Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-14 Thread Dan Brisson
Interesting.  Would you be willing to share what your average user 
consumes per month?


Thanks,
-dan


Dan Brisson
Network Engineer
University of Vermont

On 9/14/2015 7:18 AM, Osborne, Bruce W (Network Services) wrote:

We map username to password and use bandwidth management to limit the amount 
used per month. Users have the option of purchasing additional bandwidth. This 
money helps subsidize our Internet connections.

  
Bruce Osborne

Wireless Engineer
IT Infrastructure & Media Solutions
  
(434) 592-4229
  
LIBERTY UNIVERSITY

Training Champions for Christ since 1971

-Original Message-
From: Danny Eaton [mailto:dannyea...@rice.edu]
Sent: Friday, September 4, 2015 3:04 PM
Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey

Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as 
they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
are we (myself included) so hell bent on student devices connecting via 
WPA-Ent and all the challenges associated with accommodating devices that can’t?

Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice 
Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, 
with a pop-up welcome page to accept our use policy).  We are not necessarily 
hell-bent on getting a PSK/MAC authenticated network built, but our students 
are.  They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, 
etc. on the wireless network just like they would at home, their apartment, 
etc.  Obviously, they wouldn't do that at Starbucks, a hotel, or the like.  
They live on campus, so it's their home.

Does data exist that shows all of this overhead we’ve created has had any 
measurable benefit (for the cost), especially when the same users aren’t 
concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but 
provides almost the same experience as at home?

Would our efforts be better spent implementing other beneficial technologies 
such as location-aware WiFi, where after the student connects all their AppleTV, 
TimeMachine, and Chromecast devices, the network is smart enough to provide 
them visibility of only those devices when in/near the same location e.g. 
Location-aware bonjour?



Jeff


On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of lhbad...@syr.edu> 
wrote:


Where it gets interesting- broadcast and single class C required. But- this is 
a great summary of requirements.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil
M
Sent: Friday, September 04, 2015 10:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in
the dorms- quick Survey

Here is my first pass at requirements:

1. The service must prevent or discourage devices that ARE capable of using 
802.1x authentication from using the service.

2. The service should provide some sort of traceability of devices back to 
their owners.

3. The service must provide some method to deny access to an individual 
device.

4. The service must be easy enough to use that the average student can 
connect a device to the network in 10-15 minutes without requiring assistance 
from ITS.

5. The service must restrict access to only authorized University customers.

6. In the residence Halls, the service must support most of the most common 
consumer devices that students might bring to campus.


We are also looking at a “Device Net” for campus for other devices that may not 
do 802.1X (freezer monitors, digital signage, instrumentation, etc.).

For the residence hall device net we are thinking about blocking all access to 
campus resources and just allowing internet access.

For the campus device net we are thinking about RFC 1918 space restricting the 
devices to on campus resources only.

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu




On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
<bosbo...@liberty.edu> wrote:

What are you calling a Device Net?

We have an open SSID with a custom captive portal using the ClearPass eTIPS API.

We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect Wizard, 
registering a non-802.1X device Endpoint in ClearPass (with AirGroup device 
registration for Apple-TV) and for permitting non-802

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-14 Thread Jeffrey D. Sessler
I’d be curious as to what the break-even is here? The college invests money to 
build and maintain an infrastructure to track users and manage bandwidth, 
charge-back fees, staff time to manage, etc. If instead, those funds were 
invested in just increasing Internet bandwidth, do you come out ahead? What if 
you invest those funds in Internet bandwidth and charge a small technology fee 
to all students?

Jeff



On 9/14/15, 4:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Osborne, Bruce W (Network Services)" 
 wrote:

>We map username to password and use bandwidth management to limit the amount 
>used per month. Users have the option of purchasing additional bandwidth. This 
>money helps subsidize our Internet connections.

Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-11 Thread trent . hurt
Both ruckus and aerohive offer similar tech with dynamic psk or ppsk.

http://2.bp.blogspot.com/-XhUW84JOJj4/TdZdX3YbIJI/AAA/BpQ7LDfc5Yo/s1600/comparison%2Bbetween%2BPPSK.jpg



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Bohrer
Sent: Thursday, September 10, 2015 6:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

I’m assuming “PPSK” is some sort of WPA2-Personal implementation that uses 
individual passwords per user, rather than a single PSK? I think I’ve heard of 
this from Aerohive and Ruckus; are there other vendors who have it?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

On Sep 10, 2015, at 11:06 AM, Paul Sedy <rps...@masters.edu> wrote:

I will do the same and log a request with Cisco on PPSK type technology… I 
would love to see a simpler solution that we could deploy as well.

Paul Sedy
The Master’s College
Director of IT Operations
21726 Placerita Canyon Rd, Santa Clarita, CA 91321
661.362.2340 | rps...@masters.edu
#private

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Wednesday, September 09, 2015 11:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

I’ve launched a request at Cisco to implement something like PPSK. Perhaps if 
enough places request this from their vendors we might get something in. I’ve 
logged a TAC case, spoken to the local Cisco team and an operations manager, 
not sure what other paths there are.

It does seem to be something that provides a reasonable solution to fall-back 
to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting 
on that day when the key needs changing. Not so worried about the dorms, I 
think we can manage that as we can contact the users very easily (though PPSK 
would still be a better option).

But the on-campus random devices which is still only a handful could be quite a 
pain to track them all down and there would be a good period of time with 
certain devices not working. There’s nothing major relying on this, but it is 
still work that will need to be done that wouldn’t have to be if they were 
802.1x or we had a PPSK like option.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Saturday, 5 September 2015 6:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Is the student’s “residence” in this case any different than a VP who travels 
and uses hotel WiFi, the hotel being their residence most of the time? Are we 
asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is 
interesting to me, in that it provides something that is “good enough” without 
all the hassles around WPA-ent. We get the user off of an open network, but 
provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the 
university’s job to educate them i.e. they are adults, and we don’t go round 
them up to make sure they attend class. Our students only care about connecting 
to the WiFi, and even if we try to explain why it’s better, there is only a 
small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies 
everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence 
shows that if the user’s chrome-cast is in the device-net, they will put their 
laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the 
student's residence. They can't as easily just wait or go elsewhere in order to 
do things that really should not be done on an o

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-10 Thread Jason Cook
I’ve launched a request at Cisco to implement something like PPSK. Perhaps if 
enough places request this from their vendors we might get something in. I’ve 
logged a TAC case, spoken to the local Cisco team and an operations manager, 
not sure what other paths there are.

It does seem to be something that provides a reasonable solution to fall-back 
to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting 
on that day when the key needs changing. Not so worried about the dorms, I 
think we can manage that as we can contact the users very easily (though PPSK 
would still be a better option).

But the on-campus random devices which is still only a handful could be quite a 
pain to track them all down and there would be a good period of time with 
certain devices not working. There’s nothing major relying on this, but it is 
still work that will need to be done that wouldn’t have to be if they were 
802.1x or we had a PPSK like option.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Saturday, 5 September 2015 6:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Is the student’s “residence” in this case any different than a VP who travels 
and uses hotel WiFi, the hotel being their residence most of the time? Are we 
asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is 
interesting to me, in that it provides something that is “good enough” without 
all the hassles around WPA-ent. We get the user off of an open network, but 
provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the 
university’s job to educate them i.e. they are adults, and we don’t go round 
them up to make sure they attend class. Our students only care about connecting 
to the WiFi, and even if we try to explain why it’s better, there is only a 
small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies 
everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence 
shows that if the user’s chrome-cast is in the device-net, they will put their 
laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the 
student's residence. They can't as easily just wait or go elsewhere in order to 
do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students. 
They haven't yet had a chance to know that they should care. Therefore, I do 
believe it is our responsibility to provide the secure option and educate our 
students on the importance of using it.

At the same time, college students are supposedly adults now, and capable of 
making their own decisions, and so I try to provide both options (we really do 
have a completely open SSID), along with some education and a nudge via SSID 
naming that the secure SSID may be "better" in some ephemeral way.






Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu



The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:
Jeff,

Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
> Just to turn this on its ear a bit...
>
> Why not go back to an open network for student devices, with the same EULA as 
> they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
> are we (myself included) so hell bent on student devices connecting via 
> WPA-Ent and all the challenges associated with accommodating devices that 
> can’t?
Basically, because you do not know who is behind the device if this user
does something that conflicts with any of the policies (e.g

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-10 Thread Paul Sedy
I will do the same and log a request with Cisco on PPSK type technology… I 
would love to see a simpler solution that we could deploy as well.

Paul Sedy
The Master’s College
Director of IT Operations
21726 Placerita Canyon Rd, Santa Clarita, CA 91321
661.362.2340 | rps...@masters.edu
#private

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Wednesday, September 09, 2015 11:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

I’ve launched a request at Cisco to implement something like PPSK. Perhaps if 
enough places request this from their vendors we might get something in. I’ve 
logged a TAC case, spoken to the local Cisco team and an operations manager, 
not sure what other paths there are.

It does seem to be something that provides a reasonable solution to fall-back 
to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting 
on that day when the key needs changing. Not so worried about the dorms, I 
think we can manage that as we can contact the users very easily (though PPSK 
would still be a better option).

But the on-campus random devices which is still only a handful could be quite a 
pain to track them all down and there would be a good period of time with 
certain devices not working. There’s nothing major relying on this, but it is 
still work that will need to be done that wouldn’t have to be if they were 
802.1x or we had a PPSK like option.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Saturday, 5 September 2015 6:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Is the student’s “residence” in this case any different than a VP who travels 
and uses hotel WiFi, the hotel being their residence most of the time? Are we 
asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is 
interesting to me, in that it provides something that is “good enough” without 
all the hassles around WPA-ent. We get the user off of an open network, but 
provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the 
university’s job to educate them i.e. they are adults, and we don’t go round 
them up to make sure they attend class. Our students only care about connecting 
to the WiFi, and even if we try to explain why it’s better, there is only a 
small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies 
everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence 
shows that if the user’s chrome-cast is in the device-net, they will put their 
laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the 
student's residence. They can't as easily just wait or go elsewhere in order to 
do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students. 
They haven't yet had a chance to know that they should care. Therefore, I do 
believe it is our responsibility to provide the secure option and educate our 
students on the importance of using it.

At the same time, college students are supposedly adults now, and capable of 
making their own decisions, and so I try to provide both options (we really do 
have a completely open SSID), along with some education and a nudge via SSID 
naming that the secure SSID may be "better" in some ephemeral way.






Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu



The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-10 Thread Steve Bohrer
I’m assuming “PPSK” is some sort of WPA2-Personal implementation that uses 
individual passwords per user, rather than a single PSK? I think I’ve heard of 
this from Aerohive and Ruckus; are there other vendors who have it?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

> On Sep 10, 2015, at 11:06 AM, Paul Sedy <rps...@masters.edu> wrote:
> 
> I will do the same and log a request with Cisco on PPSK type technology… I 
> would love to see a simpler solution that we could deploy as well.
>  
> Paul Sedy
> The Master’s College
> Director of IT Operations
> 21726 Placerita Canyon Rd, Santa Clarita, CA 91321
> 661.362.2340 | rps...@masters.edu
> #private
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
> Sent: Wednesday, September 09, 2015 11:47 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
> dorms- quick Survey
>  
> I’ve launched a request at Cisco to implement something like PPSK. Perhaps 
> if enough places request this from their vendors we might get something in. 
> I’ve logged a TAC case, spoken to the local Cisco team and an operations 
> manager, not sure what other paths there are.
>  
> It does seem to be something that provides a reasonable solution to fall-back 
> to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting 
> on that day when the key needs changing. Not so worried about the dorms, I 
> think we can manage that as we can contact the users very easily (though PPSK 
> would still be a better option).
>  
> But the on-campus random devices which is still only a handful could be quite 
> a pain to track them all down and there would be a good period of time with 
> certain devices not working. There’s nothing major relying on this, but it is 
> still work that will need to be done that wouldn’t have to be if they were 
> 802.1x or we had a PPSK like option.
>  
> --
> Jason Cook
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Saturday, 5 September 2015 6:35 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
> dorms- quick Survey
>  
> Is the student’s “residence” in this case any different than a VP who travels 
> and uses hotel WiFi, the hotel being their residence most of the time? Are we 
> asking the student to do something we wouldn’t require of the VP in the hotel?
>  
> This is why something like Aerohive’s PPSK (private pre-shared key) is 
> interesting to me, in that it provides something that is “good enough” 
> without all the hassles around WPA-ent. We get the user off of an open 
> network, but provide easy on-boarding for the user and their devices.
>  
> I agree that students may not know they should care, but I’m not sure it’s 
> the university’s job to educate them i.e. they are adults, and we don’t go 
> round them up to make sure they attend class. Our students only care about 
> connecting to the WiFi, and even if we try to explain why it’s better, there 
> is only a small percentage that care… the same can be said for staff/faculty.
>  
> I also shy away from saying, “…provide the secure option.” since it implies 
> everything they do is now secure, which it is not.
>  
> I do agree that providing both options is a good idea, but my own evidence 
> shows that if the user’s chrome-cast is in the device-net, they will put 
> their laptop there too so that they have access to it.
>  
> Jeff
>  
> From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
> Reply-To: "wireless-lan@listserv.educause.edu"
> Date: Friday, September 4, 2015 at 1:31 PM
> To: "wireless-lan@listserv.educause.edu"
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
> dorms- quick Survey
>  
> The difference between us and a McDonalds or Starbucks is that we are the 
> student's residence. They can't as easily just wait or go elsewhere in order 
> to do things that really should not be done on an open wifi connection. 
>  
> Additionally, this is the first encoun

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-08 Thread Jeffrey D. Sessler
 as a legal or IT matter, so as to seize upon a 
>> “teachable moment” for students. 
>> 
>> If you’re interested, here is the link:
>> http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/intellectual-property/dmca-faq
>> 
>> 
>> Jeff
>> 
>> 
>> 
>> On 9/4/15, 1:58 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> on behalf of Williams, Matthew" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
>> behalf of mwill...@kent.edu> wrote:
>> 
>>> Jeff, 
>>> 
>>> Without knowing who is behind the device, how do you handle copyright 
>>> issues?  
>>> 
>>> Respectfully, 
>>> 
>>> Matthew Williams
>>> Manager, Network and Telecommunications Services
>>> Kent State University
>>> Office: (330) 672-7246
>>> Mobile: (330) 469-0445 
>>> 
>>> -Original Message-
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
>>> Sent: Friday, September 4, 2015 4:24 PM
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>>> dorms- quick Survey
>>> 
>>> Frans,
>>> 
>>> Why do you care who’s behind the device? If you were to treat student 
>>> wireless in the same regard as Starbucks treats a device connecting to 
>>> theirs, what possible policies would you be concerned with? If you could 
>>> block the device and be done with it, what else do you want to do?
>>> 
>>> Liability - Risk management is a decision that is higher up the chain, and 
>>> if users are satisfied with the risk while at a Starbucks, why would their 
>>> expectation be different when consuming free WiFi at their college? Would 
>>> the college actually be at greater risk if, for example, they promote 
>>> WPA/802.1x enabled SSIDs as “Secure” when it’s adding only one layer?
>>> 
>>> Open Network - I’m not suggesting this, I’m saying, what’s the middle 
>>> ground? Is a modified WPA-PSK system better, where the on boarding is using 
>>> the student’s ID as the WPA-PSK password? Is that “Good Enough” to 
>>> eliminate the hassles of WPA-Ent?
>>> 
>>> So again, I think it’s worth having the conversation. If the process is 
>>> overly complicated or restrictive e.g. My chrome cast is on the device-lan, 
>>> but my laptop isn’t allowed cause it does 802.1x, then what have we solved?
>>> 
>>> Jeff
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group 
>>> Listserv on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
>>> behalf of frans.pan...@surfnet.nl> wrote:
>>> 
>>>> Jeff,
>>>> 
>>>> Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
>>>>> Just to turn this on its ear a bit...
>>>>> 
>>>>> Why not go back to an open network for student devices, with the same 
>>>>> EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention 
>>>>> center? Why are we (myself included) so hell bent on student devices 
>>>>> connecting via WPA-Ent and all the challenges associated with 
>>>>> accommodating devices that can’t?
>>>> Basically, because you do not know who is behind the device if this 
>>>> user does something that conflicts with any of the policies (e.g., 
>>>> security to name one).
>>>>> 
>>>>> 
>>>>> Does data exist that shows all of this overhead we’ve created has had any 
>>>>> measurable benefit (for the cost), especially when the same users aren’t 
>>>>> concerned about over-the-air security when at the above mentioned places?
>>>> Regardless of the numbers, I will tell you it was worth it.
>>>> 
>>>> Imagine the blame your institute copes with if someone decides to 
>>>> put a rogue access point in between that catches all kinds of privacy data?
>>>> The end-user will blame the institute because it happened there!
>>>> 
>>>> Note that there are easy out-of-the-box tools that are dedicated for 
>>>> these kind of attacks and easy to set-up, even for a 12 year old. For 
>>>> example, have a look at pineapple: https://www

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-08 Thread Adam T Ferrero

  A mix of a few recent topics I wanted to comment on (HEOA tracking and Device 
nets).

  Our lawyers and CISO have reviewed HEOA.  We say that we are required to 
block illegal peer to peer and know who is using each IP address.  We block all 
peer to peer with Procera appliances currently.  With ~40,000 wireless clients 
on RFC1918 private IPs and 2 – 3 Gbps of NAT-ed traffic flows tracking to the 
individual user was no trivial task.

  I wasn’t comfortable logging that volume of traffic flow on our Check Point 
firewalls (though they might handle it).  Instead we leveraged netflow on 
multiple boxes to provide the answers.  We’ve also been working with CERT more 
recently to improve our hit rate on identifying the user (we were missing some).

 Our only open wireless is for onboarding (to SMS text message credentials to 
cell phone number we could potentially subpoena for records).  We do this with 
Packet Fence today and Aruba Clearpass tomorrow (though Packet Fence worked 
tremendously for us).  Both have a click here to provision yourself for our 
WPA2 enterprise SSID with proper certificate validations.  The complaints are 
that it takes too long (3 – 5 minutes is average to figure it out), that you 
have to select your cell carrier and some are missing (which we are eliminating 
with an SMS gateway service), or that folks don’t have SMS text capable cell 
phones (but they want their iPad connected).

  In our residence halls we leverage Aruba Clearpass.  There are two SSIDs (one 
WPA2 enterprise and one WPA2 PSK w/ mac authentication requirements).  Students 
can workflow themselves through the process.  We steer them to the WPA2 
enterprise SSID and they just need to have their enterprise ldap credentials.  
If they have a computer (Windows or Mac currently), they are steered to a 
captive portal page serving them the Aruba Onguard agent.  Once they have that 
it steers them to install our managed Symantec Endpoint Protection.  After that 
they are connected (unless either of those requirements stops running).  Smart 
devices like phones and tablets just need to authenticate and they are good.  
They have to hit a Clearpass page to add the mac address of their gaming 
systems before they work on the WPA2 PSK SSID.  We have profiling of devices so 
we don’t allow the computers and smart devices to connect to the PSK network.  
95% of devices are wireless, but we did enable 802.1x for all wired ports.  It 
was a tremendous effort for us, but has been running terribly well with just 
about 1 access point per suite.

  Reach out if you care for more details.

  Adam

[Adam T  Ferrero]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel
Sent: Tuesday, September 08, 2015 9:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

HEOA just requires that we provide an individual notice to students once per 
year that includes an explanation of copyright and our enforcement policies. 
Said policies must include technical measures to limit copyright infringement 
and a policy to promote legal alternatives, but I didn't see anything in there 
about data retention requiring us to keep logs relating IPs/MACs to users.





Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu



The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Mon, Sep 7, 2015 at 5:38 PM, Steve Bohrer 
<skboh...@simons-rock.edu> wrote:
Hi Jeff,

Can you comment on how the Higher Education Opportunity Act (HEOA) fits into 
this? Our understanding is that HEOA, in addition to the opportunity of Pell 
grants, now also gives us the opportunity to provide specific annual user 
education about copyright, and to get involved with copyright enforcement. IANAL 
enough to discuss whether HEOA compliance requires more or less user identity 
info than DMCA compliance, but HEOA was historically one of the reasons we've 
tried to know who owns the devices on our wired and wireless networks. Are 
there Educause or other resources about HEOA similar to the one you cite for 
DMCA?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

> On Sep 4, 2015, at 5:28 PM, Jeffrey D. Sessler 
> <j...@scrippscollege.edu> wrote:
>
> Matthew,
>
> Under the DMCA, the ISP only has to, upon learning of the infringing 
> transmission, act quickly to remove or disable access to the infringing 
> transmission. We can carry that out with no knowledge of who’s behind the 
> device. That said, it only applies to resources owned by t
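
Added example (not from any poster in this thread): the NAT-to-user attribution Adam Ferrero describes earlier in this message, written as a two-step join of post-NAT flow records against authentication sessions. The record layouts, field names, addresses, MACs and usernames are constructed assumptions, not the schema of any product named here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def ts(text: str) -> datetime:
    """Parse the timestamp format used by the constructed records below."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


@dataclass(frozen=True)
class NatFlow:
    """One exported flow after translation (hypothetical layout)."""
    start: datetime
    end: datetime
    private_ip: str
    public_ip: str
    public_port: int


@dataclass(frozen=True)
class AuthSession:
    """One 802.1X or MAC-auth session and the address it held (hypothetical layout)."""
    start: datetime
    end: Optional[datetime]  # None means the client is still connected
    private_ip: str
    mac: str
    username: str


@dataclass(frozen=True)
class Attribution:
    status: str  # match | no-flow | ambiguous-flow | no-session | ambiguous-session
    private_ip: Optional[str] = None
    username: Optional[str] = None
    mac: Optional[str] = None


def attribute(public_ip, public_port, when, flows, sessions,
              skew=timedelta(seconds=30)):
    """Map (public ip, public port, time) from a notice to one user, or say why not."""
    # Step 1: which inside address held this public ip:port at that moment?
    # The skew absorbs clock drift between the reporter and the flow exporter.
    inside = {f.private_ip for f in flows
              if f.public_ip == public_ip and f.public_port == public_port
              and f.start - skew <= when <= f.end + skew}
    if not inside:
        return Attribution("no-flow")
    if len(inside) > 1:
        # NAT ports are reused quickly; refuse to guess between two clients.
        return Attribution("ambiguous-flow")
    private_ip = next(iter(inside))

    # Step 2: who was authenticated on that inside address at that time?
    # Private addresses are reassigned, so the session must cover the timestamp.
    owners = {(s.username, s.mac) for s in sessions
              if s.private_ip == private_ip and s.start <= when
              and (s.end is None or when <= s.end)}
    if not owners:
        return Attribution("no-session", private_ip)
    if len(owners) > 1:
        return Attribution("ambiguous-session", private_ip)
    username, mac = next(iter(owners))
    return Attribution("match", private_ip, username, mac)


# Constructed sample records (documentation address ranges, invented users).
PUBLIC = "203.0.113.10"
FLOWS = [
    NatFlow(ts("2015-09-08 10:00:00"), ts("2015-09-08 10:05:00"), "10.20.30.40", PUBLIC, 40001),
    NatFlow(ts("2015-09-08 10:05:20"), ts("2015-09-08 10:09:00"), "10.20.31.7", PUBLIC, 40001),
    NatFlow(ts("2015-09-08 10:00:00"), ts("2015-09-08 10:02:00"), "10.20.32.9", PUBLIC, 40002),
    NatFlow(ts("2015-09-08 10:50:00"), ts("2015-09-08 10:52:00"), "10.20.30.40", PUBLIC, 40003),
]
SESSIONS = [
    AuthSession(ts("2015-09-08 09:00:00"), ts("2015-09-08 10:30:00"),
                "10.20.30.40", "00:11:22:aa:bb:01", "student1"),
    AuthSession(ts("2015-09-08 09:30:00"), None,
                "10.20.31.7", "00:11:22:aa:bb:02", "student2"),
    AuthSession(ts("2015-09-08 10:45:00"), None,
                "10.20.30.40", "00:11:22:aa:bb:03", "student3"),
]

if __name__ == "__main__":
    for port, when in [(40001, "2015-09-08 10:03:00"), (40001, "2015-09-08 10:05:10"),
                       (40002, "2015-09-08 10:01:00"), (40003, "2015-09-08 10:51:00")]:
        print(port, when, attribute(PUBLIC, port, ts(when), FLOWS, SESSIONS))
```

A `no-session` or `ambiguous-flow` result points at a gap in one log source rather than at a user, so it is worth counting those outcomes separately from clean matches.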

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-08 Thread Brian Helman
As I said to a NAC vendor several years ago .. if we could get students to 
adhere to an acceptable use policy, I wouldn't need a NAC, would I?   

As much as I dislike the hoops I have to jump through for 1x and NAC, it serves 
a purpose and protects us against a good deal of activity.  Over the years, 
I've had students running businesses out of their dorm rooms, infecting the 
network with any number of viruses (if you're lucky), DOS attacks (if you're 
not so lucky) and providing free wifi to their neighbors.  Maybe if the resnet is 
completely separate from the rest of the network, I'd be fine with it.  But 
what about when they are in a classroom?  Do you really want to deal with two 
different "experiences"?  If nothing else, I'd rather vet out the problems in 
the res halls so I have fewer issues in the classrooms.

-Brian


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, September 04, 2015 4:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Good questions, and many of us are contemplating the same questions and issues.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu SYRACUSE 
UNIVERSITY syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Friday, September 04, 2015 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as 
they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
are we (myself included) so hell bent on student devices connecting via 
WPA-Ent and all the challenges associated with accommodating devices that can’t?

Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice 
Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, 
with a pop-up welcome page to accept our use policy).  We are not necessarily 
hell-bent on getting a PSK/MAC authenticated network built, but our students 
are.  They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, 
etc. on the wireless network just like they would at home, their apartment, 
etc.  Obviously, they wouldn't do that at Starbucks, a hotel, or the like.  
They live on campus, so it's their home.  

Does data exist that shows all of this overhead we’ve created has had any 
measurable benefit (for the cost), especially when the same users aren’t 
concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but 
provides almost the same experience as at home?

Would our efforts be better spent implementing other beneficial technologies 
such as location-aware WiFi, where after the student connects all their AppleTV, 
TimeMachine, and Chromecast devices, the network is smart enough to provide 
them visibility of only those devices when in/near the same location e.g. 
Location-aware bonjour?



Jeff


On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
lhbad...@syr.edu> wrote:

>Where it gets interesting- broadcast and single class C required. But- this is 
>a great summary of requirements. 
>
>Lee Badman | Network Architect
>Information Technology Services
>206 Machinery Hall
>120 Smith Drive
>Syracuse, New York 13244
>t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>SYRACUSE UNIVERSITY
>syr.edu
>
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil 
>M
>Sent: Friday, September 04, 2015 10:46 AM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in 
>the dorms- quick Survey
>
>Here is my first pass at requirements:
>
>1. The service must prevent or discourage devices that ARE capable of 
>using 802.1x authentication from using the service.
>
>2. The service should provide some sort of traceability of devices back to 
>their owners.
>
>3. The service must provide some method to deny access to an individual 
>device.
>
>4. The service must be easy enough to use that the average student can 
>connect a device to the network in 10-15 minutes without requiring a

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-08 Thread Coehoorn, Joel
s Services
> >> Kent State University
> >> Office: (330) 672-7246
> >> Mobile: (330) 469-0445
> >>
> >> -Original Message-
> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> >> Sent: Friday, September 4, 2015 4:24 PM
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in
> the dorms- quick Survey
> >>
> >> Frans,
> >>
> >> Why do you care who’s behind the device? If you were to treat student
> wireless in the same regard as Starbucks treats a device connecting to
> theirs, what possible policies would you be concerned with? If you could
> block the device and be done with it, what else do you want to do?
> >>
> >> Liability - Risk management is a decision that is higher up the chain,
> and if users are satisfied with the risk while at a Starbucks, why would
> their expectation be different when consuming free WiFi at their college?
> Would the college actually be at greater risk if, for example, they promote
> WPA/802.1x enabled SSIDs as “Secure” when it’s adding only one layer?
> >>
> >> Open Network - I’m not suggesting this, I’m saying, what’s the middle
> ground? Is a modified WPA-PSK system better, where the on boarding is using
> the student’s ID as the WPA-PSK password? Is that “Good Enough” to
> eliminate the hassles of WPA-Ent?
> >>
> >> So again, I think it’s worth having the conversation. If the process is
> overly complicated or restrictive e.g. My chrome cast is on the device-lan,
> but my laptop isn’t allowed cause it does 802.1x, then what have we solved?
> >>
> >> Jeff
> >>
> >>
> >>
> >>
> >>
> >> On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> on behalf of frans.pan...@surfnet.nl> wrote:
> >>
> >>> Jeff,
> >>>
> >>> Jeffrey D. Sessler schreef op 04/09/15 om 20:55:
> >>>> Just to turn this on its ear a bit...
> >>>>
> >>>> Why not go back to an open network for student devices, with the same
> EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention
> center? Why are we (myself included) so hell bent on student devices
> connecting via WPA-Ent and all the challenges associated with accommodating
> devices that can’t?
> >>> Basically, because you do not know who is behind the device if this
> >>> user does something that conflicts with any of the policies (e.g.,
> >>> security to name one).
> >>>>
> >>>>
> >>>> Does data exist that shows all of this overhead we’ve created has had
> any measurable benefit (for the cost), especially when the same users
> aren’t concerned about over-the-air security when at the above mentioned
> places?
> >>> Regardless of the numbers, I will tell you it was worth it.
> >>>
> >>> Imagine the blame your institute copes with if someone decides to
> >>> put a rogue access point in between that catches all kinds of privacy
> data?
> >>> The end-user will blame the institute because it happened there!
> >>>
> >>> Note that there are easy out-of-the-box tools that are dedicated for
> >>> these kind of attacks and easy to set-up, even for a 12 year old. For
> >>> example, have a look at pineapple: https://www.wifipineapple.com/
> (very
> >>> useful to play with!)
> >>>
> >>> Or Nethunter, that uses Linux Kali and is installed on a simple phone
> >>> or tablet (http://www.nethunter.com/).
> >>>
> >>>>
> >>>> Why do we care so much? Is there some middle-ground that is “good
> enough” but provides almost the same experience as at home?
> >>> Seriously, you have an open network at home?? You login with your bank?
> >>> Ever hear of SSL strip (if not, I recommend to Google it and watch that
> >>> little slot in your browser continuously)
> >>>
> >>>>
> >>>> Would our efforts be better spent implementing other beneficial
> technologies such as location-aware WiFi, where after the student connects all
> their AppleTV, TimeMachine, and Chromecast devices, the network is smart
> enough to provide them visibility of only those devices when in/near the
> same location e.g. Location-aware bonjour?
>

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-07 Thread Steve Bohrer
Hi Jeff,

Can you comment on how the Higher Education Opportunity Act (HEOA) fits into 
this? Our understanding is that HEOA, in addition to the opportunity of Pell 
grants, now also gives us the opportunity to provide specific annual user 
education about copyright, and to get involved with copyright enforcement. IANAL 
enough to discuss whether HEOA compliance requires more or less user identity 
info than DMCA compliance, but HEOA was historically one of the reasons we've 
tried to know who owns the devices on our wired and wireless networks. Are 
there Educause or other resources about HEOA similar to the one you cite for 
DMCA?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

> On Sep 4, 2015, at 5:28 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> Matthew,
> 
> Under the DMCA, the ISP only has to, upon learning of the infringing 
> transmission, act quickly to remove or disable access to the infringing 
> transmission. We can carry that out with no knowledge of who’s behind the 
> device. That said, it only applies to resources owned by the institution. 
> 
> Here is some key info in case you’re interested. Some of it is sourced from 
> an EDUCAUSE FAQ for DMCA designated agents in higher-ed.
> 
> If your institution, after taking reasonable efforts to investigate and match 
> a user to the IP address designated in the DMCA notice, cannot, for technical 
> or other legitimate reasons, match a user to this IP address, the DMCA does 
> not specifically require any other action.
> 
> The DMCA does not include a records retention requirement for logs. So, if 
> your record retention for radius, dhcp, etc. is only 7 days, and a DMCA 
> notice arrives for something that occurred 14 days ago, then you are under no 
> obligation to do more. 
> 
> Resources owned by an institution—such as faculty, staff, or computer lab 
> computers—fall under 17 U.S.C. Section 512(c). This section provides a safe 
> harbor for an ISP so that it is not liable for monetary damages for 
> infringing materials on its servers provided it does not have “actual 
> knowledge” of the infringing material, does not receive a direct financial 
> benefit from the infringement, and, when notified, responds “expeditiously” 
> to remove the infringing material or disable access to such material.
> 
> Most student and guest activity on university networks occurs through 
> personally owned equipment and thus falls under 17 U.S.C. Section 512(a). 
> This section provides immunity to the ISP for information that simply 
> transits the ISP’s networks, with no direction, input, or interference from 
> the ISP itself, and is not stored anywhere on the ISP’s network. Notably, no 
> additional proactive steps are required for an ISP to avail itself of this 
> immunity. However, for a variety of reasons, some institutions have made a 
> policy decision to treat these notices as if they fall under Section 512(c), 
> terminating users from the network unless and until the infringing content is 
> removed. Often such activity is handled through a student affairs process, 
> rather than as a legal or IT matter, so as to seize upon a “teachable moment” 
> for students. 
> 
> If you’re interested, here is the link:
> http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/intellectual-property/dmca-faq
> 
> 
> Jeff
> 
> 
> 
> On 9/4/15, 1:58 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Williams, Matthew" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf 
> of mwill...@kent.edu> wrote:
> 
>> Jeff, 
>> 
>> Without knowing who is behind the device, how do you handle copyright 
>> issues?  
>> 
>> Respectfully, 
>> 
>> Matthew Williams
>> Manager, Network and Telecommunications Services
>> Kent State University
>> Office: (330) 672-7246
>> Mobile: (330) 469-0445 
>> 
>> -Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
>> Sent: Friday, September 4, 2015 4:24 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>> 
>> Frans,
>> 
>> Why do you care who’s behind the device? If you were to treat student 
>> wireless in the same regard as Starbucks treats a device connecting to 
>> theirs, what possible policies would you be concerned with? If you could 
>> block the device and be done with it, what else do you want to do?
>> 
>> Liability - Risk managemen

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Johnson, Neil M
Here is my first pass at requirements:

1. The service must prevent or discourage devices that ARE capable of using 
802.1x authentication from using the service.

2. The service should provide some sort of traceability of devices back to 
their owners.

3. The service must provide some method to deny access to an individual 
device.

4. The service must be easy enough to use that the average student can 
connect a device to the network in 10-15 minutes without requiring assistance 
from ITS.

5. The service must restrict access to only authorized University customers.

6. In the residence Halls, the service must support most the most common 
consumer devices that students might bring to campus


We are also looking at a “Device Net” for campus for other devices that may not 
do 802.1X (freezer monitors, digital signage, instrumentation, etc.).

For the residence hall device net we are thinking about blocking all access to 
campus resources and just allowing internet access.

For the campus device net we are thinking about RFC 1918 space restricting the 
devices to on campus resources only.

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
> <bosbo...@liberty.edu> wrote:
> 
> What are you calling a Device Net?
> 
> We have an open SSID with a custom captive portal using the ClearPass eTIPS 
> API. 
> 
> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect 
> Wizard, registering a non-802.1X device Endpoint in ClearPass (with AirGroup 
> device registration for Apple-TV) and for permitting non-802.1X network 
> access, blocking out internal web server & blackboard servers. If devices try 
> to go to these sites, they are redirected to Cloudpath XpressConnect Wizard.
>  
> I am leaving on vacation for a week, so it may take me a while to respond 
> further
> 
> Bruce Osborne
> Wireless Engineer
> IT Infrastructure & Media Solutions
>  
> (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
> 
> -Original Message-
> From: Johnson, Neil M [mailto:neil-john...@uiowa.edu] 
> Sent: Thursday, September 3, 2015 12:08 PM
> Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey
> 
> We are investigating a device net at UofI so,
> 
> I would be interested in hearing from anyone who has implemented a Device Net 
> with Clearpass.
> 
> Thanks.
> -Neil
> 
> -- 
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> E-Mail: neil-john...@uiowa.edu
> 
> 
> 
>> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>> 
>> There is an elegance in your wisdom, Chuck.
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
>> Sent: Wednesday, September 02, 2015 5:54 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>> 
>> Don’t tell me.  Ignorance is bliss.  Man, am I happy!
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
>> Sent: Wednesday, September 02, 2015 5:41 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>> 
>> Lee, 
>> 
>> Are you going to share the results of this survey as well?
>> 
>> David
>> 
>> 
>> David Morton
>> 
>> Director, Mobile Communications
>> Service Owner: Wi-Fi, Mobile & HuskyTV
>> University of Washington
>> dmor...@u.washington.edu
>> tel 206.221.7814
>> 
>> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>> 
>> As we look forward in how we service our residential spaces for Wi-Fi, I’ve 
>> put together a quick survey  on if/what other schools are doing (and not 
>> doing) for supporting the perplexing gadgets (TVs, games, entertainment 
>> dongles, etc) over Wi-Fi. Please consider contributing at
>> 
>> https://www.quicksurveys.com/s/Wc92H
>> 
>> I’ll run this for two weeks, will post just a couple more invites on each 
>> list in that period (so you know to expect a couple more… kind of advance 
>> spam warning) and will open the results page up for both lists at the end. I 
&g
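
Added example (not from any poster in this thread): Neil Johnson's requirements 1, 2, 3 and 5 and his two device-net reachability rules from the message above, written as an admission check. The device categories, registry layout, MAC values, usernames and campus prefixes are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: categories a device profiler might report for 802.1X-capable clients.
DOT1X_CAPABLE = {"computer", "smartphone", "tablet"}

# Assumption: what counts as "campus resources" (one RFC 1918 block plus a
# documentation prefix standing in for the campus public range).
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Registration:
    owner: str          # requirement 2: every device traces back to a person
    owner_active: bool  # requirement 5: only authorized university customers


def normalize_mac(raw: str) -> str:
    """Accept AA-BB-.., aa:bb:.., aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def admit(raw_mac, profile, registry, blocked):
    """Return (allowed, owner-or-reason) for a device asking to join the device net."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return (False, "malformed-mac")
    if mac in blocked:                      # requirement 3: deny one device
        return (False, "blocked")
    reg = registry.get(mac)
    if reg is None:                         # requirement 2: must be registered
        return (False, "unregistered")
    if not reg.owner_active:                # requirement 5
        return (False, "owner-not-authorized")
    if profile in DOT1X_CAPABLE:            # requirement 1: steer to 802.1X
        return (False, "use-802.1x-ssid")
    return (True, reg.owner)


def egress_allowed(device_net: str, dst: str) -> bool:
    """Residence-hall device net: internet only. Campus device net: campus only."""
    ip = ipaddress.ip_address(dst)
    on_campus = any(ip in net for net in CAMPUS_NETS)
    if device_net == "reshall":
        return not on_campus
    if device_net == "campus":
        return on_campus
    raise ValueError(f"unknown device net: {device_net!r}")


# Constructed registry and block list.
REGISTRY = {
    "00:11:22:aa:bb:cc": Registration("student1", True),
    "00:11:22:aa:bb:dd": Registration("student2", False),
    "00:11:22:aa:bb:ee": Registration("student3", True),
}
BLOCKED = {"00:11:22:aa:bb:ee"}

if __name__ == "__main__":
    print(admit("00-11-22-AA-BB-CC", "game-console", REGISTRY, BLOCKED))
    print(admit("0011.22aa.bbcc", "computer", REGISTRY, BLOCKED))
    print(egress_allowed("reshall", "10.1.2.3"), egress_allowed("campus", "10.1.2.3"))
```

MAC addresses are asserted by the client, so the registry gives traceability for devices that present their real address; it is not authentication.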

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Lee H Badman
Where it gets interesting- broadcast and single class C required. But- this is 
a great summary of requirements. 

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Friday, September 04, 2015 10:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Here is my first pass at requirements:

1. The service must prevent or discourage devices that ARE capable of using 
802.1x authentication from using the service.

2. The service should provide some sort of traceability of devices back to 
their owners.

3. The service must provide some method to deny access to an individual 
device.

4. The service must be easy enough to use that the average student can 
connect a device to the network in 10-15 minutes without requiring assistance 
from ITS.

5. The service must restrict access to only authorized University customers.

6. In the residence Halls, the service must support most the most common 
consumer devices that students might bring to campus


We are also looking at a “Device Net” for campus for other devices that may not 
do 802.1X (freezer monitors, digital signage, instrumentation, etc.).

For the residence hall device net we are thinking about blocking all access to 
campus resources and just allowing internet access.

For the campus device net we are thinking about RFC 1918 space restricting the 
devices to on campus resources only.

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
> <bosbo...@liberty.edu> wrote:
> 
> What are you calling a Device Net?
> 
> We have an open SSID with a custom captive portal using the ClearPass eTIPS 
> API. 
> 
> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect 
> Wizard, registering a non-802.1X device Endpoint in ClearPass (with AirGroup 
> device registration for Apple-TV) and for permitting non-802.1X network 
> access, blocking out internal web server & blackboard servers. If devices try 
> to go to these sites, they are redirected to Cloudpath XpressConnect Wizard.
>  
> I am leaving on vacation for a week, so it may take me a while to respond 
> further
> 
> Bruce Osborne
> Wireless Engineer
> IT Infrastructure & Media Solutions
>  
> (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
> 
> -Original Message-
> From: Johnson, Neil M [mailto:neil-john...@uiowa.edu] 
> Sent: Thursday, September 3, 2015 12:08 PM
> Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey
> 
> We are investigating a device net at UofI so,
> 
> I would be interested in hearing from anyone who has implemented a Device Net 
> with Clearpass.
> 
> Thanks.
> -Neil
> 
> -- 
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> E-Mail: neil-john...@uiowa.edu
> 
> 
> 
>> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>> 
>> There is an elegance in your wisdom, Chuck.
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
>> Sent: Wednesday, September 02, 2015 5:54 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>> 
>> Don’t tell me.  Ignorance is bliss.  Man, am I happy!
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
>> Sent: Wednesday, September 02, 2015 5:41 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>> 
>> Lee, 
>> 
>> Are you going to share the results of this survey as well?
>> 
>> David
>> 
>> 
>> David Morton
>> 
>> Director, Mobile Communications
>> Service Owner: Wi-Fi, Mobile & HuskyTV
>> University of Washington
>> dmor...@u.washington.edu
>> tel 206.221.7814
>> 
>> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu>

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Jeffrey D. Sessler
Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as 
they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
are we (myself included) so hell bent on student devices connecting via 
WPA-Ent and all the challenges associated with accommodating devices that can’t?


Does data exist that shows all of this overhead we’ve created has had any 
measurable benefit (for the cost), especially when the same users aren’t 
concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but 
provides almost the same experience as at home?

Would our efforts be better spent implementing other beneficial technologies 
such as location-aware WiFi, where after the student connects all their AppleTV, 
TimeMachine, and Chromecast devices, the network is smart enough to provide 
them visibility of only those devices when in/near the same location e.g. 
Location-aware bonjour?



Jeff


On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
lhbad...@syr.edu> wrote:

>Where it gets interesting- broadcast and single class C required. But- this is 
>a great summary of requirements. 
>
>Lee Badman | Network Architect
>Information Technology Services
>206 Machinery Hall
>120 Smith Drive
>Syracuse, New York 13244
>t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>SYRACUSE UNIVERSITY
>syr.edu
>
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
>Sent: Friday, September 04, 2015 10:46 AM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>dorms- quick Survey
>
>Here is my first pass at requirements:
>
>1. The service must prevent or discourage devices that ARE capable of 
>using 802.1x authentication from using the service.
>
>2. The service should provide some sort of traceability of devices back to 
>their owners.
>
>3. The service must provide some method to deny access to an individual 
>device.
>
>4. The service must be easy enough to use that the average student can 
>connect a device to the network in 10-15 minutes without requiring assistance 
>from ITS.
>
>5. The service must restrict access to only authorized University 
>customers.
>
>6. In the residence Halls, the service must support most the most common 
>consumer devices that students might bring to campus
>
>
>We are also looking at a “Device Net” for campus for other devices that may 
>not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).
>
>For the residence hall device net we are thinking about blocking all access to 
>campus resources and just allowing internet access.
>
>For the campus device net we are thinking about RFC 1918 space restricting the 
>devices to on campus resources only.
>
>-- 
>Neil Johnson
>Network Engineer
>The University of Iowa
>Phone: 319 384-0938
>Fax: 319 335-2951
>E-Mail: neil-john...@uiowa.edu
>
>
>
>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
>> <bosbo...@liberty.edu> wrote:
>> 
>> What are you calling a Device Net?
>> 
>> We have an open SSID with a custom captive portal using the ClearPass eTIPS 
>> API. 
>> 
>> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect 
>> Wizard, registering a non-802.1X device Endpoint in ClearPass (with 
>> AirGroup device registration for Apple-TV) and for permitting non-802.1X 
>> network access, blocking out internal web server & blackboard servers. If 
>> devices try to go to these sites, they are redirected to Cloudpath 
>> XpressConnect Wizard.
>>  
>> I am leaving on vacation for a week, so it may take me a while to respond 
>> further
>> 
>> Bruce Osborne
>> Wireless Engineer
>> IT Infrastructure & Media Solutions
>>  
>> (434) 592-4229
>>  
>> LIBERTY UNIVERSITY
>> Training Champions for Christ since 1971
>> 
>> -Original Message-
>> From: Johnson, Neil M [mailto:neil-john...@uiowa.edu] 
>> Sent: Thursday, September 3, 2015 12:08 PM
>> Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick 
>> Survey
>> 
>> We are investigating a device net at UofI so,
>> 
>> I would be interested in hearing from anyone who has implemented a Device 
>> Net with Clearpass.
>> 
>> Thanks.

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Danny Eaton
Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as 
they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
are we (myself included) so hell bent on student devices connecting via 
WPA-Ent and all the challenges associated with accommodating devices that can’t?

Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice 
Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, 
with a pop-up welcome page to accept our use policy).  We are not necessarily 
hell-bent on getting a PSK/MAC authenticated network built, but our students 
are.  They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, 
etc. on the wireless network just like they would at home, their apartment, 
etc.  Obviously, they wouldn't do that at Starbucks, a hotel, or the like.  
They live on campus, so it's their home.  

Does data exist that shows all of this overhead we’ve created has had any 
measurable benefit (for the cost), especially when the same users aren’t 
concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but 
provides almost the same experience as at home?

Would our efforts be better spent implementing other beneficial technologies 
such as location-aware WiFi, where after the student connects all their AppleTV, 
TimeMachine, and Chromecast devices, the network is smart enough to provide 
them visibility of only those devices when in/near the same location e.g. 
Location-aware bonjour?



Jeff


On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
lhbad...@syr.edu> wrote:

>Where it gets interesting- broadcast and single class C required. But- this is 
>a great summary of requirements. 
>
>Lee Badman | Network Architect
>Information Technology Services
>206 Machinery Hall
>120 Smith Drive
>Syracuse, New York 13244
>t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>SYRACUSE UNIVERSITY
>syr.edu
>
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil 
>M
>Sent: Friday, September 04, 2015 10:46 AM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in 
>the dorms- quick Survey
>
>Here is my first pass at requirements:
>
>1. The service must prevent or discourage devices that ARE capable of 
>using 802.1x authentication from using the service.
>
>2. The service should provide some sort of traceability of devices back to 
>their owners.
>
>3. The service must provide some method to deny access to an individual 
>device.
>
>4. The service must be easy enough to use that the average student can 
>connect a device to the network in 10-15 minutes without requiring assistance 
>from ITS.
>
>5. The service must restrict access to only authorized University 
>customers.
>
>6. In the residence Halls, the service must support most of the most common 
>consumer devices that students might bring to campus
>
>
>We are also looking at a “Device Net” for campus for other devices that may 
>not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).
>
>For the residence hall device net we are thinking about blocking all access to 
>campus resources and just allowing internet access.
>
>For the campus device net we are thinking about RFC 1918 space restricting the 
>devices to on campus resources only.
>
>--
>Neil Johnson
>Network Engineer
>The University of Iowa
>Phone: 319 384-0938
>Fax: 319 335-2951
>E-Mail: neil-john...@uiowa.edu
>
>
>
>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
>> <bosbo...@liberty.edu> wrote:
>> 
>> What are you calling a Device Net?
>> 
>> We have an open SSID with a custom captive portal using the ClearPass eTIPS 
>> API. 
>> 
>> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect 
>> Wizard, registering a non-802.1X device Endpoint in ClearPass (with 
>> AirGroup device registration for Apple-TV) and for permitting non-802.1X 
>> network access, blocking out internal web server & blackboard servers. If 
>> devices try to go to these sites, they are redirected to Cloudpath 
>> XpressConnect Wizard.
>>  
>> I am leaving on vacation for a week, so it may take me a while to 
>> respond further
>> 
>> Bruce Osborne
>> Wireless Engineer
>> IT Infrastructure & Media Solutions
>>  

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Frans Panken
Jeff,

Jeffrey D. Sessler schreef op 04/09/15 om 20:55:
> Just to turn this on its ear a bit...
>
> Why not go back to an open network for student devices, with the same EULA as 
> they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
> are we (myself included) so hell bent on student devices connecting via 
> WPA-Ent and all the challenges associated with accommodating devices that 
> can’t?
Basically, because you do not know who is behind the device if this user
does something that conflicts with any of the policies (e.g., security
to name one).
>
>
> Does data exist that shows all of this overhead we’ve created has had any 
> measurable benefit (for the cost), especially when the same users aren’t 
> concerned about over-the-air security when at the above mentioned places?
Regardless of the numbers, I will tell you it was worth it.

Imagine the blame your institute copes with if someone decides to put
a rogue access point in between that catches all kinds of privacy data?
The end-user will blame the institute because it happened there!

Note that there are easy out-of-the-box tools that are dedicated for
these kinds of attacks and easy to set up, even for a 12 year old. For
example, have a look at pineapple: https://www.wifipineapple.com/
(very useful to play with!)

Or Nethunter, that uses Linux Kali and is installed on a simple phone or
tablet (http://www.nethunter.com/).

>
> Why do we care so much? Is there some middle-ground that is “good enough” but 
> provides almost the same experience as at home?
Seriously, you have an open network at home?? You login with your bank?
Ever hear of SSL strip (if not, I recommend to Google it and watch that
little slot in your browser continuously)

>
> Would our efforts be better spent implementing other beneficial technologies 
> such as location-aware WiFi, where after the student connects all their AppleTV, 
> TimeMachine, and Chromecast devices, the network is smart enough to provide 
> them visibility of only those devices when in/near the same location e.g. 
> Location-aware bonjour?
I hope the arguments above convinced you. If not, I think I can think of
some more...

-Frans
>
>
>
> Jeff
>
>
> On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
> lhbad...@syr.edu> wrote:
>
>> Where it gets interesting- broadcast and single class C required. But- this 
>> is a great summary of requirements. 
>>
>> Lee Badman | Network Architect
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
>> Sent: Friday, September 04, 2015 10:46 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>>
>> Here is my first pass at requirements:
>>
>> 1. The service must prevent or discourage devices that ARE capable of 
>> using 802.1x authentication from using the service.
>>
>> 2. The service should provide some sort of traceability of devices back 
>> to their owners.
>>
>> 3. The service must provide some method to deny access to an individual 
>> device.
>>
>> 4. The service must be easy enough to use that the average student can 
>> connect a device to the network in 10-15 minutes without requiring 
>> assistance from ITS.
>>
>> 5. The service must restrict access to only authorized University 
>> customers.
>>
>> 6. In the residence Halls, the service must support most of the most common 
>> consumer devices that students might bring to campus
>>
>>
>> We are also looking at a “Device Net” for campus for other devices that may 
>> not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).
>>
>> For the residence hall device net we are thinking about blocking all access 
>> to campus resources and just allowing internet access.
>>
>> For the campus device net we are thinking about RFC 1918 space restricting the 
>> devices to on campus resources only.
>>
>> -- 
>> Neil Johnson
>> Network Engineer
>> The University of Iowa
>> Phone: 319 384-0938
>> Fax: 319 335-2951
>> E-Mail: neil-john...@uiowa.edu
>>
>>
>>
>>> On Sep 

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Williams, Matthew
Jeff, 

Without knowing who is behind the device, how do you handle copyright issues?  

Respectfully, 

Matthew Williams
Manager, Network and Telecommunications Services
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, September 4, 2015 4:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Frans,

Why do you care who’s behind the device? If you were to treat student wireless 
in the same regard as Starbucks treats a device connecting to theirs, what 
possible policies would you be concerned with? If you could block the device 
and be done with it, what else do you want to do?

Liability - Risk management is a decision that is higher up the chain, and if 
users are satisfied with the risk while at a Starbucks, why would their 
expectation be different when consuming free WiFi at their college? Would the 
college actually be at greater risk if, for example, they promote WPA/802.1x 
enabled SSIDs as “Secure” when it’s adding only one layer?

Open Network - I’m not suggesting this, I’m saying, what’s the middle ground? 
Is a modified WPA-PSK system better, where the on boarding is using the 
student’s ID as the WPA-PSK password? Is that “Good Enough” to eliminate the 
hassles of WPA-Ent?

So again, I think it’s worth having the conversation. If the process is overly 
complicated or restrictive e.g. My chrome cast is on the device-lan, but my 
laptop isn’t allowed cause it does 802.1x, then what have we solved?

Jeff





On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
frans.pan...@surfnet.nl> wrote:

>Jeff,
>
>Jeffrey D. Sessler schreef op 04/09/15 om 20:55:
>> Just to turn this on its ear a bit...
>>
>> Why not go back to an open network for student devices, with the same EULA 
>> as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? 
>> Why are we (myself included) so hell bent on student devices connecting via 
>> WPA-Ent and all the challenges associated with accommodating devices that 
>> can’t?
>Basically, because you do not know who is behind the device if this 
>user does something that conflicts with any of the policies (e.g., 
>security to name one).
>>
>>
>> Does data exist that shows all of this overhead we’ve created has had any 
>> measurable benefit (for the cost), especially when the same users aren’t 
>> concerned about over-the-air security when at the above mentioned places?
>Regardless of the numbers, I will tell you it was worth it.
>
>Imagine the blame your institute copes with if someone decides to 
>put a rogue access point in between that catches all kinds of privacy data?
>The end-user will blame the institute because it happened there!
>
>Note that there are easy out-of-the-box tools that are dedicated for 
>these kinds of attacks and easy to set up, even for a 12 year old. For 
>example, have a look at pineapple: https://www.wifipineapple.com/ (very 
>useful to play with!)
>
>Or Nethunter, that uses Linux Kali and is installed on a simple phone 
>or tablet (http://www.nethunter.com/).
>
>>
>> Why do we care so much? Is there some middle-ground that is “good enough” 
>> but provides almost the same experience as at home?
>Seriously, you have an open network at home?? You login with your bank?
>Ever hear of SSL strip (if not, I recommend to Google it and watch that 
>little slot in your browser continuously)
>
>>
>> Would our efforts be better spent implementing other beneficial technologies 
>> such as location-aware WiFi, where after the student connects all their 
>> AppleTV, TimeMachine, and Chromecast devices, the network is smart enough to 
>> provide them visibility of only those devices when in/near the same location 
>> e.g. Location-aware bonjour?
>I hope the arguments above convinced you. If not, I think I can think 
>of some more...
>
>-Frans
>>
>>
>>
>> Jeff
>>
>>
>> On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
>> lhbad...@syr.edu> wrote:
>>
>>> Where it gets interesting- broadcast and single class C required. But- this 
>>> is a great summary of requirements. 
>>>
>>> Lee Badman | Network Architect
>>> Information Technology Services
>>> 206 Machinery Hall
>>> 120 Sm

RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Lee H Badman
Good questions, and many of us are contemplating the same questions and issues.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Friday, September 04, 2015 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Just to turn this on its ear a bit...

Why not go back to an open network for student devices, with the same EULA as 
they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
are we (myself included) so hell bent on student devices connecting via 
WPA-Ent and all the challenges associated with accommodating devices that can’t?

Here at Rice, we have just that - 1 network (eduroam), 2 network (Rice 
Owls, 802.1X authenticated), and 3 network (Rice Visitor, open, unencrypted, 
with a pop-up welcome page to accept our use policy).  We are not necessarily 
hell-bent on getting a PSK/MAC authenticated network built, but our students 
are.  They want to put their Wii-U, Xbox, AppleTV, Roku, Google Chromecast, 
etc. on the wireless network just like they would at home, their apartment, 
etc.  Obviously, they wouldn't do that at Starbucks, a hotel, or the like.  
They live on campus, so it's their home.  

Does data exist that shows all of this overhead we’ve created has had any 
measurable benefit (for the cost), especially when the same users aren’t 
concerned about over-the-air security when at the above mentioned places?

Why do we care so much? Is there some middle-ground that is “good enough” but 
provides almost the same experience as at home?

Would our efforts be better spent implementing other beneficial technologies 
such as location-aware WiFi, where after the student connects all their AppleTV, 
TimeMachine, and Chromecast devices, the network is smart enough to provide 
them visibility of only those devices when in/near the same location e.g. 
Location-aware bonjour?



Jeff


On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
lhbad...@syr.edu> wrote:

>Where it gets interesting- broadcast and single class C required. But- this is 
>a great summary of requirements. 
>
>Lee Badman | Network Architect
>Information Technology Services
>206 Machinery Hall
>120 Smith Drive
>Syracuse, New York 13244
>t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>SYRACUSE UNIVERSITY
>syr.edu
>
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil 
>M
>Sent: Friday, September 04, 2015 10:46 AM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in 
>the dorms- quick Survey
>
>Here is my first pass at requirements:
>
>1. The service must prevent or discourage devices that ARE capable of 
>using 802.1x authentication from using the service.
>
>2. The service should provide some sort of traceability of devices back to 
>their owners.
>
>3. The service must provide some method to deny access to an individual 
>device.
>
>4. The service must be easy enough to use that the average student can 
>connect a device to the network in 10-15 minutes without requiring assistance 
>from ITS.
>
>5. The service must restrict access to only authorized University 
>customers.
>
>6. In the residence Halls, the service must support most of the most common 
>consumer devices that students might bring to campus
>
>
>We are also looking at a “Device Net” for campus for other devices that may 
>not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).
>
>For the residence hall device net we are thinking about blocking all access to 
>campus resources and just allowing internet access.
>
>For the campus device net we are thinking about RFC 1918 space restricting the 
>devices to on campus resources only.
>
>--
>Neil Johnson
>Network Engineer
>The University of Iowa
>Phone: 319 384-0938
>Fax: 319 335-2951
>E-Mail: neil-john...@uiowa.edu
>
>
>
>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
>> <bosbo...@liberty.edu> wrote:
>> 
>> What are you calling a Device Net?
>> 
>> We have an open SSID with a custom captive portal using the ClearPass eTIPS 
>> API. 
>> 
>> We use this 

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Coehoorn, Joel
The difference between us and a McDonalds or Starbucks is that we are the
student's residence. They can't as easily just wait or go elsewhere in
order to do things that really should not be done on an open wifi
connection.

Additionally, this is the first encounter with the issue for many students.
They haven't yet had a chance to know that they should care. Therefore, I
do believe it is our responsibility to provide the secure option and
educate our students on the importance of using it.

At the same time, college students are supposedly adults now, and capable
of making their own decisions, and so I try to provide both options (we
really do have a completely open SSID), along with some education and a
nudge via SSID naming that the secure SSID may be "better" in some
ephemeral way.




Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu

The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society

On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken <frans.pan...@surfnet.nl>
wrote:

> Jeff,
>
> Jeffrey D. Sessler schreef op 04/09/15 om 20:55:
> > Just to turn this on its ear a bit...
> >
> > Why not go back to an open network for student devices, with the same
> EULA as they’d get be it at a Starbucks, McDonalds, hotel, or convention
> center? Why are we (myself included) so hell bent on student devices
> connecting via WPA-Ent and all the challenges associated with accommodating
> devices that can’t?
> Basically, because you do not know who is behind the device if this user
> does something that conflicts with any of the policies (e.g., security
> to name one).
> >
> >
> > Does data exist that shows all of this overhead we’ve created has had
> any measurable benefit (for the cost), especially when the same users
> aren’t concerned about over-the-air security when at the above mentioned
> places?
> Regardless of the numbers, I will tell you it was worth it.
>
> Imagine the blame your institute copes with if someone decides to put
> a rogue access point in between that catches all kinds of privacy data?
> The end-user will blame the institute because it happened there!
>
> Note that there are easy out-of-the-box tools that are dedicated for
> these kinds of attacks and easy to set up, even for a 12 year old. For
> example, have a look at pineapple: https://www.wifipineapple.com/
> (very useful to play with!)
>
> Or Nethunter, that uses Linux Kali and is installed on a simple phone or
> tablet (http://www.nethunter.com/).
>
> >
> > Why do we care so much? Is there some middle-ground that is “good
> enough” but provides almost the same experience as at home?
> Seriously, you have an open network at home?? You login with your bank?
> Ever hear of SSL strip (if not, I recommend to Google it and watch that
> little slot in your browser continuously)
>
> >
> > Would our efforts be better spent implementing other beneficial
> technologies such as location-aware WiFi, where after the student connects all
> their AppleTV, TimeMachine, and Chromecast devices, the network is smart
> enough to provide them visibility of only those devices when in/near the
> same location e.g. Location-aware bonjour?
> I hope the arguments above convinced you. If not, I think I can think of
> some more...
>
> -Frans
> >
> >
> >
> > Jeff
> >
> >
> > On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> on behalf of lhbad...@syr.edu> wrote:
> >
> >> Where it gets interesting- broadcast and single class C required. But-
> this is a great summary of requirements.
> >>
> >> Lee Badman | Network Architect
> >> Information Technology Services
> >> 206 Machinery Hall
> >> 120 Smith Drive
> >> Syracuse, New York 13244
> >> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> >> SYRACUSE UNIVERSITY
> >> syr.edu
> >>
> >> -Original Message-
> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
> >> Sent: Friday, September 04, 2015 10:46 AM
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in
> the dorms- quick Survey
> >>
> >> Here is my first pass at requirements:
> >>
> >> 1. The service must prevent or discourage devices that ARE capable
> of using 802.1x authenticat

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Jeffrey D. Sessler
Frans,

Why do you care who’s behind the device? If you were to treat student wireless 
in the same regard as Starbucks treats a device connecting to theirs, what 
possible policies would you be concerned with? If you could block the device 
and be done with it, what else do you want to do?

Liability - Risk management is a decision that is higher up the chain, and if 
users are satisfied with the risk while at a Starbucks, why would their 
expectation be different when consuming free WiFi at their college? Would the 
college actually be at greater risk if, for example, they promote WPA/802.1x 
enabled SSIDs as “Secure” when it’s adding only one layer?

Open Network - I’m not suggesting this, I’m saying, what’s the middle ground? 
Is a modified WPA-PSK system better, where the on boarding is using the 
student’s ID as the WPA-PSK password? Is that “Good Enough” to eliminate the 
hassles of WPA-Ent?

So again, I think it’s worth having the conversation. If the process is overly 
complicated or restrictive e.g. My chrome cast is on the device-lan, but my 
laptop isn’t allowed cause it does 802.1x, then what have we solved?

Jeff





On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Frans Panken" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
frans.pan...@surfnet.nl> wrote:

>Jeff,
>
>Jeffrey D. Sessler schreef op 04/09/15 om 20:55:
>> Just to turn this on its ear a bit...
>>
>> Why not go back to an open network for student devices, with the same EULA 
>> as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? 
>> Why are we (myself included) so hell bent on student devices connecting via 
>> WPA-Ent and all the challenges associated with accommodating devices that 
>> can’t?
>Basically, because you do not know who is behind the device if this user
>does something that conflicts with any of the policies (e.g., security
>to name one).
>>
>>
>> Does data exist that shows all of this overhead we’ve created has had any 
>> measurable benefit (for the cost), especially when the same users aren’t 
>> concerned about over-the-air security when at the above mentioned places?
>Regardless of the numbers, I will tell you it was worth it.
>
>Imagine the blame your institute copes with if someone decides to put
>a rogue access point in between that catches all kinds of privacy data?
>The end-user will blame the institute because it happened there!
>
>Note that there are easy out-of-the-box tools that are dedicated for
>these kinds of attacks and easy to set up, even for a 12 year old. For
>example, have a look at pineapple: https://www.wifipineapple.com/
>(very useful to play with!)
>
>Or Nethunter, that uses Linux Kali and is installed on a simple phone or
>tablet (http://www.nethunter.com/).
>
>>
>> Why do we care so much? Is there some middle-ground that is “good enough” 
>> but provides almost the same experience as at home?
>Seriously, you have an open network at home?? You login with your bank?
>Ever hear of SSL strip (if not, I recommend to Google it and watch that
>little slot in your browser continuously)
>
>>
>> Would our efforts be better spent implementing other beneficial technologies 
>> such as location-aware WiFi, where after the student connects all their 
>> AppleTV, TimeMachine, and Chromecast devices, the network is smart enough to 
>> provide them visibility of only those devices when in/near the same location 
>> e.g. Location-aware bonjour?
>I hope the arguments above convinced you. If not, I think I can think of
>some more...
>
>-Frans
>>
>>
>>
>> Jeff
>>
>>
>> On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
>> lhbad...@syr.edu> wrote:
>>
>>> Where it gets interesting- broadcast and single class C required. But- this 
>>> is a great summary of requirements. 
>>>
>>> Lee Badman | Network Architect
>>> Information Technology Services
>>> 206 Machinery Hall
>>> 120 Smith Drive
>>> Syracuse, New York 13244
>>> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>>> SYRACUSE UNIVERSITY
>>> syr.edu
>>>
>>> -Original Message-
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
>>> Sent: Friday, September 04, 2015 10:46 AM
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Frank Sweetser
This sounds almost exactly like what we're planning on doing in a major 
wireless auth overhaul this upcoming year!  Anything you have on how your 
system works that you could share would be greatly appreciated.


thanks!

Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 09/04/2015 07:46 AM, Osborne, Bruce W (Network Services) wrote:

What are you calling a Device Net?

We have an open SSID with a custom captive portal using the ClearPass eTIPS API.

We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect Wizard, 
registering a non-802.1X device Endpoint in ClearPass (with AirGroup device 
registration for Apple-TV) and for permitting non-802.1X network access, blocking 
out internal web server & blackboard servers. If devices try to go to these 
sites, they are redirected to Cloudpath XpressConnect Wizard.

I am leaving on vacation for a week, so it may take me a while to respond further

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Johnson, Neil M [mailto:neil-john...@uiowa.edu]
Sent: Thursday, September 3, 2015 12:08 PM
Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey

We are investigating a device net at UofI so,

I would be interested in hearing from anyone who has implemented a Device Net 
with Clearpass.

Thanks.
-Neil



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Jeffrey D. Sessler
Is the student’s “residence” in this case any different than a VP who travels 
and uses hotel WiFi, the hotel being their residence most of the time? Are we 
asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is 
interesting to me, in that it provides something that is “good enough” without 
all the hassles around WPA-ent. We get the user off of an open network, but 
provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the 
university’s job to educate them i.e. they are adults, and we don’t go round 
them up to make sure they attend class. Our students only care about connecting 
to the WiFi, and even if we try to explain why it’s better, there is only a 
small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies 
everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence 
shows that if the user’s chrome-cast is in the device-net, they will put their 
laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the 
student's residence. They can't as easily just wait or go elsewhere in order to 
do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students. 
They haven't yet had a chance to know that they should care. Therefore, I do 
believe it is our responsibility to provide the secure option and educate our 
students on the importance of using it.

At the same time, college students are supposedly adults now, and capable of 
making their own decisions, and so I try to provide both options (we really do 
have a completely open SSID), along with some education and a nudge via SSID 
naming that the secure SSID may be "better" in some ephemeral way.







Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken 
<frans.pan...@surfnet.nl> wrote:
Jeff,

Jeffrey D. Sessler schreef op 04/09/15 om 20:55:
> Just to turn this on its ear a bit...
>
> Why not go back to an open network for student devices, with the same EULA as 
> they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
> are we (myself included) so hell bent on student devices connecting via 
> WPA-Ent and all the challenges associated with accommodating devices that 
> can’t?
Basically, because you do not know who is behind the device if this user
does something that conflicts with any of the policies (e.g., security
to name one).
>
>
> Does data exist that shows all of this overhead we’ve created has had any 
> measurable benefit (for the cost), especially when the same users aren’t 
> concerned about over-the-air security when at the above mentioned places?
Regardless of the numbers, I will tell you it was worth it.

Imagine the blame your institute copes with if someone decides to put
a rogue access point in between that catches all kinds of privacy data?
The end-user will blame the institute because it happened there!

Note that there are easy out-of-the-box tools that are dedicated to
these kinds of attacks and easy to set up, even for a 12 year old. For
example, have a look at pineapple: https://www.wifipineapple.com/
(very useful to play with!)

Or Nethunter, that uses Linux Kali and is installed on a simple phone or
tablet (http://www.nethunter.com/).

>
> Why do we care so much? Is there some middle-ground that is “good enough” but 
> provides almost the same experience as at home?
Seriously, you have an open network at home?? You login with your bank?
Ever hear of SSL strip (if not, I recommend to Google it and watch that
little slot in your browser continuously)

>
> Would our efforts be better spent implementing other beneficial technologies 
> such location-aware WiFi, where after the student connects all their 

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Jeffrey D. Sessler
Frans,

Starbucks and others will never implement 802.1x as long as it’s cumbersome to 
onboard a customer. I know from the management of our own WPA-Ent WiFi, 
devices today still have esoteric issues with it, and it’s only because of 
tools like XpressConnect that we get 98% of devices working on the first try. 
Starbucks is interested only in the customer having a great experience, and 
they want nothing to stand in the way of that.

There are many teachable moments for IT yet how effective have we found them to 
be? I know from experience that students/staff/faculty still fall for phishing 
attacks no matter how much education we provide, and when failing on something 
so simple as “don’t click a questionable link about upgrading your email,” I’m 
not sure to what extent users will check certificates, having an SSL 
connection, etc.

People are familiar with clicking a bunch of buttons and entering user/pass for 
a site they know nothing about. When their iOS device prompts them with the SSL 
certificate, they blindly press Install. We (technical/engineers) know better 
(mostly), but the average user only cares about getting on the internet, and 
that it’s an easy process.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Frans Panken
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 2:20 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

Instead of following Starbucks' bad example, I would rather choose for 
informing Starbucks and others to choose for 802.1x instead...
(I observe a growing popularity of using Facebook accounts to login to Wi-Fi 
facilities offered by city Wi-Fi and in malls)

We are part of the education community. I think it is our duty to educate 
students: informing them to check certificates, checking SSL, being aware of 
the dangers to connect to an open network, etc. etc. The teachers cannot teach 
this in class, if the IT department neglects these rules on the network they 
offer at the institute (regardless of that is a dorm or a classroom).
Frankly speaking, people are familiar with connecting to Wi-Fi securely. Five 
years ago this was still a hassle. Regardless of the OS, it is now a matter of 
filling in your username and password and you are connected.

-Frans


Jeffrey D. Sessler wrote on 04/09/15 at 23:05:
Is the student’s “residence” in this case any different than a VP who travels 
and uses hotel WiFi, the hotel being their residence most of the time? Are we 
asking the student to do something we wouldn’t require of the VP in the hotel?

This is why something like Aerohive’s PPSK (private pre-shared key) is 
interesting to me, in that it provides something that is “good enough” without 
all the hassles around WPA-ent. We get the user off of an open network, but 
provide easy on-boarding for the user and their devices.

I agree that students may not know they should care, but I’m not sure it’s the 
university’s job to educate them i.e. they are adults, and we don’t go round 
them up to make sure they attend class. Our students only care about connecting 
to the WiFi, and even if we try to explain why it’s better, there is only a 
small percentage that care… the same can be said for staff/faculty.

I also shy away from saying, “…provide the secure option.” since it implies 
everything they do is now secure, which it is not.

I do agree that providing both options is a good idea, but my own evidence 
shows that if the user’s chrome-cast is in the device-net, they will put their 
laptop there too so that they have access to it.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, September 4, 2015 at 1:31 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

The difference between us and a McDonalds or Starbucks is that we are the 
student's residence. They can't as easily just wait or go elsewhere in order to 
do things that really should not be done on an open wifi connection.

Additionally, this is the first encounter with the issue for many students. 
They haven't yet had a chance to know that they should care. Therefore, I do 
believe it is our responsibility to provide the secure option and educate our 
students on the importance of using it.

At the same time, college students are supposedly adults now, and capable of 
making their own decisions, and so I tr

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-03 Thread Johnson, Neil M
We are investigating a device net at UofI so,

I would be interested in hearing from anyone who has implemented a Device Net 
with Clearpass.

Thanks.
-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> There is an elegance in your wisdom, Chuck.
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
> Sent: Wednesday, September 02, 2015 5:54 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
> dorms- quick Survey
>  
> Don’t tell me.  Ignorance is bliss.  Man, am I happy!
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Wednesday, September 02, 2015 5:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
> dorms- quick Survey
>  
> Lee, 
>  
> Are you going to share the results of this survey as well?
>  
> David
>  
>  
> David Morton
>  
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
>  
> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>  
> As we look forward in how we service our residential spaces for Wi-Fi, I’ve 
> put together a quick survey  on if/what other schools are doing (and not 
> doing) for supporting the perplexing gadgets (TVs, games, entertainment 
> dongles, etc) over Wi-Fi. Please consider contributing at
>  
> https://www.quicksurveys.com/s/Wc92H
>  
> I’ll run this for two weeks, will post just a couple more invites on each 
> list in that period (so you know to expect a couple more… kind of advance 
> spam warning) and will open the results page up for both lists at the end. I 
> know I’m not the only one contemplating these questions. Should take minutes 
> to sail through, but decent participation could really help others in their 
> own thoughts about this challenging paradigm.
>  
>  
>  
> Thanks in advance!
>  
>  
>  
> Lee Badman | Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>  
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
>  





RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-02 Thread Chuck Enfield
Don’t tell me.  Ignorance is bliss.  Man, am I happy!



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
Sent: Wednesday, September 02, 2015 5:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey



Lee,

Are you going to share the results of this survey as well?

David

David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu> wrote:

As we look forward in how we service our residential spaces for Wi-Fi, I’ve 
put together a quick survey on if/what other schools are doing (and not 
doing) for supporting the perplexing gadgets (TVs, games, entertainment 
dongles, etc) over Wi-Fi. Please consider contributing at

https://www.quicksurveys.com/s/Wc92H

I’ll run this for two weeks, will post just a couple more invites on each 
list in that period (so you know to expect a couple more… kind of advance 
spam warning) and will open the results page up for both lists at the end. I 
know I’m not the only one contemplating these questions. Should take minutes 
to sail through, but decent participation could really help others in their 
own thoughts about this challenging paradigm.

Thanks in advance!

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






