Can you elaborate on this comment? “whereas with eduroam we were kind of locked-in to the PEAP model.”
Eduroam is EAP agnostic.

On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen" <[email protected] on behalf of [email protected]> wrote:

We also use eduroam and a university SSID and one benefit I've seen is that when our CISO decided to deprecate PEAP due to the "fake AP/MITM - exposed password" issue and favor EAP-TLS - we could easily control our own destiny with our own SSID whereas with eduroam we were kind of locked-in to the PEAP model. Lesser security will often result when universal compatibility is the goal. I mean we could force our own users to use EAP-TLS at home and abroad but in my opinion we could not truly say that we've done everything possible to mitigate the PEAP vulnerability while still propping up a PEAP SSID org-wide even if PEAP only ends up being used by visitors.

We currently offer long-term EAP-TLS connections on our university SSID to any guest willing to provide an SMS number (Cloudpath Feature). It turns out that the SMS-capable phone carrying population is much larger than those with eduroam credentials so far, and phone numbers are possibly more valuable to administrators than AD credentials of participating institutions in resolving issues.

In my opinion, as onboarding solutions mature the SSID becomes less important, and who knows maybe with Hotspot 2.0 completely irrelevant? Something to consider at least when making that decision anyway.

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313

___________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Les Ridgley <[email protected]>
Sent: Thursday, April 27, 2017 10:10 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

We retained both the eduroam SSID and the university one for the reasons of branding and more importantly for us, to ensure that our users on a site that has multiple institutions broadcasting the eduroam SSID we could guarantee connection to our network by using the university SSID. Had we only broadcast the eduroam SSID there was the possibility that the user could unknowingly connect to another institution's eduroam SSID and then not have the same access to system resources that they would experience had they connected to our SSID.

We have not experienced significant support difficulties and allow the users to use either SSID at their own discretion.

HTH,
Les.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Brian Helman
Sent: Friday, 28 April 2017 1:26 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

A related question came up today when discussing whether or not to get rid of our branded SSID or not once eduroam is up and running on our network.

Specifically: For those who decided to keep both the branded and eduroam SSID's (and assuming they are identical in terms of access for your institutional users) -- have there been any issues in doing so? For example, does it cause confusion to users or doesn't it matter to them? Any support issues either with the people directly supporting the users and/or managing the wireless network? If you decided to keep both .. do you regret this decision or are you happy/neutral with it?

Conversely, if you DID decide to go with only the eduroam SSID, has anyone regretted this decision?

We're just trying to get a fuller understanding before we decide to remove the branded SSID. We do think that's what people will look for .. especially those not familiar with eduroam.

Thanks!

-Brian

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Brian Helman [[email protected]]
Sent: Tuesday, April 25, 2017 1:57 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Ahh, I see. They are separate networks. We are using a NAC to place users in their proper vlan, so there’s no differentiation between our current university ssid and eduroam.

By the way, I keep writing “EDUROAM”. I know it’s “eduroam” .. it’s just habit from typing “EDUCAUSE”.

Thanks!

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of John Heartlein
Sent: Tuesday, April 25, 2017 1:52 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello Brian. SLU-users has more direct access to internal services like file and print services that we didn't want to provide to eduroam users. If we were ever to lock down SLU-users more to require VPN access to all internal resources, I think we'd recommend re-evaluating our SSIDs.

On Mon, Apr 24, 2017 at 8:14 AM, Brian Helman <[email protected]> wrote:

John,

Do you know what the thought process was behind maintaining both an EDUROAM SSID as well as your SLU-users? I’m just firing up our SSID for EDUROAM university-wide this week, so it would be the summer before our legacy SSID would go away. If there is a compelling reason that we haven’t discovered for keeping the legacy SSID, I certainly don’t want to get rid of it.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of John Heartlein
Sent: Friday, April 21, 2017 5:08 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Saint Louis University deployed eduroam in late 2015. Besides eduroam we have an 802.1x SSID SLU-users for our students, faculty, and staff. We also have SLUguest for guests and legacy devices. Here's a link to more information:

https://www.slu.edu/its/services-and-products/internet-and-network-services/wireless-networks-at-slu

On Fri, Apr 21, 2017 at 12:30 PM, Brian Helman <[email protected]> wrote:

We have moved into the “testing” phase of our EDUROAM connectivity. I’m hoping to fire up the EDUROAM SSID university-wide next week. Currently, we have a .1x SSID that will stay through the summer. Once EDUROAM is fully pushed, we’ll start our advertisement campaign to get people to log in to it. I would have waited until the summer to fire up EDUROAM so it is just available when everyone returns in the fall, but there’s such a strong benefit for our students, staff and faculty if they are traveling over the summer that I want to get it to them. There will be no “force move”, but the old .1x SSID won’t be available in the fall, so it benefits them to change their config now.

One note, we don’t currently support devices that do not support WPA/2 Enterprise (.1x) on our wireless network. Essentially, we’re talking about gaming consoles (whether they support .1x or not), smart tv’s and media devices. Students are told those devices need to be Ethernet-capable. I suspect we’re at least another year away from supporting non-WPA/2 Ent devices on our wireless network.

From what I have seen and in my discussions with our peers at other institutions, unless there is a marketing reason the .1x auths are via EDUROAM and the branded SSID’s are either specialized or they go away.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Bucklaew, Jerry
Sent: Friday, April 21, 2017 8:35 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

We are currently moving to eduroam as the primary ssid. We are doing a communication campaign and will retire the old 802.1x ssid at some point. We do have a non-802.1x ssid for “other” devices. It is a “start here” ssid that will also configure you for 802.1x.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Marcelo Maraboli
Sent: Thursday, April 20, 2017 5:17 PM
To: [email protected]
Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello everyone.

We are finally adopting EduROAM in our University and we currently have one SSID with MAC-based authentication, so moving to EduROAM is also a 802.1x upgrade for us as well.

Would you be so kind as to respond to a couple of questions?

If you adopted EduROAM as your primary SSID:
- Did you leave an SSID for legacy devices? (What AUTH mechanism for this SSID?)
- How did you "force-move" your users to EduROAM from your old SSID?

If you added EduROAM as just another SSID:
- why not adopt EduROAM as your primary SSID? (Branding or no interest?)
- Is your primary SSID also 802.1x or MAC-based?
- if 802.1x, why have 2 SSIDs with 802.1x?

thank you all,

--
Marcelo Maraboli Rosselott
Deputy Director of Networks and Security
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

--
John Heartlein | Manager - ITS Infrastructure Operations | Saint Louis University <http://www.slu.edu/>
3545 Lindell Boulevard, The Marvin and Harlene Wool Center | T 314-977-5025
Do you like our work? Let us know @ http://www.slu.edu/its/about-its/its-recognition
Check the University's network and telecomm status @ https://itsnoc.slustatus.org
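
Added example, not part of the thread or written by any of its participants: the "fake AP/MITM - exposed password" concern raised above for PEAP depends on whether the client verifies the RADIUS server before starting a password-based exchange. The sketch below audits wpa_supplicant network blocks for that condition; the sample profiles, file paths and host names are constructed placeholders.

```python
import re

# Constructed wpa_supplicant.conf sample (not from the thread); all values are placeholders.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    eap=PEAP
    identity="user@example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    eap=PEAP
    identity="user@example.edu"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.edu"
}
network={
    ssid="campus"
    eap=TLS
    client_cert="/etc/wpa/user.pem"
    private_key="/etc/wpa/user.key"
}
'''

PASSWORD_METHODS = {"PEAP", "TTLS"}  # tunnel a password-derived exchange to the server
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, flags=re.S):
        pairs = re.findall(r"^[ \t]*(\w+)=(.*?)[ \t]*$", body, flags=re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List why this profile would authenticate to an unverified RADIUS server."""
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate is not validated")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from the CA is accepted")
    if findings and set(net.get("eap", "").upper().split()) & PASSWORD_METHODS:
        findings.append("password exchange can reach a rogue AP's RADIUS server")
    return findings

def audit_config(text):
    return [(n.get("ssid"), n.get("eap"), audit(n)) for n in parse_networks(text)]
```

The third profile is flagged for missing server validation but not for password exposure, since an EAP-TLS client has no password to give up.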
