RE: [EXT] [WIRELESS-LAN] WLAN onboarding

2021-04-07 Thread Johnston, Ryan
Lee,

We are using SecureW2 for both EAP-PEAP (when necessary) and EAP-TLS (our 
default and preferred) configuration.  SecureW2 is also our PKI for EAP-TLS.  
We've been a user for multiple years so we do not have experience with other 
tools although we did look at the CAT tool and considered its use years ago for 
EAP-PEAP config.  We're generally happy with our current solution and echo the 
comments around Android 11 headaches recently.  Be aware of them.  We also use 
Eduroam as our main 802.1X SSID, but obviously are not using the CAT tool for 
it.



Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu |  https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Wednesday, April 7, 2021 9:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] [WIRELESS-LAN] WLAN onboarding

Hello everyone, hope your semesters are going along smoothly and that you are 
all staying healthy. As always- this message is not an invite for vendors to 
contact me.

Looking out down our short timeline, we need to make a number of decisions 
about various aspects of our WLAN operations. One of these decision points is 
if/how to do the 802.1X onboarding after our current solution goes End of 
Everything at year's end. To that end, I'm looking for any and all feedback on 
these questions:

- If you are using PEAP/MS-CHAP v2, what is your onboarder of choice (even if 
  none, with manual config as methodology)?
- If you are doing PEAP-TLS, what is your onboarder of choice?
- Have you recently piloted any onboarders that you just hate for any reason?
- For those using eduroam as your 802.1X environment, have you found the free 
  configuration tool to be reliable? Any downsides to using it at scale?

Interested in 3rd party, native, whatever.

Thanks as always,

Lee Badman

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



RE: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] Outdoor WLANs?

2021-02-19 Thread Johnston, Ryan
I guess I should also add that our Guest network is not open registration.  You 
must be sponsored by fac/staff or be a part of an event/conference and be given 
a time-based code.  Our campuses are located in dense urban areas and would not 
be able to service the numbers of users looking for “free wifi”.

Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu |  https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Ricardo Stella
Sent: Friday, February 19, 2021 2:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] Outdoor WLANs?


We don't broadcast our Guest network outdoors except for special events. Last 
fall we had to add several access points because tents were being installed at 
the last minute for students and potential academic use.  We have older AP-275s 
but the ones added the last 2 years have been AP-365 or AP-367 depending on the 
model.  It also helped when Aruba was running the buy 3 get 2 free promos on 
these...

On Fri, Feb 19, 2021 at 10:33 AM Johnston, Ryan 
<ryan.johns...@depaul.edu> wrote:
We broadcast the same SSIDs inside and outside as well.  Branded (onboarding 
and Generic Guest) and Eduroam (main dot1x and University guests).  Aruba AP 
36X units mostly with some standard AP315s hidden in aesthetic bollards.

Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu |  https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Mike Atkins
Sent: Thursday, February 18, 2021 4:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] [WIRELESS-LAN] Outdoor WLANs?

For those of you running outdoor Wi-Fi covering public space, do you broadcast 
the same WLANs as in building?  Do you have a specific strategy for why or why 
not?



TLDR:
Being a Northern Indiana campus, the demand for outdoor Wi-Fi during the school 
year has been fairly low.  Last year has changed this for all of us.  We face 
the same challenges as everyone else with cost/aesthetics vs return on 
investment.  We are looking to provide some legit coverage this year and get 
out of the "temporary" outdoor setups.  We are a two SSID campus with eduroam 
being our dot1X secure network and ND-guest being open unauthenticated Internet 
access only "guest" network. The question came up out of a discussion related 
to ensuring performance for faculty/staff/students in the public outdoor spaces 
but my other concern is for our Information Security group.  An open guest 
network might be okay in a building where we can track your device down fairly 
quickly but outdoors might complicate this.  I think the campus user 
expectation is both SSID's everywhere.  Trying to get some thoughts from around 
the block.


--




Mike Atkins
Infrastructure Architect
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210





RE: [EXT] [WIRELESS-LAN] Outdoor WLANs?

2021-02-19 Thread Johnston, Ryan
We broadcast the same SSIDs inside and outside as well.  Branded (onboarding 
and Generic Guest) and Eduroam (main dot1x and University guests).  Aruba AP 
36X units mostly with some standard AP315s hidden in aesthetic bollards.

Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu |  https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mike Atkins
Sent: Thursday, February 18, 2021 4:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] [WIRELESS-LAN] Outdoor WLANs?

For those of you running outdoor Wi-Fi covering public space, do you broadcast 
the same WLANs as in building?  Do you have a specific strategy for why or why 
not?



TLDR:
Being a Northern Indiana campus, the demand for outdoor Wi-Fi during the school 
year has been fairly low.  Last year has changed this for all of us.  We face 
the same challenges as everyone else with cost/aesthetics vs return on 
investment.  We are looking to provide some legit coverage this year and get 
out of the "temporary" outdoor setups.  We are a two SSID campus with eduroam 
being our dot1X secure network and ND-guest being open unauthenticated Internet 
access only "guest" network. The question came up out of a discussion related 
to ensuring performance for faculty/staff/students in the public outdoor spaces 
but my other concern is for our Information Security group.  An open guest 
network might be okay in a building where we can track your device down fairly 
quickly but outdoors might complicate this.  I think the campus user 
expectation is both SSID's everywhere.  Trying to get some thoughts from around 
the block.


--




Mike Atkins
Infrastructure Architect
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210





RE: [EXT] Re: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Johnston, Ryan
Jeff,

For some of us the Starbucks equivalency statement doesn’t fit.  I’m 
specifically in a situation where I do not want to give anyone and everyone 
easy access to our network.  Half of our campus is situated in downtown Chicago 
amongst all the high-rises and tourist locations.  I do not want our network 
used by the multitude of Chicago tourists or business neighbors that can hear 
my network.  Our fear is that having that many unsolicited users would degrade 
the network quality significantly.  I hope the future of network access still 
leaves room for those that need that control over a guest network.  I would 
have a completely different outlook if I was located in a remote college town.


Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu |  https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Monday, August 17, 2020 11:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] Re: [WIRELESS-LAN] Openroaming - anyone connected?

I’m not trying to get out of a business, but Internet2 could eventually get out 
of the radius/eduroam business. Unless I’m mistaken, at the point an 
institution federates directly with openroaming, the need for eduroam 
diminishes. Obviously it’s going to take time, but if there is a push to adopt 
openroaming in EDU, then in say five years, does eduroam have a future?

On the identity front… As we march toward a cloud-based future, and our WiFi 
networks transformed into simple gateways to the internet, how much information 
do we need/want? How much information should we collect? After all, if the 
service is no different than at Starbucks, what does the collection of more 
information do for us?

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Monday, August 17, 2020 9:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

What business are you trying to get out of specifically? OpenRoaming is a way 
for federations of organizations and/or individual organizations to 
interconnect. Eduroam would start to mean “less” to end users, as they wouldn’t 
see an “eduroam” ESSID anymore, but there is still value in a trust framework 
for educational organizations, especially when it comes to identity.

If you decide not to provision users with your university identity, you will 
likely have no access to that user's real identity. I imagine you still want 
access to identity for your own users and devices?

At its core, OR is simply a few extra elements in the profile that gets put on 
the device provisioning. OR itself, also does not provide client provisioning. 
You still need to do that, or pay for a service that will do it.

I think, personally, that there is a major lack of understanding throughout the 
industry of what OR actually is.

tim

From: Jeffrey D. Sessler
Sent: Monday, August 17, 2020 11:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

Why not the other way around, and standardize on OpenRoaming, and have 
everything else become a member of it? Do we still need eduroam at that point? 
Do we care if the client device is using their ATT, Spectrum, or college 
credentials?

I’m reminded that in EDU we often fix problems nobody cared much about at the 
time e.g. eduroam, but as the world matures, and there are perhaps better 
alternatives, why not get out of the business?  There are costs to operate 
eduroam, and if it’s no longer strategic or different from other services e.g. 
OpenRoaming, why not put those resources into something that is strategic and a 
differentiator?  Why wouldn’t Internet2 and its members focus on adoption of 
OpenRoaming rather than a new and possibly duplicative service like anyroam?

Jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Philippe Hanset
Sent: Sunday, August 16, 2020 7:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

At least for the US, we plan to have an Open-Roaming gateway at ANYROAM.
We became a member of the WBA for that purpose back in May 2020.

The idea is to simplify connectivity for schools:  you have one connection with 
ANYROAM, and all your roaming traffic is sorted by us (Open-Roaming, eduroam, 
Govroam, …). No need to turn your school’s RADIUS server into a complex gateway.

We are working on a document that we will post at 

RE: [EXT] [WIRELESS-LAN] NAC/authentication implementations

2020-04-13 Thread Johnston, Ryan
  1.  If you have a NAC solution do you do port based auth?
      *   Yes.  We use Clearpass to implement.
  2.  If you have a NAC solution do you do eap-tls? If so how are you handling 
      the certification “push” to devices?
      *   Yes, our primary preferred authentication protocol is EAP-TLS, however 
          we do offer and support EAP-PEAP and PSK methods for devices that do 
          not support TLS certificates or have a bad user experience with them 
          (looking at you, Chromebooks!).  We use a product called SecureW2 for 
          self-service user onboarding to WiFi which inserts the certificate 
          into the device.
  3.  What were the major pain points during implementation?
      *   Client onboarding via a local captive portal.  Client captive portal 
          browsers are volatile and their behavior can severely affect the 
          client experience.
  4.  What were the major use cases you were resolving/resolved?
      *   We were looking to move away from EAP-PEAP largely for security and 
          convenience reasons.  One particular pain point was the regularly 
          scheduled expiration of user account passwords.  This in turn would 
          knock a device with saved EAP-PEAP credentials off of the network.  
          Our client certificates are valid for a longer period of time and 
          largely avoid this issue.  Network access is tied to a combination of 
          valid certificate and valid account lifecycle check.
  5.  Anything you would do differently if you do it again?
      *   I would have liked to have spent more time polishing the onboarding 
          experience.  Our deployment timeline however did not allow for it.  
          As other threads on this list have mentioned, if you go down this 
          road you will be served well by testing your workflow extensively and 
          often.  Each device type has different behaviors of captive portal 
          behavior as well as the possibility of application changes with new 
          device software updates.


Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu |  https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Brady J. Ballstadt
Sent: Monday, April 13, 2020 9:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] [WIRELESS-LAN] NAC/authentication implementations

Hello everyone,

Have a few questions as we do some research to add on to our NAC implementation 
and trying to avoid issues or at least minimize them.


  1.  If you have a NAC solution do you do port based auth?
  2.  If you have a NAC solution do you do eap-tls? If so how are you handling 
the certification “push” to devices?
  3.  What were the major pain points during implementation?
  4.  What were the major use cases you were resolving/resolved?
  5.  Anything you would do differently if you do it again?

Any extra information would be great as well.

Thank you,

Brady Ballstadt
University of Arkansas



RE: [WIRELESS-LAN] Nyansa Conference Call Poll

2017-02-21 Thread Johnston, Ryan
Thanks Chuck.  Some folks from DePaul University plan to hop on the call also.


Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Friday, February 17, 2017 7:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Nyansa Conference Call Poll

Good Morning,

The Nyansa conference call will be on Tuesday, 2/21, from 3:00pm to 4:00pm 
Eastern Time.  The bridge number is +1 (712) 770-4700, Access Code 846605.

Thanks,

Chuck

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Wednesday, February 15, 2017 5:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Nyansa Conference Call Poll

Sorry folks, but yesterday got away from me. Against all odds, I got a girl to 
marry me, so I have to do something on Valentine's day to keep her around.

I don't think there are a lot of days left to do this in the near future.  The 
remainder of this week will be short notice, and a lot of you will be traveling 
for WLPC starting next Wednesday, so I'm only offering times for next Monday and 
Tuesday.  Please respond to the doodle poll at the link below by the end of the 
day tomorrow, 2/16.  The most widely accepted time slot will win.  The bridge 
details appear on the poll page, but I'll also send them to the list along with 
the winning time slot.  The call will be recorded, so anybody who can't make it 
live can listen to it later.

Thanks,

Chuck

http://doodle.com/poll/6dvnufgaqb4q9yuy
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.