We are using Aerohive PPSK for media devices on our residential network as well. We have a RESNet-Media SSID for gaming consoles, smart-TVs, streaming media devices, and other non-802.1x compliant devices to connect to.
We strictly enforce 1 key per device connection limits to avoid abuse. This solution has worked well for us because we have been able to create accounts within the HiveManager for the IT Service Desk to provision the PPSK keys themselves and simplify key distribution. We also automatically roll the keys every 12 months which prevents stale/idle keys from hanging around too long. Thanks, Chris Adams Director, Network & Telecom Services Division of Information Technology University of North Georgia From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Forrester, Matthew Sent: Tuesday, March 1, 2016 5:18 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches? I believe that is a bit out of date! We use Aerohive and their PPSK option extensively. We love the feature. The total number of PPSK’s that each access point can store is around 5000 at this time. For our environment, that is more than enough. Aerohive is a great company and their kit is wonderful. Thanks, Matt Forrester Senior Systems Engineer Berry College From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trent Hurt Sent: Tuesday, March 1, 2016 3:58 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches? Not sure how up to date this is… http://2.bp.blogspot.com/-XhUW84JOJj4/TdZdX3YbIJI/AAAAAAAAAAA/BpQ7LDfc5Yo/s1600/comparison%2Bbetween%2BPPSK.jpg From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield Sent: Tuesday, March 1, 2016 3:09 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches? I’m curious how PPSK scales. What are the limits on the number and span of a PPSK? From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel Sent: Tuesday, March 01, 2016 12:02 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches? Ruckus supports a PPSK variant, as well. I'm just gonna put this out there. I have this idea in my head for an ideal wifi service. It starts with personal pre-shared key (PPSK), but it's something I don't believe is possible yet with any vendor. Step one is to create a unique key prefix for each user, effectively embedding a username value (the prefix) into the same field as the key/password. The prefix would be as short as possible, perhaps as small as three characters, in order to keep entry into devices simple. The purpose of this prefix is to allow users to choose their own wifi password, while still ensuring that each PSK value is unique and identifiable to a given user. If we don't value allowing users to choose their own wifi passwords, we could instead generate and assign them, and just map back the assigned key to the user.. but I believe there is value in this. Users would onboard by first connecting to a portal available via open/limited ssid to claim their key. They would have to log in with their traditional username/password. The portal would then prompt them for a key suffix (their wifi password), and then show them the complete key (prefix + suffix), which would be registered with our system. It would also have options to show them history for devices authenticated using their key, expire an old/create a new key using the same prefix, and other typical account management options. Once created, that key could be used with anything that supports traditional PSK connections. One important feature that I'd like to see as part of this, and what I think helps make this idea unique, is that devices authenticated with the same PPSK should always end up with the same vlan id. In this way, a student would be able to, for example, connect to a desktop in his room from the phone/tablet he brought to class and grab a file he forget to show an instructor. It also makes things like wireless printers, long the bane or our existence, almost reasonable in terms of setup and support. By keeping a prefix that's unique to each user, or mapping all key assignments back to the user, we can still always know who is responsible for a given device. We could do things like get a report of keys that authenticate more than, say, 6 devices to monitor for key abuse, expire keys when there is a problem, engage a known user when expiring old keys is not enough, and even map users to specific vlan pools for network policy enforcement. We could also create keys for events or specially classes of device (security cameras, door locks, wifi phones, etc). Additionally, per-user keys means each user's over-the-air signals have different encryption keys, preventing things like firesheep from working. This is just about all the things we do with 802.1x today, but in a form that's much friendlier to the consumer devices we have to support. This plan effectively embeds a username (the prefix) and a password (suffix) into the same value, with our without the prefix, so some of the same security concerns apply, but these are solvable problems. We just need to get vendors on board with the idea. <http://www.york.edu/Portals/0/Images/Logo/YorkCollegeLogoSmall.jpg> Joel Coehoorn Director of Information Technology 402.363.5603 jcoeho...@york.edu <mailto:jcoeho...@york.edu> The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society On Tue, Mar 1, 2016 at 10:20 AM, David R. Morton <dmor...@uw.edu <mailto:dmor...@uw.edu> > wrote: Matt, Bill and others, You’d indicated that you have instructions for most common devices, is this something that you can share. Like others, we have a manual registration process (built on ClearPass), but it does require the MAC in order to complete the registration. The Amazon Echo is now relatively straightforward, as it shows up in the Alexa app after you’ve connected your phone to the Echo. To find it, users open the Alexa app, go to settings, choose the device and scroll all the way down to the bottom of the screen. There it will show you the software version, serial number and MAC address. All of that said, I haven’t been able to test the latest versions to see if you can do all of this without needing to connect to the Internet. If you aren’t we are back at square one and have to take it off site to get through the initial setup, which is a real pain. Another device we’ve had a lot of issues with is the newest AppleTV. Again I haven’t checked the latest update so this may have changed, but when it first came out, you had to do a little dance to get the MAC. The dance had you connect it to wired, navigate to the network settings when the MAC address and then remove the wired cable. This would put the device back into Wi-Fi mode and would display the Wi-Fi MAC. Then you are able to manually register it and go through the complete process. Chromecast has had a few other issues, mostly related to dropping sessions and making poor AP choices. This whole discussion has got me thinking and brings up a topic that I think that the industry needs to address. There is a growing number of devices that don’t support 802.1x and the number those devices will continue to as Internet of Things and more consumer devices make it onto our campuses. We need a better, easier way for our students, faculty and staff to connect appropriate devices to the network. Using a captive portal is one way to try to get around these restrictions and get the devices on the network, but as this thread demonstrates it brings other difficulties. Some schools use a PSK network to onboard non-802.1x devices, but this too has problems. While it makes it easy for the user to get devices on the network, there isn’t a good way to track the owner of that device. It also raises and issue of why anyone would go through the 802.1x process when they can just put their devices on the PSK network. Putting restrictions on the PSK network will help, but still not a great solution. \ David David Morton Director, Mobile Communications Service Owner: Wi-Fi, Mobile & HuskyTV University of Washington dmor...@u.washington.edu <mailto:dmor...@u.washington.edu> tel 206.221.7814 <tel:206.221.7814> On Mar 1, 2016, at 7:21 AM, Williams, Matthew <mwill...@kent.edu <mailto:mwill...@kent.edu> > wrote: Our helpdesk folks sat down and wrote up documents on how to find the MAC addresses for as many devices as they could. We haven’t done any instructions for the Amazon Echoes yet. We hit the most common devices and are waiting to see what tickets we get for devices that we missed so we can build them into our registration page. Our registration page was written in-house and the developers set it up to display the instructions for finding the MAC address, including screen shots, based on the device that you selected in the drop down. Respectfully, Matt From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter Sent: Tuesday, March 1, 2016 10:01 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <mailto:WIRELESS-LAN@listserv.educause.edu> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches? This is something we struggle with, especially being a small school. Keeping up with the latest Chromecast/Roku/Amazon Echo, etc devices is near impossible. A big thank you to product designers who put the MAC on a label on the outside. Thomas Carter Network & Operations Manager Austin College From: The EDUCAUSE Wireless Issues Constituent Group Listserv [ <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Tuesday, March 1, 2016 8:12 AM To: <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches? Hi Everyone, Not looking for a lot of input on all of the things you CAN do- just asking a focused question for those that are doing it. We're piloting the ability for students to self-register games, TVs, Roku, etc. but am astounded at how hard some devices are to find MAC addresses for from the user side. Amazon Echo is notorious, also fighting with a Roku 2. No labels, not easy to find in menu. Sure, you can find all of this on APs, but that isn't "self-service" for self-registration. Anyone have thoughts, comments, scars, suggestions? I know Clearpass and ISE can fingerprint, but I'm finding that's far from accurate at times, and again- doesn't help with "register YOUR device by MAC" for users that can't see what network admins use. -Lee Badman Lee H. Badman Network Architect/Wireless TME ITS, Syracuse University 315.443.3003 <tel:315.443.3003> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_groups_&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Cu8jSaCjV-rWR8d_SKTC9PNzd7CIIgvI2-csedDvonU&s=Ta4mZ7rOqv2UNP86naE3zF7N1Lj8jGsx3GTdH3Z8gG4&e=> http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_groups_&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Cu8jSaCjV-rWR8d_SKTC9PNzd7CIIgvI2-csedDvonU&s=Ta4mZ7rOqv2UNP86naE3zF7N1Lj8jGsx3GTdH3Z8gG4&e=> http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_groups_&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Cu8jSaCjV-rWR8d_SKTC9PNzd7CIIgvI2-csedDvonU&s=Ta4mZ7rOqv2UNP86naE3zF7N1Lj8jGsx3GTdH3Z8gG4&e=> http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/ <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_groups_&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Cu8jSaCjV-rWR8d_SKTC9PNzd7CIIgvI2-csedDvonU&s=Ta4mZ7rOqv2UNP86naE3zF7N1Lj8jGsx3GTdH3Z8gG4&e=> . ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/ <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_groups_&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Cu8jSaCjV-rWR8d_SKTC9PNzd7CIIgvI2-csedDvonU&s=Ta4mZ7rOqv2UNP86naE3zF7N1Lj8jGsx3GTdH3Z8gG4&e=> . ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/ <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_groups_&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Cu8jSaCjV-rWR8d_SKTC9PNzd7CIIgvI2-csedDvonU&s=Ta4mZ7rOqv2UNP86naE3zF7N1Lj8jGsx3GTdH3Z8gG4&e=> . ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
smime.p7s
Description: S/MIME cryptographic signature
