Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jonathan Waldrep
On 2021-04-22 15:03:42-0500, Coehoorn, Joel wrote:
> One other thing to keep in mind when considering an open access
> environment is it's only the default and doesn't have to be the final
> word. If you see a suspicious or malicious device, you can still force
> it back behind a captive portal to get or re-up whatever user info you
> want before granting (or not) access again, even on an otherwise open
> network.

 How would we identify the device to put it behind a captive portal?

 This touches on something that does make me nervous. If a device is
misbehaving, how do I kick it from the network? And I'm not just talking
about fully open networks, either. If I have a network where anyone can
walk in off the street and connect (that could be a click-through
captive portal, self-sponsored via email/sms, social login, etc), then
that person/device can always generate a new ID and reconnect.

 Today, I can (and do) use the MAC address to block the device. In the
current phase of MAC randomization (most modern defaults are a
randomized MAC generated per ESSID), that mostly works. But a MAC
address is not a globally unique device identifier. It is (ostensibly) a
globally unique interface identifier. For a long time that has been
close enough to the same thing that the distinction didn't matter. I
really think those days are numbered. (And that's why I think MAC auth
is going away.)

 Note that to get around this problem, it does not necessitate that we
only accept IDs that we control. Just that we only accept IDs the user
can't generate at will (e.g., eduroam federated IDs (if you exclude
anyroam)). But then, how do I ensure that _anyone_ can get on?

 This is a fundamental issue that I've been kicking around the last 18
months or so, wondering if we really can get rid of the captive portal.
When we last revamped guest access, letting anyone on was an explicit
goal. But that kind of captive portal isn't doing nearly as much as we
first assumed in protecting ourselves, so why have it? (For now, the
answer is "the business model demands it." I have more hope that will
change than for approval from legal.)

On 2021-04-22 21:57:30+, Jeffrey D. Sessler wrote:
> Chuck,
>
> The key that you touch on is that this has to do with the
> organization's appetite for risk, and what legal says is defensible.

 I've said it before, and I'll say it again. The challenges to getting
rid of a captive portal are not technical.

 I know it sounds like a bold statement, but I really think we are
seeing the beginnings of the end for captive portals and MAC auth. That
end might still be 10 years out, but it is coming.

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
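
Added example (not part of Jonathan's post or of any vendor's code) for the point above about MAC-based blocking in the age of MAC randomization: a randomized MAC is a locally administered address, which the client marks by setting the U/L bit (value 0x02) in the first octet, while an OUI-assigned burned-in address leaves that bit clear. The script classifies addresses on that bit and then audits a blocklist against association records, flagging entries that key on a randomized address and so hold only as long as the client keeps its current per-SSID MAC. The log line format, the addresses and the blocklist are constructed for the example and are not any controller's real output.

```python
"""Added example: tell a randomized (locally administered) MAC from a burned-in
one, then audit a MAC blocklist against association records.

The log format, addresses and blocklist below are constructed for the example.
"""
import re

# Six hex octets separated by ':' or '-'.
MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})"
    r"[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})$"
)

# Constructed association records; the field layout is an assumption, not a
# real controller's log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ASSOC mac=(?P<mac>\S+) ssid=(?P<ssid>\S+) ap=(?P<ap>\S+)$"
)
SAMPLE_LOG = """\
2021-04-22T14:58:10-0500 ASSOC mac=da:a1:19:7c:3e:f0 ssid=Campus-Guest ap=ap-lib-2
2021-04-22T15:01:42-0500 ASSOC mac=00:1a:2b:3c:4d:5e ssid=Campus-Guest ap=ap-lib-2
2021-04-22T15:03:42-0500 ASSOC mac=da:a1:19:7c:3e:f0 ssid=Campus-Guest ap=ap-lib-3
2021-04-22T15:10:05-0500 ASSOC mac=9e:4f:11:22:33:44 ssid=eduroam ap=ap-lib-3
"""


def parse_mac(mac: str) -> bytes:
    """Return the six octets of a MAC address, or raise ValueError."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in m.groups())


def is_multicast(mac: str) -> bool:
    """The I/G bit (value 0x01 of the first octet) marks group addresses."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (value 0x02 of the first octet) is clear on addresses
    assigned from a vendor OUI and set on randomized ones generated by the
    client OS (and on other locally administered addresses, e.g. VM NICs)."""
    return bool(parse_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    if is_multicast(mac):
        return "multicast"
    return "locally-administered" if is_locally_administered(mac) else "universal"


def parse_log(text: str) -> list:
    """Parse the constructed ASSOC lines; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def audit_blocklist(blocklist: list, log_text: str) -> dict:
    """For each blocked MAC: its address class, how often it associated, on
    which SSIDs, and whether it is a randomized address (so the block is only
    as durable as the client's current per-SSID address)."""
    records = parse_log(log_text)
    report = {}
    for entry in blocklist:
        mac = entry.strip().lower().replace("-", ":")
        hits = [r for r in records if r["mac"].lower() == mac]
        kind = classify(mac)
        report[mac] = {
            "class": kind,
            "randomized": kind == "locally-administered",
            "seen": len(hits),
            "ssids": sorted({r["ssid"] for r in hits}),
        }
    return report


if __name__ == "__main__":
    blocked = ["DA-A1-19-7C-3E-F0", "00:1a:2b:3c:4d:5e", "3c:22:fb:aa:bb:cc"]
    for mac, info in audit_blocklist(blocked, SAMPLE_LOG).items():
        flag = "randomized, may reappear under a new MAC" if info["randomized"] else "burned-in"
        print(f"{mac}  {info['class']:<21} seen={info['seen']} ssids={info['ssids']}  {flag}")
```

The U/L bit is a heuristic, not proof: virtual machines and some adapters also use locally administered addresses, and a burned-in address can be spoofed just as easily. What the audit does show is which blocklist entries depend on an identifier the client generated itself, which is exactly the category Jonathan expects to stop working as an interface identifier stands in for a device identifier.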


RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
Chuck,

The key that you touch on is that this has to do with the organization's 
appetite for risk, and what legal says is defensible. Tell me the rules as you 
see them and I'll make adjustments accordingly to my Joo Janta 200 
Super-Chromatic Peril Sensitive Sunglasses.

Jeff


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Coehoorn, Joel
One other thing to keep in mind when considering an open access environment
is it's only the default and doesn't have to be the final word. If you see
a suspicious or malicious device, you can still force it back behind a
captive portal to get or re-up whatever user info you want before granting
(or not) access again, even on an otherwise open network.

Making people register a device or authenticate a captive portal doesn't
stop bad people, infected devices, stolen credentials, etc, from coming to
your network, so we need to be prepared to do this anyway.

The *only* place an open network leaves us hanging is the one-time event,
where someone does a Bad Thing™ and then never comes back. Even then, for
lesser events if they never come back it's not so much of a problem. But
for those greater events we hope never happen, not being able to say, "It
was him, and here are the logs to prove it." can be pretty scary.

Joel Coehoorn
Director of Information Technology
York College of Nebraska


RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Enfield, Chuck
I agree.  I've been involved with decisions where we ask lawyers what we should 
do, and we get the easiest, low-risk answer.  We should decide what we'd like 
to do, then ask lawyers how best to do it and what the remaining risks are.  
All business decisions should be based on risk and reward.  We tend to act like 
the law defines what we must do.  That's rarely the case.


RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Floyd, Brad
We as IT people can discuss the merits of captive portal / no captive portal, 
authentication / reasonably knowing if a device is doing something bad, etc. We 
are asked all of the time what our recommendations are in these circumstances 
and we should weigh in with our opinions. However, it seems like this 
discussion comes down to two questions that we should be asking our 
organization's legal team / advisors:


  1.  If I make this "XYZ decision in providing / maintaining our 
infrastructure", am I considered to have legally exercised "due diligence"?
  2.  If I implement the decision in #1, are you (as the legal team) able to 
reasonably defend the organization against likely legal challenges?

Every organization has different pain levels and will likely make a decision 
based on those factors. Just my 2 cents.
Thanks,
Brad


RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Enfield, Chuck
We discussed all those issues, and no doubt it opens a smelly can of worms.  
Most of these issues come into play simply by allowing employees to use 
personal devices.  If you allow for personal device use, requiring their use 
didn't create many additional legal issues.

I feel like I need to make a disclaimer here.  I'm not a lawyer, you may recall 
me getting things very wrong regarding CALEA a couple years back.  I researched 
your comments and concluded you were right and the university attorney that 
gave me contradictory information was incorrect.  It took me long enough to be 
sure of that that I never replied to the thread to say so.  I could be wrong 
about this as well, but unlike our guest network access, which was evaluated by 
one attorney and probably didn't get very much attention from her, this issue 
was taken very seriously by the controller, HR, Risk, and General Counsel.  
Outside counsel with expertise in this area was also consulted.  I'm confident 
that whatever our legal team concluded on this issue was defensible.


RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
For sure, my lens is based on California law, however, the federal Fair Labor 
Standards Act and state overtime and wage payment laws also come into play 
here.  Since nonexempt (hourly) workers have ready access to the technology, 
they will be in a position to respond to e-mails and text messages or to 
otherwise engage in work activities outside their scheduled work hours. Even if 
you don't reimburse for the use of the personal device, there is the wage 
exposure of having to compensate those nonexempt employees because checking 
their work email is - well - working.   When we rolled out DUO, we had to offer 
all employees a token, and they signed a waiver if they wanted to use the DUO 
app on their personal phone for their convenience.

On the eDiscovery/litigation front, it can be difficult/impossible to ensure 
that business records stored on an employee's personal device are retained long 
enough to satisfy discovery requests.  There are also risks should that data 
not be available, and presents a whole other quagmire in the BYOD movement that 
is beyond this conversation.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Thursday, April 22, 2021 1:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Tim,

I would take a look at case law, where it was determined that an employer cannot 
expect an employee to use their own device without compensation.  This has 
resulted in two scenarios now.  The first being that the employer provides the 
employee with a stipend to compensate them for use of their personal device.  
The second being that employers now provide the necessary devices (tools) to 
the employee in order to carry out their duties.

For example, with COVID, many employers are providing temporary stipends to 
employees to cover Internet consumption and personal cell use.

In no way shape or fashion can an employer compel the user to install or enroll 
their personal device into their employer's end-point management.  The employer 
could say it's an optional condition of the employee's desire, in a voluntary 
decision, to use that device for company business. Can't be forced.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Thursday, April 22, 2021 9:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Well, I can tell you that is just not the reality. Sorry!


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler <j...@scrippscollege.edu>
Sent: Thursday, April 22, 2021 12:04
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Enfield, Chuck
Jeff,

It makes sense that you think this is settled law, because in California it is 
settled law.  I don't recall all the details, but I was on a team involved with 
considering mobile device policies for Penn State, and we discussed a case in 
California around 2014/2015 that clarified California labor law.  The law 
required that employers reimburse employees for expenses, but said nothing 
about how those expenses should be calculated.  Some employers decided they 
only needed to reimburse marginal expenses, but the court decision said that's 
not the case.  So if you're required to use your device for work in California 
you're entitled to reimbursement of some kind.  As I recall, no specific 
reimbursement formula was recommended by the court in that case.  I assume 
there's been some standardization since, even if only de facto.

That, however, was a California court interpreting California law.  Our 
institution considered that ruling and concluded that Pennsylvania law was 
different and that we could discontinue our stipend and require certain 
employees to provide and use their own phones for work communications.  In the 
end, we stopped the stipend, but never implemented the mandate.  I was never 
informed precisely why we stopped short of the mandate.  That decision was made 
out of committee.

I'm confident there was no clear Federal requirement when we were discussing 
this in 2016, but if there's been case law or US Department of Labor guidance 
since then I wouldn't necessarily expect to know about it.  I am curious if 
anybody knows more about it.

Chuck

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Lee H Badman
FWIW, I'm finding all of this very interesting and informative.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Thursday, April 22, 2021 1:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Don't remember saying anything about employees being forced to do anything...
We're so far off topic at this point. I'm done.

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Tim Cappalli
Don't remember saying anything about employees being forced to do anything...

We're so far off topic at this point. I'm done.

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
Tim,

I would take a look at case law, where it was determined that an employer can 
not expect an employee to use their own device without compensation.  This has 
resulted in two scenarios now.  The first being that the employer provides the 
employee with a stipend to compensate them for use of their personal device.  
The second being that employers now provide the necessary devices (tools) to 
the employee in order to carry out their duties.

For example, with COVID, many employers are providing temporary stipends to 
employees to cover Internet consumption and personal cell use.

In no way shape or fashion can an employer compel the user to install or enroll 
their personal device into their employer's end-point management.  The employer 
could say it's an optional condition of the employee's desire, in a voluntary 
decision, to use that device for company business. Can't be forced.

Jeff

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Anderson, Chuck
Company-owned devices don't always have the opportunity to be onboarded by 
staff before the device gets into the hands of the end user, especially in this 
current environment where everything is drop-shipped from the vendor or service 
provider and never even touches corporate headquarters.

There are also plenty of examples of tools that the employee needs to do their 
job that are not provided by the business.  Office furniture for home offices 
is the perfect example in this current environment.

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Tim Cappalli
Well, I can tell you that is just not the reality. Sorry!


From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jeffrey D. Sessler
Sent: Thursday, April 22, 2021 12:04
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

On 2021-04-21 21:30:53+0000, Tim Cappalli wrote:
>  I'd also like to address the comment about post-college experience.
>
>  Most organizations these students are going to work at are going to
> require MDM or MAM on their personal devices. So I fundamentally
> disagree with the comment that they won't deal with "enrollment" post
> campus life.

On the above specifically.  In every business scenario I've encountered, and 
it's at EDU level now too, unless you are going to compensate the user for 
access/control of their device, the business has no right to require MDM.  This 
is in the same territory as requiring an employee to check business email from 
a personal device - it must be only as an employee opt-in convenience, and not 
a substitute for the business providing that person the tools they need to do 
their job.

That's a long trip version of saying that a business is going to hand their 
employee a pre-enrolled/managed company-owned device(s) where it is the 
business' responsibility to handle whatever onboarding they've established for 
their company assets.  The individual will never encounter this activity (nor 
should they) with a personal device they own.

Jeff

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Wednesday, April 21, 2021 7:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

On 2021-04-21 21:24:25+0000, Tim Cappalli wrote:
>  Why not take baby steps? One example: So many organizations talk
> about user experience challenges of onboarding (and trust me, I hear
> you) but then issue 1 year certs and force the user through it every
> year.
>
>  Switch to a 5 year cert (or device specific cred) and use
> authorization rules to temporarily (or permanently) revoke access.
 100%. Preach. We are kicking off a project to move from PEAP/MSCHAPv2 to 
EAP-TLS, primarily for usability reasons. There are plenty of other reasons why 
it is a good change (that I as an admin am personally excited about), but they 
are not what is pushing things forward the hardest. Right now, because 
MSCHAPv2 is hot garbage, users have a password used only for network access. We 
want to get rid of that.
Partly because _passwords_ are hot garbage.

 The intent is to move to per-device certs that will expire after the device is 
dead from oxidation. The cert/key establishes _authentication_ (who is this?). 
This only breaks if the key is compromised or the device changes hands. 
Everything else is an issue of _authorization_ (is this allowed?). We're 
considering blurring that line a bit and pretending it is all authorization, 
but now I'm just rambling.

 I don't think I've said anything until this point that Tim would disagree 
with. It's here mostly for the broader discussion of the thread.

> You don't have to burn the whole forest down.
 I'm not planning on it. We'll still have a .1X network (eduroam). I just won't 
care if someone decides to not use it.

 What I do want to burn down are the dead trees - the captive portal and 
_mandated_ authentication. And that's not going to happen for a while.
EAP-TLS isn't a strict prereq, but it is more urgent, and we don't have the 
manpower to do both at the same time.

>  I'm sure your security folks would rather have a guaranteed encrypted
> network with user identity, a 5 year cert and full control, than an
> open network with no reliable user identity or enforcement mechanism.
 I've talked to them. They don't care. That's the simplicity zero-trust brings 
to the table. The _legal_ team on the other hand... that's a conversation that 
still needs to happen.

 I've used the term "zero-trust" some already, and I'm about to a lot more, so 
let's get past the buzz-word and define it. By "zero-trust", I am making the 
explicit choice to _NOT_:
  - care who you are
  - make any assumption about the security posture of the device
  - make any assumption about the network between us (encrypted, MitM,
etc)
 I _might_ care if your identity is knowable. Subtle but important distinction 
here: I _might_ care if the question, "Who are you?" has a meaningful answer, 
for the sake of accountability. I do _not_ care what that answer is.
 Also, some of these questions obviously need answering somewhere around layer 
7. But, layers 1-3 are not designed to answer those questions and are really 
bad at tryin
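
Jonathan Waldrep's message quoted above draws a line between a long-lived per-device EAP-TLS certificate (authentication: "who is this?", broken only by key compromise or a device changing hands) and authorization rules ("is this allowed?") that can suspend or reinstate a device without touching its credential. The script below is an added example written for this page, not code from the thread or from any of its authors. It uses only the openssl CLI so the two checks can be run by hand; a RADIUS server would perform the same chain/CRL check and then apply the policy in its authorization stage. The device labels, temporary paths and the tab-separated policy file format are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the EAP-TLS authentication /
# authorization split, done with the openssl CLI. A RADIUS server would do
# the same two checks in its own authorization stage. Device names, file
# paths and the policy file format are assumptions made for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/campus.cnf"
POLICY="$WORK/device-policy.tsv"   # assumed format: <serial>\t<allow|deny>\t<note>

# Minimal OpenSSL config: a CA section (used only for revocation and CRL
# generation) and a v3_ca extension set for the self-signed campus root.
setup_pki() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca = campus_ca
[ campus_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  : > "$POLICY"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CNF" -extensions v3_ca \
    -subj "/O=Example Campus/CN=Example Campus Device CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Start with an empty CRL so authentication can always demand a CRL check.
  openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Per-device credential valid for five years (longer than the hardware will
# live), signed by the campus CA. This is the *authentication* credential.
issue_device_cert() {   # $1 = device label (assumed naming)
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -subj "/O=Example Campus/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1825 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

cert_serial() {         # $1 = cert file; prints the hex serial number
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Authentication: chains to the campus CA, inside its validity period, not on the CRL.
authenticate() {        # $1 = cert file; exit 0 = "who is this?" has a trustworthy answer
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" "$1" >/dev/null 2>&1
}

# Authorization: local policy keyed by serial. Editing it never touches a certificate.
authorize() {           # $1 = serial; exit 0 = allowed; a serial with no policy line is allowed
  decision=$(awk -F'\t' -v s="$1" '$1 == s { print $2; exit }' "$POLICY")
  [ "${decision:-allow}" = "allow" ]
}

set_policy() {          # $1 = serial, $2 = allow|deny, $3 = note (replaces any earlier line)
  awk -F'\t' -v s="$1" '$1 != s' "$POLICY" > "$POLICY.new"
  printf '%s\t%s\t%s\n' "$1" "$2" "$3" >> "$POLICY.new"
  mv "$POLICY.new" "$POLICY"
}

# Only for key compromise or a device changing hands: break authentication itself.
revoke_device_cert() {  # $1 = cert file
  openssl ca -config "$CNF" -revoke "$1" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

access_decision() {     # $1 = cert file; prints ALLOW, DENY:authn or DENY:authz
  if ! authenticate "$1"; then echo "DENY:authn"; return 0; fi
  if ! authorize "$(cert_serial "$1")"; then echo "DENY:authz"; return 0; fi
  echo "ALLOW"
}

setup_pki
issue_device_cert alice-laptop
issue_device_cert bob-phone
echo "alice-laptop, fresh cert:        $(access_decision "$WORK/alice-laptop.crt")"
# A misbehaving device is an authorization problem: one policy line, no cert change.
set_policy "$(cert_serial "$WORK/alice-laptop.crt")" deny "abuse ticket (hypothetical)"
echo "alice-laptop, suspended:         $(access_decision "$WORK/alice-laptop.crt")"
set_policy "$(cert_serial "$WORK/alice-laptop.crt")" allow "ticket closed"
echo "alice-laptop, reinstated:        $(access_decision "$WORK/alice-laptop.crt")"
# A phone that left with its key is an authentication problem: revoke, and no policy
# line can let it back on.
revoke_device_cert "$WORK/bob-phone.crt"
set_policy "$(cert_serial "$WORK/bob-phone.crt")" allow "would not help"
echo "bob-phone, key gone with device: $(access_decision "$WORK/bob-phone.crt")"
```

Run it as-is; it builds everything in a temporary directory and prints four decisions (ALLOW, DENY:authz, ALLOW, DENY:authn). The point to notice is which file changes in each case: suspending and reinstating alice-laptop edits only the policy file, so the five-year certificate never has to be reissued and the user never sees onboarding again, whereas bob-phone is handled by revocation, after which the authorization policy is never even consulted. In production the CRL (or OCSP) check and the policy lookup both live in the RADIUS server's authorization path, and the policy would be keyed on whatever device identity the certificate carries rather than on a hand-edited TSV file.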

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
On 2021-04-21 21:30:53+0000, Tim Cappalli wrote:
>  I'd also like to address the comment about post-college experience.
>
>  Most organizations these students are going to work at are going to 
> require MDM or MAM on their personal devices. So I fundamentally 
> disagree with the comment that they won't deal with "enrollment" post 
> campus life.

On the above specifically.  In every business scenario I've encountered, and 
it's at EDU level now too, unless you are going to compensate the user for 
access/control of their device, the business has no right to require MDM.  This 
is in the same territory as requiring an employee to check business email from 
a personal device - it must be only as an employee opt-in convenience, and not 
a substitute for the business providing that person the tools they need to do 
their job.

That's a long trip version of saying that a business is going to hand their 
employee a pre-enrolled/managed company-owned device(s) where it is the 
business' responsibility to handle whatever onboarding they've established for 
their company assets.  The individual will never encounter this activity (nor 
should they) with a personal device they own. 

Jeff

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Wednesday, April 21, 2021 7:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

On 2021-04-21 21:24:25+0000, Tim Cappalli wrote:
>  Why not take baby steps? One example: So many organizations talk 
> about user experience challenges of onboarding (and trust me, I hear
> you) but then issue 1 year certs and force the user through it every 
> year.
>
>  Switch to a 5 year cert (or device specific cred) and use 
> authorization rules to temporarily (or permanently) revoke access.
 100%. Preach. We are kicking off a project to move from PEAP/MSCHAPv2 to 
EAP-TLS, primarily for usability reasons. There are plenty of other reasons why 
it is a good change (that I as an admin am personally excited about), but they 
are not what is pushing things forward the hardest. Right now, because 
MSCHAPv2 is hot garbage, users have a password used only for network access. We 
want to get rid of that.
Partly because _passwords_ are hot garbage.

 The intent is to move to per-device certs that will expire after the device is 
dead from oxidation. The cert/key establishes _authentication_ (who is this?). 
This is only breaks if the key is compromised or the device changes hands. 
Everything else is an issue of _authorization_ (is this allowed?). We're 
considering blurring that line a bit and pretending it is all authorization, 
but now I'm just rambling.

 I don't think I've said anything until this point that Tim would disagree 
with. It's here mostly for the broader discussion of the thread.

> You don't have to burn the whole forest down.
 I'm not planning on it. We'll still have a .1X network (eduroam). I just won't 
care if someone decides to not use it.

 What I do want to burn down are the dead trees - the captive portal and 
_mandated_ authentication. And that's not going to happen for a while.
EAP-TLS isn't a strict prereq, but it is more urgent, and we don't have the 
manpower to do both at the same time.

>  I'm sure your security folks would rather have a guaranteed encrypted 
> network with user identity, a 5 year cert and full control, than an 
> open network with no reliable user identity or enforcement mechanism.
 I've talked to them. They don't care. That's the simplicity zero-trust brings 
to the table. The _legal_ team on the other hand... that's a conversation that 
still needs to happen.

 I've used the term "zero-trust" some already, and I'm about to a lot more, so 
let's get past the buzz-word and define it. By "zero-trust", I am making the 
explicit choice to _NOT_:
  - care who you are
  - make any assumption about the security posture of the device
  - make any assumption about the network between us (encrypted, MitM,
etc)
 I _might_ care if your identity is knowable. Subtle but important distinction 
here: I _might_ care if the question, "Who are you?" has a meaningful answer, 
for the sake of accountability. I do _not_ care what that answer is.
 Also, some of these questions obviously need answering somewhere around layer 
7. But, layers 1-3 are not designed to answer those questions and are really 
bad at trying. Zero-trust is specifically layers 1-3.

 On enforcement, lets take a trip into the nuances of our implementation of 
zero-trust (told you I was going to use it more).
 Right now, if you connect on eduroam (VT affiliate or a roaming user), as a 
sponsored guest, or with a (MAC) registered device, you end up in 

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Jonathan Waldrep
On 2021-04-21 21:24:25+, Tim Cappalli wrote:
>  Why not take baby steps? One example: So many organizations talk
> about user experience challenges of onboarding (and trust me, I hear
> you) but then issue 1 year certs and force the user through it every
> year.
>
>  Switch to a 5 year cert (or device specific cred) and use
> authorization rules to temporarily (or permanently) revoke access.
 100%. Preach. We are kicking off a project to move from PEAP/MSCHAPv2
to EAP-TLS, primarily for usability reasons. There are plenty of other
reasons why it is a good change (that I as an admin am personally
excited about), but they are not what is pushing things forward the
hardest. Right now, because MSCHAPv2 is hot garbage, users have a
password used only for network access. We want to get rid of that.
Partly because _passwords_ are hot garbage.

 The intent is to move to per-device certs that will expire after the
device is dead from oxidation. The cert/key establishes _authentication_
(who is this?). This only breaks if the key is compromised or the
device changes hands. Everything else is an issue of _authorization_ (is
this allowed?). We're considering blurring that line a bit and
pretending it is all authorization, but now I'm just rambling.

 I don't think I've said anything until this point that Tim would
disagree with. It's here mostly for the broader discussion of the
thread.

> You don't have to burn the whole forest down.
 I'm not planning on it. We'll still have a .1X network (eduroam). I
just won't care if someone decides to not use it.

 What I do want to burn down are the dead trees - the captive portal and
_mandated_ authentication. And that's not going to happen for a while.
EAP-TLS isn't a strict prereq, but it is more urgent, and we don't have
the manpower to do both at the same time.

>  I'm sure your security folks would rather have a guaranteed encrypted
> network with user identity, a 5 year cert and full control, than an
> open network with no reliable user identity or enforcement mechanism.
 I've talked to them. They don't care. That's the simplicity zero-trust
brings to the table. The _legal_ team on the other hand... that's a
conversation that still needs to happen.

 I've used the term "zero-trust" some already, and I'm about to a lot
more, so let's get past the buzz-word and define it. By "zero-trust", I
am making the explicit choice to _NOT_:
  - care who you are
  - make any assumption about the security posture of the device
  - make any assumption about the network between us (encrypted, MitM,
etc)
 I _might_ care if your identity is knowable. Subtle but important
distinction here: I _might_ care if the question, "Who are you?" has a
meaningful answer, for the sake of accountability. I do _not_ care what
that answer is.
 Also, some of these questions obviously need answering somewhere around
layer 7. But, layers 1-3 are not designed to answer those questions and
are really bad at trying. Zero-trust is specifically layers 1-3.

 On enforcement, let's take a trip into the nuances of our implementation
of zero-trust (told you I was going to use it more).
 Right now, if you connect on eduroam (VT affiliate or a roaming user),
as a sponsored guest, or with a (MAC) registered device, you end up in
the same network. Let's call it the accountable network.
 If you connect as a self-sponsored guest, you end up in a different
network. Let's call it the unaccountable network.
 The unaccountable network is a different routing instance, with clearly
segmented IP space, where the traffic is basically hairpinned at the
border.
 _Both_ networks are zero-trust. With the accountable network, we are
telling sysadmins that we can additionally answer the question, "who is
this?" given an IP/timestamp. Those in the unaccountable network should
be treated as coming from the villainous wilderness that is the
Internet. Among other things, this allows for writing some really coarse
ACLs that mostly filter out noise.

 Let's take another detour on some core considerations for our guest
network. We've decided that someone should be able to walk on campus and
be able to use the wireless network. Maybe that takes some
self-sponsoring, maybe not, but they can get on the network without us
providing credentials for them. This means there is an open(ish) network
with unreliable or no identity sitting right next to our .1X network.

 So what does that mean for enforcement? Effectively, reliable
authentication is already optional. Adding a captive portal to the open
network doesn't change that. Zero-trust and the accountable vs
unaccountable network split helps quite a bit here, and I think it's
pretty obvious why.

On 2021-04-21 21:30:53+, Tim Cappalli wrote:
>  I'd also like to address the comment about post-college experience.
>
>  Most organizations these students are going to work at are going to
> require MDM or MAM on their personal devices. So I fundamentally
> disagree with the comment that they 
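As an added illustration of the model discussed above (example code written for this page, not Virginia Tech's, Tim's, or any vendor's implementation), the following Python sketch separates a long-lived per-device credential from the authorization rules that can revoke it, splits connections into an accountable and an unaccountable network, and answers the "who was at this IP at this time?" question only for the accountable side. Method names, identities and addresses are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Outcomes of the authorization step (names are this example's own).
ACCOUNTABLE = "accountable"      # eduroam, sponsored guest, registered device
UNACCOUNTABLE = "unaccountable"  # self-sponsored guest: treated like the Internet
REJECT = "reject"

# Connection methods that come with an identity someone can be held to.
ACCOUNTABLE_METHODS = {"eap-tls", "eduroam", "sponsored", "mac-registered"}


@dataclass
class AccessRequest:
    """What the RADIUS side knows at connect time (constructed fields)."""
    method: str                                  # e.g. "eap-tls" or "self-sponsored"
    identity: Optional[str]                      # cert subject, eduroam user, MAC, ...
    cert_not_after: Optional[datetime] = None    # only meaningful for eap-tls


@dataclass
class Session:
    identity: Optional[str]
    network: str
    ip: str
    start: datetime
    stop: Optional[datetime] = None


@dataclass
class Policy:
    # Identities whose authorization has been pulled. The credential stays
    # valid, so nothing needs reissuing to let the device back in later.
    revoked: set = field(default_factory=set)
    sessions: list = field(default_factory=list)

    def authorize(self, req: AccessRequest, now: datetime) -> str:
        # Authentication ("who is this?"): a missing or expired cert cannot
        # answer, so the request fails before any policy is consulted.
        if req.method == "eap-tls":
            if req.identity is None or req.cert_not_after is None \
                    or req.cert_not_after <= now:
                return REJECT
        # Authorization ("is this allowed?"), re-evaluated on every connect.
        if req.identity is not None and req.identity in self.revoked:
            return REJECT
        if req.method in ACCOUNTABLE_METHODS:
            return ACCOUNTABLE
        if req.method == "self-sponsored":
            return UNACCOUNTABLE
        return REJECT

    def connect(self, req: AccessRequest, ip: str, now: datetime) -> str:
        network = self.authorize(req, now)
        if network != REJECT:
            self.sessions.append(Session(req.identity, network, ip, now))
        return network

    def revoke(self, identity: str, now: datetime) -> list:
        """Pull authorization and return the live sessions an operator would now
        tear down (the disconnect itself is outside this model)."""
        self.revoked.add(identity)
        live = [s for s in self.sessions
                if s.identity == identity and s.stop is None]
        for s in live:
            s.stop = now
        return live

    def who_was(self, ip: str, at: datetime) -> Optional[str]:
        """The accountable network's promise: IP + timestamp -> identity.
        Sessions on the unaccountable network deliberately answer None."""
        for s in self.sessions:
            if s.ip == ip and s.start <= at and (s.stop is None or at < s.stop):
                return s.identity if s.network == ACCOUNTABLE else None
        return None


def demo() -> dict:
    """Walk two devices through the lifecycle the thread describes."""
    t0 = datetime(2021, 4, 21, 17, 0, tzinfo=timezone.utc)
    p = Policy()
    laptop = AccessRequest("eap-tls", "device-1234",
                           cert_not_after=t0 + timedelta(days=5 * 365))
    walkin = AccessRequest("self-sponsored", "guest-77")
    stale = AccessRequest("eap-tls", "device-9999",
                          cert_not_after=t0 - timedelta(days=1))
    r = {}
    r["laptop"] = p.connect(laptop, "10.1.0.5", t0)
    r["walkin"] = p.connect(walkin, "10.2.0.9", t0)
    r["stale"] = p.connect(stale, "10.1.0.7", t0)
    half_hour = t0 + timedelta(minutes=30)
    r["trace_laptop"] = p.who_was("10.1.0.5", half_hour)
    r["trace_walkin"] = p.who_was("10.2.0.9", half_hour)
    r["kicked"] = len(p.revoke("device-1234", t0 + timedelta(hours=1)))
    r["reconnect"] = p.connect(laptop, "10.1.0.6", t0 + timedelta(hours=2))
    r["trace_before_kick"] = p.who_was("10.1.0.5", half_hour)
    r["trace_after_kick"] = p.who_was("10.1.0.5", t0 + timedelta(minutes=90))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that revoking "device-1234" rejects its next connection while the historical IP/timestamp lookup still resolves for the period it was online; that is the point of keeping revocation on the authorization side.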

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
I'd also like to address the comment about post-college experience.

Most organizations these students are going to work at are going to require MDM 
or MAM on their personal devices. So I fundamentally disagree with the comment 
that they won't deal with "enrollment" post campus life.


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Tim Cappalli
Why not take baby steps? One example: So many organizations talk about user 
experience challenges of onboarding (and trust me, I hear you) but then issue 1 
year certs and force the user through it every year.

Switch to a 5 year cert (or device specific cred) and use authorization rules 
to temporarily (or permanently) revoke access.

You don't have to burn the whole forest down.

I'm sure your security folks would rather have a guaranteed encrypted network 
with user identity, a 5 year cert and full control, than an open network with 
no reliable user identity or enforcement mechanism.


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Jonathan Waldrep
Perhaps a better summary to the question, "Are you contemplating ditching
.1X in favor of WPA3/OWE?"

Kinda. I want to make .1X optional and burn the captive portal to the
ground, but that has nothing to do with WPA3/OWE. And I'm stuck with WPA2
until "3duroam" is a thing. Our security model does not rely on layers 1
and 2, so the federated access is more valuable.
--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech



Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Jonathan Waldrep
I keep trying to reply to this thread with my thoughts and some idea of
where we are trying to move on this topic, but inevitably, it ends up
rambly and unfinished. Let's see if I can actually keep it short and
relevant. If so, there is lots left unsaid; please feel free to ask for
details.

We don't have a non-BYOD side of the network. There are some traditional
institution-managed devices, but they are the exception, and they don't
have a special network. Painting with a broad brush lacking some nuance,
all of our user facing networks are zero trust. Turns out, this simplifies
a great many things.

That said, I would love to move to a model where we have eduroam, and a
wide open network (preferably with OWE, but that is orthogonal). No captive
portal. No PSK. Both of those methods are problematic. Why? And what about
device discovery (Chromecasts, airplay, etc)? How do we know who the device
belongs to? How do you keep the devices secure without encryption? How do
you keep the network secure without authentication? Why have eduroam at
all? Great questions, that I'm going to skip right over (see preface).

In general, shifting our mindset about network authentication from
something that is required for the administrators' sake to something that
the user can opt into because it gives _the user_ tangible value opens up a
lot of opportunity.

The biggest challenges to overcome here are _not_ technical. They are
business and legal issues. On that note, I have yet to see a time where a
technical solution to a non-technical problem doesn't end up hurting the
user.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech


On Wed, Apr 21, 2021 at 3:22 PM Jennifer Minella  wrote:

> Ooh Lee what a great thread! I didn’t have a chance yesterday but catching
> up now.
>
>
>
> Here’s what I throw in the mix for consideration… (no recommendations just
> free flow thoughts)
>
> Sorry this is long; WPA3 gets me really excited 😊
>
>
>
>1. OWE/Open Enhanced (not technically part of WPA3 but #semantics) *ONLY
>provides OTA encryption*; it does nothing for authenticating the user
>to the network NOR the network to the user.
>2. …that means *you could use a guest portal experience*, *with or
>without user ID*, and add encryption vs historically having to use a
>Pre-Shared Key or 802.1X for key exchanges and encryption.
>3. *If you care about who the user is*, you can still use a portal
>with self-registration and whatever duration you feel is appropriate.
>Depending on how much you care, a self-registration portal may (or may not)
>be sufficient.
>4. *If you care about protecting the user/device against a MiTM or
>evil twin attack,* then you probably prefer a mechanism that allows
>some type of authentication, which is typically mutual authentication (e.g.
>1X).
>5. Under WPA3, security is increased across the board and will be
>ongoing (not fixed). *Including replacing Pre-Shared Key (PSK) with
>SAE*- which looks/feels JUST like PSK to admins/users but further
>protects assets by using unique key derivations for each endpoint. So… if
>someone has the passcode they can get on, but they can’t decrypt any other
>traffic even if the endpoint(s) are using the same key. The list of
>enhancements goes on and on.
>6. *Does your organization require traceability of users* for any
>internal or external policies or compliance? This could be for security
>reasons, compliance with IP and digital rights, or other needs. One Uni org
>I’ve worked with successfully stopped a student from a suicide attempt when
>the student posted online- they physically located the person and saved
>them from what they were about to do… There are a lot of things to consider
>and every org is different.
>7. Whether or not portal acceptable use and/or user ID/registration is
>needed is *a hotly-debated topic* and has a lot of “it depends”. I
>recently asked several CISOs, lawyers, auditors, and cyber security friends
>at the FBI.
>   1. The CISOs feel it’s “window dressing” except that per …
>   2. …Lawyers, there may be some legal protection if a user
>   compromised while on your network comes after you (e.g. policy says “org
>   not responsible for anything resulting from use of their network”).
>   3. The FBI says they need “something” to open a case and prosecute
>   (e.g. Acceptable Use clause or access banner).
>   4. In Europe (I’m told) orgs providing public internet access fall
>   under ISP laws, and therefore must be diligent about
>   registration/acceptable use/etc. By policy/compliance they have stricter
>   rules for requiring accountability and registration.
>
>
>
> ___
>
> *Jennifer Minella*, CISSP, HP MASE
>
> VP of Engineering & Security
>
> Carolina Advanced Digital, Inc.
>
> www.cadinc.com
>
> j...@cadinc.com
>
> 919.460.1313 Main Of

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-21 Thread Manon Lessard
Just my two Maple-y cents

Up here the Copyright laws require ISPs (under which we are, as “providers” of 
connectivity on campus) to have sufficient information to be able to contact 
users should a copyright violation be recorded. Now there is a lot of blurred 
lines and room in the law itself and to my understanding nobody really had to 
go after users for “real” but since as higher ed we are a nice public target we 
decided we’d rather think twice about opening the valves to just about anyone 
just yet. We log enough so we can trace and prove due diligence.

Oh, and Jennifer thank you for being so passionate about WPA3, thank you for 
chiming in. Don’t hold back from preaching more on security.

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information (Information Technology Department)
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality: http://www.rec.ulaval.ca/lce/securite/confidentialite.htm


From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Jeffrey D. Sessler"
Date: Wednesday, April 21, 2021 at 4:04 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Jennifer,

I would hope that the service itself has authorization/admittance controls vs 
relying on the user’s device and/or the particular network the device is in for 
permission.

I’d also argue that there are enough breadcrumbs about any given device to 
determine the user without the need for them to authenticate to wireless. Then 
again, the device could just as easily be stolen, or the user’s account could 
have been compromised, and the attacker self-enrolls his/her machine/uses the 
credentials to gain access.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jennifer Minella
Sent: Wednesday, April 21, 2021 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Oh my goodness. I forgot the biggest one – if you’re going to give that user or 
device access to internal resources/assets you probably want to know who it is 
– even if it’s printers, screen casting, etc. If the user or device has access 
to critical internal resources, then you definitely need to know who it is. 
From an infosec due diligence standpoint, it would be hard to argue a defense on 
that one if a significant event were to occur.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-19 Thread Philippe Hanset
Yesterday, I was eating at a restaurant in Greenville, SC (Gorgeous town BTW). 
My cellular connection was very poor inside that restaurant and
the App that I was using needed more throughput. So, I decided to hunt for the 
restaurant Wi-Fi. I turned on my VPN and picked from a giant list of SSIDs an 
Open Network
that looked like the name of the restaurant. True story, they actually had an 
unrestricted Open Wi-Fi.

That experience reminded me of this post and that the main reason why I like 
WPA2/3-Enterprise is more for me as a User than for me as an Operator.
When I travel, 802.1X authenticates my relation with the Wi-Fi via the RADIUS 
infrastructure certificate (if my device doesn’t barf this Wi-Fi is federated!)
and hopefully I can trust that Wi-Fi and get some decent amount of Mbps.

Philippe

Philippe Hanset, CEO
www.anyroam.net





> On Apr 16, 2021, at 12:46 PM, Jeffrey D. Sessler  
> wrote:
> 
> I’m all for the connection experience being as simple as possible. We subject 
> our casual users to often extreme onboarding measures when they’ll never 
> experience this outside of their 4-years, or even outside the college 
> community.
>  
> If we consider the forward march to SaaS and other aaS products in higher 
> education, in the not so distant future, we’ll run almost nothing on-campus. 
> Wireless will just be a commodity connection-point out to a bunch of Internet 
> services. If an end user can “do what they need” at the myriad wifi hotspot 
> locations in the US e.g. starbucks, then we shouldn’t need to ask them to 
> jump through more hoops just because they are on a college campus.  Is there 
> such a thing as wireless elitism?
>  
> Perhaps the challenge with wireless is that it’s still a service owned and 
> managed by IT? If the governance was customer focused, with goals centered on 
> community experience vs enterprise risk, perhaps a happy medium could be 
> reached between what the consumer of the service desires, and what those 
> managing it can provide?
> If my facilities director told me that the water spigot I wanted installed in 
> my building required a pass-code or onboarding before use, I’d consider them 
> crazy. After all, my home version requires a simple turn of the handle.  When 
> I look at what lengths some of us have gone with our college wifi, I wonder 
> if the pass-code water spigot is far off.  😊
>  
> Jeff
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Lee H Badman
> Sent: Friday, April 16, 2021 8:29 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>  
> All good input- again, just thinking free here... thanks for playing the game.
> 
> Lee Badman (mobile)
> 
> 
> On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:
> 
> 
> So - truly thinking out loud...   
>  
> 1. To Tim's point on lack of identity, the unstated requirement that could be 
> chosen to be fulfilled or not - there would need to be post-connect, 
> post-activity monitoring such that "bad activity" could be detected, 
> mitigated, prevented.  Anybody and any device within throw range of the WLAN 
> could connect and do whatever they want, within the bounds of monitoring and 
> enforcement at L2/L3/L7.  IRL - none of your doors have locks, but you could 
> choose to implement security cameras if someone you don't know comes in to 
> take the TV.  
>  
> 2.  It certainly suggests creating "network segments of one" to ensure that 
> the ability for a bad actor with a connected device cannot recon nor exploit 
> the other local connected devices, systems, apps, protocols.   Suggests all 
> local traffic would have to be firewalled or proxied, or else the "network 
> segment of one" architecture is unenforceable.
>  
> 2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
> systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
> co-opts an attached non-IT device (like a smart TV) and "does something bad" 
> - that's OK.  This then suggests that consequences of consumer IT product 
> vendors implementing poor embedded software systems/exploitable protocols 
> would trickle down to the end-user and back out to the consumer IT vendor.   
>  
> 2b.  Also suggests that if the local network segments are not policed using 
> firewalls of some sort, then the local IT-managed systems (if there ARE any) 
> - definitely need to be up to date on patch management and support and 
> vendor-product-software security.
>  
> -- Dave
>  
>  
> On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-19 Thread Jeffrey D. Sessler
Note on that link, "After thorough review, the final court decision appears to 
allow for most, if not all, campus networks to be exempt from compliance."

CALEA: It doesn't apply to universities and libraries after all
https://library.educause.edu/resources/2007/5/calea-it-doesnt-apply-to-universities-and-libraries-after-all

Jeff
-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Friday, April 16, 2021 4:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

On 2021-04-16 22:38:48+, Jeffrey D. Sessler wrote:
> Educause did an extensive review of DMCA and concluded there is no 
> need to "know with reasonable certainty who is using the network."

 What about for CALEA? I found [this][1] page, but all the FAQs linked are dead 
links.

[1]: https://library.educause.edu/topics/policy-and-law/calea

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jonathan Waldrep
On 2021-04-16 22:38:48+, Jeffrey D. Sessler wrote:
> Educause did an extensive review of DMCA and concluded there is no
> need to "know with reasonable certainty who is using the network."

 What about for CALEA? I found [this][1] page, but all the FAQs linked
are dead links.

[1]: https://library.educause.edu/topics/policy-and-law/calea

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech


RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jeffrey D. Sessler
Paul,

Educause did an extensive review of DMCA and concluded there is no need to 
“know with reasonable certainty who is using the network.”  Colleges have opted 
to do so for education purposes, but it’s not required. I would recommend 
reading the FAQ educause put together as you may be spending a lot of 
time/expense for something you do not need to do.

https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/dmca-faq

What if I can’t match the IP address and time stamp given in a DMCA notice to 
an individual?
If your institution, after taking reasonable efforts to investigate and match a 
user to the IP address designated in the DMCA notice, cannot, for technical or 
other legitimate reasons, match a user to this IP address, the DMCA does not 
specifically require any other action.

11. Are there different requirements for claims relating to student-owned 
computers (e.g., in residence halls) than for computers owned by the 
institution?

Most student and guest activity on university networks occurs through 
personally owned equipment and thus falls under 17 U.S.C. Section 512(a). This 
section provides immunity to the ISP for information that simply transits the 
ISP’s networks, with no direction, input, or interference from the ISP itself, 
and is not stored anywhere on the ISP’s network. Notably, no additional 
proactive steps are required for an ISP to avail itself of this immunity. 
However, for a variety of reasons, some institutions have made a policy 
decision to treat these notices as if they fall under Section 512(c), 
terminating users from the network unless and until the infringing content is 
removed. Often such activity is handled through a student affairs process, 
rather than as a legal or IT matter, so as to seize upon a “teachable moment” 
for students. And while there may be no legal requirements under this section 
of the DMCA, the HEOA requirements still apply. See Question 18.


Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Neumann, Paul
Sent: Friday, April 16, 2021 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I agree that forcing clients to jump through hoops unnecessarily is a Bad Thing. 
 Requiring someone to go through a simple self-service onboarding process (or 
proceed as guest without access to Uni resources) does not seem unreasonable to 
me.  The problem is that we do these measures because we have to.  Federal 
requirements such as DMCA, CALEA force us to know with reasonable certainty who 
is using the network and to be able to provide those records upon demand – 
which for DMCA happens regularly.  I need to be able to tell the Motion Picture 
Association of America that student X downloaded Shrek at 10:10pm last night -- 
by federal law.

If there was a federal law requiring you to provide proof of who used the 
shower last night at 10:10pm at what time, there may also be an onboarding 
process/logins for your sinks and showers.

Universities occupy an interesting niche.  We’re very reluctant to do things 
that most businesses have no problems doing.  Corporations have no problem 
disallowing BYOD, performing posture assessment upon login,  forcing you to 
install certs to allow deep packet inspection or forcing you through extremely 
restrictive proxies.  Requiring only a userid/password and unrestricted 
Internet would appear crazy to most large corporations.

Paul
--
Paul Neumann
Lead Network Engineer

Technology Solutions (Formerly ACCC) Network Services
University of Illinois at Chicago
E: pa...@uic.edu
P: (312) 355-0113

it.uic.edu
Visit the new UIC Help Center at help.uic.edu to find IT services, Answers, and 
Support!

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Friday, April 16, 2021 11:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals cent

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Neumann, Paul
I agree that forcing clients to jump through hoops unnecessarily is a Bad Thing. 
 Requiring someone to go through a simple self-service onboarding process (or 
proceed as guest without access to Uni resources) does not seem unreasonable to 
me.  The problem is that we do these measures because we have to.  Federal 
requirements such as DMCA, CALEA force us to know with reasonable certainty who 
is using the network and to be able to provide those records upon demand – 
which for DMCA happens regularly.  I need to be able to tell the Motion Picture 
Association of America that student X downloaded Shrek at 10:10pm last night -- 
by federal law.

If there was a federal law requiring you to provide proof of who used the 
shower last night at 10:10pm at what time, there may also be an onboarding 
process/logins for your sinks and showers.

Universities occupy an interesting niche.  We’re very reluctant to do things 
that most businesses have no problems doing.  Corporations have no problem 
disallowing BYOD, performing posture assessment upon login,  forcing you to 
install certs to allow deep packet inspection or forcing you through extremely 
restrictive proxies.  Requiring only a userid/password and unrestricted 
Internet would appear crazy to most large corporations.

Paul
--
Paul Neumann
Lead Network Engineer

Technology Solutions (Formerly ACCC) Network Services
University of Illinois at Chicago
E: pa...@uic.edu
P: (312) 355-0113

it.uic.edu
Visit the new UIC Help Center at help.uic.edu to find IT services, Answers, and 
Support!

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Friday, April 16, 2021 11:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?

If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  😊

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

All good input- again, just thinking free here... thanks for playing the game.
Lee Badman (mobile)


On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:

So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that the 
ability for a bad actor with a connected device cannot recon nor exploit the 
other local connected devices, systems, apps, protocols.   Suggests all local 
traffic would have to be firewalled or proxied, or else the "network segment of 
one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then sugges

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Curtis, Bruce


> On Apr 16, 2021, at 9:17 AM, Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Exactly- hance the notion of simplifying… relying on application security, 
> 2FA etc for actual security while making simply connecting much, much easier.


  So with important services protected by 2FA you might also have a record to 
map identities to devices.  For example here our authentication for many 
important services (including many protected by 2FA) goes through a CAS web page 
which has a record of the ID and IP number and timestamp.

  So if 80 % of your devices access a LMS like Blackboard or Canvas that 
require 2FA would that be a high enough percentage of identified devices to 
satisfy security requirements?  If not would 90 or 95 % be high enough?


> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
> 
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> 
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Tim Cappalli
> Sent: Friday, April 16, 2021 10:16 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
> 
>  
> 
> Just keep in mind that OWE does not have an identity layer.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
> Sent: Friday, April 16, 2021 10:08
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?
> 
>  
> 
> One more for you all- anyone contemplating ditching 802.1X for the BYOD side 
> of your WLAN (not managed laptops and “business” clients) and simplifying 
> with OWE/WPA3? Like… the open network that’s actually moderately secure 
> leveraging the latest security options?
> 
>  
> 
> Thanks,
> 
>  
> 
> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
> 
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> 
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> 
> 

Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.cur...@ndsu.edu

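To make the identity-to-device mapping in Bruce's message concrete, here is an added example (not code from any poster or product) that joins CAS-style sign-in records (user, client IP, timestamp) with DHCP leases and reports what share of devices seen on the network can be tied to a person. The log formats, usernames, MACs and addresses are constructed; the sample also shows why the timestamp, not the IP alone, has to drive the join once an address is re-leased to a second device.

```python
"""Estimate what share of wireless devices can be tied to a person by joining
web-SSO (CAS-style) authentication records with DHCP lease records.
Added example for this thread, not code from any poster or product; every log
format, username, MAC and IP address below is constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed CAS-style audit lines: timestamp, result, user, client IP, service, MFA flag.
CAS_LOG = """\
2021-04-16T10:05:12 AUTHENTICATION_SUCCESS user=alice ip=10.20.1.15 service=https://lms.example.edu mfa=yes
2021-04-16T10:07:40 AUTHENTICATION_SUCCESS user=bob ip=10.20.1.22 service=https://lms.example.edu mfa=yes
2021-04-16T11:30:02 AUTHENTICATION_SUCCESS user=carol ip=10.20.1.15 service=https://mail.example.edu mfa=no
2021-04-16T13:01:55 AUTHENTICATION_FAILED user=mallory ip=10.20.1.40 service=https://lms.example.edu mfa=no
"""

# Constructed DHCP lease export: MAC, IP, lease start, lease end. 10.20.1.15 is handed
# to two devices on the same day, so the login timestamp decides which device it was.
DHCP_LEASES = """\
aa:bb:cc:00:00:01 10.20.1.15 2021-04-16T09:58:00 2021-04-16T10:58:00
aa:bb:cc:00:00:02 10.20.1.22 2021-04-16T10:00:00 2021-04-16T14:00:00
aa:bb:cc:00:00:03 10.20.1.15 2021-04-16T11:10:00 2021-04-16T12:10:00
aa:bb:cc:00:00:04 10.20.1.40 2021-04-16T12:30:00 2021-04-16T16:30:00
aa:bb:cc:00:00:05 10.20.1.51 2021-04-16T09:00:00 2021-04-16T17:00:00
"""

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    success: bool
    mfa: bool

@dataclass(frozen=True)
class Lease:
    mac: str  # the MAC the WLAN saw; a per-SSID randomized MAC is stable on that SSID only
    ip: str
    start: datetime
    end: datetime

CAS_RE = re.compile(r"^(?P<ts>\S+) (?P<result>AUTHENTICATION_\w+) user=(?P<user>\S+) "
                    r"ip=(?P<ip>\S+) service=\S+ mfa=(?P<mfa>yes|no)$")

def parse_cas(text: str) -> List[AuthEvent]:
    """Parse the constructed CAS-style format; non-matching lines are skipped."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = CAS_RE.match(line.strip())
        if m is None:
            continue
        events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["user"], m["ip"],
                                m["result"] == "AUTHENTICATION_SUCCESS", m["mfa"] == "yes"))
    return events

def parse_leases(text: str) -> List[Lease]:
    """Parse the constructed four-column lease export."""
    leases: List[Lease] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            mac, ip, start, end = parts
            leases.append(Lease(mac.lower(), ip, datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return leases

def lease_at(ip: str, ts: datetime, leases: List[Lease]) -> Optional[Lease]:
    """The lease that held `ip` at `ts`, or None if no lease covered that moment."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease
    return None

def mac_for(ip: str, ts_iso: str, leases: List[Lease]) -> Optional[str]:
    """The MAC behind `ip` at an ISO-8601 timestamp, if a lease record covers it."""
    lease = lease_at(ip, datetime.fromisoformat(ts_iso), leases)
    return lease.mac if lease else None

def map_devices(events: List[AuthEvent], leases: List[Lease],
                require_mfa: bool = False) -> Dict[str, Set[str]]:
    """MAC -> users who successfully signed in from that device. Failed logins
    never identify anyone; require_mfa=True counts only second-factor logins."""
    identities: Dict[str, Set[str]] = {}
    for e in events:
        if not e.success or (require_mfa and not e.mfa):
            continue
        lease = lease_at(e.ip, e.ts, leases)
        if lease is not None:  # an IP with no lease record cannot be attributed
            identities.setdefault(lease.mac, set()).add(e.user)
    return identities

def identified_fraction(events: List[AuthEvent], leases: List[Lease],
                        require_mfa: bool = False) -> Tuple[int, int, float]:
    """(identified devices, devices seen on the network, ratio between them)."""
    seen = {lease.mac for lease in leases}
    identified = seen & set(map_devices(events, leases, require_mfa))
    return len(identified), len(seen), (len(identified) / len(seen) if seen else 0.0)
```

On the constructed data three of five devices are identified (60%), and only two (40%) if you count 2FA-backed logins alone, which is the kind of percentage Bruce is asking about.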



RE: [EXTERNAL] Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Brian Helman
I’m not sure you’re comparing oranges to oranges.  It’s not that your 
facilities director would tell you a water spigot would require a punch code to 
install, it’s that “you” would tell the facilities director that it takes too 
long and is too expensive to install the spigot, so they should just use 
electrical tape instead of sweating the pipe.

We all understand that home networks are simpler (although my home network 
probably rivals my work-enterprise network).  But how many of you are (or 
should) consider training on building home networks now that untrained staff 
are working from home and STILL complaining about connectivity problems after 
previously saying they never have at home?  I got into a head-scratching debate 
with a neighbor a couple years ago because his 2.4GHz router is set to channel 
5.  I tried to explain what he’s doing to the neighborhood.  He then lectured 
me on how he’s an engineer and knows RF.  So yeah, good luck with governance.

Sure making things simpler is always better, but just search the archives on 
the schools that tried the ‘wild west’ in their residence halls and quickly 
backtracked.

And don’t get me started on the failed experiment of the corporatization of 
academia…

-Brian

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 2:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL] Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Well said.
Lee Badman (mobile)


On Apr 16, 2021, at 12:47 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:

I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?
If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  😊

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

All good input- again, just thinking free here... thanks for playing the game.
Lee Badman (mobile)


On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:

So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that the 
ability for a bad actor with a connected device cannot recon nor exploit the 
other local connected devices, systems, apps, protocols.   Suggests all local 
traffic would have to be firewalled or proxied, or else the "network segment of 
one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then suggests

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Ricardo Stella
I agree but to one extent. One could say we just open up WiFi like
Starbucks. Students, Faculty, Staff, visitors, anyone could just simply hop
on, check a box and connect.

But wouldn't it be better to do it more like we do at home? Have some type of
password or method of authenticating who can use the home network? After
all, you wouldn't want anyone from the street to come over and open the
spigot.  Or just park in front of your house and just wardrive.

A network with the simplest level of authentication for members of the
community is the ideal solution.  And if you want, also a "one-click" Guest
network.  But having students onboard I think it's overkill.

My .02...

On Fri, Apr 16, 2021 at 12:46 PM Jeffrey D. Sessler 
wrote:

> I’m all for the connection experience being as simple as possible. We
> subject our casual users to often extreme onboarding measures when they’ll
> never experience this outside of their 4-years, or even outside the college
> community.
>
>
>
> If we consider the forward march to SaaS and other aaS products in higher
> education, in the not so distant future, we’ll run almost nothing
> on-campus. Wireless will just be a commodity connection-point out to a
> bunch of Internet services. If an end user can “do what they need” at the
> myriad wifi hotspot locations in the US e.g. starbucks, then we shouldn’t
> need to ask them to jump through more hoops just because they are on a
> college campus.  Is there such a thing as wireless elitism?
>
>
>
> Perhaps the challenge with wireless is that it’s still a service owned and
> managed by IT? If the governance was customer focused, with goals centered
> on community experience vs enterprise risk, perhaps a happy medium could be
> reached between what the consumer of the service desires, and what those
> managing it can provide?
>
> If my facilities director told me that the water spigot I wanted installed
> in my building required a pass-code or onboarding before use, I’d consider
> them crazy. After all, my home version requires a simple turn of the
> handle.  When I look at what lengths some of us have gone with our
> college wifi, I wonder if the pass-code water spigot is far off.  😊
>
>
>
> Jeff
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Lee H Badman
> *Sent:* Friday, April 16, 2021 8:29 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> All good input- again, just thinking free here... thanks for playing the
> game.
>
> Lee Badman (mobile)
>
>
>
> On Apr 16, 2021, at 11:07 AM, David Logan  wrote:
>
> 
>
> So - truly thinking out loud...
>
>
>
> 1. To Tim's point on lack of identity, the unstated requirement that could
> be chosen to be fulfilled or not - there would need to be post-connect,
> post-activity monitoring such that "bad activity" could be detected,
> mitigated, prevented.  Anybody and any device within throw range of the
> WLAN could connect and do whatever they want, within the bounds of
> monitoring and enforcement at L2/L3/L7.  IRL - none of your doors have
> locks, but you could choose to implement security cameras if someone you
> don't know comes in to take the TV.
>
>
>
> 2.  It certainly suggests creating "network segments of one" to ensure
> that the ability for a bad actor with a connected device cannot recon nor
> exploit the other local connected devices, systems, apps, protocols.
>  Suggests all local traffic would have to be firewalled or proxied, or else
> the "network segment of one" architecture is unenforceable.
>
>
>
> 2a.   OR - it suggests a "don't care what happens between non-IT
> sanctioned systems" - i.e. if a bad actor on a moderately sized
> broadcast domain/subnet co-opts an attached non-IT device (like a smart TV)
> and "does something bad" - that's OK.  This then suggests that *consequences
> *of consumer IT product vendors implementing poor embedded software
> systems/exploitable protocols would trickle down to the end-user and back
> out to the consumer IT vendor.
>
>
>
> 2b.  Also suggests that if the local network segments are not policed
> using firewalls of some sort, then the local IT-managed systems (if there
> ARE any) - definitely need to be up to date on patch management and support
> and vendor-product-software security.
>
>
>
> -- Dave
>
>
>
>
>
> On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
> Not sure how, or even if you’d need to depending

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jonathan Waldrep
 I have some more detailed thoughts that I'll share when I finish
hammering them out. This presentation from Columbia University probably
adds more to the conversation than I have to say, though:

https://www.youtube.com/watch?v=ihsXATBsLV8

On 2021-04-16 17:59:54+, Lee H Badman wrote:
> Well said.
> 
> Lee Badman (mobile)
> 
> On Apr 16, 2021, at 12:47 PM, Jeffrey D. Sessler  
> wrote:
> 
> 
> I’m all for the connection experience being as simple as possible. We subject 
> our casual users to often extreme onboarding measures when they’ll never 
> experience this outside of their 4-years, or even outside the college 
> community.
> 
> If we consider the forward march to SaaS and other aaS products in higher 
> education, in the not so distant future, we’ll run almost nothing on-campus. 
> Wireless will just be a commodity connection-point out to a bunch of Internet 
> services. If an end user can “do what they need” at the myriad wifi hotspot 
> locations in the US e.g. starbucks, then we shouldn’t need to ask them to 
> jump through more hoops just because they are on a college campus.  Is there 
> such a thing as wireless elitism?
> 
> Perhaps the challenge with wireless is that it’s still a service owned and 
> managed by IT? If the governance was customer focused, with goals centered on 
> community experience vs enterprise risk, perhaps a happy medium could be 
> reached between what the consumer of the service desires, and what those 
> managing it can provide?
> If my facilities director told me that the water spigot I wanted installed in 
> my building required a pass-code or onboarding before use, I’d consider them 
> crazy. After all, my home version requires a simple turn of the handle.  When 
> I look at what lengths some of us have gone with our college wifi, I wonder 
> if the pass-code water spigot is far off.  😊
> 
> Jeff
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Lee H Badman
> Sent: Friday, April 16, 2021 8:29 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
> 
> All good input- again, just thinking free here... thanks for playing the game.
> Lee Badman (mobile)
> 
> 
> On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:
> 
> So - truly thinking out loud...
> 
> 1. To Tim's point on lack of identity, the unstated requirement that could be 
> chosen to be fulfilled or not - there would need to be post-connect, 
> post-activity monitoring such that "bad activity" could be detected, 
> mitigated, prevented.  Anybody and any device within throw range of the WLAN 
> could connect and do whatever they want, within the bounds of monitoring and 
> enforcement at L2/L3/L7.  IRL - none of your doors have locks, but you could 
> choose to implement security cameras if someone you don't know comes in to 
> take the TV.
> 
> 2.  It certainly suggests creating "network segments of one" to ensure that 
> the ability for a bad actor with a connected device cannot recon nor exploit 
> the other local connected devices, systems, apps, protocols.   Suggests all 
> local traffic would have to be firewalled or proxied, or else the "network 
> segment of one" architecture is unenforceable.
> 
> 2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
> systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
> co-opts an attached non-IT device (like a smart TV) and "does something bad" 
> - that's OK.  This then suggests that consequences of consumer IT product 
> vendors implementing poor embedded software systems/exploitable protocols 
> would trickle down to the end-user and back out to the consumer IT vendor.
> 
> 2b.  Also suggests that if the local network segments are not policed using 
> firewalls of some sort, then the local IT-managed systems (if there ARE any) 
> - definitely need to be up to date on patch management and support and 
> vendor-product-software security.
> 
> -- Dave
> 
> 
> On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
> Not sure how, or even if you’d need to depending on how it all worked. No 
> plan here, just discussion..
> 
> Lee Badman | Network Architect (CWNE#200)
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
> C

Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
Well said.

Lee Badman (mobile)


RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jeffrey D. Sessler
I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?
If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  😊

Jeff


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Lee H Badman
All good input- again, just thinking free here... thanks for playing the game.

Lee Badman (mobile)


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread David Logan
So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could
be chosen to be fulfilled or not - there would need to be post-connect,
post-activity monitoring such that "bad activity" could be detected,
mitigated, prevented.  Anybody and any device within throw range of the
WLAN could connect and do whatever they want, within the bounds of
monitoring and enforcement at L2/L3/L7.  IRL - none of your doors have
locks, but you could choose to implement security cameras if someone you
don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that
a bad actor with a connected device cannot recon nor exploit the other
local connected devices, systems, apps, protocols. Suggests all local
traffic would have to be firewalled or proxied, or else the "network
segment of one" architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned
systems" - i.e. if a bad actor on a moderately sized
broadcast domain/subnet co-opts an attached non-IT device (like a smart TV)
and "does something bad" - that's OK.  This then suggests that consequences
of consumer IT product vendors implementing poor embedded software
systems/exploitable protocols would trickle down to the end-user and back
out to the consumer IT vendor.

2b.  Also suggests that if the local network segments are not policed using
firewalls of some sort, then the local IT-managed systems (if there ARE
any) - definitely need to be up to date on patch management and support and
vendor-product-software security.

-- Dave


On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman <
00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:

> Not sure how, or even if you’d need to depending on how it all worked. No
> plan here, just discussion..
>
>
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * e* lhbad...@syr.edu *w* its.syr.edu
>
> Campus Wireless Policy:
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
> *Sent:* Friday, April 16, 2021 10:23 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> How would you limit local services like printing, screen mirroring, media
> casting, etc?
> --
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <
> 000000db5b77bd95-dmarc-requ...@listserv.educause.edu>
> *Sent:* Friday, April 16, 2021 10:17
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> Exactly- hance the notion of simplifying… relying on application security,
> 2FA etc for actual security while making simply connecting much, much
> easier.
>
>
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * e* lhbad...@syr.edu *w* its.syr.edu
>
> Campus Wireless Policy:
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fanswers.syr.edu%2Fdisplay%2Fnetwork%2FWireless%2BNetwork%2Band%2BSystems&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C27dfc8f182a44aed4cd308d900e27165%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637541794836879442%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=l7sSKIp95iXMYD5uRV%2F%2FbVgSsEaikmLNW%2FhYq1D0u0M%3D&reserved=0>
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
> *Sent:* Friday, April 16, 2021 10:16 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
>
>
> Just keep in mind that OWE does not have an identity layer.
> --
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu>
> *Sent:* Friday, April 16, 2021 10
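To make the "network segment of one" Dave describes concrete on an OWE SSID, here is an added hostapd configuration (example only, not from this thread or any vendor named in it) that runs an OWE BSS plus an open companion BSS in OWE transition mode and drops client-to-client frames at the AP. Interface names, SSIDs and the channel are placeholders.

```ini
# Added example: hostapd.conf for an OWE "open" SSID with AP-side client
# isolation. Not from the thread; interface names, SSIDs and channel are
# placeholders. Check the hostapd.conf shipped with your hostapd version
# for the exact keys it supports.

interface=wlan0
driver=nl80211
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1

# --- Primary BSS: OWE (WPA3 "Enhanced Open") --------------------------
ssid=Campus-Open
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
# OWE requires Protected Management Frames; 2 = required, not optional.
ieee80211w=2
# Drop frames between two clients of this BSS at the AP. This is only the
# wireless half of a "segment of one": anything that leaves the AP on the
# wired side still has to be firewalled or proxied upstream, as Dave notes.
ap_isolate=1
# OWE transition mode: the OWE BSS is hidden; OWE-capable clients find it
# via the transition-mode element advertised by the open companion BSS.
ignore_broadcast_ssid=1
owe_transition_ifname=wlan0_1

# --- Companion BSS: plain open, for clients without OWE support -------
bss=wlan0_1
ssid=Campus-Open
ap_isolate=1
owe_transition_ifname=wlan0
```

Note that OWE gives per-client encryption of the air link and nothing more; Tim's point stands that there is still no identity layer, so the monitoring and enforcement Dave lists under point 1 have to live upstream of the AP.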

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread James Andrewartha
Printing has auth, any decent screen mirroring solution requires a PIN, plus 
airgroup or similar to limit by location.

Sent from my Galaxy


 Original message 
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 16/4/21 22:22 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


Exactly- hence the notion of simplifying… relying on application security, 2FA 
etc for actual security while making simply connecting much, much easier.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?



Just keep in mind that OWE does not have an identity layer.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?



One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Michael Usher
Identifying the “owner” of a device is a mandatory requirement of the UC-wide 
IS policy, so we’re heading towards 802.1X, not away.

Our dorm networks are currently PSK with SafeConnect for user auth.  We’re 
planning to move to straight up 802.1X, but that means we need a fallback PSK 
network (iPSK really) for affiliated people to create their own personal PSK 
for their devices.  That way we still satisfy the IS requirements.

But we are also rolling out WPA3 on our WiFi-6 APs.

Also contemplating switching our Guest network from a registration portal to 
OpenRoaming. But that’s just in the discussion phase.  Also enabling SAE for open 
auth on WiFi-6 APs.
—
Michael Usher
Network Operations Manager
University of California, Santa Cruz
mus...@ucsc.edu
831-459-3697
