We currently are using PEAP/MSCHAPv2 but plan to move to EAP-TLS. We used
CloudPath / CloudPath Wizard for many years but found the product support wane
severely as Ruckus transformed Cloudpath from a company to a product brand.
Last summer we started evaluation for onboarding vendors. We ended up with
SecureW2. Their support philosophy reminds us of the excellent early CloudPath
support. They are proactive in officially supporting upcoming OS releases too.
After experiencing SecureW2, we could not go back to CloudPath ES or Wizard (we
evaluated both). Although we are heavily invested in Aruba ClearPass,
ClearPass Onboard licensing at that time made them far too expensive.
The above are my personal experiences and opinions. They may not exactly match
those of Liberty University.
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
-Original Message-
From: Jason Cook [mailto:jason.c...@adelaide.edu.au]
Sent: Wednesday, August 8, 2018 7:28 PM
Subject: Re: Onboarding Android devices
We use Cloudpath and are happy. We allow users to stumble through PEAP/MSCHAP
if they want but really push onboarding EAP-TLS. It's annoying with most
Androids and all Windows to have to download the app but still more
consistently successful and easier than other methods quite often when dealing
with cheaper import Android devices. The profile install method that iOS/OSX
has had for ages is awesome, and now available for newer Droids.
We want to get to a point of forcing EAP-TLS but have other fish to fry for
now. Without onboarding you can be pretty confident most Windows and Android
devices are not configured in the most secure way... I think Apple is a bit
better at auto it but might be wrong.
--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
CRICOS Provider Number 00123M
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
On Behalf Of Norman Elton
Sent: Wednesday, 8 August 2018 11:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Onboarding Android devices
Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some users to
stumble through the process? Or do you somehow encourage all users to use the
onboarding tool? Obviously the tool would be required if you're going down the
EAP-TLS path.
Norman
On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations)
wrote:
>
> We changed onboarding tools for non-AD devices to SecureW2 last September and
> have been more than happy with their service & support.
>
> They tend to officially support OS versions before official release, which
> can be useful in a Higher-Ed environment.
>
> Bruce Osborne
> Liberty University
>
> -Original Message-
> From: Norman Elton [mailto:normel...@gmail.com]
> Sent: Tuesday, August 7, 2018 3:25 PM
> Subject: Onboarding Android devices
>
> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo,
> allowing users to connect with their domain credentials. We've shied away
> from onboarding tools like SecureW2, especially for student devices, as they
> seem more cumbersome than just having the user configure the connection
> properly the first time.
>
> Preparing for the fall, we've noticed that recent versions of Android make
> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the
> user to validate the certificate by domain, which is great, although the
> steps to get this set up are far from intuitive.
>
> 8.0 doesn't give that option, instead displaying a scary warning, "This
> connection will not be secure". The user is forced to go ahead with "do not
> validate certificate", leaving them open to leak their credentials to a rogue
> AP. Far from ideal.
>
> Theoretically, we could ask the user to trust the CA certificate in advance,
> and (hopefully) the warning message would go away. But I haven't gotten this
> to work.
>
> Is there a general consensus that these devices are better served with an
> onboar