To offer a different perspective, we are an Aerohive wireless shop.

For our dorm wireless, we offer two SSIDs – one that is 802.1x for general consumption, and a second for media devices. On the media device SSID, we have employed an Aerohive proprietary system called PPSK – private pre-shared key. We use this to generate several thousand keys once a year, and our service desk uses a web portal to assign the keys, 1 per device, for each media device. To the end user it looks just like WPA2-PSK, but each key is unique and can be revoked without affecting anyone else. With the exception of the high demand for keys at the beginning of the semester, this has worked very well for us and has allowed us to avoid getting into the realm of mac registrations. Having a unique PSK per device allows us to meet audit and identification requirements but offers compatibility with devices that don’t support PKI.

Thanks,

Chris Adams, CISSP
Director, Network & Telecom Services
Division of Information Technology
University of North Georgia
E-Mail: [email protected] | Office: (706) 867-2891

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Shayne Ghere
Sent: Tuesday, August 2, 2016 12:08 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco ISE

Bruce,

It was a consultant that recommended it, but for gaming/non-802.1x capable devices. I may have stated it incorrectly. Our problem is that we have more and more devices that are non-standard Windows/Mac OS, so the certificates don’t work. Most are Engineering/IT students and it’s an uphill battle for us. We’re currently looking at Apogee to take over our Dorm wired/wireless network, but we can do the same thing with our own equipment. The question we’re asking ourselves is: do we want to create an open network in the dorms, firewall them from everything unless they’re using secure wireless, or continue to fight the certificate issues?

We have a homegrown registration system, but we’re quickly outgrowing it and need to move to something that’s all encompassing. We used ACS a few years ago, but our CIO (at the time) wanted to move to all open source and that’s caused more headaches than anything. I do have a conference call with Cisco deployment on Wednesday, but just wanted to get a feel how others in our field like the product, and what real world issues you’ve had. Unfortunately, we don’t get that kind of feedback from the manufacturer.

I appreciate all the e-mails and responses!

Shayne

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Tuesday, August 02, 2016 6:33 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco ISE

I am surprised (and appalled) that Cisco would recommend *WPA2-Personal* (aka WPA2-PSK) in an Enterprise environment.

We are currently using PEAP-MSCHAPv2 with our WPA2-Enterprise (aka 802.1X) wireless network. For self-registration on devices that cannot use 802.1X, we are using a custom portal with the ClearPass APIs. We are currently using an open network for mac authentication. We block our website & Blackboard system to “encourage” users to use our secure network for laptops instead of registering for mac auth.

We are considering moving to using certs with ClearPass Onboard, but have not yet implemented. We are currently using CloudPath Wizard for onboarding 802.1X devices.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: T. Shayne Ghere [mailto:[email protected]]
Sent: Monday, August 1, 2016 10:06 AM
Subject: Cisco ISE

Good morning,

Currently we have a home grown wireless registration system in place that is becoming obsolete. We are getting ready to refresh our Cisco AP’s, and I’m writing to see if anyone has any positive/negative issues in using Cisco ISE for individual “self” registration on your wireless network. We also use WPA2/AES Certificate based security, but that is problematic because of compatibility issues and devices that have no way of accepting certs. In talking with some Cisco Wireless Engineers, they recommend WPA2/AES-PSK but we don’t have the manpower to set that up on every device. We also do not NAT any devices. If you have any suggestions, or comments on using ISE and moving away from Certs, I would greatly appreciate them.

Thanks
Shayne

----------------------------------
T. Shayne Ghere
Bradley University
Wireless/Lan Network Engineer
1501 W. Bradley Ave, Jobst 224A
[email protected]
FBI CA Graduate 2011 Alumni
FBI InfraGard Member
----------------------------------
UPCOMING OUT OF OFFICE
None

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
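The per-device private-PSK scheme Chris describes (a pool of unique keys generated up front, one key issued per media device, any one key revocable on its own, and a key-to-owner record for audit) can be modelled with a small registry. The following is an added example, not Aerohive's PPSK implementation and not code from anyone in this thread; it renders the active keys in hostapd's `wpa_psk_file` format (`keyid=<id> <MAC> <PSK>`, with `00:00:00:00:00:00` as the any-station wildcard), which is the open-source analogue of the vendor feature. The `PpskRegistry` class, the `dev-NNNNN` key labels, and the owner and device names are all constructed for illustration.

```python
"""Per-device PSK registry (added example; not Aerohive's PPSK code).

A pool of unique passphrases is generated once, the service desk hands one
key to each media device, a single key can be revoked without touching the
others, and the psk -> owner mapping answers "whose device used this key?".
Active keys are written in hostapd wpa_psk_file syntax. All owner/device
names below are constructed sample values.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

WILDCARD_MAC = "00:00:00:00:00:00"  # hostapd: PSK entry not bound to one MAC

# WPA2 passphrases must be 8..63 printable ASCII characters; token_urlsafe
# only emits this alphabet, which is also unambiguous for users to type.
_PSK_ALLOWED = set(string.ascii_letters + string.digits + "-_")


@dataclass
class KeyRecord:
    key_id: str                  # stable label; hostapd reports it as keyid
    psk: str                     # passphrase configured on the device
    owner: Optional[str] = None
    device: Optional[str] = None
    revoked: bool = False

    @property
    def active(self) -> bool:
        return self.owner is not None and not self.revoked


def valid_psk(psk: str) -> bool:
    """WPA2 length rule plus the registry's own character set."""
    return 8 <= len(psk) <= 63 and all(c in _PSK_ALLOWED for c in psk)


class PpskRegistry:
    def __init__(self, pool_size: int, psk_bytes: int = 12) -> None:
        # Generate the whole pool once (the thread does this yearly).
        # 12 random bytes -> 16 URL-safe characters, inside the 8..63 limit.
        self._by_id: Dict[str, KeyRecord] = {}
        self._by_psk: Dict[str, KeyRecord] = {}
        for n in range(1, pool_size + 1):
            psk = secrets.token_urlsafe(psk_bytes)
            while psk in self._by_psk:           # collision is negligible, check anyway
                psk = secrets.token_urlsafe(psk_bytes)
            rec = KeyRecord(key_id=f"dev-{n:05d}", psk=psk)
            self._by_id[rec.key_id] = rec
            self._by_psk[psk] = rec

    def assign(self, owner: str, device: str) -> KeyRecord:
        """Issue the next unused key to one device; revoked keys are never reused."""
        for rec in self._by_id.values():
            if rec.owner is None and not rec.revoked:
                rec.owner, rec.device = owner, device
                return rec
        raise RuntimeError("key pool exhausted; generate a new pool")

    def revoke(self, key_id: str) -> None:
        """Disable one device's key; every other key keeps working."""
        self._by_id[key_id].revoked = True

    def lookup(self, psk: str) -> Optional[KeyRecord]:
        """Audit question: which owner/device was issued this passphrase?"""
        return self._by_psk.get(psk)

    def remaining(self) -> int:
        """Unissued, unrevoked keys left in the pool."""
        return sum(1 for r in self._by_id.values()
                   if r.owner is None and not r.revoked)

    def render_hostapd_psk_file(self) -> str:
        """Only active keys are emitted; a revoked key simply drops out."""
        lines = [f"keyid={r.key_id} {WILDCARD_MAC} {r.psk}"
                 for r in self._by_id.values() if r.active]
        return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    reg = PpskRegistry(pool_size=3)
    console = reg.assign("alice", "game console")     # constructed sample
    stick = reg.assign("bob", "streaming stick")      # constructed sample
    reg.revoke(console.key_id)
    print(reg.render_hostapd_psk_file())              # lists only bob's key
```

The `keyid` label is what lets the access point report which issued key a station authenticated with, so a MAC address never has to be pre-registered to tie traffic back to an owner; revocation is just regenerating the file without that key and pushing it to the APs, which leaves every other device's passphrase untouched.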