Neil - we rolled out these locks to 3 Res Halls this past summer. We have them on the eduroam SSID connecting via PEAP/MSCHAPv2 with a local account on our ClearPass server. We have an enforcement policy that assigns this user account a VLAN ID that is private IP space that is restricted to only be able to communicate with the Lock system database server. We only had 1 complaint that we had to troubleshoot but it was found that a bunch of the lock were not configured to do their nightly check in for updates. The locks can also be set to check for an update upon a failure of proximity card. So if a student is issued a new card and tries to enter their room it will fail, the lock will check for an update and then on the next attempt the student should then have access. We used Assaa Abloy as our vendor.
Chris [cid:[email protected]] Chris Hart Senior Network Engineer From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Johnson, Neil M Sent: Wednesday, November 2, 2016 10:18 AM To: [email protected] Subject: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks) Our housing department is pushing pretty hard to replace keyed locks on dorm room doors with Wi-Fi connected proximity card locks (a pilot this summer and then eventually rolling out to ~3,000 rooms). The locks would be “offline” locks that cache valid cards locally and only connect to the Wi-Fi network periodically for updates and when presented with a non-cached card. While the locks support multiple methods for authenticating to the wireless network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS is probably the most secure method for these devices. My thinking is to setup a private PKI and generate a client cert for every lock. However, I have two issues concerning EAP-TLS. 1. What should I use for a client certificate expiration date? Our key and access folks don’t want to update the locks client certs very often. (They will have to touch each lock on a regular basis to replace batteries, but don’t want to have to connect a computer to the locks every year). The same question applies for the server certificate expiration. 2. Should I advertise a separate SSID? We currently use eduroam as our primary campus SSID. I would prefer not to have to add an additional SSID just for these devices, but their use case seems different enough to warrant one. If your institution has implemented or thinking about implementing Wi-Fi connected locks, I’d appreciate your feedback. Thanks. -Neil -- Neil Johnson Network Engineer The University of Iowa Phone: 319-384-0938 e-mail: [email protected]<mailto:[email protected]> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_groups_&d=CwMGaQ&c=yHlS04HhBraes5BQ9ueu5zKhE7rtNXt_d012z2PA6ws&r=CYuLo9E3nFauO_1q7Vz54s0evFy-qRGi6zN4VOktgIw&m=jQN_IkDWmkvRcvH-7FVl2Phvn-yhMGWEx3BuUp1QSbw&s=wqfOHLfpg1wKrXpXJCoL6Dx_jsG8pol4X6a3pySq-xY&e=>. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
