Hi,

We're considering this approach, however we need a way to tie this in with AD 
account status/expiry which needs to be near-instant, i.e. if an AD 
account/identity for a user is disabled, we need to immediately deregister or 
suspend ALL devices they have registered to their identity, otherwise things 
get ugly from an infosec perspective.

I'm assuming freeradius+web-based front end for registration? How do you 
perform the device fingerprinting? That's a very cool solution!

Cheers,
Tristan
-- 
TRISTAN GULYAS
Senior Network Engineer

Technology Services, eSolutions
Monash University
738 Blackburn Road
Clayton 3168
Australia

E: tristan.gul...@monash.edu <mailto:tristan.gul...@monash.edu>
monash.edu <http://monash.edu/>

> On 25 Sep 2020, at 3:11 am, Michael Dickson <mdick...@nic.umass.edu> wrote:
> 
> We created a PSK SSID with MAC auth registration for devices. We limit device 
> types to essentially the "consumer grade entertainment devices" genre. We use 
> device fingerprinting to accomplish this. We started from a "deny all then 
> allow" paradigm. Only game consoles during pilot. Then added video streaming 
> devices then AppleTV, Echo, SmartTVs, etc. Easier to add device types than 
> take away. 802.1x capable devices get denied. We also limit number of devices 
> a user can register. All helps to mitigate the flood of industrial IT devices 
> coming in from campus wide vendors, some of which may fall into the 
> life-safety genre. Vendors get stuck and end up asking how they can add "a 
> lot" of sensors (e.g. HVAC) to our wireless. We have a discussion, give it a 
> thumbs up or down, and create rules/policies/networks as needed. Good but not 
> perfect. But starting off closed then letting out the line has helped. Having 
> a PSK network also solves the issue of devices that can't connect to open 
> SSIDs. And if we end up just allowing all on the devices network at least we 
> have a sponsor to tie the devices back to. 
> 
> Mike Dickson
> Michael Dickson
> Network Engineer
> Information Technology
> University of Massachusetts Amherst
> 413-545-9639
> michael.dick...@umass.edu <mailto:michael.dick...@umass.edu>
> PGP: 0x16777D39
> On 9/24/20 11:33 AM, Lee H Badman wrote:
>> We created an open SSID for the dorms that has Internet access only. It 
>> helps with maybe ¾ of the consumer devices, but there are still some home 
>> gadgets that need more- Chromecast is one example. Some speakers as well. 
>> Then there are devices that will ONLY join PSK networks (like TP-Link power 
>> strip) so the open won’t work there. I have seen one Nanoleaf light 
>> controller that will not work in 2.4 if it sees 5 GHz, and it only works in 
>> 2.4 despite the ability to sense 5. The unholy and expensive things needed 
>> to make these high end enterprise systems work like home Wi-Fi are really 
>> fairly astounding.
>>  
>> If you go this route, expect to occasionally buy and try consumer gear to 
>> verify what works and what doesn’t, and to play whack a mole with students' 
>> wireless hotspots when whatever you attempt doesn’t immediately work.
>>  
>> Or… let them use their own hotspots and be done with it. (If only…)
>>  
>> Lee Badman
>>  
>>  
>>  
>> Lee Badman | Network Architect (CWNE#200)
>> 
>> Information Technology Services
>> (NDD Group)
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> 
>> t 315.443.3003   e lhbad...@syr.edu <mailto:lhbad...@syr.edu> w its.syr.edu
>> Campus Wireless Policy: 
>> https://answers.syr.edu/display/network/Wireless+Network+and+Systems 
>> <https://answers.syr.edu/display/network/Wireless+Network+and+Systems>
>> SYRACUSE UNIVERSITY
>> syr.edu
>> 
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Gernannt, Bill
>> Sent: Thursday, September 24, 2020 10:54 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: [WIRELESS-LAN] Wireless Device Policy Questions
>>  
>> All –
>>  
>> From a residence hall perspective, Young Harris College is a wireless only 
>> campus. We are currently seeing a 40% increase in wireless devices over last 
>> Fall. This has placed a bit of a strain on our wireless network and, by 
>> extension, our tiny IT department. This has prompted several internal 
>> discussions as to what expectations our end users should have related to 
>> wireless support.
>>  
>> Obviously, our core responsibility is to provide the resources necessary to 
>> have a successful educational experience. But, we also recognize there is a 
>> need for our students to have access to online recreational activities like 
>> gaming and streaming media. As we look to strike a balance, we wanted to 
>> reach out to other institutions for insight and guidance.
>>  
>> Have any institutions implemented a restrictive policy that prohibits 
>> specific wireless devices? If so, how did you determine what was acceptable 
>> and what was not? How did you get leadership to support the initiative? How 
>> do you go about enforcing the policy?
>>  
>> Have any institutions developed policies that set expectations for wireless 
>> performance? What does the policy consider to be necessary versus desirable?
>>  
>> Any examples or ideas would be most welcome. Feel free to reach out to me 
>> directly, if preferred.
>>  
>> Regards,
>>  
>> Bill Gernannt
>> Network Administrator
>> Information Technology Services
>> 1 College Street | Young Harris, Georgia 30582
>> (706) 379-5206 | wegerna...@yhc.edu <mailto:wegerna...@yhc.edu> | yhc.edu 
>> <http://www.yhc.edu/>
>>  
>> **********
>> Replies to EDUCAUSE Community Group emails are sent to the entire community 
>> list. If you want to reply only to the person who sent the message, copy and 
>> paste their email address and forward the email reply. Additional 
>> participation and subscription information can be found at 
>> https://www.educause.edu/community <https://www.educause.edu/community>

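The registration rules described in the thread (deny by default, an allow list of device types, 802.1X-capable devices denied, a per-user cap, a sponsor tied to every device) together with the requirement that disabling an account suspends all of that user's devices, sketched as an added example that is not code from any poster or product. The category labels, the cap of 5, the `Registry` class and its method names are all assumptions; how the fingerprint is obtained is not covered here.

```python
from dataclasses import dataclass, field

# Assumed labels emitted by a fingerprinting step; the thread does not specify one.
ALLOWED_CATEGORIES = {"game_console", "video_streamer", "smart_tv", "smart_speaker"}
MAX_DEVICES_PER_USER = 5  # assumed cap; the thread gives no number


def _norm(mac):
    """Normalise a MAC so AA-BB-.. and aa:bb:.. are the same key."""
    return mac.lower().replace("-", ":")


@dataclass
class Registry:
    enabled_users: set = field(default_factory=set)  # mirror of directory account status
    devices: dict = field(default_factory=dict)      # mac -> sponsor, category, active

    def register(self, sponsor, mac, category, dot1x_capable):
        """Deny by default; return (accepted, reason)."""
        mac = _norm(mac)
        if sponsor not in self.enabled_users:
            return False, "sponsor account disabled or unknown"
        if dot1x_capable:
            return False, "802.1X-capable device denied"
        if category not in ALLOWED_CATEGORIES:
            return False, f"device type not on allow list: {category}"
        owned = [m for m, d in self.devices.items()
                 if d["sponsor"] == sponsor and m != mac]
        if len(owned) >= MAX_DEVICES_PER_USER:
            return False, "per-user device limit reached"
        self.devices[mac] = {"sponsor": sponsor, "category": category, "active": True}
        return True, "registered"

    def authorize(self, mac):
        """MAC-auth decision at association time; re-checks the sponsor's status."""
        d = self.devices.get(_norm(mac))
        return bool(d and d["active"] and d["sponsor"] in self.enabled_users)

    def on_account_disabled(self, sponsor):
        """Directory event handler: suspend every device tied to the sponsor."""
        self.enabled_users.discard(sponsor)
        suspended = []
        for mac, d in self.devices.items():
            if d["sponsor"] == sponsor and d["active"]:
                d["active"] = False
                suspended.append(mac)
        return sorted(suspended)  # caller would also disconnect live sessions
```

Because `authorize` re-checks the sponsor on every decision, a device stays blocked even if the suspend pass misses it; already-associated clients still need an explicit disconnect to be cut off immediately.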
