We have a multi-purpose unencrypted SSID available across campus. When an unregistered device connects, it's dropped into a highly restricted firewall role on the Aruba controller and redirected to a splash page where they can choose the guest option (either self-serve pass creation, or log in with a pre-existing pass) or go to our SecureW2 onboarding URL.
Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - HL Mencken

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Chris Ressel
Sent: Tuesday, October 13, 2020 6:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and Cert Verification

I am curious, for those who are onboarding, how are clients provided restricted connectivity to download the onboarding installer/agent (SecureW2, CAT, etc.)? Do you have a provisioning SSID? Do you ask users to join your guest network?

From a user experience perspective, I think it is unreasonable to assume that users will have some sort of fallback connectivity that will allow them to visit a download source, so I am curious what has been successful for others.

Cheers,
Chris

On 10/13/20, 11:37 AM, "The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Hunter Fuller" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of hf0...@uah.edu> wrote:

On Tue, Oct 13, 2020 at 1:26 PM Fishel Erps <00000030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> So the issue with advance certificate onboarding is that it requires a process in advance that most students would have issues with.

I just want to make sure you understand that the alternative is the ability to impersonate the user on the network with little effort. Did you select "Do not validate" on your Android device? Then as long as I am within a few feet of you, or have line of sight, I can get your AD password. That's it!

How? I can just broadcast an SSID with the same name as your institution's network, and use a directional antenna to ensure I am the loudest AP so you will try to associate to me. My certificate is totally bunk, but your device doesn't care, so it will just blast your AD password directly to my laptop.
I don't even have to be on your campus to do this. And I don't even have to know your username; you will provide me with that too, without your knowledge or intervention.

> It doesn't work well with BYOD clients that have dynamic VLAN placement based on returned filter-IDs from a RADIUS/NPS server.

This hasn't been our experience. We place users based on their username. However, we are using PEAP.

> Most vendors walk you through a quick and dirty setup of NPS for 802.1X auth and VLAN placement, and therefore, they are interested in simple auth at the expense of security. However, with Android 11 (and possibly a bit further back), that bypass of "don't validate", etc., isn't an option. I am guessing this is deliberate.

I get the temptation to not validate, I do. Android has the worst onboarding options of any mainstream OS right now, and it's embarrassing they haven't fixed it. But this is a step in the right direction, painful as it might be.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
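Added example, not part of the thread above and not written by any of the posters: a short Python audit of wpa_supplicant network blocks that sorts each EAP profile into the three states the thread is arguing about: no server validation at all (what "Do not validate" on an Android device amounts to, and what lets Hunter's evil-twin AP collect the MSCHAPv2 exchange), a CA pinned but no server name checked, and a CA plus a server-name match. The three sample profiles, the SSID Campus-Secure, the certificate paths, the user jdoe and radius.example.edu are constructed for the example; the option names (ca_cert, ca_path, domain_match, domain_suffix_match, altsubject_match, subject_match) are wpa_supplicant's own. Android 11 refusing the "don't validate" choice amounts to refusing the first state.

```python
"""Audit wpa_supplicant EAP network blocks for the "Do not validate" weakness.

Added example, not code from the EDUCAUSE thread. It handles the subset of
wpa_supplicant.conf syntax used in the constructed samples below (one
key=value per line, optional double quotes) and is not a complete parser.
"""
import re

# Constructed sample config (not from the thread). Block 1 is what an Android
# profile set to "Do not validate" amounts to, block 2 pins a CA but checks no
# server name, block 3 is the hardened form (CA plus domain_match).
SAMPLE_CONF = '''
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/campus-radius-ca.pem"
    domain_match="radius.example.edu"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

# Options that pin the issuing CA, and options that tie the TLS tunnel to a
# specific server name. Both are needed to keep an evil twin out.
CA_KEYS = ("ca_cert", "ca_path")
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

EXPLANATION = {
    "not-eap": "not an 802.1X/EAP network; nothing to validate",
    "no-validation": "no CA configured: any AP beaconing this SSID can complete "
                     "the PEAP tunnel and receive the MSCHAPv2 exchange",
    "ca-only": "CA pinned but no server-name match: any certificate from that "
               "CA is accepted (dangerous when the CA is a public one)",
    "hardened": "CA pinned and server name matched: a rogue AP cannot present "
                "an acceptable certificate",
}


def parse_networks(conf):
    """Return one dict per network={...} block, in file order."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(conf)]


def assess(net):
    """Classify how much server-certificate validation one block enforces."""
    key_mgmt = net.get("key_mgmt", "").upper()
    if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return "not-eap"
    if not any(net.get(k) for k in CA_KEYS):
        return "no-validation"
    if not any(net.get(k) for k in NAME_KEYS):
        return "ca-only"
    return "hardened"


def audit(conf):
    """Return (ssid, verdict, explanation) for each block in the config."""
    findings = []
    for net in parse_networks(conf):
        verdict = assess(net)
        findings.append((net.get("ssid", "?"), verdict, EXPLANATION[verdict]))
    return findings


if __name__ == "__main__":
    for ssid, verdict, why in audit(SAMPLE_CONF):
        print(f"{ssid}: {verdict} - {why}")
```

On a real host, point audit() at /etc/wpa_supplicant/wpa_supplicant.conf instead of SAMPLE_CONF. The "ca-only" verdict is tolerable when ca_cert is a private CA that issues only the RADIUS server's certificate; with a public CA it is barely better than no validation, because anyone can buy a certificate from that CA, so the domain_match value must name the RADIUS server certificate's subject or SAN.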