Re: [WIRELESS-LAN] Cisco EAP-TLS fragmentation with active/active firewalls

2021-09-13 Thread Tim Cappalli
From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv Date: Monday, September 13, 2021 at 12:27 PM To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" Subject: Re: [WIRELESS-LAN] Cis

Re: Cisco EAP-TLS fragmentation with active/active firewalls

2021-09-13 Thread Tim Cappalli
Switch to RadSec between your controllers and RADIUS server. Should eliminate the issue if you don't have any other config options. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Lee Weers Date: Monday, September 13, 2021 at 18:25 To:

Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Tim Cappalli
I'd recommend you use SAML with your VPN solution directly to AAD and not go through ISE. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of James Andrewartha Sent: Thursday, August 26, 2021 10:50 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Tim Cappalli
On Behalf Of Tim Cappalli Sent: Monday, August 09, 2021 8:05 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root CA policies really have noth

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
eet certain requirements. docs.microsoft.com From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Sent: Monday, August 9, 2021 10:31 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.E

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
___ From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Sent: Monday, August 9, 2021 8:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
cert. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Date: Monday, August 9, 2021 at 5:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert R

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
with but Android went and made it really hard to onboard a private CA and so now people are going back to public certs for EAP to lower their support burden. Sent from my Galaxy Original message From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Dat

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Date: Monday, August 9, 2021 at 8:31 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root EAP ser

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
CAs. I suppose an alternative is to move to a private CA on the server-side. Thanks! Norman Norman Elton Director W IT Infrastructure wne...@wm.edu<mailto:wne...@wm.edu> / 757-221-7790 From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
You should never use different EAP server certificates across a RADIUS cluster. Use the same cert across all nodes (in this case take the other cert with the longest expiry and upload it to all the nodes in the CPPM cluster) From: The EDUCAUSE Wireless Issues

Re: PEAP Username format in Domain Joined machines

2021-07-27 Thread Tim Cappalli
big factor in why we’re moving to EAP-TLS and forcing the format instead of trying to accommodate whatever the user decides to type in. From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Tim Cappalli <0194c9eca

Re: PEAP Username format in Domain Joined machines

2021-07-27 Thread Tim Cappalli
Username format in Domain Joined machines Depending on your RADIUS server you could rewrite the identity to whatever you want. Some are more granular than others with what all you can do. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9eca

Re: PEAP Username format in Domain Joined machines

2021-07-27 Thread Tim Cappalli
No, it cannot. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Pratik Mehta Date: Tuesday, July 27, 2021 at 11:14 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] PEAP Username format in Domain Joined machines Hello Everyone, On a Windows 10 device,

Re: Aruba and SAML SSO

2021-07-26 Thread Tim Cappalli
CPPM will parse out the SAML assertion attributes as long as you add them to the SSO dictionary in CPPM. You can then use them in role mapping or enforcement in an application authorization service. From: The EDUCAUSE Wireless Issues Community Group Listserv

Re: [WIRELESS-LAN] MPSK SSID Names

2021-06-09 Thread Tim Cappalli
Easiest way to prevent user-centric devices from actively using your headless device network is to block your identity provider from the headless roles so users can't sign in to resources. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf

Re: Forcing Client Cert Selection in Windows for EAP-TLS

2021-05-14 Thread Tim Cappalli
No, there's really no way to do this with your configuration. Mixing GPO/MDM + a supplicant utility like SecureW2 is not recommended. It becomes a giant unpredictable tug of war. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Heavrin,

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Tim Cappalli
of the employee’s desire, in a voluntary decision, to use that device for company business. Can’t be forced. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Thursday, April 22, 2021 9:14 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Tim Cappalli
/OWE as campus solution? On 2021-04-21 21:30:53+, Tim Cappalli wrote: > I'd also like to address the comment about post-college experience. > > Most organizations these students are going to work at are going to > require MDM or MAM on their personal devices. So I fundamentall

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
ampus life. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Sent: Wednesday, April 21, 2021 5:24:25 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] WP

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
Why not take baby steps? One example: So many organizations talk about user experience challenges of onboarding (and trust me, I hear you) but then issue 1 year certs and force the user through it every year. Switch to a 5 year cert (or device specific cred) and use authorization rules to

Re: WPA3/OWE as campus solution?

2021-04-16 Thread Tim Cappalli
SYRACUSE UNIVERSITY syr.edu From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Friday, April 16, 2021 10:16 A

Re: WPA3/OWE as campus solution?

2021-04-16 Thread Tim Cappalli
Just keep in mind that OWE does not have an identity layer. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu> Sent: Friday, April 16, 2021 10:08 To:

Re: [WIRELESS-LAN] Microsoft Windows 10 CRL Check on 802.1x Authentication

2021-04-14 Thread Tim Cappalli
RE OCSP: AFAIK, only Android 11+ supports OCSP stapling for EAP. RE OP: Pratik, I reached out to the Windows team and they are diagnosing the issue to try to pinpoint when this occurs. tim From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf

Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable

2021-02-22 Thread Tim Cappalli
I didn’t forget  Been a busy few weeks. Will hopefully have something early next week. tim From: Tim Cappalli Date: Thursday, February 11, 2021 at 10:47 To: The EDUCAUSE Wireless Issues Community Group Listserv Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile

Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable

2021-02-11 Thread Tim Cappalli
On Thu, 11 Feb 2021, Tim Cappalli wrote: > Yes, the EAP server certificate subject should be the same eTLD as the > credential realm. I should have used the word realm for clarity sorry, I couldn't quite bring it to mind! > Said differently, if EAP identity is > `t...@capptoso.

Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable

2021-02-11 Thread Tim Cappalli
Communication Technologies New Mexico State University On Feb 11, 2021, at 8:19 AM, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educause.edu>> wrote: WARNING: This email originated external to the NMSU email syst

Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable

2021-02-11 Thread Tim Cappalli
Variable Am I understanding correctly that if the CN also exists as a SAN then it is accepted? From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Thursday, February 11, 2021 9:20 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] [EXT] Re

Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable

2021-02-11 Thread Tim Cappalli
Yes, the EAP server certificate subject should be the same eTLD as the credential realm. Said differently, if EAP identity is `t...@capptoso.com`, the server certificate should be `.capptoso.com`. From: The EDUCAUSE Wireless Issues Community Group Listserv on

Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable

2021-02-11 Thread Tim Cappalli
le Configuration Variable Thanks Tim. Brad From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Wednesday, February 10, 2021 4:07 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.

RE: Android 11 Manual Profile Configuration Variable

2021-02-10 Thread Tim Cappalli
On Behalf Of Tim Cappalli Sent: Wednesday, February 10, 2021 3:22 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable Which profile are you referring to? Android does not have a generic profile construct. Domain refers to the subject

RE: Android 11 Manual Profile Configuration Variable

2021-02-10 Thread Tim Cappalli
Which profile are you referring to? Android does not have a generic profile construct. Domain refers to the subject of the EAP server certificate (e.g. networklogin.mydomain.com) and yes subject matching is required for a proper supplicant configuration. tim From: Floyd, Brad Sent:

RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-10 Thread Tim Cappalli
-configuring the network eliminated the option.   Dom Colangelo Systems Engineer Omada Technologies Cell: (617)-446-3945 dcolang...@omadatechnologies.com   From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Tuesday, February 9, 2021 12:15 To: WIRELESS-LAN

RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-10 Thread Tim Cappalli
> Systems Engineer > Omada Technologies > Cell: (617)-446-3945 > dcolang...@omadatechnologies.com<mailto:dcolang...@omadatechnologies.com> > > From: The EDUCAUSE Wireless Issues Community Group Listserv > mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> > On Behalf Of Tim Cappalli > Se

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-09 Thread Tim Cappalli
ssing here? Walter Reynolds Network Architect Information and Technology Services University of Michigan (734) 615-9438 On Sun, Feb 7, 2021 at 3:29 AM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-05 Thread Tim Cappalli
I would not expect Pixel 2 and earlier to receive this update as they are end of support. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Richie Penuela Sent: Friday, February 5, 2021 09:37 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: android 11 upcoming changes Feb 15th 2021

2021-02-05 Thread Tim Cappalli
Samsung has likely not yet picked up the change. Google Pixels are currently the only devices confirmed to have received the update. The change will eventually hit all devices. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Mathieu

Re: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Tim Cappalli
too. From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Wednesday, February 3, 2021 4:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 For higher ed, you're absolutely right. For all

Re: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Tim Cappalli
j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text From: Ti

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Feb 2, 2021 at 12:48 PM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educause.edu>> wrote: I can scan a QR code with embedded credentials over your shoulder (I think the newest Ga

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Feb 2, 2021 at 12:43 PM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educause.edu>> wrote: While UX is great with QR codes, security and trust is challenging. You'll start to see more QR-based provisioning with Io

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
mation Technology The University of Alabama in Huntsville Network Engineering On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educause.edu>> wrote: Well, again, you should be pr

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
less Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Sent: Tuesday, February 2, 2021 12:54 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 Screens

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Sent: Monday, February 1, 2021 6:06:41 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Tim Cappalli
11 on campus and they work with our current eap tls onboard workflow. I wasn’t sure if something else was coming on feb 15th that would cause some issue with this setup From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim

Re: android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Tim Cappalli
ing android 11 on campus and they work with our current eap tls onboard workflow. I wasn’t sure if something else was coming on feb 15th that would cause some issue with this setup From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On B

Re: android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Tim Cappalli
This is a bit misleading IMO. There are no further changes in Android 11 after the December update. Seems like this is specific to Secure W2's product. As a general best practice, you should be using a single EAP server certificate, signed using a PKI in your control, across all your

Re: [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-17 Thread Tim Cappalli
eless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Saturday, 16 January 2021 11:33 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Android 11 and Cert V

Re: [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
9442 1757 Mob. 0424 160 877 From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Saturday, 16 January 2021 11:33 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
bedded into a profile in a web-based enrollment flow. tim From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Date: Saturday, January 16, 2021 at 11:12 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
a Ph. (08) 9442 1757 Mob. 0424 160 877 From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Saturday, 16 January 2021 11:33 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification EAP-TLS is modern, st

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
& Projects Engineer Christ Church Grammar School Claremont, Western Australia Ph. (08) 9442 1757 Mob. 0424 160 877 From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Saturday, 16 January 2021 11:24 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Sub

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
in Windows? -- James Andrewartha Network & Projects Engineer Christ Church Grammar School Claremont, Western Australia Ph. (08) 9442 1757 Mob. 0424 160 877 From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Saturday, 16 January 2021 6:2

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-15 Thread Tim Cappalli
> “many colleges provided instructions as such.” This is one of the many reasons the change was made. Not just colleges, enterprises as well. These instructions are worse than instructing users to do this: chrome.exe --ignore-certificate-errors tim From: The EDUCAUSE Wireless Issues

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-14 Thread Tim Cappalli
Please see my previous response. No part of that statement is accurate. tim From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Floyd, Brad Date: Thursday, January 14, 2021 at 18:00 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Android 11 and Cert

Re: [WIRELESS-LAN] Cisco ISE radius proxy service for eduroam?

2020-12-08 Thread Tim Cappalli
Why not just terminate EAP in ISE instead of proxying? From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Drew Ratliff Date: Tuesday, December 8, 2020 at 10:30 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Cisco ISE radius proxy service for eduroam? Hello

Re: Eero Wired OUI if anyone can help

2020-10-19 Thread Tim Cappalli
My Eero uses 3c:5c:f1 on the wired ports which is in the list below. tim From: The EDUCAUSE Wireless Issues Community Group Listserv Date: Friday, October 16, 2020 at 17:09 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Eero Wired OUI if anyone can help Thanks much- I did

Re: multi user windows/osx eap tls onboarding

2020-10-14 Thread Tim Cappalli
For Windows 10, you can use TEAP with chained machine + user certs (or a mix of cert and legacy cred). For macOS, I’d recommend just using a machine identity, unless you absolutely need user identity for policy. tim From: The EDUCAUSE Wireless Issues Community Group Listserv Date:

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Tim Cappalli
my mobile device ___ On Oct 13, 2020, at 14:00, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educause.edu>> wrote:  Just do a quick Google search and you’ll see how many situations instruct users to not validate

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Tim Cappalli
*organizations, not situations. From: The EDUCAUSE Wireless Issues Community Group Listserv Date: Tuesday, October 13, 2020 at 14:00 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification Just do a quick Google search and you’ll see how many

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Tim Cappalli
Just do a quick Google search and you’ll see how many situations instruct users to not validate the server identity (across many operating systems). It is (and has always been) the #1 problem with legacy credentials/auth methods with tunneled EAP. tim From: The EDUCAUSE Wireless Issues

Re: Wireless Device Policy Questions

2020-09-25 Thread Tim Cappalli
Network Engineer Information Technology University of Massachusetts Amherst 413-545-9639 michael.dick...@umass.edu<mailto:michael.dick...@umass.edu> PGP: 0x16777D39 On 9/25/20 10:25 AM, Tim Cappalli wrote: If you're using Aruba ClearPass, you can add an account check

Re: [WIRELESS-LAN] Wireless Device Policy Questions

2020-09-25 Thread Tim Cappalli
If you're using Aruba ClearPass, you can add an account check during authorization. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tristan Gulyas <004c763654fc-dmarc-requ...@listserv.educause.edu> Sent: Thursday, September 24,

Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-23 Thread Tim Cappalli
592-2416 E: fe...@sva.edu<mailto:fe...@sva.edu> ___ Please excuse any typographical errors as this e-mail has been sent from my mobile device ___ On Sep 22, 2020, at 15:13, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.

Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
Floor New York, NY, 10011 LL: 212-592-2416 E: fe...@sva.edu ___ Please excuse any typographical errors as this e-mail has been sent from my mobile device ___ On Sep 22, 2020, at 12:04, Tim Cappalli

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
fe...@sva.edu > ___ > > Please excuse any typographical > errors as this e-mail has been sent > from my mobile device > ___ > > > On Sep 22, 2020, at 12:04, Tim Cappalli > <0194c9ecac40-dmarc-requ...@li

Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
fe...@sva.edu> ___ Please excuse any typographical errors as this e-mail has been sent from my mobile device ___ On Sep 22, 2020, at 12:04, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educaus

Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
Can you please provide some basic details? * What exactly is "broken"? * Which EAP method? * Which credential type? * How is/was the supplicant provisioned? * Are only new devices affected or just upgraded devices? From: The EDUCAUSE Wireless

RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread Tim Cappalli
Asking users to disable a feature that preserves their privacy for what is really a one time event (after iOS upgrade) on your network seems very drastic and has a longer term impact. From: Cody Ensanian Sent: Monday, September 21, 2020 15:59 To:

Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius

2020-08-28 Thread Tim Cappalli
anyone done that with Freeradius and eduroam? Best, Nadim On Fri, Aug 28, 2020 at 9:57 AM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educause.edu>> wrote: eduroam is an 802.1X network. You need to use an EAP-based au

Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius

2020-08-28 Thread Tim Cappalli
eduroam is an 802.1X network. You need to use an EAP-based authentication method. MAC address can only be used as authorization context (but really shouldn't be). Tim From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Nadim El-Khoury

RE: Aruba Captive Portals and Login Pages

2020-08-25 Thread Tim Cappalli
The MAC address is appended to the redirect URL (login-page) as the query parameter “mac” on all Aruba platforms automatically. tim From: Higgins, Benjamin J Sent: Tuesday, August 25, 2020 14:30 To:

Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
I was saying there are very few organizations that truly have every resource, where the primary password is used, enabled for MFA. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Scott Bertilson

RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
tile network and not as a permission to access resources, at best this person gets free WiFi access. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 10:43 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificat

RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
ise of one’s provisioning tool, say because of admins using weak passwords and/or no MFA, may present a higher security risk than the use of PEAP. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 9:43 AM To:

RE: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
less devices that I see that are at least 3 generations old is still unacceptably high. Todd Smith From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 1:12 PM To: WIRELESS-LAN@LISTSERV.

RE: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
RV.EDUCAUSE.EDU>] On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 11:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Correct, some versions of operatin

RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
oup Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 11:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate exp

RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
rmation Technology University of Notre Dame From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 11:34 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSER

RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 10:38 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? If you’re already onboarding your users, wh

RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
If you’re already onboarding your users, why do you continue to use a public cert? A public EAP server cert should only be used when a “walk-up” enter your username/password experience is desired (of course that’s after your organization has decided that credential exposure is not a concern).

Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Tim Cappalli
Google’s announcement was for Chrome so it is not clear whether there will be a change in Android. Apple’s announcement is system-wide on macOS and iOS. But keep in mind it does not apply to non-public CAs, which are the only trust chains that should be used for EAP. tim

RE: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Tim Cappalli
we need/want? How much information should we collect? After all, if the service is no different than at Starbucks, what does the collection of more information do for us? Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Monday, August 17,

RE: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Tim Cappalli
What business are you trying to get out of specifically? OpenRoaming is a way for federations of organizations and/or individual organizations to interconnect. Eduroam would start to mean “less” to end users, as they wouldn’t see an “eduroam” ESSID anymore, but there is still value in a trust

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-31 Thread Tim Cappalli
’s much less distressing, but I’m going to have a beer anyway. Thanks Tim. From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Friday, July 10, 2020 5:04 PM To: WIRELESS-LAN@LISTSERV.ED

Re: aruba airplay wired servers

2020-07-29 Thread Tim Cappalli
se I have more than 50 wired servers. Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> Sent: Wednesday, July 29, 2020

Re: aruba airplay wired servers

2020-07-29 Thread Tim Cappalli
Location-based policy is not supported with wired AirGroup servers. From: The EDUCAUSE Wireless Issues Community Group Listserv Date: Wednesday, July 29, 2020 at 16:05 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] aruba airplay wired servers I have setup the shared location by

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-21 Thread Tim Cappalli
stserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli Sent: Tuesday, July 21, 2020 1:06 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further... Yeah, good catch Chris!

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-21 Thread Tim Cappalli
Re: [WIRELESS-LAN] MAC Randomization, a step further... My point wasn’t to debate Passpoint either. I’m wondering if Apple actually has a plan, and if so, if they’ve bothered to tell anybody. From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCA

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-20 Thread Tim Cappalli
further... On 21/7/20 11:04 am, Tim Cappalli wrote: > Both major Wi-Fi vendors have Passpoint offerings that are either > available or in preview. I'm talking about the client side. Intune doesn't even have a CA either (no the short-lived one for conditional access doesn't count). Where's the Mic

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-20 Thread Tim Cappalli
... On 21/7/20 5:21 am, Tim Cappalli wrote: > Passpoint solves all of these issues. Where is the vendor support for it? Autopilot white glove doesn't even support wireless networks at all. -- James Andrewartha Network & Projects Engineer Christ Church Grammar School Claremont, Western Austr

Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

2020-07-20 Thread Tim Cappalli
On Jul 20, 2020, at 9:42 PM, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote: There has been an exponential increase in Passpoint rollouts in the past 18 months, on both the network infrastruc

Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

2020-07-20 Thread Tim Cappalli
There has been an exponential increase in Passpoint rollouts in the past 18 months, on both the network infrastructure side as well as clients. Ping your vendor. The more people talk about it (and ask for it), the faster it will be adopted and rolled out. tim From: The EDUCAUSE Wireless

Re: MAC Randomization, a step further...

2020-07-20 Thread Tim Cappalli
Passpoint solves all of these issues. Tim From: The EDUCAUSE Wireless Issues Community Group Listserv Date: Monday, July 20, 2020 at 17:14 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further... For guests, I've been tossing around the idea of

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-14 Thread Tim Cappalli
s Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli Sent: Friday, July 10, 2020 4:22 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further..

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-10 Thread Tim Cappalli
on the guest side of things. Brad From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli Sent: Friday, July 10, 2020 3:53 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-10 Thread Tim Cappalli
st started a conversation with my SE. Brad From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli Sent: Friday, July 10, 2020 2:07 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Sub

Re: MAC Randomization, a step further...

2020-07-10 Thread Tim Cappalli
: [WIRELESS-LAN] MAC Randomization, a step further... My point wasn’t to debate Passpoint either. I’m wondering if Apple actually has a plan, and if so, if they’ve bothered to tell anybody. From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Friday, July 10

Re: MAC Randomization, a step further...

2020-07-10 Thread Tim Cappalli
when I try to discuss Passpoint with my contacts at the major cellular providers, so it can’t possibly be a realistic option for most of us. From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Friday, July 10, 2020 4:07 PM To: WIRELESS-LAN

Re: MAC Randomization, a step further...

2020-07-10 Thread Tim Cappalli
Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi roaming. Passpoint has been supported on iOS and macOS (along with Windows and Android) for a number of years. I definitely don’t follow this comment: “you can’t onboard your Apple to enable identity-based auth.” tim
