Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
I'd also like to address the comment about post-college experience.

Most organizations these students are going to work at are going to require MDM 
or MAM on their personal devices. So I fundamentally disagree with the comment 
that they won't deal with "enrollment" post campus life.

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
Why not take baby steps? One example: So many organizations talk about user 
experience challenges of onboarding (and trust me, I hear you) but then issue 1 
year certs and force the user through it every year.

Switch to a 5 year cert (or device specific cred) and use authorization rules 
to temporarily (or permanently) revoke access.

You don't have to burn the whole forest down.

I'm sure your security folks would rather have a guaranteed encrypted network 
with user identity, a 5 year cert and full control, than an open network with 
no reliable user identity or enforcement mechanism.

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Jonathan Waldrep
Perhaps a better summary to the question, "Are you contemplating ditching
.1X in favor of WPA3/OWE?"

Kinda. I want to make .1X optional and burn the captive portal to the
ground, but that has nothing to do with WPA3/OWE. And I'm stuck with WPA2
until "3duroam" is a thing. Our security model does not rely on layers 1
and 2, so the federated access is more valuable.
--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech


RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jennifer Minella
Jeff – Yes, that’s exactly right for connections to apps/services - but what if 
we’re talking about an infected machine or malicious user? They’re not 
necessarily connecting to anything specific in terms of an application that 
would further auth them. That’s actually why I’m saying if it’s Internet-only 
and inter-station blocking is on then let them have at it, as long as the org’s 
legal team is OK with it. Otherwise, if they could access internal resources at 
the network level then those non-app based connections (L1-4) should be given 
some consideration and protection.

I don’t agree that there are enough breadcrumbs from the network admin side to 
identify a user on a device with anonymous login/auth. You’d need to either 
access data or artifacts on the device for that, or have some other means of 
traffic analysis on-network to try and piece that together. And some kind of 
extra special magic is needed if they’re on a device with private/randomized 
MAC.

Very valid point of course on the stolen creds or stolen device with device 
certs. That’s just a risk but from a compliance/audit standpoint that’s a 
different risk than an open network.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Jonathan Waldrep
I keep trying to reply to this thread with my thoughts and some idea of
where we are trying to move on this topic, but inevitably, it ends up
rambly and unfinished. Let's see if I can actually keep it short and
relevant. If so, there is lots left unsaid; please feel free to ask for
details.

We don't have a non-BYOD side of the network. There are some traditional
institution-managed devices, but they are the exception, and they don't
have a special network. Painting with a broad brush lacking some nuance,
all of our user facing networks are zero trust. Turns out, this simplifies
a great many things.

That said, I would love to move to a model where we have eduroam, and a
wide open network (preferably with OWE, but that is orthogonal). No captive
portal. No PSK. Both of those methods are problematic. Why? And what about
device discovery (Chromecasts, airplay, etc)? How do we know who the device
belongs to? How do you keep the devices secure without encryption? How do
you keep the network secure without authentication? Why have eduroam at
all? Great questions, that I'm going to skip right over (see preface).

In general, shifting our mindset about network authentication from
something that is required for the administrators' sake to something that
the user can opt into because it gives _the user_ tangible value opens up a
lot of opportunity.

The biggest challenges to overcome here are _not_ technical. They are
business and legal issues. On that note, I have yet to see a time where a
technical solution to a non-technical problem doesn't end up hurting the
user.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Manon Lessard
Just my two Maple-y cents

Up here the copyright laws require ISPs (under which we fall, as "providers" of 
connectivity on campus) to have sufficient information to be able to contact 
users should a copyright violation be recorded. Now there are a lot of blurred 
lines and room in the law itself, and to my understanding nobody really had to 
go after users for "real", but since as higher ed we are a nice public target we 
decided we'd rather think twice about opening the valves to just about anyone 
just yet. We log enough so we can trace and prove due diligence.

Oh, and Jennifer thank you for being so passionate about WPA3, thank you for 
chiming in. Don’t hold back from preaching more on security.

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality
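An added example, not code from any post in this thread, of what "logging enough to trace" looks like in practice, and of the randomized-MAC gap Jennifer raised above: it correlates constructed RADIUS accounting and DHCP lease lines to answer "who had this IP at this time", and flags locally administered (randomized) client addresses, for which the DHCP-to-RADIUS link has no username to resolve to. The log formats, usernames and addresses are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs (not from any real network). Timestamps are UTC.
# RADIUS accounting: one attribute=value list per record.
RADIUS_ACCT = """\
2021-04-21T17:02:11Z Acct-Status-Type=Start User-Name=jdoe@example.edu Calling-Station-Id=00-1A-2B-3C-4D-5E Framed-IP-Address=10.20.30.41
2021-04-21T17:40:00Z Acct-Status-Type=Stop User-Name=jdoe@example.edu Calling-Station-Id=00-1A-2B-3C-4D-5E Framed-IP-Address=10.20.30.41
"""
# DHCP server log: the same IP is later handed to a client with a randomized MAC
# that never authenticated (open/OWE network, no 802.1X session behind it).
DHCP_LEASES = """\
2021-04-21T17:02:09Z DHCPACK on 10.20.30.41 to 00:1a:2b:3c:4d:5e via vlan30
2021-04-21T17:05:30Z DHCPACK on 10.20.30.77 to 3a:1f:5c:9e:aa:01 via vlan30
2021-04-21T17:50:00Z DHCPACK on 10.20.30.41 to 3a:1f:5c:9e:aa:01 via vlan30
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_mac(mac: str) -> str:
    """Accept AA-BB-CC-DD-EE-FF, aa:bb:..., or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """The 0x02 bit of the first octet marks a locally administered address,
    which is what the private/randomized Wi-Fi addresses of modern phones and
    laptops look like; such a MAC cannot be tied to a vendor or an inventory."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_dhcp(text: str):
    """Return (timestamp, ip, mac) tuples for every DHCPACK, oldest first."""
    pat = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) via")
    out = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2), normalize_mac(m.group(3))))
    out.sort(key=lambda e: e[0])
    return out


def parse_radius(text: str):
    """Fold Start/Stop accounting records into (user, mac, ip, start, stop) sessions."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(" ", 1)
        avp = dict(kv.split("=", 1) for kv in rest.split())
        key = (avp["User-Name"], normalize_mac(avp["Calling-Station-Id"]),
               avp["Framed-IP-Address"])
        ts = parse_ts(ts_str)
        if avp["Acct-Status-Type"] == "Start":
            sessions[key] = [ts, None]          # stop unknown until a Stop arrives
        elif avp["Acct-Status-Type"] == "Stop" and key in sessions:
            sessions[key][1] = ts
    return [(u, m, ip, s, e) for (u, m, ip), (s, e) in sessions.items()]


def who_had_ip(ip: str, at: str, dhcp_text: str = DHCP_LEASES,
               radius_text: str = RADIUS_ACCT) -> dict:
    """Resolve IP@time -> MAC (DHCP) -> username (RADIUS). A None user with a
    locally administered MAC is exactly the case the thread worries about."""
    t = parse_ts(at)
    mac = None
    for ts, lease_ip, lease_mac in parse_dhcp(dhcp_text):
        if lease_ip == ip and ts <= t:      # latest ACK at or before t wins
            mac = lease_mac
    user = None
    for u, m, sess_ip, start, stop in parse_radius(radius_text):
        if sess_ip == ip and m == mac and start <= t and (stop is None or t < stop):
            user = u
    return {"ip": ip, "mac": mac, "user": user,
            "randomized_mac": bool(mac) and is_locally_administered(mac)}


if __name__ == "__main__":
    for ip, at in [("10.20.30.41", "2021-04-21T17:15:00Z"),
                   ("10.20.30.77", "2021-04-21T17:15:00Z"),
                   ("10.20.30.41", "2021-04-21T18:00:00Z")]:
        print(who_had_ip(ip, at))
```

The third lookup shows why timestamps matter: the same IP resolves to an authenticated user at 17:15 and to an unauthenticated, randomized MAC at 18:00.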


RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jeffrey D. Sessler
Jennifer,

I would hope that the service itself has authorization/admittance controls vs 
relying on the user’s device and/or the particular network the device is in for 
permission.

I’d also argue that there are enough breadcrumbs about any given device to 
determine the user without the need for them to authenticate to wireless. Then 
again, the device could just as easily be stolen, or the user’s account could 
have been compromised, and the attacker self-enrolls his/her machine/uses the 
credentials to gain access.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jennifer Minella
Sent: Wednesday, April 21, 2021 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Oh my goodness. I forgot the biggest one – if you’re going to give that user or 
device access to internal resources/assets you probably want to know who it is 
– even if it’s printers, screen casting, etc. If the user or device has access 
to critical internal resources, then you definitely need to know who it is. 
From an infosec due diligence standpoint, it would be hard to argue a defense on 
that one if a significant event were to occur.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Jennifer Minella
Sent: Wednesday, April 21, 2021 3:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: WPA3/OWE as campus solution?

Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up 
now.

Here’s what I throw in the mix for consideration… (no recommendations just free 
flow thoughts)
Sorry this is long; WPA3 gets me really excited 


  1.  OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY 
provides OTA encryption; it does nothing for authenticating the user to the 
network NOR the network to the user.
  2.  …that means you could use a guest portal experience, with or without user 
ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X 
for key exchanges and encryption.
  3.  If you care about who the user is, you can still use a portal with 
self-registration and whatever duration you feel is appropriate. Depending on 
how much you care, a self-registration portal may (or may not) be sufficient.
  4.  If you care about protecting the user/device against a MiTM or evil twin 
attack, then you probably prefer a mechanism that allows some type of 
authentication, which is typically mutual authentication (e.g. 1X).
  5.  Under WPA3, security is increased across the board and will be ongoing 
(not fixed). Including replacing Pre-Shared Key (PSK) with SAE, which 
looks/feels JUST like PSK to admins/users but further protects assets by using 
unique key derivations for each endpoint. So… if someone has the passcode they 
can get on, but they can’t decrypt any other traffic even if the endpoint(s) 
are using the same key. The list of enhancements goes on and on.
  6.  Does your organization require traceability of users for any internal or 
external policies or compliance? This could be for security reasons, compliance 
with IP and digital rights, or other needs. One Uni org I’ve worked with 
successfully stopped a student from a suicide attempt when the student posted 
online; they physically located the person and saved them from what they were 
about to do… There are a lot of things to consider and every org is different.
  7.  Whether or not portal acceptable use and/or user ID/registration is 
needed is a hotly-debated topic and has a lot of “it depends”. I recently asked 
several CISOs, lawyers, auditors, and cyber security friends at the FBI.
 *   The CISOs feel it’s “window dressing” except that per …
 *   …Lawyers, there may be some legal protection if a user compromised 
while on your network comes after you (e.g. policy says “org not responsible 
for anything resulting from use of their network”).
 *   The FBI says they need “something” to open a case and prosecute (e.g. 
Acceptable Use clause or access banner).
 *   In Europe (I’m told) orgs providing public internet access fall under 
ISP laws, and therefore must be diligent about registration/acceptable use/etc. 
By policy/compliance they have stricter rules for requiring accountability and 
registration.

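To make items 1, 2, 4 and 5 above concrete, here is an added configuration example; it is not from this thread or from any list member. It shows one hostapd.conf with an OWE guest SSID plus its open transition SSID, a WPA3-Personal (SAE) SSID and an 802.1X SSID, followed by the client-side wpa_supplicant.conf network block for the 802.1X SSID in a weak form and a hardened form. The interface names, SSIDs, BSSIDs, passphrase, RADIUS address, identities and certificate path are all placeholders I made up; the directive names are the real hostapd and wpa_supplicant ones.

```ini
# ===== hostapd.conf (access point side) =====
# Constructed example. Interface names, SSIDs, BSSIDs, the SAE passphrase
# and the RADIUS server are placeholders. hostapd does not accept inline
# comments, so every comment sits on its own line.
interface=wlan0
driver=nl80211
ctrl_interface=/var/run/hostapd
hw_mode=a
channel=36

# BSS 1: OWE guest SSID (items 1 and 2). Each client gets its own keys from
# an unauthenticated Diffie-Hellman exchange: the air is encrypted, but
# neither the user nor the network is authenticated. A captive portal /
# AUP banner can still sit on top. OWE requires PMF, hence ieee80211w=2.
bssid=02:00:00:00:00:01
ssid=campus-guest-owe
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
ieee80211w=2
owe_transition_ssid="campus-guest"
owe_transition_bssid=02:00:00:00:00:02

# BSS 2: the open transition SSID. OWE-capable clients follow the pointer
# to BSS 1; legacy clients stay here, unencrypted.
bss=wlan0_1
bssid=02:00:00:00:00:02
ssid=campus-guest
wpa=0
owe_transition_ssid="campus-guest-owe"
owe_transition_bssid=02:00:00:00:00:01

# BSS 3: WPA3-Personal / SAE (item 5). Same experience as a PSK for users,
# but the PMK comes out of the Dragonfly exchange per association, so
# knowing the passphrase does not give you another client's keys.
bss=wlan0_2
bssid=02:00:00:00:00:03
ssid=campus-iot
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_require_mfp=1
sae_password=placeholder-change-me

# BSS 4: 802.1X / WPA3-Enterprise (item 4). User identity comes from
# RADIUS, and the client authenticates the network through the EAP
# server's TLS certificate; that is the mutual part.
bss=wlan0_3
bssid=02:00:00:00:00:04
ssid=campus-secure
wpa=2
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=placeholder-radius-secret

# ===== wpa_supplicant.conf (client side, for the 802.1X SSID) =====
# WEAK: no ca_cert and no domain_match. The supplicant finishes its TLS
# tunnel with whichever EAP server answers, so the network is never really
# authenticated to the user and item 4's protection is gone.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the server name, and require PMF.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP WPA-EAP-SHA256
    ieee80211w=2
    eap=PEAP
    identity="student@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="placeholder"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
```

Two things worth noticing when reading this against the list: the OWE and SAE BSSes differ from their WPA2 equivalents by exactly one key-management line plus required PMF, which is why SAE "looks/feels just like PSK" to admins; and on the 802.1X SSID the AP-side config only buys you user identity, while the "mutual" authentication that stops an evil twin is decided entirely on the client by ca_cert and domain_match (the same applies to whatever onboarding tool pushes the profile on a managed or BYOD device).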

From: Enfield, Chuck <cae...@psu.edu>
Sent: Friday, April 16, 2021 4:57 PM
Subject: Re: WPA3/OWE as campus solution?

I’ve been floating this idea to IT leadership for years, with no interest on 
their part.  We implemented an open guest network with no rate limiting about 
18 months ago, so now any student who doesn’t want to onboard doesn’t have to.  
I figured that would get the bosses asking why we bother to authenticate on the 
other SSID, but still no.  It’s ironic that the people who constantly stress 
the importance of customer experience and regularly complain to me about the 
onboarding experience can’t be bothered to consider obvious alternatives.  I 
wouldn’t be so disappointed if we discussed the pros and cons and they came to 
a different conclusion than I have, but it sounds so radical to them that they 
don’t even care to discuss it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all: anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure, leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: