Instead of following Starbucks' bad example, I would rather choose for informing Starbucks and others others to choose for 802.1x instead... (I observe a growing popularity of using Facebook accounts to login to Wi-Fi facilities offered by city Wi-Fi and in malls)
We are part of the education community. I think it is our duty to educate students: informing them to check certificates, checking SSL, beign aware of the dangers to connect to an open network, etc. etc. The teachers cannot teach this in class, if the IT department neglects these rules on the network they offer at the institue (regardless of that is a dorm or a classroom). Frankly speaking, people are familiar with connecting to Wi-Fi securely. Five years ago this was still a hassle. Regardsless of the OS, it is now a matter of filling in your username and password and you are connected.... -Frans Jeffrey D. Sessler schreef op 04/09/15 om 23:05: > Is the student’s “residence” in this case any different than a VP who > travels and uses hotel WiFi, the hotel being their residence most of > the time? Are we asking the student to do something we wouldn’t > require of the VP in the hotel? > > This is why something like Areohive’s PPSK (private pre-shared key) is > interesting to me, in that it provides something that is “good enough” > without all the hassles around WPA-ent. We get the user off of an open > network, but provide easy on-boarding for the user and their devices. > > I agree that students may not know they should care, but I’m not sure > it’s the university’s job to educate them i.e. they are adults, and we > don’t go round them up to make sure they attend class. Our students > only care about connecting to the WiFi, and even if we try to explain > why it’s better, there is only a small percentage that care… the same > can be said for staff/faculty. > > I also shy away from saying, “…provide the secure option.” since it > implies everything they do is now secure, which it is not. > > I do agree that providing both options is a good idea, but my own > evidence shows that if the user’s chrome-cast is in the device-net, > they will put their laptop there to so that they have access to it. > > Jeff > > From: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" on behalf of "Coehoorn, Joel" > Reply-To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > Date: Friday, September 4, 2015 at 1:31 PM > To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in > the dorms- quick Survey > > The difference between us and a McDonalds or Starbucks is that we are > the student's residence. They can't as easily just wait or go > elsewhere in order to do things that really should not be done on an > open wifi connection. > > Additionally, this is the first encounter with the issue for many > students. They haven't yet had a chance to know that they should care. > Therefore, I do believe it is our responsibility to provide the secure > option and educate our students on the importance of using it. > > At the same time, college students are supposedly adults now, and > capable of making their own decisions, and so I try to provide both > options (we really do have an completely open SSID), along with some > education and a nudge via SSID naming that the secure SSID may be > "better" in some ephemeral way. > > > > > > > Joel Coehoorn > Director of Information Technology > 402.363.5603 > *jcoeho...@york.edu <mailto:jcoeho...@york.edu>* > > > > > The mission of York College is to transform lives through > Christ-centered education and to equip students for lifelong service > to God, family, and society > > On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken <frans.pan...@surfnet.nl > <mailto:frans.pan...@surfnet.nl>> wrote: > > Jeff, > > Jeffrey D. Sessler schreef op 04/09/15 om 20:55: > > Just to turn this on it’s ear a bit... > > > > Why not go back to an open network for student devices, with the > same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or > convention center? Why are we (my self included) so hell bent on > student devices connecting via WPA-Ent and all the challenges > associated with accommodating devices that can’t? > Basically, because you do not know who is behind the device if > this user > does something that conflicts with any of the policies (e.g., security > to name one). > > > > > > Does data exist that shows all of this overhead we’ve created > has had any measurable benefit (for the cost), especially when the > same users aren’t concerned about over-the-air security when at > the above mentioned places? > Regardless of the numbers, I will tell you it was worth it. > > Inmagine the blames your institute copes with if some one decides > to put > a rogue access point in between that cathes all kinds of privacy data? > The end-user will blame the institue because it happended there! > > Note that there are easy out-of-the-box tools that are dedicated for > these kind of attacks and easy to set-up, even for a 12 year old. For > example, have a look at pineapple: https://www.wifipineapple.com/ > <https://www.wifipineapple.com/> > (very usefull to play with!) > > Or Nethunter, that uses Linux Kali and is installed on a simple > phone or > tablet (http://www.nethunter.com/). > > > > > Why do we care so much? Is there some middle-ground that is > “good enough” but provides almost the same experience as at home? > Seriously, you have an open network at home?? You login with your > bank? > Ever hear of SSL strip (if not, I recommend to Google it and watch > that > little slot in your browser continously) > > > > > Would our efforts be better spent implementing other beneficial > technologies such location-aware WiFi, where after the student > connects all their AppleTV, TimeMachine, and Chromecast devices, > the network is smart enough to provide them visibility of only > those devices when in/near the same location e.g. Location-aware > bonjour? > I hope the arguments above convinced you. If not, I think I can > think of > some more... > > -Frans > > > > > > > > Jeff > > > > > > On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent > Group Listserv on behalf of Lee H Badman" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of > lhbad...@syr.edu <mailto:lhbad...@syr.edu>> wrote: > > > >> Where it gets interesting- broadcast and single class C > required. But- this is a great summary of requirements. > >> > >> Lee Badman | Network Architect > >> Information Technology Services > >> 206 Machinery Hall > >> 120 Smith Drive > >> Syracuse, New York 13244 > >> t 315.443.3003 <tel:315.443.3003> f 315.443.4325 > <tel:315.443.4325> e lhbad...@syr.edu <mailto:lhbad...@syr.edu> > w its.syr.edu <http://its.syr.edu> > >> SYRACUSE UNIVERSITY > >> syr.edu <http://syr.edu> > >> > >> -----Original Message----- > >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Johnson, > Neil M > >> Sent: Friday, September 04, 2015 10:46 AM > >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi > devices" in the dorms- quick Survey > >> > >> Here is my first pass at requirements: > >> > >> 1. The service must prevent or discourage devices that ARE > capable of using 802.1x authentication from using the service. > >> > >> 2. The service should provide some sort of traceability of > devices back to their owners. > >> > >> 3. The service must provide some method to deny access to > an individual device. > >> > >> 4. The service must be easy enough to use that the average > student can connect a device to the network in 10-15 minutes > without requiring assistance from ITS. > >> > >> 5. The service must restrict access to only authorized > University customers. > >> > >> 6. In the residence Halls, the service must support most > the most common consumer devices that students might bring to campus > >> > >> > >> We are also looking at a “Device Net” for campus for other > devices that may not do 802.1X (freezer monitors, digital signage, > instrumentation, etc.). > >> > >> For the residence hall device net we are thinking about > blocking all access to campus resources and just allowing internet > access. > >> > >> For the campus device net we thinking about RFC 1918 space > restricting the deivces to on campus resources only. > >> > >> -- > >> Neil Johnson > >> Network Engineer > >> The University of Iowa > >> Phone: 319 384-0938 > >> Fax: 319 335-2951 > >> E-Mail: neil-john...@uiowa.edu <mailto:neil-john...@uiowa.edu> > >> > >> > >> > >>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network > Services) <bosbo...@liberty.edu <mailto:bosbo...@liberty.edu>> wrote: > >>> > >>> What are you calling a Device Net? > >>> > >>> We have an open SSID with a custom captive portal using the > ClearPass eTIPS API. > >>> > >>> We use this SSID for onboarding to 802.1X with Cloudpath > XpressConnect Wizard, registering a non-8012.1X device Endpoint in > ClearPass (with AirGroup device registration for Apple-TV) and for > permitting non-802.1X network access, blocking out internal web > server & blackboard servers. If devices try to go to these sites, > they are redirected to Cloudpath XpressConnect Wizard. > >>> > >>> I am leaving on vacation for a week, so it may take me a while > to resond further > >>> > >>> Bruce Osborne > >>> Wireless Engineer > >>> IT Infrastructure & Media Solutions > >>> > >>> (434) 592-4229 <tel:%28434%29%20592-4229> > >>> > >>> LIBERTY UNIVERSITY > >>> Training Champions for Christ since 1971 > >>> > >>> -----Original Message----- > >>> From: Johnson, Neil M [mailto:neil-john...@uiowa.edu > <mailto:neil-john...@uiowa.edu>] > >>> Sent: Thursday, September 3, 2015 12:08 PM > >>> Subject: Re: Supporting "those other Wi-Fi devices" in the > dorms- quick Survey > >>> > >>> We are investigating a device net at UofI so, > >>> > >>> I would be interested in hearing from anyone who has > implemented a Device Net with Clearpass. > >>> > >>> Thanks. > >>> -Neil > >>> > >>> -- > >>> Neil Johnson > >>> Network Engineer > >>> The University of Iowa > >>> Phone: 319 384-0938 <tel:319%20384-0938> > >>> Fax: 319 335-2951 <tel:319%20335-2951> > >>> E-Mail: neil-john...@uiowa.edu <mailto:neil-john...@uiowa.edu> > >>> > >>> > >>> > >>>> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu > <mailto:lhbad...@syr.edu>> wrote: > >>>> > >>>> There is an elegance in your wisdom, Chuck. > >>>> > >>>> > >>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Chuck > Enfield > >>>> Sent: Wednesday, September 02, 2015 5:54 PM > >>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > >>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi > devices" in the dorms- quick Survey > >>>> > >>>> Don’t tell me. Ignorance is bliss. Man, am I happy! > >>>> > >>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of David R. > Morton > >>>> Sent: Wednesday, September 02, 2015 5:41 PM > >>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > >>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi > devices" in the dorms- quick Survey > >>>> > >>>> Lee, > >>>> > >>>> Are you going to share the results of this survey as well? > >>>> > >>>> David > >>>> > >>>> > >>>> David Morton > >>>> > >>>> Director, Mobile Communications > >>>> Service Owner: Wi-Fi, Mobile & HuskyTV > >>>> University of Washington > >>>> dmor...@u.washington.edu <mailto:dmor...@u.washington.edu> > >>>> tel 206.221.7814 <tel:206.221.7814> > >>>> > >>>> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu > <mailto:lhbad...@syr.edu>> wrote: > >>>> > >>>> As we look forward in how we service our residential spaces > for Wi-Fi, I’ve put together a quick survey on if/what other > schools are doing (and not doing) for supporting the perplexing > gadgets (TVs, games, entertainment dongles, etc) over Wi-Fi. > Please consider contributing at > >>>> > >>>> https://www.quicksurveys.com/s/Wc92H > <https://www.quicksurveys.com/s/Wc92H> > >>>> > >>>> I’ll run this for two weeks, will post just a couple more > invites on each list in that period (so you know to expect a > couple more… kind of advance spam warning) and will open the > results page up for both lists at the end. I know I’m not the only > one contemplating these questions. Should take minutes to sail > through, but decent participation could really help others in > their own thoughts about this challenging paradigm. > >>>> > >>>> > >>>> > >>>> Thanks in advance! > >>>> > >>>> > >>>> > >>>> Lee Badman | Network Architect > >>>> Information Technology Services > >>>> 206 Machinery Hall > >>>> 120 Smith Drive > >>>> Syracuse, New York 13244 > >>>> t 315.443.3003 <tel:315.443.3003> f 315.443.4325 > <tel:315.443.4325> e lhbad...@syr.edu <mailto:lhbad...@syr.edu> > w its.syr.edu <http://its.syr.edu> > >>>> SYRACUSE UNIVERSITY > >>>> syr.edu <http://syr.edu> > >>>> > >>>> > >>>> > >>>> ********** Participation and subscription information for > this EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >>>> > >>>> ********** Participation and subscription information for > this EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >>>> ********** Participation and subscription information for > this EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >>>> ********** Participation and subscription information for > this EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >>> > >>> ********** > >>> Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >>> > >>> > >>> ********** > >>> Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >>> > >> > >> ********** > >> Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >> > >> > >> ********** > >> Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > >> > > ********** > > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
