Re: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks)

2016-11-02 Thread Johnson, Neil M
Chris,

Thanks for the feedback. What is your expiration time on our RADIUS Server 
certificate?

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Nov 2, 2016, at 10:53 AM, Chris Hart  wrote:
> 
> Neil - we rolled out these locks to 3 Res Halls this past summer. We have 
> them on the eduroam SSID connecting via PEAP/MSCHAPv2 with a local account 
> on our ClearPass server. We have an enforcement policy that assigns this 
> user account a VLAN ID that is private IP space that is restricted to only be 
> able to communicate with the Lock system database server. We only had 1 
> complaint that we had to troubleshoot, but it was found that a bunch of the 
> locks were not configured to do their nightly check-in for updates. The locks 
> can also be set to check for an update upon a failure of a proximity card. So 
> if a student is issued a new card and tries to enter their room, it will fail, 
> the lock will check for an update, and then on the next attempt the student 
> should have access. We used Assa Abloy as our vendor.
> 
> Chris
> 
> Chris Hart
> Senior Network Engineer
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
> Sent: Wednesday, November 2, 2016 10:18 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks)
>  
>  
> Our housing department is pushing pretty hard to replace keyed locks on dorm 
> room doors with Wi-Fi connected proximity card locks (a pilot this summer and 
> then eventually rolling out to ~3,000 rooms).
>  
> The locks would be “offline” locks that cache valid cards locally and only 
> connect to the Wi-Fi network periodically for updates and when presented with 
> a non-cached card.
>  
> While the locks support multiple methods for authenticating to the wireless 
> network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS 
> is probably the most secure method for these devices.
>  
> My thinking is to set up a private PKI and generate a client cert for every 
> lock. However, I have two issues concerning EAP-TLS.
>  
> 1. What should I use for a client certificate expiration date?
> Our key and access folks don’t want to update the locks’ client certs very 
> often. (They will have to touch each lock on a regular basis to replace 
> batteries, but don’t want to have to connect a computer to the locks every 
> year.)
> The same question applies for the server certificate expiration. 
> 
> 2. Should I advertise a separate SSID?
> We currently use eduroam as our primary campus SSID.  I would prefer not to 
> have to add an additional SSID just for these devices, but their use case 
> seems different enough to warrant one.
>  
> If your institution has implemented or is thinking about implementing Wi-Fi 
> connected locks, I’d appreciate your feedback.
>  
> Thanks.
> -Neil
>  
> -- 
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319-384-0938
> e-mail: neil-john...@uiowa.edu
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/. 





Re: Certificate Expiration and IoT (Door Locks)

2016-11-02 Thread Curtis K. Larsen
We crossed this bridge already but the quantity of door locks was a lot lower.  
We issued 5 yr certs to the locks and told the dept. that they (or their 
vendor) need to update/patch firmware on devices at least that often so they 
can update the cert at the same time.  Our server cert will expire before then 
(not part of the chain) but the CA cert (part of the chain) will be valid for 
at least 10 years beyond that.  So, as long as the FQDN and CN remain the same 
for the server cert then there is no problem.  We used our existing 1x SSID, 
but a different VLAN and associated security policy.  We used Cloudpath and 
deployed EAP-TLS certs for these - it's not hard.

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Johnson, Neil M
Sent: Wednesday, November 2, 2016 9:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks)

Our housing department is pushing pretty hard to replace keyed locks on dorm 
room doors with Wi-Fi connected proximity card locks (a pilot this summer and 
then eventually rolling out to ~3,000 rooms).

The locks would be “offline” locks that cache valid cards locally and only 
connect to the Wi-Fi network periodically for updates and when presented with a 
non-cached card.

While the locks support multiple methods for authenticating to the wireless 
network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS is 
probably the most secure method for these devices.

My thinking is to set up a private PKI and generate a client cert for every 
lock. However, I have two issues concerning EAP-TLS.


1. What should I use for a client certificate expiration date?
Our key and access folks don’t want to update the locks’ client certs very 
often. (They will have to touch each lock on a regular basis to replace 
batteries, but don’t want to have to connect a computer to the locks every 
year.)
The same question applies for the server certificate expiration.


2. Should I advertise a separate SSID?
We currently use eduroam as our primary campus SSID.  I would prefer not to 
have to add an additional SSID just for these devices, but their use case seems 
different enough to warrant one.

If your institution has implemented or is thinking about implementing Wi-Fi 
connected locks, I’d appreciate your feedback.

Thanks.
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319-384-0938
e-mail: neil-john...@uiowa.edu


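The lifetime reasoning in Curtis's reply (lock client certs sized to the maintenance cadence, a long-lived private CA, and a RADIUS server cert that can be rotated freely as long as it keeps the same CN and chains to the same CA) modelled as a planning check. This is an added example, not code from the thread, Cloudpath or any lock vendor; the CA name, lock name, RADIUS FQDN and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Cert:
    subject_cn: str   # CN of the holder
    issuer_cn: str    # CN of the CA that signed it
    not_before: date
    not_after: date

def valid_on(cert: Cert, day: date) -> bool:
    return cert.not_before <= day <= cert.not_after

def lock_auth_ok(client: Cert, server: Cert, ca: Cert, expected_cn: str, day: date) -> bool:
    """What the lock's EAP-TLS supplicant effectively checks on `day`: every cert is
    inside its validity window, client and server both chain to the CA the lock
    trusts, and the RADIUS server presents the CN the lock was configured with."""
    return (valid_on(ca, day) and valid_on(client, day) and valid_on(server, day)
            and client.issuer_cn == ca.subject_cn
            and server.issuer_cn == ca.subject_cn
            and server.subject_cn == expected_cn)

def first_failure(client: Cert, server_on, ca: Cert, expected_cn: str):
    """Step through the client cert's whole life one day at a time; server_on(day)
    returns whichever server cert is deployed that day. Returns the first day the
    lock would stop authenticating, or None if it never does."""
    day = client.not_before
    while day <= client.not_after:
        if not lock_auth_ok(client, server_on(day), ca, expected_cn, day):
            return day
        day += timedelta(days=1)
    return None

# Constructed sample PKI (not a real deployment): 15-year private CA, 5-year lock
# client cert, RADIUS server cert reissued every June 1 under the same CA.
CA_CN, RADIUS_CN = "Housing Lock CA", "radius.example.edu"   # assumed names
CA = Cert(CA_CN, CA_CN, date(2016, 6, 1), date(2031, 6, 1))
SHORT_CA = Cert(CA_CN, CA_CN, date(2016, 6, 1), date(2019, 6, 1))  # CA shorter than lock cert
LOCK = Cert("lock-0001", CA_CN, date(2016, 8, 1), date(2021, 8, 1))

def yearly_server_cert(day: date) -> Cert:
    """Server cert rotated each June 1 with the same CA and the same CN."""
    year = day.year if (day.month, day.day) >= (6, 1) else day.year - 1
    return Cert(RADIUS_CN, CA_CN, date(year, 6, 1), date(year + 1, 6, 1))

def renamed_server_cert(day: date) -> Cert:
    """Same rotation, but the 2018 renewal moved to a new CN: fatal to every lock
    that was configured to expect the old name."""
    c = yearly_server_cert(day)
    if c.not_before.year >= 2018:
        return Cert("radius2.example.edu", c.issuer_cn, c.not_before, c.not_after)
    return c
```

Call first_failure with each rotation policy and CA; the returned date is the day the lock would stop reaching the network and fall back to its cached card list until someone touches it.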


Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-02 Thread Turner, Ryan H
We have a PSK network for devices that don't support advanced EAP methods.  But 
students are our biggest users abroad of eduroam, and we don't push onboarding 
of their devices on PSK.  In fact, we make it more difficult.  They must 
register their devices in advance in order to get DHCP and we change the very 
long PSK each semester.  


Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Nov 1, 2016, at 4:42 PM, Jeffrey D. Sessler wrote:
> 
> I guess I should have also added – What about just for students and their 
> devices?
> 
> Jeff
> 
> On 11/1/16, 10:22 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Turner, Ryan H" <rhtur...@email.unc.edu> wrote:
> 
>We use eduroam, which necessitates a realm for routing.  No for us.
> 
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
>Sent: Tuesday, November 1, 2016 10:12 AM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
>Just curious. If those using or considering TLS had the option of PPSK 
> (personal pre-shared key), would you opt for PPSK instead?
> 
>Jeff
> 
>On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Bruce Boardman" <board...@syr.edu> wrote:
> 
>We are using Cloud Path for onboarding, but we are considering other 
> options if and when we go to EAP-TLS. We may get it baked in if we use ISE or 
> ClearPass, but I'm considering other standalone options as well. Anybody have 
> experience or thoughts they'd like to share? Thanks  
> 
>Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
> board...@syr.edu
> 



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-02 Thread Turner, Ryan H
Jeff,

I think that actually advanced EAP methods have turned the corner.  
Manufacturers are making onboarding easier.  I think you are under the 
impression that configuring a device for certificates is a big process. It 
takes most people less than 5 minutes, and they do this once a year.  

Just in our area, UNC and NC State, representing over 60,000 students, are TLS.  
Duke is moving that way.  

I haven't spoken to anyone recently even remotely considering PPSK.  I've heard 
plenty starting to explore TLS. 

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler wrote:
> 
> I think the distinction between enterprise and residential blurred with the 
> advent of SaaS and the cloud. No longer did an employee need to be “at the 
> office” to enter their hours worked in the time and attendance system, or as 
> an administrator, you no longer had to run the accounting application from 
> your office computer. It’s difficult for me to name anything we’re doing here 
> now that isn’t some form of web-based SaaS model, where the expectation is 
> that an employee (barring overtime rules) can access these systems from any 
> location. If an employee can access these systems from Starbucks for the 16 
> hours a day they aren’t at work, what’s the point of WPA2-ent for the other 
> 8? 
> 
> I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. 
> I think most will come to accept that something like PPSK is “good enough”. 
> Users don’t want significant barriers to getting access to what they need, 
> and once those barriers reach a certain level, the user will absolutely find 
> alternatives, i.e. I’ve visited many colleges where it was easier to use my 
> MiFi hotspot than to be forced through a cumbersome on-boarding system where 
> there are restrictions, be it on services available or data rates.
> 
> Taken to the extreme: at the point you no longer have a local data center and 
> everything is SaaS, can an argument for WPA2-ent still be made? 
> 
> Jeff
> 
> On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Curtis K. Larsen" <curtis.k.lar...@utah.edu> wrote:
> 
>Well, I think users in general expect that when they connect to the 
> "Secure" wireless network - it is both encrypted, and they are not being 
> impersonated.  If not, maybe you could allow them to opt-out after accepting 
> the risk.  Often these are the same credentials that staff use to login and 
> set the direct deposit for their paycheck, credentials faculty use to post 
> grades, and students use to add/drop classes.  The business could also 
> opt-out if they are willing to accept the risk.  But as the Enterprise 
> Wireless Engineer you should at least make everyone aware that with PPSK 
> there are still risks.  Also, I just think one of these standards was 
> intended to be mostly for residential purposes and the other for mostly 
> enterprise purposes.  When you look at federated authentication as in eduroam 
> or hotspot 2.0, etc. WPA2-Ent. just seems to fit better long-term.  In short, 
> I think the difficult/expensive parts of PKI/EAP-TLS have recently become a 
> lot easier and I think they'll continue to do so.
> 
>-Curtis
> 
> 
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Chuck Enfield
>Sent: Tuesday, November 1, 2016 2:54 PM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
>"If we can agree that most applications today (including ones that involve
>FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
>them from any location including at home on a PSK protected SSID (or
>cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
>the campus actually result in reduced risk?  Is there cost justification for
>the infrastructure (staff, hardware, software) necessary to implement
>EAP-TLS (or alternatives)?"
> 
>Where's the like button?  FWIW, I still like enterprise encryption and
>authentication for keeping people off of my network.  It's nevertheless
>useful to remind ourselves of precisely what the value is, and it's not
>protecting the data.
> 
>Chuck
> 
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
>Sent: Tuesday, November 01, 2016 4:41 PM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
>Curtis,
> 
>If we can agree that most applications today (including ones 

Re: [WIRELESS-LAN] 802.1x (eduroam) Win10 - no prompt for new password after credential change

2016-11-02 Thread Mike King
Way back in the dark ages of Server 2003, Microsoft changed NTLM behavior.
It would not surprise me if they changed something again.

Anyway, take a look at this:
https://support.microsoft.com/en-us/kb/906305

Figure out if it has any effect on the behavior.

Mike

On Tue, Nov 1, 2016 at 1:25 PM, Jonathan Miller  wrote:

> We are running into an issue where we have settings for eduroam pushed out
> via GPO (which cert authority is good, user auth only, and a few other
> settings).  The problem that we are running into is that if we check the
> 'cache credentials' option in the GPO, Win10 won't prompt the user for
> their new password after a password change.  Win7 and 8 will both pop up
> and ask the user to re-enter their username and password, it's just Win10
> that won't.
>
> Has anybody else run into this?
>
> TIA,
>
> Jonathan Miller
> Network Analyst
> Franklin and Marshall College
>
>




Certificate Expiration and IoT (Door Locks)

2016-11-02 Thread Johnson, Neil M

Our housing department is pushing pretty hard to replace keyed locks on dorm 
room doors with Wi-Fi connected proximity card locks (a pilot this summer and 
then eventually rolling out to ~3,000 rooms).

The locks would be “offline” locks that cache valid cards locally and only 
connect to the Wi-Fi network periodically for updates and when presented with a 
non-cached card.

While the locks support multiple methods for authenticating to the wireless 
network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS is 
probably the most secure method for these devices.

My thinking is to set up a private PKI and generate a client cert for every 
lock. However, I have two issues concerning EAP-TLS.


1. What should I use for a client certificate expiration date?
Our key and access folks don’t want to update the locks’ client certs very 
often. (They will have to touch each lock on a regular basis to replace 
batteries, but don’t want to have to connect a computer to the locks every 
year.)
The same question applies for the server certificate expiration.


2. Should I advertise a separate SSID?
We currently use eduroam as our primary campus SSID.  I would prefer not to 
have to add an additional SSID just for these devices, but their use case seems 
different enough to warrant one.

If your institution has implemented or is thinking about implementing Wi-Fi 
connected locks, I’d appreciate your feedback.

Thanks.
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319-384-0938
e-mail: neil-john...@uiowa.edu


