Re: [WIRELESS-LAN] To RFC1918 or Not RFC1918?

2019-09-12 Thread Robert Schneider
BUILT FOR HOME Apple TV is fine, I guess they trust their other security measures sufficiently. A little off topic, but we found that Apple will use any and everything to get AirPlay to work. Mainly it will connect through Bluetooth or even its own wireless network that works in the

Feasibility of an open SSID for student use

2019-09-12 Thread Kurtis Olsen
We have been receiving a lot of complaints about a complicated onboarding process and have been asked to look at providing an Open SSID that has little to no onboarding. I see an advantage being the ease of connecting but I have some concerns, mainly about providing a secure environment. Our

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Rumford, Charles
I agree that complicated onboarding is the worst from the end user perspective and a pain to manage. I started designing a PPSK/MPSK design to take over our primary 802.1x network. The biggest hurdle I ran into with it was the randomization of MAC addresses for device. I've been told Android

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Hoffman, Douglas
> My crystal ball wish is to have that PPSK/IPSK solution then group that user’s devices into a private virtual home network, providing something that approaches their home experience.
Cisco introduced “private groups” to iPSK in 8.8:

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Rumford, Charles
On 9/12/19 12:36 PM, Lee H Badman wrote:
> We currently use an open network with private IP addressing that is very limited on where it can go. Connect to SSID, open browser, go to our Cloudpath wizard (has been replaced with appliance, but we haven’t decided if we are interested in

RE: Feasibility of an open SSID for student use

2019-09-12 Thread Floyd, Brad
Kurtis, If students are using an open SSID as a general purpose wireless network, you may want to require them to fire up a VPN session to get to trusted resources (LMS, scheduling, bursar, etc). Thanks, Brad From: The EDUCAUSE Wireless Issues Community Group Listserv

RE: Feasibility of an open SSID for student use

2019-09-12 Thread Turner, Ryan H
I think your problem is the NAC solution... I was one of the first to deploy campus wide NAC (2006) and then we pushed agents a few years after. The time for NAC agents has come and gone in my mind. We have removed it from practically every place that has it. There is one large school that

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Jeffrey D. Sessler
I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike any other wireless experience an individual will encounter in their life i.e. any other wifi-enabled location/venue. With the growing trend of EDUs moving to SaaS and other Cloud solutions, wireless will be nothing

RE: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Enfield, Chuck
Seconded. And for those who think that security is more important than the user experience in some cases, I wouldn’t argue, but I would point out that an improperly configured 1x device puts the user’s credentials at risk. 802.1x isn’t all upside from a security perspective either. Chuck

RE: Feasibility of an open SSID for student use

2019-09-12 Thread Lee H Badman
Amen- NAC is often a solution to problems that either don't exist or that don't warrant the weight of the NAC. These solutions are not without value per se, but at onboarding time? Nah. Lee Badman | Network Architect (CWNE#200) Information Technology Services (NDD Group) 206 Machinery Hall 120

RE: Feasibility of an open SSID for student use

2019-09-12 Thread Lee H Badman
We currently use an open network with private IP addressing that is very limited on where it can go. Connect to SSID, open browser, go to our Cloudpath wizard (has been replaced with appliance, but we haven't decided if we are interested in that). Get configured for 802.1X, have a few settings

RE: Feasibility of an open SSID for student use

2019-09-12 Thread Enfield, Chuck
Hi William. “Most need no instructions and figure it out on their own,” may not be the virtue you think it is. How many of these users figuring it out on their own are validating your RADIUS server certs? Self-configuration invites MiM attacks that can harvest account credentials. It’s

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Michael Holden
2nd that, self guided EAP-PEAP is convenient, but the Evil Twin Attack isn't exactly new or difficult. In the past I've used an optional layered approach. Give an option on the open SSID captive portal for initial onboarding, or limited Guest access (weekly type) captive portal re-login after

Re: Feasibility of an open SSID for student use

2019-09-12 Thread Green, William C
We’ve found it’s easier for our community to onboard to our 802.1x SSID with the native supplicant of the device, rather than download and run an installer (are dropping the installer). Most need no instructions and figure it out on their own. While we offer an iPSK SSID, it is not as easy—