Easiest way to prevent user-centric devices from actively using your headless device network is to block your identity provider from the headless roles so users can't sign in to resources.
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Curtis, Bruce <[email protected]>
Sent: Wednesday, June 9, 2021 10:23:22 AM
To: [email protected] <[email protected]>
Subject: Re: [WIRELESS-LAN] MPSK SSID Names

> On Jun 9, 2021, at 8:59 AM, Michael Dickson <[email protected]> wrote:
>
> I'm curious if anyone is doing anything to prevent/discourage 802.1x capable
> devices (laptops, tablets, smartphones) from connecting to the IoT network.
> We would prefer these things stay on eduroam and currently use device
> fingerprinting to deny access to our "devices/IoT" (MAB) network.

No. Several IoT devices require that the phone/tablet/computer be on the SSID that the IoT device will be configured to use. (The configuration App looks at what SSID the phone/tablet/computer is on and tells the IoT device to join the same SSID)

We require the MAC address of all of the devices that join the IoT SSID be registered so students have to register the MAC address of the phone/tablet/computer before connecting to the IoT SSID.

>
> Mike
> Michael Dickson
> Network Engineer
> Information Technology
> University of Massachusetts Amherst
> 413-545-9639
> [email protected]
> PGP: 0x16777D39
>
> On 6/9/21 8:35 AM, Shoebottom, Bryan wrote:
>> I took over from our previous wireless admin a few years ago and went
>> through an extensive project to consolidate and clean up our SSIDs. Every
>> use case seemed to have their own SSID multiplied by each site – it was a
>> confusing mess for everyone. After lots of research and consultation with
>> our clients, and a mindset of keeping things simple yet accommodating
>> policy/requirements, it came down to the following configuration:
>>
>> FanshaweCollege   802.1x     staff/students via domain accounts, IoT/non-domain (e.g. shared iPads) items via ISE accounts
>> FanshaweGuest     Mac auth   click-through portal allows 24hrs access, then the portal comes up again
>> eduroam           802.1x     staff/students via domain accounts, remote eduroam accounts
>>
>> FanshaweDevices   iPSK       IoT devices that don’t support 802.1x
>>
>> The top 2 SSIDs are broadcast at all our sites. Eduroam is broadcast at all
>> our educational based sites. We tried to have eduroam and FanshaweCollege
>> combined, but senior management didn’t want to lose the branded SSID. As
>> for the FanshaweDevices, to keep airspace clean, we only broadcast this
>> where we need it. We are a Cisco shop and almost exclusively on the WLC9800
>> now. We make use of the AP Join profiles and an AP naming standard to
>> accomplish this. By changing a character in the AP name, I can have it
>> pick up different policies for RF, SSID, etc. Currently we have the iPSK
>> network only broadcast in 2 locations to support athletic equipment and
>> Nintendo switches. The iPSK auth method allows us to have a single SSID, yet
>> provide back-end control depending on the device that is connecting, or
>> better, the PSK they use. Our Residence networking is provided by a 3rd
>> party.
>>
>> So far this has worked really well, and I received compliments the September
>> following the changes as helpdesk lineups/queues were significantly shorter.
>> All SSIDs run on both 5 and 2.4GHz, so if we do decide to split up SSIDs
>> based on frequency, I could see some changes here, otherwise it’s ticking
>> all our boxes.
>>
>> --
>> Regards,
>>
>> Bryan Shoebottom
>> Network & Systems Specialist
>>
>> Network Services & Computer Operations
>> 1001 Fanshawe College Blvd. London, ON N5Y 5R6
>> T 519.452.4430 x4904 | F 519.453.3231
>> [email protected]
>>
>> From: Patrick McEvilly <[email protected]>
>> Sent: June 8, 2021 4:37 PM
>> Subject: Re: MPSK SSID Names
>>
>> Hi Brian
>>
>> We are struggling with a name that would work for this. We have “Harvard
>> Secure” as our 802.1x SSID, “Harvard University” as our legacy MAC
>> registered SSID and eduroam. We want to use the MPSK SSID to solve for all
>> things – IoT, gaming consoles, Alexa, Smart*, AV gear, for both BYOD and for
>> infrastructure devices. We are also interested in hearing what others have
>> named their SSIDs or suggestions that would represent the general-purpose
>> use of such an SSID.
>>
>> Patrick
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv
>> <[email protected]> on behalf of Brian Helman
>> <[email protected]>
>> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
>> <[email protected]>
>> Date: Tuesday, June 8, 2021 at 3:04 PM
>> To: "[email protected]" <[email protected]>
>> Subject: [WIRELESS-LAN] MPSK SSID Names
>>
>> Anyone using Aruba’s (or if other manufacturers have a similar feature) MPSK
>> service? What did you use for an SSID – looking for naming ideas.
>>
>> -Brian
>>
>> **********
>> Replies to EDUCAUSE Community Group emails are sent to the entire community
>> list. If you want to reply only to the person who sent the message, copy and
>> paste their email address and forward the email reply. Additional
>> participation and subscription information can be found at
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C472e9942878649831eb208d92b52252f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637588454101172765%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WNxqf7WTu9Ob8tDZ4cK0QDwjXxj%2Bss0idd01WFAcuto%3D&reserved=0

Bruce Curtis
Network Engineer / Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
[email protected]
