I'd also like to address the comment about post-college experience.

Most organizations these students are going to work at are going to require MDM 
or MAM on their personal devices. So I fundamentally disagree with the comment 
that they won't deal with "enrollment" post campus life.
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Wednesday, April 21, 2021 5:24:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Why not take baby steps? One example: So many organizations talk about user 
experience challenges of onboarding (and trust me, I hear you) but then issue 1 
year certs and force the user through it every year.

Switch to a 5 year cert (or device specific cred) and use authorization rules 
to temporarily (or permanently) revoke access.

You don't have to burn the whole forest down.

I'm sure your security folks would rather have a guaranteed encrypted network 
with user identity, a 5 year cert and full control, than an open network with 
no reliable user identity or enforcement mechanism.
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jonathan Waldrep 
<wald...@vt.edu>
Sent: Wednesday, April 21, 2021 5:15:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I keep trying to reply to this thread with my thoughts and some idea of where 
we are trying to move on this topic, but inevitably, it ends up rambly and 
unfinished. Let's see if I can actually keep it short and relevant. If so, 
there is lots left unsaid; please feel free to ask for details.

We don't have a non-BYOD side of the network. There are some traditional 
institution-managed devices, but they are the exception, and they don't have a 
special network. Painting with a broad brush lacking some nuance, all of our 
user facing networks are zero trust. Turns out, this simplifies a great many 
things.

That said, I would love to move to a model where we have eduroam, and a wide 
open network (preferably with OWE, but that is orthogonal). No captive portal. 
No PSK. Both of those methods are problematic. Why? And what about device 
discovery (Chromecasts, airplay, etc)? How do we know who the device belongs 
to? How do you keep the devices secure without encryption? How do you keep the 
network secure without authentication? Why have eduroam at all? Great 
questions, that I'm going to skip right over (see preface).

In general, shifting our mindset about network authentication from something 
that is required for the administrators' sake to something that the user can 
opt into because it gives _the user_ tangible value opens up a lot of 
opportunity.

The biggest challenges to overcome here are _not_ technical. They are business 
and legal issues. On that note, I have yet to see a time where a technical 
solution to a non-technical problem doesn't end up hurting the user.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech


On Wed, Apr 21, 2021 at 3:22 PM Jennifer Minella 
<j...@cadinc.com> wrote:

Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up 
now.



Here’s what I throw in the mix for consideration… (no recommendations just free 
flow thoughts)

Sorry this is long; WPA3 gets me really excited 😊



1. OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY 
provides OTA encryption; it does nothing for authenticating the user to the 
network NOR the network to the user.
2. …that means you could use a guest portal experience, with or without user 
ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X 
for key exchanges and encryption.
3. If you care about who the user is, you can still use a portal with 
self-registration and whatever duration you feel is appropriate. Depending on 
how much you care, a self-registration portal may (or may not) be sufficient.
4. If you care about protecting the user/device against a MITM or evil twin 
attack, then you probably prefer a mechanism that allows some type of 
authentication, which is typically mutual authentication (e.g. 1X).
5. Under WPA3, security is increased across the board and will be ongoing 
(not fixed), including replacing Pre-Shared Key (PSK) with SAE, which 
looks/feels JUST like PSK to admins/users but further protects assets by using 
unique key derivations for each endpoint. So… if someone has the passcode they 
can get on, but they can’t decrypt any other traffic even if the endpoint(s) 
are using the same key. The list of enhancements goes on and on.
6. Does your organization require traceability of users for any internal or 
external policies or compliance? This could be for security reasons, compliance 
with IP and digital rights, or other needs. One Uni org I’ve worked with 
successfully stopped a student from a suicide attempt when the student posted 
online; they physically located the person and saved them from what they were 
about to do… There are a lot of things to consider and every org is different.
7. Whether or not portal acceptable use and/or user ID/registration is 
needed is a hotly-debated topic and has a lot of “it depends”. I recently asked 
several CISOs, lawyers, auditors, and cyber security friends at the FBI.
   * The CISOs feel it’s “window dressing” except that per …
   * …Lawyers, there may be some legal protection if a user compromised 
while on your network comes after you (e.g. policy says “org not responsible 
for anything resulting from use of their network”).
   * The FBI says they need “something” to open a case and prosecute (e.g. 
Acceptable Use clause or access banner).
   * In Europe (I’m told) orgs providing public internet access fall under 
ISP laws, and therefore must be diligent about registration/acceptable use/etc. 
By policy/compliance they have stricter rules for requiring accountability and 
registration.



___________

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

j...@cadinc.com

919.460.1313 Main Office

919.539.2726 Mobile/text
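Editor's note: the following hostapd configuration is an added example, not code from the thread or from any of its authors. It maps Jennifer's points 1-5 onto concrete settings by defining three BSSes on one radio: Enhanced Open (OWE) with a transition BSS for legacy clients, WPA3-Personal (SAE), and 802.1X/EAP. The interface names, SSIDs, BSSID, RADIUS address and secrets are constructed placeholders; the only thing the example asserts is which mode gives encryption alone and which adds authentication.

```ini
# Added example (not from the thread). Three BSSes on one hostapd instance.
# Interface names, SSIDs, BSSID, RADIUS address and secrets are placeholders.

interface=wlan0
driver=nl80211
hw_mode=a
channel=36

# --- BSS 1: OWE "Enhanced Open" (Jennifer's points 1-2).
# Gives over-the-air encryption only: no user identity and no proof of the
# network's identity to the client. Traceability, if wanted, has to come
# from a portal or an authorization layer behind this BSS.
ssid=Campus-Open
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
# PMF is mandatory for OWE.
ieee80211w=2
# OWE transition mode: this BSS is hidden and paired with the plain open BSS
# below so clients that cannot do OWE still connect (unencrypted).
ignore_broadcast_ssid=1
owe_transition_ifname=wlan0_1

# --- BSS 1b: the matching plain open BSS for the transition pair.
bss=wlan0_1
bssid=02:00:00:00:00:11
ssid=Campus-Open-Legacy
owe_transition_ifname=wlan0

# --- BSS 2: WPA3-Personal / SAE (point 5).
# Looks like PSK to users, but the pairwise key comes from a per-session
# SAE exchange rather than from the passphrase alone, so one passphrase
# holder cannot derive another client's keys.
bss=wlan0_2
bssid=02:00:00:00:00:12
ssid=Campus-Shared
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=ExamplePassphrase-CHANGE-ME
# 2 = allow both hunting-and-pecking and hash-to-element PWE derivation.
sae_pwe=2

# --- BSS 3: 802.1X / EAP (point 4).
# Mutual authentication: the client validates the RADIUS server's certificate
# and the server validates the user or device credential. Tim's long-lived
# client cert plus "authorization rules to revoke access" live on the RADIUS
# server referenced here, not in this file.
bss=wlan0_3
bssid=02:00:00:00:00:13
ssid=Campus-Secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=radius-secret-CHANGE-ME
```

Reading the three blocks side by side makes the thread's trade-off concrete: only the third BSS gives the network a reliable user or device identity and lets the client detect an evil twin, while the first gives a guest-style SSID encryption at zero onboarding cost.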


From: Enfield, Chuck <cae...@psu.edu>
Sent: Friday, April 16, 2021 4:57 PM
Subject: Re: WPA3/OWE as campus solution?



I’ve been floating this idea to IT leadership for years, with no interest on 
their part.  We implemented an open guest network with no rate limiting about 
18 months ago, so now any student who doesn’t want to onboard doesn’t have to.  
I figured that would get the bosses asking why we bother to authenticate on the 
other SSID, but still no.  It’s ironic that the people who constantly stress 
the importance of customer experience and regularly complain to me about the 
onboarding experience can’t be bothered to consider obvious alternatives.  I 
wouldn’t be so disappointed if we discussed the pros and cons and they came to 
a different conclusion than I have, but it sounds so radical to them that they 
don’t even care to discuss it.



Chuck



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?



One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
