Amen- NAC is often a solution to problems that either don't exist or that don't warrant the weight of the NAC. These solutions are not without value per se, but at onboarding time? Nah.
Lee Badman | Network Architect (CWNE#200) Information Technology Services (NDD Group) 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w its.syr.edu SYRACUSE UNIVERSITY syr.edu From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H Sent: Thursday, September 12, 2019 12:59 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use I think your problem is the NAC solution... I was one of the first to deploy campus wide NAC (2006) and then we pushed agents a few years after. The time for NAC agents has come and gone in my mind. We have removed it from practically every place that has it. There is one large school that still uses it, but I am a semester away from telling them I am deprecating the service entirely. In my mind, it is a check the box solution that has stayed way past its expiration date. These agents are clumsy, often fail to find any real problems, report false positives, and add a whole lot of headaches to users and support staff without any benefit. I do support a login approach the first time to get the users registered, however. It is a simple process. But at that point, you should hand them off to SecureW2 to onboard for your network. Strip the NAC agent, push them directly to SecureW2, and see how that works. I wouldn't throw out the baby with the bathwater. Ryan From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Kurtis Olsen Sent: Thursday, September 12, 2019 12:18 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use We have been receiving a lot of complaints about a complicated onboarding process and have been asked to look at providing an Open SSID that has little to no onboarding. I see an advantage being the ease of connecting but I have some concerns, mainly about providing a secure environment. Our current onboarding process works like this. Users connect to our Wolverine-WIFI SSID. They then authenticate through our NAC solution which forces laptops to download a client. This client scans their device for Antivirus and OS updates. If it fails the scan they have access to get these updates. Once it passes they are moved to our wireless production vLan. There are no clients or scans for cellular devices at this time. Users then of the option to join our Wolverine-Secure which authenticates by cert using SecureW2's services. I am curious if anyone else is using a completely open network for their general population or any other suggestions of how this can be simplified. Kurtis Olsen Director - Network & Telecom Utah Valley University 800 W University Prkway Orem, UT 84058 801-863-8000 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
