We also run a completely open SSID. There is a captive portal, but it's at
the gateway rather than the wireless controller, so the same mechanism can
also handle wired connections, and it's only used for enforcement. New
visitors can get on the network without seeing the captive page.

> to get the protections afforded to ISP’s under DMCA we need to inform
> users that they’re not allowed to share copyrighted materials and that
> their connection will be blocked if they do.

We handle the notification out-of-band for our students.  We have to notify
them; we don't necessarily have to use a captive portal to do it right at
connection time. The information is included with the account activation
for new students, repeated during orientation, repeated again via e-mail
near the start of each term, repeated again on the gateway capture page for
early offenses, and included in the student handbook.

If it were to come to the point of a block, we can give specific devices
a capture page with no way to click through. But our policy also includes
this text:

* Internet access today is more than a simple privilege, but is now
necessary for continued successful progress in academic pursuits. Student
actions which require the Department of Information Technology and the
Office of Student Development to conclude it is no longer appropriate to
allow a student to continue using the campus network may therefore result
in dismissal of the student  *

Joel Coehoorn
Director of Information Technology
402.363.5603
*jcoeho...@york.edu <jcoeho...@york.edu>*

*Please contact helpd...@york.edu <helpd...@york.edu> for technical
assistance.*


The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society


On Fri, Sep 13, 2019 at 7:42 AM Enfield, Chuck <cae...@psu.edu> wrote:

> “We run eduroam and a completely open guest SSID. The open SSID has no
> captive portal, no click through terms of services, and no restrictions on
> Internet access for content or speed.”
>
>
>
> I’m jealous Felix.  I made a strong push for this approach, but General
> Counsel stopped it.  FWIW, I think they got it right, but life would be
> easier and users would be happier your way.
>
>
>
> Their rationale is that to get the protections afforded to ISP’s under
> DMCA we need to inform users that they’re not allowed to share copyrighted
> materials and that their connection will be blocked if they do.  For
> account holders we make them agree to these terms and more when they
> activate their account.  But if the network doesn’t require an account this
> notification seems to demand a captive portal.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Felix Windt
> *Sent:* Friday, September 13, 2019 8:26 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
>
>
>
> I’d pay a fair price for an easily administered solution that lets us roll
> out PPSK in the dorms and deploy broadcast/multicast domains scoped to
> specific users.
>
>
>
> We run eduroam and a completely open guest SSID. The open SSID has no
> captive portal, no click through terms of services, and no restrictions on
> Internet access for content or speed. That SSID bridges through to VLANs in
> a DMZ, and its only real restriction is that it can only reach proper
> public IP addresses on campus, plus 2-3 applications on private IPs that
> are specifically permitted. That’s enforced on the firewalls between campus
> and the DMZ.
>
> We do see quite a lot of students on that SSID permanently. As a huge
> amount of our student applications are either cloud hosted or available on
> the public Internet, that works just fine for them. We’d prefer them on
> eduroam, but user experience trumps our preferences. The only real problems
> are devices such as Sonos sound bars, Google appliances, and other devices
> that will only support PSKs for wireless. For those we don’t have a
> solution right now.
>
>
>
> Once WPA3/OWE is out and widely supported I genuinely don’t know how much
> we’ll care about where devices are. At that point it seems not just more
> user friendly but easier for IT overall to just throw reasonable security
> in front of web apps that the student and faculty population need to
> access, and let them sit on the SSID that’s easier to get on to.
> Administrative machines under central control would probably be kept on
> properly authenticated networks, but those are easier to solve if you have
> reasonable mass device management options.
>
>
>
> For what it’s worth, we use the eduroam CAT tool for onboarding.
>
>
>
> thx,
>
>
>
> Felix Windt
>
> Dartmouth College
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Rumford, Charles" <
> charl...@isc.upenn.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Thursday, September 12, 2019 at 2:26 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
>
>
>
> I agree that complicated onboarding is the worst from the end user
> perspective and a pain to manage.
>
> I started designing a PPSK/MPSK design to take over our primary 802.1x
> network. The biggest hurdle I ran into with it was the randomization of MAC
> addresses for devices. I've been told Android 10 has it on by default, and I
> know that Windows supports it also. I could only see issues from a support
> issue coming down the line. I need to spend some more research time with
> it.
>
>
>
> --
> Charles Rumford
> IT Architect
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (Sent from Mobile)
> ------------------------------
>
> *From:* "Enfield, Chuck" <cae...@psu.edu>
> *Sent:* Thursday, September 12, 2019 14:11
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
>
>
>
> Seconded.
>
>
>
> And for those who think that security is more important than the user
> experience in some cases, I wouldn’t argue, but I would point out that an
> improperly configured 1x device puts the user’s credentials at risk.
> 802.1x isn’t all upside from a security perspective either.
>
>
>
> Chuck
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Jeffrey D. Sessler
> *Sent:* Thursday, September 12, 2019 1:46 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Feasibility of an open SSID for student use
>
>
>
> I’ve never been a fan of the complicated onboarding. It’s intrusive, and
> unlike any other wireless experience an individual will encounter in their
> life i.e. any other wifi-enabled location/venue.
>
> With the growing trend of EDUs moving to SaaS and other Cloud solutions,
> wireless will be nothing but a gateway to those external services. When
> it’s easier to consume those services via one’s own unlimited-data cellular
> connection, or go to Starbucks, it may be time for us (EDU’s) to reevaluate
> our approach.
>
>
>
> Besides a purely open network, the next-best (same?) experience to home
> would be something like PPSK or for the Cisco folks IPSK. You get something
> slightly better than an open network, but it’s PSK and all of those
> wonderful IoT devices just work. My crystal ball wish is to have that
> PPSK/IPSK solution then group that user’s devices into a private virtual
> home network, providing something that approaches their home experience.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Kurtis Olsen <
> kurtis.ol...@uvu.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Thursday, September 12, 2019 at 9:27 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *[WIRELESS-LAN] Feasibility of an open SSID for student use
>
>
>
> We have been receiving a lot of complaints about a complicated onboarding
> process and have been asked to look at providing an Open SSID that has
> little to no onboarding.  I see an advantage being the ease of connecting
> but I have some concerns, mainly about providing a secure environment.
> Our current onboarding process works like this.  Users connect to our
> Wolverine-WIFI SSID.  They then authenticate through our NAC solution which
> forces laptops to download a client.  This client scans their device for
> Antivirus and OS updates.  If it fails the scan they have access to get
> these updates.  Once it passes they are moved to our wireless production
> vLan.  There are no clients or scans for cellular devices at this time.
> Users then have the option to join our Wolverine-Secure which authenticates
> by cert using SecureW2’s services.
>
>
>
> I am curious if anyone else is using a completely open network for their
> general population or any other suggestions of how this can be simplified.
>
>
>
> Kurtis Olsen
>
> Director – Network & Telecom
>
> Utah Valley University
>
> 800 W University Parkway
>
> Orem, UT 84058
>
> 801-863-8000
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
