Thanks Tim, we don’t have clearpass (we use freeradius and cloudpath). I’ll certainly keep that in mind though for future
--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Cappalli, Tim (Aruba Security)
Sent: Thursday, 28 September 2017 1:04 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

What are you using for a AAA solution? ClearPass fully supports per-device PSK with Cisco WLC’s with full self-registration.

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Jason Cook <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Date: Wednesday, September 27, 2017 at 9:00 PM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We currently set up dedicated PSK’s for everything, but that’s such a pain so are currently going through the process of something new. As a short term measure to improve things (since at times we end up with 5 additional PSK’s and Cisco’s SSID assignment is a bit crappy) we have a single PSK that rolls over once a week and our service desk hands out the PSK upon requests.

We are currently building a registered guest environment in Cloudpath, it’s not set in stone yet but…. Short term visitors will likely connect to an open network with MAC registration while longer term visitors will get a certificate and use our primary SSID with wpa2-enterprise. We’ll enable various groups like service desk and event organisers to be sponsors to create the codes to register with and get users to identify themselves via txt, email or external auth like Google/Facebook/LinkedIn.
Dedicated PSK’s will be allowed under certain circumstances. We would ideally migrate the MAC rego to IPSK “when” it’s ready for such an implementation.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Trinklein, Jason R
Sent: Thursday, 28 September 2017 7:08 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We used to set up custom SSIDs for conferences and special events on a subset of our APs with PSKs, and the traffic ended up on a dedicated VLAN with internet-only access. It was cumbersome and made our APs unstable with the frequent configuration changes.

We switched to creating a special OU/group in AD for housing temporary self-expiring accounts for use by these events. Then, we hand these credentials over to the event organizer, and the attendees log into our normal secure college wireless SSID with WPA2-Enterprise. Our FreeRADIUS server detects the user’s OU/group as being a guest account, and sets the internet-only guest VLAN dynamically. Same functionality, better security, easier to process, and now we’re in a position to hand off these requests to our IAM team instead of processing them in our wireless or network groups.

We are also in the process of switching to Packetfence for managing our guest wireless SSID, which should alleviate some of the demand for these custom accounts since we’ll be able to lift some of our guest network restrictions.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
[email protected] | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of James Helzerman <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Date: Wednesday, September 27, 2017 at 4:58 PM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We have a guest ssid with a click to accept use agreement that works for most conferences we have. On occasion we will need to create a unique PSK for a one time event but that is maybe once or twice a year and usually centered around technology and accessing specific resources either on campus or through ports we normally restrict on the guest network.

IMO a guest network that is well designed and implemented should be able to accommodate 95+% of the conferences or events.

-Jimmy

--
James Helzerman
Wireless Network Engineer
University of Michigan - ITS

On Wed, Sep 27, 2017 at 8:34 AM, Michael Davis <[email protected]> wrote:

We currently do something similar as Bruce. Normal Self-registration and sponsored registration using clearpass guest, but large and/or multi-day events can get a PSK SSID assigned if given ample time and planning.

On 9/27/17 8:07 AM, Osborne, Bruce W (Network Operations) wrote:

Our process is not ideal. Where possible, we try to avoid setting up special SSIDs.

Our normal Guest SSID allows for self registration for bandwidth-restricted Internet access or sponsored registration for faster Internet access. We utilize our ClearPass Guest management to create an expiring event guest username with unlimited devices ending in “@event” instead of a proper email address.
The original plan was for our IT Communications BRMs to create these accounts. Lately, our wireless team has been doing that. Event coordinators need to test access ahead of time, especially if it is “critical”. Otherwise, they are failing their job, IMHO.

For major events, with special access we sometimes set up a PSK SSID. In our experience, an open SSID is not good because you will pick up every roaming mobile device, exhausting your DHCP address pool.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Williams, Mr. Michael [mailto:[email protected]]
Sent: Monday, September 25, 2017 4:01 PM
Subject: Wi-Fi Request for University Conference event

Hello,

Here recently, we have received numerous requests for guest WI-FI access during on campus conference events. In order to support these events, we normally create a special open conference SSID that requires a pre-shared key or passcode for authentication. What we are struggling with is how to set the level of expectation for WI-FI functionality during these types of events. Conference sponsors inform us that Wi-Fi/internet access for conference attendees is critical, or some special app must function flawlessly or their conference event will be a bust.

We want to develop a formal conference request process that would detail what type of Wi-Fi support we can offer, what level of user experience to expect and what the sponsor responsibilities would be during these conference events.

I am curious to hear how other universities handle these types of events. Does anyone have a formal process, that they are willing to share, that addresses some of these concerns?

Thanks
Mike

Michael M. Williams
Senior Network Engineer
Information Technology Services
Tarleton State University
201 St. Felix Str. Box T-0220
Stephenville, TX 76402
Tel: (254) 968-1850
Fax: (254) 968-9658
[email protected]
“Tarleton Networks – Connecting people with their potential”

Information Technology Services staff will never ask for your password in an email. Don't ever email your password to anyone or share confidential information in emails.

Confidentiality Notice: This electronic message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Mike Davis
Systems Programmer V
NSS - University of Delaware - 302.831.8756
Newark, DE 19716
Email [email protected]

--
James Helzerman
Wireless Network Engineer
University of Michigan - ITS
Phone: 734-615-9541

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
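The dynamic guest VLAN assignment Jason Trinklein describes in this thread, sketched as a FreeRADIUS 3.x unlang policy. This is an added example, not configuration posted by anyone on the list; the group DN and VLAN ID are placeholders, and it assumes the `ldap` module is already configured for group lookups against AD.

```conf
# Added example (FreeRADIUS 3.x unlang), for the post-auth section of the
# virtual server that handles the WPA2-Enterprise SSID.
# Assumptions: the "ldap" module is enabled and its group settings point at
# AD; the group DN and VLAN ID below are placeholders, not values from the
# thread.
post-auth {
    # Temporary, self-expiring event accounts live in a dedicated guest group.
    if (LDAP-Group == "CN=Event-Guests,OU=Temporary Accounts,DC=example,DC=edu") {
        update reply {
            # Standard RADIUS tunnel attributes used for dynamic VLAN
            # assignment (RFC 3580).
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            # Placeholder ID for the internet-only guest VLAN.
            Tunnel-Private-Group-Id := "999"
        }
    }
    # Accounts outside the guest group get no override here and stay on the
    # VLAN the WLAN assigns by default.
}
```

The wireless controller or AP has to be configured to accept RADIUS-assigned VLANs for these reply attributes to take effect.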
