Re: Feasibility of an open SSID for student use

2019-09-13 Thread Green, William C
I won't argue for or against TLS or for other methods without understanding the 
context and use case…  What fits the risk/benefit/cost profile for a particular 
community or subset?  Observationally, eduroam reports show only 5% of visitors 
to our university utilizing TLS.

We labbed up the MITM in 2006 as part of our 802.1x deployment work (having 
concerns).  I continue to hope for better EAP implementations in the native OS 
(shouts at the heavens).

On other notes, I am disappointed in the slow rollout of WPA3 (I know there 
have been security issues).  Sometimes these features are so slow they are 
overtaken by other solutions.  For example, while we do block some services on 
our open guest SSID to discourage our community from using it, we’ve learned 
how Android will VPN tunnel through Google’s servers (unbeknownst to/configured by 
the user), obviating these attempts on our part.  I guess it does secure those 
users from any threats on those open networks and whoever operates them 
(Google, *deleted*).



William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu


“Most need no instructions and figure it out on their own,” may not be the 
virtue you think it is.  How many of these users figuring it out on their own 
are validating your RADIUS server certs?  Self-configuration invites MiM 
attacks that can harvest account credentials.  It’s precisely the security 
weakness of 1x I cautioned about earlier.

Furthermore, providing an onboarding option that configures the devices 
correctly doesn’t prevent users from self-configuring.  A good on-boarding 
solution will be widely used and will reduce the overall risk, but it doesn’t 
eliminate the problem.  TLS is the only EAP type that doesn’t have this 
weakness.

Chuck


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
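Chuck's point is that a self-configured supplicant typically never checks who the RADIUS server is, so a rogue AP with its own RADIUS server can terminate the outer TLS tunnel and collect the inner password exchange. One way to find such profiles before an attacker does is to audit the supplicant configuration. The script below is an added example, not a tool from this thread: it parses wpa_supplicant-style network blocks and flags any WPA-EAP profile that lacks a CA certificate or a server-name match. The sample profiles, the identities, file paths and the server name radius.example.edu are constructed for the example.

```python
"""Audit wpa_supplicant-style 802.1X profiles for missing RADIUS server validation.

Added example, not a tool from the thread.  The sample profiles below are
constructed; SSIDs, identities, paths and server names are hypothetical.
"""
import re
from typing import Dict, List

# Tunnelled methods carry a password (or MSCHAPv2 response) inside the TLS tunnel;
# if the client trusts any server certificate, a rogue AP plus RADIUS gets it.
TUNNELLED = {"PEAP", "TTLS", "FAST"}
# Any of these pins the server identity; ca_cert alone accepts every server
# that holds a certificate from that CA.
SERVER_PINS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-root.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device123@example.edu"
    client_cert="/etc/wpa/client.pem"
    private_key="/etc/wpa/client.key"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one key/value dict per network={...} block."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(conf)]


def audit(net: Dict[str, str]) -> List[str]:
    """Return findings for one profile; an empty list means it validates the server."""
    if "WPA-EAP" not in net.get("key_mgmt", "").upper():
        return []                                  # PSK/open: no RADIUS server to validate
    eap = net.get("eap", "").upper()
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: any RADIUS server certificate is accepted")
    elif not any(pin in net for pin in SERVER_PINS):
        findings.append("ca_cert without domain_match: any server certificate from that CA is accepted")
    if findings and eap in TUNNELLED:
        findings.append(f"{eap} sends a password inside the tunnel: a rogue AP/RADIUS can harvest it")
    elif findings and eap == "TLS":
        findings.append("EAP-TLS: a rogue server could impersonate the network, but there is no password to harvest")
    return findings


def audit_conf(conf: str) -> List[List[str]]:
    """Audit every profile in a config string, in file order."""
    return [audit(net) for net in parse_networks(conf)]


if __name__ == "__main__":
    for idx, findings in enumerate(audit_conf(SAMPLE_CONF)):
        status = "OK" if not findings else "; ".join(findings)
        print(f"profile {idx}: {status}")
```

The second profile is what a correctly onboarded client looks like: a specific CA plus a server-name match, so a certificate from the same CA issued for some other host is still rejected. The third profile shows why Chuck singles out EAP-TLS: without validation the client can still be lured onto a rogue network, but it authenticates with a private key that never leaves the device, so there is no password for the rogue server to harvest.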


Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Jeffrey D. Sessler
“Their rationale is that to get the protections afforded to ISP’s under DMCA we 
need to inform users that they’re not allowed to share copyrighted materials 
and that their connection will be blocked if they do.  For account holders we 
make them agree to these terms and more when they activate their account.  But 
if the network doesn’t require an account this notification seems to demand a 
captive portal.”


I don’t think this is correct at all. EDUCAUSE has done extensive research on 
DMCA and college networks, and here is info I’ve supplied before.  HEOA added 
some obligations, such as combating P2P, but that’s a different beast.

Under the DMCA, the ISP only has to, upon learning of the infringing 
transmission, act quickly to remove or disable access to the infringing 
transmission. We can carry that out with no knowledge of who’s behind the 
device. That said, it only applies to resources owned by the institution.
Here is some key info in case you’re interested. Some of it is sourced from an 
EDUCAUSE FAQ for DMCA designated agents in higher-ed.
If you’re interested, here is the link:
https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/dmca-faq
If your institution, after taking reasonable efforts to investigate and match a 
user to the IP address designated in the DMCA notice, cannot, for technical or 
other legitimate reasons, match a user to this IP address, the DMCA does not 
specifically require any other action.
The DMCA does not include a records retention requirement for logs. So, if your 
record retention for radius, dhcp, etc. is only 7 days, and a DMCA notice 
arrives for something that occurred 14 days ago, then you are under no 
obligation to do more.
Resources owned by an institution—such as faculty, staff, or computer lab 
computers—fall under 17 U.S.C. Section 512(c). This section provides a safe 
harbor for an ISP so that it is not liable for monetary damages for infringing 
materials on its servers provided it does not have “actual knowledge” of the 
infringing material, does not receive a direct financial benefit from the 
infringement, and, when notified, responds “expeditiously” to remove the 
infringing material or disable access to such material.
Most student and guest activity on university networks occurs through 
personally owned equipment and thus falls under 17 U.S.C. Section 512(a). This 
section provides immunity to the ISP for information that simply transits the 
ISP’s networks, with no direction, input, or interference from the ISP itself, 
and is not stored anywhere on the ISP’s network. Notably, no additional 
proactive steps are required for an ISP to avail itself of this immunity. 
However, for a variety of reasons, some institutions have made a policy 
decision to treat these notices as if they fall under Section 512(c), 
terminating users from the network unless and until the infringing content is 
removed. Often such activity is handled through a student affairs process, 
rather than as a legal or IT matter, so as to seize upon a “teachable moment” 
for students.

Jeff



RE: Samsung S8 DHCP Failure

2019-09-13 Thread King, Ronald A.
Thanks for the advice and help. We have tried importing the Root cert for WiFi 
with no luck. However we did find something interesting using packet captures. 
For AOS 6, during the DHCP negotiation, we found that both the discover and 
request messages from the S8 are received by the DHCP server but have "don't 
fragment" set to 1. The DHCP server is sending both the offer and ack with 
"don't fragment" set to 0, but the controller doesn't send the ack to the S8. 
For the S4, all messages have "don't fragment" set to 0. As for AOS 8.5, the 
option "don't fragment" is set the same as above, with all messages being sent 
and received by both devices, controller and DHCP server.

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
rak...@nsu.edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of King, Ronald A.
Sent: Wednesday, September 11, 2019 3:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Samsung S8 DHCP Failure

Thanks. We will give it a try.

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
rak...@nsu.edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Floyd, Brad
Sent: Wednesday, September 11, 2019 2:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Samsung S8 DHCP Failure

Ron,
We had a few issues with Android somewhere around the Oreo or Pie updates where 
devices that did not (by default) trust our CA (InCommon) were not able to 
connect to our 802.1X network. On those devices, we had to manually install the 
root certificate. Like I said, it was only a few devices that had this issue. 
Other than that, we haven't had major issues with Samsung devices.
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, September 11, 2019 12:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Samsung S8 DHCP Failure

Anyone else having an issue connecting some Samsung Android devices to 
their wireless environment?

We have tested and confirmed that a Samsung S4 authenticates and acquires a 
DHCP address on our Aruba AOS 8 network and Aruba AOS 6 network (in process of mass 
conversion to new AOS). However, for a Samsung S8, we see that the AAA 
authentication succeeds, but the DHCP response from the DHCP server is either 
not received or not applied. We have confirmed the DHCP server is sending it. 
We are working with Aruba to see what the issue is, but we have not upgraded 
the APs or code on the AOS6 network, and it doesn't matter the AP. Yes, it was 
working before. The only change was an Android update to the Samsung S8.  We 
have Googled this and found a couple of instances, including one on this 
listserv from March 2017.

Thanks,
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
rak...@nsu.edu
www.nsu.edu
@NSUCISO (Twitter)
[NSU_logo_horiz_tag_4c - Smaller]
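The capture Ron describes compares the IP "don't fragment" flag on each DHCP message by direction. The script below is an added example, not a tool from the thread or from Aruba: it decodes raw Ethernet/IPv4/UDP/BOOTP frames and reports, per DHCP message, the direction, the DF flag, the source address and the client hardware address. The four-frame exchange it decodes is constructed to reproduce the pattern in Ron's capture (client DISCOVER/REQUEST with DF set, server OFFER/ACK without), with hypothetical MAC and IP addresses; since the client MAC is right there in chaddr, it also reports whether the locally administered bit is set, which is how a randomized MAC shows up in a capture.

```python
"""Decode DHCP frames and report direction, IP don't-fragment flag and client MAC.

Added example, not a tool posted in the thread; the frames are constructed,
not captured, and every address in them is hypothetical.
"""
import struct
from typing import Dict, List, Optional

DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie before the options
IP_FLAG_DF = 0x4000                        # DF is bit 1 of the IPv4 flags/fragment field

def _ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dhcp_frame(src_mac: bytes, dst_mac: bytes, src_ip: bytes, dst_ip: bytes,
                     sport: int, dport: int, chaddr: bytes, msg_type: int,
                     df: bool) -> bytes:
    """Build a minimal, well-formed Ethernet/IPv4/UDP/BOOTP frame carrying option 53."""
    op = 1 if msg_type in (1, 3, 4, 7, 8) else 2           # BOOTREQUEST or BOOTREPLY
    bootp = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0,
                        0x8000 if op == 1 else 0, bytes(4), bytes(4), bytes(4), bytes(4))
    bootp += chaddr + bytes(10) + bytes(64) + bytes(128)   # chaddr(16) sname(64) file(128)
    payload = bootp + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234,
                     IP_FLAG_DF if df else 0, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp

def parse_dhcp_frame(frame: bytes) -> Optional[Dict]:
    """Return a summary of one DHCP frame, or None if the frame is not DHCP."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                        # not UDP
        return None
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} != {67, 68}:
        return None
    bootp = udp[8:]
    if bootp[236:240] != DHCP_MAGIC:
        return None
    chaddr = bootp[28:34]
    msg_type, i = None, 240
    while i < len(bootp):                                  # walk the option TLVs
        code = bootp[i]
        if code == 255:
            break
        if code == 0:                                      # pad option has no length byte
            i += 1
            continue
        length = bootp[i + 1]
        if code == 53 and length == 1:
            msg_type = bootp[i + 2]
        i += 2 + length
    return {
        "msg": DHCP_MSG_TYPES.get(msg_type, f"type{msg_type}"),
        "direction": "client->server" if dport == 67 else "server->client",
        "df": bool(flags_frag & IP_FLAG_DF),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr),
        # Bit 1 of the first octet is the IEEE locally-administered bit; OS MAC
        # randomization sets it, so this is how a randomized MAC shows in a capture.
        "locally_administered": bool(chaddr[0] & 0x02),
    }

def summarize(frames: List[bytes]) -> List[Dict]:
    """Decode every DHCP frame in a list, skipping anything that is not DHCP."""
    return [row for row in (parse_dhcp_frame(f) for f in frames) if row]

# Constructed four-message exchange with the DF pattern from the capture:
# client DISCOVER/REQUEST with DF set, server OFFER/ACK without it.
CLIENT_MAC = bytes.fromhex("da1b2c3d4e5f")   # hypothetical; 0xda has the U/L bit set
SERVER_MAC = bytes.fromhex("001122334455")   # hypothetical
BCAST_MAC, BCAST_IP, ZERO_IP = b"\xff" * 6, b"\xff" * 4, bytes(4)
SERVER_IP = bytes([10, 0, 0, 1])             # hypothetical DHCP server
SAMPLE_EXCHANGE = [
    build_dhcp_frame(CLIENT_MAC, BCAST_MAC, ZERO_IP, BCAST_IP, 68, 67, CLIENT_MAC, 1, True),
    build_dhcp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, BCAST_IP, 67, 68, CLIENT_MAC, 2, False),
    build_dhcp_frame(CLIENT_MAC, BCAST_MAC, ZERO_IP, BCAST_IP, 68, 67, CLIENT_MAC, 3, True),
    build_dhcp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, BCAST_IP, 67, 68, CLIENT_MAC, 5, False),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EXCHANGE):
        print(f"{row['msg']:<8} {row['direction']:<15} DF={int(row['df'])} "
              f"src={row['src_ip']:<15} chaddr={row['chaddr']} "
              f"randomized={row['locally_administered']}")
```

On a real capture the same three columns per direction are what to compare. The DF flag is set by whichever stack sent the datagram, so a client/server mismatch on its own does not explain a dropped ACK; it only tells you whose packets would be affected if something in the path needed to fragment them, and a controller that drops the server's ACK while forwarding the OFFER is a separate question for the vendor.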




RE: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Enfield, Chuck
The problem with out of band notifications is that you don’t know who is on an 
unauthenticated network.  Certainly it’s more than just students.

I’m not suggesting you should change to captive portal.  While the statute is 
reasonably clear on how to qualify for the protections, it’s unclear how much 
risk is assumed by operating without those protections.  As long as you made an 
informed choice, I won’t argue with you.


Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Coehoorn, Joel
We also run a completely open SSID. There is a captive portal, but it's at
the gateway rather than the wireless controller, so the same mechanism can
also handle wired connections, and it's only used for enforcement. New
visitors can get on the network without seeing the captive page.

>  to get the protections afforded to ISP’s under DMCA we need to inform
> users that they’re not allowed to share copyrighted materials and that
> their connection will be blocked if they do.

We handle the notification out-of-band for our students.  We have to notify
them; we don't necessarily have to use a captive portal to do it right at
connection time. The information is included with the account activation
for new students, repeated during orientation, repeated again via e-mail
near the start of each term, repeated again on the gateway capture page for
early offenses, and included in the student handbook.

If it were to come to the point of a block, we can give specific devices
a capture page with no way to click through. But our policy also includes
this text:

Internet access today is more than a simple privilege, but is now
necessary for continued successful progress in academic pursuits. Student
actions which require the Department of Information Technology and the
Office of Student Development to conclude it is no longer appropriate to
allow a student to continue using the campus network may therefore result
in dismissal of the student

Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu

Please contact helpd...@york.edu for technical
assistance.


The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society



RE: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Michael Holden
Has anyone got the eduroam CAT working with EAP-TLS?

Couldn’t find a good way for loading the certificates.
May have missed the documentation for that portion.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Friday, September 13, 2019 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

“We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed.”

I’m jealous Felix.  I made a strong push for this approach, but General Counsel 
stopped it.  FWIW, I think they got it right, but life would be easier and 
users would be happier your way.

Their rationale is that to get the protections afforded to ISP’s under DMCA we 
need to inform users that they’re not allowed to share copyrighted materials 
and that their connection will be blocked if they do.  For account holders we 
make them agree to these terms and more when they activate their account.  But 
if the network doesn’t require an account this notification seems to demand a 
captive portal.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Felix Windt
Sent: Friday, September 13, 2019 8:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’d pay a fair price for an easily administered solution that lets us roll out 
PPSK in the dorms and deploy broadcast/multicast domains scoped to specific 
users.

We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed. That SSID bridges through to VLANs in a DMZ, and 
its only real restriction is that it can only reach proper public IP addresses 
on campus, plus 2-3 applications on private IPs that are specifically 
permitted. That’s enforced on the firewalls between campus and the DMZ.
We do see quite a lot of students on that SSID permanently. As a huge amount of 
our student applications are either cloud hosted or available on the public 
Internet, that works just fine for them. We’d prefer them on eduroam, but user 
experience trumps our preferences. The only real problems are devices such as 
Sonos sound bars, Google appliances, and other devices that will only support 
PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll 
care about where devices are. At that point it seems not just more user 
friendly but easier for IT overall to just throw reasonable security in front 
of web apps that the student and faculty population need to access, and let 
them sit on the SSID that’s easier to get on to. Administrative machines under 
central control would probably be kept on properly authenticated networks, but 
those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,

Felix Windt
Dartmouth College

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Rumford, Charles" 
<charl...@isc.upenn.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, September 12, 2019 at 2:26 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I agree that complicated onboarding is the worst from the end user perspective 
and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. 
The biggest hurdle I ran into with it was the randomization of MAC addresses 
for devices. I've been told Android 10 has it on by default, and I know that 
Windows supports it also. I could only see support issues coming down 
the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)

From: "Enfield, Chuck" <cae...@psu.edu>
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless 

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Joseph Bernard
We try to steer eduroam capable devices off our guest network by blocking the 
ranges from authenticating to the main services portal.  If students are trying 
to do work, I hope they aren’t reduced to a PS4 web browser.

Thanks,
Joseph B.


Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Hurt,Trenton W.
https://community.arubanetworks.com/t5/Wireless-Access/Android-Q-Randomized-MAC-Address-System-Default/td-p/526263

Trent Hurt
University of Louisville

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Cappalli, Tim (Aruba Security)
Sent: Friday, September 13, 2019 8:37:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Just a clarification. Android 10 generates a MAC address per ESSID for the 
lifetime of the OS instance. It does not change daily.


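The randomized-MAC behaviour discussed in this part of the thread (the Android Q link above, Tim Cappalli's clarification that Android 10 keeps one address per ESSID, and Charles Rumford's worry about what that does to a PPSK/MPSK design keyed on MAC) can be measured from the controller's own association logs before committing to such a design. The following is an added example, not code from any poster or from a vendor; the log line format, AP names and station addresses are all constructed:

```python
"""Classify station MAC addresses seen in association logs as randomized or
burned-in, per SSID. Added example; the sample log below is constructed.

OSes that randomize MACs set the IEEE "locally administered" (U/L) bit, bit 1
of the first octet, so the first octet ends in 2, 6, A or E. A PPSK/MPSK design
that maps a device to a key or a user by its MAC needs to know how much of its
population looks like this before relying on MAC as a stable identity.
"""
import re
from collections import defaultdict

# Constructed association records in an assumed AP syslog-like format.
SAMPLE_ASSOC_LOG = """\
2019-09-13T08:10:01 AP-201 assoc ssid=Dorm-PPSK sta=da:a1:19:4c:2e:07
2019-09-13T08:10:05 AP-201 assoc ssid=Dorm-PPSK sta=3c:22:fb:10:aa:01
2019-09-13T08:11:42 AP-118 assoc ssid=Guest sta=f6:9e:28:00:17:b3
2019-09-13T08:12:00 AP-118 assoc ssid=Guest sta=00:1a:2b:3c:4d:5e
2019-09-13T08:12:30 AP-201 assoc ssid=Dorm-PPSK sta=da:a1:19:4c:2e:07
2019-09-13T08:13:10 AP-118 assoc ssid=Guest sta=8e:00:00:12:34:56
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.I)
LOG_RE = re.compile(r"\bssid=(\S+)\s+sta=(\S+)")


def parse_mac(mac):
    """Return the six octets of a MAC address as ints, or raise ValueError."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(octet, 16) for octet in re.split(r"[:-]", mac)]


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set: the address was
    not assigned from a manufacturer OUI, which is how randomized MACs look."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """True when the I/G bit (0x01 of the first octet) is set; never a station."""
    return bool(parse_mac(mac)[0] & 0x01)


def summarize_by_ssid(log_text):
    """Count unique stations per SSID as randomized vs burned-in.

    Stations are de-duplicated on (ssid, mac). Because Android 10 keeps one
    randomized address per ESSID for the life of the OS install, the same
    phone seen on two SSIDs shows up as two unrelated MACs, so the counts are
    kept per SSID rather than across the whole estate.
    """
    seen = set()
    counts = defaultdict(lambda: {"randomized": 0, "burned_in": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an association record
        ssid, mac = m.group(1), m.group(2).lower()
        if (ssid, mac) in seen or is_multicast(mac):
            continue
        seen.add((ssid, mac))
        bucket = "randomized" if is_locally_administered(mac) else "burned_in"
        counts[ssid][bucket] += 1
    return dict(counts)


if __name__ == "__main__":
    for ssid, c in summarize_by_ssid(SAMPLE_ASSOC_LOG).items():
        total = c["randomized"] + c["burned_in"]
        print(f"{ssid}: {c['randomized']}/{total} stations use randomized MACs")
```

Run against a day of real association logs, the per-SSID ratio tells you how many devices a MAC-keyed PPSK mapping would lose track of after a factory reset or, for OSes that rotate more often than Android 10 does, after each reconnect.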
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Cappalli, Tim (Aruba Security)
Just a clarification. Android 10 generates a MAC address per ESSID for the 
lifetime of the OS instance. It does not change daily.


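Felix Windt's open guest SSID, as he describes it in this thread, bridges into a DMZ and may reach public addresses plus a short allowlist of private-IP applications, with the restriction enforced on the firewalls between campus and the DMZ. The following is an added example that writes that policy down as a first-match rule check so it can be tested before it is pushed; it is not Dartmouth's ruleset or any vendor's syntax, and the prefixes, hosts and ports are constructed (203.0.113.0/24, a documentation range, stands in for campus public space):

```python
"""Policy model for a guest SSID that bridges into a DMZ. Added example; every
address below is constructed and stands in for a real campus allocation."""
from ipaddress import ip_address, ip_network

# Campus public space (constructed; RFC 5737 documentation prefix).
CAMPUS_PUBLIC = [ip_network("203.0.113.0/24")]

# Address space the guest VLAN must not reach unless explicitly allowlisted.
PRIVATE_SCOPES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # CGNAT space, often used for device nets
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
    "fc00::/7", "fe80::/10",                           # IPv6 ULA, link-local
)]

# The "2-3 applications on private IPs" (constructed): (host, port or None for any port).
PRIVATE_ALLOWLIST = [
    (ip_address("10.10.5.20"), 443),   # e.g. a print-release portal, HTTPS only
    (ip_address("10.10.5.21"), 443),
    (ip_address("10.10.9.9"), None),   # every port on this one host
]


def guest_policy(dst, port):
    """Return ('allow' | 'deny', reason) for a flow from the guest VLAN.

    First-match order is what the DMZ firewall has to implement:
      1. explicit private-IP allowlist entries,
      2. deny everything else in private/special-use space,
      3. any public address, campus or Internet, is allowed.
    Putting rule 2 before rule 1 would silently break the allowlisted apps.
    """
    d = ip_address(dst)
    for host, allowed_port in PRIVATE_ALLOWLIST:
        if d == host and (allowed_port is None or allowed_port == port):
            return "allow", "allowlisted private application"
    if any(d in net for net in PRIVATE_SCOPES):
        return "deny", "private address not on allowlist"
    if any(d in net for net in CAMPUS_PUBLIC):
        return "allow", "campus public address"
    return "allow", "Internet"


def check_flows(flows):
    """Evaluate a list of (dst, port) pairs; returns [(dst, port, verdict, reason)]."""
    return [(dst, port, *guest_policy(dst, port)) for dst, port in flows]


if __name__ == "__main__":
    sample = [("203.0.113.10", 443), ("10.10.5.20", 443), ("10.10.5.20", 22),
              ("192.168.1.1", 80), ("fd00::1", 443), ("8.8.8.8", 53)]
    for dst, port, verdict, reason in check_flows(sample):
        print(f"{dst:>16}:{port:<5} {verdict:5} ({reason})")
```

The port-mismatch case (an allowlisted host on a port that is not allowlisted) is the one worth a regression test: it is the first thing to regress when someone later "simplifies" the allowlist entry to a bare host.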
Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Felix Windt
I’d pay a fair price for an easily administered solution that lets us roll out 
PPSK in the dorms and deploy broadcast/multicast domains scoped to specific 
users.

We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click-through terms of service, and no restrictions on Internet 
access for content or speed. That SSID bridges through to VLANs in a DMZ, and 
its only real restriction is that it can only reach proper public IP addresses 
on campus, plus 2-3 applications on private IPs that are specifically 
permitted. That’s enforced on the firewalls between campus and the DMZ.
We do see quite a lot of students on that SSID permanently. As a huge amount of 
our student applications are either cloud hosted or available on the public 
Internet, that works just fine for them. We’d prefer them on eduroam, but user 
experience trumps our preferences. The only real problems are devices such as 
Sonos sound bars, Google appliances, and other devices that will only support 
PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll 
care about where devices are. At that point it seems not just more user 
friendly but easier for IT overall to just throw reasonable security in front 
of web apps that the student and faculty population need to access, and let 
them sit on the SSID that’s easier to get on to. Administrative machines under 
central control would probably be kept on properly authenticated networks, but 
those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,

Felix Windt
Dartmouth College

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Rumford, Charles"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, September 12, 2019 at 2:26 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I agree that complicated onboarding is the worst from the end user perspective 
and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. 
The biggest hurdle I ran into with it was the randomization of MAC addresses 
for devices. I've been told Android 10 has it on by default, and I know that 
Windows supports it also. I could only see issues from a support issue coming down 
the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)

From: "Enfield, Chuck" 
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jeffrey D. Sessler
Sent: Thursday, September 12, 2019 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike 
any other wireless experience an individual will encounter in their life, i.e. 
any other Wi-Fi-enabled location/venue.

With the growing trend of EDUs moving to SaaS and other Cloud solutions, 
wireless will be nothing but a gateway to those external services. When it’s 
easier to consume those services via one’s own unlimited-data cellular 
connection, or go to Starbucks, it may be time for us (EDUs) to reevaluate our 
approach.

Besides a purely open network, the next-best (same?) experience to home would 
be something like PPSK or for the Cisco folks IPSK. You get something slightly 
better than an open network, but it’s PSK and all of those wonderful IoT 
devices just work. My crystal ball wish is to have that PPSK/IPSK solution then 
group that user’s devices into a private virtual home network, providing 
something that approaches their home experience.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Kurtis Olsen
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, September 12, 2019 at 9:27 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding 
process and have been asked to look at providing an Open SSID that has little 
to no onboarding.  I see an advantage being the ease of connecting but I have 
some concerns, mainly about providing a secure environment.
Our current onboarding process works like this.
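Chuck Enfield's point in this thread, that an improperly configured 1x device puts the user's credentials at risk, comes down to a few settings a hand-typed profile leaves out and an onboarding tool such as eduroam CAT fills in: the CA to trust and the server name that must appear in the RADIUS certificate. The following is an added example, not code from any poster, from CAT or from wpa_supplicant itself, that lints a wpa_supplicant network block for those settings. The two profiles, the CA file path, the hostnames and the accounts are constructed placeholders; the keys checked (ca_cert, domain_match, domain_suffix_match, altsubject_match, subject_match, anonymous_identity) are real wpa_supplicant options:

```python
"""Check a wpa_supplicant network block for the server-validation settings a
self-configured 802.1X client usually lacks. Added example; both profiles and
every path, host and account in them are constructed."""
import re

# A profile typed in by hand: identity and password only, no statement of which
# RADIUS server it should trust. (Constructed.)
SELF_CONFIGURED = """\
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="correct-horse"
    phase2="auth=MSCHAPV2"
}
"""

# What an onboarding tool writes: the CA to trust, the server name that must be
# in the certificate, and an outer identity that hides the username. (Constructed.)
ONBOARDED = """\
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="correct-horse"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

# Any one of these pins the expected server name inside the trusted CA.
SERVER_NAME_KEYS = {"domain_match", "domain_suffix_match", "altsubject_match", "subject_match"}
# Tunnelled methods that send a reusable account password to the server.
PASSWORD_METHODS = {"PEAP", "TTLS"}


def parse_network_block(text):
    """Return the first network={...} block as a {key: value} dict, quotes stripped."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network block found")
    conf = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        conf[key.strip()] = value.strip().strip('"')
    return conf


def eap_profile_findings(text):
    """Return a list of findings; an empty list means the profile pins its RADIUS server."""
    conf = parse_network_block(text)
    if not conf.get("key_mgmt", "").upper().startswith("WPA-EAP"):
        return ["not an 802.1X (WPA-EAP) profile"]
    eap = conf.get("eap", "").upper()
    findings = []
    if "ca_cert" not in conf:
        findings.append("ca_cert missing: any server certificate is accepted")
    if not SERVER_NAME_KEYS & set(conf):
        findings.append("no domain_match/domain_suffix_match: any certificate "
                        "issued by the trusted CA is accepted as the RADIUS server")
    if eap in PASSWORD_METHODS and findings:
        findings.append(f"{eap} carries the account password inside the TLS tunnel, "
                        "so with the gaps above the credentials are exposed to a "
                        "rogue server; EAP-TLS would not have this weakness")
    if eap in PASSWORD_METHODS and "anonymous_identity" not in conf:
        findings.append("anonymous_identity missing: the real username travels "
                        "in the clear as the outer identity")
    return findings


if __name__ == "__main__":
    for name, profile in (("self-configured", SELF_CONFIGURED), ("onboarded", ONBOARDED)):
        findings = eap_profile_findings(profile) or ["ok"]
        print(f"{name}:")
        for f in findings:
            print(f"  - {f}")
```

The same checks map onto the equivalent fields of a Windows XML profile or an Apple mobileconfig payload, which is where an onboarding tool earns its keep: it is the only party that reliably sets them, since nothing stops a user from typing the profile in by hand on the same device.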