RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
Tim,

How often do you revisit what you restrict? Last year, restricting Facebook would have sufficed to entice students to use 1x. This year, Pinterest. I still think this is the best way to get users to use the most appropriate network though. Now if I could just get the people above me to embrace this.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hall, Rand
Sent: Thursday, June 06, 2013 6:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

This is an excellent practice. Many of our people have no idea which network they are on and often wonder why the network is crappy. We see clients regularly using both our 802.1x and open networks. Just like other areas of life, one unprotected connection can haunt you for life ;-) Our penicillin prompt urges them to delete the open network profile. Everyone screams about being proactive. This is a win.

Rand

Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.h...@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein

On Wed, Jun 5, 2013 at 9:07 AM, Timothy Cappalli cappa...@brandeis.edu wrote:

We're also experimenting with the idea of a nag page when a known 802.1x user decides to use open. Each time they connect from a browser-capable device, they would see a page that shows the benefits of using eduroam and what is restricted on open.

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Wednesday, June 05, 2013 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

My only suggestion would be to be careful not to err on the side of suck. We did that for a while, but I really had a problem offering a service that sucks. It also struck me that it did not offer a welcoming environment to our visitors. I agree that it is important to have incentives that gently steer non-guests towards the 802.1x service. Logging into a web page each time provides built in incentive. We also found that limiting the time they are allowed to use the guest service, to the time it takes to get a temporary ID that can get them on 802.1x was the ideal, rather than cripple the service itself so that it was a frustrating experience for those who used it. We usually capture a phone number to cover attribution.

The other advantage of the open SSID is that it is a good temporary solution for someone who has issues configuring their device for 1x. Some devices have difficulties (even using Xpressconnect). And when you think about it, maybe it isn't the end of the world if someone who can do 802.1x uses an open SSID. It happens all the time in coffee shops, hotels and airports all across the country.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Kell
Sent: Tuesday, June 04, 2013 8:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

On 6/4/2013 8:20 PM, Tim Cappalli wrote:
> We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

If you have an open SSID, just be sure to make the service suck just enough that anyone that can use the proper SSIDs, will want to use the proper SSIDs. You can restrict ports, protocols, bandwidth, whatever it takes; but it has to be just adequate to cover the guest demands and just inadequate enough to push your real users to your real SSID. If you don't impose some restrictions, they'll use the easiest connection every time.

Jeff

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
Our guest SSID will prompt every 9 hours with the acceptable use policy and the guest SSID only allows Internet and Internet facing computer services. If our end-users want to be connected all the time we encourage them to use our 802.1x SSID. We do allow just Internet access for non 1x devices on a different SSID with MAC filtering. We don't believe in limiting the end-users' experience, just protecting the school's sensitive data from attacks. Also what is the difference from a wireless connection and a wired connection these days anyways?

---
Nicholas Urrea
UC Hastings College of the Law
Network and Systems Engineer
Information Technology
e: urr...@uchastings.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, July 05, 2013 7:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

Tim,

How often do you revisit what you restrict? Last year, restricting Facebook would have sufficed to entice students to use 1x. This year, Pinterest. I still think this is the best way to get users to use the most appropriate network though. Now if I could just get the people above me to embrace this.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hall, Rand
Sent: Thursday, June 06, 2013 6:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

This is an excellent practice. Many of our people have no idea which network they are on and often wonder why the network is crappy. We see clients regularly using both our 802.1x and open networks. Just like other areas of life, one unprotected connection can haunt you for life ;-) Our penicillin prompt urges them to delete the open network profile. Everyone screams about being proactive. This is a win.

Rand

Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.h...@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein

On Wed, Jun 5, 2013 at 9:07 AM, Timothy Cappalli cappa...@brandeis.edu wrote:

We're also experimenting with the idea of a nag page when a known 802.1x user decides to use open. Each time they connect from a browser-capable device, they would see a page that shows the benefits of using eduroam and what is restricted on open.

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Wednesday, June 05, 2013 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

My only suggestion would be to be careful not to err on the side of suck. We did that for a while, but I really had a problem offering a service that sucks. It also struck me that it did not offer a welcoming environment to our visitors. I agree that it is important to have incentives that gently steer non-guests towards the 802.1x service. Logging into a web page each time provides built in incentive. We also found that limiting the time they are allowed to use the guest service, to the time it takes to get a temporary ID that can get them on 802.1x was the ideal, rather than cripple the service itself so that it was a frustrating experience for those who used it. We usually capture a phone number to cover attribution.

The other advantage of the open SSID is that it is a good temporary solution for someone who has issues configuring their device for 1x. Some devices have difficulties (even using Xpressconnect). And when you think about it, maybe it isn't the end of the world if someone who can do 802.1x uses an open SSID. It happens all the time in coffee shops, hotels and airports all across the country.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Kell
Sent: Tuesday, June 04, 2013 8:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

On 6/4/2013 8:20 PM, Tim Cappalli wrote:
> We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

If you have an open SSID, just be sure to make
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
There are two distinct items here. I disagree that there is no difference between wired and wireless. A user with a strong connection hitting Netflix could easily kill users with marginal connection-speeds. In that case, whose experience are you protecting? The purpose of limiting is to encourage users to use the correct SSID/authentication/network/etc not to punish, otherwise why not just have one big open network?

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Urrea, Nick
Sent: Friday, July 05, 2013 11:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

Our guest SSID will prompt every 9 hours with the acceptable use policy and the guest SSID only allows Internet and Internet facing computer services. If our end-users want to be connected all the time we encourage them to use our 802.1x SSID. We do allow just Internet access for non 1x devices on a different SSID with MAC filtering. We don't believe in limiting the end-users' experience, just protecting the school's sensitive data from attacks. Also what is the difference from a wireless connection and a wired connection these days anyways?

---
Nicholas Urrea
UC Hastings College of the Law
Network and Systems Engineer
Information Technology
e: urr...@uchastings.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, July 05, 2013 7:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

Tim,

How often do you revisit what you restrict? Last year, restricting Facebook would have sufficed to entice students to use 1x. This year, Pinterest. I still think this is the best way to get users to use the most appropriate network though. Now if I could just get the people above me to embrace this.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hall, Rand
Sent: Thursday, June 06, 2013 6:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

This is an excellent practice. Many of our people have no idea which network they are on and often wonder why the network is crappy. We see clients regularly using both our 802.1x and open networks. Just like other areas of life, one unprotected connection can haunt you for life ;-) Our penicillin prompt urges them to delete the open network profile. Everyone screams about being proactive. This is a win.

Rand

Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.h...@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein

On Wed, Jun 5, 2013 at 9:07 AM, Timothy Cappalli cappa...@brandeis.edu wrote:

We're also experimenting with the idea of a nag page when a known 802.1x user decides to use open. Each time they connect from a browser-capable device, they would see a page that shows the benefits of using eduroam and what is restricted on open.

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Wednesday, June 05, 2013 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

My only suggestion would be to be careful not to err on the side of suck. We did that for a while, but I really had a problem offering a service that sucks. It also struck me that it did not offer a welcoming environment to our visitors. I agree that it is important to have incentives that gently steer non-guests towards the 802.1x service. Logging into a web page each time provides built in incentive. We also found that limiting the time they are allowed to use the guest service, to the time it takes to get a temporary ID that can get them on 802.1x was the ideal, rather than cripple the service itself so that it was a frustrating experience for those who used it. We usually capture a phone number to cover attribution.

The other advantage of the open SSID is that it is a good temporary solution for someone who has issues configuring their device for 1x. Some devices have difficulties (even using Xpressconnect). And when you think about it, maybe it isn't the end of the world if someone who can do 802.1x uses an open
Re: [WIRELESS-LAN] Non-802.1x devices on wireless...
On 7/5/2013 2:12 PM, Brian Helman wrote:
> There are two distinct items here. I disagree that there is no difference between wired and wireless. A user with a strong connection hitting Netflix could easily kill users with marginal connection-speeds. In that case, whose experience are you protecting? The purpose of limiting is to encourage users to use the correct SSID/authentication/network/etc not to punish, otherwise why not just have one big open network?

Actually, a user with a marginal connection trying to do Netflix will do infinitely more damage... low-bandwidth data rates eat up orders of magnitude more airtime than a strong MIMO.

But I also disagree with the no difference proposition... for the foreseeable future, you're going to get better service on a wired port, and it's better for everyone if you push video streaming / gaming to a wired connection whenever the option is available.

Jeff
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
We have been operating the following for a couple years with reasonable success.

Campus wide:
- TUguestwireless – open wireless for onboarding and self service account creation via SMS text messaging – no internet access otherwise (via Packet Fence). Will soon add one click mobileconfig provisioning (last piece we are missing to make it awesome).
- TUsecurewireless – WPA2 enterprise. Authentication alone gets you access and we use Freeradius to steer staff, students, and guests to different vlans (to get different access privileges).
- eduroam

Residence Halls only:
- TUresnet – WPA2 enterprise authentication and one time registration forces our managed AV
- TUresnetextra – WPA2 PSK w/ mac authentication requires device registration via portal.

Anything else is a one off case for us (which happens). Next we are adding one click mobileconfig provisioning to ease onboarding (soon) and continuous posture checking (much later).

The only complaints are occasionally the folks that just want anyone to connect without providing any credentials. We don’t do it. Either self service and we know the cell phone number or sponsored access. We think we are regulated by HEOA to know who connects anywhere (no small feat when you add NAT into the puzzle). There are plenty of evil doers out there and we hope they will move on to someone else’s open network.

a...@temple.edu
Temple University – Network Services

Join the team! We are looking for a Linux Sys Admin type to support AAA, NAC, Monitoring environments
https://hospats.adminsvc.temple.edu/CSS_External/CSSPage_Referred.ASP?Req=TU-16534
Re: [WIRELESS-LAN] Non-802.1x devices on wireless...
This is an excellent practice. Many of our people have no idea which network they are on and often wonder why the network is crappy. We see clients regularly using both our 802.1x and open networks. Just like other areas of life, one unprotected connection can haunt you for life ;-) Our penicillin prompt urges them to delete the open network profile. Everyone screams about being proactive. This is a win.

Rand

Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.h...@merrimack.edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein

On Wed, Jun 5, 2013 at 9:07 AM, Timothy Cappalli cappa...@brandeis.edu wrote:

We’re also experimenting with the idea of a “nag page” when a known 802.1x user decides to use open. Each time they connect from a browser-capable device, they would see a page that shows the benefits of using eduroam and what is restricted on open.

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Wednesday, June 05, 2013 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

My only suggestion would be to be careful not to err on the side of “suck.” We did that for a while, but I really had a problem offering a service that “sucks.” It also struck me that it did not offer a welcoming environment to our visitors. I agree that it is important to have incentives that gently steer non-guests towards the 802.1x service. Logging into a web page each time provides built in incentive. We also found that limiting the time they are allowed to use the guest service, to the time it takes to get a temporary ID that can get them on 802.1x was the ideal, rather than cripple the service itself so that it was a frustrating experience for those who used it. We usually capture a phone number to cover attribution.

The other advantage of the “open” SSID is that it is a good temporary solution for someone who has issues configuring their device for 1x. Some devices have difficulties (even using Xpressconnect). And when you think about it, maybe it isn’t the end of the world if someone who can do 802.1x uses an open SSID. It happens all the time in coffee shops, hotels and airports all across the country.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Kell
Sent: Tuesday, June 04, 2013 8:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

On 6/4/2013 8:20 PM, Tim Cappalli wrote:
> We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

If you have an open SSID, just be sure to make the service suck just enough that anyone that can use the proper SSIDs, will want to use the proper SSIDs. You can restrict ports, protocols, bandwidth, whatever it takes; but it has to be just adequate to cover the guest demands and just inadequate enough to push your real users to your real SSID. If you don't impose some restrictions, they'll use the easiest connection every time.

Jeff
Re: [WIRELESS-LAN] Non-802.1x devices on wireless...
We are in the process of switching our entire SSID infrastructure around for the same reasons you are asking about. We have a number of devices that don't support 802.1x. For this and a handful of other reasons, we are rolling out 3 brand new SSID's.

wustl-2.0 = Open SSID. Authentication is based on a DHCP captive portal from Infoblox (our IPAM system).
wustl-guest-2.0 = Guest network. Only ports 80 and 443 are open. The bandwidth is also limited per IP. This is our way of making it painful so normal users won't try to use this.
wustl-encrypted-2.0 = 802.1x SSID.

Note: we use a version number on our SSID's so we can make major changes without affecting old users during the transition period.

Our theory behind the open SSID with captive portal was this... The vast majority of our users are used to coffee shop style wireless. A large number of high visibility services are using end-to-end (https) encryption. If this does not work for you, we have an SSID with the word encryption in it. The end users can make their own decision for what works best for them.

We originally thought about running WPA2 with a common shared key for encrypting the connection, but there are security issues with this. Anyone with the key could decrypt the traffic if they wanted. We felt like we would be giving our users a false sense of security if we offered a shared key WPA2 solution.

I would be happy to discuss this further if you want, my phone number is in the sig below.

--
Jason E. Murray
Sr. Systems Engineer
Washington University in St. Louis
Phone: 314-935-4865
Email: jemur...@wustl.edu
Web: http://nts.wustl.edu/~jemurray/

On Tue, Jun 4, 2013 at 2:37 PM, Danny Eaton dannyea...@rice.edu wrote:

I seem to remember seeing some discussion a while ago about non 802.1x capable devices on wireless. We’re a Cisco wireless shop, and currently run 2, about to be 3 (with the addition of eduroam) SSID’s.

Is anyone running a specific SSID for these non-802.1x capable devices? Perhaps using WEP and MAC address authentication?

Feel free to contact me off list… I’m just trying to get some examples of “best practice” (or at least implemented practices) from other institutions.

Respectfully,

Danny Eaton
Snr. Network Architect
Networking, Telecommunications, Operations
Rice University, IT
Mudd Bldg, RM #205
Jones College Associate
Staff Advisory Committee
Employee Activities Subcommittee Chair
Office - 713-348-5233
Cellular - 832-247-7496
dannyea...@rice.edu

Soli Deo Gloria
Matt 18:4-6
G.K. Chesterton, “Christianity has not been tried and found wanting. It’s been found hard and left untried.”

--
Jason E. Murray
jemur...@zweck.net
http://www.zweck.net/
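The shared-key concern raised in Jason Murray's message above, as an added example (not code from the thread or from any poster's institution): with WPA2-PSK every input to the per-session key is either the shared passphrase or a value sent in the clear during the 4-way handshake, whereas with 802.1X the PMK comes from each user's own EAP session. The SSID name, passphrase, MAC addresses, nonces and session secrets are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the thread or any real network).
SSID = "example-psk"                     # hypothetical shared-key SSID
PASSPHRASE = "constructed passphrase"    # the one key every user would be given
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
# ANonce and SNonce are carried unencrypted in handshake messages 1 and 2.
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF built on HMAC-SHA1, as used for WPA2 pairwise keys."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def temporal_key(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Derive the PTK and return its TK part (the key protecting data frames)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK
    return ptk[32:48]


def compare_psk_and_dot1x() -> dict:
    # WPA2-PSK: the station and any other holder of the passphrase start from
    # the same PMK, and everything else in the derivation is visible on air.
    station_tk = temporal_key(pmk_from_passphrase(PASSPHRASE, SSID),
                              AP_MAC, STA_MAC, ANONCE, SNONCE)
    other_holder_tk = temporal_key(pmk_from_passphrase(PASSPHRASE, SSID),
                                   AP_MAC, STA_MAC, ANONCE, SNONCE)

    # 802.1X: the PMK is the first 32 bytes of the MSK produced by this user's
    # EAP exchange. Another authenticated user holds only their own session's
    # MSK (both modelled here with constructed stand-in values).
    station_pmk = hashlib.sha256(b"constructed MSK, user A session").digest()
    other_user_pmk = hashlib.sha256(b"constructed MSK, user B session").digest()
    station_tk_1x = temporal_key(station_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    other_user_tk_1x = temporal_key(other_user_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)

    return {
        "psk_other_holder_derives_same_tk": other_holder_tk == station_tk,
        "dot1x_other_user_derives_same_tk": other_user_tk_1x == station_tk_1x,
    }


if __name__ == "__main__":
    for name, value in compare_psk_and_dot1x().items():
        print(f"{name}: {value}")
```
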
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
Easiest and most effective thing to block is your single sign-on page :-)

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

From: Jeff Kell [mailto:jeff-k...@utc.edu]
Sent: Tuesday, June 04, 2013 8:29 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: Tim Cappalli
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

On 6/4/2013 8:20 PM, Tim Cappalli wrote:
> We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

If you have an open SSID, just be sure to make the service suck just enough that anyone that can use the proper SSIDs, will want to use the proper SSIDs. You can restrict ports, protocols, bandwidth, whatever it takes; but it has to be just adequate to cover the guest demands and just inadequate enough to push your real users to your real SSID. If you don't impose some restrictions, they'll use the easiest connection every time.

Jeff
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
My only suggestion would be to be careful not to err on the side of suck. We did that for a while, but I really had a problem offering a service that sucks. It also struck me that it did not offer a welcoming environment to our visitors. I agree that it is important to have incentives that gently steer non-guests towards the 802.1x service. Logging into a web page each time provides built in incentive. We also found that limiting the time they are allowed to use the guest service, to the time it takes to get a temporary ID that can get them on 802.1x was the ideal, rather than cripple the service itself so that it was a frustrating experience for those who used it. We usually capture a phone number to cover attribution.

The other advantage of the open SSID is that it is a good temporary solution for someone who has issues configuring their device for 1x. Some devices have difficulties (even using Xpressconnect). And when you think about it, maybe it isn't the end of the world if someone who can do 802.1x uses an open SSID. It happens all the time in coffee shops, hotels and airports all across the country.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Kell
Sent: Tuesday, June 04, 2013 8:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

On 6/4/2013 8:20 PM, Tim Cappalli wrote:
> We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

If you have an open SSID, just be sure to make the service suck just enough that anyone that can use the proper SSIDs, will want to use the proper SSIDs. You can restrict ports, protocols, bandwidth, whatever it takes; but it has to be just adequate to cover the guest demands and just inadequate enough to push your real users to your real SSID. If you don't impose some restrictions, they'll use the easiest connection every time.

Jeff
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
We’re also experimenting with the idea of a “nag page” when a known 802.1x user decides to use open. Each time they connect from a browser-capable device, they would see a page that shows the benefits of using eduroam and what is restricted on open.

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Wednesday, June 05, 2013 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

My only suggestion would be to be careful not to err on the side of “suck.” We did that for a while, but I really had a problem offering a service that “sucks.” It also struck me that it did not offer a welcoming environment to our visitors. I agree that it is important to have incentives that gently steer non-guests towards the 802.1x service. Logging into a web page each time provides built in incentive. We also found that limiting the time they are allowed to use the guest service, to the time it takes to get a temporary ID that can get them on 802.1x was the ideal, rather than cripple the service itself so that it was a frustrating experience for those who used it. We usually capture a phone number to cover attribution.

The other advantage of the “open” SSID is that it is a good temporary solution for someone who has issues configuring their device for 1x. Some devices have difficulties (even using Xpressconnect). And when you think about it, maybe it isn’t the end of the world if someone who can do 802.1x uses an open SSID. It happens all the time in coffee shops, hotels and airports all across the country.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Kell
Sent: Tuesday, June 04, 2013 8:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

On 6/4/2013 8:20 PM, Tim Cappalli wrote:
> We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

If you have an open SSID, just be sure to make the service suck just enough that anyone that can use the proper SSIDs, will want to use the proper SSIDs. You can restrict ports, protocols, bandwidth, whatever it takes; but it has to be just adequate to cover the guest demands and just inadequate enough to push your real users to your real SSID. If you don't impose some restrictions, they'll use the easiest connection every time.

Jeff
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
We have split non 802.1x devices into two categories. User devices like Kindles, and non-user/shared/infrastructure devices. We do not provide wireless network for user devices due to a combination of security concerns and/or too much management required with solutions like hotspots, open networks, self registering etc. We have not seen a huge number of requests for this, so there's been no real need or push for us to develop a solution in this area.

For the rest we do provide a network. These devices might be building monitoring tools (temperature etc), shared devices like PC's on mobile trolleys that get wheeled around and used by anyone. We provide a WPA2-PSK, don't broadcast, only IT staff can enter the PSK and the device also needs to be registered. There is only a handful of these... about 5. It may not be the most scalable solution but it certainly works for what our needs are at this stage. The mobile trolleys were a trial, we'd probably develop something around creating accounts in the dot1x space if that becomes common.

Regards
Jason

-- Jason Cook Technology Services The University of Adelaide, AUSTRALIA 5005 Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Wednesday, 5 June 2013 5:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Non-802.1x devices on wireless...

I seem to remember seeing some discussion a while ago about non 802.1x capable devices on wireless. We're a Cisco wireless shop, and currently run 2, about to be 3 (with the addition of eduroam) SSID's. Is anyone running a specific SSID for these non-802.1x capable devices? Perhaps using WEP and MAC address authentication?

Feel free to contact me off list... I'm just trying to get some examples of best practice (or at least implemented practices) from other institutions.

Respectfully,

Danny Eaton Snr. Network Architect Networking, Telecommunications, Operations Rice University, IT Mudd Bldg, RM #205 Jones College Associate Staff Advisory Committee Employee Activities Subcommittee Chair Office - 713-348-5233 Cellular - 832-247-7496 dannyea...@rice.edu

Soli Deo Gloria Matt 18:4-6 G.K. Chesterton, Christianity has not been tried and found wanting. It's been found hard and left untried.
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
Starting this fall we will have eduroam and an open SSID for guests and non-8021x capable devices. Those devices will use MAC auth with a registration process. Guests will hit a guest registration system.

Tim

Tim Cappalli, Network Engineer LTS | Brandeis University x67149 | (617) 701-7149 cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Tuesday, June 04, 2013 3:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Non-802.1x devices on wireless...

I seem to remember seeing some discussion a while ago about non 802.1x capable devices on wireless. We’re a Cisco wireless shop, and currently run 2, about to be 3 (with the addition of eduroam) SSID’s. Is anyone running a specific SSID for these non-802.1x capable devices? Perhaps using WEP and MAC address authentication?

Feel free to contact me off list… I’m just trying to get some examples of “best practice” (or at least implemented practices) from other institutions.

Respectfully,

Danny Eaton Snr. Network Architect Networking, Telecommunications, Operations Rice University, IT Mudd Bldg, RM #205 Jones College Associate Staff Advisory Committee Employee Activities Subcommittee Chair Office - 713-348-5233 Cellular - 832-247-7496 dannyea...@rice.edu

Soli Deo Gloria Matt 18:4-6 G.K. Chesterton, “Christianity has not been tried and found wanting. It’s been found hard and left untried.”
RE: [WIRELESS-LAN] Non-802.1x devices on wireless...
Tim,

In regards to your open SSID, how do you sway everyone from just jumping on that instead of using eduroam? Do you worry at all about someone sniffing the wireless traffic and getting someone else's MAC address and then changing theirs to avoid registration?

Andy Poirier Network Administrator North Central University 612-343-4758

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Tuesday, June 04, 2013 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

Starting this fall we will have eduroam and an open SSID for guests and non-8021x capable devices. Those devices will use MAC auth with a registration process. Guests will hit a guest registration system.

Tim

Tim Cappalli, Network Engineer LTS | Brandeis University x67149 | (617) 701-7149 cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Tuesday, June 04, 2013 3:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Non-802.1x devices on wireless...

I seem to remember seeing some discussion a while ago about non 802.1x capable devices on wireless. We're a Cisco wireless shop, and currently run 2, about to be 3 (with the addition of eduroam) SSID's. Is anyone running a specific SSID for these non-802.1x capable devices? Perhaps using WEP and MAC address authentication?

Feel free to contact me off list... I'm just trying to get some examples of best practice (or at least implemented practices) from other institutions.

Respectfully,

Danny Eaton Snr. Network Architect Networking, Telecommunications, Operations Rice University, IT Mudd Bldg, RM #205 Jones College Associate Staff Advisory Committee Employee Activities Subcommittee Chair Office - 713-348-5233 Cellular - 832-247-7496 dannyea...@rice.edu

Soli Deo Gloria Matt 18:4-6 G.K. Chesterton, Christianity has not been tried and found wanting. It's been found hard and left untried.
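The MAC-cloning concern raised in this message can be monitored for on a MAC-auth SSID. The added example below (not from the thread) flags a registered MAC that has accounting sessions open on two APs at once or whose DHCP option 55 parameter list no longer matches the one stored at registration; the stored fingerprint, the event format, the AP names and all values are constructed assumptions.

```python
# Constructed registration data: MAC -> DHCP option 55 (parameter request
# list) captured at registration. Assumption: the portal stores this.
REGISTERED = {
    "aabbcc000010": "1,3,6,15,119,252",
    "aabbcc000011": "1,15,3,6,44,46,47,31,33,121,249,43",
}

# Constructed events from the open SSID: (time, kind, mac, detail).
# "start"/"stop" are accounting events (detail = AP name);
# "dhcp" carries the option 55 list seen from the client.
EVENTS = [
    ("2013-06-05T09:00:00", "start", "aabbcc000010", "ap-library-1"),
    ("2013-06-05T09:01:00", "dhcp", "aabbcc000010", "1,3,6,15,119,252"),
    ("2013-06-05T09:30:00", "start", "aabbcc000010", "ap-gym-4"),  # no stop yet
    ("2013-06-05T09:30:05", "dhcp", "aabbcc000010", "1,15,3,6,44,46,47,31,33,121,249,43"),
    ("2013-06-05T10:00:00", "start", "aabbcc000011", "ap-dorm-2"),
    ("2013-06-05T10:20:00", "stop", "aabbcc000011", "ap-dorm-2"),
    ("2013-06-05T10:20:02", "start", "aabbcc000011", "ap-dorm-3"),  # clean roam
]

def find_clone_suspects(events, registered):
    """Return {mac: sorted reasons} for registered MACs that look cloned."""
    active = {}   # mac -> set of APs with an open accounting session
    reasons = {}  # mac -> set of reason strings
    for _ts, kind, mac, detail in sorted(events):
        if kind == "start":
            elsewhere = active.setdefault(mac, set()) - {detail}
            if elsewhere:
                # Same MAC already has a live session on another AP.
                reasons.setdefault(mac, set()).add("concurrent-sessions")
            active[mac].add(detail)
        elif kind == "stop":
            active.get(mac, set()).discard(detail)
        elif kind == "dhcp":
            expected = registered.get(mac)
            if expected is not None and detail != expected:
                # A different DHCP client stack is using the registered MAC.
                reasons.setdefault(mac, set()).add("dhcp-fingerprint-changed")
    return {mac: sorted(found) for mac, found in reasons.items()}

if __name__ == "__main__":
    for mac, found in find_clone_suspects(EVENTS, REGISTERED).items():
        print(mac, ", ".join(found))
```

Both signals are heuristics: an OS upgrade changes the option 55 list, and some controllers report a roam as a new start without a stop, so hits are leads to review.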
Re: [WIRELESS-LAN] Non-802.1x devices on wireless...
We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

Tim

Tim Cappalli, Network Engineer LTS | Brandeis University x67149 | (617) 701-7149 cappa...@brandeis.edu

On Tue, Jun 4, 2013 at 6:25 PM, Andy Poirier atpoi...@northcentral.edu wrote:

Tim,

In regards to your open SSID, how do you sway everyone from just jumping on that instead of using eduroam? Do you worry at all about someone sniffing the wireless traffic and getting someone else’s MAC address and then changing theirs to avoid registration?

Andy Poirier Network Administrator North Central University 612-343-4758

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Tuesday, June 04, 2013 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

Starting this fall we will have eduroam and an open SSID for guests and non-8021x capable devices. Those devices will use MAC auth with a registration process. Guests will hit a guest registration system.

Tim

Tim Cappalli, Network Engineer LTS | Brandeis University x67149 | (617) 701-7149 cappa...@brandeis.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Tuesday, June 04, 2013 3:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Non-802.1x devices on wireless...

I seem to remember seeing some discussion a while ago about non 802.1x capable devices on wireless. We’re a Cisco wireless shop, and currently run 2, about to be 3 (with the addition of eduroam) SSID’s. Is anyone running a specific SSID for these non-802.1x capable devices? Perhaps using WEP and MAC address authentication?

Feel free to contact me off list… I’m just trying to get some examples of “best practice” (or at least implemented practices) from other institutions.

Respectfully,

Danny Eaton Snr. Network Architect Networking, Telecommunications, Operations Rice University, IT Mudd Bldg, RM #205 Jones College Associate Staff Advisory Committee Employee Activities Subcommittee Chair Office - 713-348-5233 Cellular - 832-247-7496 dannyea...@rice.edu

Soli Deo Gloria Matt 18:4-6 G.K. Chesterton, “Christianity has not been tried and found wanting. It’s been found hard and left untried.”
Re: [WIRELESS-LAN] Non-802.1x devices on wireless...
On 6/4/2013 8:20 PM, Tim Cappalli wrote:

We restrict some services on open. Also, as part of the registration process, their device will be configured for eduroam and the open SSID will be removed from their network list. They could hop back on if they want. It's their choice.

If you have an open SSID, just be sure to make the service suck just enough that anyone that can use the proper SSIDs, will want to use the proper SSIDs. You can restrict ports, protocols, bandwidth, whatever it takes; but it has to be just adequate to cover the guest demands and just inadequate enough to push your real users to your real SSID. If you don't impose some restrictions, they'll use the easiest connection every time.

Jeff