Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-08 Thread Jeffrey D. Sessler
The key is just as easily compromised as is the user account. If the user 
account is compromised, then presumably so is the PPSK and/or TLS, since the 
user account is likely the gateway to getting that information or on-boarding 
the device.

Taken a step further, unless you put a limit on the number of devices a user 
can have, all of them are vulnerable to the user on-boarding other people’s 
devices. This would be more likely in situations where one limits/allocates 
bandwidth per user, i.e. you create an underground of account sharing to work 
around the restrictions. 

Jeff

On 11/8/16, 4:48 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Osborne, Bruce W (Network Operations)" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of bosbo...@liberty.edu> wrote:

Here is another thought on PPSK per user. If the key is (unknowingly) 
compromised, then somebody else can masquerade as the user. This is especially 
a concern if you allocate or manage Internet bandwidth per user. 

If EAP-PEAP-MSCHAPv2 or EAP-TLS are used, the user login credentials need 
to be compromised or the device stolen.


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu] 
Sent: Monday, November 7, 2016 12:54 PM
Subject: Re: TLS Onboarding Vendors

The idea of using PPSK is that for a given user (student), all their 
devices would be together and the on-boarding would be the same be it a laptop 
or Wii. Right now, devices that support WPA2-Ent are in one SSID (and use 
Cloudpath for onboarding), and the others are connected to a PSK SSID.

I’ve also looked back at years of helpdesk data, and I’m hard pressed to 
find situations where we’ve had to disable a user’s account because of a 
misbehaving device. We’ve certainly used device exclusion on the controller for 
enforcing DMCA violations (no compliance), but I’ve not had to do that in years.

Again, there are interesting pluses to TLS, but how often do they come into 
play, and is the extra work justified. I don’t know the answer, thus why I’m 
asking all of these questions.

Jeff

On 11/7/16, 5:07 AM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Osborne, Bruce W (Network Operations)" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of bosbo...@liberty.edu> wrote:

If you are going to use one key per user, you might as well use PEAP 
MSCHAPv2. 
Either way you cut off all user access due to one of their devices 
misbehaving. 
With TLS you can disable access at a device level.


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu] 
Sent: Friday, November 4, 2016 7:57 PM
Subject: Re: TLS Onboarding Vendors

Curtis,

Curtis, I'm just asking questions and thinking out loud.

Of course there will be infrastructure, but in my mind, a student 
logging into our student portal to get their personal key _once_, which they 
then use on all of their devices, is intrinsically less overhead (and less time 
spent) than TLS even if an experienced IT person only needs 1:08 on an iOS 
device. Unlike PPSK, TLS requires the on-boarding of every device.

I'm not knocking TLS, but in practice it still sounds like more work 
than what a user is subjected to at home. The closer I get the experience to 
home (which PPSK seems to try and do), the happier I think the users will be. 
IT will be considered a partner rather than an adversary. 

And by users I mean Students. It's very likely that a college may 
choose to treat college-owned assets differently.

Jeff


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Friday, November 04, 2016 1:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Hi Jeff,

I'm wondering what product you have found that facilitates PPSK to 
group levels with no administrative overhead and no infrastructure 
requirements.  I mean assuming you don't want every user in the organization to 
be using the same key and every device in the same VLAN - there has to be 
active directory integration, RADIUS infrastructure, policies defined, and at 
at least a webserver for faci
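The revocation difference this thread keeps circling (Bruce: with TLS you can disable access at a device level; Jeff: a leaked PPSK is worth exactly as much as the account it was issued to, and only a cap on devices per user contains the sharing) can be made concrete as a small authorization model. The code below is an added example and is not code from any list member, from Cloudpath, or from any controller; the two classes, the device cap, the `authorize()` return shape and the sample student/device names are constructed assumptions. It runs a constructed scenario through both designs and returns the outcomes so they can be compared side by side.

```python
"""Toy model of the two designs debated on the list: a per-user PPSK directory
and a per-device EAP-TLS certificate store, each exposing the same
authorize() decision.  Constructed example; not any product's logic."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets


@dataclass
class PpskDirectory:
    """Per-user PPSK: one passphrase per user, shared by all of that user's devices.
    The AP only learns which key matched the 4-way handshake, so identity is
    implied by the key and any holder of the key looks like that user."""
    max_devices_per_user: int = 5
    _key_to_user: dict = field(default_factory=dict)
    _devices: dict = field(default_factory=dict)   # user -> set of device ids seen
    _disabled: set = field(default_factory=set)

    def enroll(self, user):
        """Issue the user's single key (what a portal would hand out once)."""
        key = secrets.token_urlsafe(16)
        self._key_to_user[key] = user
        self._devices.setdefault(user, set())
        return key

    def disable_user(self, user):
        """The only lever PPSK offers: it takes every device of the user down."""
        self._disabled.add(user)

    def authorize(self, passphrase, device_id):
        user = self._key_to_user.get(passphrase)
        if user is None:
            return False, "unknown key"
        if user in self._disabled:
            return False, f"user {user} disabled"
        seen = self._devices[user]
        # A device cap limits how far a shared key can spread; it still cannot
        # tell the user's own devices from a roommate's.
        if device_id not in seen and len(seen) >= self.max_devices_per_user:
            return False, f"device limit reached for {user}"
        seen.add(device_id)
        return True, user


@dataclass
class DeviceCertStore:
    """EAP-TLS: one client certificate per device, so revocation and expiry
    are per device and the user's other devices keep working."""
    validity_days: int = 365
    _issued: dict = field(default_factory=dict)   # serial -> (user, device, not_after)
    _crl: set = field(default_factory=set)

    def enroll_device(self, user, device_id, today):
        """The onboarding step that has to be repeated on every device."""
        serial = len(self._issued) + 1
        not_after = today + timedelta(days=self.validity_days)
        self._issued[serial] = (user, device_id, not_after)
        return serial

    def revoke(self, serial):
        self._crl.add(serial)

    def authorize(self, serial, today):
        entry = self._issued.get(serial)
        if entry is None:
            return False, "certificate not issued by this CA"
        user, device_id, not_after = entry
        if serial in self._crl:
            return False, f"certificate for {device_id} revoked"
        if today > not_after:
            return False, f"certificate for {device_id} expired; re-onboard"
        return True, user


def compare_revocation(today=date(2016, 11, 4)):
    """Constructed scenario: one student with a laptop and a console; the laptop
    has to be cut off (the controller-exclusion case from the thread)."""
    ppsk = PpskDirectory(max_devices_per_user=2)
    key = ppsk.enroll("student1")
    ppsk.authorize(key, "laptop")
    ppsk.authorize(key, "wii")
    third_ok, _ = ppsk.authorize(key, "roommate-phone")   # key shared with a friend
    ppsk.disable_user("student1")
    ppsk_after = (ppsk.authorize(key, "laptop")[0], ppsk.authorize(key, "wii")[0])

    tls = DeviceCertStore()
    laptop = tls.enroll_device("student1", "laptop", today)
    phone = tls.enroll_device("student1", "phone", today)
    tls.revoke(laptop)
    tls_after = (tls.authorize(laptop, today)[0], tls.authorize(phone, today)[0])
    expired_ok, _ = tls.authorize(phone, today + timedelta(days=366))
    return {
        "ppsk_third_device": third_ok,        # False: device cap reached
        "ppsk_after_disable": ppsk_after,     # (False, False): whole user is off
        "tls_after_revoke": tls_after,        # (False, True): only the laptop is off
        "tls_after_expiry": expired_ok,       # False: the yearly re-onboarding cost
    }


if __name__ == "__main__":
    for name, value in compare_revocation().items():
        print(f"{name}: {value}")
```

The model makes the trade-off visible in the return values: under PPSK the only enforcement points are the per-user device cap and disabling the user's key outright, while under EAP-TLS a single serial goes on the CRL and the user's other certificates continue to validate, at the price that every device has its own enrollment and its own expiry date.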

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-07 Thread Jeffrey D. Sessler
The idea of using PPSK is that for a given user (student), all their devices 
would be together and the on-boarding would be the same be it a laptop or Wii. 
Right now, devices that support WPA2-Ent are in one SSID (and use Cloudpath for 
onboarding), and the others are connected to a PSK SSID.

I’ve also looked back at years of helpdesk data, and I’m hard pressed to find 
situations where we’ve had to disable a user’s account because of a misbehaving 
device. We’ve certainly used device exclusion on the controller for enforcing 
DMCA violations (no compliance), but I’ve not had to do that in years.

Again, there are interesting pluses to TLS, but how often do they come into 
play, and is the extra work justified. I don’t know the answer, thus why I’m 
asking all of these questions.

Jeff

On 11/7/16, 5:07 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Osborne, Bruce W (Network Operations)" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of bosbo...@liberty.edu> wrote:

If you are going to use one key per user, you might as well use PEAP 
MSCHAPv2. 
Either way you cut off all user access due to one of their devices 
misbehaving. 
With TLS you can disable access at a device level.


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu] 
Sent: Friday, November 4, 2016 7:57 PM
Subject: Re: TLS Onboarding Vendors

Curtis,

Curtis, I'm just asking questions and thinking out loud.

Of course there will be infrastructure, but in my mind, a student logging 
into our student portal to get their personal key _once_, which they then use 
on all of their devices, is intrinsically less overhead (and less time spent) 
than TLS even if an experienced IT person only needs 1:08 on an iOS device. 
Unlike PPSK, TLS requires the on-boarding of every device.

I'm not knocking TLS, but in practice it still sounds like more work than 
what a user is subjected to at home. The closer I get the experience to home 
(which PPSK seems to try and do), the happier I think the users will be. IT 
will be considered a partner rather than an adversary. 

And by users I mean Students. It's very likely that a college may choose to 
treat college-owned assets differently.

Jeff


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Friday, November 04, 2016 1:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Hi Jeff,

I'm wondering what product you have found that facilitates PPSK to group 
levels with no administrative overhead and no infrastructure requirements.  I 
mean assuming you don't want every user in the organization to be using the 
same key and every device in the same VLAN - there has to be active directory 
integration, RADIUS infrastructure, policies defined, and at least a 
webserver for facilitating this onboarding process.  The management overhead 
between the two choices seems nearly identical.  I mean we're talking about 
spinning up a couple of VM's configuring a few policies and updating certs 
every few years in both cases.  

Ryan,

Why does this process take 5 min?  You should have stuck with Cloudpath 
(haha).  I just timed it and it takes me 1:08 with iOS  - our most popular 
device.

I know we're all sensitive to BYOD, but don't forget the managed devices - 
in our testing EAP-TLS with GPO is easier than both PEAP and PPSK because the 
user literally does nothing but login to the machine.  Will you push out PSK's 
to the managed devices?  I think both solutions have their place - it's in 
applying either too broadly that you shoot yourself in the foot.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
<j...@scrippscollege.edu>
Sent: Friday, November 4, 2016 11:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Based on your data, this is what I ran in my head.

58,000 devices on TLS - Say 5 minutes each to provision based on your 
comments.

WPA2-Ent TLS:
5 minutes x 58000 clients = 4833 hours spent by the community connecting to 
WiFi.
4833 hours each and every year given the expiration on the cert.

Open WiFi:
10 seconds to pick SSID x 58000 clients = 161 hours.
No additional hours in subsequent years other than new clients.

PSK/PPSK WiFi:
30 seconds to pick SSID and ente

RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Jeffrey D. Sessler
Curtis,

Curtis, I'm just asking questions and thinking out loud.

Of course there will be infrastructure, but in my mind, a student logging into 
our student portal to get their personal key _once_, which they then use on all 
of their devices, is intrinsically less overhead (and less time spent) than TLS 
even if an experienced IT person only needs 1:08 on an iOS device. Unlike PPSK, 
TLS requires the on-boarding of every device.

I'm not knocking TLS, but in practice it still sounds like more work than what 
a user is subjected to at home. The closer I get the experience to home (which 
PPSK seems to try and do), the happier I think the users will be. IT will be 
considered a partner rather than an adversary. 

And by users I mean Students. It's very likely that a college may choose to 
treat college-owned assets differently.

Jeff


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Friday, November 04, 2016 1:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Hi Jeff,

I'm wondering what product you have found that facilitates PPSK to group levels 
with no administrative overhead and no infrastructure requirements.  I mean 
assuming you don't want every user in the organization to be using the same key 
and every device in the same VLAN - there has to be active directory 
integration, RADIUS infrastructure, policies defined, and at least a 
webserver for facilitating this onboarding process.  The management overhead 
between the two choices seems nearly identical.  I mean we're talking about 
spinning up a couple of VM's configuring a few policies and updating certs 
every few years in both cases.  

Ryan,

Why does this process take 5 min?  You should have stuck with Cloudpath (haha). 
 I just timed it and it takes me 1:08 with iOS  - our most popular device.

I know we're all sensitive to BYOD, but don't forget the managed devices - in 
our testing EAP-TLS with GPO is easier than both PEAP and PPSK because the user 
literally does nothing but login to the machine.  Will you push out PSK's to 
the managed devices?  I think both solutions have their place - it's in 
applying either too broadly that you shoot yourself in the foot.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
<j...@scrippscollege.edu>
Sent: Friday, November 4, 2016 11:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Based on your data, this is what I ran in my head.

58,000 devices on TLS - Say 5 minutes each to provision based on your comments.

WPA2-Ent TLS:
5 minutes x 58000 clients = 4833 hours spent by the community connecting to 
WiFi.
4833 hours each and every year given the expiration on the cert.

Open WiFi:
10 seconds to pick SSID x 58000 clients = 161 hours.
No additional hours in subsequent years other than new clients.

PSK/PPSK WiFi:
30 seconds to pick SSID and enter passphrase x 58000 clients = 483 hours.
No additional hours in subsequent years other than when adding a new client.


For all of them:
How many IT admin hours are spent managing it?
How many IT user support hours responding to questions/problems?
Yearly cost for infrastructure to support each?
What are the risks associated with each?

In the case of TLS, does the loss of over 4000 hours per year on just the user 
side justify its use over the alternatives? Is it that much better? Does IT 
save 4000 hours in other areas?

That's why I asked about PPSK as an alternative. When one scales up to tens of 
thousands of devices, five minutes starts to matter.

Jeff



On 11/4/16, 6:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
rhtur...@email.unc.edu> wrote:

We do, too.  I really wasn't even thinking of those types of devices in the 
initial response because our belief has been for any device that doesn't 
support TLS to just use PSK.

Yesterday we had 58,000 devices on eduroam (using TLS) and 9000 on our PSK 
network.

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, November 4, 2016 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Those devices do not support 802.1X. That is why we currently have a 
separate SSID for those devices.

PPSK *may* be a more secure solution for those devices that do not support 
TLS much like WPA2-Personal (PSK) is currently a solution for devices that do 
not support WPA2-Enterprise (802.1X).


Bruce Osborne
Wire

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Turner, Ryan H
Curtis,

Yeah, 5 minutes was my nonprecise way of saying it doesn't take long :).  For 
Windows and iPhones, it is lightning fast.  For OSX, it is pretty quick (but 
the user is annoyingly asked to enter their root credentials multiple times) 
with android being the most problematic.  I am sure it's similar to yours.  

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Nov 4, 2016, at 4:50 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu> wrote:
> 
> Hi Jeff,
> 
> I'm wondering what product you have found that facilitates PPSK to group 
> levels with no administrative overhead and no infrastructure requirements.  I 
> mean assuming you don't want every user in the organization to be using the 
> same key and every device in the same VLAN - there has to be active directory 
> integration, RADIUS infrastructure, policies defined, and at least a 
> webserver for facilitating this onboarding process.  The management overhead 
> between the two choices seems nearly identical.  I mean we're talking about 
> spinning up a couple of VM's configuring a few policies and updating certs 
> every few years in both cases.  
> 
> Ryan,
> 
> Why does this process take 5 min?  You should have stuck with Cloudpath 
> (haha).  I just timed it and it takes me 1:08 with iOS  - our most popular 
> device.
> 
> I know we're all sensitive to BYOD, but don't forget the managed devices - in 
> our testing EAP-TLS with GPO is easier than both PEAP and PPSK because the 
> user literally does nothing but login to the machine.  Will you push out 
> PSK's to the managed devices?  I think both solutions have their place - it's 
> in applying either too broadly that you shoot yourself in the foot.
> 
> -Curtis
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
> <j...@scrippscollege.edu>
> Sent: Friday, November 4, 2016 11:15 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Based on your data, this is what I ran in my head.
> 
> 58,000 devices on TLS – Say 5 minutes each to provision based on your 
> comments.
> 
> WPA2-Ent TLS:
> 5 minutes x 58000 clients = 4833 hours spent by the community connecting to 
> WiFi.
> 4833 hours each and every year given the expiration on the cert.
> 
> Open WiFi:
> 10 seconds to pick SSID x 58000 clients = 161 hours.
> No additional hours in subsequent years other than new clients.
> 
> PSK/PPSK WiFi:
> 30 seconds to pick SSID and enter passphrase x 58000 clients = 483 hours.
> No additional hours in subsequent years other than when adding a new client.
> 
> 
> For all of them:
> How many IT admin hours are spent managing it?
> How many IT user support hours responding to questions/problems?
> Yearly cost for infrastructure to support each?
> What are the risks associated with each?
> 
> In the case of TLS, does the loss of over 4000 hours per year on just the 
> user side justify its use over the alternatives? Is it that much better? Does 
> IT save 4000 hours in other areas?
> 
> That’s why I asked about PPSK as an alternative. When one scales up to tens 
> of thousands of devices, five minutes starts to matter.
> 
> Jeff
> 
> 
> 
> On 11/4/16, 6:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
> rhtur...@email.unc.edu> wrote:
> 
> We do, too.  I really wasn’t even thinking of those types of devices in 
> the initial response because our belief has been for any device that doesn’t 
> support TLS to just use PSK.
> 
> Yesterday we had 58,000 devices on eduroam (using TLS) and 9000 on our PSK 
> network.
> 
> Ryan
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
> (Network Operations)
> Sent: Friday, November 4, 2016 7:51 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Those devices do not support 802.1X. That is why we currently have a 
> separate SSID for those devices.
> 
> PPSK *may* be a more secure solution for those devices that do not support 
> TLS much like WPA2-Personal (PSK) is currently a solution for devices that do 
> not support WPA2-Enterprise (802.1X).
> 
> 
> Bruce Osborne
> Wireless Engineer
> IT Network Operations - Wireless
> (434) 592-4229
>

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Curtis K. Larsen
Hi Jeff,

I'm wondering what product you have found that facilitates PPSK to group levels 
with no administrative overhead and no infrastructure requirements.  I mean 
assuming you don't want every user in the organization to be using the same key 
and every device in the same VLAN - there has to be active directory 
integration, RADIUS infrastructure, policies defined, and at least a 
webserver for facilitating this onboarding process.  The management overhead 
between the two choices seems nearly identical.  I mean we're talking about 
spinning up a couple of VM's configuring a few policies and updating certs 
every few years in both cases.  

Ryan,

Why does this process take 5 min?  You should have stuck with Cloudpath (haha). 
 I just timed it and it takes me 1:08 with iOS  - our most popular device.

I know we're all sensitive to BYOD, but don't forget the managed devices - in 
our testing EAP-TLS with GPO is easier than both PEAP and PPSK because the user 
literally does nothing but login to the machine.  Will you push out PSK's to 
the managed devices?  I think both solutions have their place - it's in 
applying either too broadly that you shoot yourself in the foot.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
<j...@scrippscollege.edu>
Sent: Friday, November 4, 2016 11:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Based on your data, this is what I ran in my head.

58,000 devices on TLS – Say 5 minutes each to provision based on your comments.

WPA2-Ent TLS:
5 minutes x 58000 clients = 4833 hours spent by the community connecting to 
WiFi.
4833 hours each and every year given the expiration on the cert.

Open WiFi:
10 seconds to pick SSID x 58000 clients = 161 hours.
No additional hours in subsequent years other than new clients.

PSK/PPSK WiFi:
30 seconds to pick SSID and enter passphrase x 58000 clients = 483 hours.
No additional hours in subsequent years other than when adding a new client.


For all of them:
How many IT admin hours are spent managing it?
How many IT user support hours responding to questions/problems?
Yearly cost for infrastructure to support each?
What are the risks associated with each?

In the case of TLS, does the loss of over 4000 hours per year on just the user 
side justify its use over the alternatives? Is it that much better? Does IT 
save 4000 hours in other areas?

That’s why I asked about PPSK as an alternative. When one scales up to tens of 
thousands of devices, five minutes starts to matter.

Jeff



On 11/4/16, 6:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
rhtur...@email.unc.edu> wrote:

We do, too.  I really wasn’t even thinking of those types of devices in the 
initial response because our belief has been for any device that doesn’t 
support TLS to just use PSK.

Yesterday we had 58,000 devices on eduroam (using TLS) and 9000 on our PSK 
network.

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, November 4, 2016 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Those devices do not support 802.1X. That is why we currently have a 
separate SSID for those devices.

PPSK *may* be a more secure solution for those devices that do not support 
TLS much like WPA2-Personal (PSK) is currently a solution for devices that do 
not support WPA2-Enterprise (802.1X).


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless
 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu]
Sent: Thursday, November 3, 2016 4:45 PM
Subject: Re: TLS Onboarding Vendors

Really? So Wii U, PlayStation 3 & 4, Amazon Fire TV, and Xbox 360/One now 
support TLS?

Jeff


On 11/3/16, 11:52 AM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
behalf of rhtur...@email.unc.edu> wrote:

Right now the only things that don't play well with TLS are Windows 
phones and blackberries.  If they run Linux, it is also not great (although we 
have instructions on how to do this and many people configure manually without 
issue).

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, November 3, 2016 11:15 AM
To: WI

RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Turner, Ryan H
Interesting enough, just with eduroam, I have probably reduced my onboarding 
time just in the past year by a factor of 6 because so many places I go to are 
eduroam enabled.  So, the initial time onboarding for a federated SSID will be 
more than made up for the time they would either 1) not have access at a 
foreign institution (loss of productivity) or 2) have to onboard with some 
guest version of PPSK at every institution they visit because they don’t use 
WPA2-Ent.  We can slice this many different ways.

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Friday, November 4, 2016 4:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Numbers at scale can be misleading.  I am not going to be concerned about the 5 
minutes once a year for onboarding any more than I am going to worried about 
the bathroom breaks my employees take, or the 5 minutes they take multiple 
times in the day to get a coffee.  Managing productivity at that level is 
actually really unproductive and counter effective.  Put another way, am I 
going to be concerned that putting a user through a process that uses .00045% 
of their work time in a year (based on 1800 hours)? The individuals would be 
on campus for 6.5B hours each year.  So, no, not concerned about 4500 hours.

I manage the entire onboarding process on my end.  Breaking down the process 
into little pieces is tedious.   The majority of my issues have nothing to do 
with the certificates, but back end radius infrastructure.  That is probably my 
biggest time suck.  The help desk that we have staffed, once we learned some 
hard lessons (which I try to share with my powerpoint) has stated that the 
burden on them for client onboarding issues isn't a concern.

In the end, there probably is nothing wrong with PPSK, but I just wouldn't 
adopt it.  Eduroam has been so widely praised and adopted in this area.  Your 
PPSK doesn't address that.

Ryan




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, November 4, 2016 1:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Based on your data, this is what I ran in my head.

58,000 devices on TLS – Say 5 minutes each to provision based on your comments.

WPA2-Ent TLS:
5 minutes x 58000 clients = 4833 hours spent by the community connecting to 
WiFi.
4833 hours each and every year given the expiration on the cert.

Open WiFi:
10 seconds to pick SSID x 58000 clients = 161 hours.
No additional hours in subsequent years other than new clients.

PSK/PPSK WiFi:
30 seconds to pick SSID and enter passphrase x 58000 clients = 483 hours.
No additional hours in subsequent years other than when adding a new client.


For all of them:
How many IT admin hours are spent managing it?
How many IT user support hours responding to questions/problems?
Yearly cost for infrastructure to support each?
What are the risks associated with each?

In the case of TLS, does the loss of over 4000 hours per year on just the user 
side justify its use over the alternatives? Is it that much better? Does IT 
save 4000 hours in other areas?  

That’s why I asked about PPSK as an alternative. When one scales up to tens of 
thousands of devices, five minutes starts to matter. 

Jeff



On 11/4/16, 6:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
rhtur...@email.unc.edu> wrote:

We do, too.  I really wasn’t even thinking of those types of devices in the 
initial response because our belief has been for any device that doesn’t 
support TLS to just use PSK.

Yesterday we had 58,000 devices on eduroam (using TLS) and 9000 on our PSK 
network.

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, November 4, 2016 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Those devices do not support 802.1X. That is why we currently have a 
separate SSID for those devices. 

PPSK *may* be a more secure solution for those devices that do not support 
TLS much like WPA2-Personal (PSK) is currently a solution for devices that do 
not support WPA2-Enterprise (802.1X).


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu] 
Sent: Thursday, November

RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Turner, Ryan H
Numbers at scale can be misleading.  I am not going to be concerned about the 5 
minutes once a year for onboarding any more than I am going to worried about 
the bathroom breaks my employees take, or the 5 minutes they take multiple 
times in the day to get a coffee.  Managing productivity at that level is 
actually really unproductive and counter effective.  Put another way, am I 
going to be concerned that putting a user through a process that uses .00045% 
of their work time in a year (based on 1800 hours)? The individuals would be 
on campus for 6.5B hours each year.  So, no, not concerned about 4500 hours.

I manage the entire onboarding process on my end.  Breaking down the process 
into little pieces is tedious.   The majority of my issues have nothing to do 
with the certificates, but back end radius infrastructure.  That is probably my 
biggest time suck.  The help desk that we have staffed, once we learned some 
hard lessons (which I try to share with my powerpoint) has stated that the 
burden on them for client onboarding issues isn't a concern.

In the end, there probably is nothing wrong with PPSK, but I just wouldn't 
adopt it.  Eduroam has been so widely praised and adopted in this area.  Your 
PPSK doesn't address that.

Ryan




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, November 4, 2016 1:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Based on your data, this is what I ran in my head.

58,000 devices on TLS – Say 5 minutes each to provision based on your comments.

WPA2-Ent TLS:
5 minutes x 58000 clients = 4833 hours spent by the community connecting to 
WiFi.
4833 hours each and every year given the expiration on the cert.

Open WiFi:
10 seconds to pick SSID x 58000 clients = 161 hours.
No additional hours in subsequent years other than new clients.

PSK/PPSK WiFi:
30 seconds to pick SSID and enter passphrase x 58000 clients = 483 hours.
No additional hours in subsequent years other than when adding a new client.


For all of them:
How many IT admin hours are spent managing it?
How many IT user support hours responding to questions/problems?
Yearly cost for infrastructure to support each?
What are the risks associated with each?

In the case of TLS, does the loss of over 4000 hours per year on just the user 
side justify its use over the alternatives? Is it that much better? Does IT 
save 4000 hours in other areas?  

That’s why I asked about PPSK as an alternative. When one scales up to tens of 
thousands of devices, five minutes starts to matter. 

Jeff



On 11/4/16, 6:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
rhtur...@email.unc.edu> wrote:

We do, too.  I really wasn’t even thinking of those types of devices in the 
initial response because our belief has been for any device that doesn’t 
support TLS to just use PSK.

Yesterday we had 58,000 devices on eduroam (using TLS) and 9000 on our PSK 
network.

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, November 4, 2016 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
    Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Those devices do not support 802.1X. That is why we currently have a 
separate SSID for those devices. 

PPSK *may* be a more secure solution for those devices that do not support 
TLS much like WPA2-Personal (PSK) is currently a solution for devices that do 
not support WPA2-Enterprise (802.1X).


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu] 
Sent: Thursday, November 3, 2016 4:45 PM
Subject: Re: TLS Onboarding Vendors

Really? So Wii U, Playstation 3 &4, Amazon Fire TV, and Xbox 360/One now 
support TLS? 

Jeff


On 11/3/16, 11:52 AM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
behalf of rhtur...@email.unc.edu> wrote:

Right now the only things that don't play well with TLS are Windows 
phones and blackberries.  If they run Linux, it is also not great (although we 
have instructions on how to do this and many people configure manually without 
issue).

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Jeffrey D. Sessler
Based on your data, this is what I ran in my head.

58,000 devices on TLS – Say 5 minutes each to provision based on your comments.

WPA2-Ent TLS:
5 minutes x 58000 clients = 4833 hours spent by the community connecting to 
WiFi.
4833 hours each and every year given the expiration on the cert.

Open WiFi:
10 seconds to pick SSID x 58000 clients = 161 hours.
No additional hours in subsequent years other than new clients.

PSK/PPSK WiFi:
30 seconds to pick SSID and enter passphrase x 58000 clients = 483 hours.
No additional hours in subsequent years other than when adding a new client.


For all of them:
How many IT admin hours are spent managing it?
How many IT user support hours responding to questions/problems?
Yearly cost for infrastructure to support each?
What are the risks associated with each?

In the case of TLS, does the loss of over 4000 hours per year on just the user 
side justify its use over the alternatives? Is it that much better? Does IT 
save 4000 hours in other areas?  

That’s why I asked about PPSK as an alternative. When one scales up to tens of 
thousands of devices, five minutes starts to matter. 

Jeff



On 11/4/16, 6:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
rhtur...@email.unc.edu> wrote:

We do, too.  I really wasn’t even thinking of those types of devices in the 
initial response because our belief has been for any device that doesn’t 
support TLS to just use PSK.

Yesterday we had 58,000 devices on eduroam (using TLS) and 9000 on our PSK 
network.

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, November 4, 2016 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Those devices do not support 802.1X. That is why we currently have a 
separate SSID for those devices. 

PPSK *may* be a more secure solution for those devices that do not support 
TLS much like WPA2-Personal (PSK) is currently a solution for devices that do 
not support WPA2-Enterprise (802.1X).


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971


RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Turner, Ryan H
Well, in truth I was referring to portable devices.  Of your list, I guess I 
forgot about the fire.  We run a PSK network for those devices.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, November 3, 2016 4:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Really? So Wii U, Playstation 3 &4, Amazon Fire TV, and Xbox 360/One now 
support TLS? 

Jeff



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-03 Thread Jeffrey D. Sessler
Really? So Wii U, Playstation 3 &4, Amazon Fire TV, and Xbox 360/One now 
support TLS? 

Jeff


On 11/3/16, 11:52 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
rhtur...@email.unc.edu> wrote:

Right now the only things that don't play well with TLS are Windows phones 
and blackberries.  If they run Linux, it is also not great (although we have 
instructions on how to do this and many people configure manually without 
issue).

Ryan


RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-03 Thread Turner, Ryan H
Right now the only things that don't play well with TLS are Windows phones and 
blackberries.  If they run Linux, it is also not great (although we have 
instructions on how to do this and many people configure manually without 
issue).

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, November 3, 2016 11:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Ryan,

No doubt we’re seeing better support, my question about PPSK was just that… a 
question. I’m looking at options going forward to solve the ongoing divide 
between the devices that do and do not support these advanced methods. For 
students (which is my focus), the advantages/disadvantages between the options 
don’t matter when their devices have to be dealt with differently.

On face value, PPSK appears to solve the problem for the user, removing 
barriers at the college that don’t exist at their home. While I agree that TLS 
configuration isn’t difficult, it’s still far harder than just entering a PPSK, 
and not everything supports TLS. We’ve been wishing for better support from 
device makers for a decade, and each year we take a few steps forward, and then 
a few backward.

Our vendor is rumored to be adding enterprise-scalable PPSK support early next 
year, so I was really curious to know if others had this option, would it 
influence the deployment of TLS. Right or wrong, it’s influenced mine, so I 
wasn’t sure if I was an outlier or were others of the same mindset. 

Jeff


Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-03 Thread Jeffrey D. Sessler
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
> Sent: Tuesday, November 1, 2016 2:54 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> "If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?"
> 
> Where's the like button?  FWIW, I still like enterprise encryption and 
> authentication for keeping people off of my network.  It's nevertheless 
> useful to remind ourselves of precisely what the value is, and it's not 
> protecting the data.
> 
> Chuck
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 01, 2016 4:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Curtis,
> 
> If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?
> 
> Our Admissions process starts with getting Common App (filled out by 
> student/parents at home on a website and includes a lot of sensitive info), 
> that data feeds into Slate (another cloud-based Admissions package), then 
> feeds into financial-aid and the SiS (again web-based for the users). The 
> bulk of the PII/FERPA items have then been collected outside of the college 
> environment, from connections that may have Starbucks level of protection. I’m 
> trying to see the justification of WPA2-Ent, but it’s a hard sell – sure, I 
> know there can be advantages, but are they necessary and/or justified? Is 
> PPSK good enough for everyone? Is it good enough for students and their 
> devices?
> 
> Jeff
> 
> On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> on behalf of curtis.k.lar...@utah.edu> wrote:
> 
> I personally would *not* prefer PPSK for devices that are WPA2-Ent. 
> (EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for 
> devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be 
> anxious to use it there when our vendor delivers ...but the same 
> vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute 
> forcing).  So, for IoT in student housing (game consoles, and roku devices 
> that only do PSK) maybe PPSK is the appropriate new level of security 
> because sensitive data is unlikely, but for the most common devices (Phone, 
> Laptop, Tablet, etc.) where users are more likely to access and transmit 
> FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From 
> what I can tell it is probably easier to implement EAP-TLS than PPSK amongst 
> the fully-managed portion of that device class anyway (thinking GPO here). 
> In my ideal world I would have 3 SSIDs: one guest SSID unencrypted, one 
> PPSK SSID that accommodates all of the non-dot1x capable devices that are 
> not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional 
> Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then someday in the 
> future Hotspot 2.0/802.11u would convert many of the un-encrypted guests 
> over to encrypted without any captive portal interaction.
> 
> 
> --
> Curtis K. Larsen
> Senior Network Engineer
> University of Utah IT/CIS

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-02 Thread Turner, Ryan H
Jeff,

I think that actually advanced EAP methods have turned the corner.  
Manufacturers are making onboarding easier.  I think you are under the 
impression that configuring a device for certificates is a big process. It 
takes most people less than 5 minutes, and they do this once a year.  

Just in our area, UNC and NC State, representing over 60,000 students are TLS.  
Duke is moving that way.  

I haven't spoken to anyone recently even remotely considering PPSK.  I've heard 
plenty starting to explore TLS. 

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> I think the distinction between enterprise and residential blurred with the 
> advent of SaaS and the cloud. No longer did an employee need to be “at the 
> office” to enter their hours worked in the time and attendance system, or as 
> an administrator, you no longer had to run the accounting application from 
> your office computer. It’s difficult for me to name anything we’re doing here 
> now that isn’t some form of web-based SaaS model, where the expectation is 
> that an employee (barring overtime rules) can access these systems from any 
> location. If an employee can access these systems from Starbucks for the 16 
> hours a day they aren’t at work, what’s the point of WPA2-ent for the other 
> 8? 
> 
> I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. 
> I think most will come to accept that something like PPSK is “good enough”. 
> Users don’t want significant barriers to getting access to what they need, 
> and once those barriers reach a certain level, the user will absolutely find 
> alternatives i.e. I’ve visited many colleges where it was easier to use my 
> MiFi hotspot than to be forced thru a cumbersome on-boarding system where 
> there are restrictions be it on services available or data rates.
> 
> Taken to the extreme. At the point you no longer have a local data center and 
> everything is SaaS, can an argument for WPA2-ent still be made? 
> 
> Jeff
> 
> On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf 
> of curtis.k.lar...@utah.edu> wrote:
> 
> Well, I think users in general expect that when they connect to the 
> "Secure" wireless network - it is both encrypted, and they are not being 
> impersonated.  If not, maybe you could allow them to opt-out after accepting 
> the risk.  Often these are the same credentials that staff use to login and 
> set the direct deposit for their paycheck, credentials faculty use to post 
> grades, and students use to add/drop classes.  The business could also 
> opt-out if they are willing to accept the risk.  But as the Enterprise 
> Wireless Engineer you should at least make everyone aware that with PPSK 
> there are still risks.  Also, I just think one of these standards was 
> intended to be mostly for residential purposes and the other for mostly 
> enterprise purposes.  When you look at federated authentication as in eduroam 
> or hotspot 2.0, etc. WPA2-Ent. just seems to fit better long-term.  In short, 
> I think the difficult/expensive parts of PKI/EAP-TLS have recently become a 
> lot easier and I think they'll continue to do so.
> 
> -Curtis
> 

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-02 Thread Turner, Ryan H
We have a PSK network for devices that don't support advanced EAP methods.  But 
students are our biggest users abroad of eduroam, and we don't push onboarding 
of their devices on PSK.  In fact, we make it more difficult.  They must 
register their devices in advance in order to get DHCP and we change the very 
long PSK each semester.  


Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Nov 1, 2016, at 4:42 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> I guess I should have also added – What about just for students and their 
> devices?
> 
> Jeff
> 
> On 11/1/16, 10:22 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
> behalf of rhtur...@email.unc.edu> wrote:
> 
> We use eduroam, which necessitates a realm for routing.  No for us.
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 1, 2016 10:12 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Just curious. If those using or considering TLS had the option of PPSK 
> (personal pre-shared key), would you opt for PPSK instead?
> 
> Jeff
> 
> On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
> behalf of board...@syr.edu> wrote:
> 
> We are using Cloud Path for onboarding, but we are considering other 
> options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
> Clear Pass but I'm considering other standalone options as well. Anybody have 
> experience or thoughts they'd like to share? Thanks
> 
> Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
> board...@syr.edu
> 
**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Philippe Hanset
Jeff, 

I agree with you. My ultimate model would be even open WiFi everywhere with 
bulletproof applications and a set bandwidth per user (and locations agreeing 
on IP roaming).

While I'm writing this I'm waiting for my son at a free public electric car 
charging station. Out of 6 parking places one is taken by an electric car and 
all others are non-electric cars using the slots because it is close to the 
sport facility. Enforcement is nowhere to be seen (quite amazing BTW on a 
campus ;-). Human nature! 

Network engineers need and like a few control knobs to control chaos. MAC 
addresses do not seem to be enough anymore.

At the moment WPA2-enterprise seems to fit a certain need and as EAP-TLS 
becomes better supported in OSes many of us have bitten the PKI bullet without 
too much pain.

I see EAP-TLS as a soft SIM card for Wi-Fi. Very powerful and, unlike a SIM card, 
it doesn't need to be controlled by a specific provider.

Philippe
www.eduroam.us

> On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> I think the distinction between enterprise and residential blurred with the 
> advent of SaaS and the cloud. No longer did an employee need to be “at the 
> office” to enter their hours worked in the time and attendance system, or as 
> an administrator, you no longer had to run the accounting application from 
> your office computer. It’s difficult for me to name anything we’re doing here 
> now that isn’t some form of web-based SaaS model, where the expectation is 
> that an employee (barring overtime rules) can access these systems from any 
> location. If an employee can access these systems from Starbucks for the 16 
> hours a day they aren’t at work, what’s the point of WPA2-ent for the other 
> 8? 
> 
> I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. 
> I think most will come to accept that something like PPSK is “good enough”. 
> Users don’t want significant barriers to getting access to what they need, 
> and once those barriers reach a certain level, the user will absolutely find 
> alternatives i.e. I’ve visited many colleges where it was easier to use my 
> MiFi hotspot than to be forced through a cumbersome on-boarding system where 
> there are restrictions be it on services available or data rates.
> 
> Taken to the extreme. At the point you no longer have a local data center and 
> everything is SaaS, can an argument for WPA2-ent still be made? 
> 
> Jeff
> 
> On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf 
> of curtis.k.lar...@utah.edu> wrote:
> 
>Well, I think users in general expect that when they connect to the 
> "Secure" wireless network - it is both encrypted, and they are not being 
> impersonated.  If not, maybe you could allow them to opt-out after accepting 
> the risk.  Often these are the same credentials that staff use to login and 
> set the direct deposit for their paycheck, credentials faculty use to post 
> grades, and students use to add/drop classes.  The business could also 
> opt-out if they are willing to accept the risk.  But as the Enterprise 
> Wireless Engineer you should at least make everyone aware that with PPSK 
> there are still risks.  Also, I just think one of these standards was 
> intended to be mostly for residential purposes and the other for mostly 
> enterprise purposes.  When you look at federated authentication as in eduroam 
> or hotspot 2.0, etc. WPA2-Ent. just seems to fit better long-term.  In short, 
> I think the difficult/expensive parts of PKI/EAP-TLS have recently become a 
> lot easier and I think they'll continue to do so.
> 
>-Curtis
> 
>
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield 
> <chu...@psu.edu>
>Sent: Tuesday, November 1, 2016 2:54 PM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
>"If we can agree that most applications today (including ones that involve
>FERPA or PII) are web-based (let’s toss in cloud too), and a user can 
> access
>them from any location including at home on a PSK protected SSID (or
>cellular connection, or open network at Starbucks), does forcing WPA2-Ent 
> at
>the campus actually result in reduced risk?  Is there cost justification 
> for
>the infrastructure (staff, hardware, software) necessary to implement
>EAP-TLS (or alternatives)?"
> 
>Where's the like button?  FWIW, I still like enterprise encryption and
>authentication for keeping p

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Philippe Hanset

>  
> WPA2-enterprise (eduroam or not) has three main benefits and a cool side 
> effect:
> 
> 1) You know who is on, one user at a time.
>  
> How do you know this? You know that the device is using a particular user’s 
> id/pass and/or was on-boarded using their account. You have no way to verify 
> that the device belongs to the actual owner. One could make the same claim of 
> PPSK (I know who you are based on your PPSK passphrase), but just like 
> WPA2-ent, there is nothing to prevent another user from on-boarding a device 
> for a friend.

If need be you can find the user behind the authentication. And since we are 
also talking about EAP-TLS you can lock the profile to a specific device. No 
sharing. In this particular case EAP-TLS is ideal to prevent credential 
sharing.

> 
> 2) the user knows what network it is (since the infrastructure certificate is 
> verified)
> 
> It’s been demonstrated over and over that most users will simply click past 
> prompts, even when the prompt clearly shows something is wrong i.e. a user 
> presented with a bad certificate is likely to just accept it (or disable the 
> verification of the cert).

If you use profile-based authentication, not letting users configure by just 
entering username/password when selecting the SSID (e.g. using the CAT tool or 
other profile creation apps), the infrastructure certificate cannot be bypassed 
easily. Or use EAP-TLS to totally prevent any risk.
>  
> 3) It’s automatic... no pesky portal to deal with
>  
> This is also a case for PPSK and/or an open network.

Of course, with my little bias toward roaming I should ask: how do you roam 
with PPSK? ;-)

How does PPSK size up for large campuses? I seem to remember from this list 
that beyond a certain number of users there are some limitations.

And finally, with WPA2-ent you can separate users based on domains if you wish 
to do so (e.g. @students.domain vs. @faculty.domain).

I'm sure that PPSK has great applications for specific cases but it doesn't 
have the overall breadth of WPA2-enterprise. 

Philippe
www.eduroam.us

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
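The distinction drawn above between a profile the user types in and one pushed by a tool (CAT or similar) is checkable. Below is an added example for this thread, not code from the list, eduroam or CAT: a small linter over wpa_supplicant-style network blocks that flags EAP profiles without a pinned CA or a server-name match, i.e. the profiles where a bad infrastructure certificate can be clicked past. The configuration keys are wpa_supplicant's; the two sample profiles, SSIDs, file paths and names are constructed placeholders.

```python
"""Lint wpa_supplicant-style EAP profiles for server-certificate pinning.

Added example for this thread (not code from the list, eduroam or CAT): a
tool-pushed profile can hard-wire the trusted CA and the expected RADIUS
server name, so the user never sees a certificate prompt to click past.
This linter flags profiles that leave either out. The config keys are
wpa_supplicant's; the sample profiles below are constructed placeholders.
"""
import re

# wpa_supplicant keys that establish trust in the RADIUS server certificate.
CA_KEYS = ("ca_cert", "ca_path")
# Keys that bind that trust to a specific server name, not just to a CA.
NAME_KEYS = ("domain_suffix_match", "domain_match",
             "subject_match", "altsubject_match")
# Tunneled methods whose outer identity is sent in the clear.
TUNNELED = ("PEAP", "TTLS", "FAST")


def parse_network_blocks(text):
    """Return one {key: value} dict per network={...} block in `text`."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
        blocks.append(settings)
    return blocks


def lint_block(settings):
    """Return the list of findings for one block; an empty list means OK."""
    if settings.get("key_mgmt", "").upper() not in ("WPA-EAP", "WPA-EAP-SHA256"):
        return []  # PSK or open network: the 802.1X checks do not apply
    findings = []
    eap = settings.get("eap", "").upper()
    if not any(k in settings for k in CA_KEYS):
        # Without ca_cert/ca_path wpa_supplicant does not verify the server
        # certificate at all: the "type in username/password" case above.
        findings.append("no ca_cert/ca_path: server certificate is not verified")
    if not any(k in settings for k in NAME_KEYS):
        findings.append("no domain/subject match: any certificate from the "
                        "trusted CA is accepted")
    if eap in TUNNELED and not settings.get("anonymous_identity"):
        findings.append("no anonymous_identity: real username is sent in the "
                        "cleartext outer identity")
    if eap == "TLS" and not (settings.get("client_cert")
                             and settings.get("private_key")):
        findings.append("EAP-TLS without client_cert/private_key")
    return findings


def lint_config(text):
    """Lint every block in a config and key the findings by SSID."""
    return {b.get("ssid", "<no ssid>"): lint_block(b)
            for b in parse_network_blocks(text)}


# Constructed sample: what a user typing username/password into the OS
# dialog typically ends up with. SSID and credentials are placeholders.
MANUAL_PROFILE = """
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: an EAP-TLS profile as an onboarding tool would push it.
# CA path, server name and certificate paths are placeholders.
PUSHED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="anonymous@example.edu"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/device.pem"
    private_key="/etc/wpa_supplicant/device.key"
}
"""

if __name__ == "__main__":
    for ssid, findings in lint_config(MANUAL_PROFILE + PUSHED_PROFILE).items():
        print(ssid, "->", findings or "OK")
```

Run against a real wpa_supplicant.conf, the same functions report which SSIDs still rely on the user noticing a bad certificate.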



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Curtis K. Larsen
Today disk encryption is built-in and enabled by default for my smartphone 
without me doing a thing.  One day I believe I'll un-box a smartphone that 
already has a certificate probably provided by my carrier that allows me to 
seamlessly roam (because of some already established peering agreement) to my 
WPA2-Ent. University WLAN.  I won't think about Wi-Fi roaming any more than 
I think about cellular roaming today.  PPSK will likely still require 
onboarding.  In the meantime, ANYROAM, and eduroam are getting us close.  You 
might be surprised how many guest users are already choosing encryption when 
given the choice at a simple captive portal.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
<j...@scrippscollege.edu>
Sent: Tuesday, November 1, 2016 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

I think the distinction between enterprise and residential blurred with the 
advent of SaaS and the cloud. No longer did an employee need to be “at the 
office” to enter their hours worked in the time and attendance system, or as an 
administrator, you no longer had to run the accounting application from your 
office computer. It’s difficult for me to name anything we’re doing here now 
that isn’t some form of web-based SaaS model, where the expectation is that an 
employee (barring overtime rules) can access these systems from any location. If 
an employee can access these systems from Starbucks for the 16 hours a day they 
aren’t at work, what’s the point of WPA2-ent for the other 8?

I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. I 
think most will come to accept that something like PPSK is “good enough”. Users 
don’t want significant barriers to getting access to what they need, and once 
those barriers reach a certain level, the user will absolutely find 
alternatives i.e. I’ve visited many colleges where it was easier to use my MiFi 
hotspot than to be forced through a cumbersome on-boarding system where there are 
restrictions be it on services available or data rates.

Taken to the extreme. At the point you no longer have a local data center and 
everything is SaaS, can an argument for WPA2-ent still be made?

Jeff

On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:

Well, I think users in general expect that when they connect to the 
"Secure" wireless network - it is both encrypted, and they are not being 
impersonated.  If not, maybe you could allow them to opt-out after accepting 
the risk.  Often these are the same credentials that staff use to login and set 
the direct deposit for their paycheck, credentials faculty use to post grades, 
and students use to add/drop classes.  The business could also opt-out if they 
are willing to accept the risk.  But as the Enterprise Wireless Engineer you 
should at least make everyone aware that with PPSK there are still risks.  
Also, I just think one of these standards was intended to be mostly for 
residential purposes and the other for mostly enterprise purposes.  When you 
look at federated authentication as in eduroam or hotspot 2.0, etc. WPA2-Ent. 
just seems to fit better long-term.  In short, I think the difficult/expensive 
parts of PKI/EAP-TLS have recently become a lot easier and I think they'll 
continue to do so.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
Sent: Tuesday, November 1, 2016 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

"If we can agree that most applications today (including ones that involve
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
them from any location including at home on a PSK protected SSID (or
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
the campus actually result in reduced risk?  Is there cost justification for
the infrastructure (staff, hardware, software) necessary to implement
EAP-TLS (or alternatives)?"

Where's the like button?  FWIW, I still like enterprise encryption and
authentication for keeping people off of my network.  It's nevertheless
useful to remind ourselves of precisely what the value is, and it's not
protecting the data.

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 01, 2016 4:41 P

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Jeffrey D. Sessler

WPA2-enterprise (eduroam or not) has three main benefits and a cool side effect:

1) You know who is on, one user at a time.

How do you know this? You know that the device is using a particular user’s 
id/pass and/or was on-boarded using their account. You have no way to verify 
that the device belongs to the actual owner. One could make the same claim of 
PPSK (I know who you are based on your PPSK passphrase), but just like 
WPA2-ent, there is nothing to prevent another user from on-boarding a device 
for a friend.

2) the user knows what network it is (since the infrastructure certificate is 
verified)

It’s been demonstrated over and over that most users will simply click past 
prompts, even when the prompt clearly shows something is wrong i.e. a user 
presented with a bad certificate is likely to just accept it (or disable the 
verification of the cert).

3) It’s automatic... no pesky portal to deal with

This is also a case for PPSK and/or an open network.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Jeffrey D. Sessler
I think the distinction between enterprise and residential blurred with the 
advent of SaaS and the cloud. No longer did an employee need to be “at the 
office” to enter their hours worked in the time and attendance system, or as an 
administrator, you no longer had to run the accounting application from your 
office computer. It’s difficult for me to name anything we’re doing here now 
that isn’t some form of web-based SaaS model, where the expectation is that an 
employee (barring overtime rules) can access these systems from any location. If 
an employee can access these systems from Starbucks for the 16 hours a day they 
aren’t at work, what’s the point of WPA2-ent for the other 8? 

I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. I 
think most will come to accept that something like PPSK is “good enough”. Users 
don’t want significant barriers to getting access to what they need, and once 
those barriers reach a certain level, the user will absolutely find 
alternatives i.e. I’ve visited many colleges where it was easier to use my MiFi 
hotspot than to be forced through a cumbersome on-boarding system where there are 
restrictions be it on services available or data rates.

Taken to the extreme. At the point you no longer have a local data center and 
everything is SaaS, can an argument for WPA2-ent still be made? 

Jeff

On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:

Well, I think users in general expect that when they connect to the 
"Secure" wireless network - it is both encrypted, and they are not being 
impersonated.  If not, maybe you could allow them to opt-out after accepting 
the risk.  Often these are the same credentials that staff use to login and set 
the direct deposit for their paycheck, credentials faculty use to post grades, 
and students use to add/drop classes.  The business could also opt-out if they 
are willing to accept the risk.  But as the Enterprise Wireless Engineer you 
should at least make everyone aware that with PPSK there are still risks.  
Also, I just think one of these standards was intended to be mostly for 
residential purposes and the other for mostly enterprise purposes.  When you 
look at federated authentication as in eduroam or hotspot 2.0, etc. WPA2-Ent. 
just seems to fit better long-term.  In short, I think the difficult/expensive 
parts of PKI/EAP-TLS have recently become a lot easier and I think they'll 
continue to do so.

-Curtis
 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
Sent: Tuesday, November 1, 2016 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

"If we can agree that most applications today (including ones that involve
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
them from any location including at home on a PSK protected SSID (or
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
the campus actually result in reduced risk?  Is there cost justification for
the infrastructure (staff, hardware, software) necessary to implement
EAP-TLS (or alternatives)?"

Where's the like button?  FWIW, I still like enterprise encryption and
authentication for keeping people off of my network.  It's nevertheless
useful to remind ourselves of precisely what the value is, and it's not
protecting the data.

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 01, 2016 4:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Curtis,

If we can agree that most applications today (including ones that involve
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
them from any location including at home on a PSK protected SSID (or
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
the campus actually result in reduced risk?  Is there cost justification for
the infrastructure (staff, hardware, software) necessary to implement
EAP-TLS (or alternatives)?

Our Admissions process starts with getting Common App (filled out by
student/parents at home on a website and includes a lot of sensitive info),
that data feeds into Slate (another cloud-based Admissions package), then
feeds into financial-aid and the SiS (again web-based for the users). The
bulk of the PII/FERPA items have then been collec

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Philippe Hanset
WPA2-enterprise (eduroam or not) has three main benefits and a cool side effect:

1) You know who is on, one user at a time
2) the user knows what network it is (since the infrastructure certificate is 
verified)
3) It’s automatic... no pesky portal to deal with

and the cool benefit is encryption over the air!

EAP-TLS has an edge over PEAP etc. because you don’t use sensitive passwords 
for a thing as simple as joining a network.
And you can revoke/manage one device at a time…not revoke a password that 
controls everything in your University life.

If you want to try EAP-TLS and you are using eduroam, here is an easy way:
Head to www.eduroam.us and log in as admin. Turn on “enable ANYROAM”. 
This will allow ANYROAM identities just for your campus.
Then head to http://anyroam.cloupath.net to be configured to join ANYROAM (it 
is using your existing eduroam SSID).
When you are done, erase the ANYROAM profile because it will take over your 
existing eduroam config on your device.
Go back to www.eduroam.us and turn “enable ANYROAM” off when you are done, or 
leave it on as cloud-based guest access!
BTW, any guest can use this if you decide to!

Philippe

Philippe Hanset
www.eduroam.us
> On Nov 1, 2016, at 4:54 PM, Chuck Enfield <chu...@psu.edu> wrote:
> 
> "If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?"
> 
> Where's the like button?  FWIW, I still like enterprise encryption and 
> authentication for keeping people off of my network.  It's nevertheless 
> useful to remind ourselves of precisely what the value is, and it's not 
> protecting the data.
> 
> Chuck
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 01, 2016 4:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Curtis,
> 
> If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?
> 
> Our Admissions process starts with getting Common App (filled out by 
> student/parents at home on a website and includes a lot of sensitive info), 
> that data feeds into Slate (another cloud-based Admissions package), then 
> feeds into financial-aid and the SiS (again web-based for the users). The 
> bulk of the PII/FERPA items have then been collected outside of the college 
> environment, from connections that may have Starbucks level of protection. I’m 
> trying to see the justification of WPA2-Ent, but it’s a hard sell – sure, I 
> know there can be advantages, but are they necessary and/or justified? Is 
> PPSK good enough for everyone? Is it good enough for students and their 
> devices?
> 
> Jeff
> 
> On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> on behalf of curtis.k.lar...@utah.edu> wrote:
> 
>I personally would *not* prefer PPSK for devices that are WPA2-Ent. 
> (EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for 
> devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be 
> anxious to use it there when our vendor delivers ...but the same 
> vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute 
> forcing).  So, for IoT in student housing (game consoles, and roku devices 
> that only do PSK) maybe PPSK is the appropriate new level of security 
> because sensitive data is unlikely, but for the most common devices (Phone, 
> Laptop, Tablet, etc.) where users are more likely to access and transmit 
> FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From 
> what I can tell it is probably easier to implement EAP-TLS than PPSK amongst 
> the fully-managed port

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Johnson, Neil M
Reminds me of this quote from Eugene Spafford:

"Secure web servers [cryptographically enabled web servers] are the equivalent 
of heavy armored cars. The problem is, they are being used to transfer rolls of 
coins and checks written in crayon by people on park benches to merchants doing 
business in cardboard boxes from beneath highway bridges. Further, the roads 
are subject to random detours, anyone with a screwdriver can control the 
traffic lights, and there are no police."

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Nov 1, 2016, at 3:54 PM, Chuck Enfield <chu...@psu.edu> wrote:
> 
> "If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?"
> 
> Where's the like button?  FWIW, I still like enterprise encryption and 
> authentication for keeping people off of my network.  It's nevertheless 
> useful to remind ourselves of precisely what the value is, and it's not 
> protecting the data.
> 
> Chuck
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 01, 2016 4:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Curtis,
> 
> If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?
> 
> Our Admissions process starts with getting Common App (filled out by 
> student/parents at home on a website and includes a lot of sensitive info), 
> that data feeds into Slate (another cloud-based Admissions package), then 
> feeds into financial-aid and the SiS (again web-based for the users). The 
> bulk of the PII/FERPA items have then been collected outside of the college 
> environment, from connections that may have Starbucks level of protection. I’m 
> trying to see the justification of WPA2-Ent, but it’s a hard sell – sure, I 
> know there can be advantages, but are they necessary and/or justified? Is 
> PPSK good enough for everyone? Is it good enough for students and their 
> devices?
> 
> Jeff
> 
> On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> on behalf of curtis.k.lar...@utah.edu> wrote:
> 
>I personally would *not* prefer PPSK for devices that are WPA2-Ent. 
> (EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for 
> devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be 
> anxious to use it there when our vendor delivers ...but the same 
> vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute 
> forcing).  So, for IoT in student housing (game consoles, and roku devices 
> that only do PSK) maybe PPSK is the appropriate new level of security 
> because sensitive data is unlikely, but for the most common devices (Phone, 
> Laptop, Tablet, etc.) where users are more likely to access and transmit 
> FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From 
> what I can tell it is probably easier to implement EAP-TLS than PPSK amongst 
> the fully-managed portion of that device class anyway (thinking GPO here). 
> In my ideal world I would have 3 SSIDs: one guest SSID unencrypted, one 
> PPSK SSID that accommodates all of the non-dot1x capable devices that are 
> not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional 
> Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then someday in the 
> future Hotspot 2.0/802.11u would convert many of the un-encrypted guests 
> over to encrypted without any captive portal interaction.
> 
> 
>--
>Curtis K. Larsen
>Senior Network Engineer
>University of Utah IT/CIS
> 
>
>    From: The EDUCAUSE 

RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Chuck Enfield
"If we can agree that most applications today (including ones that involve 
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
them from any location including at home on a PSK protected SSID (or 
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
the campus actually result in reduced risk?  Is there cost justification for 
the infrastructure (staff, hardware, software) necessary to implement 
EAP-TLS (or alternatives)?"

Where's the like button?  FWIW, I still like enterprise encryption and 
authentication for keeping people off of my network.  It's nevertheless 
useful to remind ourselves of precisely what the value is, and it's not 
protecting the data.

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 01, 2016 4:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Curtis,

If we can agree that most applications today (including ones that involve 
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
them from any location including at home on a PSK protected SSID (or 
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
the campus actually result in reduced risk?  Is there cost justification for 
the infrastructure (staff, hardware, software) necessary to implement 
EAP-TLS (or alternatives)?

Our Admissions process starts with getting Common App (filled out by 
student/parents at home on a website and includes a lot of sensitive info), 
that data feeds into Slate (another cloud-based Admissions package), then 
feeds into financial-aid and the SiS (again web-based for the users). The 
bulk of the PII/FERPA items have then been collected outside of the college 
environment, from connections that may have Starbucks level of protection. I’m 
trying to see the justification of WPA2-Ent, but it’s a hard sell – sure, I 
know there can be advantages, but are they necessary and/or justified? Is 
PPSK good enough for everyone? Is it good enough for students and their 
devices?

Jeff

On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
on behalf of curtis.k.lar...@utah.edu> wrote:

I personally would *not* prefer PPSK for devices that are WPA2-Ent. 
(EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for 
devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be 
anxious to use it there when our vendor delivers ...but the same 
vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute 
forcing).  So, for IoT in student housing (game consoles, and roku devices 
that only do PSK) maybe PPSK is the appropriate new level of security 
because sensitive data is unlikely, but for the most common devices (Phone, 
Laptop, Tablet, etc.) where users are more likely to access and transmit 
FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From 
what I can tell it is probably easier to implement EAP-TLS than PPSK amongst 
the fully-managed portion of that device class anyway (thinking GPO here). 
In my ideal world I would have 3 SSIDs: one guest SSID unencrypted, one 
PPSK SSID that accommodates all of the non-dot1x capable devices that are 
not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional 
Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then someday in the 
future Hotspot 2.0/802.11u would convert many of the un-encrypted guests 
over to encrypted without any captive portal interaction.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel 
<jcoeho...@york.edu>
Sent: Tuesday, November 1, 2016 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

> If those using or considering TLS had the option of PPSK (personal 
pre-shared key), would you opt for PPSK instead?

Definitely. I think it's a much more user-friendly option, while 
providing similar control and security as TLS.




Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu




The mission of York College is to transform lives through 
Christ-centered education and to equip students for lifelong service to God, 
family, and society

On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:
Just curious. If those using or considering T

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Jeffrey D. Sessler
I guess I should have also added – What about just for students and their 
devices?

Jeff

On 11/1/16, 10:22 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
rhtur...@email.unc.edu> wrote:

We use eduroam, which necessitates a realm for routing.  No for us.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 1, 2016 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Just curious. If those using or considering TLS had the option of PPSK 
(personal pre-shared key), would you opt for PPSK instead?

Jeff

On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
behalf of board...@syr.edu> wrote:

We are using Cloud Path for onboarding, but we are considering other 
options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
Clear Pass but I am considering other standalone options as well. Anybody have 
experience or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu

**
Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.





Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Jeffrey D. Sessler
Curtis,

If we can agree that most applications today (including ones that involve FERPA 
or PII) are web-based (let’s toss in cloud too), and a user can access them 
from any location including at home on a PSK protected SSID (or cellular 
connection, or open network at Starbucks), does forcing WPA2-Ent at the campus 
actually result in reduced risk?  Is there cost justification for the 
infrastructure (staff, hardware, software) necessary to implement EAP-TLS (or 
alternatives)?

Our Admissions process starts with getting Common App (filled out by 
student/parents at home on a website and includes a lot of sensitive info), 
that data feeds into Slate (another cloud-based Admissions package), then feeds 
into financial-aid and the SiS (again web-based for the users). The bulk of the 
PII/FERPA items have then been collected outside of the college environment, 
from connections that may have Starbucks level of protection. I’m trying to see 
the justification of WPA2-Ent, but it’s a hard sell – sure, I know there can be 
advantages, but are they necessary and/or justified? Is PPSK good enough for 
everyone? Is it good enough for students and their devices?

Jeff 

On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:

I personally would *not* prefer PPSK for devices that are WPA2-Ent. 
(EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for 
devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be 
anxious to use it there when our vendor delivers ...but the same 
vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute 
forcing).  So, for IoT in student housing (game consoles, and Roku devices that 
only do PSK) maybe PPSK is the appropriate new level of security because 
sensitive data is unlikely, but for the most common devices (Phone, Laptop, 
Tablet, etc.) where users are more likely to access and transmit FERPA, PHI, 
etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From what I can tell 
it is probably easier to implement EAP-TLS than PPSK amongst the fully-managed 
portion of that device class anyway (thinking GPO here).  In my ideal world I 
would have 3 SSIDs: One Guest SSID unencrypted, One PPSK SSID that 
accommodates all of the non-dot1x capable devices that are not guest users, and 
one dot1x WPA2-Ent (EAP-TLS) SSID for traditional Student/Faculty/Staff devices 
(Phone, Laptop, Tablet).  Then someday in the future Hotspot 2.0/802.11u would 
convert many of the un-encrypted guests over to encrypted without any captive 
portal interaction.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel 
<jcoeho...@york.edu>
Sent: Tuesday, November 1, 2016 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

> If those using or considering TLS had the option of PPSK (personal 
pre-shared key), would you opt for PPSK instead?

Definitely. I think it's a much more user-friendly option, while providing 
similar control and security as TLS.




Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:
Just curious. If those using or considering TLS had the option of PPSK 
(personal pre-shared key), would you opt for PPSK instead?

Jeff

On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Bruce Boardman" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of board...@syr.edu> wrote:

We are using Cloud Path for onboarding, but we are considering other 
options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
Clear Pass but I am considering other standalone options as well. Anybody have 
experience or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype board...@syr.edu


RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Turner, Ryan H
We use eduroam, which necessitates a realm for routing.  No for us.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 1, 2016 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Just curious. If those using or considering TLS had the option of PPSK 
(personal pre-shared key), would you opt for PPSK instead?

Jeff

On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
board...@syr.edu> wrote:

We are using Cloud Path for onboarding, but we are considering other 
options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
Clear Pass but I am considering other standalone options as well. Anybody have 
experience or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Curtis K. Larsen
I personally would *not* prefer PPSK for devices that are WPA2-Ent. (EAP-TLS) 
capable.  PPSK has a nice niche in the IoT device category for devices that do 
not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be anxious to use it 
there when our vendor delivers ...but the same vulnerabilities around a regular 
WPA2-PSK are still there (de-auths, brute forcing).  So, for IoT in student 
housing (game consoles, and Roku devices that only do PSK) maybe PPSK is the 
appropriate new level of security because sensitive data is unlikely, but for 
the most common devices (Phone, Laptop, Tablet, etc.) where users are more 
likely to access and transmit FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS 
seems more appropriate.  From what I can tell it is probably easier to 
implement EAP-TLS than PPSK amongst the fully-managed portion of that device 
class anyway (thinking GPO here).  In my ideal world I would have 3 SSIDs: One 
Guest SSID unencrypted, One PPSK SSID that accommodates all of the non-dot1x 
capable devices that are not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID 
for traditional Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then 
someday in the future Hotspot 2.0/802.11u would convert many of the 
un-encrypted guests over to encrypted without any captive portal interaction.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel 
<jcoeho...@york.edu>
Sent: Tuesday, November 1, 2016 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

> If those using or considering TLS had the option of PPSK (personal pre-shared 
> key), would you opt for PPSK instead?

Definitely. I think it's a much more user-friendly option, while providing 
similar control and security as TLS.




Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:
Just curious. If those using or considering TLS had the option of PPSK 
(personal pre-shared key), would you opt for PPSK instead?

Jeff

On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Bruce Boardman" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of board...@syr.edu> wrote:

We are using Cloud Path for onboarding, but we are considering other 
options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
Clear Pass but I am considering other standalone options as well. Anybody have 
experience or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype board...@syr.edu


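An added configuration sketch of the three-SSID layout Curtis describes above. It is not from his message, from any list member, or from any vendor product; it is written for hostapd because one hostapd.conf can carry several BSSes and its per-MAC passphrase file plays the role a vendor's PPSK feature plays. Interface names, SSIDs, channel, the RADIUS address and secret, and the PSK file path are assumed placeholders. The per-device PSK BSS still carries the WPA2-PSK weaknesses the message lists (de-auths, brute forcing); the comments mark where 802.11w protected management frames narrow the de-auth case and why the EAP-TLS BSS is the one that actually removes the shared secret.

```ini
# Added example (not the thread's or any vendor's config): hostapd.conf sketch of
# the three-SSID design described in the message above. Interface names, SSIDs,
# channel, RADIUS address/secret and the PSK file path are assumed placeholders.

# --- BSS 1: open guest SSID (no encryption on the air) ---
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ssid=Campus-Guest
# No wpa= line means wpa=0: an open network. Anything a guest sends is readable
# by anyone in range, which is why the message wants Hotspot 2.0 to replace it.

# --- BSS 2: per-device PSK SSID for devices that cannot do 802.1X ---
bss=wlan0_1
ssid=Campus-Devices
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# hostapd's counterpart to a vendor PPSK: one passphrase per client MAC.
# Each line of the file is "<MAC> <passphrase>"; the MAC 00:00:00:00:00:00
# matches any client. Revoking one lost console means deleting one line,
# not rotating a passphrase shared by every device on the SSID.
wpa_psk_file=/etc/hostapd/hostapd.wpa_psk
# A captured 4-way handshake can still be attacked offline, so the passphrases
# in that file should be long and random, not user-chosen.
# 802.11w "optional" (1) blunts forged de-auth frames for clients that support
# PMF while still admitting older IoT devices that do not.
ieee80211w=1

# --- BSS 3: WPA2-Enterprise (802.1X / EAP-TLS via RADIUS) for managed devices ---
bss=wlan0_2
ssid=Campus-Secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# The RADIUS server terminates EAP-TLS and validates the client certificate;
# no shared secret exists on the client side to brute-force or leak.
# Address and secret below are placeholders.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-REAL-SECRET
# Managed phones/laptops/tablets can be required to support PMF.
ieee80211w=2
```

hostapd re-reads its configuration, including the per-MAC PSK file, on SIGHUP, so onboarding or revoking a single device on BSS 2 is a one-line edit and a reload. Note that the per-MAC file ties a passphrase to a MAC address, not to a person; tying devices to a user account, per-user bandwidth policy, and certificate lifecycle are what the EAP-TLS BSS and its RADIUS server provide, which is the trade-off the message is weighing.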
RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Lee H Badman
I'd have to see how the vendor implemented it first, but PPSK could be huge.



Lee Badman | Network Architect (CWDP, CWNA, CWSP, CWAP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 01, 2016 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Just curious. If those using or considering TLS had the option of PPSK 
(personal pre-shared key), would you opt for PPSK instead?

Jeff

On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
board...@syr.edu> wrote:

We are using Cloud Path for onboarding, but we are considering other 
options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
Clear Pass but I am considering other standalone options as well. Anybody have 
experience or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Coehoorn, Joel
> If those using or considering TLS had the option of PPSK (personal
pre-shared key), would you opt for PPSK instead?

Definitely. I think it's a much more user-friendly option, while providing
similar control and security as TLS.



Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu

The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society

On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:

> Just curious. If those using or considering TLS had the option of PPSK
> (personal pre-shared key), would you opt for PPSK instead?
>
> Jeff
>
> On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of board...@syr.edu> wrote:
>
> We are using Cloud Path for onboarding, but we are considering other
> options if and when we go to EAP TLS. We may get it baked in if we use ISE
> or Clear Pass but I am considering other standalone options as well. Anybody
> have experience or thoughts they'd like to share? Thanks
>
> Bruce Boardman Networking Syracuse University 315 412-4156 Skype
> board...@syr.edu



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Jeffrey D. Sessler
Just curious. If those using or considering TLS had the option of PPSK 
(personal pre-shared key), would you opt for PPSK instead?

Jeff

On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
board...@syr.edu> wrote:

We are using Cloud Path for onboarding, but we are considering other 
options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
Clear Pass but I am considering other standalone options as well. Anybody have 
experience or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu



RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Ian McDonald
The three digits on the back of the card wouldn't go amiss. 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: 01 November 2016 13:43
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

and a fingerprint...




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of John York <yo...@brcc.edu>
Sent: Tuesday, November 1, 2016 9:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

We could still use a major credit card number, though ;-)
John

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 31, 2016 9:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Apparently it is just a notification being slapped on from our email server.  
No one else is seeing it.

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Oct 31, 2016, at 6:21 PM, Lee H Badman <lhbad...@syr.edu> wrote:
>
> We're going to need a major credit card number for verification.
>
>> On Oct 31, 2016, at 6:12 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>>
>> I don't know what changed for the stupid listserv to mark me as 
>> potential spoof.  Unfortunately I am the real deal ;)
>>
>> Ryan Turner
>> Manager of Network Operations, ITS
>> The University of North Carolina at Chapel Hill
>> +1 919 274 7926 Mobile
>> +1 919 445 0113 Office
>>
>>> On Oct 31, 2016, at 5:44 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>>>
>>> This sender failed our fraud detection checks and may not be who 
>>> they appear to be. Learn about spoofing at 
>>> http://aka.ms/LearnAboutSpoofing
>>>
>>> We have been doing TLS as primary for almost 5 years.  We started on 
>>> Cloudpath.  We have migrated to SecureW2 and are very pleased.   Feel free 
>>> to contact me directly.
>>>
>>> Ryan Turner
>>> Manager of Network Operations, ITS
>>> The University of North Carolina at Chapel Hill
>>> +1 919 274 7926 Mobile
>>> +1 919 445 0113 Office
>>>
>>>> On Oct 31, 2016, at 1:37 PM, Casey Kendall <ckend...@ithaca.edu> wrote:
>>>>
>>>> We had significant challenges trying to do 802.1x TLS and TTLS with 
>>>> Macintosh devices. We ended up having to use EAP-PEAP.
>>>>
>>>> -Original Message-
>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bruce 
>>>> Boardman
>>>> Sent: Monday, October 31, 2016 12:28 PM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: [WIRELESS-LAN] TLS Onboarding Vendors
>>>>
>>>> We are using Cloud Path for onboarding, but we are considering 
>>>> other options if and when we go to EAP TLS. We may get it baked in 
>>>> if we use ISE or Clear Pass but I am considering other standalone 
>>>> options as well. Anybody have experience or thoughts they'd like 
>>>> to share? Thanks
>>>>
>>>> Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
>>>> board...@syr.edu

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Lee H Badman
and a fingerprint...




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of John York <yo...@brcc.edu>
Sent: Tuesday, November 1, 2016 9:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

We could still use a major credit card number, though ;-)
John

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 31, 2016 9:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Apparently it is just a notification being slapped on from our email server.  
No one else is seeing it.

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Oct 31, 2016, at 6:21 PM, Lee H Badman <lhbad...@syr.edu> wrote:
>
> We're going to need a major credit card number for verification.
>
>> On Oct 31, 2016, at 6:12 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>>
>> I don't know what changed for the stupid listserv to mark me as potential 
>> spoof.  Unfortunately I am the real deal ;)
>>
>> Ryan Turner
>> Manager of Network Operations, ITS
>> The University of North Carolina at Chapel Hill
>> +1 919 274 7926 Mobile
>> +1 919 445 0113 Office
>>
>>> On Oct 31, 2016, at 5:44 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>>>
>>> This sender failed our fraud detection checks and may not be who they 
>>> appear to be. Learn about spoofing at 
>>> http://aka.ms/LearnAboutSpoofing
>>>
>>> We have been doing TLS as primary for almost 5 years.  We started on 
>>> Cloudpath.  We have migrated to SecureW2 and are very pleased.   Feel free 
>>> to contact me directly.
>>>
>>> Ryan Turner
>>> Manager of Network Operations, ITS
>>> The University of North Carolina at Chapel Hill
>>> +1 919 274 7926 Mobile
>>> +1 919 445 0113 Office
>>>
>>>> On Oct 31, 2016, at 1:37 PM, Casey Kendall <ckend...@ithaca.edu> wrote:
>>>>
>>>> We had significant challenges trying to do 802.1x TLS and TTLS with 
>>>> Macintosh devices. We ended up having to use EAP-PEAP.
>>>>
>>>> -Original Message-
>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bruce Boardman
>>>> Sent: Monday, October 31, 2016 12:28 PM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: [WIRELESS-LAN] TLS Onboarding Vendors
>>>>
>>>> We are using Cloud Path for onboarding, but we are considering other 
>>>> options if and when we go to EAP TLS. We may get it baked in if we use ISE 
>>>> or Clear Pass but I am considering other standalone options as well. Anybody 
>>>> have experience or thoughts they'd like to share? Thanks
>>>>
>>>> Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
>>>> board...@syr.edu

RE: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread John York
We could still use a major credit card number, though ;-)
John

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 31, 2016 9:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Apparently it is just a notification being slapped on from our email server.  
No one else is seeing it. 

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Oct 31, 2016, at 6:21 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> We're going to need a major credit card number for verification.
> 
>> On Oct 31, 2016, at 6:12 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>> 
>> I don't know what changed for the stupid listserv to mark me as potential 
>> spoof.  Unfortunately I am the real deal ;)
>> 
>> Ryan Turner
>> Manager of Network Operations, ITS
>> The University of North Carolina at Chapel Hill
>> +1 919 274 7926 Mobile
>> +1 919 445 0113 Office
>> 
>>> On Oct 31, 2016, at 5:44 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>>> 
>>> This sender failed our fraud detection checks and may not be who they 
>>> appear to be. Learn about spoofing at 
>>> http://aka.ms/LearnAboutSpoofing
>>> 
>>> We have been doing TLS as primary for almost 5 years.  We started on 
>>> Cloudpath.  We have migrated to SecureW2 and are very pleased.   Feel free 
>>> to contact me directly.
>>> 
>>> Ryan Turner
>>> Manager of Network Operations, ITS
>>> The University of North Carolina at Chapel Hill
>>> +1 919 274 7926 Mobile
>>> +1 919 445 0113 Office
>>> 
>>>> On Oct 31, 2016, at 1:37 PM, Casey Kendall <ckend...@ithaca.edu> wrote:
>>>> 
>>>> We had significant challenges trying to do 802.1x TLS and TTLS with 
>>>> Macintosh devices. We ended up having to use EAP-PEAP.
>>>> 
>>>> -Original Message-
>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bruce Boardman
>>>> Sent: Monday, October 31, 2016 12:28 PM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: [WIRELESS-LAN] TLS Onboarding Vendors
>>>> 
>>>> We are using Cloud Path for onboarding, but we are considering other 
>>>> options if and when we go to EAP TLS. We may get it baked in if we use ISE 
>>>> or Clear Pass but I am considering other standalone options as well. Anybody 
>>>> have experience or thoughts they'd like to share? Thanks
>>>> 
>>>> Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
>>>> board...@syr.edu

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-10-31 Thread Turner, Ryan H
Apparently it is just a notification being slapped on from our email server.  
No one else is seeing it. 

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Oct 31, 2016, at 6:21 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> We're going to need a major credit card number for verification.


Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-10-31 Thread Lee H Badman
We're going to need a major credit card number for verification.

> On Oct 31, 2016, at 6:12 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
> 
> I don't know what changed for the stupid listserv to mark me as potential 
> spoof.  Unfortunately I am the real deal ;)
> 
> Ryan Turner
> Manager of Network Operations, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office


Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-10-31 Thread Turner, Ryan H
I don't know what changed for the stupid listserv to mark me as potential 
spoof.  Unfortunately I am the real deal ;)

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Oct 31, 2016, at 5:44 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
> 
> This sender failed our fraud detection checks and may not be who they appear 
> to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing
> 
> We have been doing TLS as primary for almost 5 years.  We started on 
> Cloudpath.  We have migrated to SecureW2 and are very pleased.   Feel free to 
> contact me directly.
> 
> Ryan Turner
> Manager of Network Operations, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
> 
>> On Oct 31, 2016, at 1:37 PM, Casey Kendall <ckend...@ithaca.edu> wrote:
>> 
>> We had significant challenges trying to do 802.1x TLS and TTLS with 
>> Macintosh devices. We ended up having to use EAP-PEAP.


Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-10-31 Thread Curtis K. Larsen
We're pleased with the Cloudpath onboarding experience for EAP-TLS for the 
traditional supported platforms including iOS, Android, Windows, OSX, ChromeOS 
and Linux.  One pleasant surprise was that we were able to delegate onboarding 
of several IoT devices with non-traditional operating systems to various IT 
staff.  I'm not sure this work would be off-loaded so easily with other 
well-known solutions.  I understand PacketFence also may be doing EAP-TLS 
onboarding now too and I haven't tried that but we've been happy with them for 
other RADIUS services in general.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Eric Brewer 
<ebre...@smith.edu>
Sent: Monday, October 31, 2016 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Even though we DO use Clearpass, we're using Cloudpath for onboarding to EAP 
TLS.  We like the Cloudpath user experience and ease of 
configuration/troubleshooting.

- Eric

On Mon, Oct 31, 2016 at 12:27 PM, Bruce Boardman 
<board...@syr.edu> wrote:
We are using Cloud Path for onboarding, but we are considering other options if 
and when we go to EAP TLS. We may get it baked in if we use ISE or Clear Pass 
but I am considering other standalone options as well. Anybody have experience or 
thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 
Skype board...@syr.edu
