2nd that, self guided EAP-PEAP is convenient, but the Evil Twin Attack isn't exactly new or difficult.
In the past I've used a optional layered approach. Give an option on the open SSID captive portal for initial onboarding, or limited Guest access (weekly type) captive portal re-login after student credentials. With open SSID disclaimers that no one reads of course. One place asked for a counter so the user could only do the extended captive portal 3 times. Android 10 now defaulting daily MAC randomization on Open SSIDs is likely going to kill this type of option. If EAP-PEAP on the 802.1x give another optional captive portal that pops back up every so often, once a month or once a semester type deal reminding them they should OnBoard for EAP-TLS. This tends to stagers the more arduous adopters and reduce the help desk calls after password resets. ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
