I've lost track of part of this discussion. Can someone roughly state what is being called "onboarding" in this thread?
On Fri, Jan 23, 2015 at 11:42 AM, Peter P Morrissey <ppmor...@syr.edu> wrote: > “Don't assume I'm counter to what we've traditionally been doing in > EDU, but I'm constantly reevaluating if some of these "best practices" have > outlived their usefulness.” > > I think that is a very healthy approach. We shouldn’t do things just > because we’ve always done them a certain way or because we have some vague > sense that we have to because it is somehow more secure. We stopped doing > NAC a few years ago for this reason. The vendor we were using caused way to > many issues for our students, extra expenses and labor us supporting them. > Given that OS’s tend to have auto updates and firewalls turned on by > default now, the gain we got from enforcing it for those who did not was > not measurable. Not to mention we are essentially an ISP for the students. > Do ISP’s ever require this? Our students don’t know what it is like to not > have a computer and they seemed to survive just fine before they got here, > so do we need to enforce behaviors that weren’t enforced at home? So far no > one has been able to demonstrate any measurable advantage to do the posture > checking component of NAC. I have a much longer, involved justification on > that that I will spare you reading right now. > > We get authentication and thus historical retribution from 802.1x by > default, which is also considered NAC by some definitions. This is handy. > We also get encryption, although I’m with you on questioning that as well. > Nowadays, it is hard to come up with an application that needs to be > secured that doesn’t already add its own encryption. So why do we need > encryption at layer 2? I seriously could be missing something on this, and > would welcome further input. And if you really want to go wild here, do we > even need it for the admin side? Just asking. Don’t judge me. J > > Pete Morrissey > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey Sessler > *Sent:* Friday, January 23, 2015 2:07 PM > > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention > > > > Our environments have _some_ data security concerns like a hospital, but > when you really drill down and look at what those are, they are more > exception then rule. In cases were we need to provide a greater level of > security, we typically have full control (and ownership) of the > device. Show me in HIPPA where it's a requirement that a student be > provided an encrypted WiFi connection to their own device when accessing > the medical records your campus holds? There isn't such a requirement, and > they could access them from starbucks' open wifi if they wished. > > > > As for on-boarding these "internet of things" devices, I always ask the > same question... why? What are we gaining by the on-board process? Are our > wlans so poorly designed that an unpatched system with no anti-virus poses > a greater threat then if it was reaching services from outside our network? > > > > Don't assume I'm counter to what we've traditionally been doing in EDU, > but I'm constantly reevaluating if some of these "best practices" have > outlived their usefulness. > > > > Jeff > > > > > > >>> On Friday, January 23, 2015 at 10:36 AM, in message < > 70a4ca525a32ff42bbb8d79eec55b3bb41e19...@wmxd04p.sscad.salemstate.edu>, > Brian Helman <bhel...@salemstate.edu> wrote: > > But our environments are unique in the sense that we have many of the same > data security concerns that a hospital has, but unlike their tenants, ours > are 1) largely irresponsible children, 2) using systems we have to maintain > (I’ve never seen a hospital help a patient fix a laptop) and 3) live on > site for long periods of time. Your points regarding media/game systems > are well taken and appreciated by everyone on here who has resident > students though. I say this over and over .. it’s really not the “rule” > that is the problem, it’s the exceptions. And those “Internet of things” > devices (far beyond “BYOD”) are becoming more and more prevalent everywhere > on campus… and very few of them support “enterprise” wireless > configurations. > > As far as the onboarding headaches, I’m still surprised at how difficult > this is. The closest I’ve seen to a good process is from a (very > expensive) cloud **cough** provider. But is that expense warranted? Or > better asked, WHY do we STILL NEED that expense when we’re now 4-5 > generations (depending on how you count 11n) into mainstream wireless? > > My fear is that we are going to start seeing proprietary ‘standards’ for > on-boarding similar to how Ethernet drivers worked 20 years ago or NAC-type > interfaces built in to some supplicant-like application that each wifi > vendor packages with their equipment (ie an enterprise version of WPS). > > -Brian > > > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ > mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Jeffrey Sessler > *Sent:* Friday, January 23, 2015 1:20 PM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention > > > > I think you could accomplish the same consumer friendly setup in > classrooms, labs, etc. and still provide meet your goals including > regulatory compliance. I see this sort of hybrid approach today in hospital > settings, so I'm not sure why it can't be accomplished in EDU. The new > Kaiser hospital in my area has free WiFi everywhere, secure wifi for all > their mobile computer stations (one per room), EKGs, pumps, etc. mesh-based > location solution with tags on everything, and cellular distribution. > > > > I would also question setting highest performance as a goal. What you want > is a solution that provides the user what they need at the moment they need > it. I didn't deploy 802.11n or 802.11ac so that I could win unrealistic max > performance claims. I deployed those technologies to support more efficient > access to a finite amount of spectrum. And if performance is a goal, it's > going to be more difficult to attain if the access to the service is > complex enough to make the typical user reach for their MiFi device. > > > > Jeff > > >>> On Friday, January 23, 2015 at 9:44 AM, in message < > 7c623f076ece4354b6039ec505e9c...@ex13-mbx-10.ad.syr.edu>, Lee H Badman < > lhbad...@syr.edu> wrote: > > No easy answer. The dorms could be set up “consumer style” with a > different operational profile, SSID, etc and don’t HAVE to be run like the > rest of campus. > > > > But in classrooms, labs and meeting rooms there is now way to deliver > highest performance, regulatory compliance, and accommodation of crap > devices all at the same time without hyper complexity, and then at the > physics level you still have problems. > > > > Even if every issue can’t be fixed in one fell swoop, there are a number > of easy tweaks that device makers could provide if they pulled their heads > out of 2004. > > > > Lee Badman > > Wireless/Network Architect > > ITS, Syracuse University > > 315.443.3003 > > (Blog: http://wirednot.wordpress.com) > > > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ > mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Jeffrey Sessler > *Sent:* Friday, January 23, 2015 12:39 PM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention > > > > I don't know Lee, in my mind is it the device maker's requirements to work > in both consumer and enterprise environment, or does the enterprise wlan > market need to figure out how to look more like a consumer wlan? Is this a > problem EDU's have created because of some desire to provide a service > that's more complex or invasive to use then it has to be? Is there really a > need to on-board devices and have them associate using WPA2 Ent, or could > we support the bulk of our users (especially students) using something more > consumer friendly? > > > > Take residential (dorm) wifi as an example. If you had a model with an > open or PSK-emulated wireless network coupled with location-based service > filtering, the user gets on with every device out there, and they can see > their chromecast, appletv, etc. and any others on that AP or 1 adjacent. > Pretty much gives you the consumer feel. > > > > Jeff > > >>> On Thursday, January 22, 2015 at 11:47 AM, in message < > 432756068f5346b59e108b825efca...@ex13-mbx-10.ad.syr.edu>, Lee H Badman < > lhbad...@syr.edu> wrote: > > I know self-promotion is in poor taste, but wanted to share this > > > > > http://www.networkcomputing.com/wireless-infrastructure/the-case-for-wlan-interoperability/a/d-id/1318718? > > > > > and encourage anyone of like (or opposing) mind to add comments. I'm told > that the Alliance is at least reading along, FWIW. > > > > -Lee > > > > *Lee H. Badman* > Network Architect/Wireless TME > ITS, Syracuse University > 315.443.3003 > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
