RE: [WIRELESS-LAN] Onboarding Android devices

2018-08-08 Thread Jason Cook
We use Cloudpath and are happy; we allow users to stumble through PEAP/MSCHAP 
if they want but really push onboarding EAP-TLS. It's annoying with most 
Androids and all Windows to have to download the app but still more 
consistently successful and easier than other methods quite often when dealing 
with cheaper import Android devices. The profile install method that iOS/OSX 
has had for ages is awesome, and now available for newer Droids.

We want to get to a point of forcing EAP-TLS but have other fish to fry for 
now. Without onboarding you can be pretty confident most Windows and Android 
devices are not configured in the most secure way... I think Apple is a bit 
better at auto it but might be wrong.

--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

CRICOS Provider Number 00123M

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Norman Elton
Sent: Wednesday, 8 August 2018 11:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Onboarding Android devices

Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some users to 
stumble through the process? Or do you somehow encourage all users to use the 
onboarding tool? Obviously the tool would be required if you're going down the 
EAP-TLS path.

Norman
On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations) 
 wrote:
>
> We changed onboarding tools for non-AD devices to SecureW2 last September and 
> have been more than happy with their service & support.
>
> They tend to officially support OS versions before official release, which 
> can be useful in a Higher-Ed environment.
>
> Bruce Osborne
> Liberty University
>
> -Original Message-
> From: Norman Elton [mailto:normel...@gmail.com]
> Sent: Tuesday, August 7, 2018 3:25 PM
> Subject: Onboarding Android devices
>
> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, 
> allowing users to connect with their domain credentials. We've shied away 
> from onboarding tools like SecureW2, especially for student devices, as they 
> seem more cumbersome than just having the user configure the connection 
> properly the first time.
>
> Preparing for the fall, we've noticed that recent versions of Android make 
> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the 
> user to validate the certificate by domain, which is great.
> Although the steps to get this setup are far from intuitive.
>
> 8.0 doesn't give that option, instead displaying a scary warning, "This 
> connection will not be secure". The user is forced to go ahead with "do not 
> validate certificate", leaving them open to leak their credentials to a rogue 
> AP. Far from ideal.
>
> Theoretically, we could ask the user to trust the CA certificate in advance, 
> and (hopefully) the warning message would go away. But I haven't gotten this 
> to work.
>
> Is there a general consensus that these devices are better served with an 
> onboarding tool that can accommodate the various flavors of Android? Or is 
> there a recipe for a user to setup 802.1x securely (with some sort of 
> certificate validation) on Android devices pre-8.1?
>
> Thanks,
>
> Norman Elton
>
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-08 Thread Turner, Ryan H
That’s the problem with non-TLS EAP methods. You cannot guarantee anyone will 
use the process. It is a huge security issue as far as I am concerned.

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Aug 8, 2018, at 9:39 AM, Norman Elton  wrote:
> 
> Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some
> users to stumble through the process? Or do you somehow encourage all
> users to use the onboarding tool? Obviously the tool would be required
> if you're going down the EAP-TLS path.
> 
> Norman
> On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations)
>  wrote:
>> 
>> We changed onboarding tools for non-AD devices to SecureW2 last September 
>> and have been more than happy with their service & support.
>> 
>> They tend to officially support OS versions before official release, which 
>> can be useful in a Higher-Ed environment.
>> 
>> Bruce Osborne
>> Liberty University
>> 
>> -Original Message-
>> From: Norman Elton [mailto:normel...@gmail.com]
>> Sent: Tuesday, August 7, 2018 3:25 PM
>> Subject: Onboarding Android devices
>> 
>> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, 
>> allowing users to connect with their domain credentials. We've shied away 
>> from onboarding tools like SecureW2, especially for student devices, as they 
>> seem more cumbersome than just having the user configure the connection 
>> properly the first time.
>> 
>> Preparing for the fall, we've noticed that recent versions of Android make 
>> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the 
>> user to validate the certificate by domain, which is great.
>> Although the steps to get this setup are far from intuitive.
>> 
>> 8.0 doesn't give that option, instead displaying a scary warning, "This 
>> connection will not be secure". The user is forced to go ahead with "do not 
>> validate certificate", leaving them open to leak their credentials to a 
>> rogue AP. Far from ideal.
>> 
>> Theoretically, we could ask the user to trust the CA certificate in advance, 
>> and (hopefully) the warning message would go away. But I haven't gotten this 
>> to work.
>> 
>> Is there a general consensus that these devices are better served with an 
>> onboarding tool that can accommodate the various flavors of Android? Or is 
>> there a recipe for a user to setup 802.1x securely (with some sort of 
>> certificate validation) on Android devices pre-8.1?
>> 
>> Thanks,
>> 
>> Norman Elton
>> 



Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-08 Thread Norman Elton
Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some
users to stumble through the process? Or do you somehow encourage all
users to use the onboarding tool? Obviously the tool would be required
if you're going down the EAP-TLS path.

Norman
On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations)
 wrote:
>
> We changed onboarding tools for non-AD devices to SecureW2 last September and 
> have been more than happy with their service & support.
>
> They tend to officially support OS versions before official release, which 
> can be useful in a Higher-Ed environment.
>
> Bruce Osborne
> Liberty University
>
> -Original Message-
> From: Norman Elton [mailto:normel...@gmail.com]
> Sent: Tuesday, August 7, 2018 3:25 PM
> Subject: Onboarding Android devices
>
> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, 
> allowing users to connect with their domain credentials. We've shied away 
> from onboarding tools like SecureW2, especially for student devices, as they 
> seem more cumbersome than just having the user configure the connection 
> properly the first time.
>
> Preparing for the fall, we've noticed that recent versions of Android make 
> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the 
> user to validate the certificate by domain, which is great.
> Although the steps to get this setup are far from intuitive.
>
> 8.0 doesn't give that option, instead displaying a scary warning, "This 
> connection will not be secure". The user is forced to go ahead with "do not 
> validate certificate", leaving them open to leak their credentials to a rogue 
> AP. Far from ideal.
>
> Theoretically, we could ask the user to trust the CA certificate in advance, 
> and (hopefully) the warning message would go away. But I haven't gotten this 
> to work.
>
> Is there a general consensus that these devices are better served with an 
> onboarding tool that can accommodate the various flavors of Android? Or is 
> there a recipe for a user to setup 802.1x securely (with some sort of 
> certificate validation) on Android devices pre-8.1?
>
> Thanks,
>
> Norman Elton
>


Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-08 Thread Walter Reynolds
Having users get the certificate installed is to me more of a hassle than
running the onboarding tool.  It also helps with some of the less common
devices.  While those are fewer and farther apart it does save a little
time.

Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Aug 7, 2018 at 3:38 PM Norman Elton  wrote:

> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo,
> allowing users to connect with their domain credentials. We've shied
> away from onboarding tools like SecureW2, especially for student
> devices, as they seem more cumbersome than just having the user
> configure the connection properly the first time.
>
> Preparing for the fall, we've noticed that recent versions of Android
> make the process a little more cumbersome. It appears that 8.1 & 9.0
> allow the user to validate the certificate by domain, which is great.
> Although the steps to get this setup are far from intuitive.
>
> 8.0 doesn't give that option, instead displaying a scary warning,
> "This connection will not be secure". The user is forced to go ahead
> with "do not validate certificate", leaving them open to leak their
> credentials to a rogue AP. Far from ideal.
>
> Theoretically, we could ask the user to trust the CA certificate in
> advance, and (hopefully) the warning message would go away. But I
> haven't gotten this to work.
>
> Is there a general consensus that these devices are better served with
> an onboarding tool that can accommodate the various flavors of
> Android? Or is there a recipe for a user to setup 802.1x securely
> (with some sort of certificate validation) on Android devices pre-8.1?
>
> Thanks,
>
> Norman Elton
>



Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-07 Thread Cappalli, Tim (Aruba Security)
PEAP is not standardized and was not designed to be used outside a Windows 
AD-joined, GPO-controlled environment.

I'm hoping Google's changes (very welcome IMO) and continued restrictions on 
Apple platforms will steer people away from legacy, deprecated protocols/EAP 
methods.

tim


On 8/7/18, 3:25 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Norman Elton"  wrote:

We've got an encrypted network with the classic PEAP + MSCHAPv2 combo,
allowing users to connect with their domain credentials. We've shied
away from onboarding tools like SecureW2, especially for student
devices, as they seem more cumbersome than just having the user
configure the connection properly the first time.

Preparing for the fall, we've noticed that recent versions of Android
make the process a little more cumbersome. It appears that 8.1 & 9.0
allow the user to validate the certificate by domain, which is great.
Although the steps to get this setup are far from intuitive.

8.0 doesn't give that option, instead displaying a scary warning,
"This connection will not be secure". The user is forced to go ahead
with "do not validate certificate", leaving them open to leak their
credentials to a rogue AP. Far from ideal.

Theoretically, we could ask the user to trust the CA certificate in
advance, and (hopefully) the warning message would go away. But I
haven't gotten this to work.

Is there a general consensus that these devices are better served with
an onboarding tool that can accommodate the various flavors of
Android? Or is there a recipe for a user to setup 802.1x securely
(with some sort of certificate validation) on Android devices pre-8.1?

Thanks,

Norman Elton
