Hi William. “Most need no instructions and figure it out on their own,” may not be the virtue you think it is. How many of these users figuring it out on their own are validating your RADIUS server certs? Self-configuration invites MiM attacks that can harvest account credentials. It’s precisely the security weakness of 1x I cautioned about earlier.
Furthermore, providing an onboarding option that configures the devices correctly doesn’t prevent users from self-configuring. A good on-boarding solution will be widely used and will reduce the overall risk, but it doesn’t eliminate the problem. TLS is the only EAP type that doesn’t have this weakness.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Green, William C
Sent: Thursday, September 12, 2019 7:27 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

We’ve found it’s easier for our community to onboard to our 802.1x SSID with the native supplicant of the device, rather than download and run an installer (we are dropping the installer). Most need no instructions and figure it out on their own.

While we offer an iPSK SSID, it is not as easy— a person must go to a web site to enroll a MAC address and get a key. Predominantly in the residence halls so far (TVs, speakers, printers, game consoles, etc). Also a smattering of devices that don’t support 802.1x (making our researchers happy). I’m waiting to hear how iPSK has improved battery life for IoT projects.
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | it.utexas.edu | [email protected]

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
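
The server-certificate validation question raised in this thread can be checked on a client. The following is an added example, not part of the original messages: it audits `wpa_supplicant`-style `network={...}` blocks for password-based EAP profiles that do not validate the RADIUS server. The thread names no particular supplicant, so the choice of wpa_supplicant, the SSIDs, the path and the server name are all assumptions.

```python
# EAP methods that carry a password inside the TLS tunnel (EAP-TLS uses a client cert).
PASSWORD_EAP = {"PEAP", "TTLS"}
# wpa_supplicant options that pin the expected RADIUS server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
# Constructed sample configuration (SSIDs, path and server name are placeholders).
SAMPLE = """
network={
    ssid="campus-selfconfigured"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-onboarded"
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text):
    """Map each SSID to the server-validation gaps found in its block."""
    findings = {}
    for net in parse_networks(text):
        issues = []
        if set(net.get("eap", "").upper().split()) & PASSWORD_EAP:
            if "ca_cert" not in net and "ca_path" not in net:
                issues.append("no ca_cert: server certificate is not validated")
            if not any(opt in net for opt in NAME_CHECKS):
                issues.append("no server name check: any certificate from a trusted CA passes")
        findings[net.get("ssid", "?")] = issues
    return findings

if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE).items():
        print(ssid, "->", issues or "server validation configured")
```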
