Our Residence Halls are handled by an outside ISP. They recently deployed a new Ruckus solution with one AP per every 3 suites (each suite holds 2 people). They have one PSK for the entire network that is posted on the wall when you walk in the Commons area. Not a way that I would have done it, but it works and with them doing it we don't have to mess with DMCA type stuff. Students are not allowed to bring personal routers. So far we have heard nothing but good things.
We briefly talked about how we would have done it internally, and we would have gone the route of Ruckus DPSK which is their version of PPSK. Give one onboarding network that allows DPSK generation for any devices they need, and then the secure network. Steven D Veron Senior Network Analyst- I.T. Infrastructure | Lamar University<http://www.lamar.edu/> – Texas State University System<http://www.tsus.edu/> | [email protected]<mailto:[email protected]> | office - 409.880.2386 [1461864200676_ITlogo.jpg] ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Chris Brezil <[email protected]> Sent: Wednesday, March 29, 2017 5:02:10 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Dorm Wireless Authentication Our dormitories are not on our man campus network and have Internet connections through secondary ISPs. So the question of "bad" usage in our case is a bit further complicated. When we spoke to some of our Dorm RAs about our plan to roll out wireless in the spaces, some of the immediate reaction was what would students, who are accustomed to using many wireless consumer based devices with easy "home" setup, have to deal with now if there was a university wireless infrastructure in place. So that is why we are trying to understand what the right balance of security vs. customer service (in this case, the this is "my home" experience...) priorities for this use case. Chris On Tue, Mar 28, 2017 at 12:05 PM, Chris Adams (IT) <[email protected]<mailto:[email protected]>> wrote: We handle our non-802.1x dorm devices using Aerohive’s PPSK implementation. We allow 1 device per key and drop them in a VLAN that is not enforced by our NAC. PPSK are handed our by our ITSD and the keys automatically roll each calendar year. Thanks, Chris Adams, CISSP Director, Network & Telecom Services Division of Information Technology University of North Georgia E-Mail: [email protected]<mailto:[email protected]> | Office: (706) 867-2891 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Lee H Badman Sent: Tuesday, March 28, 2017 11:49 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Dorm Wireless Authentication +1 for PPSK. Hopefully it’s an effective implementation on Cisco’s part. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Jeffrey D. Sessler Sent: Tuesday, March 28, 2017 11:43 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Dorm Wireless Authentication I’m moving toward this too, although I’m going the PPSK route (once Cisco gets it out of beta). In my opinion it just doesn’t make sense to push more restrictive methods on residential/students. It’s just a huge hassle they have to endure for 4 years and then they’ll never deal with it again. Jeff From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Lee H Badman Sent: Tuesday, March 28, 2017 7:18 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Dorm Wireless Authentication Absolutely no device restrictions. No preshare. Get on and go. But zero campus access, that requires using the authenticated network. Lee Badman | Network Architect Adjunct Instructor | CWNE #200 Information Technology Services 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 f 315.443.4325 e [email protected]<mailto:[email protected]> w its.syr.edu<http://its.syr.edu> SYRACUSE UNIVERSITY syr.edu<http://syr.edu> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Thomas Carter Sent: Tuesday, March 28, 2017 10:04 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Dorm Wireless Authentication Is it restricted to only “gadgets and games”, or is it used for laptops as well? A majority of the services our students use are Internet facing also, so Internet-only access would still give them access to the services they need. I assume there is an authenticated SSID also? Thomas Carter Network & Operations Manager / IT Austin College 900 North Grand Avenue Sherman, TX 75090 Phone: 903-813-2564 www.austincollege.edu<http://www.austincollege.edu/> [http://www.austincollege.edu/images/AusColl_Logo_Email.gif] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Lee H Badman Sent: Tuesday, March 28, 2017 8:23 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Dorm Wireless Authentication After kicking tires on leading classification engines and weighing solution dollars and support costs, we opted to pilot a wide open "gadget and games" SSID in the dorms that only have Internet access for all the oddballs. With almost a full year in, it's been very well used and received and we've been able to answer all of our own security questions that anyone would be contemplating. I think we'll be moving forward with this model. Lee Badman (mobile) On Mar 28, 2017, at 7:48 AM, Osborne, Bruce W (Network Operations) <[email protected]<mailto:[email protected]>> wrote: Here is another vote for ClearPass with Aruba wireless. When an Apple TV is registered, it is also registered as an AirGroup personal device so the owner’s 802.1X Apple device can use AirPlay to display content on the device. We also use Aruba’s Dynamic Multicast Optimization to provide multicast IPTV over wireless. Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Robert Spellman [mailto:[email protected]] Sent: Monday, March 27, 2017 9:33 AM Subject: Re: Dorm Wireless Authentication We use Aruba Clearpass, and have two SSID's on campus, one which is 802.1X, and the other open, doing MAC based authentication. Clearpass allows users to register their own devices for MAC authentication by logging into the Clearpass guest portal. Students can register devices for a year, while guests can register devices for 2 days. Rob Robert Spellman Bates College Information and Library Services On Mon, Mar 27, 2017 at 9:16 AM, Chris Brezil <[email protected]<mailto:[email protected]>> wrote: Good morning everyone, We are planning a larger scale roll out of wireless in our dorms. Currently we mainly just cover some of the common areas and students for the most part bring in their own routers. As most folks can appreciate, this has caused years of technical problems and is also not seen as great customer service. On our main campus wifi, we have people authenticate using 802.1x radius authentication using their university username and password. We have some concerns about doing this in the dormitories however. We know that students bring all sorts of consumer grade devices that require network access into their rooms, such as Apple TV, Amazon Echos, etc. Many of these devices will not work with username and password authentication and we are not looking to Mac exclude these devices on the network, given the overhead of setting this up. So we are looking possibly at doing WPA Personal with a passphrase that would be given to students. What are others doing? Has this come up as an issue for any of you? Best, Chris -- CHRIS BREZIL ASSISTANT VICE PRESIDENT, ENTERPRISE OPERATIONS INFORMATION TECHNOLOGY<http://www.newschool.edu/information-technology> 71 FIFTH AVENUE, 9th FLOOR, NEW YORK, NY 10003 [email protected]<http://www.newschool.edu/marketing-communication/email-signature.html> | 212.229.5300 x4512 [Image removed by sender.] ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. -- CHRIS BREZIL ASSISTANT VICE PRESIDENT, ENTERPRISE OPERATIONS INFORMATION TECHNOLOGY<http://www.newschool.edu/information-technology> 71 FIFTH AVENUE, 9th FLOOR, NEW YORK, NY 10003 [email protected]<http://www.newschool.edu/marketing-communication/email-signature.html#> | 212.229.5300 x4512 <http://www.newschool.edu/information-technology>[https://docs.google.com/uc?export=download&id=0Bz9BzY1rvKW_bDQ4SU1RUmpfMTQ&revid=0Bz9BzY1rvKW_cWtOekJTQ2RIdFFhQ3h1T0h3a3p3Vk9KT2pVPQ] ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. CONFIDENTIALITY: Any information contained in this e-mail (including attachments) is the property of The State of Texas and unauthorized disclosure or use is prohibited. Sending, receiving or forwarding of confidential, proprietary and privileged information is prohibited under Lamar Policy. If you received this e-mail in error, please notify the sender and delete this e-mail from your system. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
