on how it all worked. No plan 
here, just discussion..

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


Exactly- hence the notion of simplifying… relying on application security, 2FA 
etc for actual security while making simply connecting much, much easier.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?



Just keep in mind that OWE does not have an identity layer.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread David Logan
So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could
be chosen to be fulfilled or not - there would need to be post-connect,
post-activity monitoring such that "bad activity" could be detected,
mitigated, prevented.  Anybody and any device within throw range of the
WLAN could connect and do whatever they want, within the bounds of
monitoring and enforcement at L2/L3/L7.  IRL - none of your doors have
locks, but you could choose to implement security cameras if someone you
don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that
the ability for a bad actor with a connected device cannot recon nor
exploit the other local connected devices, systems, apps, protocols.
 Suggests all local traffic would have to be firewalled or proxied, or else
the "network segment of one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned
systems" - i.e. if a bad actor on a moderately sized
broadcast domain/subnet co-opts an attached non-IT device (like a smart TV)
and "does something bad" - that's OK.  This then suggests that *consequences*
of consumer IT product vendors implementing poor embedded software
systems/exploitable protocols would trickle down to the end-user and back
out to the consumer IT vendor.

2b.  Also suggests that if the local network segments are not policed using
firewalls of some sort, then the local IT-managed systems (if there ARE
any) - definitely need to be up to date on patch management and support and
vendor-product-software security.

-- Dave


On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman <
00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:

> Not sure how, or even if you’d need to depending on how it all worked. No
> plan here, just discussion..
>
>
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * e* lhbad...@syr.edu *w* its.syr.edu
>
> Campus Wireless Policy:
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
> *Sent:* Friday, April 16, 2021 10:23 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> How would you limit local services like printing, screen mirroring, media
> casting, etc?
> --
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu>
> *Sent:* Friday, April 16, 2021 10:17
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> Exactly- hence the notion of simplifying… relying on application security,
> 2FA etc for actual security while making simply connecting much, much
> easier.
>
>
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * e* lhbad...@syr.edu *w* its.syr.edu
>
> Campus Wireless Policy:
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> 
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
> *Sent:* Friday, April 16, 2021 10:16 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> Just keep in mind that OWE does not have an identity layer.
> --
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu>
> *Sent:* Friday, April 16, 2021 10:08
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> One more for you all- anyone contemplating ditching 802.1X for the BYOD
> side of your WLAN (not managed laptops and “business” clients) and
> simplifying with OWE/WPA3? Like… the open network that’s actually
> moderately secure leveraging the latest security 
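
A concrete form of the trade-off Dave describes (no identity at the link layer, compensated by client isolation and upstream monitoring/enforcement), as an added hostapd configuration that is not from any post in this thread: one BSS runs OWE for the BYOD side and isolates clients from each other, the second keeps 802.1X (WPA3-Enterprise) for managed devices. The interface names, SSIDs, channel, RADIUS address and secret placeholders are assumptions.

```ini
# Added example, not from the thread. Interface names, SSIDs, channel and
# the RADIUS address (documentation range) are assumptions.

# --- BSS 1: the "open but moderately secure" BYOD network (OWE / WPA3) ---
interface=wlan0
ssid=campus-byod
hw_mode=a
channel=36
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
# PMF required: OWE mandates management frame protection
ieee80211w=2
# OWE gives each client an individually encrypted link but no identity:
# nothing here ties a session to a person. The compensating control is to
# stop station-to-station traffic through this AP ("network segment of
# one") and rely on upstream monitoring and enforcement at L3/L7.
ap_isolate=1

# --- BSS 2: managed / "business" clients keep 802.1X (WPA3-Enterprise) ---
bss=wlan0_1
ssid=campus-secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
# RADIUS authentication (address and secret are placeholders)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_REAL_SECRET
# RADIUS accounting gives the per-user attribution that OWE cannot
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_REAL_SECRET
```

hostapd only treats lines beginning with `#` as comments, so settings and their comments stay on separate lines. `ap_isolate` only blocks forwarding between stations on the same AP; traffic that crosses to other APs or onto the wired segment still needs the firewalling or proxying Dave mentions, or the segment-of-one model is not actually enforced.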

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread James Andrewartha
Printing has auth, any decent screen mirroring solution requires a PIN, plus 
airgroup or similar to limit by location.

Sent from my Galaxy


 Original message 
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 16/4/21 22:22 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


Exactly- hence the notion of simplifying… relying on application security, 2FA 
etc for actual security while making simply connecting much, much easier.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?



Just keep in mind that OWE does not have an identity layer.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?



One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Michael Usher
Identifying the “owner” of a device is a mandatory requirement of the UC-wide 
IS policy, so we’re heading towards 802.1X, not away.

Our dorm networks are currently PSK with SafeConnect for user auth.  We’re 
planning to move to straight up 802.1X, but that means we need a fallback PSK 
network (iPSK really) for affiliated people to create their own personal PSK 
for their devices.  That way we still satisfy the IS requirements.

But we are also rolling out WPA3 on our WiFi-6 APs.

Also contemplating switching our Guest network from a registration portal to 
OpenRoaming, but that’s just in discussion phase.  Also enabling SAE for open 
auth on WiFi-6 APs.
—
Michael Usher
Network Operations Manager
University of California, Santa Cruz
mus...@ucsc.edu
831-459-3697

> On Apr 16, 2021, at 7:32 AM, Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Not sure how, or even if you’d need to depending on how it all worked. No 
> plan here, just discussion..
>  
> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu  w its.syr.edu 
> 
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems 
> 
> SYRACUSE UNIVERSITY
> syr.edu 
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Tim Cappalli
> Sent: Friday, April 16, 2021 10:23 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>  
> How would you limit local services like printing, screen mirroring, media 
> casting, etc?
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> on behalf of Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
> Sent: Friday, April 16, 2021 10:17
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>  
> Exactly- hence the notion of simplifying… relying on application security, 
> 2FA etc for actual security while making simply connecting much, much easier.
>  
> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu  w its.syr.edu
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems 
> 
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> On Behalf Of Tim Cappalli
> Sent: Friday, April 16, 2021 10:16 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>  
> Just keep in mind that OWE does not have an identity layer.
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> on behalf of Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
> Sent: Friday, April 16, 2021 10:08
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?
>  
> One more for you all- anyone contemplating ditching 802.1X for the BYOD side 
> of your WLAN (not managed laptops and “business” clients) and simplifying 
> with OWE/WPA3? Like… the open network that’s actually moderately secure 
> leveraging the latest security options?
>  
> Thanks,
>  
> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu  w its.syr.edu
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems 
> 
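
One way to express the per-person PSK fallback Michael describes, as an added hostapd configuration that is not from his message or from UC Santa Cruz: a WPA3-Personal (SAE) BSS where each affiliated person's password is bound to a registered device MAC, so the association itself answers "whose device is this?". The interface name, SSID, MAC addresses and passwords are constructed placeholders.

```ini
# Added example, not from the thread. Interface, SSID, MACs and passwords
# are constructed placeholders.
interface=wlan0
ssid=campus-dorm
hw_mode=a
channel=36
wpa=2
# SAE only: no WPA2-PSK transition mode on this BSS
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
# PMF is mandatory for WPA3-Personal
ieee80211w=2
# Per-device credentials, one line per registered device:
#   sae_password=<password>|mac=<device MAC>
# hostapd selects the password by the peer's MAC, so a credential is only
# usable from the device it was registered for. That binding is the
# "owner of a device" record the IS policy asks for.
sae_password=alice-dorm-secret-1|mac=02:00:00:00:00:01
sae_password=bob-dorm-secret-1|mac=02:00:00:00:00:02
# A sae_password line with no mac= part would be accepted from any station;
# leave such lines out if every device must be registered.
```

Because current phones and laptops randomize their MAC per SSID, the address registered here must be the one the device presents on this network, and a user who resets that "private address" will fail SAE until they re-register; the self-service portal Michael mentions is where that re-registration would happen.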

Re: [WIRELESS-LAN] 802.1X, onboarders, continued

2021-04-16 Thread Jonathan Waldrep
 We're another organization looking to move away from PEAP/MSCHAPv2. We
actually moved away from EAP-TLS a few years back due to lack of good
onboarding (it was before my time, so I don't have any more details
there).

 Our current setup is no onboarding tool, separate credentials for
network access, with a fallback to helpdesk using eduroamCAT.

 We are looking to move to EAP-TLS, so I am also interested in hearing
what others have to say. So far, the responses have been about what I
would expect.

On 2021-04-13 13:42:14+, Lee H Badman wrote:
> [...]
> * For your onboarder of choice (focusing on CAT Tool, Cloudpath ES,
>   and Secure W2) how responsive is the provider to support issues and
>   OS updates?
 As far as I can tell (and if someone has more up to date info, please
correct this), eduroamCAT is currently using some deprecated Android
APIs. This hasn't been a problem _yet_, but it does make it difficult to
verify that the device is set up correctly.

> * Are you using, or have you recently used CAT Tool, Cloudpath ES or
>   Secure W2 and found yourself dissatisfied with the tool or
>   vendor/provider- and why?
 eduroamCAT has the extra step of selecting your institution. It's a
small thing, but when the goal is to reduce friction as much as
possible, it is significant.

> * Here's the fun one, asked in complete seriousness: has anyone gone
>   down the road of robustly securing staff/"company" devices while
>   turning the general wireless network into a wide-open WLAN, relying
>   on other controls to provide security?
 I'll tackle this one in a follow up to your more recent thread.

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community




RE: WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
Not sure how, or even if you'd need to depending on how it all worked. No plan 
here, just discussion..

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


Exactly- hence the notion of simplifying... relying on application security, 
2FA etc for actual security while making simply connecting much, much easier.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?



Just keep in mind that OWE does not have an identity layer.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?



One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and "business" clients) and simplifying with 
OWE/WPA3? Like... the open network that's actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


Re: WPA3/OWE as campus solution?

2021-04-16 Thread Tim Cappalli
How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


Exactly- hence the notion of simplifying… relying on application security, 2FA 
etc for actual security while making simply connecting much, much easier.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?



Just keep in mind that OWE does not have an identity layer.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?



One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu




RE: WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
Exactly- hence the notion of simplifying... relying on application security, 
2FA etc for actual security while making simply connecting much, much easier.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Just keep in mind that OWE does not have an identity layer.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?


One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and "business" clients) and simplifying with 
OWE/WPA3? Like... the open network that's actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu





Re: WPA3/OWE as campus solution?

2021-04-16 Thread Tim Cappalli
Just keep in mind that OWE does not have an identity layer.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?


One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu





WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and "business" clients) and simplifying with 
OWE/WPA3? Like... the open network that's actually moderately secure leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

