Apple TV is fine, I guess they trust their other security measures
A little off topic, but we found that Apple will use any and everything to get
AirPlay to work. Mainly it will connect through Bluetooth or even its own
wireless network that works in the
We have been receiving a lot of complaints about a complicated onboarding
process and have been asked to look at providing an Open SSID that has little
to no onboarding. I see an advantage being the ease of connecting but I have
some concerns, mainly about providing a secure environment.
I agree that complicated onboarding is the worst from the end user perspective
and a pain to manage.
I started designing a PPSK/MPSK design to take over our primary 802.1x network.
The biggest hurdle I ran into with it was the randomization of MAC addresses
for devices. I've been told Android
> My crystal ball wish is to have that PPSK/IPSK solution then group that
> user’s devices into a private virtual home network, providing something that
> approaches their home experience.
Cisco introduced “private groups” to iPSK in 8.8:
On 9/12/19 12:36 PM, Lee H Badman wrote:
> We currently use an open network with private IP addressing that is very
> limited on where it can go. Connect to SSID, open browser, go to our Cloudpath wizard
> (has been replaced with appliance, but we haven’t decided if we are
If students are using an open SSID as a general purpose wireless network, you
may want to require them to fire up a VPN session to get to trusted resources
(LMS, scheduling, bursar, etc).
From: The EDUCAUSE Wireless Issues Community Group Listserv
I think your problem is the NAC solution... I was one of the first to deploy
campus wide NAC (2006) and then we pushed agents a few years after. The time
for NAC agents has come and gone in my mind. We have removed it from
practically every place that has it. There is one large school that
I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike
any other wireless experience an individual will encounter in their life i.e.
any other wifi-enabled location/venue.
With the growing trend of EDUs moving to SaaS and other Cloud solutions,
wireless will be nothing
And for those who think that security is more important than the user
experience in some cases, I wouldn’t argue, but I would point out that an
improperly configured 1x device puts the user’s credentials at risk. 802.1x
isn’t all upside from a security perspective either.
Amen- NAC is often a solution to problems that either don't exist or that don't
warrant the weight of the NAC. These solutions are not without value per se,
but at onboarding time? Nah.
Lee Badman | Network Architect (CWNE#200)
Information Technology Services
206 Machinery Hall
We currently use an open network with private IP addressing that is very
limited on where it can go. Connect to SSID, open browser, go to our Cloudpath
wizard (has been replaced with appliance, but we haven't decided if we are
interested in that). Get configured for 802.1X, have a few settings
“Most need no instructions and figure it out on their own,” may not be the
virtue you think it is. How many of these users figuring it out on their own
are validating your RADIUS server certs? Self-configuration invites MitM
attacks that can harvest account credentials. It’s
2nd that, self guided EAP-PEAP is convenient, but the Evil Twin Attack isn't
exactly new or difficult.
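The failure mode the two posts above describe, a self-configured PEAP profile that never checks who the RADIUS server is, is easy to spot once you look at what the supplicant was actually told. The following is an added example written for this page, not code from the thread or from any vendor onboarding tool: it audits wpa_supplicant-style network blocks for the settings that make an evil twin harmless (a pinned CA and a server-name match) and explains what each missing setting exposes. The two profiles, the SSID, the identity and the certificate path are constructed placeholders, and the hardened block shows the settings a managed onboarding tool would normally push.

```python
"""Audit wpa_supplicant-style 802.1X network blocks for missing RADIUS server validation.

Added example for this page; the profiles below are constructed samples and the
SSID, identity, password and certificate path are placeholders.
"""
import re

# Constructed sample: what a user who "figured it out on their own" typically ends up with.
WEAK_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
'''

# Constructed sample: the same network with the checks a managed onboarding tool sets.
HARDENED_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"   # placeholder path to the campus CA
    domain_suffix_match="radius.example.edu"
}
'''

# File names commonly used for the OS-wide public CA bundle.
SYSTEM_BUNDLES = ("ca-certificates.crt", "ca-bundle.crt", "cert.pem")


def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        entry = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def audit_network(net):
    """Return a list of findings for one network block; an empty list means it is OK."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    if "WPA-EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return findings   # not an 802.1X network, nothing to validate here
    eap = net.get("eap", "").upper()
    tunneled = eap in ("PEAP", "TTLS")          # inner credential rides inside a TLS tunnel
    ca = net.get("ca_cert")
    name_check = any(k in net for k in ("domain_suffix_match", "domain_match", "subject_match"))
    if not ca:
        findings.append("no ca_cert: any RADIUS server certificate is accepted, "
                        "so an evil twin can terminate the TLS tunnel")
    elif not name_check:
        if ca.endswith(SYSTEM_BUNDLES):
            findings.append("ca_cert is the public CA bundle and there is no domain match: "
                            "any publicly issued certificate passes")
        else:
            findings.append("no domain_suffix_match/domain_match/subject_match: "
                            "any certificate signed by the trusted CA is accepted")
    if tunneled and findings and "password" in net:
        findings.append(f"{eap} inner credential ({net.get('phase2', 'phase2 unset')}) "
                        "can be harvested by a rogue AP that passes the checks above")
    if tunneled and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent in the clear "
                        "in the outer EAP identity")
    return findings


def audit_conf(conf):
    """Audit every network block in a config; returns [(ssid, findings), ...]."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf):
            print(f"[{label}] {ssid}: {'OK' if not findings else ''}")
            for f in findings:
                print("   -", f)
```

The same two settings are what to look for in the profiles other platforms produce: the trusted CA and the list of acceptable server names. A profile that trusts the OS certificate store without naming the server is the case the "public CA bundle" finding flags, because any attacker with a publicly issued certificate for any name then satisfies the check.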
In the past I've used an optional layered approach.
Give an option on the open SSID captive portal for initial onboarding, or
limited Guest access (weekly type) captive portal re-login after
We’ve found it’s easier for our community to onboard to our 802.1x SSID with the
native supplicant of the device, rather than download and run an installer (are
dropping the installer). Most need no instructions and figure it out on their
While we offer an iPSK SSID, it is not as easy—