re: EAP-TLS

2017-08-15 Thread Richard Nedwich
Hi,

This is in no way a sales pitch, just want to share a few thoughts from Kevin 
Koster, Chief Architect and Founder of Cloudpath, who is still at Ruckus, and 
LB said this would be OK.

Thank you,
Rich Nedwich
Dir of Product Marketing, Education
Ruckus

Kevin K.:
"To address the ‘open vs secure’ question, I would suggest that this topic be a 
roundtable at EDUCAUSE annual.  This discussion should really start with a 
reevaluation of the value prop of student/guest Wi-Fi to the university’s 
mission.  If the value prop is no greater than coffee shop Wi-Fi, it may be 
time to think of the network as a smart city-type deployment, which may 
possibly benefit from inviting something like LinkNYC onto campus to serve the 
students’ & guests’ Wi-Fi needs.  If the value prop is greater, the HEDU 
community should probably come together to ensure the industry moves in a 
manner that benefits HEDU (similar to service provider’s defining Passpoint).  
 
To clear up the confusion on EOL of the Wizard:
1. “XpressConnect Wizard” is moving toward end-of-support on December 30, 2019. 
 These are the client-side executables managed via xpc.cloudpath.net.  The 
migration path for wizard customers is to move to Cloudpath ES.  
2. “Cloudpath ES” is the path forward for all Cloudpath functionality, and 
currently on ver 5.1.  It contains the wizard’s client functionality as well as 
server-side functionality (like reporting, mac reg, CA, etc).  It is managed 
either in your own VM or via onboard*.cloudpath.net.  
 
Most customers are currently on Cloudpath ES, but if you have questions, please 
contact Trish (sa...@cloudpath.net).

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


Re: Android phones having strange issues

2017-08-21 Thread Richard Nedwich
FWIW,

http://www.siliconbeat.com/2017/08/21/google-will-launch-new-android-version-solar-eclipse/?doing_wp_cron=1503346654.674446105957031250

Maybe some change had an effect on your users?



Re: Android phones having strange issues

2017-08-22 Thread Richard Nedwich
Hi Bruce,

Yes, our Wizard and Cloudpath ES products do officially support Oreo.

Thanks,
Rich



Re: Android phones having strange issues

2017-09-05 Thread Richard Nedwich
Hi Lee,

Cloudpath ES 5.1 is the current version of Cloudpath software (a major upgrade 
from previous versions).  Regarding the older Wizard product, please see below.

Thanks,
Rich

Yes, as posted originally on 8-15-17 on this forum:

To clear up the confusion on EOL of the Wizard:
1.  “XpressConnect Wizard” is moving toward end-of-support on December 30, 
2019.  These are the client-side executables managed via xpc.cloudpath.net.  The 
migration path for wizard customers is to move to Cloudpath ES.  
2.  “Cloudpath ES” is the path forward for all Cloudpath functionality.  It 
contains the wizard’s client functionality as well as server-side functionality 
(like reporting, mac reg, CA, etc).  It is managed either in your own VM or via 
onboard*.cloudpath.net.  

Most customers are currently on Cloudpath ES, but if you have questions, please 
contact Trish (sa...@cloudpath.net).



ITDRC disaster relief donations

2017-09-06 Thread Richard Nedwich
Folks,

With so many people impacted by Hurricane Harvey, and potentially soon by 
Hurricane Irma, I hope this group would welcome notice of an opportunity for 
your IT organizations to help provide relief. ITDRC is a 501(c) non-profit 
organization made up of professionals from the IT community who donate their 
time to assisting with telecom needs for disaster recovery. You can learn more 
about them here: https://itdrc.org/about.  If any EDUCAUSE Listserv community 
members (or your reseller partners) would like to donate old WLAN gear they can 
send it here: 

NRG/ITDRC
Attn: Tom Jewell
12307 Kurland Dr.
Houston, TX 77034

Doesn’t matter how old it is, ITDRC will take anything. If they drop us a note, 
we’ll make sure anything they send is fully licensed and upgraded and can help 
with setup.

Last time I checked, we’re up to about 140 APs that Ruckus will be shipping in 
addition to hosting them on a virtual SmartZone (vSZ).  
Thanks in advance to everyone who chooses to contribute relief one way or 
another!

Best,
Rich
P.S. all vendor models are accepted, not just Ruckus, so a good chance to clean 
out the closets and hallways!
P.P.S. equipment will be collected and re-used after Harvey relief, and could 
be used again where needed!!



Re: ITDRC disaster relief donations

2017-09-08 Thread Richard Nedwich
All,

Three storms in the Atlantic, holy cow!

A quick update: the folks at ITDRC would like to provide the following address 
for your WLAN donations:

ITDRC/LSTTS
ATTN: Dianne Cargill
10211 FM 156
Ft. Worth, TX 76131

Thank you all, and good luck to those institutions in the Southeast impacted by 
these storms!

Best,
Rich



Re: UT Austin Biennial Network Report

2017-09-25 Thread Richard Nedwich
Hi William,

This report is insanely great!  Is this a private URL, or would you allow us to 
share?

Best,
Rich



Re: CloudPath Xpressconnect - accessibility support?

2017-10-10 Thread Richard Nedwich
Bruce, et al,

I just wanted to convey some information from our engineering team.

Thanks,
Rich

Windows 10 PEAP/TTLS Issues:  In Windows 10 Creators Update, Microsoft 
introduced new bugs for PEAP and TTLS.  While it took a while to find 
work-arounds for these issues, we were able to publish work-arounds.  Microsoft 
has chosen to not fix these issues in the Fall Update and we’ll publish a new 
wizard to provide the same work-around to the Fall Update before it is publicly 
released.  Based on this experience, it appears that Microsoft is 
reducing/removing its testing support for password-based Wi-Fi.



Re: Defeating Android 8.X Captive Portal detection

2017-10-10 Thread Richard Nedwich
Hi Thomas, et al,

Just wanted to provide a quick update regarding Android support in the 
industry, and in Cloudpath ES, in hopes this information is helpful.

Best,
Rich

Android:  Starting with Android Oreo, Android is recommending that 
manufacturers include a standard module (provided by Google) to allow app-less 
configuration.  While manufacturers are not required to include it, the 
expectation is that they will.  This module will allow Cloudpath to configure 
Android devices in a manner similar to iOS and without an app.  In addition, we 
are currently testing Passpoint R2 functionality with Android developers, which 
allows auto-provisioning directly from the wireless manager (rather than the 
browser+xmlDocument).


Re: Big flaw in WPA2

2017-10-16 Thread Richard Nedwich
Ruckus is providing a response today.



Re: Big flaw in WPA2

2017-10-16 Thread Richard Nedwich
Ruckus has posted an official response in a Blog Post here: 

https://theruckusroom.ruckuswireless.com/wi-fi/2017/10/16/commonsense-approach-uncommon-problem/

Further, please find a Cloudpath KB article on the Ruckus support site here:
https://support.ruckuswireless.com/documents/2039-faq-security-advisory-cp-101617-802-11r-vulnerability

-Rich



Cloudpath Wizard build 764 released (Windows Creator, JAWS, Android)

2017-10-17 Thread Richard Nedwich
FYI,

Cloudpath Wizard build 764, released yesterday, includes the following:
•   Fixed an issue on Android where the default outer identity caused a 
PEAP authentication failure.
•   Added support for the Fall Update of the Windows 10 Creators Edition.
•   Updated support for JAWS accessibility software and keyboard navigation 
for the application on all OSes.

Lee's heads-up on Windows 10 Creators Edition was the trigger/reminder to post 
this, given it adds support for this release.

Best,
Rich



Re: Big flaw in WPA2

2017-10-17 Thread Richard Nedwich
FYI,

As it seems relevant here, below is excerpted from 'Cloudpath FAQ Security 
Advisory 10-16-17_v2', which posted yesterday.

Best,
Rich
-=-=-=-=-=

How can Cloudpath help?
While this issue is severe and must be remediated, please note that there are 
much easier ways to compromise the network. Below are the steps we recommend 
you take: 

1)  If you are using Cloudpath to onboard devices, do redirect users to the 
portal page that gives them more information about this weakness and urge them 
to upgrade their BYOD and guest devices to the latest firmware (generating 
awareness is the important thing)
2)  Via Cloudpath’s device configuration settings, enforce OS auto-upgrade 
on all IT-owned devices. 
3)  Via Cloudpath’s workflow branches, identify and redirect more risky 
devices (Android, Linux etc.) to portal page to perform OS upgrade. You can 
also check for the firmware version on those devices and limit/block access if 
the firmware is old. Alternatively, you can put affected devices on a limited 
guest VLAN or role and even block plain HTTP for those devices.
4)  If on an EAP-TLS network, enable server side certificate validation to 
make sure your clients join the ‘correct’ SSID or network and they do not join 
a spoofed AP. 

Do I need to revoke the certificates, are keys compromised?

The weakness allows a man in the middle to overwrite the keys in the WPA2 4-way 
handshake, which enables data visibility; the original keys themselves 
are not compromised. Because of this we do not think it is necessary to revoke 
the certificates, however revoking the certificates does force the users to 
re-onboard and that forces users to accept terms and conditions and also view 
any notification that you put on the captive portal including limiting access 
to severely affected devices.



Re: Radius certificate length vs. onboarding opinions

2017-10-31 Thread Richard Nedwich
Hi Craig,

I'm not sure if anyone from Cloudpath already advised you, but I did forward 
your question to Kevin Koster, Cloudpath Founder and Chief Architect, for his 
opinion of the pros/cons of these options.  I thought I would share them, in 
case this forum found it useful.

Best,
Rich
-=-=-=-=-=-=-=

Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
"verify server certificate" enabled
Pros:  You control the issuing CA, so you control if/when you change the 
issuing CA.  Client will validate the RADIUS server certificate, thereby 
protecting the user’s password and preventing the device from connecting to a 
man-in-the-middle.  
Cons:  Need to generate the private CA (ie need CA tool or openssl skills).  
Need to install private CA on end-user devices (ie need onboarding tool).  
 
Option 2: Removing all traces of “verify server certificate” from OnBoard 
configuration and use 2-year certs from CAs
Pros:  “It just works.”
Cons:  This disables all security built into WPA2-Enterprise.  Device will give 
the password to any network, real or fake.  Device will join evil twins.  
Commentary:  With validation disabled, credentials are so at-risk that the 
network’s attempt to authenticate wifi users becomes moot.  If you use this 
model, you would do less damage to your end-users by using PSK (or even better, 
Dynamic PSK) or having everyone use a static password (like “password”).  

Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
educate/prepare every two years for connection issues.
Commentary:  This is essentially “use a public CA and be prepared to deal with 
issues when issuer chain changes”.  This normally occurs when protocols become 
obsolete (1024 to 2048, SHA-1 to SHA-2, etc), but can potentially occur 
anytime.  For 802.1X, these changes are impactful to (properly configured) 
end-users.  Unfortunately, most revenue for public CAs is from web server 
certificates (which are not affected by issuing CA changes), so they don’t 
always see chain changes as something to be avoided.  
Pros:  Like #1, credentials are protected.
Cons:  Requires client configuration.  If CA changes its chain, the network 
will break for the device.  
Work-Around:  The impact of this can be reduced by buying 2-year certificates 
every 12 months.  Then, if the chain does change, you have a 12 month window to 
transition.  This doesn’t change the need to transition, but it does provide a 
window to make life easier.  

Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS.
Commentary:  While EAP-TLS has benefits beyond this particular issue, EAP-TLS 
does not change this particular issue.  The following scenarios with EAP-TLS 
would map to 1-3 above:  
- Using EAP-TLS with a RADIUS cert from private CA would be similar to #1.  
- Using EAP-TLS with a RADIUS cert from public CA would be similar to #3.  
- Using EAP-TLS with server cert validation disabled would be similar to #2 
(user would be still exposed to connecting to evil twins but the cleartext 
password wouldn’t be leaked).

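The four options in the reply above come down to two client-side settings: whether a CA is trusted for the RADIUS server certificate at all, and whether the server's name is pinned so that only the campus RADIUS server's certificate (not any certificate from the same CA) is accepted. The script below is an added example, not Cloudpath, Ruckus or EDUCAUSE code: it parses wpa_supplicant-style `network={...}` blocks from a constructed sample configuration and flags profiles that match option 2 (no `ca_cert`/`ca_path`, so credentials go to any network) and, going one step beyond the reply, profiles that trust a CA but set none of `domain_match`, `domain_suffix_match`, `altsubject_match` or `subject_match`. The SSIDs, file paths and identity in the sample are invented.

```python
"""Audit wpa_supplicant EAP profiles for missing server-certificate validation.

Added example (not vendor code).  The sample configuration below is constructed
for this example; the option keys are the real wpa_supplicant network keys.
"""
import re

# Constructed sample: three profiles that mirror options 1-3 of the reply.
SAMPLE_CONF = """
network={
    ssid="campus-private-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/campus-private-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-just-works"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@example.edu"
    phase2="auth=PAP"
}
network={
    ssid="campus-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/public-ca-bundle.pem"
    client_cert="/etc/ssl/certs/student.pem"
    private_key="/etc/ssl/private/student.key"
}
"""

# One network={...} block per match; bodies do not contain a closing brace.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value", one per line.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)
# Any of these pins the accepted server certificate to a name.
NAME_CHECKS = ("domain_match", "domain_suffix_match",
               "altsubject_match", "subject_match")


def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(conf)]


def audit_network(net):
    """Return a list of findings for one profile (empty list means OK)."""
    if net.get("key_mgmt") != "WPA-EAP":
        return []  # PSK or open networks are out of scope for this check
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: server certificate is not validated "
                        "(option 2: device authenticates to any network)")
    if not any(key in net for key in NAME_CHECKS):
        findings.append("no server name pinning: any certificate issued by the "
                        "trusted CA(s) is accepted")
    if net.get("eap") in ("PEAP", "TTLS") and findings:
        findings.append("password-based method: the password itself is exposed "
                        "to an evil twin that passes these checks")
    return findings


def audit_conf(conf):
    """Map each SSID to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real supplicant file by reading `/etc/wpa_supplicant/wpa_supplicant.conf` into `audit_conf` instead of `SAMPLE_CONF`. In the sample, `campus-private-ca` (option 1: private CA plus a pinned name) is clean, `campus-just-works` (option 2) collects every finding, and `campus-tls` shows that EAP-TLS with a public CA bundle (option 4 mapped to #3) still needs a name match, since without it any server certificate from that bundle's CAs satisfies the client.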


Re: devices not connecting to open network

2018-01-12 Thread Richard Nedwich
Question for the group:

Is gaming station support a good use case for wall-plate access points?  Most 
enterprise vendors offer wall-plate APs with a number of physical ports 
available for gaming stations, or printer, or AppleTV, etc.  Ruckus H510 for 
example.  Ideally, this means you could instruct the student to plug in (and 
get that device off the resnet wireless).

Thoughts?

-Rich



Re: devices not connecting to open network

2018-01-16 Thread Richard Nedwich
Hi Bruce,

I am glad to hear your reshall network is working well.  Note: Aruba's 
residence hall VRD also recommends using an AP with integrated four-port, 
managed Ethernet switch to connect wired devices, such as an Ethernet-enabled 
HDTV, gaming device, VoIP phone, or any wired device.  I do believe most 
enterprise WLAN vendors will agree on this.  But to answer your question, we 
have many happy Ruckus customers using ceiling or wall mounted APs, rather than 
wall-plate AP in the residence halls, too.  I guess in my view, it's an option 
which some use and others choose not to use based on their particular design 
preference or the specific set of needs.

Hopefully having another tool in the tool belt is a good thing :)

Best,
Rich



Re: Wall plate AP and Coax line sharing box

2018-01-23 Thread Richard Nedwich
Hi Alan,

I am not certain if this would fit the bill, but in case it helps please see 
this link to the Ruckus C110 wall plate AP with a built-in DOCSIS cable modem.  
Coax in, dual Ethernet ports out, plus 2x2:2 802.11ac Wave 2 Wi-Fi.  Note: you 
will need a CMTS in the building.

https://s3.amazonaws.com/ruckus-www/pdf/solution-briefs/sb-docsis-c110.pdf 

Designed for hospitality and multi-dwelling units such as residence halls.

Hope that helps,
Rich



Fortinet-Meru

2015-07-17 Thread Richard Nedwich
All:

While we understand and respect that this forum exists for Educause 
constituents, without any unsolicited marketing information from vendors, I 
felt the need to comment on the recent Meru Networks acquisition by Fortinet.

I am excited to announce that Meru Networks has now officially been acquired by 
Fortinet.  For more details, you can refer to the Press Release.

With all mergers and acquisitions, questions arise.  First, I want to assure 
this community that Meru's product roadmap and support processes are still in 
place.  We will continue to invest in Meru's unique "Network In Control" 
platform with Virtual Cell, Channel Layering and SDN Wi-Fi, providing a true 
end-to-end, deterministic, wireless user experience.  And we expect the 
combined company to be only stronger.   Fortinet is an innovation leader, with 
a product and technology focus, a track record of success, a Worldwide customer 
base, and over $1B in annual sales and over $1B in cash with no debt.

Our people, technology and products will begin integrating in the coming 
months, benefitting existing Fortinet and Meru customers, and future customers. 
As we move through the transition, our branding will change immediately, with 
product and solution enhancements coming soon.

Best regards,

Rich Nedwich
Sr. Director, Education Business
Fortinet



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.