Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
I'd also like to address the comment about post-college experience. Most organizations these students are going to work at are going to require MDM or MAM on their personal devices. So I fundamentally disagree with the comment that they won't deal with "enrollment" post campus life.

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
Why not take baby steps? One example: So many organizations talk about user experience challenges of onboarding (and trust me, I hear you) but then issue 1 year certs and force the user through it every year. Switch to a 5 year cert (or device specific cred) and use authorization rules to

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Jonathan Waldrep
Perhaps a better summary to the question, "Are you contemplating ditching .1X in favor of WPA3/OWE?" Kinda. I want to make .1X optional and burn the captive portal to the ground, but that has nothing to do with WPA3/OWE. And I'm stuck with WPA2 until "3duroam" is a thing. Our security model does

RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jennifer Minella
Jeff – Yes, that’s exactly right for connections to apps/services - but what if we’re talking about an infected machine or malicious user? They’re not necessarily connecting to anything specific in terms of an application that would further auth them. That’s actually why I’m saying if it’s

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Jonathan Waldrep
I keep trying to reply to this thread with my thoughts and some idea of where we are trying to move on this topic, but inevitably, it ends up rambly and unfinished. Let's see if I can actually keep it short and relevant. If so, there is lots left unsaid; please feel free to ask for details. We

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Manon Lessard
Just my two Maple-y cents. Up here the copyright laws require ISPs (under which we are, as “providers” of connectivity on campus) to have sufficient information to be able to contact users should a copyright violation be recorded. Now there are a lot of blurred lines and room in the law

RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jeffrey D. Sessler
Jennifer, I would hope that the service itself has authorization/admittance controls vs relying on the user’s device and/or the particular network the device is in for permission. I’d also argue that there are enough breadcrumbs about any given device to determine the user without the need for

RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jennifer Minella
Oh my goodness. I forgot the biggest one – if you’re going to give that user or device access to internal resources/assets you probably want to know who it is – even if it’s printers, screen casting, etc. If the user or device has access to critical internal resources, then you definitely need

RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jennifer Minella
Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up now. Here’s what I throw in the mix for consideration… (no recommendations just free flow thoughts) Sorry this is long; WPA3 gets me really excited. 1. OWE/Open Enhanced (not technically part of WPA3 but