Chris,

Thanks for the feedback. What is your expiration time on our RADIUS Server 
certificate?

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Nov 2, 2016, at 10:53 AM, Chris Hart <ch...@northwestern.edu> wrote:
> 
> Neil - we rolled out these locks to 3 Res Halls this past summer. We have 
> them on the eduroam SSID connecting via PEAP/MSCHAPv2 with a local account 
> on our ClearPass server. We have an enforcement policy that assigns this 
> user account a VLAN ID that is private IP space that is restricted to only be 
> able to communicate with the Lock system database server. We only had 1 
> complaint that we had to troubleshoot but it was found that a bunch of the 
> locks were not configured to do their nightly check in for updates. The locks 
> can also be set to check for an update upon a failure of proximity card. So 
> if a student is issued a new card and tries to enter their room it will fail, 
> the lock will check for an update and then on the next attempt the student 
> should then have access. We used Assa Abloy as our vendor.
>  
>  
> Chris
>  
>  
>  
> Chris Hart
> Senior Network Engineer
>  
>  
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
> Sent: Wednesday, November 2, 2016 10:18 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks)
>  
>  
> Our housing department is pushing pretty hard to replace keyed locks on dorm 
> room doors with Wi-Fi connected proximity card locks (a pilot this summer and 
> then eventually rolling out to ~3,000 rooms).
>  
> The locks would be “offline” locks that cache valid cards locally and only 
> connect to the Wi-Fi network periodically for updates and when presented with 
> a non-cached card.
>  
> While the locks support multiple methods for authenticating to the wireless 
> network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS 
> is probably the most secure method for these devices.
>  
> My thinking is to set up a private PKI and generate a client cert for every 
> lock. However, I have two issues concerning EAP-TLS.
>  
> 1. What should I use for a client certificate expiration date?
> Our key and access folks don’t want to update the locks’ client certs very 
> often. (They will have to touch each lock on a regular basis to replace 
> batteries, but don’t want to have to connect a computer to the locks every 
> year).
> The same question applies for the server certificate expiration. 
> 
> 2. Should I advertise a separate SSID?
> We currently use eduroam as our primary campus SSID.  I would prefer not to 
> have to add an additional SSID just for these devices, but their use case 
> seems different enough to warrant one.
>  
> If your institution has implemented or is thinking about implementing Wi-Fi 
> connected locks, I’d appreciate your feedback.
>  
> Thanks.
> -Neil
>  
> -- 
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319-384-0938
> e-mail: neil-john...@uiowa.edu
>  
>  
> ********** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/. 
> 
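Neil's first question in the quoted post above (how long a lock's client certificate should live when staff only touch the lock to swap batteries) can be turned into a routine inventory check that flags locks whose certificate will lapse before anyone is scheduled to visit them. This is an added example, not code from the thread or any vendor; the lock IDs, dates and yearly visit cadence are constructed.

```python
from datetime import date, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample inventory (hypothetical lock IDs and dates, not from the
# thread): each row carries the lock's client-cert notAfter date and the next
# scheduled battery-replacement visit, the only time staff plan to touch it.
class Lock(NamedTuple):
    lock_id: str
    cert_not_after: date
    next_battery_visit: date

SAMPLE_LOCKS = [
    Lock("burge-101", date(2019, 6, 1), date(2017, 6, 15)),
    Lock("burge-102", date(2017, 5, 1), date(2017, 6, 15)),
    Lock("daum-210", date(2017, 9, 1), date(2017, 6, 15)),
    Lock("slater-305", date(2018, 7, 1), date(2017, 6, 15)),
]

def recommended_validity_days(visit_interval_days: int, visits_between_renewals: int,
                              margin_days: int = 30) -> int:
    """Shortest client-cert lifetime that lets a lock be renewed only every
    N battery visits without lapsing if a visit slips by `margin_days`."""
    return visits_between_renewals * visit_interval_days + margin_days

def plan_renewals(locks: List[Lock], visit_interval_days: int = 365,
                  margin_days: int = 30) -> Tuple[List[str], List[str], List[str]]:
    """Sort locks into: renew now (cert lapses before anyone is scheduled to
    touch the lock, so it will silently drop off Wi-Fi), renew at the next
    battery visit (cert would not survive until the visit after that), and ok."""
    renew_now, renew_at_visit, ok = [], [], []
    for lock in locks:
        following_visit = lock.next_battery_visit + timedelta(days=visit_interval_days)
        if lock.cert_not_after <= lock.next_battery_visit:
            renew_now.append(lock.lock_id)
        elif lock.cert_not_after <= following_visit + timedelta(days=margin_days):
            renew_at_visit.append(lock.lock_id)
        else:
            ok.append(lock.lock_id)
    return renew_now, renew_at_visit, ok

if __name__ == "__main__":
    now, at_visit, fine = plan_renewals(SAMPLE_LOCKS)
    print("renew now:", now)
    print("renew at battery visit:", at_visit)
    print("ok:", fine)
    print("validity for every-other-visit renewal:",
          recommended_validity_days(365, 2), "days")
```

The same check applies to the RADIUS server certificate: a lock that trusts only the current server leaf rather than the private CA will stop authenticating on the day that leaf is rotated.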

