Re: [WIRELESS-LAN] MPSK SSID Names
Easiest way to prevent user-centric devices from actively using your headless device network is to block your identity provider from the headless roles so users can't sign in to resources.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Curtis, Bruce <01dd2279a597-dmarc-requ...@listserv.educause.edu>
Sent: Wednesday, June 9, 2021 10:23:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MPSK SSID Names

> On Jun 9, 2021, at 8:59 AM, Michael Dickson wrote:
>
> I'm curious if anyone is doing anything to prevent/discourage 802.1x capable devices (laptops, tablets, smartphones) from connecting to the IoT network. We would prefer these things stay on eduroam and currently use device fingerprinting to deny access to our "devices/IoT" (MAB) network.

No. Several IoT devices require that the phone/tablet/computer be on the SSID that the IoT device will be configured to use. (The configuration App looks at what SSID the phone/tablet/computer is on and tells the IoT device to join the same SSID.)

We require the MAC address of all of the devices that join the IoT SSID be registered so students have to register the MAC address of the phone/tablet/computer before connecting to the IoT SSID.
Re: [WIRELESS-LAN] MPSK SSID Names
> On Jun 9, 2021, at 8:59 AM, Michael Dickson wrote:
>
> I'm curious if anyone is doing anything to prevent/discourage 802.1x capable devices (laptops, tablets, smartphones) from connecting to the IoT network. We would prefer these things stay on eduroam and currently use device fingerprinting to deny access to our "devices/IoT" (MAB) network.

No. Several IoT devices require that the phone/tablet/computer be on the SSID that the IoT device will be configured to use. (The configuration App looks at what SSID the phone/tablet/computer is on and tells the IoT device to join the same SSID.)

We require the MAC address of all of the devices that join the IoT SSID be registered so students have to register the MAC address of the phone/tablet/computer before connecting to the IoT SSID.
Re: [WIRELESS-LAN] MPSK SSID Names
I'm curious if anyone is doing anything to prevent/discourage 802.1x capable devices (laptops, tablets, smartphones) from connecting to the IoT network. We would prefer these things stay on eduroam and currently use device fingerprinting to deny access to our "devices/IoT" (MAB) network.

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39

On 6/9/21 8:35 AM, Shoebottom, Bryan wrote:
> I took over from our previous wireless admin a few years ago and went through an extensive project to consolidate and clean up our SSIDs. Every use case seemed to have their own SSID multiplied by each site – it was a confusing mess for everyone. After lots of research and consultation with our clients, and a mindset of keeping things simple yet accommodating policy/requirements, it came down to the following configuration:
>
>   FanshaweCollege   802.1x     staff/students via domain accounts, IoT/non-domain (e.g. shared iPads) items via ISE accounts
>   FanshaweGuest     MAC auth   click-through portal allows 24hrs access, then the portal comes up again
>   eduroam           802.1x     staff/students via domain accounts, remote eduroam accounts
>   FanshaweDevices   iPSK       IoT devices that don’t support 802.1x
>
> The top 2 SSIDs are broadcast at all our sites. Eduroam is broadcast at all our educational based sites. We tried to have eduroam and FanshaweCollege combined, but senior management didn’t want to lose the branded SSID. As for the FanshaweDevices, to keep airspace clean, we only broadcast this where we need it. We are a Cisco shop and almost exclusively on the WLC9800 now. We make use of the AP Join profiles and an AP naming standard to accomplish this. By changing a character in the AP name, I can have it pick up different policies for RF, SSID, etc. Currently we have the iPSK network only broadcast in 2 locations to support athletic equipment and Nintendo switches. The iPSK auth method allows us to have a single SSID, yet provide back-end control depending on the device that is connecting, or better, the PSK they use. Our Residence networking is provided by a 3rd party.
>
> So far this has worked really well, and I received compliments the September following the changes as helpdesk lineups/queues were significantly shorter. All SSIDs run on both 5 and 2.4GHz, so if we do decide to split up SSIDs based on frequency, I could see some changes here, otherwise it’s ticking all our boxes.
>
> --
> Regards,
>
> Bryan Shoebottom
> Network & Systems Specialist
>
> Network Services & Computer Operations
> 1001 Fanshawe College Blvd. London, ON N5Y 5R6
> T 519.452.4430 x4904 | F 519.453.3231
> bshoebot...@fanshawec.ca
>
> From: Patrick McEvilly
> Sent: June 8, 2021 4:37 PM
> Subject: Re: MPSK SSID Names
>
> Hi Brian
>
> We are struggling with a name that would work for this. We have “Harvard Secure” as our 802.1x SSID, “Harvard University” as our legacy MAC registered SSID and eduroam. We want to use the MPSK SSID to solve for all things – IoT, gaming consoles, Alexa, Smart*, AV gear, for both BYOD and for infrastructure devices. We are also interested in hearing what others have named their SSIDs or suggestions that would represent the general-purpose use of such an SSID.
>
> Patrick
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Brian Helman <bhel...@salemstate.edu>
> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Tuesday, June 8, 2021 at 3:04 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] MPSK SSID Names
>
> Anyone using Aruba’s (or if other manufacturers have a similar feature) MPSK service? What did you use for an SSID – looking for naming ideas.
>
> -Brian
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to
Re: [WIRELESS-LAN] MPSK SSID Names
We kept things simple:

Visitor
IoT
Campus

Visitor has a well known password that is posted in various places around campus and emailed to students.
IoT has a password distributed to students when they arrive on campus.
Campus is an 802.1x linked to their account credentials.

On Tue, Jun 8, 2021 at 1:22 PM Christopher H Ressel wrote:
> We marketed MPSK as a solution for IOT clients so we named ours UNR-IOT. It seems to have been self-explanatory enough as we haven’t had much user confusion.
>
> Chris

--
John Rodkey
Director of Servers and Networks
Westmont College

Verification: Unsure if this is a legitimate email to an email list? Make sure it is recorded at https://my.westmont.edu/it_emails

"God-fearing faith... is neither brash nor foolhardy and does not tempt God." - Martin Luther

**
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] MPSK SSID Names
Hi Brian

We are struggling with a name that would work for this. We have “Harvard Secure” as our 802.1x SSID, “Harvard University” as our legacy MAC registered SSID and eduroam. We want to use the MPSK SSID to solve for all things – IoT, gaming consoles, Alexa, Smart*, AV gear, for both BYOD and for infrastructure devices. We are also interested in hearing what others have named their SSIDs or suggestions that would represent the general-purpose use of such an SSID.

Patrick

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Brian Helman
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Tuesday, June 8, 2021 at 3:04 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] MPSK SSID Names

Anyone using Aruba’s (or if other manufacturers have a similar feature) MPSK service? What did you use for an SSID – looking for naming ideas.

-Brian
RE: [WIRELESS-LAN] MPSK SSID Names
We did the same using MPSK SSID as SU_IoT for a new dorm connecting all the in room wifi thermostats uploading all their MAC addresses with one password via Clearpass.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Lee H Badman
Sent: Tuesday, June 8, 2021 4:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MPSK SSID Names

It’s not MPSK, but we have a similar purpose dorm WLAN called Gadgets

Lee Badman (mobile)

On Jun 8, 2021, at 4:22 PM, Christopher H Ressel <cres...@unr.edu> wrote:

We marketed MPSK as a solution for IOT clients so we named ours UNR-IOT. It seems to have been self-explanatory enough as we haven’t had much user confusion.

Chris
Re: [WIRELESS-LAN] MPSK SSID Names
It’s not MPSK, but we have a similar purpose dorm WLAN called Gadgets

Lee Badman (mobile)

On Jun 8, 2021, at 4:22 PM, Christopher H Ressel wrote:

We marketed MPSK as a solution for IOT clients so we named ours UNR-IOT. It seems to have been self-explanatory enough as we haven’t had much user confusion.

Chris
Re: [WIRELESS-LAN] MPSK SSID Names
We marketed MPSK as a solution for IOT clients so we named ours UNR-IOT. It seems to have been self-explanatory enough as we haven’t had much user confusion.

Chris

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Brian Helman
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Tuesday, June 8, 2021 at 12:04 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] MPSK SSID Names

Anyone using Aruba’s (or if other manufacturers have a similar feature) MPSK service? What did you use for an SSID – looking for naming ideas.

-Brian