Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Interesting. Would you be willing to share what your average user consumes per month?

Thanks,
-dan

Dan Brisson
Network Engineer
University of Vermont

On 9/14/2015 7:18 AM, Osborne, Bruce W (Network Services) wrote:

We map username to password and use bandwidth management to limit the amount used per month. Users have the option of purchasing additional bandwidth. This money helps subsidize our Internet connections.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-----Original Message-----
From: Danny Eaton [mailto:dannyea...@rice.edu]
Sent: Friday, September 4, 2015 3:04 PM
Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?

Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, with a pop-up welcome page to accept our use policy).

We are not necessarily hell-bent on getting a PSK/MAC authenticated network built, but our students are. They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, etc. on the wireless network just like they would at home, their apartment, etc. Obviously, they wouldn't do that at Starbucks, a hotel, or the like. They live on campus, so it's their home.

Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but provides almost the same experience as at home? Would our efforts be better spent implementing other beneficial technologies such as location-aware WiFi, where after the student connects all their AppleTV, TimeMachine, and Chromecast devices, the network is smart enough to provide them visibility of only those devices when in/near the same location e.g. Location-aware bonjour?

Jeff

On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of lhbad...@syr.edu> wrote:

Where it gets interesting- broadcast and single class C required. But- this is a great summary of requirements.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Friday, September 04, 2015 10:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Here is my first pass at requirements:

1. The service must prevent or discourage devices that ARE capable of using 802.1x authentication from using the service.
2. The service should provide some sort of traceability of devices back to their owners.
3. The service must provide some method to deny access to an individual device.
4. The service must be easy enough to use that the average student can connect a device to the network in 10-15 minutes without requiring assistance from ITS.
5. The service must restrict access to only authorized University customers.
6. In the residence halls, the service must support most of the most common consumer devices that students might bring to campus.

We are also looking at a “Device Net” for campus for other devices that may not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).

For the residence hall device net we are thinking about blocking all access to campus resources and just allowing internet access. For the campus device net we are thinking about RFC 1918 space restricting the devices to on campus resources only.

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu

On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) <bosbo...@liberty.edu> wrote:

What are you calling a Device Net?

We have an open SSID with a custom captive portal using the ClearPass eTIPS API. We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect Wizard, registering a non-802.1X device Endpoint in ClearPass (with AirGroup device registration for Apple-TV) and for permitting non-802
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
I’d be curious as to what the break-even is here? The college invests money to build and maintain an infrastructure to track users and manage bandwidth, charge-back fees, staff time to manage, etc. If instead, those funds were invested in just increasing Internet bandwidth, do you come out ahead? What if you invest those funds in Internet bandwidth and charge a small technology fee to all students?

Jeff

On 9/14/15, 4:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Osborne, Bruce W (Network Services)" wrote:

> We map username to password and use bandwidth management to limit the amount used per month. Users have the option of purchasing additional bandwidth. This money helps subsidize our Internet connections.

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Both Ruckus and Aerohive offer similar tech with dynamic PSK or PPSK.

http://2.bp.blogspot.com/-XhUW84JOJj4/TdZdX3YbIJI/AAA/BpQ7LDfc5Yo/s1600/comparison%2Bbetween%2BPPSK.jpg

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Bohrer
Sent: Thursday, September 10, 2015 6:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

I’m assuming “PPSK” is some sort of WPA2-Personal implementation that uses individual passwords per user, rather than a single PSK? I think I’ve heard of this from Aerohive and Ruckus; are there other vendors who have it?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

On Sep 10, 2015, at 11:06 AM, Paul Sedy <rps...@masters.edu> wrote:

I will do the same and log a request with Cisco on PPSK type technology… I would love to see a simpler solution that we could deploy as well.

Paul Sedy
The Master’s College
Director of IT Operations
21726 Placerita Canyon Rd, Santa Clarita, CA 91321
661.362.2340 | rps...@masters.edu
#private

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Wednesday, September 09, 2015 11:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

I’ve launched a request at Cisco to implement something like PPSK. Perhaps if enough places request this from their vendors we might get something in. I’ve logged a TAC case, spoken to the local Cisco team and an operations manager, not sure what other paths there are.

It does seem to be something that provides a reasonable solution to fall-back to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting on that day when the key needs changing. Not so worried about the dorms, I think we can manage that as we can contact the users very easily (though PPSK would still be a better option).

But the on-campus random devices which is still only a handful could be quite a pain to track them all down and there would be a good period of time with certain devices not working. There’s nothing major relying on this, but it is still work that will need to be done that wouldn’t have to be if they were 802.1x or we had a PPSK like option.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Saturday, 5 September 2015 6:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Is the student’s “residence” in this case any different than a VP who travels and uses hotel WiFi, the hotel being their residence most of the time? Are we asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is interesting to me, in that it provides something that is “good enough” without all the hassles around WPA-ent. We get the user off of an open network, but provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the university’s job to educate them i.e. they are adults, and we don’t go round them up to make sure they attend class. Our students only care about connecting to the WiFi, and even if we try to explain why it’s better, there is only a small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence shows that if the user’s chrome-cast is in the device-net, they will put their laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the student's residence. They can't as easily just wait or go elsewhere in order to do things that really should not be done on an o
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
I’ve launched a request at Cisco to implement something like PPSK. Perhaps if enough places request this from their vendors we might get something in. I’ve logged a TAC case, spoken to the local Cisco team and an operations manager, not sure what other paths there are.

It does seem to be something that provides a reasonable solution to fall-back to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting on that day when the key needs changing. Not so worried about the dorms, I think we can manage that as we can contact the users very easily (though PPSK would still be a better option).

But the on-campus random devices which is still only a handful could be quite a pain to track them all down and there would be a good period of time with certain devices not working. There’s nothing major relying on this, but it is still work that will need to be done that wouldn’t have to be if they were 802.1x or we had a PPSK like option.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Saturday, 5 September 2015 6:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Is the student’s “residence” in this case any different than a VP who travels and uses hotel WiFi, the hotel being their residence most of the time? Are we asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is interesting to me, in that it provides something that is “good enough” without all the hassles around WPA-ent. We get the user off of an open network, but provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the university’s job to educate them i.e. they are adults, and we don’t go round them up to make sure they attend class. Our students only care about connecting to the WiFi, and even if we try to explain why it’s better, there is only a small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence shows that if the user’s chrome-cast is in the device-net, they will put their laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the student's residence. They can't as easily just wait or go elsewhere in order to do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students. They haven't yet had a chance to know that they should care. Therefore, I do believe it is our responsibility to provide the secure option and educate our students on the importance of using it.

At the same time, college students are supposedly adults now, and capable of making their own decisions, and so I try to provide both options (we really do have a completely open SSID), along with some education and a nudge via SSID naming that the secure SSID may be "better" in some ephemeral way.

Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu
The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society

On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

Jeff,

Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
> Just to turn this on its ear a bit...
>
> Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?

Basically, because you do not know who is behind the device if this user does something that conflicts with any of the policies (e.g
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
I will do the same and log a request with Cisco on PPSK type technology… I would love to see a simpler solution that we could deploy as well.

Paul Sedy
The Master’s College
Director of IT Operations
21726 Placerita Canyon Rd, Santa Clarita, CA 91321
661.362.2340 | rps...@masters.edu
#private

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Wednesday, September 09, 2015 11:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

I’ve launched a request at Cisco to implement something like PPSK. Perhaps if enough places request this from their vendors we might get something in. I’ve logged a TAC case, spoken to the local Cisco team and an operations manager, not sure what other paths there are.

It does seem to be something that provides a reasonable solution to fall-back to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting on that day when the key needs changing. Not so worried about the dorms, I think we can manage that as we can contact the users very easily (though PPSK would still be a better option).

But the on-campus random devices which is still only a handful could be quite a pain to track them all down and there would be a good period of time with certain devices not working. There’s nothing major relying on this, but it is still work that will need to be done that wouldn’t have to be if they were 802.1x or we had a PPSK like option.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Saturday, 5 September 2015 6:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Is the student’s “residence” in this case any different than a VP who travels and uses hotel WiFi, the hotel being their residence most of the time? Are we asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is interesting to me, in that it provides something that is “good enough” without all the hassles around WPA-ent. We get the user off of an open network, but provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the university’s job to educate them i.e. they are adults, and we don’t go round them up to make sure they attend class. Our students only care about connecting to the WiFi, and even if we try to explain why it’s better, there is only a small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence shows that if the user’s chrome-cast is in the device-net, they will put their laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the student's residence. They can't as easily just wait or go elsewhere in order to do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students. They haven't yet had a chance to know that they should care. Therefore, I do believe it is our responsibility to provide the secure option and educate our students on the importance of using it.

At the same time, college students are supposedly adults now, and capable of making their own decisions, and so I try to provide both options (we really do have a completely open SSID), along with some education and a nudge via SSID naming that the secure SSID may be "better" in some ephemeral way.

Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu
The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
I’m assuming “PPSK” is some sort of WPA2-Personal implementation that uses individual passwords per user, rather than a single PSK? I think I’ve heard of this from Aerohive and Ruckus; are there other vendors who have it?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

> On Sep 10, 2015, at 11:06 AM, Paul Sedy <rps...@masters.edu> wrote:
>
> I will do the same and log a request with Cisco on PPSK type technology… I would love to see a simpler solution that we could deploy as well.
>
> Paul Sedy
> The Master’s College
> Director of IT Operations
> 21726 Placerita Canyon Rd, Santa Clarita, CA 91321
> 661.362.2340 | rps...@masters.edu
> #private
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
> Sent: Wednesday, September 09, 2015 11:47 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>
> I’ve launched a request at Cisco to implement something like PPSK. Perhaps if enough places request this from their vendors we might get something in. I’ve logged a TAC case, spoken to the local Cisco team and an operations manager, not sure what other paths there are.
>
> It does seem to be something that provides a reasonable solution to fall-back to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting on that day when the key needs changing. Not so worried about the dorms, I think we can manage that as we can contact the users very easily (though PPSK would still be a better option).
>
> But the on-campus random devices which is still only a handful could be quite a pain to track them all down and there would be a good period of time with certain devices not working. There’s nothing major relying on this, but it is still work that will need to be done that wouldn’t have to be if they were 802.1x or we had a PPSK like option.
>
> --
> Jason Cook
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Saturday, 5 September 2015 6:35 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>
> Is the student’s “residence” in this case any different than a VP who travels and uses hotel WiFi, the hotel being their residence most of the time? Are we asking the student to do something we wouldn’t require of the VP in the hotel?
>
> This is why something like Aerohive’s PPSK (private pre-shared key) is interesting to me, in that it provides something that is “good enough” without all the hassles around WPA-ent. We get the user off of an open network, but provide easy on-boarding for the user and their devices.
>
> I agree that students may not know they should care, but I’m not sure it’s the university’s job to educate them i.e. they are adults, and we don’t go round them up to make sure they attend class. Our students only care about connecting to the WiFi, and even if we try to explain why it’s better, there is only a small percentage that care… the same can be said for staff/faculty.
>
> I also shy away from saying, “…provide the secure option.” since it implies everything they do is now secure, which it is not.
>
> I do agree that providing both options is a good idea, but my own evidence shows that if the user’s chrome-cast is in the device-net, they will put their laptop there too so that they have access to it.
>
> Jeff
>
> From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
> Reply-To: "wireless-lan@listserv.educause.edu"
> Date: Friday, September 4, 2015 at 1:31 PM
> To: "wireless-lan@listserv.educause.edu"
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>
> The difference between us and a McDonalds or Starbucks is that we are the student's residence. They can't as easily just wait or go elsewhere in order to do things that really should not be done on an open wifi connection.
>
> Additionally, this is the first encoun
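
Added example, not part of any post in this thread and not Aerohive's or Ruckus's code: one way an access point can support the per-user keys discussed above is to test each registered key against the MIC in message 2 of the WPA2 4-way handshake, which identifies the key's owner and lets one key be revoked without re-keying everyone else. The SSID, MAC addresses, nonces, passphrases and owner labels are constructed, and the EAPOL-Key frame is a simplified one with empty key data.

```python
import hashlib
import hmac
import struct

SSID = "ResHall-Devices"                # constructed SSID
AP_MAC = bytes.fromhex("02aabbccdd01")  # constructed authenticator address
ANONCE = bytes(range(32))               # constructed; a real AP sends random bytes

# Constructed registrations: one passphrase per owner/device, not one shared PSK.
REGISTERED = {
    "alice:xbox": "constructed-key-alice-7431",
    "bob:roku": "constructed-key-bob-9920",
}


def derive_pmk(passphrase, ssid=SSID):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """Key Confirmation Key: first 16 bytes of the CCMP PTK (802.11 PRF-384)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for counter in range(3):  # 3 x 20-byte SHA-1 outputs cover the 48-byte PTK
        block = b"Pairwise key expansion\x00" + data + bytes([counter])
        ptk += hmac.new(pmk, block, hashlib.sha1).digest()
    return ptk[:16]


def build_msg2(snonce, mic=bytes(16)):
    """Simplified EAPOL-Key message 2 (no key data); the MIC is bytes 81..96."""
    body = struct.pack(">BHH8s32s16s8s8s16sH",
                       2,                       # descriptor type: RSN
                       0x010A,                  # key info: pairwise, MIC set, HMAC-SHA1
                       0,                       # key length
                       (1).to_bytes(8, "big"),  # replay counter
                       snonce, bytes(16), bytes(8), bytes(8), mic, 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL header, type 3 = Key


def eapol_mic(kck, frame_with_zeroed_mic):
    """WPA2 MIC: HMAC-SHA1 over the whole frame, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def client_msg2(passphrase, sta_mac, snonce):
    """Supplicant side, used here only to produce constructed input."""
    kck = derive_kck(derive_pmk(passphrase), AP_MAC, sta_mac, ANONCE, snonce)
    return build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))


def build_pmk_table(registrations):
    """Precompute PMKs once so each association costs only cheap HMACs."""
    return {owner: derive_pmk(p) for owner, p in registrations.items()}


def identify_owner(pmk_table, sta_mac, frame):
    """AP side: return the owner whose key verifies the MIC, or None to reject."""
    snonce, mic = frame[17:49], frame[81:97]
    zeroed = frame[:81] + bytes(16) + frame[97:]
    for owner, pmk in pmk_table.items():
        kck = derive_kck(pmk, AP_MAC, sta_mac, ANONCE, snonce)
        if hmac.compare_digest(eapol_mic(kck, zeroed), mic):
            return owner
    return None


if __name__ == "__main__":
    table = build_pmk_table(REGISTERED)
    xbox = bytes.fromhex("02aabbcc0011")  # constructed station address
    frame = client_msg2(REGISTERED["alice:xbox"], xbox, bytes([0xA5]) * 32)
    print("before revocation:", identify_owner(table, xbox, frame))
    del table["alice:xbox"]               # revoke one key; bob's key is untouched
    print("after revocation: ", identify_owner(table, xbox, frame))
```

Because the match happens per handshake, the log line for an association can carry the owner label, which covers the traceability and per-device deny requirements raised earlier in the thread.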
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>> as a legal or IT matter, so as to seize upon a “teachable moment” for students.
>>
>> If you’re interested, here is the link:
>> http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/intellectual-property/dmca-faq
>>
>> Jeff
>>
>> On 9/4/15, 1:58 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Williams, Matthew" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of mwill...@kent.edu> wrote:
>>
>>> Jeff,
>>>
>>> Without knowing who is behind the device, how do you handle copyright issues?
>>>
>>> Respectfully,
>>>
>>> Matthew Williams
>>> Manager, Network and Telecommunications Services
>>> Kent State University
>>> Office: (330) 672-7246
>>> Mobile: (330) 469-0445
>>>
>>> -----Original Message-----
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
>>> Sent: Friday, September 4, 2015 4:24 PM
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>>>
>>> Frans,
>>>
>>> Why do you care who’s behind the device? If you were to treat student wireless in the same regard as Starbucks treats a device connecting to theirs, what possible policies would you be concerned with? If you could block the device and be done with it, what else do you want to do?
>>>
>>> Liability - Risk management is a decision that is higher up the chain, and if users are satisfied with the risk while at a Starbucks, why would their expectation be different when consuming free WiFi at their college? Would the college actually be at greater risk if, for example, they promote WPA/802.1x enabled SSIDs as “Secure” when it’s adding only one layer?
>>>
>>> Open Network - I’m not suggesting this, I’m saying, what’s the middle ground? Is a modified WPA-PSK system better, where the on boarding is using the student’s ID as the WPA-PSK password? Is that “Good Enough” to eliminate the hassles of WPA-Ent?
>>>
>>> So again, I think it’s worth having the conversation. If the process is overly complicated or restrictive e.g. My chrome cast is on the device-lan, but my laptop isn’t allowed cause it does 802.1x, then what have we solved?
>>>
>>> Jeff
>>>
>>> On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of frans.pan...@surfnet.nl> wrote:
>>>
>>>> Jeff,
>>>>
>>>> Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
>>>>> Just to turn this on its ear a bit...
>>>>>
>>>>> Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?
>>>> Basically, because you do not know who is behind the device if this user does something that conflicts with any of the policies (e.g., security to name one).
>>>>>
>>>>> Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places?
>>>> Regardless of the numbers, I will tell you it was worth it.
>>>>
>>>> Imagine the blames your institute copes with if someone decides to put a rogue access point in between that catches all kinds of privacy data? The end-user will blame the institute because it happened there!
>>>>
>>>> Note that there are easy out-of-the-box tools that are dedicated for these kind of attacks and easy to set-up, even for a 12 year old. For example, have a look at pineapple: https://www
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
A mix of a few recent topics I wanted to comment on (HEOA tracking and Device nets). Our lawyers and CISO have reviewed HEOA. We say that we are required to block illegal peer to peer and know who is using each IP address. We block all peer to peer with Procera appliances currently. With ~40,000 wireless clients on RFC1918 private IPs and 2 – 3 Gbps of NAT-ed traffic flows tracking to the individual user was no trivial task. I wasn’t comfortable logging that volume of traffic flow on our Check Point firewalls (though they might handle it). Instead we leveraged netflow on multiple boxes to provide the answers. We’ve also been working with CERT more recently to improve our hit rate on identifying the user (we were missing some). Our only open wireless is for onboarding (to SMS text message credentials to cell phone number we could potentially subpoena for records). We do this with Packet Fence today and Aruba Clearpass tomorrow (though Packet Fence worked tremendously for us). Both have a click here to provision yourself for our WPA2 enterprise SSID with proper certificate validations. The complaints are that it takes too long (3 – 5 minutes is average to figure it out), that you have to select your cell carrier and some are missing (which we are eliminating with an SMS gateway service), or that folks don’t have SMS text capable cell phones (but they want their iPad connected). In our residence halls we leverage Aruba Clearpass. There are two SSIDs (one WPA2 enterprise and one WPA2 PSK w/ mac authentication requirements). Students can workflow themselves through the process. We steer them to the WPA2 enterprise SSID and they just need to have their enterprise ldap credentials. If they have a computer (Windows or Mac currently), they are steered to a captive portal page serving them the Aruba Onguard agent. Once they have that it steers them to install our managed Symantec Endpoint Protection. 
After that they are connected (unless either of those requirements stops running). Smart devices like phones and tablets just need to authenticate and they are good. They have to hit a Clearpass page to add the mac address of their gaming systems before they work on the WPA2 PSK SSID. We have profiling of devices so we don’t allow the computers and smart devices to connect to the PSK network. 95% of devices are wireless, but we did enable 802.1x for all wired ports. It was a tremendous effort for us, but has been running terribly well with just about 1 access point per suite. Reach out if you care for more details. Adam [Adam T Ferrero] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel Sent: Tuesday, September 08, 2015 9:51 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey HEOA just requires that we provide an individual notices to students once per year that includes an explanation of copyright and our enforcement policies. Said policies must include technical measures to limit copyright infringement and a policy to promote legal alternatives, but I didn't see anything in there about data retention requiring us to keep logs relating IPs/MACs to users. [http://www.york.edu/Portals/0/Images/Logo/YorkCollegeLogoSmall.jpg] Joel Coehoorn Director of Information Technology 402.363.5603 jcoeho...@york.edu<mailto:jcoeho...@york.edu> The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society On Mon, Sep 7, 2015 at 5:38 PM, Steve Bohrer <skboh...@simons-rock.edu<mailto:skboh...@simons-rock.edu>> wrote: Hi Jeff, Can you comment on how the Higher Education Opportunity Act (HEOA) fits into this? 
Our understanding is that HEOA, in addition to the opportunity of Pell grants, now also gives us the opportunity to provide specific annual user education about copyright, and to get involved with copyright enforcement. IANAL enough to discuss whether HEOA compliance requires more or less user identity info than DMCA compliance, but HEOA was historically one of the reasons we've tried to know who owns the devices on our wired and wireless networks. Are there Educause or other resources about HEOA similar to the one you cite for DMCA? Steve Bohrer Network Admin, ITS Bard College at Simon's Rock 413-528-7645 > On Sep 4, 2015, at 5:28 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote: > > Matthew, > > Under the DMCA, the ISP only has to, upon learning of the infringing > transmission, act quickly to remove or disable access to the infringing > transmission. We can carry that out with no knowledge of who’s behind the > device. That said, it only applies to resources owned by t
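The attribution chain described in the message above (a NAT-ed public address traced back to an individual user), together with the 7-day log-retention case raised in the thread's DMCA discussion, as an added example that is not taken from any poster's deployment. The record layouts, addresses, MACs and usernames are constructed assumptions, not NetFlow, ClearPass or PacketFence formats.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class NatFlow:
    """One NAT translation seen by a flow collector (constructed layout)."""
    start: datetime
    end: datetime
    public_ip: str
    public_port: int
    private_ip: str


@dataclass(frozen=True)
class Lease:
    """One DHCP lease interval for an RFC 1918 address (constructed layout)."""
    start: datetime
    end: datetime
    private_ip: str
    mac: str


@dataclass(frozen=True)
class Attribution:
    private_ip: Optional[str]
    mac: Optional[str]
    user: Optional[str]
    reason: str


def ts(text):
    """Parse a UTC timestamp; every log source must share one clock and zone."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def covering(records, when, **fields):
    """Records active at `when` whose named fields equal the given values."""
    return [r for r in records
            if r.start <= when <= r.end
            and all(getattr(r, k) == v for k, v in fields.items())]


def attribute(public_ip, public_port, when, nat_flows, leases, owners,
              now, retention=timedelta(days=7)):
    """Walk a notice back: public ip:port -> private IP -> MAC -> owner."""
    if now - when > retention:
        return Attribution(None, None, None, "outside log retention window")
    match = {"public_ip": public_ip}
    if public_port is not None:          # many notices omit the source port
        match["public_port"] = public_port
    private_ips = {f.private_ip for f in covering(nat_flows, when, **match)}
    if len(private_ips) != 1:
        reason = "ambiguous NAT flow" if private_ips else "no matching NAT flow"
        return Attribution(None, None, None, reason)
    private_ip = private_ips.pop()
    macs = {l.mac for l in covering(leases, when, private_ip=private_ip)}
    if len(macs) != 1:
        return Attribution(private_ip, None, None, "no unique DHCP lease")
    mac = macs.pop()
    user = owners.get(mac)
    if user is None:
        # The device can still be blocked by MAC even though no owner is known.
        return Attribution(private_ip, mac, None, "device not registered to a user")
    return Attribution(private_ip, mac, user, "matched")


# Constructed sample data: documentation addresses and made-up MACs/usernames.
NAT_FLOWS = [
    NatFlow(ts("2015-09-08 13:00:00"), ts("2015-09-08 13:04:30"), "192.0.2.10", 40001, "10.20.5.17"),
    NatFlow(ts("2015-09-08 13:00:10"), ts("2015-09-08 13:05:00"), "192.0.2.10", 40555, "10.20.9.44"),
    # The same public ip:port is reused an hour later by a different client.
    NatFlow(ts("2015-09-08 14:10:00"), ts("2015-09-08 14:12:00"), "192.0.2.10", 40001, "10.20.9.44"),
    NatFlow(ts("2015-09-08 15:00:00"), ts("2015-09-08 15:01:00"), "192.0.2.10", 40777, "10.20.7.3"),
    NatFlow(ts("2015-09-08 16:00:00"), ts("2015-09-08 16:02:00"), "192.0.2.10", 41000, "10.20.5.17"),
]
LEASES = [
    Lease(ts("2015-09-08 08:00:00"), ts("2015-09-08 13:30:00"), "10.20.5.17", "aa:bb:cc:00:00:01"),
    # The private address is handed to a different device in the afternoon.
    Lease(ts("2015-09-08 13:30:01"), ts("2015-09-08 20:00:00"), "10.20.5.17", "aa:bb:cc:00:00:02"),
    Lease(ts("2015-09-08 08:00:00"), ts("2015-09-08 20:00:00"), "10.20.9.44", "aa:bb:cc:00:00:03"),
    Lease(ts("2015-09-08 08:00:00"), ts("2015-09-08 20:00:00"), "10.20.7.3", "aa:bb:cc:00:00:04"),
]
OWNERS = {  # MAC -> user from device registration; ...:04 was never registered
    "aa:bb:cc:00:00:01": "student_a",
    "aa:bb:cc:00:00:02": "student_b",
    "aa:bb:cc:00:00:03": "student_c",
}
NOW = ts("2015-09-09 09:00:00")

if __name__ == "__main__":
    for port, when in [(40001, "2015-09-08 13:02:00"), (40001, "2015-09-08 14:11:00"),
                       (None, "2015-09-08 13:02:00"), (40777, "2015-09-08 15:00:30"),
                       (40001, "2015-08-26 13:02:00")]:
        print(port, when, attribute("192.0.2.10", port, ts(when),
                                    NAT_FLOWS, LEASES, OWNERS, NOW))
```

A notice without a source port cannot be resolved once more than one client shares the public address at that instant, and every step depends on the NAT, DHCP and registration logs still being within retention and on a common clock.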
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
As I said to a NAC vendor several years ago .. if we could get students to adhere to an acceptable use policy, I wouldn't need a NAC, would I? As much as I dislike the hoops I have to jump through for 1x and NAC, it serves a purpose and protects us against a good deal of activity. Over the years, I've had students running businesses out of their dorm rooms, infecting the network with any number of viruses (if you're lucky), DOS attacks (if you're not so lucky) and providing free wifi to their neighbors. Maybe if the resnet is completely separate from the rest of the network, I'd be fine with it. But what about when they are in a classroom? Do you really want to deal with two different "experiences"? If nothing else, I'd rather vet out the problems in the res halls so I have fewer issues in the classrooms. -Brian

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Friday, September 04, 2015 4:15 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Good questions, and many of us are contemplating the same questions and issues. Lee Badman | Network Architect Information Technology Services 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu SYRACUSE UNIVERSITY syr.edu

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton Sent: Friday, September 04, 2015 3:04 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Just to turn this on its ear a bit... Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center?
Why are we (my self included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t? Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, with a pop-up welcome page to accept our use policy). We are not necessarily hell-bent on getting a PSK/MAC authenticated network built, but our students are. They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, etc. on the wireless network just like they would at home, their apartment, etc. Obviously, they wouldn't do that at Starbucks, a hotel, or the like. They live on campus, so it's their home. Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places? Why do we care so much? Is there some middle-ground that is “good enough” but provides almost the same experience as at home? Would our efforts be better spent implementing other beneficial technologies such location-aware WiFi, where after the student connects all their AppleTV, TimeMachine, and Chromecast devices, the network is smart enough to provide them visibility of only those devices when in/near the same location e.g. Location-aware bonjour? Jeff On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of lhbad...@syr.edu> wrote: >Where it gets interesting- broadcast and single class C required. But- this is >a great summary of requirements. 
> >Lee Badman | Network Architect >Information Technology Services >206 Machinery Hall >120 Smith Drive >Syracuse, New York 13244 >t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu >SYRACUSE UNIVERSITY >syr.edu > >-Original Message- >From: The EDUCAUSE Wireless Issues Constituent Group Listserv >[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil >M >Sent: Friday, September 04, 2015 10:46 AM >To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in >the dorms- quick Survey > >Here is my first pass at requirements: > >1. The service must prevent or discourage devices that ARE capable of >using 802.1x authentication from using the service. > >2. The service should provide some sort of traceability of devices back to >their owners. > >3. The service must provide some method to deny access to an individual >device. > >4. The service must be easy enough to use that the average student can >connect a device to the network in 10-15 minutes without requiring a
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
s Services > >> Kent State University > >> Office: (330) 672-7246 > >> Mobile: (330) 469-0445 > >> > >> -Original Message- > >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler > >> Sent: Friday, September 4, 2015 4:24 PM > >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in > the dorms- quick Survey > >> > >> Frans, > >> > >> Why do you care who’s behind the device? If you were to treat student > wireless in the same regard as Starbucks treats a device connecting to > theirs, what possible policies would you be concerned with? If you could > block the device and be done with it, what else do you want to do? > >> > >> Liability - Risk management is a decision that is higher up the chain, > and if user’s are satisfied with the risk while at a Starbucks, why would > their expectation be different when consuming free WiFi at their college? > Would the college actually be at greater risk if, for example, they promote > WPA/802.1x enabled SSIDs as “Secure” when it’s adding only one layer? > >> > >> Open Network - I’m not suggesting this, I’m saying, what’s the middle > ground? Is a modified WPA-PSK system better, where the on boarding is using > the student’s ID as the WPA-PSK password? Is that “Good Enough” to > eliminate the hassles of WPA-Ent? > >> > >> So again, I think it’s worth having the conversation. If the process is > overly complicated or restrictive e.g. My chrome cast is on the device-lan, > but my laptop isn’t allowed cause it does 802.1x, then what have we solved? > >> > >> Jeff > >> > >> > >> > >> > >> > >> On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group > Listserv on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > on behalf of frans.pan...@surfnet.nl> wrote: > >> > >>> Jeff, > >>> > >>> Jeffrey D. 
Sessler wrote on 04/09/15 at 20:55: > >>>> Just to turn this on its ear a bit... > >>>> > >>>> Why not go back to an open network for student devices, with the same > EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention > center? Why are we (myself included) so hell bent on student devices > connecting via WPA-Ent and all the challenges associated with accommodating > devices that can’t? > >>> Basically, because you do not know who is behind the device if this > >>> user does something that conflicts with any of the policies (e.g., > >>> security to name one). > >>>> > >>>> > >>>> Does data exist that shows all of this overhead we’ve created has had > any measurable benefit (for the cost), especially when the same users > aren’t concerned about over-the-air security when at the above mentioned > places? > >>> Regardless of the numbers, I will tell you it was worth it. > >>> > >>> Imagine the blames your institute copes with if someone decides to > >>> put a rogue access point in between that catches all kinds of privacy > data? > >>> The end-user will blame the institute because it happened there! > >>> > >>> Note that there are easy out-of-the-box tools that are dedicated for > >>> these kinds of attacks and easy to set-up, even for a 12 year old. For > >>> example, have a look at pineapple: https://www.wifipineapple.com/ > (very > >>> useful to play with!) > >>> > >>> Or Nethunter, that uses Linux Kali and is installed on a simple phone > >>> or tablet (http://www.nethunter.com/). > >>> > >>>> > >>>> Why do we care so much? Is there some middle-ground that is “good > enough” but provides almost the same experience as at home? > >>> Seriously, you have an open network at home?? You login with your bank?
> >>> Ever hear of SSL strip (if not, I recommend to Google it and watch that > >>> little slot in your browser continuously) > >>> > >>>> > >>>> Would our efforts be better spent implementing other beneficial > technologies such as location-aware WiFi, where after the student connects all > their AppleTV, TimeMachine, and Chromecast devices, the network is smart > enough to provide them visibility of only those devices when in/near the > same location e.g. Location-aware bonjour? >
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Hi Jeff, Can you comment on how the Higher Education Opportunity Act (HEOA) fits into this? Our understanding is that HEOA, in addition to the opportunity of Pell grants, now also gives us the opportunity to provide specific annual user eduction about copyright, and to get involved with copyright enforcement. IANAL enough to discuss whether HEOA compliance requires more or less user identity info than DMCA compliance, but HEOA was historically one of the reasons we've tried to know who owns the devices on our wired and wireless networks. Are there Educause or other resources about HEOA similar to the one you cite for DMCA? Steve Bohrer Network Admin, ITS Bard College at Simon's Rock 413-528-7645 > On Sep 4, 2015, at 5:28 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> > wrote: > > Matthew, > > Under the DMCA, the ISP only has to, upon learning of the infringing > transmission, act quickly to remove or disable access to the infringing > transmission. We can carry that out with no knowledge of who’s behind the > device. That said, it only applies to resources owned by the institution. > > Here is some key info in case you’re interested. Some of it is sourced from > from an EDUCAUSE FAQ for DMCA designated agents in higher-ed. > > If your institution, after taking reasonable efforts to investigate and match > a user to the IP address designated in the DMCA notice, cannot, for technical > or other legitimate reasons, match a user to this IP address, the DMCA does > not specifically require any other action. > > The DMCA does not include a records retention requirement for logs. So, if > your record retention for radius, dhcp, etc. is only 7 days, and a DMCA > notice arrives for something that occurred 14 days ago, then you are under no > obligation to do more. > > Resources owned by an institution—such as faculty, staff, or computer lab > computers—fall under 17 U.S.C. Section 512(c). 
This section provides a safe > harbor for an ISP so that it is not liable for monetary damages for > infringing materials on its servers provided it does not have “actual > knowledge” of the infringing material, does not receive a direct financial > benefit from the infringement, and, when notified, responds “expeditiously” > to remove the infringing material or disable access to such material. > > Most student and guest activity on university networks occurs through > personally owned equipment and thus falls under 17 U.S.C. Section 512(a). > This section provides immunity to the ISP for information that simply > transits the ISP’s networks, with no direction, input, or interference from > the ISP itself, and is not stored anywhere on the ISP’s network. Notably, no > additional proactive steps are required for an ISP to avail itself of this > immunity. However, for a variety of reasons, some institutions have made a > policy decision to treat these notices as if they fall under Section 512(c), > terminating users from the network unless and until the infringing content is > removed. Often such activity is handled through a student affairs process, > rather than as a legal or IT matter, so as to seize upon a “teachable moment” > for students. > > If you’re interested, here is the link: > http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/intellectual-property/dmca-faq > > > Jeff > > > > On 9/4/15, 1:58 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv > on behalf of Williams, Matthew" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf > of mwill...@kent.edu> wrote: > >> Jeff, >> >> Without knowing who is behind the device, how do you handle copyright >> issues? 
>> >> Respectfully, >> >> Matthew Williams >> Manager, Network and Telecommunications Services >> Kent State University >> Office: (330) 672-7246 >> Mobile: (330) 469-0445 >> >> -Original Message----- >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler >> Sent: Friday, September 4, 2015 4:24 PM >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the >> dorms- quick Survey >> >> Frans, >> >> Why do you care who’s behind the device? If you were to treat student >> wireless in the same regard as Starbucks treats a device connecting to >> theirs, what possible policies would you be concerned with? If you could >> block the device and be done with it, what else do you want to do? >> >> Liability - Risk managemen
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Here is my first pass at requirements:

1. The service must prevent or discourage devices that ARE capable of using 802.1x authentication from using the service.
2. The service should provide some sort of traceability of devices back to their owners.
3. The service must provide some method to deny access to an individual device.
4. The service must be easy enough to use that the average student can connect a device to the network in 10-15 minutes without requiring assistance from ITS.
5. The service must restrict access to only authorized University customers.
6. In the residence Halls, the service must support most of the most common consumer devices that students might bring to campus

We are also looking at a “Device Net” for campus for other devices that may not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).

For the residence hall device net we are thinking about blocking all access to campus resources and just allowing internet access.

For the campus device net we are thinking about RFC 1918 space restricting the devices to on campus resources only.

-- Neil Johnson Network Engineer The University of Iowa Phone: 319 384-0938 Fax: 319 335-2951 E-Mail: neil-john...@uiowa.edu

> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) <bosbo...@liberty.edu> wrote:
>
> What are you calling a Device Net?
>
> We have an open SSID with a custom captive portal using the ClearPass eTIPS API.
>
> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect Wizard, registering a non-802.1X device Endpoint in ClearPass (with AirGroup device registration for Apple-TV) and for permitting non-802.1X network access, blocking out internal web server & blackboard servers. If devices try to go to these sites, they are redirected to Cloudpath XpressConnect Wizard.
> > I am leaving on vacation for a week, so it may take me a while to resond > further > > Bruce Osborne > Wireless Engineer > IT Infrastructure & Media Solutions > > (434) 592-4229 > > LIBERTY UNIVERSITY > Training Champions for Christ since 1971 > > -Original Message- > From: Johnson, Neil M [mailto:neil-john...@uiowa.edu] > Sent: Thursday, September 3, 2015 12:08 PM > Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey > > We are investigating a device net at UofI so, > > I would be interested in hearing from anyone who has implemented a Device Net > with Clearpass. > > Thanks. > -Neil > > -- > Neil Johnson > Network Engineer > The University of Iowa > Phone: 319 384-0938 > Fax: 319 335-2951 > E-Mail: neil-john...@uiowa.edu > > > >> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu> wrote: >> >> There is an elegance in your wisdom, Chuck. >> >> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield >> Sent: Wednesday, September 02, 2015 5:54 PM >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the >> dorms- quick Survey >> >> Don’t tell me. Ignorance is bliss. Man, am I happy! >> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton >> Sent: Wednesday, September 02, 2015 5:41 PM >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the >> dorms- quick Survey >> >> Lee, >> >> Are you going to share the results of this survey as well? 
>> >> David >> >> >> David Morton >> >> Director, Mobile Communications >> Service Owner: Wi-Fi, Mobile & HuskyTV >> University of Washington >> dmor...@u.washington.edu >> tel 206.221.7814 >> >> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu> wrote: >> >> As we look forward in how we service our residential spaces for Wi-Fi, I’ve >> put together a quick survey on if/what other schools are doing (and not >> doing) for supporting the perplexing gadgets (TVs, games, entertainment >> dongles, etc) over Wi-Fi. Please consider contributing at >> >> https://www.quicksurveys.com/s/Wc92H >> >> I’ll run this for two weeks, will post just a couple more invites on each >> list in that period (so you know to expect a couple more… kind of advance >> spam warning) and will open the results page up for both lists at the end. I &g
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Where it gets interesting- broadcast and single class C required. But- this is a great summary of requirements. Lee Badman | Network Architect Information Technology Services 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu SYRACUSE UNIVERSITY syr.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M Sent: Friday, September 04, 2015 10:46 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey Here is my first pass at requirements: 1. The service must prevent or discourage devices that ARE capable of using 802.1x authentication from using the service. 2. The service should provide some sort of traceability of devices back to their owners. 3. The service must provide some method to deny access to an individual device. 4. The service must be easy enough to use that the average student can connect a device to the network in 10-15 minutes without requiring assistance from ITS. 5. The service must restrict access to only authorized University customers. 6. In the residence Halls, the service must support most the most common consumer devices that students might bring to campus We are also looking at a “Device Net” for campus for other devices that may not do 802.1X (freezer monitors, digital signage, instrumentation, etc.). For the residence hall device net we are thinking about blocking all access to campus resources and just allowing internet access. For the campus device net we thinking about RFC 1918 space restricting the deivces to on campus resources only. 
-- Neil Johnson Network Engineer The University of Iowa Phone: 319 384-0938 Fax: 319 335-2951 E-Mail: neil-john...@uiowa.edu > On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) > <bosbo...@liberty.edu> wrote: > > What are you calling a Device Net? > > We have an open SSID with a custom captive portal using the ClearPass eTIPS > API. > > We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect > Wizard, registering a non-8012.1X device Endpoint in ClearPass (with AirGroup > device registration for Apple-TV) and for permitting non-802.1X network > access, blocking out internal web server & blackboard servers. If devices try > to go to these sites, they are redirected to Cloudpath XpressConnect Wizard. > > I am leaving on vacation for a week, so it may take me a while to resond > further > > Bruce Osborne > Wireless Engineer > IT Infrastructure & Media Solutions > > (434) 592-4229 > > LIBERTY UNIVERSITY > Training Champions for Christ since 1971 > > -Original Message- > From: Johnson, Neil M [mailto:neil-john...@uiowa.edu] > Sent: Thursday, September 3, 2015 12:08 PM > Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey > > We are investigating a device net at UofI so, > > I would be interested in hearing from anyone who has implemented a Device Net > with Clearpass. > > Thanks. > -Neil > > -- > Neil Johnson > Network Engineer > The University of Iowa > Phone: 319 384-0938 > Fax: 319 335-2951 > E-Mail: neil-john...@uiowa.edu > > > >> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu> wrote: >> >> There is an elegance in your wisdom, Chuck. >> >> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield >> Sent: Wednesday, September 02, 2015 5:54 PM >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the >> dorms- quick Survey >> >> Don’t tell me. 
Ignorance is bliss. Man, am I happy! >> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton >> Sent: Wednesday, September 02, 2015 5:41 PM >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the >> dorms- quick Survey >> >> Lee, >> >> Are you going to share the results of this survey as well? >> >> David >> >> >> David Morton >> >> Director, Mobile Communications >> Service Owner: Wi-Fi, Mobile & HuskyTV >> University of Washington >> dmor...@u.washington.edu >> tel 206.221.7814 >> >> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu>
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Just to turn this on it’s ear a bit... Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (my self included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t? Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places? Why do we care so much? Is there some middle-ground that is “good enough” but provides almost the same experience as at home? Would our efforts be better spent implementing other beneficial technologies such location-aware WiFi, where after the student connects all their AppleTV, TimeMachine, and Chromecast devices, the network is smart enough to provide them visibility of only those devices when in/near the same location e.g. Location-aware bonjour? Jeff On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of lhbad...@syr.edu> wrote: >Where it gets interesting- broadcast and single class C required. But- this is >a great summary of requirements. > >Lee Badman | Network Architect >Information Technology Services >206 Machinery Hall >120 Smith Drive >Syracuse, New York 13244 >t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu >SYRACUSE UNIVERSITY >syr.edu > >-Original Message- >From: The EDUCAUSE Wireless Issues Constituent Group Listserv >[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M >Sent: Friday, September 04, 2015 10:46 AM >To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the >dorms- quick Survey > >Here is my first pass at requirements: > >1. 
The service must prevent or discourage devices that ARE capable of >using 802.1x authentication from using the service. > >2. The service should provide some sort of traceability of devices back to >their owners. > >3. The service must provide some method to deny access to an individual >device. > >4. The service must be easy enough to use that the average student can >connect a device to the network in 10-15 minutes without requiring assistance >from ITS. > >5. The service must restrict access to only authorized University >customers. > >6. In the residence Halls, the service must support most the most common >consumer devices that students might bring to campus > > >We are also looking at a “Device Net” for campus for other devices that may >not do 802.1X (freezer monitors, digital signage, instrumentation, etc.). > >For the residence hall device net we are thinking about blocking all access to >campus resources and just allowing internet access. > >For the campus device net we thinking about RFC 1918 space restricting the >deivces to on campus resources only. > >-- >Neil Johnson >Network Engineer >The University of Iowa >Phone: 319 384-0938 >Fax: 319 335-2951 >E-Mail: neil-john...@uiowa.edu > > > >> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) >> <bosbo...@liberty.edu> wrote: >> >> What are you calling a Device Net? >> >> We have an open SSID with a custom captive portal using the ClearPass eTIPS >> API. >> >> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect >> Wizard, registering a non-8012.1X device Endpoint in ClearPass (with >> AirGroup device registration for Apple-TV) and for permitting non-802.1X >> network access, blocking out internal web server & blackboard servers. If >> devices try to go to these sites, they are redirected to Cloudpath >> XpressConnect Wizard. 
>> >> I am leaving on vacation for a week, so it may take me a while to resond >> further >> >> Bruce Osborne >> Wireless Engineer >> IT Infrastructure & Media Solutions >> >> (434) 592-4229 >> >> LIBERTY UNIVERSITY >> Training Champions for Christ since 1971 >> >> -Original Message- >> From: Johnson, Neil M [mailto:neil-john...@uiowa.edu] >> Sent: Thursday, September 3, 2015 12:08 PM >> Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick >> Survey >> >> We are investigating a device net at UofI so, >> >> I would be interested in hearing from anyone who has implemented a Device >> Net with Clearpass. >> >> Thanks.
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?

Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, with a pop-up welcome page to accept our use policy).

We are not necessarily hell-bent on getting a PSK/MAC authenticated network built, but our students are. They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, etc. on the wireless network just like they would at home, their apartment, etc. Obviously, they wouldn't do that at Starbucks, a hotel, or the like. They live on campus, so it's their home.

Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but provides almost the same experience as at home?

Would our efforts be better spent implementing other beneficial technologies such as location-aware WiFi, where after the student connects all their AppleTV, TimeMachine, and Chromecast devices, the network is smart enough to provide them visibility of only those devices when in/near the same location e.g. Location-aware bonjour?

Jeff

On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of lhbad...@syr.edu> wrote:

>Where it gets interesting- broadcast and single class C required. But- this is a great summary of requirements.
>
>Lee Badman | Network Architect
>Information Technology Services
>206 Machinery Hall
>120 Smith Drive
>Syracuse, New York 13244
>t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu
>SYRACUSE UNIVERSITY
>syr.edu
>
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
>Sent: Friday, September 04, 2015 10:46 AM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>
>Here is my first pass at requirements:
>
>1. The service must prevent or discourage devices that ARE capable of using 802.1x authentication from using the service.
>
>2. The service should provide some sort of traceability of devices back to their owners.
>
>3. The service must provide some method to deny access to an individual device.
>
>4. The service must be easy enough to use that the average student can connect a device to the network in 10-15 minutes without requiring assistance from ITS.
>
>5. The service must restrict access to only authorized University customers.
>
>6. In the residence Halls, the service must support most of the most common consumer devices that students might bring to campus
>
>We are also looking at a “Device Net” for campus for other devices that may not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).
>
>For the residence hall device net we are thinking about blocking all access to campus resources and just allowing internet access.
>
>For the campus device net we are thinking about RFC 1918 space restricting the devices to on campus resources only.
>
>--
>Neil Johnson
>Network Engineer
>The University of Iowa
>Phone: 319 384-0938
>Fax: 319 335-2951
>E-Mail: neil-john...@uiowa.edu
>
>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) <bosbo...@liberty.edu> wrote:
>>
>> What are you calling a Device Net?
>>
>> We have an open SSID with a custom captive portal using the ClearPass eTIPS API.
>>
>> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect Wizard, registering a non-802.1X device Endpoint in ClearPass (with AirGroup device registration for Apple-TV) and for permitting non-802.1X network access, blocking out internal web server & blackboard servers. If devices try to go to these sites, they are redirected to Cloudpath XpressConnect Wizard.
>>
>> I am leaving on vacation for a week, so it may take me a while to respond further
>>
>> Bruce Osborne
>> Wireless Engineer
>> IT Infrastructure & Media Solutions
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Jeff,

Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
> Just to turn this on its ear a bit...
>
> Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?

Basically, because you do not know who is behind the device if this user does something that conflicts with any of the policies (e.g., security to name one).

> Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places?

Regardless of the numbers, I will tell you it was worth it.

Imagine the blame your institute copes with if someone decides to put a rogue access point in between that catches all kinds of privacy data? The end-user will blame the institute because it happened there!

Note that there are easy out-of-the-box tools that are dedicated for these kinds of attacks and easy to set up, even for a 12 year old. For example, have a look at pineapple: https://www.wifipineapple.com/ (very useful to play with!)

Or Nethunter, that uses Linux Kali and is installed on a simple phone or tablet (http://www.nethunter.com/).

> Why do we care so much? Is there some middle-ground that is “good enough” but provides almost the same experience as at home?

Seriously, you have an open network at home?? You login with your bank? Ever hear of SSL strip (if not, I recommend to Google it and watch that little slot in your browser continuously)

> Would our efforts be better spent implementing other beneficial technologies such as location-aware WiFi, where after the student connects all their AppleTV, TimeMachine, and Chromecast devices, the network is smart enough to provide them visibility of only those devices when in/near the same location e.g. Location-aware bonjour?

I hope the arguments above convinced you. If not, I think I can think of some more...

-Frans

> Jeff
>
> On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of lhbad...@syr.edu> wrote:
>
>> Where it gets interesting- broadcast and single class C required. But- this is a great summary of requirements.
>>
>> Lee Badman | Network Architect
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
>> Sent: Friday, September 04, 2015 10:46 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>>
>> Here is my first pass at requirements:
>>
>> 1. The service must prevent or discourage devices that ARE capable of using 802.1x authentication from using the service.
>>
>> 2. The service should provide some sort of traceability of devices back to their owners.
>>
>> 3. The service must provide some method to deny access to an individual device.
>>
>> 4. The service must be easy enough to use that the average student can connect a device to the network in 10-15 minutes without requiring assistance from ITS.
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Jeff,

Without knowing who is behind the device, how do you handle copyright issues?

Respectfully,

Matthew Williams
Manager, Network and Telecommunications Services
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, September 4, 2015 4:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Frans,

Why do you care who’s behind the device? If you were to treat student wireless in the same regard as Starbucks treats a device connecting to theirs, what possible policies would you be concerned with? If you could block the device and be done with it, what else do you want to do?

Liability - Risk management is a decision that is higher up the chain, and if users are satisfied with the risk while at a Starbucks, why would their expectation be different when consuming free WiFi at their college? Would the college actually be at greater risk if, for example, they promote WPA/802.1x enabled SSIDs as “Secure” when it’s adding only one layer?

Open Network - I’m not suggesting this, I’m saying, what’s the middle ground? Is a modified WPA-PSK system better, where the on boarding is using the student’s ID as the WPA-PSK password? Is that “Good Enough” to eliminate the hassles of WPA-Ent?

So again, I think it’s worth having the conversation. If the process is overly complicated or restrictive e.g. My chrome cast is on the device-lan, but my laptop isn’t allowed cause it does 802.1x, then what have we solved?

Jeff

On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of frans.pan...@surfnet.nl> wrote:

>Jeff,
>
>Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
>> Just to turn this on its ear a bit...
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Good questions, and many of us are contemplating the same questions and issues.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Friday, September 04, 2015 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?

Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, with a pop-up welcome page to accept our use policy).

We are not necessarily hell-bent on getting a PSK/MAC authenticated network built, but our students are. They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, etc. on the wireless network just like they would at home, their apartment, etc. Obviously, they wouldn't do that at Starbucks, a hotel, or the like. They live on campus, so it's their home.

Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but provides almost the same experience as at home?
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
The difference between us and a McDonalds or Starbucks is that we are the student's residence. They can't as easily just wait or go elsewhere in order to do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students. They haven't yet had a chance to know that they should care. Therefore, I do believe it is our responsibility to provide the secure option and educate our students on the importance of using it.

At the same time, college students are supposedly adults now, and capable of making their own decisions, and so I try to provide both options (we really do have a completely open SSID), along with some education and a nudge via SSID naming that the secure SSID may be "better" in some ephemeral way.

Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu

The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society

On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

> Jeff,
>
> Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
> > Just to turn this on its ear a bit...
> >
> > Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?
> Basically, because you do not know who is behind the device if this user does something that conflicts with any of the policies (e.g., security to name one).
> >
> > Does data exist that shows all of this overhead we’ve created has had any measurable benefit (for the cost), especially when the same users aren’t concerned about over-the-air security when at the above mentioned places?
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Frans,

Why do you care who’s behind the device? If you were to treat student wireless in the same regard as Starbucks treats a device connecting to theirs, what possible policies would you be concerned with? If you could block the device and be done with it, what else do you want to do?

Liability - Risk management is a decision that is higher up the chain, and if users are satisfied with the risk while at a Starbucks, why would their expectation be different when consuming free WiFi at their college? Would the college actually be at greater risk if, for example, they promote WPA/802.1x enabled SSIDs as “Secure” when it’s adding only one layer?

Open Network - I’m not suggesting this, I’m saying, what’s the middle ground? Is a modified WPA-PSK system better, where the on boarding is using the student’s ID as the WPA-PSK password? Is that “Good Enough” to eliminate the hassles of WPA-Ent?

So again, I think it’s worth having the conversation. If the process is overly complicated or restrictive e.g. My chrome cast is on the device-lan, but my laptop isn’t allowed cause it does 802.1x, then what have we solved?

Jeff

On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of frans.pan...@surfnet.nl> wrote:

>Jeff,
>
>Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
>> Just to turn this on its ear a bit...
>>
>> Why not go back to an open network for student devices, with the same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why are we (myself included) so hell bent on student devices connecting via WPA-Ent and all the challenges associated with accommodating devices that can’t?
>Basically, because you do not know who is behind the device if this user does something that conflicts with any of the policies (e.g., security to name one).
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
This sounds almost exactly like what we're planning on doing in a major wireless auth overhaul this upcoming year! Anything you have on how your system works that you could share would be greatly appreciated.

thanks!

Frank Sweetser fs at wpi.edu    | For every problem, there is a solution that
Manager of Network Operations   | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken

On 09/04/2015 07:46 AM, Osborne, Bruce W (Network Services) wrote:

What are you calling a Device Net?

We have an open SSID with a custom captive portal using the ClearPass eTIPS API.

We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect Wizard, registering a non-802.1X device Endpoint in ClearPass (with AirGroup device registration for Apple-TV) and for permitting non-802.1X network access, blocking out internal web server & blackboard servers. If devices try to go to these sites, they are redirected to Cloudpath XpressConnect Wizard.

I am leaving on vacation for a week, so it may take me a while to respond further

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Johnson, Neil M [mailto:neil-john...@uiowa.edu]
Sent: Thursday, September 3, 2015 12:08 PM
Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey

We are investigating a device net at UofI so, I would be interested in hearing from anyone who has implemented a Device Net with Clearpass.

Thanks.

-Neil

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
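The device-net behaviour discussed in this thread (registered non-802.1X devices tied to an owner, a way to deny one device, and different reachability for a residence-hall and a campus device net) can be sketched as below. This is an added example, not part of any poster's message and not ClearPass code; the class and function names, the device-class list and the address prefixes are assumptions constructed for illustration.

```python
"""Device-net admission and egress policy sketch (added example, hypothetical names)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed prefixes standing in for "campus resources" (assumption).
CAMPUS_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.20.0.0/16")]

# Self-declared device classes assumed able to do 802.1X (assumption); these are
# steered to the 802.1X SSID instead of being registered on the device net.
DOT1X_CAPABLE = {"laptop", "phone", "tablet"}

_MAC_CHARS = re.compile(r"^[0-9A-Fa-f:.\-]+$")


def normalize_mac(raw: str) -> str:
    """Return aa:bb:cc:dd:ee:ff for colon, dash or dotted notation, else raise ValueError."""
    raw = raw.strip()
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not _MAC_CHARS.match(raw) or len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class DeviceRegistry:
    """MAC-to-owner registry. A MAC is asserted by the device itself, so this
    gives traceability and a per-device kill switch, not strong authentication."""
    authorized_users: set
    owners: dict = field(default_factory=dict)   # normalized MAC -> username
    blocked: set = field(default_factory=set)    # normalized MACs denied access

    def register(self, user: str, raw_mac: str, device_class: str) -> str:
        if user not in self.authorized_users:            # authorized customers only
            return "deny: not an authorized user"
        if device_class.lower() in DOT1X_CAPABLE:        # discourage 802.1X-capable devices
            return "redirect: use the 802.1X SSID"
        mac = normalize_mac(raw_mac)
        current = self.owners.get(mac)
        if current is not None and current != user:      # keep one owner per device
            return "deny: already registered to another user"
        self.owners[mac] = user
        return "ok"

    def block(self, raw_mac: str) -> None:
        """Deny access to one individual device."""
        self.blocked.add(normalize_mac(raw_mac))

    def admit(self, raw_mac: str) -> bool:
        mac = normalize_mac(raw_mac)
        return mac in self.owners and mac not in self.blocked

    def owner_of(self, raw_mac: str):
        """Trace a device back to its owner (None if unregistered)."""
        return self.owners.get(normalize_mac(raw_mac))


def egress_allowed(segment: str, dst: str) -> bool:
    """Residence device net: internet only. Campus device net: campus only."""
    addr = ipaddress.ip_address(dst)
    on_campus = any(addr in net for net in CAMPUS_NETS)
    if segment == "residence":
        return not on_campus
    if segment == "campus":
        return on_campus
    raise ValueError(f"unknown segment: {segment!r}")


if __name__ == "__main__":
    reg = DeviceRegistry({"alice", "bob"})               # constructed sample users
    print(reg.register("alice", "AA-BB-CC-00-11-22", "game console"))
    print(reg.owner_of("aabb.cc00.1122"), reg.admit("aa:bb:cc:00:11:22"))
    print(egress_allowed("residence", "10.20.5.5"), egress_allowed("campus", "10.20.5.5"))
```
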
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Is the student’s “residence” in this case any different than a VP who travels and uses hotel WiFi, the hotel being their residence most of the time? Are we asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is interesting to me, in that it provides something that is “good enough” without all the hassles around WPA-ent. We get the user off of an open network, but provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the university’s job to educate them i.e. they are adults, and we don’t go round them up to make sure they attend class. Our students only care about connecting to the WiFi, and even if we try to explain why it’s better, there is only a small percentage that care… the same can be said for staff/faculty. I also shy away from saying, “…provide the secure option.” since it implies everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence shows that if the user’s chrome-cast is in the device-net, they will put their laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the student's residence. They can't as easily just wait or go elsewhere in order to do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students.
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Frans, Starbucks and other will never implement 802.1x as long as it’s cumbersome to onboard a customer. I know from the management of our own WPA-Ent WiFi, devices today still have esoteric issues with it, and it’s only because of tools like XpressConnect that we get 98% of devices working on the first try. Starbucks is interested only in the customer having a great experience, and they want nothing to stand in the way of that. There are many teachable moments for IT yet how effective have we found them to be? I know from experience that students/staff/faculty still fall for phishing attacks no matter how much education we provide, and when failing on something so simple as “don’t click a questionable link about upgrading your email,” I’m not sure to what extent users will check certificates, having an SSL connection, etc. People are familiar with clicking a bunch of buttons and entering user/pass for a site they know nothing about. When their iOS device prompts them with the SSL certificate, they blindly press Install. We (technical/engineers) know better (mostly), but the average user only cares about getting on the internet, and that it’s an easy process. Jeff From: "wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" on behalf of Frans Panken Reply-To: "wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" Date: Friday, September 4, 2015 at 2:20 PM To: "wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey Instead of following Starbucks' bad example, I would rather choose for informing Starbucks and others others to choose for 802.1x instead... (I observe a growing popularity of using Facebook accounts to login to Wi-Fi facilities offered by city Wi-Fi and in malls) We are part of the education community. 
I think it is our duty to educate students: informing them to check certificates, checking SSL, being aware of the dangers of connecting to an open network, etc. The teachers cannot teach this in class if the IT department neglects these rules on the network they offer at the institute (regardless of whether that is a dorm or a classroom). Frankly speaking, people are familiar with connecting to Wi-Fi securely. Five years ago this was still a hassle. Regardless of the OS, it is now a matter of filling in your username and password and you are connected

-Frans

Jeffrey D. Sessler wrote on 04/09/15 at 23:05:

Is the student’s “residence” in this case any different than a VP who travels and uses hotel WiFi, the hotel being their residence most of the time? Are we asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is interesting to me, in that it provides something that is “good enough” without all the hassles around WPA-ent. We get the user off of an open network, but provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the university’s job to educate them, i.e. they are adults, and we don’t go round them up to make sure they attend class. Our students only care about connecting to the WiFi, and even if we try to explain why it’s better, there is only a small percentage that care… the same can be said for staff/faculty. I also shy away from saying, “…provide the secure option,” since it implies everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence shows that if the user’s chrome-cast is in the device-net, they will put their laptop there too so that they have access to it.
Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the student's residence. They can't as easily just wait or go elsewhere in order to do things that really should not be done on an open wifi connection. Additionally, this is the first encounter with the issue for many students. They haven't yet had a chance to know that they should care. Therefore, I do believe it is our responsibility to provide the secure option and educate our students on the importance of using it. At the same time, college students are supposedly adults now, and capable of making their own decisions, and so I tr
Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
We are investigating a device net at UofI, so I would be interested in hearing from anyone who has implemented a Device Net with Clearpass.

Thanks.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu

> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>
> There is an elegance in your wisdom, Chuck.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
> Sent: Wednesday, September 02, 2015 5:54 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>
> Don’t tell me. Ignorance is bliss. Man, am I happy!
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Wednesday, September 02, 2015 5:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
>
> Lee,
>
> Are you going to share the results of this survey as well?
>
> David
>
> David Morton
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
>
> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>
> As we look forward in how we service our residential spaces for Wi-Fi, I’ve put together a quick survey on if/what other schools are doing (and not doing) for supporting the perplexing gadgets (TVs, games, entertainment dongles, etc) over Wi-Fi. Please consider contributing at
>
> https://www.quicksurveys.com/s/Wc92H
>
> I’ll run this for two weeks, will post just a couple more invites on each list in that period (so you know to expect a couple more… kind of advance spam warning) and will open the results page up for both lists at the end. I know I’m not the only one contemplating these questions. Should take minutes to sail through, but decent participation could really help others in their own thoughts about this challenging paradigm.
>
> Thanks in advance!
>
> Lee Badman | Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>
> ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey
Don’t tell me. Ignorance is bliss. Man, am I happy!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
Sent: Wednesday, September 02, 2015 5:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Lee,

Are you going to share the results of this survey as well?

David

David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu> wrote:

As we look forward in how we service our residential spaces for Wi-Fi, I’ve put together a quick survey on if/what other schools are doing (and not doing) for supporting the perplexing gadgets (TVs, games, entertainment dongles, etc) over Wi-Fi. Please consider contributing at

https://www.quicksurveys.com/s/Wc92H

I’ll run this for two weeks, will post just a couple more invites on each list in that period (so you know to expect a couple more… kind of advance spam warning) and will open the results page up for both lists at the end. I know I’m not the only one contemplating these questions. Should take minutes to sail through, but decent participation could really help others in their own thoughts about this challenging paradigm.

Thanks in advance!

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu