On Tue, Oct 13, 2020 at 1:26 PM Fishel Erps
<[email protected]> wrote:
> So the issue with advance certificate onboarding is that it requires a 
> process in advance that most students would have issues with.

I just want to make sure you understand that the alternative is the
ability to impersonate the user on the network with little effort.
Did you select "Do not validate" on your Android device? Then as long
as I am within a few feet of you, or have line of sight, I can get
your AD password. That's it!
How? I can just broadcast an SSID with the same name as your
institution's network, and use a directional antenna to ensure I am
the loudest AP so you will try to associate to me. My certificate is
totally bunk, but your device doesn't care, so it will just blast your
AD password directly to my laptop.
We don't even have to be on your campus for me to do this. And, I
don't even have to know your username, you will provide me with that
too, without your knowledge or intervention.

> It doesn’t work well with BYOD clients that have dynamic VLAN placement based 
> on returned filter-IDs from a RADIUS/NPS server.

This hasn't been our experience. We place users based on their
username. However, we are using PEAP.

> Most vendors walk you through a quick and dirty setup of NPS for 802.1x auth 
> and VLAN placement, and therefore, they are interested in simple auth at the 
> expense of security.  However, with Android 11 (and possibly a bit further 
> back), that bypass of “don’t validate”, etc, isn’t an option.

I am guessing this is deliberate.

I get the temptation to not validate, I do. Android has the worst
onboarding options of any mainstream OS right now, and it's
embarrassing they haven't fixed it. But this is a step in the right
direction, painful as it might be.


--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
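To make the "Do not validate" risk described above concrete, here is an added example (not part of the original thread, and not the university's own configuration) showing a PEAP/MSCHAPv2 profile in wpa_supplicant syntax, which is what Android uses underneath: the weak profile accepts any server certificate, the hardened one pins the CA and the RADIUS server's name. The SSID, domain, CA path and identities are placeholders.

```conf
# --- WEAK: equivalent of Android's "Do not validate" ---------------------
# No ca_cert means the RADIUS server's certificate is never checked, so a
# rogue AP broadcasting the same SSID with any certificate will complete
# the TLS tunnel and receive the MSCHAPv2 exchange for the real AD account.
network={
    ssid="CampusWiFi"            # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"              # also sent in the clear as the outer identity
    password="hunter2"           # placeholder; the AD password
    phase2="auth=MSCHAPV2"
    # ca_cert intentionally absent  <-- this is the problem
}

# --- HARDENED: validate the server before releasing any credential --------
network={
    ssid="CampusWiFi"            # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer (cleartext) identity reveals nothing about the real username;
    # the real identity only travels inside the TLS tunnel.
    anonymous_identity="anonymous@example.edu"
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    # 1. Trust only the CA that issued the RADIUS server certificate.
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"   # placeholder path
    # 2. Require the server certificate's name to end in the institution's
    #    domain, so a certificate from the same public CA issued to someone
    #    else is still rejected.
    domain_suffix_match="example.edu"
}
```

On Android the same two controls appear in the Wi-Fi profile as the CA certificate selection and the "Domain" field; leaving either blank is what the "bypass" in the thread refers to.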
