Our housing department is pushing pretty hard to replace keyed locks on dorm room doors with Wi-Fi connected proximity card locks (a pilot this summer and then eventually rolling out to ~3,000 rooms).
The locks would be “offline” locks that cache valid cards locally and only connect to the Wi-Fi network periodically for updates and when presented with a non-cached card. While the locks support multiple methods for authenticating to the wireless network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS is probably the most secure method for these devices. My thinking is to setup a private PKI and generate a client cert for every lock. However, I have two issues concerning EAP-TLS. 1. What should I use for a client certificate expiration date? Our key and access folks don’t want to update the locks client certs very often. (They will have to touch each lock on a regular basis to replace batteries, but don’t want to have to connect a computer to the locks every year). The same question applies for the server certificate expiration. 2. Should I advertise a separate SSID? We currently use eduroam as our primary campus SSID. I would prefer not to have to add an additional SSID just for these devices, but their use case seems different enough to warrant one. If your institution has implemented or thinking about implementing Wi-Fi connected locks, I’d appreciate your feedback. Thanks. -Neil -- Neil Johnson Network Engineer The University of Iowa Phone: 319-384-0938 e-mail: neil-john...@uiowa.edu<mailto:neil-john...@uiowa.edu> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.