RE: WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
My experience may be different than others, but with tools like netflow, SIEM, 
location, and other assurance tools, an operator of a network service generally 
has a pretty good picture of what’s happening, and can rapidly pinpoint 
problematic devices. These tools also allow for rapid retrospective analysis of 
what said device has been up to, allowing containment at multiple levels, 
without the need to know who is at the other end of the device.

Jeff


RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jennifer Minella
Jeff – Yes, that’s exactly right for connections to apps/services - but what if 
we’re talking about an infected machine or malicious user? They’re not 
necessarily connecting to anything specific in terms of an application that 
would further auth them. That’s actually why I’m saying if it’s Internet-only 
and inter-station blocking is on then let them have at it, as long as the org’s 
legal team is OK with it. Otherwise, if they could access internal resources at 
the network level then those non-app based connections (L1-4) should be given 
some consideration and protection.

I don’t agree that there are enough breadcrumbs from the network admin side to 
identify a user on a device with anonymous login/auth. You’d need to either 
access data or artifacts on the device for that, or have some other means of 
traffic analysis on-network to try and piece that together. And some kind of 
extra special magic is needed if they’re on a device with private/randomized 
MAC.

Very valid point of course on the stolen creds or stolen device with device 
certs. That’s just a risk but from a compliance/audit standpoint that’s a 
different risk than an open network.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text


RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jeffrey D. Sessler
Jennifer,

I would hope that the service itself has authorization/admittance controls vs 
relying on the user’s device and/or the particular network the device is in for 
permission.

I’d also argue that there are enough breadcrumbs about any given device to 
determine the user without the need for them to authenticate to wireless. Then 
again, the device could just as easily be stolen, or the user’s account could 
have been compromised, and the attacker self-enrolls his/her machine/uses the 
credentials to gain access.

Jeff


RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jennifer Minella
Oh my goodness. I forgot the biggest one – if you’re going to give that user or 
device access to internal resources/assets you probably want to know who it is 
– even if it’s printers, screen casting, etc. If the user or device has access 
to critical internal resources, then you definitely need to know who it is. 
From an infosec due diligence standpoint, it would be hard to argue a defense on 
that one if a significant event were to occur.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text


RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jennifer Minella
Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up 
now.

Here’s what I throw in the mix for consideration… (no recommendations just free 
flow thoughts)
Sorry this is long; WPA3 gets me really excited 


  1.  OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY 
provides OTA encryption; it does nothing for authenticating the user to the 
network NOR the network to the user.
  2.  …that means you could use a guest portal experience, with or without user 
ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X 
for key exchanges and encryption.
  3.  If you care about who the user is, you can still use a portal with 
self-registration and whatever duration you feel is appropriate. Depending on 
how much you care, a self-registration portal may (or may not) be sufficient.
  4.  If you care about protecting the user/device against a MiTM or evil twin 
attack, then you probably prefer a mechanism that allows some type of 
authentication, which is typically mutual authentication (e.g. 1X).
  5.  Under WPA3, security is increased across the board and will be ongoing 
(not fixed), including replacing Pre-Shared Key (PSK) with SAE, which 
looks/feels JUST like PSK to admins/users but further protects assets by using 
unique key derivations for each endpoint. So… if someone has the passcode they 
can get on, but they can’t decrypt any other traffic even if the endpoint(s) 
are using the same key. The list of enhancements goes on and on.
  6.  Does your organization require traceability of users for any internal or 
external policies or compliance? This could be for security reasons, compliance 
with IP and digital rights, or other needs. One Uni org I’ve worked with 
successfully stopped a student from a suicide attempt when the student posted 
online; they physically located the person and saved them from what they were 
about to do… There are a lot of things to consider and every org is different.
  7.  Whether or not portal acceptable use and/or user ID/registration is 
needed is a hotly-debated topic and has a lot of “it depends”. I recently asked 
several CISOs, lawyers, auditors, and cyber security friends at the FBI.
 *   The CISOs feel it’s “window dressing” except that per …
 *   …Lawyers, there may be some legal protection if a user compromised 
while on your network comes after you (e.g. policy says “org not responsible 
for anything resulting from use of their network”).
 *   The FBI says they need “something” to open a case and prosecute (e.g. 
Acceptable Use clause or access banner).
 *   In Europe (I’m told) orgs providing public internet access fall under 
ISP laws, and therefore must be diligent about registration/acceptable use/etc. 
By policy/compliance they have stricter rules for requiring accountability and 
registration.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text


From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
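
To make items 1, 2, 4 and 5 of the list above, and the inter-station-blocking point from the 2021-04-21 reply, concrete: the following hostapd configuration is an added example written for this page (not code from any poster or from the EDUCAUSE group) that defines the three access models as three BSSs on one Linux AP. Interface names, SSIDs, the passphrase and the RADIUS server are placeholders, and the driver is assumed to support multiple BSSs.

```ini
# Added example, not from the thread. Placeholders: interface names,
# SSIDs, passphrase, RADIUS server. Assumes a driver with multi-BSS support.
interface=wlan0
driver=nl80211
hw_mode=a
channel=36
ctrl_interface=/var/run/hostapd

# --- Items 1 and 2: OWE ("Enhanced Open"). Over-the-air encryption with no
# credential at all. Nothing here identifies the user or the network to the
# user; any registration / acceptable-use portal has to be enforced outside
# hostapd (captive portal, firewall). Fits the Internet-only case only.
ssid=Campus-Guest-OWE
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
# PMF required (OWE and SAE both mandate it).
ieee80211w=2
# Inter-station blocking: associated clients cannot talk to each other.
ap_isolate=1
# Optional OWE transition mode for clients that cannot do OWE yet
# (pairs this BSS with a plain-open BSS; BSSID below is a placeholder):
# owe_transition_ssid="Campus-Guest"
# owe_transition_bssid=02:00:00:00:00:01

# --- Item 5: WPA3-Personal (SAE) in place of WPA2-PSK. Same passphrase
# experience for users and admins, but every SAE exchange derives a fresh
# PMK, so a client that knows the passphrase cannot decrypt a peer's traffic.
bss=wlan0_1
ssid=Campus-Devices
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=CHANGE-ME-placeholder-passphrase
# The legacy setting this replaces (weak: with the shared passphrase and a
# captured 4-way handshake, any peer's session keys can be recovered):
# wpa_key_mgmt=WPA-PSK
# wpa_passphrase=CHANGE-ME-placeholder-passphrase
# ieee80211w=0

# --- Item 4: 802.1X (WPA3-Enterprise) for mutual authentication. The
# network proves itself through the RADIUS server certificate, so an evil
# twin without that private key cannot complete the EAP exchange. Caveat:
# this only holds if the supplicant profile actually validates the server
# certificate, which is what managed onboarding is for.
bss=wlan0_2
ssid=Campus-Secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
eap_server=0
# Placeholder RADIUS server (TEST-NET-1 address).
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder-secret
```

Only the OWE BSS carries no identity at all; the portal, logging and traceability questions in item 6 onward are decided outside this file.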

RE: WPA3/OWE as campus solution?

2021-04-16 Thread Enfield, Chuck
I've been floating this idea to IT leadership for years, with no interest on 
their part.  We implemented an open guest network with no rate limiting about 
18 months ago, so now any student who doesn't want to onboard doesn't have to.  
I figured that would get the bosses asking why we bother to authenticate on the 
other SSID, but still no.  It's ironic that the people who constantly stress 
the importance of customer experience and regularly complain to me about the 
onboarding experience can't be bothered to consider obvious alternatives.  I 
wouldn't be so disappointed if we discussed the pros and cons and they came to 
a different conclusion than I have, but it sounds so radical to them that they 
don't even care to discuss it.

Chuck

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

RE: WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
Not sure how, or even if you'd need to depending on how it all worked. No plan 
here, just discussion.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Just keep in mind that OWE does not have an identity layer.


Re: WPA3/OWE as campus solution?

2021-04-16 Thread Tim Cappalli
How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


Exactly- hance the notion of simplifying… relying on application security, 2FA 
etc for actual security while making simply connecting much, much easier.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?



Just keep in mind that OWE does not have an identity layer.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu


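The two points Tim raises above (OWE carries no identity, and inter-station blocking is what limits local services) are easiest to see side by side in an access-point configuration. The following hostapd.conf sketch is an added illustration, not configuration from the list or from any poster; the interface, SSIDs, RADIUS address and shared secrets are placeholders.

```ini
# Added illustration, not configuration from the list or any poster.
# Interface, SSIDs, RADIUS address and shared secrets are placeholders.

# --- BYOD SSID: WPA3 OWE (Enhanced Open) ---
# The over-the-air link is encrypted, but nothing here identifies the
# user or device: there is no EAP exchange and no auth_server_* entry.
# Any client that associates negotiates its own pairwise key.
interface=wlan0
driver=nl80211
hw_mode=a
channel=36
ssid=campus-byod
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
# Protected Management Frames are mandatory for OWE.
ieee80211w=2
# Inter-station blocking: associated clients cannot exchange frames.
# This is also what breaks peer discovery (mDNS/Bonjour, AirPlay,
# casting, direct printing), the trade-off raised in the thread.
ap_isolate=1

# --- Managed SSID: 802.1X (WPA-Enterprise) as a second BSS ---
# Identity comes from EAP against RADIUS; accounting ties a MAC and
# IP address to a username, which the OWE BSS above cannot provide.
bss=wlan0_1
ssid=campus-managed
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_SHARED_SECRET
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_SHARED_SECRET
```

Turning ap_isolate off on the BYOD BSS restores printing and casting between clients, but then the only thing separating an anonymous OWE client from its neighbours is whatever sits upstream of the AP.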
RE: WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
Exactly- hence the notion of simplifying... relying on application security, 
2FA etc for actual security while making simply connecting much, much easier.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Just keep in mind that OWE does not have an identity layer.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and "business" clients) and simplifying with 
OWE/WPA3? Like... the open network that's actually moderately secure leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu


Re: WPA3/OWE as campus solution?

2021-04-16 Thread Tim Cappalli
Just keep in mind that OWE does not have an identity layer.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu
