We are still in the adoption stage of our EAP-TLS w/ onboarding. We use Clearpass Onboarding. I have not found an issue with the system, but users are often frustrated with the steps required.
This is not a fault of Clearpass, I believe, but it has led us to seek other options to improve adoption by users. None of this answers your first two questions, but I thought I'd chime in on our experience.

To your third question, I would LOVE to keep only managed devices on EAP-TLS and remove any requirements for onboarding/security for personal devices. Then, restrict access on personal devices to our normal internet facing services. However, this just doesn't seem like a model supported by staff. The viewpoint is often that they are limited in what they can do. The 2FA requirement is what people don't seem to enjoy. The stigma of open WiFi won't be forgotten for some time as well.

Thanks for bringing up this conversation, Lee.

Please do not use this post as a request for vendor contact.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Tuesday, April 13, 2021 9:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1X, onboarders, continued

AND ANOTHER THING!...

For those using Cloudpath ES or Secure W2, are you on-prem or cloud-based, why, and any regrets about the option you went with?

Thanks,
Lee

From: Lee H Badman
Sent: Tuesday, April 13, 2021 9:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: 802.1X, onboarders, continued

Thanks for the responses to my last email on onboarders. FWIW, after various discussions with a number of people, I find myself with a few more questions:

* For your onboarder of choice (focusing on CAT Tool, Cloudpath ES, and Secure W2), how responsive is the provider to support issues and OS updates?
* Are you using, or have you recently used, CAT Tool, Cloudpath ES or Secure W2 and found yourself dissatisfied with the tool or vendor/provider, and why?
* Here's the fun one, asked in complete seriousness: has anyone gone down the road of robustly securing staff/"company" devices while turning the general wireless network into a wide-open WLAN, relying on other controls to provide security?

Any and all feedback welcomed, on list or off.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services (NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community