One other thing to keep in mind when considering an open access environment is that it's only the default and doesn't have to be the final word. If you see a suspicious or malicious device, you can still force it back behind a captive portal to get or re-up whatever user info you want before granting (or not) access again, even on an otherwise open network.
Making people register a device or authenticate to a captive portal doesn't stop bad people, infected devices, stolen credentials, etc., from coming to your network, so we need to be prepared to do this anyway. The *only* place an open network leaves us hanging is the one-time event, where someone does a Bad Thing™ and then never comes back. Even then, for lesser events, if they never come back it's not so much of a problem. But for those greater events we hope never happen, not being able to say, "It was him, and here are the logs to prove it," can be pretty scary.

Joel Coehoorn
Director of Information Technology
York College of Nebraska

On Thu, Apr 22, 2021 at 2:47 PM Floyd, Brad <bfl...@mail.smu.edu> wrote:

> We as IT people can discuss the merits of captive portal / no captive portal, authentication / reasonably knowing if a device is doing something bad, etc. We are asked all of the time what our recommendations are in these circumstances and we should weigh in with our opinions. However, it seems like this discussion comes down to two questions that we should be asking our organization’s legal team / advisors:
>
> 1. If I make this “XYZ decision in providing / maintaining our infrastructure”, am I considered to have legally exercised “due diligence”?
> 2. If I implement the decision in #1, are you (as the legal team) able to reasonably defend the organization against likely legal challenges?
>
> Every organization has different pain levels and will likely make a decision based on those factors. Just my 2 cents.
>
> Thanks,
>
> Brad
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of* Jeffrey D. Sessler
> *Sent:* Thursday, April 22, 2021 2:04 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
> *[EXTERNAL SENDER]*
>
> For sure, my lens is based on California law; however, the federal Fair Labor Standards Act and state overtime and wage payment laws also come into play here. Since nonexempt (hourly) workers have ready access to the technology, they will be in a position to respond to e-mails and text messages or to otherwise engage in work activities outside their scheduled work hours. Even if you don’t reimburse for the use of the personal device, there is the wage exposure of having to compensate those nonexempt employees because checking their work email is – well – working. When we rolled out DUO, we had to offer all employees a token, and they signed a waiver if they wanted to use the DUO app on their personal phone for their convenience.
>
> On the eDiscovery/litigation front, it can be difficult/impossible to ensure that business records stored on an employee’s personal device are retained long enough to satisfy discovery requests. There are also risks should that data not be available, and it presents a whole other quagmire in the BYOD movement that is beyond this conversation.
>
> Jeff
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of* Enfield, Chuck
> *Sent:* Thursday, April 22, 2021 10:54 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
> Jeff,
>
> It makes sense that you think this is settled law, because in California it is settled law. I don’t recall all the details, but I was on a team involved with considering mobile device policies for Penn State, and we discussed a case in California around 2014/2015 that clarified California labor law. The law required that employers reimburse employees for expenses, but said nothing about how those expenses should be calculated. Some employers decided they only needed to reimburse marginal expenses, but the court decision said that’s not the case. So if you’re required to use your device for work in California you’re entitled to reimbursement of some kind. As I recall, no specific reimbursement formula was recommended by the court in that case. I assume there’s been some standardization since, even if only de facto.
>
> That, however, was a California court interpreting California law. Our institution considered that ruling and concluded that Pennsylvania law was different and that we could discontinue our stipend and require certain employees to provide and use their own phones for work communications. In the end, we stopped the stipend, but never implemented the mandate. I was never informed precisely why we stopped short of the mandate. That decision was made out of committee.
>
> I’m confident there was no clear Federal requirement when we were discussing this in 2016, but if there’s been case law or US Department of Labor guidance since then I wouldn’t necessarily expect to know about it. I am curious if anybody knows more about it.
>
> Chuck
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of* Jeffrey D. Sessler
> *Sent:* Thursday, April 22, 2021 1:06 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
> Tim,
>
> I would take a look at case law, where it was determined that an employer cannot expect an employee to use their own device without compensation. This has resulted in two scenarios now. The first being that the employer provides the employee with a stipend to compensate them for use of their personal device. The second being that employers now provide the necessary devices (tools) to the employee in order to carry out their duties.
>
> For example, with COVID, many employers are providing temporary stipends to employees to cover Internet consumption and personal cell use.
>
> In no way, shape or fashion can an employer compel the user to install or enroll their personal device into their employer’s end-point management. The employer could say it’s an optional condition of the employee’s desire, in a voluntary decision, to use that device for company business. Can’t be forced.
>
> Jeff
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of* Tim Cappalli
> *Sent:* Thursday, April 22, 2021 9:14 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
> Well, I can tell you that is just not the reality. Sorry!
>
> ------------------------------
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler <j...@scrippscollege.edu>
> *Sent:* Thursday, April 22, 2021 12:04
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
> On 2021-04-21 21:30:53+0000, Tim Cappalli wrote:
> > I'd also like to address the comment about post-college experience.
> >
> > Most organizations these students are going to work at are going to require MDM or MAM on their personal devices. So I fundamentally disagree with the comment that they won't deal with "enrollment" post campus life.
>
> On the above specifically. In every business scenario I've encountered, and it's at EDU level now too, unless you are going to compensate the user for access/control of their device, the business has no right to require MDM. This is in the same territory as requiring an employee to check business email from a personal device - it must be only as an employee opt-in convenience, and not a substitute for the business providing that person the tools they need to do their job.
>
> That's a long trip version of saying that a business is going to hand their employee a pre-enrolled/managed company-owned device(s) where it is the business' responsibility to handle whatever onboarding they've established for their company assets. The individual will never encounter this activity (nor should they) with a personal device they own.
>
> Jeff
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jonathan Waldrep
> Sent: Wednesday, April 21, 2021 7:27 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>
> On 2021-04-21 21:24:25+0000, Tim Cappalli wrote:
> > Why not take baby steps? One example: So many organizations talk about user experience challenges of onboarding (and trust me, I hear you) but then issue 1 year certs and force the user through it every year.
> >
> > Switch to a 5 year cert (or device specific cred) and use authorization rules to temporarily (or permanently) revoke access.
>
> 100%. Preach. We are kicking off a project to move from PEAP/MSCHAPv2 to EAP-TLS, primarily for usability reasons. There are plenty of other reasons why it is a good change (that I as an admin am personally excited about), but they are not what is pushing things forward the hardest. Right now, because MSCHAPv2 is hot garbage, users have a password used only for network access. We want to get rid of that.
> Partly because _passwords_ are hot garbage.
>
> The intent is to move to per-device certs that will expire after the device is dead from oxidation. The cert/key establishes _authentication_ (who is this?). This only breaks if the key is compromised or the device changes hands. Everything else is an issue of _authorization_ (is this allowed?). We're considering blurring that line a bit and pretending it is all authorization, but now I'm just rambling.
>
> I don't think I've said anything until this point that Tim would disagree with. It's here mostly for the broader discussion of the thread.
>
> > You don't have to burn the whole forest down.
>
> I'm not planning on it. We'll still have a .1X network (eduroam). I just won't care if someone decides to not use it.
>
> What I do want to burn down are the dead trees - the captive portal and _mandated_ authentication. And that's not going to happen for a while. EAP-TLS isn't a strict prereq, but it is more urgent, and we don't have the manpower to do both at the same time.
>
> > I'm sure your security folks would rather have a guaranteed encrypted network with user identity, a 5 year cert and full control, than an open network with no reliable user identity or enforcement mechanism.
>
> I've talked to them. They don't care. That's the simplicity zero-trust brings to the table. The _legal_ team on the other hand... that's a conversation that still needs to happen.
>
> I've used the term "zero-trust" some already, and I'm about to a lot more, so let's get past the buzz-word and define it. By "zero-trust", I am making the explicit choice to _NOT_:
> - care who you are
> - make any assumption about the security posture of the device
> - make any assumption about the network between us (encrypted, MitM, etc)
>
> I _might_ care if your identity is knowable. Subtle but important distinction here: I _might_ care if the question, "Who are you?" has a meaningful answer, for the sake of accountability. I do _not_ care what that answer is.
> Also, some of these questions obviously need answering somewhere around layer 7. But, layers 1-3 are not designed to answer those questions and are really bad at trying. Zero-trust is specifically layers 1-3.
>
> On enforcement, let's take a trip into the nuances of our implementation of zero-trust (told you I was going to use it more).
> Right now, if you connect on eduroam (VT affiliate or a roaming user), as a sponsored guest, or with a (MAC) registered device, you end up in the same network. Let's call it the accountable network.
> If you connect as a self-sponsored guest, you end up in a different network. Let's call it the unaccountable network.
> The unaccountable network is a different routing instance, with clearly segmented IP space, where the traffic is basically hairpinned at the border.
> _Both_ networks are zero-trust. With the accountable network, we are telling sysadmins that we can additionally answer the question, "who is this?" given an IP/timestamp. Those in the unaccountable network should be treated as coming from the villainous wilderness that is the Internet. Among other things, this allows for writing some really coarse ACLs that mostly filter out noise.
>
> Let's take another detour on some core considerations for our guest network. We've decided that someone should be able to walk on campus and be able to use the wireless network. Maybe that takes some self-sponsoring, maybe not, but they can get on the network without us providing credentials for them. This means there is an open(ish) network with unreliable or no identity sitting right next to our .1X network.
>
> So what does that mean for enforcement? Effectively, reliable authentication is already optional. Adding a captive portal to the open network doesn't change that. Zero-trust and the accountable vs unaccountable network split helps quite a bit here, and I think it's pretty obvious why.
>
> On 2021-04-21 21:30:53+0000, Tim Cappalli wrote:
> > I'd also like to address the comment about post-college experience.
> >
> > Most organizations these students are going to work at are going to require MDM or MAM on their personal devices. So I fundamentally disagree with the comment that they won't deal with "enrollment" post campus life.
>
> I don't think I've made that specific claim, but I have made a similar one (though not in this thread, I think), that users don't deal with "enrollment" outside of campus (pre-graduation), referring to restaurants, public venues, hotels, etc.
>
> Either way, I see where you are coming from. It is not something I had considered before. I do not find it compelling. I'm not going to make my users miserable because someone else's network experience is painful.
>
> As a final thought, it is my estimation that captive portals and mac auth are on their way out industry wide. (Why is a rambling for another time.) I'd rather be on the front edge of that wave than get caught by surprise, and I suspect the users would agree.
>
> Well, I rambled _a lot_ in this email. Congrats if you made it to the end, I guess. If I had more time, it would have been shorter.
>
> --
> Jonathan Waldrep
> Network Engineer
> Network Infrastructure and Services
> Virginia Tech
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at https://www.educause.edu/community
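The accountable-network lookup Jonathan describes above (given an IP and a timestamp, answer "who is this?", while the self-sponsored guest prefix deliberately yields no identity), worked through as an added example that is not code from any poster or from Virginia Tech. It assumes constructed DHCP lease and RADIUS accounting / MAC-registration records, constructed prefixes (203.0.113.0/24 accountable, 198.51.100.0/24 unaccountable), and the helper names `ts` and `who_is`; it also goes a step beyond the message by handling an address reused by two devices on the same day and a lease with no matching session (a logging gap).

```python
"""Answer "who is this?" for an IP address at a point in time.

Added example (not any poster's code). Two constructed log sources are
stitched together: DHCP leases (IP -> MAC over a time window) and
802.1X / MAC-registration sessions (MAC -> identity over a time window).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed prefix for the self-sponsored guest (unaccountable) network.
UNACCOUNTABLE = ip_network("198.51.100.0/24")

def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

@dataclass(frozen=True)
class Lease:          # one DHCP lease record
    ip: str
    mac: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Session:        # one RADIUS accounting / MAC-registration session
    mac: str
    identity: str     # who answered for this MAC (cert subject, sponsor of record)
    start: datetime
    end: Optional[datetime]   # None: session still open

# Constructed sample records. 203.0.113.10 is reused by two different MACs.
LEASES = [
    Lease("203.0.113.10", "aa:bb:cc:00:00:01", ts("2021-04-21T13:00:00"), ts("2021-04-21T21:00:00")),
    Lease("203.0.113.10", "aa:bb:cc:00:00:02", ts("2021-04-21T21:30:00"), ts("2021-04-22T05:30:00")),
    Lease("203.0.113.11", "aa:bb:cc:00:00:04", ts("2021-04-21T14:00:00"), ts("2021-04-21T22:00:00")),
    Lease("198.51.100.7", "de:ad:be:ef:00:03", ts("2021-04-21T14:00:00"), ts("2021-04-21T22:00:00")),
]
SESSIONS = [
    Session("aa:bb:cc:00:00:01", "pid12345 (EAP-TLS, CN=dev-laptop-4471)", ts("2021-04-21T12:59:50"), ts("2021-04-21T21:00:05")),
    Session("aa:bb:cc:00:00:02", "sponsor jdoe (MAC-registered device)", ts("2021-04-21T21:29:55"), None),
]

def who_is(ip: str, when: datetime, leases=LEASES, sessions=SESSIONS):
    """Return (status, detail): ("unaccountable", None); ("accountable", identity);
    ("unknown", mac) when a lease exists but no session covers it (a logging gap);
    ("unknown", None) when no lease covers the IP at that time."""
    if ip_address(ip) in UNACCOUNTABLE:
        return ("unaccountable", None)      # guest space: treat like the Internet
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            for s in sessions:
                if s.mac == lease.mac and s.start <= when and (s.end is None or when < s.end):
                    return ("accountable", s.identity)
            return ("unknown", lease.mac)   # lease but no session: surface the MAC only
    return ("unknown", None)
```

The half-open lease window (`start <= when < end`) is what keeps the two users of 203.0.113.10 from being confused with each other at the boundary.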