Based on your data, this is what I ran in my head.

58,000 devices on TLS – Say 5 minutes each to provision based on your comments.

WPA2-Ent TLS:
5 minutes x 58000 clients = 4833 hours spent by the community connecting to WiFi.
4833 hours each and every year given the expiration on the cert.

Open WiFi:
10 seconds to pick SSID x 58000 clients = 161 hours.
No additional hours in subsequent years other than new clients.

PSK/PPSK WiFi:
30 seconds to pick SSID and enter passphrase x 58000 clients = 483 hours.
No additional hours in subsequent years other than when adding a new client.


For all of them:
How many IT admin hours are spent managing it?
How many IT user support hours responding to questions/problems?
Yearly cost for infrastructure to support each?
What are the risks associated with each?

In the case of TLS, does the loss of over 4000 hours per year on just the user 
side justify its use over the alternatives? Is it that much better? Does IT 
save 4000 hours in other areas?  

That’s why I asked about PPSK as an alternative. When one scales up to tens of 
thousands of devices, five minutes starts to matter. 

Jeff



On 11/4/16, 6:18 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of rhtur...@email.unc.edu> wrote:

    We do, too.  I really wasn’t even thinking of those types of devices in the initial response because our belief has been for any device that doesn’t support TLS to just use PSK.
    
    Yesterday we had 58,000 devices on eduroam (using TLS) and 9000 on our PSK network.
    
    Ryan
    
    -----Original Message-----
    From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Operations)
    Sent: Friday, November 4, 2016 7:51 AM
    To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
    Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
    
    Those devices do not support 802.1X. That is why we currently have a separate SSID for those devices.
    
    PPSK *may* be a more secure solution for those devices that do not support TLS, much like WPA2-Personal (PSK) is currently a solution for devices that do not support WPA2-Enterprise (802.1X).
    
    
    Bruce Osborne
    Wireless Engineer
    IT Network Operations - Wireless
     (434) 592-4229
     
    LIBERTY UNIVERSITY
    Training Champions for Christ since 1971
    
    -----Original Message-----
    From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu] 
    Sent: Thursday, November 3, 2016 4:45 PM
    Subject: Re: TLS Onboarding Vendors
    
    Really? So Wii U, PlayStation 3 & 4, Amazon Fire TV, and Xbox 360/One now support TLS?
    
    Jeff
    
    
    On 11/3/16, 11:52 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of rhtur...@email.unc.edu> wrote:
    
        Right now the only things that don't play well with TLS are Windows phones and BlackBerries.  If they run Linux, it is also not great (although we have instructions on how to do this and many people configure manually without issue).
        
        Ryan
        
        -----Original Message-----
        From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
        Sent: Thursday, November 3, 2016 11:15 AM
        To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
        Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
        
        Ryan,
        
        No doubt we’re seeing better support; my question about PPSK was just that… a question. I’m looking at options going forward to solve the ongoing divide between the devices that do and do not support these advanced methods. For students (which is my focus), the advantages/disadvantages between the options don’t matter when their devices have to be dealt with differently.
        
        On face value, PPSK appears to solve the problem for the user, removing barriers at the college that don’t exist at their home. While I agree that TLS configuration isn’t difficult, it’s still far harder than just entering a PPSK, and not everything supports TLS. We’ve been wishing for better support from device makers for a decade, and each year we take a few steps forward, and then a few backward.
        
        Our vendor is rumored to be adding enterprise-scalable PPSK support early next year, so I was really curious to know, if others had this option, whether it would influence the deployment of TLS. Right or wrong, it’s influenced mine, so I wasn’t sure if I was an outlier or whether others were of the same mindset.
        
        Jeff
        
        On 11/2/16, 3:49 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of rhtur...@email.unc.edu> wrote:
        
            Jeff,
            
            I think that actually advanced EAP methods have turned the corner.  Manufacturers are making onboarding easier.  I think you are under the impression that configuring a device for certificates is a big process. It takes most people less than 5 minutes, and they do this once a year.
            
            Just in our area, UNC and NC State, representing over 60,000 students, are TLS.  Duke is moving that way.
            
            I haven't spoken to anyone recently even remotely considering PPSK.  I've heard plenty starting to explore TLS.
            
            Ryan Turner
            Manager of Network Operations, ITS
            The University of North Carolina at Chapel Hill
            +1 919 274 7926 Mobile
            +1 919 445 0113 Office
            
            > On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
            > 
            > I think the distinction between enterprise and residential blurred with the advent of SaaS and the cloud. No longer did an employee need to be “at the office” to enter their hours worked in the time and attendance system, or as an administrator, you no longer had to run the accounting application from your office computer. It’s difficult for me to name anything we’re doing here now that isn’t some form of web-based SaaS model, where the expectation is that an employee (barring overtime rules) can access these systems from any location. If an employee can access these systems from Starbucks for the 16 hours a day they aren’t at work, what’s the point of WPA2-ent for the other 8?
            > 
            > I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. I think most will come to accept that something like PPSK is “good enough”. Users don’t want significant barriers to getting access to what they need, and once those barriers reach a certain level, the user will absolutely find alternatives, e.g. I’ve visited many colleges where it was easier to use my MiFi hotspot than to be forced through a cumbersome on-boarding system where there are restrictions, be it on services available or data rates.
            > 
            > Taken to the extreme: at the point you no longer have a local data center and everything is SaaS, can an argument for WPA2-ent still be made?
            > 
            > Jeff
            > 
            > On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> wrote:
            > 
            >    Well, I think users in general expect that when they connect to the "Secure" wireless network - it is both encrypted, and they are not being impersonated.  If not, maybe you could allow them to opt out after accepting the risk.  Often these are the same credentials that staff use to log in and set the direct deposit for their paycheck, credentials faculty use to post grades, and students use to add/drop classes.  The business could also opt out if they are willing to accept the risk.  But as the Enterprise Wireless Engineer you should at least make everyone aware that with PPSK there are still risks.  Also, I just think one of these standards was intended to be mostly for residential purposes and the other for mostly enterprise purposes.  When you look at federated authentication as in eduroam or hotspot 2.0, etc. WPA2-Ent. just seems to fit better long-term.  In short, I think the difficult/expensive parts of PKI/EAP-TLS have recently become a lot easier and I think they'll continue to do so.
            > 
            >    -Curtis
            > 
            >    ________________________________________
            >    From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
            >    Sent: Tuesday, November 1, 2016 2:54 PM
            >    To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
            >    Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
            > 
            >    "If we can agree that most applications today (including ones that involve FERPA or PII) are web-based (let’s toss in cloud too), and a user can access them from any location including at home on a PSK protected SSID (or cellular connection, or open network at Starbucks), does forcing WPA2-Ent at the campus actually result in reduced risk?  Is there cost justification for the infrastructure (staff, hardware, software) necessary to implement EAP-TLS (or alternatives)?"
            > 
            >    Where's the like button?  FWIW, I still like enterprise encryption and authentication for keeping people off of my network.  It's nevertheless useful to remind ourselves of precisely what the value is, and it's not protecting the data.
            > 
            >    Chuck
            > 
            >    -----Original Message-----
            >    From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
            >    Sent: Tuesday, November 01, 2016 4:41 PM
            >    To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
            >    Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
            > 
            >    Curtis,
            > 
            >    If we can agree that most applications today (including ones that involve FERPA or PII) are web-based (let’s toss in cloud too), and a user can access them from any location including at home on a PSK protected SSID (or cellular connection, or open network at Starbucks), does forcing WPA2-Ent at the campus actually result in reduced risk?  Is there cost justification for the infrastructure (staff, hardware, software) necessary to implement EAP-TLS (or alternatives)?
            > 
            >    Our Admissions process starts with getting Common App (filled out by student/parents at home on a website and includes a lot of sensitive info), that data feeds into Slate (another cloud-based Admissions package), then feeds into financial-aid and the SiS (again web-based for the users). The bulk of the PII/FERPA items have then been collected outside of the college environment, from connections that may have Starbucks level of protection. I’m trying to see the justification of WPA2-Ent, but it’s a hard sell – sure, I know there can be advantages, but are they necessary and/or justified? Is PPSK good enough for everyone? Is it good enough for students and their devices?
            > 
            >    Jeff
            > 
            >    On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> wrote:
            > 
            >        I personally would *not* prefer PPSK for devices that are WPA2-Ent. (EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be anxious to use it there when our vendor delivers ...but the same vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute forcing).  So, for IoT in student housing (game consoles, and Roku devices that only do PSK) maybe PPSK is the appropriate new level of security because sensitive data is unlikely, but for the most common devices (Phone, Laptop, Tablet, etc.) where users are more likely to access and transmit FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From what I can tell it is probably easier to implement EAP-TLS than PPSK amongst the fully-managed portion of that device class anyway (thinking GPO here).  In my ideal world I would have 3 SSIDs: one Guest SSID unencrypted, one PPSK SSID that accommodates all of the non-dot1x capable devices that are not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then someday in the future Hotspot 2.0/802.11u would convert many of the un-encrypted guests over to encrypted without any captive portal interaction.
            > 
            > 
            >        --
            >        Curtis K. Larsen
            >        Senior Network Engineer
            >        University of Utah IT/CIS
            > 
            >        ________________________________________
            >        From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel <jcoeho...@york.edu>
            >        Sent: Tuesday, November 1, 2016 8:33 AM
            >        To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
            >        Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
            > 
            >> If those using or considering TLS had the option of PPSK (personal pre-shared key), would you opt for PPSK instead?
            > 
            >        Definitely. I think it's a much more user-friendly option, while providing similar control and security as TLS.
            > 
            >        Joel Coehoorn
            >        Director of Information Technology
            >        402.363.5603
            >        jcoeho...@york.edu
            > 
            >        The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society
            > 
            >        On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
            >        Just curious. If those using or considering TLS had the option of PPSK (personal pre-shared key), would you opt for PPSK instead?
            > 
            >        Jeff
            > 
            >        On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of board...@syr.edu> wrote:
            > 
            >            We are using Cloud Path for onboarding, but we are considering other options if and when we go to EAP TLS. We may get it baked in if we use ISE or Clear Pass but I'm considering other standalone options as well. Anybody have experience or thoughts they'd like to share? Thanks
            > 
            >            Bruce Boardman Networking Syracuse University 315 412-4156 Skype board...@syr.edu
            

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
