I agree that complicated onboarding is the worst from the end user perspective and a pain to manage.
I started designing a PPSK/MPSK design to take over our primary 802.1x network. The biggest hurdle I ran into with it was the randomization of MAC addresses for devices. I've been told Android 10 has it on by default, and I know that Windows supports it also. I could only see issues from a support issue coming down the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)

________________________________
From: "Enfield, Chuck" <cae...@psu.edu>
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded. And for those who think that security is more important than the user experience in some cases, I wouldn’t argue, but I would point out that an improperly configured 1x device puts the user’s credentials at risk. 802.1x isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Thursday, September 12, 2019 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike any other wireless experience an individual will encounter in their life, i.e., any other wifi-enabled location/venue.

With the growing trend of EDUs moving to SaaS and other Cloud solutions, wireless will be nothing but a gateway to those external services. When it’s easier to consume those services via one’s own unlimited-data cellular connection, or go to Starbucks, it may be time for us (EDU’s) to reevaluate our approach.

Besides a purely open network, the next-best (same?) experience to home would be something like PPSK or, for the Cisco folks, IPSK. You get something slightly better than an open network, but it’s PSK and all of those wonderful IoT devices just work. My crystal ball wish is to have that PPSK/IPSK solution then group that user’s devices into a private virtual home network, providing something that approaches their home experience.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Kurtis Olsen <kurtis.ol...@uvu.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, September 12, 2019 at 9:27 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding process and have been asked to look at providing an Open SSID that has little to no onboarding. I see an advantage being the ease of connecting but I have some concerns, mainly about providing a secure environment.

Our current onboarding process works like this. Users connect to our Wolverine-WIFI SSID. They then authenticate through our NAC solution which forces laptops to download a client. This client scans their device for Antivirus and OS updates. If it fails the scan they have access to get these updates. Once it passes they are moved to our wireless production VLAN. There are no clients or scans for cellular devices at this time. Users then have the option to join our Wolverine-Secure, which authenticates by cert using SecureW2’s services.

I am curious if anyone else is using a completely open network for their general population or any other suggestions of how this can be simplified.

Kurtis Olsen
Director – Network & Telecom
Utah Valley University
800 W University Parkway
Orem, UT 84058
801-863-8000

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list.
If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community