I've seen a range from "no lifeguard on duty" aka "good luck" with a basic 
low-security Internet-only network to managing specific device registrations 
tied to the user; typically the personal device registrations are going to be 
MAC-based, and I've seen several unis with home-grown MAC registration systems 
tied to user accounts, and of course, as Tim and Mike mentioned, ClearPass also 
does this. There are some caveats (or specific requirements) with ClearPass 
though: if you want it (the MAC-registered device) tied to the user's account, 
then you need to be using a user-based authentication at the SSID profile 
level; meaning, last I saw in POCs, there wasn't a way to have a 
self-registration portal within CPPM that allowed a user to enter those 
credentials on something like the portal, then tie a MAC registration to it. 
Other products like FortiNAC do meet that specific use case, as possibly do other 
products as well.

Most schools we've worked with do have some type of limit for devices that can 
be registered but those do all have some type of self-service portal so the 
students can add/remove their devices. The allowed number of devices ranges.

___________
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Michael Dickson <mdick...@nic.umass.edu>
Sent: Friday, September 25, 2020 10:29 AM
Subject: Re: Wireless Device Policy Questions

We use Clearpass for user MAC reg portal and for device fingerprinting. We have 
a special bit set in LDAP (AD) that we check for when a device seeks to auth 
onto a wireless network. If we need to prevent all user devices from getting 
connected we disable the bit. A relatively short reauth interval will prevent 
reauths.

Mike


Michael Dickson

Network Engineer

Information Technology

University of Massachusetts Amherst

413-545-9639

michael.dick...@umass.edu

PGP: 0x16777D39
On 9/25/20 10:25 AM, Tim Cappalli wrote:
If you're using Aruba ClearPass, you can add an account check during 
authorization.


________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tristan Gulyas 
<0000004c763654fc-dmarc-requ...@listserv.educause.edu>
Sent: Thursday, September 24, 2020 20:34
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Device Policy Questions

Hi,

We're considering this approach, however we need a way to tie this in with AD 
account status/expiry which needs to be near-instant, i.e. if an AD 
account/identity for a user is disabled, we need to immediately deregister or 
suspend ALL devices they have registered to their identity, otherwise things 
get ugly from an infosec perspective.

I'm assuming freeradius+web-based front end for registration? How do you 
perform the device fingerprinting? That's a very cool solution!

Cheers,
Tristan
--
TRISTAN GULYAS
Senior Network Engineer

Technology Services, eSolutions
Monash University
738 Blackburn Road
Clayton 3168
Australia

E: tristan.gul...@monash.edu
monash.edu
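Mike's "check a bit in AD at every authentication" mechanism and Tristan's requirement that disabling an AD account immediately knocks all of that user's registered devices off, worked through as an added example (this is not code from either poster's deployment, nor from ClearPass or FreeRADIUS). It assumes a plain dict standing in for the MAC registration database, a hypothetical `wireless_allowed` attribute as the custom flag, and account expiry in Unix seconds rather than AD's FILETIME; all data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
# Active Directory userAccountControl bit that marks an account disabled.
UF_ACCOUNTDISABLE = 0x0002


@dataclass
class DirectoryEntry:
    """Minimal view of an owner's AD record (constructed sample data)."""
    user_account_control: int = 0
    account_expires: Optional[int] = None  # Unix seconds; None = never (AD really stores FILETIME)
    wireless_allowed: bool = True          # hypothetical custom flag, the "bit" Mike describes


def normalize_mac(mac: str) -> str:
    """Lower-case hex without separators, so lookups don't depend on how the NAS formats it."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def account_usable(entry: DirectoryEntry, now: int) -> bool:
    """Disabled, expired, or flag cleared: every device of this owner must fail authorization."""
    if entry.user_account_control & UF_ACCOUNTDISABLE:
        return False
    if entry.account_expires is not None and entry.account_expires <= now:
        return False
    return entry.wireless_allowed


def register_device(registrations: Dict[str, str], owner: str, mac: str,
                    max_devices: int) -> bool:
    """Self-service portal step: tie a MAC to its owner and enforce the per-user device limit."""
    mac = normalize_mac(mac)
    if len(mac) != 12:
        return False
    owned = [m for m, o in registrations.items() if o == owner]
    if mac not in owned and len(owned) >= max_devices:
        return False
    registrations[mac] = owner
    return True


def authorize(mac: str, registrations: Dict[str, str],
              directory: Dict[str, DirectoryEntry], now: int) -> Tuple[bool, str]:
    """Decision for one MAC-auth request; re-run on every reauth, so a short reauth
    interval bounds how long a device stays on after its owner's account is disabled."""
    owner = registrations.get(normalize_mac(mac))
    if owner is None:
        return False, "unregistered MAC"
    entry = directory.get(owner)
    if entry is None:
        return False, "owner not in directory"
    if not account_usable(entry, now):
        return False, "owner account disabled, expired or not flagged for wireless"
    return True, "registered to " + owner
```

The directory lookup happens per request, not at registration time, which is what makes the account state propagate to every device without touching the registration records.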


On 25 Sep 2020, at 3:11 am, Michael Dickson <mdick...@nic.umass.edu> wrote:

We created a PSK SSID with MAC auth registration for devices. We limit device 
types to essentially the "consumer grade entertainment devices" genre. We use 
device fingerprinting to accomplish this. We started from a "deny all then 
allow" paradigm. Only game consoles during pilot. Then added video streaming 
devices then AppleTV, Echo, SmartTVs, etc. Easier to add device types than take 
away. 802.1x capable devices get denied. We also limit number of devices a user 
can register. All helps to mitigate the flood of industrial IT devices coming 
in from campus wide vendors, some of which may fall into the life-safety genre. 
Vendors get stuck and end up asking how they can add "a lot" of sensors (e.g. 
HVAC) to our wireless. We have a discussion, give it a thumbs up or down, and 
create rules/policies/networks as needed. Good but not perfect. But starting 
off closed then letting out the line has helped. Having a PSK network also 
solves the issue of devices that can't connect to open SSIDs. And if we end up 
just allowing all on the devices network at least we have a sponsor to tie the 
devices back to.

Mike Dickson


Michael Dickson

Network Engineer

Information Technology

University of Massachusetts Amherst

413-545-9639

michael.dick...@umass.edu

PGP: 0x16777D39
On 9/24/20 11:33 AM, Lee H Badman wrote:

We created an open SSID for the dorms that has Internet access only. It helps 
with maybe ¾ of the consumer devices, but there are still some home gadgets 
that need more- Chromecast is one example. Some speakers as well. Then there 
are devices that will ONLY join PSK networks (like TP-Link power strip) so the 
open won't work there. I have seen one Nanoleaf light controller that will not 
work in 2.4 if it sees 5 GHz, and it only works in 2.4 despite the ability to 
sense 5. The unholy and expensive things needed to make these high end 
enterprise systems work like home Wi-Fi is really fairly astounding.



If you go this route, expect to occasionally buy and try consumer gear to 
verify what works and what doesn't, and to play whack-a-mole with students' 
wireless hotspots when whatever you attempt doesn't immediately work.



Or... let them use their own hotspots and be done with it. (If only...)



Lee Badman

Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Gernannt, Bill
Sent: Thursday, September 24, 2020 10:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Device Policy Questions



All -



From a residence hall perspective, Young Harris College is a wireless only 
campus. We are currently seeing a 40% increase in wireless devices over last 
Fall. This has placed a bit of a strain on our wireless network and, by 
extension, our tiny IT department. This has prompted several internal 
discussions as to what expectations our end users should have related to 
wireless support.



Obviously, our core responsibility is to provide the resources necessary to 
have a successful educational experience. But, we also recognize there is a 
need for our students to have access to online recreational activities like 
gaming and streaming media. As we look to strike a balance, we wanted to reach 
out to other institutions for insight and guidance.



Have any institutions implemented a restrictive policy that prohibits specific 
wireless devices? If so, how did you determine what was acceptable and what was 
not? How did you get leadership to support the initiative? How do you go about 
enforcing the policy?



Have any institutions developed policies that set expectations for wireless 
performance? What does the policy consider to be necessary versus desirable?



Any examples or ideas would be most welcome. Feel free to reach out to me 
directly, if preferred.



Regards,



Bill Gernannt

Network Administrator

Information Technology Services

1 College Street | Young Harris, Georgia 30582
(706) 379-5206 | wegerna...@yhc.edu | yhc.edu


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community