Chuck, The key that you touch on is that this has to do with the organization's appetite for risk, and what legal says is defensible. Tell me the rules as you see them and I'll make adjustments accordingly to my Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses.
Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Enfield, Chuck Sent: Thursday, April 22, 2021 12:29 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution? We discussed all those issues, and no doubt it opens a smelly can of worms. Most of these issues come into play simply by allowing employees to use personal devices. If you allow for personal device use, requiring their use didn't create many additional legal issues. I feel like I need to make a disclaimer here. I'm not a lawyer, you may recall me getting things very wrong regarding CALEA a couple years back. I researched your comments and concluded you were right and the university attorney that gave me contradictory information was incorrect. It took me long enough to be sure of that that I never replied to the thread to say so. I could be wrong about this as well, but unlike our guest network access, which was evaluated by one attorney and probably didn't get very much attention from her, this issue was taken very seriously by the controller, HR, Risk, and General Counsel. Outside counsel with expertise in this area was also consulted. I'm confident that whatever our legal team concluded on this issue was defensible. From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Jeffrey D. Sessler Sent: Thursday, April 22, 2021 3:04 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution? For sure, my lens is based on California law, however, the federal Fair Labor Standards Act and state overtime and wage payment laws also come into play here. Since nonexempt (hourly) workers have ready access to the technology, they will be in a position to respond to e-mails and text messages or to otherwise engage in work activities outside their scheduled work hours. Even if you don't reimburse for the use of the personal device, there is the wage exposure of having to compensate those nonexempt employees because checking their work email is - well - working. When we rolled out DUO, we had to offer all employees a token, and they signed a waiver if they wanted to use the DUO app on their personal phone for their convenience. On the eDiscovery/litigation front, it can be difficult/impossible to ensure that business records stored on an employee's personal device are retained long enough to satisfy discovery requests. There are also risks should that data not be available, and presents a whole other quagmire in the BYOD movement that is beyond this conversation. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Enfield, Chuck Sent: Thursday, April 22, 2021 10:54 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution? Jeff, It makes sense that you think this is settled law, because in California it is settled law. I don't recall all the details, but I was on a team involved with considering mobile device policies for Penn State, and we discussed a case in California around 2014/2015 that clarified California labor law. The law required that employers reimburse employees for expenses, but said nothing about how those expenses should be calculated. Some employers decided they only needed to reimburse marginal expenses, but the court decision said that's not the case. So if you're required to use your device for work in California you're entitled to reimbursement of some kind. As I recall, no specific reimbursement formula was recommended by the court in that case. I assume there's been some standardization since, even if only de facto. That, however, was a California court interpreting California law. Our institution considered that ruling and concluded that Pennsylvania law was different and that we could discontinue our stipend and require certain employees to provide and use their own phones for work communications. In the end, we stopped the stipend, but never implemented the mandate. I was never informed precisely why we stopped short of the mandate. That decision was made out of committee. I'm confident there was no clear Federal requirement when we were discussing this in 2016, but if there's been case law or US Department of Labor guidance since then I wouldn't necessarily expect to know about it. I'm am curious if anybody knows more about it. Chuck From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Jeffrey D. Sessler Sent: Thursday, April 22, 2021 1:06 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution? Tim, I would take a look at case law, where it was determined that an employer can not expect an employee to use their own device without compensation. This has resulted in two scenarios now. The first being that the employer provides the employee with a stipend to compensate them for use of their personal device. The second being that employers now provide the necessary devices (tools) to the employee in order to carry out their duties. For example, with COVID, many employers are providing temporary stipends to employees to cover Internet consumption and personal cell use. In no way shape or fashion can an employer compel the user to install or enroll their personal device into their employer's end-point management. The employer could say it's an optional condition of the employee's desire, in a voluntary decision, to use that device for company business. Can't be forced. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Thursday, April 22, 2021 9:14 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution? Well, I can tell you that is just not the reality. Sorry! ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Jeffrey D. Sessler <j...@scrippscollege.edu<mailto:j...@scrippscollege.edu>> Sent: Thursday, April 22, 2021 12:04 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution? On 2021-04-21 21:30:53+0000, Tim Cappalli wrote: > I'd also like to address the comment about post-college experience. > > Most organizations these students are going to work at are going to > require MDM or MAM on their personal devices. So I fundamentally > disagree with the comment that they won't deal with "enrollment" post > campus life. On the above specifically. In every business scenario I've encountered, and it's at EDU level now too, unless you are going to compensate the user for access/control of their device, the business has no right to require MDM. This is in the same territory as requiring an employee to check business email from a personal device - it must be only as an employee opt-in convenience, and not a substitute for the business providing that person the tools they need to do their job. That's a long trip version of saying that a business is going to hand their employee a pre-enrolled/managed company-owned device(s) where it is the business' responsibility to handle whatever onboarding they've established for their company assets. The individual will never encounter this activity (nor should they) with a personal device they own. Jeff -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Jonathan Waldrep Sent: Wednesday, April 21, 2021 7:27 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution? On 2021-04-21 21:24:25+0000, Tim Cappalli wrote: > Why not take baby steps? One example: So many organizations talk > about user experience challenges of onboarding (and trust me, I hear > you) but then issue 1 year certs and force the user through it every > year. > > Switch to a 5 year cert (or device specific cred) and use > authorization rules to temporarily (or permanently) revoke access. 100%. Preach. We are kicking off a project to move from PEAP/MSCHAPv2 to EAP-TLS, primarily for usability reasons. There are plenty of other reasons why it is a good change (that I as an admin am personally excited about), but they are not what is pushing things forward that hardest. Right now, because MSCHAPv2 is hot garbage, users have a password used only for network access. We want to get rid of that. Partly because _passwords_ are hot garbage. The intent is to move to per-device certs that will expire after the device is dead from oxidation. The cert/key establishes _authentication_ (who is this?). This is only breaks if the key is compromised or the device changes hands. Everything else is an issue of _authorization_ (is this allowed?). We're considering blurring that line a bit and pretending it is all authorization, but now I'm just rambling. I don't think I've said anything until this point that Tim would disagree with. It's here mostly for the broader discussion of the thread. > You don't have to burn the whole forest down. I'm not planning on it. We'll still have a .1X network (eduroam). I just won't care if someone decides to not use it. What I do want to burn down are the dead trees - the captive portal and _mandated_ authentication. And that's not going to happen for a while. EAP-TLS isn't a strict prereq, but it is more urgent, and we don't have the manpower to do both at the same time. > I'm sure your security folks would rather have a guaranteed encrypted > network with user identity, a 5 year cert and full control, than an > open network with no reliable user identity or enforcement mechanism. I've talked to them. They don't care. That's the simplicity zero-trust brings to the table. The _legal_ team on the other hand... that's a conversation that still needs to happen. I've used the term "zero-trust" some already, and I'm about to a lot more, so let's get past the buzz-word and define it. By "zero-trust", I am making the explicit choice to _NOT_: - care who you are - make any assumption about the security posture of the device - make any assumption about the network between us (encrypted, MitM, etc) I _might_ care if your identity is knowable. Subtle but important distinction here: I _might_ care if the question, "Who are you?" has a meaningful answer, for the sake of accountability. I do _not_ care what that answer is. Also, some of these questions obviously need answering somewhere around layer 7. But, layers 1-3 are not designed to answer those questions and are really bad at trying. Zero-trust is specifically layers 1-3. On enforcement, lets take a trip into the nuances of our implementation of zero-trust (told you I was going to use it more). Right now, if you connect on eduroam (VT affiliate or a roaming user), as a sponsored guest, or with a (MAC) registered device, you end up in the same network. Lets call it the accountable network. If you connect as a self-sponsored guest, you end up in a different network. Let's call it the unaccountable network. The unaccountable network is a different routing instance, with clearly segmented IP space, where the traffic is basically hairpinned at the border. _Both_ networks are zero-trust. With the accountable network, we are telling sysadmins that we can additionally answer the question, "who is this?" given an IP/timestamp. Those in the unaccountable network should be treated as coming from the villainous wilderness that is the Internet. Among other things, this allows for writing some really coarse ACLs that mostly filter out noise. Let's take another detour on some core considerations for our guest network. We've decided that someone should be able to walk on campus and be able to use the wireless network. Maybe that takes some self-sponsoring, maybe not, but they can get on the network without us providing credentials for them. This means there is an open(ish) network with unreliable or no identity sitting right next to our .1X network. So what does that mean for enforcement? Effectively, reliable authentication is already optional. Adding a captive portal to the open network doesn't change that. Zero-trust and the accountable vs unaccountable network split helps quite a bit here, and I think it's pretty obvious why. On 2021-04-21 21:30:53+0000, Tim Cappalli wrote: > I'd also like to address the comment about post-college experience. > > Most organizations these students are going to work at are going to > require MDM or MAM on their personal devices. So I fundamentally > disagree with the comment that they won't deal with "enrollment" post > campus life. I don't think I've made that specific claim, but I have made a similar one (though not in this thread, I think), that users don't deal with "enrollment" outside of campus (pre-graduation), referring to restaurants, public venues, hotels, etc. Either way, I see where you are coming from. It is not something I had considered before. I do not find it compelling. I'm not going to make my users miserable because someone else's network experience is painful. As a final thought, it is my estimation that captive portals and mac auth are on their way out industry wide. (Why is a rambling for another time.) I'd rather be on the front edge of that wave than get caught by surprise, and I suspect the users would agree. Well, I rambled _a lot_ in this email. Congrats if you made it to the end, I guess. If I had more time, it would have been shorter. -- Jonathan Waldrep Network Engineer Network Infrastructure and Services Virginia Tech ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C6cd685c64ecf4376ce7408d905a84c98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637547042670350760%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=s0oNiYICddHopKjjl7jvGT%2BgblpLcmpxGtoln%2B6YE6c%3D&reserved=0<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C5946df185ae44db502b108d905c174b6%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637547150745713825%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=d79%2FdJHgy5vc7C%2Bbjbemgti1Z76liwT%2BDRG7XDi1kYY%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C6cd685c64ecf4376ce7408d905a84c98%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637547042670360720%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=12zGDL44%2Bb4hdFz36jhY3y82rV3a6pE2XuJVBQMG8mg%3D&reserved=0<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C5946df185ae44db502b108d905c174b6%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637547150745723825%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=RvzSNxviyWmkbghTLhafZ02j3QiyPlP6pyGAj5wJImo%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C5946df185ae44db502b108d905c174b6%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637547150745733816%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rgIy7iXI3OXIwkmDDoOs8gNS8onEVneM2Z7eAOLzn6w%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C5946df185ae44db502b108d905c174b6%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637547150745733816%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rgIy7iXI3OXIwkmDDoOs8gNS8onEVneM2Z7eAOLzn6w%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C5946df185ae44db502b108d905c174b6%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637547150745743809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=m22LeVgAjNvyF%2Fcp9IW84nIEh1cb%2Fkd7V7cHihie0Sw%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C5946df185ae44db502b108d905c174b6%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637547150745743809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=m22LeVgAjNvyF%2Fcp9IW84nIEh1cb%2Fkd7V7cHihie0Sw%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
