Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-02 Thread Bruce Curtis

> On Mar 1, 2016, at 4:43 PM, Dale W. Carder <dwcar...@wisc.edu> wrote:
> 
> Thus spake Jeffrey D. Sessler (j...@scrippscollege.edu) on Tue, Mar 01, 2016 
> at 07:04:11PM +:
>> Dale,
>> 
>> For the malware blacklist, I’d suggest taking a look at OpenDNS Umbrella. I 
>> asked about it here about a year back, and we implemented about three months 
>> ago. You send all your client DNS requests through OpenDNS (directly, or 
>> have your DNS servers forward to OpenDNS), and they block sites based on 
>> categories, with the default covering security threats e.g. Malware, Bots, 
>> etc. For the user, when they hit a blocked site they are redirected to a 
>> page explaining what happened and why. 
>> 
>> It was terrifying to see what our endpoints were visiting, but comforting to 
>> have the added layer of protection, especially for guest or IoT devices that 
>> don’t have protection by default. It’s licensed based on staff/faculty FTE 
>> and students come along for free. It also has an optional agent that extends 
>> the protection to devices operating off-campus e.g. User traveling with a 
>> laptop.
> 
> Putting an agent on anyone's device here is typically out of the question.
> Many are personally owned as well.
> 
> Did I mention I was skeptical? ;-)  Maybe the technology is amazing, but 
> with approx 22k FTE on just this one campus and about another 20k across
> the others, it's hard to make a budget justification to use taxpayer money 
> to "protect" machines for 8 hours a day when they will just get infected at 
> home.  These are sort of the constraints we face, and in a threat based
> model are not at the top of the list for the general population.  (our
> restricted environments are a whole different world, just very small in 
> scope)
> 
> For anyone who is actually interested in these sorts of things, I would
> recommend starting here (from 2007):
> https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
> 
> Dale

Google’s BeyondCorp and the Cloud Security Alliance’s Software Defined 
Perimeter are also interesting.  Keep in mind that the “Gateway” function in 
the SDP info below is shown as a separate box but can also be a function 
implemented on an end host.

http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf

https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter

https://meetings.internet2.edu/media/medialibrary/2015/10/05/20151005-ISLAM-SoftwareDefinedPerimeter.pdf

https://www.sdxcentral.com/articles/news/software-defined-perimeter-remains-undefeated-in-hackathon/2015/08/

https://downloads.cloudsecurityalliance.org/initiatives/sdp/Software_Defined_Perimeter.pdf

https://www.vidder.com/resources/sdp-technology/sdp-architecture.html

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

https://www.youtube.com/watch?v=jCRxSualmuo

https://www.youtube.com/watch?v=UVT6BsPzKEU

> On 3/1/16, 10:42 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Dale W. Carder" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
> dwcar...@wisc.edu> wrote:
>> 
>>> Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 
>>> 06:19:55PM +:
>>>> Interesting discussion- so on the free and open WLAN, do you send them off 
>>>> to only the Internet, and deny important apps on campus? Do you require 
>>>> VPN or 2-factor for  bursar account access etc from that network?
>>> 
>>> We do block things that I would characterize as ddos amplification 
>>> vectors, and we block inbound SYN to discourage (unintentional) servers.  
>>> We have started to look into some filtering capabilities on a firewall
>>> where there is some sort of blacklist for known malware sites (I am
>>> highly skeptical of such things, but if we can do it for low cost and
>>> provide a high value to our users, so be it).  
>>> 
>>> VPN is pretty much not used in the general case.  Security is handled
>>> at the application layer.  Your IP address is not an authorization token,
>>> and none of the few hundred virtual firewalls we run blindly allow much
>>> of anything through be it from wireless or from dept 'a' to dept 'b'.
>>> 
>>> Dale 
>>> 
>>> 
>>> 
>>>> -Original Message-
>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
>>>> Sent: Tuesday, March 01, 2016 1:06 PM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: Re: 

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jeffrey D. Sessler
In the case of this service, there is nothing to install. It’s DNS based, so 
the clients by virtue of being on your network and using the DNS you hand out 
are protected.

There is an optional client - for the traveling/at home part. I expect a lot of 
our users will install it, especially given the number of students we have that 
travel abroad, subject to restrictions or monitoring in other countries. It 
will become a default on all college-owned systems. 

The security threat model today is all about the endpoint. If you can build a 
reasonable cocoon around your endpoints, you stand a better chance of 
preventing really problematic issues such as ransomware. This is especially 
true in our mobile landscape when user devices such as laptops are going 
home/traveling. I for one want to protect against that scenario since that 
device will be walking back into my ecosystem everyday.

Oh, and you’re not protecting the machine, you’re protecting the 
institution, including its data, heritage, and reputation.

Jeff





On 3/1/16, 2:43 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Dale W. Carder" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
dwcar...@wisc.edu> wrote:

>Thus spake Jeffrey D. Sessler (j...@scrippscollege.edu) on Tue, Mar 01, 2016 
>at 07:04:11PM +:
>> Dale,
>> 
>> For the malware blacklist, I’d suggest taking a look at OpenDNS Umbrella. I 
>> asked about it here about a year back, and we implemented about three months 
>> ago. You send all your client DNS requests through OpenDNS (directly, or 
>> have your DNS servers forward to OpenDNS), and they block sites based on 
>> categories, with the default covering security threats e.g. Malware, Bots, 
>> etc. For the user, when they hit a blocked site they are redirected to a 
>> page explaining what happened and why. 
>> 
>> It was terrifying to see what our endpoints were visiting, but comforting to 
>> have the added layer of protection, especially for guest or IoT devices that 
>> don’t have protection by default. It’s licensed based on staff/faculty FTE 
>> and students come along for free. It also has an optional agent that extends 
>> the protection to devices operating off-campus e.g. User traveling with a 
>> laptop.
>
>Putting an agent on anyone's device here is typically out of the question.
>Many are personally owned as well.
>
>Did I mention I was skeptical? ;-)  Maybe the technology is amazing, but 
>with approx 22k FTE on just this one campus and about another 20k across
>the others, it's hard to make a budget justification to use taxpayer money 
>to "protect" machines for 8 hours a day when they will just get infected at 
>home.  These are sort of the constraints we face, and in a threat based
>model are not at the top of the list for the general population.  (our
>restricted environments are a whole different world, just very small in 
>scope)
>
>For anyone who is actually interested in these sorts of things, I would
>recommend starting here (from 2007):
>https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
>
>Dale
>
> 
> 
> 
>> On 3/1/16, 10:42 AM, "The EDUCAUSE Wireless Issues Constituent Group 
>> Listserv on behalf of Dale W. Carder" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
>> behalf of dwcar...@wisc.edu> wrote:
>> 
>> >Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 
>> >06:19:55PM +:
>> >> Interesting discussion- so on the free and open WLAN, do you send them 
>> >> off to only the Internet, and deny important apps on campus? Do you 
>> >> require VPN or 2-factor for  bursar account access etc from that network?
>> >
>> >We do block things that I would characterize as ddos amplification 
>> >vectors, and we block inbound SYN to discourage (unintentional) servers.  
>> >We have started to look into some filtering capabilities on a firewall
>> >where there is some sort of blacklist for known malware sites (I am
>> >highly skeptical of such things, but if we can do it for low cost and
>> >provide a high value to our users, so be it).  
>> >
>> >VPN is pretty much not used in the general case.  Security is handled
>> >at the application layer.  Your IP address is not an authorization token,
>> >and none of the few hundred virtual firewalls we run blindly allow much
>> >of anything through be it from wireless or from dept 'a' to dept 'b'.
>> >
>> >Dale 
>> > 
>> > 
>> > 
>> >> -Original Message-
>> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> >> [

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Dale W. Carder
Thus spake Jeffrey D. Sessler (j...@scrippscollege.edu) on Tue, Mar 01, 2016 at 
07:04:11PM +:
> Dale,
> 
> For the malware blacklist, I’d suggest taking a look at OpenDNS Umbrella. I 
> asked about it here about a year back, and we implemented about three months 
> ago. You send all your client DNS requests through OpenDNS (directly, or have 
> your DNS servers forward to OpenDNS), and they block sites based on 
> categories, with the default covering security threats e.g. Malware, Bots, 
> etc. For the user, when they hit a blocked site they are redirected to a page 
> explaining what happened and why. 
> 
> It was terrifying to see what our endpoints were visiting, but comforting to 
> have the added layer of protection, especially for guest or IoT devices that 
> don’t have protection by default. It’s licensed based on staff/faculty FTE 
> and students come along for free. It also has an optional agent that extends 
> the protection to devices operating off-campus e.g. User traveling with a 
> laptop.

Putting an agent on anyone's device here is typically out of the question.
Many are personally owned as well.

Did I mention I was skeptical? ;-)  Maybe the technology is amazing, but 
with approx 22k FTE on just this one campus and about another 20k across
the others, it's hard to make a budget justification to use taxpayer money 
to "protect" machines for 8 hours a day when they will just get infected at 
home.  These are sort of the constraints we face, and in a threat based
model are not at the top of the list for the general population.  (our
restricted environments are a whole different world, just very small in 
scope)

For anyone who is actually interested in these sorts of things, I would
recommend starting here (from 2007):
https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

Dale

 
 
 
> On 3/1/16, 10:42 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Dale W. Carder" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
> dwcar...@wisc.edu> wrote:
> 
> >Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 
> >06:19:55PM +:
> >> Interesting discussion- so on the free and open WLAN, do you send them off 
> >> to only the Internet, and deny important apps on campus? Do you require 
> >> VPN or 2-factor for  bursar account access etc from that network?
> >
> >We do block things that I would characterize as ddos amplification 
> >vectors, and we block inbound SYN to discourage (unintentional) servers.  
> >We have started to look into some filtering capabilities on a firewall
> >where there is some sort of blacklist for known malware sites (I am
> >highly skeptical of such things, but if we can do it for low cost and
> >provide a high value to our users, so be it).  
> >
> >VPN is pretty much not used in the general case.  Security is handled
> >at the application layer.  Your IP address is not an authorization token,
> >and none of the few hundred virtual firewalls we run blindly allow much
> >of anything through be it from wireless or from dept 'a' to dept 'b'.
> >
> >Dale 
> > 
> > 
> > 
> >> -Original Message-
> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
> >> Sent: Tuesday, March 01, 2016 1:06 PM
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> >> headaches?
> >> 
> >> There are of course lots of vendors selling lots of products to solve 
> >> lots of "problems".  
> >> 
> >> I will also echo everything that Jeff has said below.  We read what our
> >> requirements were and the educause community at the time was quite
> >> active on this front, leading to the excellent summary on their site.
> >> 
> >> So, yes, we operate one of these big open wireless love fests. ;-)
> >> 
> >> Dale
> >> 
> >> Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 
> >> 05:45:18PM +:
> >> > So... you open up a big wireless free love ranch, and let everything 
> >> > and everything on. How to keep 10K users off of each others devices? I'm 
> >> > not poo-pooing, just asking!
> >> > 
> >> > 
> >> > -Lee
> >> > 
> >> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> >> > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
> >> > <j...@scripps

RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Chuck Enfield
I’m curious how PPSK scales.  What are the limits on the number and span of 
a PPSK?



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel
Sent: Tuesday, March 01, 2016 12:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?



Ruckus supports a PPSK variant, as well.



I'm just gonna put this out there. I have this idea in my head for an ideal 
wifi service. It starts with personal pre-shared key (PPSK), but it's 
something I don't believe is possible yet with any vendor.



Step one is to create a unique key prefix for each user, effectively 
embedding a username value (the prefix) into the same field as the 
key/password. The prefix would be as short as possible, perhaps as small as 
three characters, in order to keep entry into devices simple. The purpose of 
this prefix is to allow users to choose their own wifi password, while still 
ensuring that each PSK value is unique and identifiable to a given user. If 
we don't value allowing users to choose their own wifi passwords, we could 
instead generate and assign them, and just map back the assigned key to the 
user.. but I believe there is value in this.



Users would onboard by first connecting to a portal available via 
open/limited ssid to claim their key. They would have to log in with their 
traditional username/password. The portal would then prompt them for a key 
suffix (their wifi password), and then show them the complete key (prefix + 
suffix), which would be registered with our system. It would also have 
options to show them history for devices authenticated using their key, 
expire an old/create a new key using the same prefix, and other typical 
account management options. Once created, that key could be used with 
anything that supports traditional PSK connections.



One important feature that I'd like to see as part of this, and what I think 
helps make this idea unique, is that devices authenticated with the same 
PPSK should always end up with the same vlan id. In this way, a student 
would be able to, for example, connect to a desktop in his room from the 
phone/tablet he brought to class and grab a file he forgot to show an 
instructor. It also makes things like wireless printers, long the bane of 
our existence, almost reasonable in terms of setup and support.



By keeping a prefix that's unique to each user, or mapping all key 
assignments back to the user, we can still always know who is responsible 
for a given device. We could do things like get a report of keys that 
authenticate more than, say, 6 devices to monitor for key abuse, expire keys 
when there is a problem, engage a known user when expiring old keys is not 
enough, and even map users to specific vlan pools for network policy 
enforcement. We could also create keys for events or special classes of 
device (security cameras, door locks, wifi phones, etc). Additionally, 
per-user keys means each user's over-the-air signals have different 
encryption keys, preventing things like firesheep from working. This is just 
about all the things we do with 802.1x today, but in a form that's much 
friendlier to the consumer devices we have to support.



This plan effectively embeds a username (the prefix) and a password (suffix) 
into the same value, with or without the prefix, so some of the same 
security concerns apply, but these are solvable problems. We just need to 
get vendors on board with the idea.








Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu







On Tue, Mar 1, 2016 at 10:20 AM, David R. Morton <dmor...@uw.edu> wrote:

Matt, Bill and others,



You’d indicated that you have instructions for most common devices, is this 
something that you can share. Like others, we have a manual registration 
process (built on ClearPass), but it does require the MAC in order to 
complete the registration. The Amazon Echo is now relatively 
straightforward, as it shows up in the Alexa app after you’ve connected your 
phone to the Echo. To find it, users open the Alexa app, go to settings, 
choose the device and scroll all the way down to the bottom of the screen. 
There it will show you the software version, serial number and MAC address. 
All of that said, I haven’t been able to test the latest versions to see if 
you can do all of this without needing to connect to the Internet. If you 
aren’t we are back at square one and have to take it off site to get through 
the initial setup, which is a real pain.



Another device we’ve had a lot of issues with is the newest A
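The per-user PPSK registry Joel sketches above (a short prefix per user, a user-chosen suffix, key-to-user mapping, a fixed VLAN per key, and a report of keys seen on more than six devices) modelled as added example code; it is not from the thread or from any vendor. The prefix alphabet, the VLAN numbering, the PBKDF2 PMK derivation, the constructed MACs and the placeholder SSID are assumptions.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass, field

PREFIX_ALPHABET = string.ascii_lowercase + string.digits  # assumed alphabet
PREFIX_LEN = 3          # "perhaps as small as three characters"
MIN_SUFFIX_LEN = 8      # keeps the full key above the 8-character WPA2-Personal PSK minimum
ABUSE_THRESHOLD = 6     # "keys that authenticate more than, say, 6 devices"


def derive_pmk(psk: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(psk, ssid, 4096 iterations, 32 bytes).

    A PPSK-aware controller needs the PMK (not a one-way hash of the key) to
    verify the 4-way handshake, so that is what the registry keeps per key.
    """
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


@dataclass
class KeyRecord:
    user: str
    pmk: bytes
    vlan: int
    active: bool = True
    devices: set = field(default_factory=set)  # MACs seen authenticating with this key


class PpskRegistry:
    """Backend for the onboarding portal: prefix per user, key per user, VLAN per key."""

    def __init__(self, ssid: str, first_vlan: int = 100):
        self.ssid = ssid
        self.prefix_of: dict = {}   # user -> stable 3-char prefix (survives re-keying)
        self.vlan_of: dict = {}     # user -> VLAN, so every device on that key lands there
        self.keys: dict = {}        # full PSK -> KeyRecord
        self._next_vlan = first_vlan

    def enroll(self, user: str) -> str:
        """First portal login: pick an unused prefix and a VLAN for the user."""
        if user in self.prefix_of:
            return self.prefix_of[user]
        taken = set(self.prefix_of.values())
        while True:
            prefix = "".join(secrets.choice(PREFIX_ALPHABET) for _ in range(PREFIX_LEN))
            if prefix not in taken:
                break
        self.prefix_of[user] = prefix
        self.vlan_of[user] = self._next_vlan
        self._next_vlan += 1
        return prefix

    def claim_key(self, user: str, suffix: str) -> str:
        """User picks a suffix; prefix + suffix is the PPSK they type into devices.

        Re-claiming expires the user's earlier key but keeps the same prefix. Two
        users choosing the same suffix still get distinct keys because the prefix
        differs, which is the uniqueness property the prefix buys.
        """
        if len(suffix) < MIN_SUFFIX_LEN:
            raise ValueError("suffix too short")
        prefix = self.enroll(user)
        self.expire_user_keys(user)
        psk = prefix + suffix
        self.keys[psk] = KeyRecord(user, derive_pmk(psk, self.ssid), self.vlan_of[user])
        return psk

    def authenticate(self, psk: str, mac: str):
        """Controller-side mapping after a successful handshake: (user, vlan) or None.

        A real PPSK controller identifies the key by checking the handshake MIC
        against candidate PMKs; the plaintext key stands in for that match here.
        """
        rec = self.keys.get(psk)
        if rec is None or not rec.active:
            return None
        rec.devices.add(mac.lower())
        return rec.user, rec.vlan

    def abuse_report(self, threshold: int = ABUSE_THRESHOLD):
        """Users whose active key has authenticated more than `threshold` distinct devices."""
        return sorted((rec.user, len(rec.devices))
                      for rec in self.keys.values()
                      if rec.active and len(rec.devices) > threshold)

    def expire_user_keys(self, user: str) -> int:
        """Disable every active key of a user; returns how many were disabled."""
        n = 0
        for rec in self.keys.values():
            if rec.user == user and rec.active:
                rec.active = False
                n += 1
        return n


if __name__ == "__main__":
    reg = PpskRegistry("campus-ppsk")            # SSID is a constructed placeholder
    alice = reg.claim_key("alice", "sunshine2016")
    bob = reg.claim_key("bob", "sunshine2016")   # same suffix, different key
    print(alice != bob, reg.authenticate(alice, "aa:bb:cc:00:00:01"))
    for i in range(7):                           # constructed MACs: one key on 7 devices
        reg.authenticate(bob, f"aa:bb:cc:00:01:{i:02x}")
    print(reg.abuse_report())
```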

RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Thomas Carter
This may be getting a bit off topic for the wireless discussion, but we use the 
"Security Risk" category of web filtering on our Fortigate firewall 
(http://www.fortiguard.com/webfilter). It works very well; it even alerted a 
faculty member to a hijack of their personal web site when they couldn't access 
it from campus and got the "malicious site" warning from our firewall.

Thomas Carter
Network & Operations Manager
Austin College

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
Sent: Tuesday, March 1, 2016 12:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 06:19:55PM 
+:
> Interesting discussion- so on the free and open WLAN, do you send them off to 
> only the Internet, and deny important apps on campus? Do you require VPN or 
> 2-factor for  bursar account access etc from that network?

We do block things that I would characterize as ddos amplification vectors, and 
we block inbound SYN to discourage (unintentional) servers.  
We have started to look into some filtering capabilities on a firewall where 
there is some sort of blacklist for known malware sites (I am highly skeptical 
of such things, but if we can do it for low cost and provide a high value to 
our users, so be it).  

VPN is pretty much not used in the general case.  Security is handled at the 
application layer.  Your IP address is not an authorization token, and none of 
the few hundred virtual firewalls we run blindly allow much of anything through 
be it from wireless or from dept 'a' to dept 'b'.

Dale 
 
 
 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. 
> Carder
> Sent: Tuesday, March 01, 2016 1:06 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> There are of course lots of vendors selling lots of products to solve 
> lots of "problems".
> 
> I will also echo everything that Jeff has said below.  We read what 
> our requirements were and the educause community at the time was quite 
> active on this front, leading to the excellent summary on their site.
> 
> So, yes, we operate one of these big open wireless love fests. ;-)
> 
> Dale
> 
> Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 05:45:18PM 
> +:
> > So... you open up a big wireless free love ranch, and let everything and 
> > everything on. How to keep 10K users off of each others devices? I'm not 
> > poo-pooing, just asking!
> > 
> > 
> > -Lee
> > 
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
> > <j...@scrippscollege.edu>
> > Sent: Tuesday, March 1, 2016 12:37 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> > headaches?
> > 
> > I think your legal needs to revisit their position. There are a number of 
> > great articles about the EDU requirements of DMCA. A university is every 
> > bit the ISP, and in fact, there is no legal obligation under the DMCA for 
> > student enforcement as you are but the transit for their data. Most all 
> > campuses use it as a teaching moment, but it’s not a requirement. You also 
> > have no obligation to identify someone – If you rotate logs every 15 days 
> > and the request comes in on the 16th day, you can respond that you have no 
> > data. This is also no obligation to match an IP with a person.
> > 
> > Jeff
> > 

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jeffrey D. Sessler
Dale,

For the malware blacklist, I’d suggest taking a look at OpenDNS Umbrella. I 
asked about it here about a year back, and we implemented about three months 
ago. You send all your client DNS requests through OpenDNS (directly, or have 
your DNS servers forward to OpenDNS), and they block sites based on categories, 
with the default covering security threats e.g. Malware, Bots, etc. For the 
user, when they hit a blocked site they are redirected to a page explaining 
what happened and why. 

It was terrifying to see what our endpoints were visiting, but comforting to 
have the added layer of protection, especially for guest or IoT devices that 
don’t have protection by default. It’s licensed based on staff/faculty FTE and 
students come along for free. It also has an optional agent that extends the 
protection to devices operating off-campus e.g. User traveling with a laptop.


Jeff



On 3/1/16, 10:42 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Dale W. Carder" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
dwcar...@wisc.edu> wrote:

>Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 06:19:55PM 
>+:
>> Interesting discussion- so on the free and open WLAN, do you send them off 
>> to only the Internet, and deny important apps on campus? Do you require VPN 
>> or 2-factor for  bursar account access etc from that network?
>
>We do block things that I would characterize as ddos amplification 
>vectors, and we block inbound SYN to discourage (unintentional) servers.  
>We have started to look into some filtering capabilities on a firewall
>where there is some sort of blacklist for known malware sites (I am
>highly skeptical of such things, but if we can do it for low cost and
>provide a high value to our users, so be it).  
>
>VPN is pretty much not used in the general case.  Security is handled
>at the application layer.  Your IP address is not an authorization token,
>and none of the few hundred virtual firewalls we run blindly allow much
>of anything through be it from wireless or from dept 'a' to dept 'b'.
>
>Dale 
> 
> 
> 
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
>> Sent: Tuesday, March 01, 2016 1:06 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
>> headaches?
>> 
>> There are of course lots of vendors selling lots of products to solve 
>> lots of "problems".  
>> 
>> I will also echo everything that Jeff has said below.  We read what our
>> requirements were and the educause community at the time was quite
>> active on this front, leading to the excellent summary on their site.
>> 
>> So, yes, we operate one of these big open wireless love fests. ;-)
>> 
>> Dale
>> 
>> Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 
>> 05:45:18PM +:
>> > So... you open up a big wireless free love ranch, and let everything and 
>> > everything on. How to keep 10K users off of each others devices? I'm not 
>> > poo-pooing, just asking!
>> > 
>> > 
>> > -Lee
>> > ________
>> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
>> > <j...@scrippscollege.edu>
>> > Sent: Tuesday, March 1, 2016 12:37 PM
>> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> > Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
>> > headaches?
>> > 
>> > I think your legal needs to revisit their position. There are a number of 
>> > great articles about the EDU requirements of DMCA. A university is every 
>> > bit the ISP, and in fact, there is no legal obligation under the DMCA for 
>> > student enforcement as you are but the transit for their data. Most all 
>> > campuses use it as a teaching moment, but it’s not a requirement. You also 
>> > have no obligation to identify someone – If you rotate logs every 15 days 
>> > and the request comes in on the 16th day, you can respond that you have no 
>> > data. This is also no obligation to match an IP with a person.
>> > 
>> > Jeff
>> > 

RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Lee H Badman
Interesting discussion- so on the free and open WLAN, do you send them off to 
only the Internet, and deny important apps on campus? Do you require VPN or 
2-factor for  bursar account access etc from that network?




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
Sent: Tuesday, March 01, 2016 1:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

There are of course lots of vendors selling lots of products to solve 
lots of "problems".  

I will also echo everything that Jeff has said below.  We read what our
requirements were and the educause community at the time was quite
active on this front, leading to the excellent summary on their site.

So, yes, we operate one of these big open wireless love fests. ;-)

Dale

Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 05:45:18PM 
+:
> So... you open up a big wireless free love ranch, and let everything and 
> everything on. How to keep 10K users off of each others devices? I'm not 
> poo-pooing, just asking!
> 
> 
> -Lee
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
> <j...@scrippscollege.edu>
> Sent: Tuesday, March 1, 2016 12:37 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> I think your legal needs to revisit their position. There are a number of 
> great articles about the EDU requirements of DMCA. A university is every bit 
> the ISP, and in fact, there is no legal obligation under the DMCA for student 
> enforcement as you are but the transit for their data. Most all campuses use 
> it as a teaching moment, but it’s not a requirement. You also have no 
> obligation to identify someone – If you rotate logs every 15 days and the 
> request comes in on the 16th day, you can respond that you have no data. This 
> is also no obligation to match an IP with a person.
> 
> Jeff
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Cunningham 
> <mike.cunning...@pct.edu>
> Reply-To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Date: Tuesday, March 1, 2016 at 9:31 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> Talk to your campus legal office before opening your wifi to the world. We 
> asked ours about this and were strongly advised against it. Contracting with 
> a local telecom company to provide free wifi would be better. A college or 
> university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
> abusing the campus network you’re responsible for their action. If law 
> enforcement comes knocking on your door asking about network traffic 
> originating from you campus you need to be able to point to a person or at 
> least a room and say “there”. If it was a guest on campus for a short period 
> of time you still need to be able to identify who that guest was. At least 
> that is the interpretation of current law according to our legal office.
> 
> Mike Cunningham
> Pennsylvania College of Technology
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Tuesday, March 01, 2016 12:21 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> Joel, thanks for the detailed reply. I agree that Personal PSK is an 
> interesting idea, but it may fall apart at scale (we see 200k+ devices per 
> week), security, implementation or other burdens. My thoughts about on 
> boarding, user name as part of the credential/password have been along the 
> same lines as yours. While we wouldn’t put all of their devices on the same 
> VLAN, I would see them being able to access their printers, chrome cast, 
> AppleTV, etc. The latter is already possib

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Dale W. Carder
There are of course lots of vendors selling lots of products to solve 
lots of "problems".  

I will also echo everything that Jeff has said below.  We read what our
requirements were and the educause community at the time was quite
active on this front, leading to the excellent summary on their site.

So, yes, we operate one of these big open wireless love fests. ;-)

Dale

Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 05:45:18PM 
+:
> So... you open up a big wireless free love ranch, and let everyone and 
> everything on. How to keep 10K users off of each others' devices? I'm not 
> poo-pooing, just asking!
> 
> 
> -Lee
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
> <j...@scrippscollege.edu>
> Sent: Tuesday, March 1, 2016 12:37 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> I think your legal needs to revisit their position. There are a number of 
> great articles about the EDU requirements of DMCA. A university is every bit 
> the ISP, and in fact, there is no legal obligation under the DMCA for student 
> enforcement as you are but the transit for their data. Most all campuses use 
> it as a teaching moment, but it’s not a requirement. You also have no 
> obligation to identify someone – If you rotate logs every 15 days and the 
> request comes in on the 16th day, you can respond that you have no data. There 
> is also no obligation to match an IP with a person.
> 
> Jeff
> 
> From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Cunningham <mike.cunning...@pct.edu>
> Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Tuesday, March 1, 2016 at 9:31 AM
> To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?
> 
> Talk to your campus legal office before opening your wifi to the world. We 
> asked ours about this and were strongly advised against it. Contracting with 
> a local telecom company to provide free wifi would be better. A college or 
> university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
> abusing the campus network you’re responsible for their action. If law 
> enforcement comes knocking on your door asking about network traffic 
> originating from your campus you need to be able to point to a person or at 
> least a room and say “there”. If it was a guest on campus for a short period 
> of time you still need to be able to identify who that guest was. At least 
> that is the interpretation of current law according to our legal office.
> 
> Mike Cunningham
> Pennsylvania College of Technology
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Tuesday, March 01, 2016 12:21 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> Joel, thanks for the detailed reply. I agree that Personal PSK is an 
> interesting idea, but it may fall apart at scale (we see 200k+ devices per 
> week), security, implementation or other burdens. My thoughts about on 
> boarding, user name as part of the credential/password have been along the 
> same lines as yours. While we wouldn’t put all of their devices on the same 
> VLAN, I would see them being able to access their printers, chrome cast, 
> AppleTV, etc. The latter is already possible using something like ClearPass 
> and AirGroup.
> 
> We’ve been engaged in some conversations with our vendor about how to solve 
> this problem, but so far there isn’t anything to report.
> 
> As an aside, we are also keeping an eye on MAC randomization and how this 
> might impact systems based on MAC for authentication and other headaches.
> 
> David
> 
> David Morton
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
&

RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Thomas Carter
Not really. That's why I qualified it as a small school perspective. The 
on-boarding cost is mostly inconvenience for users and some help desk time. 
Unfortunately, that can’t be translated into dollars that can be shifted to 
bandwidth. And we currently use free, open source solutions for wireless 
(PacketFence).

Additionally, there is the legal obligation, and there is the internal 
requirement. If “Something Happens”, we may be asked to track down 
student/faculty/staff doing “Something.” It’s not required by law, but there 
would be reluctance from leadership to lose that ability. For example, (I have 
not had this come up yet here) in my past life in the corporate world, I was 
asked to trace down someone sharing insider information as part of an SEC 
investigation into insider trading.

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, March 1, 2016 11:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

If you get rid of the cost of on-boarding or all the other barriers to getting 
someone on WiFi, then could you put that money into more bandwidth?
DMCA – Read this, it’s enlightening as to the real obligations e.g. That you 
don’t have to know who is responsible for a particular device.

 
http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/intellectual-property/dmca-faq

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Thomas Carter <tcar...@austincollege.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 8:59 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

From the perspective of a small school:

· Bandwidth; we barely have enough as it is. Should I pay more for more 
bandwidth for a marginal amount of simplicity?

· We do not have free wifi in our library. We do have a guest account 
process, but that is generally limited to someone with campus business. The 
general public doesn’t get access. As a side note, Sr. Leadership does not want 
free wifi. From a campus security perspective, do you want something to attract 
the public at large to come spend time in campus buildings?

· As a small school, I don’t want to have to fight a DMCA battle with 
the MPAA/RIAA. Right now we theoretically know who is responsible for a 
particular device.

· I don’t think free wifi is a good comparison – the service is usually 
mediocre to pathetic at most places I go. They just accept that it’s worth what 
they paid for it. Our students have an expectation of better performance in 
their dorm room than using free wifi in McDonalds.

· “Would the resident prefer a weaker signal from our WAPs over their 
local WiFi?” Yes, because they would realize they can cancel their internet 
service and prefer our weaker signal over a bill from the cable company.

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, March 1, 2016 10:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

I struggle with this all the time, and I have a distinct feeling that we’ve got 
it wrong.

Who made the decision to limit the campus WiFi to the campus community only? 
That’s really a Sr. Leadership question and not IT, and would it simplify the 
operation of the network if it was more open?

Is potential free guest access for the surrounding neighborhoods a terrible 
idea? We allow community use of our Library, and they get free WiFi when 
visiting, so is it that much of a stretch?

Why do we care if smart devices aren’t using a secure network? Sure, you can 
desire that state for say a college-owned device, but if everyone in the world 
is OK with Starbucks free WiFi, Hotel/Convention WiFi, etc. will enforcement 
within one ecosystem impact the overall safety of the device? Does it have an 
impact on the safety of the WAN?

We’re surrounded by residential, and we’re asking the same q

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jeffrey D. Sessler
Lee, that’s the magic question. Again, if you have something like PPSK, then 
your authorized campus community will get a particular service with very little 
work (equivalent to on-boarding at home). How those users are then grouped (or 
not grouped) is up to you. For everyone else (including those too lazy to get 
their code), then you have lots of interesting technical options such as the 
scorched-earth no P2P activity for the “love ranch.” :)

Extended to the future, there are a lot of interesting location-aware 
possibilities. Pool/isolate devices within X AP of each other – in a 
residential hall, you only see your neighbors (and your devices). Pool 
identified user devices together (same PPSK, username, etc) e.g. Always see my 
TiVo and Chromecast in my room. The possibilities are endless.


Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 9:45 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?


So... you open up a big wireless free love ranch, and let everyone and 
everything on. How to keep 10K users off of each others' devices? I'm not 
poo-pooing, just asking!


-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler <j...@scrippscollege.edu>
Sent: Tuesday, March 1, 2016 12:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

I think your legal needs to revisit their position. There are a number of great 
articles about the EDU requirements of DMCA. A university is every bit the ISP, 
and in fact, there is no legal obligation under the DMCA for student 
enforcement as you are but the transit for their data. Most all campuses use it 
as a teaching moment, but it’s not a requirement. You also have no obligation 
to identify someone – If you rotate logs every 15 days and the request comes in 
on the 16th day, you can respond that you have no data. There is also no 
obligation to match an IP with a person.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Cunningham <mike.cunning...@pct.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 9:31 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Talk to your campus legal office before opening your wifi to the world. We 
asked ours about this and were strongly advised against it. Contracting with a 
local telecom company to provide free wifi would be better. A college or 
university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
abusing the campus network you’re responsible for their action. If law 
enforcement comes knocking on your door asking about network traffic 
originating from your campus you need to be able to point to a person or at 
least a room and say “there”. If it was a guest on campus for a short period of 
time you still need to be able to identify who that guest was. At least that is 
the interpretation of current law according to our legal office.

Mike Cunningham
Pennsylvania College of Technology


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
Sent: Tuesday, March 01, 2016 12:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

Joel, thanks for the detailed reply. I agree that Personal PSK is an 
interesti

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Coehoorn, Joel
att, Bill and others,
>
> You’d indicated that you have instructions for most common devices, is
> this something that you can share. Like others, we have a manual
> registration process (built on ClearPass), but it does require the MAC in
> order to complete the registration. The Amazon Echo is now relatively
> straightforward, as it shows up in the Alexa app after you’ve connected
> your phone to the Echo. To find it, users open the Alexa app, go to
> settings, choose the device and scroll all the way down to the bottom of
> the screen. There it will show you the software version, serial number and
> MAC address. All of that said, I haven’t been able to test the latest
> versions to see if you can do all of this without needing to connect to the
> Internet. If you aren’t, we are back at square one and have to take it off
> site to get through the initial setup, which is a real pain.
>
> Another device we’ve had a lot of issues with is the newest AppleTV. Again
> I haven’t checked the latest update so this may have changed, but when it
> first came out, you had to do a little dance to get the MAC. The dance had
> you connect it to wired, navigate to the network settings where the MAC
> address is shown, and then remove the wired cable. This would put the device back
> into Wi-Fi mode and would display the Wi-Fi MAC. Then you are able to
> manually register it and go through the complete process.
>
> Chromecast has had a few other issues, mostly related to dropping sessions
> and making poor AP choices.
>
> This whole discussion has got me thinking and brings up a topic that I
> think that the industry needs to address. There is a growing number of
> devices that don’t support 802.1x and the number of those devices will
> continue to grow as the Internet of Things and more consumer devices make it
> onto our campuses. We need a better, easier way for our students, faculty and
> staff to connect appropriate devices to the network. Using a captive portal
> is one way to try to get around these restrictions and get the devices on
> the network, but as this thread demonstrates it brings other difficulties.
> Some schools use a PSK network to onboard non-802.1x devices, but this too
> has problems. While it makes it easy for the user to get devices on the
> network, there isn’t a good way to track the owner of that device. It also
> raises an issue of why anyone would go through the 802.1x process when
> they can just put their devices on the PSK network. Putting restrictions on
> the PSK network will help, but still not a great solution.
>
> David
>
> David Morton
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
>
> On Mar 1, 2016, at 7:21 AM, Williams, Matthew <mwill...@kent.edu> wrote:
>
> Our helpdesk folks sat down and wrote up documents on how to find the MAC
> addresses for as many devices as they could.  We haven’t done any
> instructions for the Amazon Echoes yet.  We hit the most common devices and
> are waiting to see what tickets we get for devices that we missed so we can
> build them into our registration page.  Our registration page was written
> in-house and the developers set it up to display the instructions for
> finding the MAC address, including screen shots, based on the device that
> you selected in the drop down.
>
> Respectfully,
>
> Matt
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
> Sent: Tuesday, March 1, 2016 10:01 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?
>
> This is something we struggle with, especially being a small school.
> Keeping up with the latest Chromecast/Roku/Amazon Echo, etc devices is near
> impossible. A big thank you to product designers who put the MAC on a label
> on the outside.
>
> Thomas Carter
> Network & Operations Manager
> Austin College
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Tuesday, March 1, 2016 8:12 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Philippe Hanset
Mike,

What is the view of your legal department with a federated
identity like eduroam or a guest identity in the cloud like ANYROAM. These 
systems provide a point of contact in case of abuse and can in the end find the 
responsible user.

Would that be satisfactory?

Yesterday I announced on the eduroam-US admin list that
the Smithsonian Museums are carrying the eduroam SSID.
I was in DC for a meeting and tested it out. Between 10 and 20 Mbps down and 
6-14 Mbps up. Even though carriers are increasing their quotas, it was nice to 
join automagically an encrypted network with no afterthoughts on "will this 
video destroy my monthly allowance" ;-)


Best,

Philippe

Philippe Hanset
www.eduroam.us

> On Mar 1, 2016, at 12:31 PM, Mike Cunningham <mike.cunning...@pct.edu> wrote:
> 
> Talk to your campus legal office before opening your wifi to the world. We 
> asked ours about this and were strongly advised against it. Contracting with 
> a local telecom company to provide free wifi would be better. A college or 
> university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
> abusing the campus network you’re responsible for their action. If law 
> enforcement comes knocking on your door asking about network traffic 
> originating from your campus you need to be able to point to a person or at 
> least a room and say “there”. If it was a guest on campus for a short period 
> of time you still need to be able to identify who that guest was. At least 
> that is the interpretation of current law according to our legal office.
>  
> Mike Cunningham
> Pennsylvania College of Technology
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Tuesday, March 01, 2016 12:21 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
>  
> Joel, thanks for the detailed reply. I agree that Personal PSK is an 
> interesting idea, but it may fall apart at scale (we see 200k+ devices per 
> week), security, implementation or other burdens. My thoughts about on 
> boarding, user name as part of the credential/password have been along the 
> same lines as yours. While we wouldn’t put all of their devices on the same 
> VLAN, I would see them being able to access their printers, chrome cast, 
> AppleTV, etc. The latter is already possible using something like ClearPass 
> and AirGroup. 
>  
> We’ve been engaged in some conversations with our vendor about how to solve 
> this problem, but so far there isn’t anything to report. 
>  
> As an aside, we are also keeping an eye on MAC randomization and how this 
> might impact systems based on MAC for authentication and other headaches.
>  
> David
>  
> 
> David Morton
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
>  
> On Mar 1, 2016, at 9:02 AM, Coehoorn, Joel <jcoeho...@york.edu> wrote:
>  
> Ruckus supports a PPSK variant, as well.
>  
> I'm just gonna put this out there. I have this idea in my head for an ideal 
> wifi service. It starts with personal pre-shared key (PPSK), but it's 
> something I don't believe is possible yet with any vendor.
>  
> Step one is to create a unique key prefix for each user, effectively 
> embedding a username value (the prefix) into the same field as the 
> key/password. The prefix would be as short as possible, perhaps as small as 
> three characters, in order to keep entry into devices simple. The purpose of 
> this prefix is to allow users to choose their own wifi password, while still 
> ensuring that each PSK value is unique and identifiable to a given user. If 
> we don't value allowing users to choose their own wifi passwords, we could 
> instead generate and assign them, and just map back the assigned key to the 
> user.. but I believe there is value in this.
>  
> Users would onboard by first connecting to a portal available via 
> open/limited ssid to claim their key. They would have to log in with their 
> traditional username/password. The portal would then prompt them for a key 
> suffix (their wifi password), and then show them the complete key (prefix + 
> suffix), which would be registered with our system. It would also have 
> options to show them history for devices authenticated using their key, 
> expire an old/create a new key using the same prefix, and other typical 
> account management options. Once created, that key could be used with 
> anything that supports traditional PSK connections. 
>  
> One important feature that I'd like to see as part
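
The personal pre-shared key scheme Joel sketches above (a short per-user prefix plus a user-chosen suffix, claimed through a portal and registered against the user) as an added worked example; this is not code from the original thread or from any vendor's PPSK/DPSK product. It simulates the relevant part of a WPA2-PSK 4-way handshake with the Python standard library: the supplicant derives a PMK from its passphrase and the SSID (the standard PBKDF2-HMAC-SHA1 mapping), expands it to a PTK, and computes the message-2 MIC; the authenticator, which never sees the passphrase and therefore never sees the prefix, identifies the user by trying each registered PMK until the MIC verifies. That is the point worth seeing in code: the prefix gives the portal uniqueness and a user mapping, but the AP-side lookup still costs one PTK derivation per registered key per handshake, which is what "falls apart at scale" means for a device count like the one David quotes. The SSID, prefixes, suffixes, MAC addresses, nonces and EAPOL bytes are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

SSID = b"CampusPPSK"  # assumed SSID, constructed for the example


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2 passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11 PRF-384 for a CCMP pairwise key:
    PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(3):  # three 20-byte SHA-1 outputs cover the 48 bytes needed
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (AES-CCMP): HMAC-SHA1 truncated to 128 bits.
    The KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


@dataclass(frozen=True)
class Registration:
    user: str
    pmk: bytes


class PPSKRegistry:
    """Portal-side registry: one short prefix per user; prefix + chosen suffix is the passphrase."""

    def __init__(self, ssid: bytes) -> None:
        self.ssid = ssid
        self.by_prefix: Dict[str, Registration] = {}

    def claim(self, user: str, prefix: str, suffix: str) -> str:
        if prefix in self.by_prefix:
            raise ValueError("prefix already assigned; every registered key must be unique")
        key = prefix + suffix
        if not 8 <= len(key) <= 63:
            raise ValueError("WPA passphrases must be 8 to 63 characters")
        # Keep only the derived PMK; the portal has no need to retain the passphrase itself.
        self.by_prefix[prefix] = Registration(user, pmk_from_passphrase(key, self.ssid))
        return key

    def identify_supplicant(self, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                            msg2_frame: bytes, mic: bytes) -> Optional[str]:
        """Authenticator side. Only the MIC over message 2 is on the air, never the
        passphrase, so the prefix cannot be read off the handshake: identification is
        a trial verification against every registered PMK (linear in the registry size)."""
        for reg in self.by_prefix.values():
            ptk = derive_ptk(reg.pmk, aa, spa, anonce, snonce)
            if hmac.compare_digest(eapol_mic(ptk[:16], msg2_frame), mic):
                return reg.user
        return None


def supplicant_msg2_mic(passphrase: str, ssid: bytes, aa: bytes, spa: bytes,
                        anonce: bytes, snonce: bytes, msg2_frame: bytes) -> bytes:
    """Client side: derive PMK and PTK from the typed passphrase, sign message 2 with the KCK."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return eapol_mic(ptk[:16], msg2_frame)


def run_demo() -> Dict[str, Optional[str]]:
    registry = PPSKRegistry(SSID)
    alice_key = registry.claim("alice", "a7q", "bluebird-porch-42")
    bob_key = registry.claim("bob", "k2m", "bluebird-porch-42")  # same suffix, still a distinct key

    # Constructed handshake parameters: AP address, client address, nonces, and a stand-in
    # for an EAPOL-Key message 2 body with its Key MIC field zeroed.
    aa = bytes.fromhex("001122334455")
    spa = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    msg2 = b"\x02\x03\x00\x5f" + b"\x02\x01\x0a\x00" + bytes(8) + snonce + bytes(16 + 8 + 8 + 16 + 2)

    results: Dict[str, Optional[str]] = {}
    for who, key in (("alice", alice_key), ("bob", bob_key), ("stranger", "x9zbluebird-porch-42")):
        mic = supplicant_msg2_mic(key, SSID, aa, spa, anonce, snonce, msg2)
        results[who] = registry.identify_supplicant(aa, spa, anonce, snonce, msg2, mic)
    return results


if __name__ == "__main__":
    print(run_demo())  # {'alice': 'alice', 'bob': 'bob', 'stranger': None}
```

The unknown key verifies against nothing and is rejected, while alice and bob are told apart even though they chose the same suffix, which is exactly what the per-user prefix buys. Note what it does not buy: the AP ran the full PTK derivation for every registered key before failing the stranger, so per-AP or per-VLAN partitioning of the candidate set is what keeps this workable on a large campus.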

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jeffrey D. Sessler
If you get rid of the cost of on-boarding or all the other barriers to getting 
someone on WiFi, then could you put that money into more bandwidth?
DMCA – Read this, it’s enlightening as to the real obligations e.g. That you 
don’t have to know who is responsible for a particular device.

 
http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/intellectual-property/dmca-faq

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Thomas Carter <tcar...@austincollege.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 8:59 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

From the perspective of a small school:

· Bandwidth; we barely have enough as it is. Should I pay more for more 
bandwidth for a marginal amount of simplicity?

· We do not have free wifi in our library. We do have a guest account 
process, but that is generally limited to someone with campus business. The 
general public doesn’t get access. As a side note, Sr. Leadership does not want 
free wifi. From a campus security perspective, do you want something to attract 
the public at large to come spend time in campus buildings?

· As a small school, I don’t want to have to fight a DMCA battle with 
the MPAA/RIAA. Right now we theoretically know who is responsible for a 
particular device.

· I don’t think free wifi is a good comparison – the service is usually 
mediocre to pathetic at most places I go. They just accept that it’s worth what 
they paid for it. Our students have an expectation of better performance in 
their dorm room than using free wifi in McDonalds.

· “Would the resident prefer a weaker signal from our WAPs over their 
local WiFi?” Yes, because they would realize they can cancel their internet 
service and prefer our weaker signal over a bill from the cable company.

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, March 1, 2016 10:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

I struggle with this all the time, and I have a distinct feeling that we’ve got 
it wrong.

Who made the decision to limit the campus WiFi to the campus community only? 
That’s really a Sr. Leadership question and not IT, and would it simplify the 
operation of the network if it was more open?

Is potential free guest access for the surrounding neighborhoods a terrible 
idea? We allow community use of our Library, and they get free WiFi when 
visiting, so is it that much of a stretch?

Why do we care if smart devices aren’t using a secure network? Sure, you can 
desire that state for say a college-owned device, but if everyone in the world 
is OK with Starbucks free WiFi, Hotel/Convention WiFi, etc. will enforcement 
within one ecosystem impact the overall safety of the device? Does it have an 
impact on the safety of the WAN?

We’re surrounded by residential, and we’re asking the same questions. With tens 
of thousands of “authorized” devices on our wireless, will the few 
hundred/thousand from the surrounding residential really have an impact? Would 
the resident prefer a weaker signal from our WAPs over their local WiFi?

As for PPSK – I suspect we will see alternative solutions from other vendors… ;)

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 8:10 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Fair

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jeffrey D. Sessler
I think your legal needs to revisit their position. There are a number of great 
articles about the EDU requirements of DMCA. A university is every bit the ISP, 
and in fact, there is no legal obligation under the DMCA for student 
enforcement as you are but the transit for their data. Most all campuses use it 
as a teaching moment, but it’s not a requirement. You also have no obligation 
to identify someone – If you rotate logs every 15 days and the request comes in 
on the 16th day, you can respond that you have no data. There is also no 
obligation to match an IP with a person.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Cunningham <mike.cunning...@pct.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 9:31 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Talk to your campus legal office before opening your wifi to the world. We 
asked ours about this and were strongly advised against it. Contracting with a 
local telecom company to provide free wifi would be better. A college or 
university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
abusing the campus network you’re responsible for their action. If law 
enforcement comes knocking on your door asking about network traffic 
originating from your campus you need to be able to point to a person or at 
least a room and say “there”. If it was a guest on campus for a short period of 
time you still need to be able to identify who that guest was. At least that is 
the interpretation of current law according to our legal office.

Mike Cunningham
Pennsylvania College of Technology


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
Sent: Tuesday, March 01, 2016 12:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

Joel, thanks for the detailed reply. I agree that Personal PSK is an 
interesting idea, but it may fall apart at scale (we see 200k+ devices per 
week), security, implementation or other burdens. My thoughts about 
onboarding, and a username as part of the credential/password, have been along the same 
lines as yours. While we wouldn’t put all of their devices on the same VLAN, I 
would see them being able to access their printers, Chromecast, AppleTV, etc. 
The latter is already possible using something like ClearPass and AirGroup.

We’ve been engaged in some conversations with our vendor about how to solve 
this problem, but so far there isn’t anything to report.

As an aside, we are also keeping an eye on MAC randomization and how this might 
impact systems based on MAC for authentication and other headaches.

David





David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

On Mar 1, 2016, at 9:02 AM, Coehoorn, Joel <jcoeho...@york.edu> wrote:

Ruckus supports a PPSK variant, as well.

I'm just gonna put this out there. I have this idea in my head for an ideal 
wifi service. It starts with personal pre-shared key (PPSK), but it's something 
I don't believe is possible yet with any vendor.

Step one is to create a unique key prefix for each user, effectively embedding 
a username value (the prefix) into the same field as the key/password. The 
prefix would be as short as possible, perhaps as small as three characters, in 
order to keep entry into devices simple. The purpose of this prefix is to allow 
users to choose their own wifi password, while still ensuring that each PSK 
value is unique and identifiable to a given user. If we don't value allowing 
users to choose their own wifi passwords, we could instead generate and assign 
them, and just map the assigned key back to the user, but I believe there is 
value in this.

Users would onboard by first connecting to a portal available via open/limited 
ssid to claim their key. They would have to log in with their traditional 
username/password. The portal would then prompt them for a key suffix (their 
wifi password), and then show them the complete key (prefix + suffix), which 
would be registered with our system. It would also have options to show them 
history

RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Mike Cunningham
Talk to your campus legal office before opening your wifi to the world. We 
asked ours about this and were strongly advised against it. Contracting with a 
local telecom company to provide free wifi would be better. A college or 
university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
abusing the campus network you’re responsible for their actions. If law 
enforcement comes knocking on your door asking about network traffic 
originating from your campus you need to be able to point to a person or at 
least a room and say “there”. If it was a guest on campus for a short period of 
time you still need to be able to identify who that guest was. At least that is 
the interpretation of current law according to our legal office.

Mike Cunningham
Pennsylvania College of Technology


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
Sent: Tuesday, March 01, 2016 12:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

Joel, thanks for the detailed reply. I agree that Personal PSK is an 
interesting idea, but it may fall apart at scale (we see 200k+ devices per 
week), security, implementation or other burdens. My thoughts about 
onboarding, and a username as part of the credential/password, have been along the same 
lines as yours. While we wouldn’t put all of their devices on the same VLAN, I 
would see them being able to access their printers, Chromecast, AppleTV, etc. 
The latter is already possible using something like ClearPass and AirGroup.

We’ve been engaged in some conversations with our vendor about how to solve 
this problem, but so far there isn’t anything to report.

As an aside, we are also keeping an eye on MAC randomization and how this might 
impact systems based on MAC for authentication and other headaches.

David





David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

On Mar 1, 2016, at 9:02 AM, Coehoorn, Joel <jcoeho...@york.edu> wrote:

Ruckus supports a PPSK variant, as well.

I'm just gonna put this out there. I have this idea in my head for an ideal 
wifi service. It starts with personal pre-shared key (PPSK), but it's something 
I don't believe is possible yet with any vendor.

Step one is to create a unique key prefix for each user, effectively embedding 
a username value (the prefix) into the same field as the key/password. The 
prefix would be as short as possible, perhaps as small as three characters, in 
order to keep entry into devices simple. The purpose of this prefix is to allow 
users to choose their own wifi password, while still ensuring that each PSK 
value is unique and identifiable to a given user. If we don't value allowing 
users to choose their own wifi passwords, we could instead generate and assign 
them, and just map the assigned key back to the user, but I believe there is 
value in this.

Users would onboard by first connecting to a portal available via open/limited 
ssid to claim their key. They would have to log in with their traditional 
username/password. The portal would then prompt them for a key suffix (their 
wifi password), and then show them the complete key (prefix + suffix), which 
would be registered with our system. It would also have options to show them 
history for devices authenticated using their key, expire an old/create a new 
key using the same prefix, and other typical account management options. Once 
created, that key could be used with anything that supports traditional PSK 
connections.

One important feature that I'd like to see as part of this, and what I think 
helps make this idea unique, is that devices authenticated with the same PPSK 
should always end up with the same vlan id. In this way, a student would be 
able to, for example, connect to a desktop in his room from the phone/tablet he 
brought to class and grab a file he forgot to show an instructor. It also makes 
things like wireless printers, long the bane of our existence, almost 
reasonable in terms of setup and support.

By keeping a prefix that's unique to each user, or mapping all key assignments 
back to the user, we can still always know who is responsible for a given 
device. We could do things like get a report of keys that authenticate more 
than, say, 6 devices to monitor for key abuse, expire keys when there is a 
problem, engage a known user when expiring old keys is not enough, and even map 
users to specific vlan pools for network policy enforcement. We could also 
create keys for events or special classes of device (security cameras, door 
locks, wifi phones, etc). Additionally, per-user keys mean each user's 
over-the-air signals have different encryption keys, preventing things like 
firesheep from
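
The per-user prefix scheme, the "more than 6 devices" abuse report and the key 
rotation that Joel describes above, plus David's aside about MAC randomization, 
as an added Python sketch. This is not code from anyone on this thread or from 
any vendor product. The SSID name, the VLAN pool, the 31-character prefix 
alphabet, the round-robin VLAN assignment and the one-active-key-per-user rule 
are my assumptions; the 8..63 character passphrase limit and the 
PBKDF2-HMAC-SHA1 PMK derivation are the WPA2-Personal ones, and the 
locally-administered bit test is how a randomized MAC can be recognised.

```python
"""Added example: per-user PPSK registry (assumptions noted inline)."""
import hashlib
import secrets
from collections import defaultdict

# Look-alike characters (0/O, 1/l/I) left out so a three-character prefix is
# easy to type on a TV or console; 31**3 = 29,791 possible prefixes (assumption).
PREFIX_ALPHABET = "23456789abcdefghjkmnpqrstuvwxyz"
PREFIX_LEN = 3          # "perhaps as small as three characters"
MIN_SUFFIX = 8          # WPA2-Personal passphrases are 8..63 printable ASCII chars
MAX_PSK = 63


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set = locally administered address, which is
    what OS MAC randomization hands out; MAC-keyed records for such a device
    will not stay valid over time."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    Storing only the PMK lets a controller match a 4-way handshake to a key
    without keeping anyone's chosen passphrase in clear."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class PPSKRegistry:
    def __init__(self, ssid: str, vlan_pool):
        self.ssid = ssid
        self.vlan_pool = list(vlan_pool)
        self.prefix_of = {}              # user -> prefix, fixed for the user's lifetime
        self.vlan_of = {}                # user -> VLAN id, same for all their devices
        self.keys = {}                   # PMK hex -> {"user": ..., "active": bool}
        self.devices = defaultdict(set)  # PMK hex -> MACs that authenticated with it

    def prefix_for(self, user: str) -> str:
        """Assign a prefix no other user holds; reused for every key rotation."""
        if user not in self.prefix_of:
            taken = set(self.prefix_of.values())
            while True:
                candidate = "".join(secrets.choice(PREFIX_ALPHABET) for _ in range(PREFIX_LEN))
                if candidate not in taken:
                    break
            self.prefix_of[user] = candidate
            # Round-robin VLAN assignment from the pool (assumption, not from the thread).
            self.vlan_of[user] = self.vlan_pool[len(self.vlan_of) % len(self.vlan_pool)]
        return self.prefix_of[user]

    def create_key(self, user: str, suffix: str) -> str:
        """Portal step: the user picks the suffix, we prepend their prefix and
        return the passphrase they type into each device.  Any earlier key of
        theirs is expired ("expire an old/create a new key using the same prefix")."""
        if len(suffix) < MIN_SUFFIX or not suffix.isascii() or not suffix.isprintable():
            raise ValueError("suffix must be at least 8 printable ASCII characters")
        psk = self.prefix_for(user) + suffix
        if len(psk) > MAX_PSK:
            raise ValueError("passphrase may not exceed 63 characters")
        for record in self.keys.values():
            if record["user"] == user:
                record["active"] = False
        self.keys[derive_pmk(psk, self.ssid).hex()] = {"user": user, "active": True}
        return psk

    def authenticate(self, psk: str, mac: str):
        """Controller side: resolve a presented key to (user, vlan), or None.
        A real controller tests the handshake against stored PMKs; here the
        passphrase is offered directly for illustration."""
        pmk = derive_pmk(psk, self.ssid).hex()
        record = self.keys.get(pmk)
        if record is None or not record["active"]:
            return None
        self.devices[pmk].add(mac.lower())
        return record["user"], self.vlan_of[record["user"]]

    def keys_over_limit(self, limit: int = 6):
        """Users whose active key has authenticated more than `limit` devices."""
        return sorted(self.keys[pmk]["user"] for pmk, macs in self.devices.items()
                      if self.keys[pmk]["active"] and len(macs) > limit)

    def randomized_devices(self):
        """MACs seen that are locally administered, i.e. probably randomized."""
        return sorted(mac for macs in self.devices.values()
                      for mac in macs if is_locally_administered(mac))
```

The registry keys everything by PMK rather than by passphrase, so a leaked 
table gives away nothing a user could type into another network, and the 
device history survives a rotation only under the old, now inactive, key.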

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Coehoorn, Joel
a few other issues, mostly related to dropping sessions
> and making poor AP choices.
>
> This whole discussion has got me thinking and brings up a topic that I
> think that the industry needs to address. There is a growing number of
> devices that don’t support 802.1x, and the number of those devices will
> continue to grow as Internet of Things and more consumer devices make it onto
> our campuses. We need a better, easier way for our students, faculty and
> staff to connect appropriate devices to the network. Using a captive portal
> is one way to try to get around these restrictions and get the devices on
> the network, but as this thread demonstrates it brings other difficulties.
> Some schools use a PSK network to onboard non-802.1x devices, but this too
> has problems. While it makes it easy for the user to get devices on the
> network, there isn’t a good way to track the owner of that device. It also
> raises an issue of why anyone would go through the 802.1x process when
> they can just put their devices on the PSK network. Putting restrictions on
> the PSK network will help, but it is still not a great solution.
>
> David
>
>
>
>
> David Morton
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
>
> On Mar 1, 2016, at 7:21 AM, Williams, Matthew <mwill...@kent.edu> wrote:
>
> Our helpdesk folks sat down and wrote up documents on how to find the MAC
> addresses for as many devices as they could.  We haven’t done any
> instructions for the Amazon Echoes yet.  We hit the most common devices and
> are waiting to see what tickets we get for devices that we missed so we can
> build them into our registration page.  Our registration page was written
> in-house and the developers set it up to display the instructions for
> finding the MAC address, including screen shots, based on the device that
> you selected in the drop down.
>
> Respectfully,
>
> Matt
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
> Sent: Tuesday, March 1, 2016 10:01 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth
> the headaches?
>
> This is something we struggle with, especially being a small school.
> Keeping up with the latest Chromecast/Roku/Amazon Echo, etc devices is near
> impossible. A big thank you to product designers who put the MAC on a label
> on the outside.
>
> Thomas Carter
> Network & Operations Manager
> Austin College
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Tuesday, March 1, 2016 8:12 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the
> headaches?
>
> Hi Everyone,
>
> Not looking for a lot of input on all of the things you CAN do- just
> asking a focused question for those that are doing it.
>
> We're piloting the ability for students to self-register games, TVs, Roku,
> etc. but am astounded at how hard some devices are to find MAC addresses
> for from the user side. Amazon Echo is notorious, also fighting with a Roku
> 2. No labels, not easy to find in menu. Sure, you can find all of this on
> APs, but that isn't "self-service" for self-registration.
>
> Anyone have thoughts, comments, scars, suggestions? I know Clearpass and
> ISE can fingerprint, but I'm finding that's far from accurate at times, and
> again- doesn't help with "register YOUR device by MAC" for users that can't
> see what network admins use.
>
> -Lee Badman
>
> Lee H. Badman
> Network Architect/Wireless TME
> ITS, Syracuse University
> 315.443.3003
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.




Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jeffrey D. Sessler
I struggle with this all the time, and I have a distinct feeling that we’ve got 
it wrong.

Who made the decision to limit the campus WiFi to the campus community only? 
That’s really a Sr. Leadership question and not IT, and would it simplify the 
operation of the network if it was more open?

Is potential free guest access for the surrounding neighborhoods a terrible 
idea? We allow community use of our Library, and they get free WiFi when 
visiting, so is it that much of a stretch?

Why do we care if smart devices aren’t using a secure network? Sure, you can 
desire that state for say a college-owned device, but if everyone in the world 
is OK with Starbucks free WiFi, Hotel/Convention WiFi, etc. will enforcement 
within one ecosystem impact the overall safety of the device? Does it have an 
impact on the safety of the WAN?

We’re surrounded by residential, and we’re asking the same questions. With tens 
of thousands of “authorized” devices on our wireless, will the few 
hundred/thousand from the surrounding residential really have an impact? Would 
the resident prefer a weaker signal from our WAPs over their local WiFi?

As for PPSK – I suspect we will see alternative solutions from other vendors… ;)

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 8:10 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Fair questions. Main thing is to only allow games, etc- disallow smart devices 
that ought to be using the secure network. And... to make sure that only legit 
campus users are adding the devices, because we bleed out into lots of 
neighborhoods.

No PPSK option outside of Aerohive.

Lee



On Mar 1, 2016, at 11:03 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:

Playing devil's advocate, I have to ask the opposite, which is why put up a 
barrier in the first place to the student on-boarding their device(s)? Is there 
sufficient history to suggest that having to register/on-board the device has a 
positive impact on the operation of the network? Should the goal be to have the 
experience be as close as possible to what they had at home?

I continue to focus on BYOD and IoT, where implementing something like PPSK 
(personal pre-shared key) is probably “good enough.” I imagine a state where 
the student gets their key via the student portal and then uses it for all of 
their devices.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 6:11 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Hi Everyone,

Not looking for a lot of input on all of the things you CAN do- just asking a 
focused question for those that are doing it.

We're piloting the ability for students to self-register games, TVs, Roku, etc. 
but am astounded at how hard some devices are to find MAC addresses for from 
the user side. Amazon Echo is notorious, also fighting with a Roku 2. No 
labels, not easy to find in menu. Sure, you can find all of this on APs, but 
that isn't "self-service" for self-registration.

Anyone have thoughts, comments, scars, suggestions? I know Clearpass and ISE 
can fingerprint, but I'm finding that's far from accurate at times, and again- 
doesn't help with "register YOUR device by MAC" for users that can't see what 
network admins use.

-Lee Badman

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread David R. Morton
Matt, Bill and others,

You’d indicated that you have instructions for most common devices; is this 
something that you can share? Like others, we have a manual registration 
process (built on ClearPass), but it does require the MAC in order to complete 
the registration. The Amazon Echo is now relatively straightforward, as it 
shows up in the Alexa app after you’ve connected your phone to the Echo. To 
find it, users open the Alexa app, go to settings, choose the device and scroll 
all the way down to the bottom of the screen. There it will show you the 
software version, serial number and MAC address. All of that said, I haven’t 
been able to test the latest versions to see if you can do all of this without 
needing to connect to the Internet. If not, we are back at square one and 
have to take it off site to get through the initial setup, which is a real pain.

Another device we’ve had a lot of issues with is the newest AppleTV. Again I 
haven’t checked the latest update so this may have changed, but when it first 
came out, you had to do a little dance to get the MAC. The dance had you 
connect it to wired, navigate to the network settings where the MAC address is 
shown, and then remove the wired cable. This would put the device back into Wi-Fi mode and 
would display the Wi-Fi MAC. Then you are able to manually register it and go 
through the complete process.

Chromecast has had a few other issues, mostly related to dropping sessions and 
making poor AP choices.

This whole discussion has got me thinking and brings up a topic that I think 
that the industry needs to address. There is a growing number of devices that 
don’t support 802.1x, and the number of those devices will continue to grow as 
Internet of Things and more consumer devices make it onto our campuses. We need a 
better, easier way for our students, faculty and staff to connect appropriate 
devices to the network. Using a captive portal is one way to try to get around 
these restrictions and get the devices on the network, but as this thread 
demonstrates it brings other difficulties. Some schools use a PSK network to 
onboard non-802.1x devices, but this too has problems. While it makes it easy 
for the user to get devices on the network, there isn’t a good way to track the 
owner of that device. It also raises an issue of why anyone would go through 
the 802.1x process when they can just put their devices on the PSK network. 
Putting restrictions on the PSK network will help, but it is still not a great 
solution.

David




David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

On Mar 1, 2016, at 7:21 AM, Williams, Matthew <mwill...@kent.edu> wrote:

Our helpdesk folks sat down and wrote up documents on how to find the MAC 
addresses for as many devices as they could.  We haven’t done any instructions 
for the Amazon Echoes yet.  We hit the most common devices and are waiting to 
see what tickets we get for devices that we missed so we can build them into 
our registration page.  Our registration page was written in-house and the 
developers set it up to display the instructions for finding the MAC address, 
including screen shots, based on the device that you selected in the drop down.

Respectfully,

Matt

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
Sent: Tuesday, March 1, 2016 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

This is something we struggle with, especially being a small school. Keeping up 
with the latest Chromecast/Roku/Amazon Echo, etc devices is near impossible. A 
big thank you to product designers who put the MAC on a label on the outside.

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, March 1, 2016 8:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Hi Everyone,

Not looking for a lot of input on all of the things you CAN do- just asking a 
focused question for those that are doing it.

We're piloting the ability for students to self-register games, TVs, Roku, etc. 
but am astounded at how hard some devices are to find MAC addresses for from 
the user side. Amazon Echo is notorious, also fighting with a Roku 2. No 
labels, not easy to find in menu. Sure, you can find all of this on APs, but 
that isn't "self-service" for self-registration.

Anyone have thoughts, comments, scars, suggestions? I know Clearpass and ISE 
can finge

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Frank Sweetser

We keep the registration barrier up here for two main reasons.

First is that without some kind of authentication, you can too easily become 
the free neighborhood ISP.  We already have complaints now and then from 
students living two or three doors down from our buildings that the -80 signal 
they can hear with the windows open doesn't provide good enough service. 
We're heavily embedded enough in residential neighborhoods that without any 
registration, we'd quickly become overwhelmed with clients.


Second is that we use it to enforce tracking some point of 
ownership/responsibility for non university issued devices.  That way when it 
gets hacked, starts spamming, or gets hit with DMCA, we know whose door to 
knock on.  We've toyed with the idea of letting go of MAC registration for 
EAP-TLS authenticated devices, but that wouldn't be an option with PSK.


Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 03/01/2016 11:02 AM, Jeffrey D. Sessler wrote:

Playing devil's advocate, I have to ask the opposite, which is why put up a
barrier in the first place to the student on-boarding their device(s)? Is
there sufficient history to suggest that having to register/on-board the
device has a positive impact on the operation of the network? Should the goal
be to have the experience be as close as possible to what they had at home?

I continue to focus on BYOD and IoT, where implementing something like PPSK
(personal pre-shared key) is probably “good enough.” I imagine a state where
the student gets their key via the student portal and then uses it for all of
their devices.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "lhbad...@syr.edu"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Tuesday, March 1, 2016 at 6:11 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Hi Everyone,

Not looking for a lot of input on all of the things you CAN do- just asking a
focused question for those that are doing it.

We're piloting the ability for students to self-register games, TVs, Roku,
etc. but am astounded at how hard some devices are to find MAC addresses for
from the user side. Amazon Echo is notorious, also fighting with a Roku 2. No
labels, not easy to find in menu. Sure, you can find all of this on APs, but
that isn't "self-service" for self-registration.

Anyone have thoughts, comments, scars, suggestions? I know Clearpass and ISE
can fingerprint, but I'm finding that's far from accurate at times, and again-
doesn't help with "register YOUR device by MAC" for users that can't see what
network admins use.

-Lee Badman

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003


Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Lee H Badman
Fair questions. Main thing is to only allow games, etc- disallow smart devices 
that ought to be using the secure network. And... to make sure that only legit 
campus users are adding the devices, because we bleed out into lots of 
neighborhoods.

No PPSK option outside of Aerohive.

Lee



On Mar 1, 2016, at 11:03 AM, Jeffrey D. Sessler wrote:

Playing devil's advocate, I have to ask the opposite, which is why put up a 
barrier in the first place to the student on-boarding their device(s)? Is there 
sufficient history to suggest that having to register/on-board the device has a 
positive impact on the operation of the network? Should the goal be to have the 
experience be as close as possible to what they had at home?

I continue to focus on BYOD and IoT, where implementing something like PPSK 
(personal pre-shared key) is probably "good enough." I imagine a state where 
the student gets their key via the student portal and then uses it for all of 
their devices.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "lhbad...@syr.edu"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Tuesday, March 1, 2016 at 6:11 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Hi Everyone,

Not looking for a lot of input on all of the things you CAN do- just asking a 
focused question for those that are doing it.

We're piloting the ability for students to self-register games, TVs, Roku, etc. 
but am astounded at how hard some devices are to find MAC addresses for from 
the user side. Amazon Echo is notorious, also fighting with a Roku 2. No 
labels, not easy to find in menu. Sure, you can find all of this on APs, but 
that isn't "self-service" for self-registration.

Anyone have thoughts, comments, scars, suggestions? I know Clearpass and ISE 
can fingerprint, but I'm finding that's far from accurate at times, and again- 
doesn't help with "register YOUR device by MAC" for users that can't see what 
network admins use.

-Lee Badman

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003



RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Thomas Carter
My biggest issue is to avoid being the ISP for the neighborhood around the 
school and a place where everyone comes and camps at the library or student 
center for free wifi. If it’s as simple as a PSK, that will get out to the 
community at large.

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, March 1, 2016 10:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

Playing devil's advocate, I have to ask the opposite, which is why put up a 
barrier in the first place to the student on-boarding their device(s)? Is there 
sufficient history to suggest that having to register/on-board the device has a 
positive impact on the operation of the network? Should the goal be to have the 
experience be as close as possible to what they had at home?

I continue to focus on BYOD and IoT, where implementing something like PPSK 
(personal pre-shared key) is probably “good enough.” I imagine a state where 
the student gets their key via the student portal and then uses it for all of 
their devices.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, March 1, 2016 at 6:11 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

Hi Everyone,

Not looking for a lot of input on all of the things you CAN do- just asking a 
focused question for those that are doing it.

We're piloting the ability for students to self-register games, TVs, Roku, etc. 
but am astounded at how hard some devices are to find MAC addresses for from 
the user side. Amazon Echo is notorious, also fighting with a Roku 2. No 
labels, not easy to find in menu. Sure, you can find all of this on APs, but 
that isn't "self-service" for self-registration.

Anyone have thoughts, comments, scars, suggestions? I know Clearpass and ISE 
can fingerprint, but I'm finding that's far from accurate at times, and again- 
doesn't help with "register YOUR device by MAC" for users that can't see what 
network admins use.

-Lee Badman

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003



Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jeffrey D. Sessler
Playing devil's advocate, I have to ask the opposite, which is why put up a 
barrier in the first place to the student on-boarding their device(s)? Is there 
sufficient history to suggest that having to register/on-board the device has a 
positive impact on the operation of the network? Should the goal be to have the 
experience be as close as possible to what they had at home?

I continue to focus on BYOD and IoT, where implementing something like PPSK 
(personal pre-shared key) is probably “good enough.” I imagine a state where 
the student gets their key via the student portal and then uses it for all of 
their devices.

Jeff




RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Ian McDonald
Hi,

We use a captive portal, and have the portal pull the MAC out of the adjacency 
table on the router for the IP that the device spoke to the portal with (and 
then populate the DB, etc.).

--
ian

Sent from my phone, please excuse brevity and/or misspelling.

From: Seward, Bill <bill.sew...@pfeiffer.edu>
Sent: 01/03/2016 14:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
headaches?

It takes some time and effort on IT’s part each semester, but we put how-to 
instructions with screen shots for all the common devices on the student portal. 
We then refer callers to the help desk to the portal first, with instructions 
to call back if they continue to have difficulties. That seems to handle the 
vast majority of cases.

Bill Seward   |   Director of Information Technology

Office of Information Technology
P.O. Box 960   |   48380 US Hwy 52
Misenheimer, NC  28109
Office  704-463-3066   |   Fax  704-463-1363
For assistance with an IT-related issue, call Tech Support at 704-463-3002 or 
email us at techsupp...@pfeiffer.edu




Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Jerry Bucklaew



Lee,

   We use Clearpass to register the devices via a captive portal. The 
captive portal has the ability to pick up the MAC address and 
automatically fill it in on the registration page for the user; it is 
pretty slick. This of course does not help with devices that do not 
have web browsers (i.e. you cannot register from the device itself). 
For those we still require users to fill in the MAC address, which as 
you point out can be hard to find. I am not sure what you can do there, 
as if you are not coming from the device and don't know the MAC or IP, 
any backend system would have no way to identify it anyway. The best we 
do is put up web pages on "how to find the MAC".


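Ian McDonald's and Jerry Bucklaew's posts above both describe the same trick: the captive portal takes the IP the device connected from, looks it up in the router's adjacency (ARP/neighbour) table, and pre-fills the MAC for the user. The block below is an added illustration of that lookup and is not code from either poster, from Clearpass, or from any listed product. It assumes a Linux-style /proc/net/arp table on the box the client is L2-adjacent to (the sample table is constructed), a hypothetical in-memory Registry, and an authenticated portal user name passed in by the web framework. Two checks go beyond what the posts describe and are my additions: the peer IP must come from the TCP socket rather than any user-supplied field (otherwise a user can register someone else's device by naming its IP), and locally-administered (randomised or spoofed) MACs are refused, since registering one does not identify a device the next day.

```python
"""Captive-portal MAC self-registration from the router's neighbour table.

Added example, not code from the list posts. The portal takes the peer IP of
the HTTP connection (never X-Forwarded-For or a form field, both of which the
client controls), resolves it in the neighbour table of the router the client
is attached to, and records the MAC under the authenticated user.
"""
import re
from dataclasses import dataclass, field
from typing import Dict

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
ATF_COM = 0x2  # Linux ARP flag: entry complete, hardware address resolved

# Constructed sample of /proc/net/arp as a hypothetical portal router sees it:
# one resolved client, one incomplete entry, one locally-administered MAC.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.20.1.15       0x1         0x2         b8:27:eb:12:34:56     *        vlan20
10.20.1.16       0x1         0x0         00:00:00:00:00:00     *        vlan20
10.20.1.17       0x1         0x2         02:aa:bb:cc:dd:ee     *        vlan20
"""


@dataclass
class Neighbour:
    ip: str
    mac: str
    flags: int
    dev: str


class RegistrationError(Exception):
    pass


def parse_neighbour_table(text: str) -> Dict[str, Neighbour]:
    """Parse /proc/net/arp text into {ip: Neighbour}; the header line is skipped."""
    table: Dict[str, Neighbour] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = parts[:6]
        table[ip] = Neighbour(ip, mac.lower(), int(flags, 16), dev)
    return table


def read_neighbour_table(path: str = "/proc/net/arp") -> Dict[str, Neighbour]:
    """Live variant: read the kernel's table on the router running the portal."""
    with open(path) as f:
        return parse_neighbour_table(f.read())


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means locally administered: a randomised
    or spoofed address rather than a burned-in OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def resolve_client_mac(peer_ip: str, table: Dict[str, Neighbour]) -> str:
    """Map the socket peer IP to a MAC, refusing absent, incomplete or malformed entries."""
    entry = table.get(peer_ip)
    if entry is None:
        # Not adjacent (NAT, proxy, other segment): the ARP cache cannot identify
        # the device, so the portal must fall back to manual MAC entry.
        raise RegistrationError(f"{peer_ip} not in neighbour table; enter MAC manually")
    if not (entry.flags & ATF_COM) or not MAC_RE.match(entry.mac):
        raise RegistrationError(f"{peer_ip} has no resolved hardware address")
    return entry.mac


@dataclass
class Registry:
    """Hypothetical device store: MAC -> owning user."""
    by_mac: Dict[str, str] = field(default_factory=dict)

    def register(self, owner: str, mac: str) -> str:
        if is_locally_administered(mac):
            raise RegistrationError(f"{mac} is locally administered; disable MAC randomisation first")
        if self.by_mac.get(mac, owner) != owner:
            raise RegistrationError(f"{mac} is already registered to another user")
        self.by_mac[mac] = owner
        return mac


def portal_register(owner: str, peer_ip: str, table: Dict[str, Neighbour], registry: Registry) -> str:
    """Handler body: owner is the authenticated portal user, peer_ip the TCP peer address."""
    return registry.register(owner, resolve_client_mac(peer_ip, table))


def registration_outcome(owner: str, peer_ip: str, table: Dict[str, Neighbour], registry: Registry) -> str:
    """Same as portal_register but returns a message instead of raising, for the portal page."""
    try:
        return "registered " + portal_register(owner, peer_ip, table, registry)
    except RegistrationError as e:
        return "refused: " + str(e)


if __name__ == "__main__":
    table = parse_neighbour_table(SAMPLE_ARP)
    reg = Registry()
    print(registration_outcome("alice", "10.20.1.15", table, reg))
    for ip in ("10.20.1.16", "10.20.1.17", "10.20.1.99", "10.20.1.15"):
        print(registration_outcome("bob", ip, table, reg))
```

The lookup only works when the portal (or the host it queries) shares the client's L2 segment, which is exactly the "no web browser" gap Jerry describes: a Roku or Echo never opens the portal page, so there is no peer IP to resolve and the user is back to typing the MAC in by hand.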



RE: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Tim Tyler
Lee,

  We leverage our Guest wifi network for MAC registration via Clearpass.
We do this for the obvious reason to support devices that don’t support
802.1X. The process is easy enough, but we are lacking in the
communication of this service. We are learning that many students are just
going out and getting their own rogue AP to support their devices because
they simply don’t know that we can support them. To this point, the only
device that I am aware of that doesn’t work on our network is
Chromecast. Our difficulty next year will be to educate students that
there is an option for getting their non-enterprise devices to work on our
network. This has created a debate about cracking down on rogue APs as
part of the educational process. I like our solution, but our
communication is lacking and needs to be addressed by next Fall.

  Tim


