Wireless Access


WPA2-Enterprise in dorms

  • 1.  WPA2-Enterprise in dorms

    Posted Mar 12, 2021 06:48 AM
    Hello everyone,

    I'm sure this has been discussed many times before but maybe there's something new. I'm going to require WPA2-Enterprise auth this Summer, moving away from MAC authentication.

    I already have it working with our RADIUS server, so that part is done. But how do I handle devices that don't support 802.1X like TVs, Roku, gaming devices, etc.? We have a lot of these devices in our dorms and, without creating a separate PSK network, I'm not sure how to proceed. What's the recommended way to support these devices in 2021 while still maintaining security?

    Thanks in advance.

    ------------------------------
    Nathan Kuhl
    ------------------------------


  • 2.  RE: WPA2-Enterprise in dorms

    Posted Mar 12, 2021 11:21 AM
    I may have thought of a solution. Check my logic here. Currently, we have two SSIDs: School Name and School Name Guest

    School Name will move to 802.1x.

    School Name BYOD will remain open with MAC auth, will only be available in the dorms, with Internet access only.

    School Name Guest will remain WPA2-PSK with a frequently changed password, with Internet access only.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 3.  RE: WPA2-Enterprise in dorms

    Posted Mar 12, 2021 12:00 PM
    That is basically exactly what we do.  We allow self registrations for students via Clearpass for the BYOD network.

    --





  • 4.  RE: WPA2-Enterprise in dorms

    Posted Mar 15, 2021 05:59 AM

    I'm no expert in what I'm about to advocate, because I'm struggling with it myself presently, but if you haven't looked into this already, and you're using ClearPass in your infrastructure, it sounds like you should deploy MPSK, because what you propose for frequently changing the PSK for users isn't going to be manageable and will be cumbersome from the users' perspective. If you haven't done so already, you'll deploy AirGroup at the controller, and MPSK on ClearPass.

    Good place to start with AG

    https://www.arubanetworks.com/techdocs/InstantWenger_Mobile/Advanced/Content/AirGroup/AirGroup.htm

    Good place to start with MPSK - all sorts, but simply put, every user registers their own device by MAC, and is handed a unique PSK for that device. If they have 5 devices they register 5 devices and get 5 unique PSKs.



    ------------------------------
    nathan millward
    ------------------------------
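    As an added illustration of the MPSK model described in the post above (this is example code written for this thread, not Aruba's, ClearPass's or the poster's), here is a small Python registry that hands each registered MAC its own passphrase and derives the WPA2 PMK the way WPA2-Personal does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes). It shows why per-device keys matter: devices sharing one SSID end up with distinct PMKs, so revoking or leaking one device's key leaves the others untouched. The SSID, MACs and class names are assumptions.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional

SSID = "School Name BYOD"  # constructed SSID for the example


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aabb.cc..' hit one entry."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as defined for WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class MpskRegistry:
    """Per-device PSKs keyed by MAC; stands in for the NAC's device registration table."""

    def __init__(self, ssid: str) -> None:
        self.ssid = ssid
        self._keys: Dict[str, str] = {}

    def register(self, mac: str) -> str:
        """Issue a fresh random passphrase for this device: one device, one key."""
        passphrase = secrets.token_urlsafe(24)  # 32 chars, within WPA2's 8-63 limit
        self._keys[normalize_mac(mac)] = passphrase
        return passphrase

    def revoke(self, mac: str) -> bool:
        """Drop one device's key without affecting any other registration."""
        return self._keys.pop(normalize_mac(mac), None) is not None

    def pmk_for(self, mac: str) -> Optional[bytes]:
        """Key the AP/RADIUS side would use to validate this client's 4-way handshake."""
        passphrase = self._keys.get(normalize_mac(mac))
        return None if passphrase is None else wpa2_pmk(passphrase, self.ssid)


def demo() -> dict:
    """Two constructed dorm devices: distinct keys, and revoking one leaves the other."""
    reg = MpskRegistry(SSID)
    tv, console = "AA-BB-CC-00-11-22", "aabb.cc00.1133"  # constructed MACs
    reg.register(tv)
    reg.register(console)
    distinct = reg.pmk_for(tv) != reg.pmk_for(console)
    reg.revoke(tv)
    return {"distinct": distinct, "tv_after_revoke": reg.pmk_for(tv),
            "console_ok": reg.pmk_for(console) is not None}
```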



  • 5.  RE: WPA2-Enterprise in dorms

    Posted Mar 16, 2021 07:04 AM
    Hi Nathan,

    I wouldn't recommend an open network for BYOD as it means no data privacy over the air, as you would get with a WPA2 or WPA3 protected network. MAC authentication is a good idea. You can see some people have suggested ClearPass - there is a lot of power in the ClearPass solution - including solutions like MPSK.

    A guest portal may be better than a rotating pre-shared key on the guest network. This way you can account for who is using the network and deter BYOD users who can't be bothered registering their MAC address from using it instead of the BYOD network.


  • 6.  RE: WPA2-Enterprise in dorms

    Posted Mar 16, 2021 07:28 AM
    MPSK may be an option now but it was not an option when we first set up this network. The onboarding / MAC Auth SSID was also set up before we had any Guest access. As I said, the portal on this network goes directly to our secure onboarding cloud provider unless it has been registered for MAC Auth.

    Most web traffic is over https anyway, giving a level of encryption.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 7.  RE: WPA2-Enterprise in dorms

    Posted Mar 16, 2021 07:44 AM
    MPSK does sound like an ideal option, however, we don't use Clearpass for RADIUS. We use FortiNAC, formerly Bradford Networks Network Sentry, and I don't believe that it has this option.

    The open network for BYOD devices would still be behind a captive portal requiring LDAP authentication. It's not completely open.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 8.  RE: WPA2-Enterprise in dorms

    Posted Mar 16, 2021 08:03 AM
    We are former Aruba ECS / Bradford Network Sentry customers. It may work for you, depending on the size of your network.

    We moved away from Bradford quite a while ago for a few reasons.

      1.  Even with their Network Manager it would not scale to the size of your network at that time and give consistent results across the network. Each node had its own idea of whether a client was compliant.

      2.  At that time there was no hierarchy for users / devices that fit into multiple categories. Results were indeterminate.

      3.  At that time, although it could pass RADIUS traffic, it could not easily use RADIUS data to determine client access.

    We have been happy with Aruba ClearPass and our network has grown immensely since our time with Bradford. Just saying it may be worth your while to give ClearPass a look.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 9.  RE: WPA2-Enterprise in dorms

    Posted Mar 16, 2021 10:03 AM
    Thanks Bruce. Clearpass is on the horizon but not doable this year. We're overhauling our Aruba network this Summer since we're still on AOS 6.5. And to be honest, the only reason that we feel the need to upgrade is because of the hardware AP requirements. AOS 6.5 works fine for us but the newer APs require 8 and above.

    So once we move to AOS 8, and we're on that for awhile, we'll probably move to Clearpass. FortiNAC has been a good servant for the past 15 years. We've had it since 2006 when it was Campus Manager.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 10.  RE: WPA2-Enterprise in dorms

    Posted Mar 16, 2021 10:10 AM
    I understand.

    We started in 2008 with Aruba's branded Campus Manager, called ECS (Endpoint Compliance System) and moved to Campus Manager & then network Sentry when Aruba discontinued ECS. The whole time much of our support actually came from Bradford though.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 11.  RE: WPA2-Enterprise in dorms

    Posted Mar 15, 2021 07:14 AM
    You are not saying what flavor of WPA2-Enterprise, but we have been doing PEAP-MSCHAPv2 for many years and will be moving to EAP-TLS sometime in the future.

    Currently we have 3 SSIDs but plan on consolidating down to 2. We have a CPPM Guest SSID, an 802.1X secure SSID and an open SSID with a captive portal used for onboarding to 802.1X and for non-802.1X devices through MAC Authentication. We plan on merging the Guest & open SSIDs.

    We make use of the ClearPass REST API and have our own portals for Guest registration & login as well as MAC address registration. We use a cloud vendor for onboarding. If somebody tries to register their student address to Guest we automatically direct them to the 802.1X onboarding portal.

    You can avoid one of our shortcomings. When determining these device roles be sure to account for student & staff personal devices as well as corporate owned devices that are unable to do 802.1X. We do not use 802.1X for Apple TVs because it requires specific software on macOS to configure. We treat them as non-802.1X devices.


    ------------------------------
    Bruce Osborne
    ------------------------------



  • 12.  RE: WPA2-Enterprise in dorms

    Posted Mar 15, 2021 07:48 AM
    We were planning on MSCHAPv2 to start off with but TLS should be just as easy to push out via our MDM.

    I have MSCHAPv2 set up now on a test SSID and it works fine with 4th gen and above Apple TVs. ATVs are one of the very few headless devices that support enterprise auth. I did not test it on 3rd gens yet.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 13.  RE: WPA2-Enterprise in dorms

    Posted Mar 15, 2021 08:08 AM
    Our school owned Apple TVs are not yet in MDM. On our wireless network we have more student devices than staff / enterprise even before COVID.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 14.  RE: WPA2-Enterprise in dorms

    Posted Mar 15, 2021 08:12 AM
    Gotcha. You can easily add those Apple TVs to your MDM via Apple Configurator 2 if they were not purchased directly from Apple. The majority of ours were not and this is how I got them in.

    ------------------------------
    Nathan Kuhl
    ------------------------------