Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Michael Holden
Second that: self-guided EAP-PEAP is convenient, but the evil twin attack isn't 
exactly new or difficult.

In the past I've used an optional layered approach.

Give an option on the open SSID captive portal for initial onboarding, or 
limited guest access (weekly type) with captive portal re-login after student 
credentials.
With open SSID disclaimers that no one reads, of course. One place asked for a 
counter so the user could only do the extended captive portal 3 times.

Android 10 now defaulting to daily MAC randomization on open SSIDs is likely 
going to kill this type of option.

If they are on EAP-PEAP on the 802.1X SSID, give another optional captive portal 
that pops back up every so often, once a month or once a semester type deal, 
reminding them they should onboard for EAP-TLS.

This tends to stagger the more arduous adopters and reduce the help desk calls 
after password resets.


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


RE: Feasibility of an open SSID for student use

2019-09-12 Thread Enfield, Chuck
Hi William.

“Most need no instructions and figure it out on their own,” may not be the 
virtue you think it is.  How many of these users figuring it out on their own 
are validating your RADIUS server certs?  Self-configuration invites MitM 
attacks that can harvest account credentials.  It’s precisely the security 
weakness of 1x I cautioned about earlier.

Furthermore, providing an onboarding option that configures the devices 
correctly doesn’t prevent users from self-configuring.  A good onboarding 
solution will be widely used and will reduce the overall risk, but it doesn’t 
eliminate the problem.  TLS is the only EAP type that doesn’t have this 
weakness.

Chuck
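The failure Chuck describes above, as an added example that is not code from the thread or from any of the posters: a small audit of wpa_supplicant `network={ ... }` blocks that flags tunneled-EAP (PEAP/TTLS) entries with no `ca_cert`, entries that trust a CA but never check the server name, and EAP-TLS entries missing a client certificate. The configuration text is constructed for the example, radius.example.edu is a hypothetical RADIUS hostname, and the option names are wpa_supplicant's own.

```python
"""Audit wpa_supplicant network blocks for the evil twin weakness: a PEAP/TTLS
supplicant that does not validate the RADIUS server certificate completes the
inner MSCHAPv2/PAP exchange with any AP advertising the same SSID.

Added example, not code from the thread. SAMPLE_CONF is constructed and
radius.example.edu is a hypothetical RADIUS hostname.
"""
from typing import Dict, List

TUNNELED = {"PEAP", "TTLS", "FAST"}   # methods that carry a password inside TLS
# wpa_supplicant options that pin the server certificate to an expected name;
# without one of these, any certificate from the trusted CA is accepted.
NAME_CHECKS = ("domain_match", "domain_suffix_match",
               "altsubject_match", "subject_match")


def parse_networks(conf: str) -> List[dict]:
    """Minimal parser for `network={ ... }` blocks: one dict per block, quotes
    stripped from values. '#' starts a comment, so a '#' inside a quoted
    value is not supported here."""
    nets, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return nets


def audit(net: dict) -> List[str]:
    """Findings for one block; an empty list means nothing to report."""
    key_mgmt = net.get("key_mgmt", "").upper()
    if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return []                                  # PSK or open: out of scope
    methods = set(net.get("eap", "").upper().split())
    findings = []
    if methods & TUNNELED:
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert: server certificate is not validated; "
                            "an evil twin harvests the inner credential")
        elif not any(k in net for k in NAME_CHECKS):
            findings.append("ca_cert set but no name check: any certificate "
                            "from that CA can impersonate the RADIUS server")
    if "TLS" in methods:
        if "client_cert" not in net or "private_key" not in net:
            findings.append("EAP-TLS block without client_cert/private_key")
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert: no password to lose, but the client "
                            "cannot tell a rogue network from the real one")
    return findings


def audit_config(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in the config to its findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(conf)}


SAMPLE_CONF = """
network={                          # self-configured from the SSID list
    ssid="campus-1x-selfconfigured"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={                          # CA trusted, but any cert from it accepted
    ssid="campus-1x-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={                          # what an onboarding tool should produce
    ssid="campus-1x-onboarded"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="radius.example.edu"
}
network={                          # EAP-TLS: nothing replayable to harvest
    ssid="campus-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/wpa/campus-ca.pem"
    client_cert="/etc/wpa/student.pem"
    private_key="/etc/wpa/student.key"
    domain_suffix_match="radius.example.edu"
}
"""

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "->", findings or ["ok"])
```

The middle case is the one that bites sites whose RADIUS server presents a certificate from a public CA: a self-configuring supplicant that does pick a trust anchor usually picks the whole system store, so a name check such as `domain_suffix_match` (or the platform's equivalent server-name setting) is what actually stops an evil twin carrying its own publicly issued certificate. That is the setting an onboarding tool pushes and a user figuring it out alone generally does not set.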



Re: Feasibility of an open SSID for student use

2019-09-12 Thread Green, William C
We’ve found it’s easier for our community to onboard to our 802.1x SSID with the 
native supplicant of the device, rather than download and run an installer (we 
are dropping the installer).  Most need no instructions and figure it out on 
their own.

While we offer an iPSK SSID, it is not as easy: a person must go to a web site to 
enroll a MAC address and get a key.  Predominantly in the residence halls so 
far (TVs, speakers, printers, game consoles, etc.).  Also a smattering of 
devices that don’t support 802.1x (making our researchers happy).  I’m waiting 
to hear how iPSK has improved battery life for IoT projects.



William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu





Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Hoffman, Douglas
> My crystal ball wish is to have that PPSK/IPSK solution then group that 
> user’s devices into a private virtual home network, providing something that 
> approaches their home experience.

Cisco introduced “private groups” to iPSK in 8.8: 
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_Identity_PSK_Feature_Deployment_Guide.html#ariaid-title13

We don’t have any controllers on 8.8 yet, so I haven’t had an opportunity to 
experiment with it. If I had to guess, based on the fact that they rolled this 
feature into peer-to-peer blocking, it only affects unicast traffic. There is 
no indication it would convert broadcast/multicast to unicast and forward it to 
members of the same group. For that reason, I suspect this is not exactly what 
you had in mind… but it may be the closest thing we get for a while.

-- 
Doug Hoffman
Network Specialist
Office of Technology
Bloomsburg University of Pennsylvania
 




Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Rumford, Charles
I agree that complicated onboarding is the worst from the end user perspective 
and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. 
The biggest hurdle I ran into with it was the randomization of MAC addresses 
for devices. I've been told Android 10 has it on by default, and I know that 
Windows supports it also. I could only see support issues coming down the 
line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)
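Michael Holden's point earlier in the thread (a per-device "only 3 extended portal sessions" counter) and Charles Rumford's point here (PPSK/MPSK keyed to an enrolled MAC) run into the same wall, shown below as an added example that is not code from the thread or from any poster. Both designs key state on the client MAC; a client that rotates its MAC looks like a new device on every visit, so the counter never accumulates and the per-device lookup never matches. The visit logs are constructed. The U/L-bit test is the standard way to spot a randomized address, but it is a hint rather than proof, since virtual interfaces and some embedded hardware set the bit too.

```python
"""Per-MAC state on an open SSID versus MAC randomization.

Added example, not from the thread; ROTATING_PHONE and FIXED_LAPTOP are
constructed visit logs of (client MAC, authenticated student) pairs.
"""
from collections import defaultdict

MAX_EXTENDED_SESSIONS = 3            # the "3 times" limit from the thread


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. Burned-in
    OUI addresses have it clear; randomized client addresses set it. A
    hint that per-MAC state will not survive the next rotation, not proof:
    virtual interfaces and some embedded devices set it too."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


class ExtendedAccessCounter:
    """Grants the extended captive-portal session at most
    MAX_EXTENDED_SESSIONS times per key; key_fn decides whether the
    counter is keyed on the MAC or on the authenticated user."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.used = defaultdict(int)

    def request(self, mac: str, user: str) -> bool:
        key = self.key_fn(mac, user)
        if self.used[key] >= MAX_EXTENDED_SESSIONS:
            return False
        self.used[key] += 1
        return True


def key_by_mac(mac, user):
    return mac


def key_by_user(mac, user):
    return user


def grants_for(visits, key_fn) -> int:
    """Number of visits in `visits` that the counter lets through."""
    counter = ExtendedAccessCounter(key_fn)
    return sum(counter.request(mac, user) for mac, user in visits)


# Constructed: one student, one phone, five visits, a fresh randomized MAC
# (U/L bit set) on each visit.
ROTATING_PHONE = [
    ("da:a1:19:4c:20:01", "student1"),
    ("02:3f:7e:91:aa:02", "student1"),
    ("6e:0c:55:d3:10:03", "student1"),
    ("92:71:bb:05:ee:04", "student1"),
    ("ce:18:40:77:09:05", "student1"),
]
# Same five visits from a laptop keeping its burned-in address (U/L bit clear).
FIXED_LAPTOP = [("3c:22:fb:10:20:30", "student1")] * 5

if __name__ == "__main__":
    for name, visits in (("rotating phone", ROTATING_PHONE),
                         ("fixed laptop", FIXED_LAPTOP)):
        randomized = sum(is_locally_administered(m) for m, _ in visits)
        print(f"{name}: by MAC -> {grants_for(visits, key_by_mac)} granted, "
              f"by user -> {grants_for(visits, key_by_user)} granted, "
              f"randomized MACs seen: {randomized}/{len(visits)}")
```

Keying the counter on the identity the student typed into the portal survives rotation; keying it on the MAC does not. The same holds for a PPSK/MPSK enrolment table: a key bound to the MAC the student enrolled through the web form will not be found when the device next associates with a rotated address, which is the support load Charles anticipates.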


From: "wireless-lan@listserv.educause.edu"  
on behalf of Kurtis Olsen 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, September 12, 2019 at 9:27 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding 
process and have been asked to look at providing an Open SSID that has little 
to no onboarding.  I see an advantage being the ease of connecting but I have 
some concerns, mainly about providing a secure environment.
Our current onboarding process works like this.  Users connect to our 
Wolverine-WIFI SSID.  They then authenticate through our NAC solution which 
forces laptops to download a client.  This client scans their device for 
antivirus and OS updates.  If it fails the scan they have access to get these 
updates.  Once it passes they are moved to our wireless production VLAN.  There 
are no clients or scans for cellular devices at this time.  Users then have the 
option to join our Wolverine-Secure which authenticates by cert using 
SecureW2’s services.

I am curious if anyone else is using a completely open network for their 
general population or any other suggestions of how this can be simplified.

Kurtis Olsen
Director – Network & Telecom
Utah Valley University
800 W University Parkway
Orem, UT 84058
801-863-8000




RE: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Enfield, Chuck
Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck



Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Jeffrey D. Sessler
I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike 
any other wireless experience an individual will encounter in their life, i.e., 
any other Wi-Fi-enabled location/venue.
With the growing trend of EDUs moving to SaaS and other Cloud solutions, 
wireless will be nothing but a gateway to those external services. When it’s 
easier to consume those services via one’s own unlimited-data cellular 
connection, or go to Starbucks, it may be time for us (EDUs) to reevaluate our 
approach.

Besides a purely open network, the next-best (same?) experience to home would 
be something like PPSK or for the Cisco folks IPSK. You get something slightly 
better than an open network, but it’s PSK and all of those wonderful IoT 
devices just work. My crystal ball wish is to have that PPSK/IPSK solution then 
group that user’s devices into a private virtual home network, providing 
something that approaches their home experience.

Jeff



RE: Feasibility of an open SSID for student use

2019-09-12 Thread Turner, Ryan H
I think your problem is the NAC solution...  I was one of the first to deploy 
campus-wide NAC (2006) and then we pushed agents a few years after.  The time 
for NAC agents has come and gone in my mind.  We have removed it from 
practically every place that has it.  There is one large school that still uses 
it, but I am a semester away from telling them I am deprecating the service 
entirely.  In my mind, it is a check-the-box solution that has stayed way past 
its expiration date.  These agents are clumsy, often fail to find any real 
problems, report false positives, and add a whole lot of headaches to users and 
support staff without any benefit.

I do support a login approach the first time to get the users registered, 
however.  It is a simple process.  But at that point, you should hand them off 
to SecureW2 to onboard for your network.

Strip the NAC agent, push them directly to SecureW2, and see how that works.   
I wouldn't throw out the baby with the bathwater.

Ryan




RE: Feasibility of an open SSID for student use

2019-09-12 Thread Lee H Badman
Amen- NAC is often a solution to problems that either don't exist or that don't 
warrant the weight of the NAC. These solutions are not without value per se, 
but at onboarding time? Nah.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



RE: Feasibility of an open SSID for student use

2019-09-12 Thread Floyd, Brad
Kurtis,
If students are using an open SSID as a general purpose wireless network, you 
may want to require them to fire up a VPN session to get to trusted resources 
(LMS, scheduling, bursar, etc).
Thanks,
Brad



Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Rumford, Charles
On 9/12/19 12:36 PM, Lee H Badman wrote:
> We currently use an open network with private IP addressing that is very 
> limited 
> on where it can go. Connect to SSID, open browser, go to our Cloudpath wizard 
> (has been replaced with appliance, but we haven’t decided if we are 
> interested 
> in that). Get configured for 802.1X, have a few settings tweaked, and off you 
> go 
> to the secure network automatically. Has worked well for years.

We do something similar, but with SecureW2 for EAP-TTLS/PAP. We had issues with 
the workflow for TLS.

> -Lee
> 


-- 
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0x173F5F3A (2018/07/05)



RE: Feasibility of an open SSID for student use

2019-09-12 Thread Lee H Badman
We currently use an open network with private IP addressing that is very 
limited on where it can go. Connect to SSID, open browser, go to our Cloudpath 
wizard (has been replaced with appliance, but we haven't decided if we are 
interested in that). Get configured for 802.1X, have a few settings tweaked, 
and off you go to the secure network automatically. Has worked well for years.

-Lee

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Kurtis Olsen
Sent: Thursday, September 12, 2019 12:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use



Feasibility of an open SSID for student use

2019-09-12 Thread Kurtis Olsen
We have been receiving a lot of complaints about a complicated onboarding 
process and have been asked to look at providing an Open SSID that has little 
to no onboarding.  I see an advantage being the ease of connecting but I have 
some concerns, mainly about providing a secure environment.
Our current onboarding process works like this.  Users connect to our 
Wolverine-WIFI SSID.  They then authenticate through our NAC solution which 
forces laptops to download a client.  This client scans their device for 
Antivirus and OS updates.  If it fails the scan they have access to get these 
updates.  Once it passes they are moved to our wireless production VLAN.  There 
are no clients or scans for cellular devices at this time.  Users then have the 
option to join our Wolverine-Secure which authenticates by cert using 
SecureW2's services.

I am curious if anyone else is using a completely open network for their 
general population or any other suggestions of how this can be simplified.

Kurtis Olsen
Director - Network & Telecom
Utah Valley University
800 W University Parkway
Orem, UT 84058
801-863-8000





Re: [WIRELESS-LAN] To RFC1918 or Not RFC1918?

2019-09-12 Thread Robert Schneider
> BUILT FOR HOME
> Apple TV is fine, I guess they trust their other security measures 
> sufficiently

A little off topic, but we found that Apple will use any and everything to get 
AirPlay to work. Mainly it will connect through Bluetooth or even its own 
wireless network that works in the background. You have to force it to use the 
network only.

Robert Schneider
Network Engineer
Information Technology | Rollins College
407.628.6380 | rschnei...@rollins.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jason Cook <jason.c...@adelaide.edu.au>
Sent: Thursday, September 12, 2019 0:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] To RFC1918 or Not RFC1918?



We had a job come in for this so I decided to have a bit of a play.

Chromecast and Windows Chrome browser on the same public range: yes, but I had 
to enable a flag to allow casting. Android could cast fine in this situation.
Outside of that though, I cannot cast to a Chromecast from a public IP if it's 
not in the same IP range as the Chromecast. The Chromecast can be public or 
private, but the caster must be a private IP.

BUILT FOR HOME
Apple TV is fine, I guess they trust their other security measures 
sufficiently

Cisco TAC Comment " The TCP handshake is getting completed between client and 
chromecast, but as soon as the handshake is complete the chromecast is sending 
out FIN,ACK which is terminating the session."

Google Support Comment "This is kinda interesting. To answer that, Chromecast 
is programmed to only work with a private IP address to avoid other devices 
within that address from interacting to the Chromecast. So in order for other 
devices to interact with the Chromecast, the devices must be on the same 
private IP address."

We are looking into these quite seriously I believe. They seem pretty good and 
simple. Of course they aren't $60
https://www.vivi.io


--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005
---

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tomo
Sent: Tuesday, 23 April 2019 11:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] To RFC1918 or Not RFC1918?

I've not tried to replicate anything in practice but this discussion does seem 
quite relevant to the issue

https://support.google.com/chromecast/forum/t7PFQG4ZDyxDR791W8/?hl=en&gpf=%23!topic%2Fchromecast%2FZDyxDR791W8%3Bcontext-place%3Dtopicsearchin%2Fchromecast%2Fpublic%2420ip

which points to this flag now being enabled in Chrome browsers - so there's 
an admission that casting has been limited to RFC1918, and you can turn that 
off, albeit for browsers.

chrome://flags/#media-router-cast-allow-all-ips


Tomo | Infrastructure Archit
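Added example, not code from the thread or from Google, Cisco or Chrome: a small Python helper that encodes the casting rules Jason and Tomo report, so a team weighing RFC1918 against public addressing for student wireless can check which caster/Chromecast address pairs will work before rolling out a plan. Reading "same IP range" as the Chromecast's subnet, treating the Chrome flag as a check on the Chromecast's address (inferred from the flag's name), the client names and the sample addresses (documentation prefixes) are assumptions.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 prefixes, checked explicitly rather than via ipaddress' .is_private,
# which also matches CGNAT (100.64/10), link-local and loopback space.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return a.version == 4 and any(a in n for n in RFC1918)


def cast_decision(caster: str, chromecast: str, chromecast_net: str,
                  client: str = "android",
                  chrome_allow_all_ips: bool = False) -> tuple[bool, str]:
    """Predict whether `caster` can cast to `chromecast`; returns (ok, reason).

    chromecast_net is the prefix the Chromecast sits in; Jason's "same IP
    range" is read as this prefix (assumption). client is "android" or
    "chrome", the two clients the thread reports on.
    """
    net = ip_network(chromecast_net, strict=False)
    if ip_address(chromecast) not in net:
        raise ValueError("chromecast address is not inside chromecast_net")
    if (client == "chrome" and not is_rfc1918(chromecast)
            and not chrome_allow_all_ips):
        # Chrome side (assumed from the flag name): the browser only casts to
        # RFC1918 targets unless media-router-cast-allow-all-ips is enabled.
        return False, ("Chrome refuses a non-RFC1918 Chromecast until "
                       "chrome://flags/#media-router-cast-allow-all-ips is on")
    if is_rfc1918(caster):
        # Google support comment: the Chromecast only accepts private casters;
        # its own address may be public or private.
        return True, "caster is RFC1918, Chromecast accepts the session"
    if ip_address(caster) not in net:
        # Cisco TAC comment: handshake completes, then Chromecast sends FIN,ACK.
        return False, ("public caster outside the Chromecast's range: TCP "
                       "handshake completes, then Chromecast sends FIN,ACK")
    return True, "same public range as the Chromecast, casting works"


if __name__ == "__main__":
    # Constructed campus plan using documentation prefixes, not real addresses.
    cases = [("private student -> dorm TV", "10.20.5.7", "10.20.5.9", "10.20.5.0/24", "android", False),
             ("public student, Chrome, no flag", "203.0.113.10", "203.0.113.40", "203.0.113.0/24", "chrome", False),
             ("public student, Chrome, flag on", "203.0.113.10", "203.0.113.40", "203.0.113.0/24", "chrome", True),
             ("other public range, Android", "198.51.100.10", "203.0.113.40", "203.0.113.0/24", "android", False)]
    for name, *args in cases:
        ok, why = cast_decision(*args)
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
```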