Hi Greg, I’m assuming your customer is using an open network with captive-portal - what’s the “life time” of those passwords? I’m a bit surprised to hear about “smoothing” the process from going from a captive-portal network to an 802.1x Network (there are definitely a few ideas that come to mind where that could definitely be the case) – but password/change issues occur even with 802.1x PEAP-MSCHAPv2 clients – which results in “unhelpful” – “Can’t Connect to the Network” -> Windows 10 Error Message – or “Can’t Connect to Network / Try Moving Closer to the Router” on Mac OS X.
We’re actually starting to move forward with EAP-TLS certificate authentication with Secure W2 onboarding within the next year. I do have some more thoughts I’ll share later, but am curious about that current setup. Christopher Johnson Wireless Network Engineer AT Infrastructure Operations & Networking (ION) Illinois State University (309) 438-8444 Stay connected with ISU IT news and tips with @ISU IT Help on Facebook<https://www.facebook.com/ISUITHelp/> and Twitter<https://twitter.com/ISUITHelp> From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Coehoorn, Joel Sent: Wednesday, November 06, 2019 12:27 PM To: [email protected] Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] Password reset/change guidance [This message came from an external source. If suspicious, report to [email protected]<mailto:[email protected]>] I'd love to "stand up an onboarding system", but so far the cost has been far too much for us relative to the user experience. The UX hasn't been there because the better options want to use sms and 2 of the top 5 cellular carriers have poor coverage on our campus. We can help students and employees work past that, but it makes us unwelcoming to too many guests. With this limitation, I don't see anything better than 1x at the moment. On Wed, Nov 6, 2019, 12:04 PM Sweetser, Frank E. <[email protected]<mailto:[email protected]>> wrote: Personally, I'm a big fan of leveraging certificates for wireless authentication. It completely decouples the username and password once you're past the provisioning process, but you can still tie your RADIUS server into AD to reject people with locked out accounts if you want. Machines on a domain can leverage ADCS, but for BYOD devices you'll need to stand up an onboarding system, like SecureW2 or Clearpass. For setup, we have an open SSID that's dual purposed with guest logins, but also allows access to our onboarding system. This allows users to do it completely self service. Frank Sweetser Director of Network Operations Worcester Polytechnic Institute "For every problem, there is a solution that is simple, elegant, and wrong." - HL Mencken ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]<mailto:[email protected]>> on behalf of Kovich Greg <[email protected]<mailto:[email protected]>> Sent: Wednesday, November 6, 2019 8:41 AM To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Subject: [EXT] [WIRELESS-LAN] Password reset/change guidance Hello WLAN Community, A customer of ours has been using a captive portal to authenticate students to WiFi (Alcatel-Lucent branded Aruba gear). When a student forgets or does not reset their password there is a link on the CP to accomplish that… unfortunately, there have been problems with the variety of student device browsers, so they are considering a move to 802.1X authentication in the hope that this smooths out the student experience. What best practice advice do you have for students to deal with password changes/resets when they can’t connect to the campus WiFi? Thank you for any guidance you can provide!! Sincerely, Greg ------- Greg Kovich Director, North America Education Sales Alcatel-Lucent Enterprise ALE USA 3015 Abby Lane | Suite 301-B Schererville, IN 46375 t: +1-818-878-4667<tel:+1-818-878-4667> m: +1-219-276-2320<tel:+1-219-276-2320> e: [email protected]<mailto:[email protected]> w: www.al-enterprise.com<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.al-enterprise.com%2Fen&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941454521&sdata=YjEk1reDcRF%2BO10mayOUAtPdg2RSRO6uXzfoKqUOFF4%3D&reserved=0> @ALUEnterprise [LinkedIn]<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Falcatellucententerprise&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941464515&sdata=tYaHJTdfbwSXhJLi2NSTx40DJ9Ifb0qSNJ2mrWSMF%2Fk%3D&reserved=0> [Twitter]<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Faluenterprise&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941464515&sdata=oQ5rqerUHwLVnHO39ur1IPZE3lYCJLKVC1RTyQ6uZak%3D&reserved=0> [YouTube]<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2Fuser%2FEnterpriseALU&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941474507&sdata=fW%2By5vokedvuqLC3%2BPfw3NHr4d4bzI3p21wqt%2BDuumY%3D&reserved=0> [Facebook]<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2FALUEnterprise&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941474507&sdata=0%2FBr3kES1x6Dk2tZzyfbPMXwpSjVBdJMAzQRPFxxG0M%3D&reserved=0> [Rainbow]<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fweb.openrainbow.com%2Fapp%2F1.31.7%2Findex.html%23%2Flogin&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941484505&sdata=oi63cJai15dS%2F7KjbeuOxLw%2FaWEtRXD3Rpcx1L2e8XA%3D&reserved=0> [https://www.al-enterprise.com/en/-/media/assets/internet/images/logo.png]<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.al-enterprise.com%2Fen&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941484505&sdata=rvO3hu1VaUOP64o7n01%2BDYhLaJveQ5Z12FiO197m4ng%3D&reserved=0> The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE. This communication is intended to be received only by the individual or entity to whom or to which it is addressed and may contain information that is privileged/confidential or subject to copyright. Any unauthorized use, copying, review or disclosure of this communication is strictly prohibited. If you have received this communication in error, please delete this message from your e-mail box and information system (including all files and documents attached) and notify the sender by reply email. ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cfs%40WPI.EDU%7C8910f04de80845c455f408d762c06e2b%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637086450941484505&sdata=8D2rONQYxQko1KlyUYabe%2F3N%2FkdpCk4AY%2BiXrI%2FqZ2Q%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
