>  
> WPA2-enterprise (eduroam or not) has three main benefits and a cool side 
> effect:
> 
> 1) You know who is on, one user at a time.
>  
> How do you know this? You know that the device is using a particular user’s 
> id/pass and/or was on-boarded using their account. You have no way to verify 
> that the device belongs to the actual owner. One could make the same claim of 
> PPSK (I know who you are based on your PPSK passphrase), but just like 
> WPA2-ent, there is nothing to prevent another user from on-boarding a device 
> for a friend.

If need be, you can find the user behind the authentication. And since we are 
also talking about EAP-TLS you can lock the profile to a specific device. No 
sharing. In this particular case EAP-TLS is ideal to prevent credentials 
sharing.

> 
> 2) the user knows what network it is (since the infrastructure certificate is 
> verified)
> 
> It’s been demonstrated over and over that most users will simply click past 
> prompts, even when the prompt clearly shows something is wrong i.e. a user 
> presented with a bad certificate is likely to just accept it (or disable the 
> verification of the cert).

If you use profile-based authentication, not letting users configure by just 
entering username/password when selecting the SSID (e.g. using the CAT tool or 
other profile creation apps), the infrastructure certificate cannot be bypassed 
easily. Or use EAP-TLS to totally prevent any risk.
>  
> 3) It’s automatic... no pesky portal to deal with
>  
> This is also a case for PPSK and/or an open network.

Of course, with my little bias toward roaming I should ask: how do you roam 
with PPSK? ;-)

How does PPSK size up for large campuses? I seem to remember from this list 
that beyond a certain number of users there are some limitations.

And finally with WPA2-ent you can separate users based on domains if you wish 
to do so (e.g. @students.domain vs. @faculty.domain).

I'm sure that PPSK has great applications for specific cases but it doesn't 
have the overall breadth of WPA2-enterprise. 

Philippe
www.eduroam.us
> ********** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
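
Added example, not part of the original message: a small audit of a wpa_supplicant `network={}` block that contrasts a hand-entered username/password profile with a provisioned EAP-TLS profile, checking the server-certificate pinning and credential-sharing points discussed in the thread. The profiles, realm names and file paths are constructed for illustration.

```python
import re

# Constructed sample profiles in wpa_supplicant.conf syntax (not from the thread).
MANUAL_PROFILE = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@students.example.edu"
    password="constructed-password"
    phase2="auth=MSCHAPV2"
}
'''

PROVISIONED_PROFILE = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@students.example.edu"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    client_cert="/etc/wifi/alice-laptop.pem"
    private_key="/etc/wifi/alice-laptop.key"
}
'''

def parse_network(text):
    """Return the key=value pairs of the first network={...} block."""
    body = re.search(r"network=\{(.*?)\n\}", text, re.S).group(1)
    pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M)
    return {k: v.strip('"') for k, v in pairs}

def audit(text):
    """List the ways this profile leaves server identity or credentials unpinned."""
    net, findings = parse_network(text), []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return ["not a WPA2-Enterprise profile"]
    if "ca_cert" not in net:
        findings.append("no ca_cert: the RADIUS server certificate is not verified")
    if not any(k in net for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no server name match: any certificate from the CA is accepted")
    if net.get("eap", "").upper() != "TLS" and "password" in net:
        findings.append("password-based EAP: the credential can be entered on another device")
    return findings

def realm(text):
    """Realm part of the identity, usable for per-domain policy."""
    return parse_network(text).get("identity", "").partition("@")[2]
```

The hand-entered profile yields three findings and the provisioned one yields none; `realm()` returns the part after `@` that a RADIUS policy could use to separate student and faculty users.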
