We have a multi-purpose unencrypted SSID available across campus.  When an 
unregistered device connects, it's dropped into a highly restricted firewall 
role on the Aruba controller and redirected to a splash page where they can 
choose the guest option (either self-serve pass creation, or log in with a 
pre-existing pass) or go to our SecureW2 onboarding URL.

Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Chris Ressel
Sent: Tuesday, October 13, 2020 6:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and Cert Verification

I am curious, for those who are onboarding, how are clients provided restricted 
connectivity to download the onboarding installer/agent (secureW2, CAT, etc)? 
Do you have a provisioning SSID? Do you ask users to join your guest network? 
From a user experience perspective, I think it is unreasonable to assume that 
users will have some sort of fall back connectivity that will allow them to 
visit a download source so I am curious what has been successful for others. 

Cheers,
Chris 

On 10/13/20, 11:37 AM, "The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Hunter Fuller" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
hf0...@uah.edu> wrote:

    On Tue, Oct 13, 2020 at 1:26 PM Fishel Erps
    <00000030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
    > So the issue with advance certificate onboarding is that it requires a
    > process in advance that most students would have issues with.

    I just want to make sure you understand that the alternative is the
    ability to impersonate the user on the network with little effort.
    Did you select "Do not validate" on your Android device? Then as long
    as I am within a few feet of you, or have line of sight, I can get
    your AD password. That's it!
    How? I can just broadcast an SSID with the same name as your
    institution's network, and use a directional antenna to ensure I am
    the loudest AP so you will try to associate to me. My certificate is
    totally bunk, but your device doesn't care, so it will just blast your
    AD password directly to my laptop.
    We don't even have to be on your campus for me to do this. And, I
    don't even have to know your username, you will provide me with that
    too, without your knowledge or intervention.

    > It doesn’t work well with BYOD clients that have dynamic VLAN placement
    > based on returned filter-IDs from a RADIUS/NPS server.

    This hasn't been our experience. We place users based on their
    username. However, we are using PEAP.

    > Most vendors walk you through a quick and dirty setup of NPS for 802.1x
    > auth and VLAN placement, and therefore, they are interested in simple auth at
    > the expense of security.  However, with Android 11 (and possibly a bit further
    > back), that bypass of “don’t validate”, etc, isn’t an option.

    I am guessing this is deliberate.

    I get the temptation to not validate, I do. Android has the worst
    onboarding options of any mainstream OS right now, and it's
    embarrassing they haven't fixed it. But this is a step in the right
    direction, painful as it might be.


    --
    Hunter Fuller (they)
    Router Jockey
    VBH Annex B-5
    +1 256 824 5331

    Office of Information Technology
    The University of Alabama in Huntsville
    Network Engineering

    **********
    Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&amp;data=02%7C01%7Cfs%40WPI.EDU%7C7f69e4c7e1064cc703f108d86fca6d77%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637382262495271694&amp;sdata=te%2B%2BZjXsbS8faWX1xv93LuXWGK2aGeXiBpj2wHjPneg%3D&amp;reserved=0


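An added example, not from any message in this thread: a small Python audit that parses wpa_supplicant-style network blocks and flags the PEAP/TTLS settings equivalent to Android's "Do not validate" (no CA certificate pinned, no server name matched), next to a validated block for the same SSID. The SSID, identities, certificate path and password in the sample config are constructed placeholders.

```python
import re

# Constructed sample: two blocks for the same SSID, one weak and one validated.
SAMPLE_CONF = """
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="constructed-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="constructed-password"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""
TUNNELED = {"PEAP", "TTLS"}
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match")

def parse_networks(text):
    """One dict per network={...} block, quotes stripped from values."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.strip().splitlines():
            key, _, val = line.strip().partition("=")  # split on the first '=' only
            net[key] = val.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    """Findings for one block; an empty list means the server will be validated."""
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap") not in TUNNELED:
        return []  # open/PSK networks and non-tunneled EAP are out of scope here
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: RADIUS server certificate is not validated")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no domain_match: any certificate from that CA is accepted")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: outer identity reveals the username")
    return findings
```

Run `[audit(n) for n in parse_networks(SAMPLE_CONF)]`: the first block yields three findings and the second yields none, which is the difference between a client that will authenticate to any AP announcing the SSID and one that only trusts the campus RADIUS server.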