Jeff, I think that actually advanced EAP methods have turned the corner. Manufacturers are making onboarding easier. I think you are under the impression that configuring a device for certificates is a big process. It takes most people less than 5 minutes, and they do this once a year.
Just in our area, UNC and NC State, representing over 60,000 students, are TLS. Duke is moving that way. I haven't spoken to anyone recently even remotely considering PPSK. I've heard plenty starting to explore TLS.

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
>
> I think the distinction between enterprise and residential blurred with the advent of SaaS and the cloud. No longer did an employee need to be "at the office" to enter their hours worked in the time and attendance system, or, as an administrator, you no longer had to run the accounting application from your office computer. It's difficult for me to name anything we're doing here now that isn't some form of web-based SaaS model, where the expectation is that an employee (barring overtime rules) can access these systems from any location. If an employee can access these systems from Starbucks for the 16 hours a day they aren't at work, what's the point of WPA2-Ent for the other 8?
>
> I'm of the mindset that WPA2-Enterprise may in fact be an endangered species. I think most will come to accept that something like PPSK is "good enough". Users don't want significant barriers to getting access to what they need, and once those barriers reach a certain level, the user will absolutely find alternatives, i.e. I've visited many colleges where it was easier to use my MiFi hotspot than to be forced through a cumbersome on-boarding system where there are restrictions, be it on services available or data rates.
>
> Taken to the extreme: at the point you no longer have a local data center and everything is SaaS, can an argument for WPA2-Ent still be made?
>
> Jeff
>
> On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K.
> Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> wrote:
>
> Well, I think users in general expect that when they connect to the "Secure" wireless network it is both encrypted, and they are not being impersonated. If not, maybe you could allow them to opt out after accepting the risk. Often these are the same credentials that staff use to log in and set the direct deposit for their paycheck, credentials faculty use to post grades, and students use to add/drop classes. The business could also opt out if they are willing to accept the risk. But as the Enterprise Wireless Engineer you should at least make everyone aware that with PPSK there are still risks. Also, I just think one of these standards was intended to be mostly for residential purposes and the other for mostly enterprise purposes. When you look at federated authentication as in eduroam or Hotspot 2.0, etc., WPA2-Ent. just seems to fit better long-term. In short, I think the difficult/expensive parts of PKI/EAP-TLS have recently become a lot easier and I think they'll continue to do so.
>
> -Curtis
>
> ________________________________________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
> Sent: Tuesday, November 1, 2016 2:54 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
>
> "If we can agree that most applications today (including ones that involve FERPA or PII) are web-based (let's toss in cloud too), and a user can access them from any location including at home on a PSK protected SSID (or cellular connection, or open network at Starbucks), does forcing WPA2-Ent at the campus actually result in reduced risk? Is there cost justification for the infrastructure (staff, hardware, software) necessary to implement EAP-TLS (or alternatives)?"
>
> Where's the like button?
> FWIW, I still like enterprise encryption and authentication for keeping people off of my network. It's nevertheless useful to remind ourselves of precisely what the value is, and it's not protecting the data.
>
> Chuck
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 01, 2016 4:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
>
> Curtis,
>
> If we can agree that most applications today (including ones that involve FERPA or PII) are web-based (let's toss in cloud too), and a user can access them from any location including at home on a PSK protected SSID (or cellular connection, or open network at Starbucks), does forcing WPA2-Ent at the campus actually result in reduced risk? Is there cost justification for the infrastructure (staff, hardware, software) necessary to implement EAP-TLS (or alternatives)?
>
> Our Admissions process starts with getting Common App (filled out by student/parents at home on a website, and includes a lot of sensitive info); that data feeds into Slate (another cloud-based Admissions package), then feeds into financial aid and the SIS (again web-based for the users). The bulk of the PII/FERPA items have then been collected outside of the college environment, from connections that may have Starbucks level of protection. I'm trying to see the justification of WPA2-Ent, but it's a hard sell. Sure, I know there can be advantages, but are they necessary and/or justified? Is PPSK good enough for everyone? Is it good enough for students and their devices?
>
> Jeff
>
> On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K.
> Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> wrote:
>
> I personally would *not* prefer PPSK for devices that are WPA2-Ent. (EAP-TLS) capable. PPSK has a nice niche in the IoT device category for devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be anxious to use it there when our vendor delivers ... but the same vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute forcing). So, for IoT in student housing (game consoles, and Roku devices that only do PSK) maybe PPSK is the appropriate new level of security because sensitive data is unlikely, but for the most common devices (phone, laptop, tablet, etc.) where users are more likely to access and transmit FERPA, PHI, etc., WPA2-Enterprise with EAP-TLS seems more appropriate. From what I can tell it is probably easier to implement EAP-TLS than PPSK amongst the fully-managed portion of that device class anyway (thinking GPO here). In my ideal world I would have 3 SSIDs: one guest SSID, unencrypted; one PPSK SSID that accommodates all of the non-dot1x capable devices that are not guest users; and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional student/faculty/staff devices (phone, laptop, tablet). Then someday in the future Hotspot 2.0/802.11u would convert many of the unencrypted guests over to encrypted without any captive portal interaction.
>
> --
> Curtis K. Larsen
> Senior Network Engineer
> University of Utah IT/CIS
>
> ________________________________________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel <jcoeho...@york.edu>
> Sent: Tuesday, November 1, 2016 8:33 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
>
>> If those using or considering TLS had the option of PPSK (personal pre-shared key), would you opt for PPSK instead?
>
> Definitely.
> I think it's a much more user-friendly option, while providing similar control and security as TLS.
>
> Joel Coehoorn
> Director of Information Technology
> 402.363.5603
> jcoeho...@york.edu
>
> The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society
>
> On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
>
> Just curious. If those using or considering TLS had the option of PPSK (personal pre-shared key), would you opt for PPSK instead?
>
> Jeff
>
> On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of board...@syr.edu> wrote:
>
> We are using Cloud Path for onboarding, but we are considering other options if and when we go to EAP-TLS. We may get it baked in if we use ISE or Clear Pass, but I'm considering other standalone options as well. Anybody have experience or thoughts they'd like to share?
> Thanks
>
> Bruce Boardman
> Networking
> Syracuse University
> 315 412-4156
> Skype board...@syr.edu
**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
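Two of the security claims in the thread above turn on supplicant configuration rather than on the SSID type: Curtis's point that users on the "Secure" network expect not to be impersonated only holds for an EAP-TLS profile that pins the RADIUS CA and the server name (which is what an onboarding tool is supposed to push), and his note that PPSK keeps the ordinary WPA2-PSK weaknesses (de-auth, offline brute force of the handshake) applies to every PSK profile. The following is an added example, not code from the list, from any poster, or from any onboarding vendor: a small lint over wpa_supplicant network blocks that flags EAP profiles missing ca_cert or a server-name match and PSK profiles as such. The sample config is constructed for the example; the SSIDs, identity, and file paths are hypothetical. The option names (key_mgmt, eap, ca_cert, domain_match, domain_suffix_match, altsubject_match, subject_match, client_cert, private_key, psk) are real wpa_supplicant options.

```python
"""Lint wpa_supplicant network blocks for the settings that decide whether a
WPA2-Enterprise profile actually resists RADIUS-server impersonation.
Added example for the list discussion; not code from the list or any vendor."""
import re

# Constructed sample config (hypothetical SSIDs, paths and identity; not from
# any real campus). Two EAP-TLS profiles, one with server validation and one
# without, plus one PSK profile of the kind PPSK devices end up on.
SAMPLE_CONF = """
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    client_cert="/etc/wpa/student.crt"
    private_key="/etc/wpa/student.key"
}

network={
    ssid="campus-secure-untrusted"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    client_cert="/etc/wpa/student.crt"
    private_key="/etc/wpa/student.key"
}

network={
    ssid="dorm-iot"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# Any one of these pins the RADIUS server's identity once the CA is pinned.
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match",
                    "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(text):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets


def findings(net):
    """List the weaknesses of one network block (empty list means OK)."""
    out = []
    key_mgmt = net.get("key_mgmt", "")
    if "WPA-EAP" in key_mgmt:
        if "ca_cert" not in net:
            out.append("no ca_cert: the supplicant accepts any RADIUS server certificate")
        if not any(k in net for k in SERVER_NAME_KEYS):
            out.append("no server-name match: any certificate chaining to the CA is accepted")
        if net.get("eap") == "TLS" and "client_cert" not in net:
            out.append("eap=TLS without client_cert: the device cannot authenticate")
    elif "WPA-PSK" in key_mgmt:
        out.append("PSK network: a captured 4-way handshake can be brute-forced offline")
    return out


def lint(text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): findings(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, problems in lint(SAMPLE_CONF).items():
        print(f"{ssid}: " + ("OK" if not problems else "; ".join(problems)))
```

Run against the constructed config, "campus-secure" comes back clean, "campus-secure-untrusted" is flagged twice (no CA pin, no server-name match), and "dorm-iot" is flagged for being PSK. The second profile is the one to watch for in practice: it still completes EAP-TLS and looks like WPA2-Enterprise to the user, but a rogue AP with its own RADIUS server and any certificate is accepted, which is exactly the impersonation the thread assumes the "Secure" SSID rules out.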