Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
“Their rationale is that to get the protections afforded to ISP’s under DMCA we need to inform users that they’re not allowed to share copyrighted materials and that their connection will be blocked if they do. For account holders we make them agree to these terms and more when they activate their account. But if the network doesn’t require an account this notification seems to demand a captive portal.”

I don’t think this is correct at all. EDUCAUSE has done extensive research on DMCA and college networks, and here is info I’ve supplied before. HEOA added some obligations, such as combating P2P, but that’s a different beast. Under the DMCA, the ISP only has to, upon learning of the infringing transmission, act quickly to remove or disable access to the infringing transmission. We can carry that out with no knowledge of who’s behind the device. That said, it only applies to resources owned by the institution.

Here is some key info in case you’re interested. Some of it is sourced from an EDUCAUSE FAQ for DMCA designated agents in higher-ed. If you’re interested, here is the link: https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/dmca-faq

If your institution, after taking reasonable efforts to investigate and match a user to the IP address designated in the DMCA notice, cannot, for technical or other legitimate reasons, match a user to this IP address, the DMCA does not specifically require any other action. The DMCA does not include a records retention requirement for logs. So, if your record retention for radius, dhcp, etc. is only 7 days, and a DMCA notice arrives for something that occurred 14 days ago, then you are under no obligation to do more.

Resources owned by an institution—such as faculty, staff, or computer lab computers—fall under 17 U.S.C. Section 512(c). This section provides a safe harbor for an ISP so that it is not liable for monetary damages for infringing materials on its servers provided it does not have “actual knowledge” of the infringing material, does not receive a direct financial benefit from the infringement, and, when notified, responds “expeditiously” to remove the infringing material or disable access to such material.

Most student and guest activity on university networks occurs through personally owned equipment and thus falls under 17 U.S.C. Section 512(a). This section provides immunity to the ISP for information that simply transits the ISP’s networks, with no direction, input, or interference from the ISP itself, and is not stored anywhere on the ISP’s network. Notably, no additional proactive steps are required for an ISP to avail itself of this immunity. However, for a variety of reasons, some institutions have made a policy decision to treat these notices as if they fall under Section 512(c), terminating users from the network unless and until the infringing content is removed. Often such activity is handled through a student affairs process, rather than as a legal or IT matter, so as to seize upon a “teachable moment” for students.

Jeff
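The retention point made above (a notice's IP address can only be matched to a device while the DHCP or RADIUS records for that time still exist) as an added Python example; this is not code from any list member or from EDUCAUSE, and the lease-log format, the 7-day window and every sample line are constructed for illustration:

```python
"""Match the IP address and timestamp from a DMCA notice to a device using
DHCP lease logs, honouring the site's log-retention window.

Added example for this thread; not code from any list member or from EDUCAUSE.
The lease-log format, the 7-day retention period and all sample lines are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import List, Optional, Tuple

# The thread's example: RADIUS/DHCP records are kept for only 7 days.
RETENTION = timedelta(days=7)

# Constructed sample lease log, one event per line:
#   <UTC timestamp> <LEASE|RELEASE> <ip> <mac>
SAMPLE_LOG = """\
2019-09-04T10:00:00Z LEASE 203.0.113.45 aa:bb:cc:dd:ee:01
2019-09-06T09:00:00Z LEASE 203.0.113.45 aa:bb:cc:dd:ee:02
2019-09-06T09:15:00Z LEASE 203.0.113.46 aa:bb:cc:dd:ee:03
2019-09-07T08:00:00Z RELEASE 203.0.113.45 aa:bb:cc:dd:ee:02
"""


@dataclass(frozen=True)
class LeaseEvent:
    ts: datetime  # timezone-aware, normalised to UTC
    event: str    # "LEASE" or "RELEASE"
    ip: str
    mac: str


def parse_time(text: str) -> datetime:
    """Parse an ISO-8601 timestamp with a UTC offset ('Z' accepted).

    A timestamp without an offset is rejected: notices arrive from many
    time zones, and guessing the zone is the classic way to name the
    wrong device.
    """
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)


def parse_log(text: str) -> List[LeaseEvent]:
    """Parse the lease log into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, mac = line.split()
        ip_address(ip)  # raises ValueError on a malformed address
        events.append(LeaseEvent(parse_time(ts), event.upper(), ip, mac.lower()))
    return sorted(events, key=lambda e: e.ts)


def resolve_notice(ip: str, when: str, now: str, events: List[LeaseEvent],
                   retention: timedelta = RETENTION) -> Tuple[str, Optional[str]]:
    """Return ("outside_retention" | "no_match" | "match", mac or None).

    Only events at or before the notice time are replayed: a lease that
    started afterwards says nothing about who held the address then.
    """
    notice_ts = parse_time(when)
    if parse_time(now) - notice_ts > retention:
        # The records for that period no longer exist; nothing more to do.
        return ("outside_retention", None)
    ip = str(ip_address(ip))
    holder = None
    for e in events:
        if e.ts > notice_ts:
            break  # events are sorted, so the rest are too late to matter
        if e.ip != ip:
            continue
        if e.event == "LEASE":
            holder = e.mac
        elif e.event == "RELEASE" and e.mac == holder:
            holder = None
    return ("match", holder) if holder else ("no_match", None)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    now = "2019-09-10T00:00:00Z"
    for notice in [("203.0.113.45", "2019-09-06T12:00:00Z"),
                   ("203.0.113.45", "2019-08-27T12:00:00Z")]:
        print(notice, "->", resolve_notice(*notice, now, events))
```

A RADIUS accounting log can be replayed the same way to turn the MAC into an account holder, which is the step that does not exist for an open SSID.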
RE: [WIRELESS-LAN] Feasibility of an open SSID for student use
The problem with out of band notifications is that you don’t know who is on an unauthenticated network. Certainly it’s more than just students.

I’m not suggesting you should change to captive portal. While the statute is reasonably clear on how to qualify for the protections, it’s unclear how much risk is assumed by operating without those protections. As long as you made an informed choice, I won’t argue with you.
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
We also run a completely open SSID. There is a captive portal, but it's at the gateway rather than the wireless controller, so the same mechanism can also handle wired connections, and it's only used for enforcement. New visitors can get on the network without seeing the captive page.

> to get the protections afforded to ISP’s under DMCA we need to inform users
> that they’re not allowed to share copyrighted materials and that their
> connection will be blocked if they do.

We handle the notification out-of-band for our students. We have to notify them; we don't necessarily have to use a captive portal to do it right at connection time. The information is included with the account activation for new students, repeated during orientation, repeated again via e-mail near the start of each term, repeated again on the gateway capture page for early offenses, and included in the student handbook. If it were to come to the point of a block, we can give specific devices a capture page with no way to click through. But our policy also includes this text:

    Internet access today is more than a simple privilege, but is now necessary for continued successful progress in academic pursuits. Student actions which require the Department of Information Technology and the Office of Student Development to conclude it is no longer appropriate to allow a student to continue using the campus network may therefore result in dismissal of the student.

Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu

Please contact helpd...@york.edu for technical assistance.

The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society.
RE: [WIRELESS-LAN] Feasibility of an open SSID for student use
Has anyone got the eduroam CAT working with EAP-TLS? Couldn’t find a good way for loading the certificates. May have missed the documentation for that portion.
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
We try to steer eduroam capable devices off our guest network by blocking the ranges from authenticating to the main services portal. If students are trying to do work, I hope they aren’t reduced to a PS4 web browser.

Thanks,
Joseph B.
RE: [WIRELESS-LAN] Feasibility of an open SSID for student use
“We run eduroam and a completely open guest SSID. The open SSID has no captive portal, no click through terms of services, and no restrictions on Internet access for content or speed.”

I’m jealous Felix. I made a strong push for this approach, but General Counsel stopped it. FWIW, I think they got it right, but life would be easier and users would be happier your way.

Their rationale is that to get the protections afforded to ISP’s under DMCA we need to inform users that they’re not allowed to share copyrighted materials and that their connection will be blocked if they do. For account holders we make them agree to these terms and more when they activate their account. But if the network doesn’t require an account this notification seems to demand a captive portal.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
Sent: Friday, September 13, 2019 8:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’d pay a fair price for an easily administered solution that lets us roll out PPSK in the dorms and deploy broadcast/multicast domains scoped to specific users.

We run eduroam and a completely open guest SSID. The open SSID has no captive portal, no click through terms of services, and no restrictions on Internet access for content or speed. That SSID bridges through to VLANs in a DMZ, and its only real restriction is that it can only reach proper public IP addresses on campus, plus 2-3 applications on private IPs that are specifically permitted. That’s enforced on the firewalls between campus and the DMZ.

We do see quite a lot of students on that SSID permanently. As a huge amount of our student applications are either cloud hosted or available on the public Internet, that works just fine for them. We’d prefer them on eduroam, but user experience trumps our preferences. The only real problem is devices such as Sonos sound bars, Google appliances, and other devices that will only support PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll care about where devices are. At that point it seems not just more user friendly but easier for IT overall to just throw reasonable security in front of web apps that the student and faculty population need to access, and let them sit on the SSID that’s easier to get on to. Administrative machines under central control would probably be kept on properly authenticated networks, but those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,

Felix Windt
Dartmouth College

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Rumford, Charles" <charl...@isc.upenn.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, September 12, 2019 at 2:26 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I agree that complicated onboarding is the worst from the end user perspective and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. The biggest hurdle I ran into with it was the randomization of MAC addresses for devices. I've been told Android 10 has it on by default, and I know that Windows supports it also. I could only see issues from a support issue coming down the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A

(Sent from Mobile)

From: "Enfield, Chuck" <cae...@psu.edu>
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded. And for those who think that security is more important than the user experience in some cases, I wouldn’t argue, but I would point out that an improperly configured 1x device puts the user’s credentials at risk. 802.1x isn’t all upside from a security perspective either.

Chuck
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
https://community.arubanetworks.com/t5/Wireless-Access/Android-Q-Randomized-MAC-Address-System-Default/td-p/526263

Trent Hurt
University of Louisville
802.1x isn’t all upside from a security perspective either. Chuck From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jeffrey D. Sessler Sent: Thursday, September 12, 2019 1:46 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike any other wireless experience an individual will encounter in their life i.e. any other wifi-enabled location/venue. With the growing trend of EDUs moving to SaaS and other Cloud solutions, wireless will be nothing but a gateway to those external services. When it’s easier to consume those services via one’s own unlimited-data cellular connection, or go to Starbucks, it may be time for us (EDU’s) to reevaluate our approach. Besides a purely open network, the next-best (same?) experience to home would be something like PPSK or for the
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Cappalli, Tim (Aruba Security)
Sent: Friday, September 13, 2019 8:37:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Just a clarification. Android 10 generates a MAC address per ESSID for the lifetime of the OS instance. It does not change daily.
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Felix Windt
Date: Friday, September 13, 2019 at 8:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"

I’d pay a fair price for an easily administered solution that lets us roll out PPSK in the dorms and deploy broadcast/multicast domains scoped to specific users.

We run eduroam and a completely open guest SSID. The open SSID has no captive portal, no click-through terms of service, and no restrictions on Internet access for content or speed. That SSID bridges through to VLANs in a DMZ, and its only real restriction is that it can only reach proper public IP addresses on campus, plus 2-3 applications on private IPs that are specifically permitted. That’s enforced on the firewalls between campus and the DMZ.

We do see quite a lot of students on that SSID permanently. As a huge amount of our student applications are either cloud hosted or available on the public Internet, that works just fine for them. We’d prefer them on eduroam, but user experience trumps our preferences. The only real problem is devices such as Sonos sound bars, Google appliances, and other devices that will only support PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll care about where devices are. At that point it seems not just more user friendly but easier for IT overall to just throw reasonable security in front of web apps that the student and faculty population need to access, and let them sit on the SSID that’s easier to get on to. Administrative machines under central control would probably be kept on properly authenticated networks, but those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,
Felix Windt
Dartmouth College
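The firewall rule Felix describes (an open guest SSID bridged into a DMZ, with reachable campus destinations limited to public addresses plus a couple of explicitly permitted private-IP applications) can be modelled as a small policy evaluator. This is an added example, not Dartmouth's or any vendor's configuration: the 198.51.100.0/24 campus block, the 10.20.30.x application addresses and their ports are invented placeholders. The ordering of the checks is the point: explicit exceptions first, then campus public space, then a blanket deny on all private space, and only then the Internet.

```python
"""Model of a guest-DMZ firewall policy: Internet and campus public space are
reachable, campus private space is denied except for a short allowlist of
specific applications.  Added illustration; all addresses are constructed.
"""
import ipaddress

# Constructed: the campus's public allocation as seen from the guest DMZ
# (198.51.100.0/24 is a documentation range standing in for a real block).
CAMPUS_PUBLIC = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed: private space that guest traffic must not reach by default.
CAMPUS_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: the "2-3 applications on private IPs" permitted by exception,
# keyed by (address, TCP port) so each hole is no wider than its application.
PERMITTED_APPS = {
    (ipaddress.ip_address("10.20.30.40"), 443),  # e.g. print-release portal
    (ipaddress.ip_address("10.20.30.41"), 443),  # e.g. room-booking app
}


def decide(dst: str, port: int) -> str:
    """Verdict for one guest flow: 'allow:<reason>' or 'deny:<reason>'.

    Order matters: exceptions are tested before the private-space deny, and
    campus public space before the generic Internet test, because the
    documentation range used here is not treated as global by ipaddress.
    """
    addr = ipaddress.ip_address(dst)
    if (addr, port) in PERMITTED_APPS:
        return "allow:permitted-app"
    if any(addr in net for net in CAMPUS_PUBLIC):
        return "allow:campus-public"
    if any(addr in net for net in CAMPUS_PRIVATE):
        return "deny:campus-private"
    # Loopback, link-local, multicast and other reserved space never leave
    # the guest segment; everything genuinely routable is open Internet.
    if addr.is_multicast or not addr.is_global:
        return "deny:non-routable"
    return "allow:internet"


def evaluate(flows):
    """Apply decide() to (dst, port) pairs; returns (dst, port, verdict) triples."""
    return [(dst, port, decide(dst, port)) for dst, port in flows]


if __name__ == "__main__":
    sample_flows = [  # constructed
        ("198.51.100.7", 443),  # campus web server on public space
        ("10.20.30.40", 443),   # permitted private-IP application
        ("10.20.30.40", 22),    # same host, SSH: not permitted
        ("192.168.1.1", 80),    # arbitrary private address
        ("8.8.8.8", 53),        # Internet
        ("169.254.1.1", 80),    # link-local
    ]
    for dst, port, verdict in evaluate(sample_flows):
        print(f"{dst}:{port} -> {verdict}")
```

The allowlist is keyed on address and port rather than address alone, so a permitted application host does not become a pivot into the rest of its subnet on other services; that is the part of such a rule that is easiest to get wrong when it is expressed as a plain host exception on the firewall.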
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
2nd that, self-guided EAP-PEAP is convenient, but the Evil Twin Attack isn't exactly new or difficult.

In the past I've used an optional layered approach. Give an option on the open SSID captive portal for initial onboarding, or limited Guest access (weekly type) captive portal re-login after student credentials. With open SSID disclaimers that no one reads, of course. One place asked for a counter so the user could only do the extended captive portal 3 times. Android 10 now defaulting daily MAC randomization on Open SSIDs is likely going to kill this type of option.

If EAP-PEAP on the 802.1x, give another optional captive portal that pops back up every so often, once a month or once a semester type deal, reminding them they should OnBoard for EAP-TLS. This tends to stagger the more arduous adopters and reduce the help desk calls after password resets.

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
> My crystal ball wish is to have that PPSK/IPSK solution then group that
> user’s devices into a private virtual home network, providing something that
> approaches their home experience.

Cisco introduced “private groups” to iPSK in 8.8: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_Identity_PSK_Feature_Deployment_Guide.html#ariaid-title13

We don’t have any controllers on 8.8 yet, so I haven’t had an opportunity to experiment with it. If I had to guess, based on the fact they rolled this feature into peer to peer blocking, it only affects unicast traffic. There is no indication it would convert broadcast/multicast to unicast and forward it to members of the same group. For that reason, I suspect this is not exactly what you had in mind… but it may be the closest thing we get for a while.

--
Doug Hoffman
Network Specialist
Office of Technology
Bloomsburg University of Pennsylvania
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Rumford, Charles"
Date: Thursday, September 12, 2019 at 2:26 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"

I agree that complicated onboarding is the worst from the end user perspective and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. The biggest hurdle I ran into with it was the randomization of MAC addresses for devices. I've been told Android 10 has it on by default, and I know that Windows supports it also. I could only see issues from a support issue coming down the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)
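Tim's clarification (one randomized MAC per ESSID for the life of the OS install), the note above that Android 10 randomizes by default on open SSIDs, and Charles's concern about a PPSK/MPSK design keyed on device MAC all come down to the same operational check: how many leases carry a locally administered address, and which devices now show up under more than one MAC. The following is an added example, not code from any poster or vendor. The lease-log format is invented, and the DHCP hostname is used only to make the per-SSID address change visible in the constructed sample; it is client-supplied and not a device identity.

```python
"""Spot OS-randomized client MAC addresses in wireless lease logs.

Added illustration for this thread, not code from any poster or vendor.
Assumptions: a constructed log format with one DHCP lease per line carrying
ssid=, mac= and host= fields.
"""
import re
from collections import defaultdict

# Constructed sample leases. "pixel-3" models an Android 10 device that
# presents a different randomized MAC on each SSID; the laptop and the
# Sonos present their burned-in (OUI-based) addresses everywhere.
SAMPLE_LOG = """\
2019-09-12T08:01:02 ssid=Campus-Secure mac=3c:22:fb:01:02:03 host=annas-laptop
2019-09-12T08:03:10 ssid=Campus-Open   mac=da:1f:30:9a:bc:de host=pixel-3
2019-09-12T08:03:55 ssid=Campus-Secure mac=96:44:2b:aa:bb:cc host=pixel-3
2019-09-12T08:10:00 ssid=Campus-Open   mac=3c:22:fb:01:02:03 host=annas-laptop
2019-09-12T08:12:30 ssid=Campus-Secure mac=f4:5c:89:11:22:33 host=sonos-bar
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"ssid=(?P<ssid>\S+)\s+mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+host=(?P<host>\S+)"
)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 in the first octet) is set.

    IEEE 802 reserves that bit for locally administered addresses. OS MAC
    randomization (Android 10 and Windows, per the thread) sets it, while a
    factory address carries a registered OUI with the bit clear.  It is a
    strong hint rather than proof: some virtual NICs also set the bit.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(log: str):
    """Yield (ssid, mac, host) tuples, skipping lines that do not match."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ssid"), m.group("mac").lower(), m.group("host")


def randomized_leases(log: str) -> list:
    """Leases whose client MAC looks OS-randomized."""
    return [(s, m, h) for s, m, h in parse_leases(log) if is_locally_administered(m)]


def macs_per_host(log: str) -> dict:
    """Map each hostname to the set of MACs it has leased."""
    seen = defaultdict(set)
    for _, mac, host in parse_leases(log):
        seen[host].add(mac)
    return dict(seen)


def hosts_with_multiple_macs(log: str) -> list:
    """Hosts that appeared under more than one MAC: exactly the devices a
    MAC-keyed PPSK/MPSK or MAC-bypass design would see as separate or
    unknown clients."""
    return sorted(h for h, macs in macs_per_host(log).items() if len(macs) > 1)


if __name__ == "__main__":
    for ssid, mac, host in randomized_leases(SAMPLE_LOG):
        print(f"randomized MAC {mac} on {ssid} from {host}")
    print("hosts with several MACs:", hosts_with_multiple_macs(SAMPLE_LOG))
```

Run against real DHCP or RADIUS accounting exports, the share of locally administered addresses is the quickest way to size how much of the client base a MAC-based device registry would mis-identify before committing to that design.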
RE: [WIRELESS-LAN] Feasibility of an open SSID for student use
From: "Enfield, Chuck"
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Seconded. And for those who think that security is more important than the user experience in some cases, I wouldn’t argue, but I would point out that an improperly configured 1x device puts the user’s credentials at risk. 802.1x isn’t all upside from a security perspective either.

Chuck
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jeffrey D. Sessler
Sent: Thursday, September 12, 2019 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike any other wireless experience an individual will encounter in their life, i.e. any other wifi-enabled location/venue. With the growing trend of EDUs moving to SaaS and other Cloud solutions, wireless will be nothing but a gateway to those external services. When it’s easier to consume those services via one’s own unlimited-data cellular connection, or go to Starbucks, it may be time for us (EDUs) to reevaluate our approach.

Besides a purely open network, the next-best (same?) experience to home would be something like PPSK or, for the Cisco folks, IPSK. You get something slightly better than an open network, but it’s PSK and all of those wonderful IoT devices just work. My crystal ball wish is to have that PPSK/IPSK solution then group that user’s devices into a private virtual home network, providing something that approaches their home experience.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Kurtis Olsen
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, September 12, 2019 at 9:27 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding process and have been asked to look at providing an Open SSID that has little to no onboarding. I see an advantage being the ease of connecting but I have some concerns, mainly about providing a secure environment.

Our current onboarding process works like this. Users connect to our Wolverine-WIFI SSID. They then authenticate through our NAC solution which forces laptops to download a client. This client scans their device for Antivirus and OS updates. If it fails the scan they have access to get these updates. Once it passes they are moved to our wireless production VLAN. There are no clients or scans for cellular devices at this time. Users then have the option to join our Wolverine-Secure which authenticates by cert using SecureW2’s services.

I am curious if anyone else is using a completely open network for their general population or any other suggestions of how this can be simplified.

Kurtis Olsen
Director – Network & Telecom
Utah Valley University
800 W University Parkway
Orem, UT 84058
801-863-8000
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
On 9/12/19 12:36 PM, Lee H Badman wrote:
> We currently use an open network with private IP addressing that is very limited
> on where it can go. Connect to SSID, open browser, go to our Cloudpath wizard
> (has been replaced with appliance, but we haven’t decided if we are interested
> in that). Get configured for 802.1X, have a few settings tweaked, and off you go
> to the secure network automatically. Has worked well for years.

We do something similar, but with SecureW2 for EAP-TTLS/PAP. We had issues with the workflow for TLS.

> -Lee
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003 *e* lhbad...@syr.edu <mailto:lhbad...@syr.edu> *w* its.syr.edu
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv
> *On Behalf Of* Kurtis Olsen
> *Sent:* Thursday, September 12, 2019 12:18 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Feasibility of an open SSID for student use

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0x173F5F3A (2018/07/05)