Wireless Authentication

Posted by mhoffman on August 28, 2012

Dear Colleagues,

The start of the semester has brought us numerous problems with students not being able to authenticate to our wireless portal to access our network and the Internet. I’m curious how other campuses control WiFi access. Specifically, are you forcing authentication? Do you allow students to use the wireless without any authentication/registration?

Thank you.

Michael S. Hoffman

Executive Director for Information Technology

St. Bonaventure University

mhoffman@sbu.edu

www.sbu.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Post a Comment

Comments

We steer students to our open network where they download a connection utility which sets them up for our secure1x network. Our open network is heavily filtered and extremely slow intentionally. This indirectly forces students to connect to the secure1x network.

Tim Cappalli, ACMP CCNA | (802) 626-6456

Office of Information Technology (OIT) | Lyndon

» cappalli@lyndonstate.edu | oit.lyndonstate.edu

Sent from Windows 8 and Outlook 2013

Posted by: cappalli@brande... on August 28, 2012

Message from russ.leathe@gordon.edu

We have two SSID’s, guest and authenticated. The guest network provides limited access on ports 80,443 only. Authenticated is 802.1x AeS, providing all access using their Active Directory credentials.

We are moving toward the portal solution though..we hold numerous conferences, groups throughout the year

I Hope this is helpful,

Russ

Gordon College

Posted by: listserv-anon on August 28, 2012

We force them to register all their networked appliances (computers/phones/gaming systems/magic jack…etc) through our NAC system. If they don't register and pass any requirements for the device, they don't get access anywhere on campus.

We have a few areas, like some meeting areas that are normally populated with people that aren't from our University that have "public" in them. In this case, public gets you a rate limited very restricted link to the internet outside of our firewall and that's it. These areas have the APs tuned down so that unless you are sitting in them, you can't even see the SSID.

After several years of this, the students are used to it and seem to be more accepting of NAC since it keeps their systems from infecting each other.

_____________________

Steve Swartz

Chief Information Officer

Fitchburg State University

sswartz@fitchburgstate.edu

978-665-4444

Posted by: sswartz on August 28, 2012

All network access here requires authentication. We don’t offer any “open” access. All of our students have Active Directory login accounts that they can use.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480 FAX: (979) 230-3111
http://www.brazosport.edu

A single ton of uranium produces more energy than a million tons of coal.

Posted by: rparker on August 28, 2012

We force login authentication through our NAC system.

You are a little ahead of us in the fall explosion of traffic. What kinds of problems are you encountering? I admit to anticipating problems without any evidence so far.

Theresa

Posted by: rowe on August 28, 2012

Michael,

We are set up similar to Gordon. We have two SSID's as well. The open guest/student access just provides Internet access to 80 and 443. The College's administrative side uses standard authentication methods to access College resources.

We have a large contract training area at one campus and two others have large conference facilities that are used regularly by outside groups. As we provide no network services to the majority of our students, they have no current need to authenticate into the network over wireless.

Dave

David Hoyt

Chief Information Systems Officer

Collin College

Collin Higher Education Center

3452 Spur 399

McKinney, TX 75069

P - 972.599.3133 F - 972.599.3131

dhoyt@collin.edu

>>> On 8/28/2012 at 10:32 AM, in message <EA8230F8BAC20240984AA982E3A2F3E00ACA8D7B76@EMPMAIL.sbu.edu>, "Hoffman, Michael" <mhoffman@SBU.EDU> wrote:

Dear Colleagues,

The start of the semester has brought us numerous problems with students not being able to authenticate to our wireless portal to access our network and the Internet. I'm curious how other campuses control WiFi access. Specifically, are you forcing authentication? Do you allow students to use the wireless without any authentication/registration?

Thank you.

Michael S. Hoffman

Executive Director for Information Technology

St. Bonaventure University

mhoffman@sbu.edu

www.sbu.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: dhoyt on August 28, 2012

Each device must be registered through our NAC for both wired and wireless access. Registration requires authentication to AD. It is only necessary to register a device once per academic year. Guests request an access code through a self-service process managed by the NAC. Guest access codes are automatically disabled after 24 hours requiring registration each day.

Certain devices, primarily gaming consoles, are not able to register through the NAC. In these cases students provide the MAC address of the device to the help desk where the device is manually registered in the NAC.

I share Theresa’s sentiment. So far, it has gone well but I’m far from ready to declare victory.

Instructions for our students are available at www.umhb.edu/network

Brent Harris

Associate Vice President for Information Technology

University of Mary Hardin-Baylor

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Theresa Rowe
Sent: Tuesday, August 28, 2012 11:23 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Wireless Authentication

Posted by: bharris@umhb.edu on August 28, 2012

We have SSIDs for students, staff Faculty and guest all requiring authentication. For facualt staff and students authentication is through network credentials (ID and Password) for guest we change the password and login id every 30 days and publish in an internal newsletter for community to share with outside guests. Guest access is only to internet beyond our firewall. Tom Thomas H. Carnwath Vice President Technology and Information Services Hamilton Hall 320 South Broad Street Philadelphia, PA 19102 Tel: 215-717-6440 [cid:6733D65F-8CEE-4F70-B857-6C1A13D541A0] Need Assistance? Call Oops (215-717-6677) to get answers. OTIS will never ask for your personal information or password in an email. Never share this information with anyone. This message and any attachment may contain confidential or privileged information and is intended for the intended individual named as addressee. If you are not the intended recipient of this message, please notify the sender immediately by return email and delete this message and all attachments from your system. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be deemed unlawful. Please consider the environment before printing this email. From: , Michael > Reply-To: The EDUCAUSE CIO Constituent Group Listserv > Date: Tuesday, August 28, 2012 11:32 AM To: "CIO@LISTSERV.EDUCAUSE.EDU" > Subject: [CIO] Wireless Authentication Dear Colleagues, The start of the semester has brought us numerous problems with students not being able to authenticate to our wireless portal to access our network and the Internet. I’m curious how other campuses control WiFi access. Specifically, are you forcing authentication? Do you allow students to use the wireless without any authentication/registration? Thank you. Michael S. Hoffman Executive Director for Information Technology St. Bonaventure University mhoffman@sbu.edu www.sbu.edu ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: thcarnwath on August 28, 2012

Message from jbest@theseattleschool.edu

We are using a similar setup as Thomas. SSIDs for Faculty/Staff, Students and Guests but we add one or Events as well. Guests is really just a single day pass where Events will last up to 5 days. All users are authenticated via AD.

-------------------------------------------------------------------------------------------
Jason Best
Director of Media and IT at The Seattle School of Theology & Psychology
jbest@theseattleschool.edu | 206.876.6111 | theseattleschool.edu
-------------------------------------------------------------------------------------------

Posted by: listserv-anon on August 28, 2012

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-----Original Message-----
From: Steve Swartz [sswartz@FITCHBURGSTATE.EDU]
Received: Tuesday, 28 Aug 2012, 11:49am
To: CIO@LISTSERV.EDUCAUSE.EDU [CIO@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [CIO] Wireless Authentication

After several years of this, the students are used to it and seem to be more accepting of NAC since it keeps their systems from infecting each other.

_____________________

Steve Swartz

Chief Information Officer

Fitchburg State University

sswartz@fitchburgstate.edu

978-665-4444

Posted by: kim.milford on August 28, 2012

Thanks everyone.

Theresa, we are having problems automatically re-directing students to our Aruba captive portal for authentication. Many computers work fine, but large numbers are encumbered by wireless card issues, toolbars, proxies etc. Thus we are considering how best to proceed in the future.

All of the feedback has been most appreciated.

Mike

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Theresa Rowe
Sent: Tuesday, August 28, 2012 12:23 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Wireless Authentication

Posted by: mhoffman on August 28, 2012

Like many of the responders, Seton Hall University requires users in public, academic and administrative spaces to authenticate using AD in order to access the campus wireless network. We provide an open SSID in the residence halls, however, for the convenience of students who bring their gaming and/or older devices that can’t easily authenticate with AD; the open SSID is bandwidth rate limited and tuned so that bleed outside the residence hall is minimized (the older residence halls are so massively constructed we have one AP per suite and bleed isn’t much of an issue). Please note, however, we have very restricted access to our residence halls; guests must be signed in and out by a sponsoring student, we have strict curfews, etc. Our approach wouldn’t work well for campuses that have less restrictive access to the residence halls.

Steve

Stephen G. Landry, Ph.D.

Chief Information Officer

Seton Hall University

Tel.: 973-761-7386

Email: cio@shu.edu

Twitter: @landryst

Facebook: www.facebook.com/landryst

LinkedIn: www.linkedin.com/in/landryst

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: landryst on August 28, 2012

Message from dthibeau@post03.curry.edu

We currently are not forcing authentication, but we will be within the next couple of weeks. We are undecided as to whether or not to include verification of active anti-virus and the latest windows/mac patches. I believe we will at least warn them about expired anti-virus, and likely by the middle of the term start blocking them if they don’t install one.

Dennis Thibeault

CIO, Curry College

Posted by: listserv-anon on August 28, 2012

At Suffolk CCC we have a hybrid to the solutions most are posting. We have all students, faculty and staff register up to two device MACs with us. We have a SSID that they can then authenticate with our AD (using one of their pre-registered devices.) We limit their access to three hours at which point they have to re-authenticate. I am wondering what limits others place on sessions; in particular what other community colleges are doing.

Doug

Posted by: kahnd on August 28, 2012

Hello… New to the list.

At Knox we went made a major commitment to wireless technology about 4 years ago. By major commitment I mean that 4 years ago in our residence hall network upgrade we abandoned wired connectivity and only put in enough POE ports to power our access points. We provide wired connectivity in the residence halls only for an additional fee.

We offer a few different SSIDs and have deployed a NAC solution (Bradford Networks). The “primary SSID” that we make available for students, faculty and staff utilizes 802.1x authentication. This ties into our NAC which uses RADIUS on the backend. Upon initial registration, it assesses the security posture of the device (critical patches/updates, has College supplied. Both up to date) and profiles it (who, what OS, MAC Address, and role - assigns device to a particular VLAN based on OU). To gain access you have to an account in Active Directory in the OUs we define for students, faculty and staff.

We’ve run into a few devices that don’t support 802.1x authentication. Generally these are gaming systems, TIVOs, DVRs, some streaming devices, and Internet enabled televisions. We’ve created an SSID that offers WEP authentication to allow these devices on our network. End users still have to provide their credentials to register them. When registered, we move these to a captive VLAN that provides only Internet access. One nice side effect… many of the gaming issues our students were reporting just went away when we did this.

We also offer a guest network with a unique SSID. It is tied into a different authentication mechanism (uses 802.1x) scheme that is integral to our NAC system so that we don’t have to add temporary accounts to Active Directory. We can create username/password pairs that have a start and sunset date associated with them. We ask people inviting guests to campus to request an account and supply us with their e-mail address. The e-mail address becomes the username and the NAC generates a random password. It creates a “ticket” with the username, password, instructions, and the dates when the account will be active and e-mails it address that is the username associated with the account.

Lastly, we create some SSIDs on the fly for large groups coming to campus (e.g. Admission Open House, Board Meetings, Relay for Life, …) where the guest list is unknown or the group is so large that creating guest accounts is impractical. We offer a web form where an authenticated user (even students… e.g. Ultimate Frisbee Tournament) request a WEP keyed network for an event with duration of up to 5 days. Users on these networks are placed on a single VLAN outside our firewall and given restricted (shaped bandwidth and certain ports) access to the Internet only.

Steve Hall

Steven S. Hall | Vice President and Chief Information Officer
KNOX COLLEGE – Information Technology Services
2 East South Street | Galesburg, IL 61401
Tel 309.341.7823 | Fax 309.341.7099

shall@knox.edu | www.knox.edu

Celebrating 175 Years

175.knox.edu

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Best
Sent: Tuesday, August 28, 2012 12:20 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Wireless Authentication

We are using a similar setup as Thomas. SSIDs for Faculty/Staff, Students and Guests but we add one or Events as well. Guests is really just a single day pass where Events will last up to 5 days. All users are authenticated via AD.

Posted by: shall@knox.edu on August 28, 2012

Michael, Hello! I am fairly new at Siena and I gather we are sister schools. To answer your question: We do require authentication and registration on our wireless network. Siena has used Bradford Networks system for access control for many years and it is used for both wired and wireless management. I'd be happy to talk to you about it. - Mark -- Mark Berman, Chief Information Officer Siena College 515 Loudon Road Loudonville, NY 12211 (518)786-5000, Fax: (518)783-2590 Siena College is a learning community advancing the ideals of a liberal arts education, rooted in its identity as a Franciscan and Catholic institution. CONFIDENTIALITY NOTICE: This e-mail, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you received this e-mail and are not the intended recipient, please inform the sender by e-mail reply and destroy all copies of the original message. From: "Hoffman, Michael" > Date: Tuesday, August 28, 2012 11:32 AM Subject: Wireless Authentication Dear Colleagues, The start of the semester has brought us numerous problems with students not being able to authenticate to our wireless portal to access our network and the Internet. I’m curious how other campuses control WiFi access. Specifically, are you forcing authentication? Do you allow students to use the wireless without any authentication/registration? Thank you. Michael S. Hoffman Executive Director for Information Technology St. Bonaventure University mhoffman@sbu.edu www.sbu.edu ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: mberman on August 29, 2012

Message from dewittlatimer@gmail.com

Good Morning List: Seems like I'm going against conventional wisdom, but we're getting ready to rewrite the SSID rules at Montana State: MSU-Guest -- open, unauthenticated MSU -- open, unauthenticated MSU-Secure -- 802.1x After weighing the benefits vs risks, the BYOD movement, and any number of other factors, we see little downside and lots of upside to running an open net while also offering those so inclined a secure option. Our users are smart - they'll do what they need to. Might we get some abuses? Yes..but they'll be small in the grand scheme of things. We'll evaluate after a year, so stay tuned. -d

Posted by: listserv-anon on August 29, 2012

At Roanoke College, we just changed to unauthenticated guest wireless in time for the parents and families to use. It is a low risk, "free" service for the community which will please our visitors on campus (parents, trustees, alumni) and which everyone is beginning to expect. Rebecca F. Sandlin Chief Information Officer P: 540-375-2585 | M: 540-759-0942 sandlin@roanoke.edu Like us on Facebook On 8/29/12 8:31 AM, "Dewitt Latimer" wrote: >Good Morning List: > >Seems like I'm going against conventional wisdom, but we're getting >ready to rewrite the SSID rules at Montana State: > >MSU-Guest -- open, unauthenticated > >MSU -- open, unauthenticated > >MSU-Secure -- 802.1x > >After weighing the benefits vs risks, the BYOD movement, and any >number of other factors, we see little downside and lots of upside to >running an open net while also offering those so inclined a secure >option. > >Our users are smart - they'll do what they need to. Might we get some >abuses? Yes..but they'll be small in the grand scheme of things. > >We'll evaluate after a year, so stay tuned. > > >-d > >

Posted by: rsandlin on August 29, 2012

We have part of our wireless open to the public but we have it password protected. We broadcast the password in the SSID so anyone can see what it is. Using a password turns on security which turns in encryption. The use of encryption circumvents things like firesheep which someone can use to hijack someone's else's session. It's a simple protection technique but it works. David Carson Chief Information Officer 432-335-6649 (Office) 432-335-6780 (Fax) dcarson@odessa.edu www.odessa.edu Odessa College 201 W. University Blvd Odessa, TX 79764 -----Original Message----- From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dewitt Latimer Sent: Wednesday, August 29, 2012 7:32 AM To: CIO@LISTSERV.EDUCAUSE.EDU Subject: Re: [CIO] Wireless Authentication Good Morning List: Seems like I'm going against conventional wisdom, but we're getting ready to rewrite the SSID rules at Montana State: MSU-Guest -- open, unauthenticated MSU -- open, unauthenticated MSU-Secure -- 802.1x After weighing the benefits vs risks, the BYOD movement, and any number of other factors, we see little downside and lots of upside to running an open net while also offering those so inclined a secure option. Our users are smart - they'll do what they need to. Might we get some abuses? Yes..but they'll be small in the grand scheme of things. We'll evaluate after a year, so stay tuned. -d

Posted by: drcarson on August 29, 2012

We have been running similar to this since the iPhone 1 was introduced. No real issues to date. Guest is open but VLANed outside border firewall and our IPS blocks P2P on that vlan. Campus wireless has a login, but is being phased out for eduroam Eduroam is being pushed as the secure 801.x SSID we want to promote since you can use this from other campuses that have done eduroam Anyone on campus can use guest wireless but you might have go through VPN for some services that are not Internet facing. We are seeing more people move devices (phones, tablets, laptops) to eduroam and it works well. Once configured there is no user login interaction. For AY 12-13 we are pushing eduroam hard in areas. Jack Jack Suess Sent from mobile

Posted by: jack on August 29, 2012

Perhaps my thinking is outdated here... but I've always wanted to operate authenticated wireless because of CALEA. Not offering "public" access is key to being exempt from provisions of CALEA. At least, that is the stance that many Colleges and Universities have been taking. Does anyone have other guidance to offer? Steven S. Hall | VP & CIO KNOX COLLEGE 2 East South Street | Galesburg, IL 61401 Tel 309.341.7823 | Fax 309.341.7099 -----Original Message----- From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sandlin, Rebecca Sent: Wednesday, August 29, 2012 8:24 AM To: CIO@LISTSERV.EDUCAUSE.EDU Subject: Re: [CIO] Wireless Authentication At Roanoke College, we just changed to unauthenticated guest wireless in time for the parents and families to use. It is a low risk, "free" service for the community which will please our visitors on campus (parents, trustees, alumni) and which everyone is beginning to expect. Rebecca F. Sandlin Chief Information Officer P: 540-375-2585 | M: 540-759-0942 sandlin@roanoke.edu Like us on Facebook On 8/29/12 8:31 AM, "Dewitt Latimer" wrote: >Good Morning List: > >Seems like I'm going against conventional wisdom, but we're getting >ready to rewrite the SSID rules at Montana State: > >MSU-Guest -- open, unauthenticated > >MSU -- open, unauthenticated > >MSU-Secure -- 802.1x > >After weighing the benefits vs risks, the BYOD movement, and any number >of other factors, we see little downside and lots of upside to running >an open net while also offering those so inclined a secure option. > >Our users are smart - they'll do what they need to. Might we get some >abuses? Yes..but they'll be small in the grand scheme of things. > >We'll evaluate after a year, so stay tuned. > > >-d > >

Posted by: shall@knox.edu on August 29, 2012

Steve- My first thought was CALEA as well, but it seems that the specific application of CALEA to broadband -data- access is still in the legal netherworld. I know at least a couple of years ago most higher ed institutions, including ours, were requiring some kind of guest authentication or sponsorship to abide by the (then) anticipated upcoming requirements of CALEA. Maybe it has since become a moot point? -- Jeff Giacobbe Associate Vice President Enterprise Technology Montclair State University On 08/29/2012 10:30 AM, Steve Hall wrote: > Perhaps my thinking is outdated here... but I've always wanted to operate > authenticated wireless because of CALEA. Not offering "public" access is > key to being exempt from provisions of CALEA. At least, that is the > stance that many Colleges and Universities have been taking. Does anyone > have other guidance to offer? > > Steven S. Hall | VP & CIO > KNOX COLLEGE > 2 East South Street | Galesburg, IL 61401 > Tel 309.341.7823 | Fax 309.341.7099 > > -----Original Message----- > From: The EDUCAUSE CIO Constituent Group Listserv > [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sandlin, Rebecca > Sent: Wednesday, August 29, 2012 8:24 AM > To: CIO@LISTSERV.EDUCAUSE.EDU > Subject: Re: [CIO] Wireless Authentication > > At Roanoke College, we just changed to unauthenticated guest wireless in > time for the parents and families to use. It is a low risk, "free" service > for the community which will please our visitors on campus (parents, > trustees, alumni) and which everyone is beginning to expect. > > > > > > > Rebecca F. Sandlin > Chief Information Officer > > P: 540-375-2585 | M: 540-759-0942 > sandlin@roanoke.edu > Like us on Facebook > > > > > On 8/29/12 8:31 AM, "Dewitt Latimer" wrote: > >> Good Morning List: >> >> Seems like I'm going against conventional wisdom, but we're getting >> ready to rewrite the SSID rules at Montana State: >> >> MSU-Guest -- open, unauthenticated >> >> MSU -- open, unauthenticated >> >> MSU-Secure -- 802.1x >> >> After weighing the benefits vs risks, the BYOD movement, and any number >> of other factors, we see little downside and lots of upside to running >> an open net while also offering those so inclined a secure option. >> >> Our users are smart - they'll do what they need to. Might we get some >> abuses? Yes..but they'll be small in the grand scheme of things. >> >> We'll evaluate after a year, so stay tuned. >> >> >> -d >> >>

Posted by: giacobbej on August 29, 2012

Steve,

I'm no expert on CALEA, but that is still my understanding as well. We gave up on being exempt from CALEA a long time ago as we've always had open wireless. The administration decided it was more important as a community college to be open to the community, so we purchased the hardware needed to comply with CALEA.

Dave

David Hoyt

Chief Information Systems Officer

Collin College

Collin Higher Education Center

3452 Spur 399

McKinney, TX 75069

P - 972.599.3133 F - 972.599.3131

dhoyt@collin.edu

>>> On 8/29/2012 at 9:30 AM, in message <02f901cd85f2$e2763570$a762a050$@knox.edu>, Steve Hall <shall@KNOX.EDU> wrote:

Perhaps my thinking is outdated here... but I've always wanted to operate
authenticated wireless because of CALEA. Not offering "public" access is
key to being exempt from provisions of CALEA. At least, that is the
stance that many Colleges and Universities have been taking. Does anyone
have other guidance to offer?

Steven S. Hall | VP & CIO
KNOX COLLEGE
2 East South Street | Galesburg, IL 61401
Tel 309.341.7823 | Fax 309.341.7099

-----Original Message-----
From: The EDUCAUSE CIO Constituent Group Listserv
[mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sandlin, Rebecca
Sent: Wednesday, August 29, 2012 8:24 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Wireless Authentication

At Roanoke College, we just changed to unauthenticated guest wireless in
time for the parents and families to use. It is a low risk, "free" service
for the community which will please our visitors on campus (parents,
trustees, alumni) and which everyone is beginning to expect.

<http://roanoke.edu/>

Rebecca F. Sandlin
Chief Information Officer

P: 540-375-2585 | M: 540-759-0942
sandlin@roanoke.edu
Like us on Facebook <http://www.facebook.com/roanoke>

On 8/29/12 8:31 AM, "Dewitt Latimer" <dewittlatimer@GMAIL.COM> wrote:

>Good Morning List:
>
>Seems like I'm going against conventional wisdom, but we're getting
>ready to rewrite the SSID rules at Montana State:
>
>MSU-Guest -- open, unauthenticated
>
>MSU -- open, unauthenticated
>
>MSU-Secure -- 802.1x
>
>After weighing the benefits vs risks, the BYOD movement, and any number
>of other factors, we see little downside and lots of upside to running
>an open net while also offering those so inclined a secure option.
>
>Our users are smart - they'll do what they need to. Might we get some
>abuses? Yes..but they'll be small in the grand scheme of things.
>
>We'll evaluate after a year, so stay tuned.
>
>
>-d <gathering no moss>
>
>

Posted by: dhoyt on August 29, 2012

David,

So out of curiosity, what did you decide you needed to purchase in order to comply?

--Dave

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu

Posted by: curryd on August 29, 2012

Message from dewittlatimer@gmail.com

Yes - good catch Jack. I was neglectful in mentioning the role and benefits of eduroam - that certainly will be a tool in our toolbag *soon*. -d

Posted by: listserv-anon on August 29, 2012

With the iPhone 1 we saw BYOD changing wireless. Logging in to the iPhone each time seemed the wrong approach. I felt it was necessary to easily accommodate this and we worked with legal prior to providing guest access to make certain that we were not violating CALEA. In our case, we are not advertising our guest wireless SSID outside the physical boundaries of our campus. Campuses are public, but within a limited context. Saying that, every lawyer will view risk differently. Over the last five years we have tended to see less restrictions so we feel we made the right decision. The material below is a little technical but explains how we worked to discuss this with the lawyers. What we discussed with the lawyer was the mechanics of meeting a CALEA request. It will either be someone wanting traffic trapped based on an IP address being visited, a campus ip address and a timestamp, or a person's name. In the first case, an IP address being visited, we will look at netflow data and determine what campus IP address was used and get the MAC address this IP address was assigned to at that time. The second case is an easier version of the first case because we have the IP address issued. For the third case, a person's name, the reality is that authenticated wireless would still require us to look up the user and do the actual trapping of packets by MAC/IP address that was logged in by that user. We felt confident we can do that even in a guest wireless world because of other logging data. As a result, we did not see how guest wireless was materially different from plugging an ethernet cable into an existing wall jack (we are not doing NAC for wired connections) and felt that if guest wireless was an issue then so would wired connections not implementing NAC. Again, we have a fairly sophisticated network and security team and we felt comfortable we could meet a request in the wired case if a request came in. In doing this a bigger concern was P2P. Our University Counsel is the DMCA agent. We needed to make sure this did not become a backdoor for illegal downloads and tried a number of things, the most effective was enabling the P2P filters on our IPS. Another issue was we had to convince the auditors this was not a security threat. This is why it is vlann'ed to run outside the border router. A user on campus looks like they are coming in from off-campus and so the security issues are the same for anyone connecting it from home. Finally, we have said all along to legal and the campus that if there is legal guidance that clarifies this to require a more restrictive approach we can eliminate this at a moments notice. There would be some inconvenience but people would understand we have to comply with regulations. Our campus could use the other SSID's and we would do a guest signup. Based on those accommodations Legal agreed with moving forward on an unauthenticated guest wireless. jack

Posted by: jack on August 29, 2012

There is a very good discussion of this topic in the CIO list archives from November 2011. I won't repeat my points from that thread here. I have some new ones. :-) The November 2011 thread has a post in it from Susan Grajek of EDUCAUSE giving survey data that shows that about 70% of us DO NOT offer public, unauthenticated access. So, if you don't offer it, don't feel like you're unusual. We do not offer any access that isn't authenticated. I don't offer public access to my wifi at home either. I believe it would be irresponsible of me to provide anonymous, unauthenticated access to my network to anyone who happens to be within radio range of it. I don't have staff to monitor 24x7x365 what these "guests" do using my network. Here are some quotes from the grand jury indictment in a case where my college was a victim of abuse committed using another college's network: "Due to the speed of the University of blanks's network, blank continued to send his spam emails from campus. Blank accomplished this by either connecting via the wireless Internet service provided by blank University from anywhere on campus, or by connecting directly to the blank University network through an ethernet cable connection in a classroom or other blank University building." "In all, the defendants sold over $4.1 million worth of products through their illegal spam operation." Please note that the target of these criminals was college students. -- Ron Parker, Director of Information Technology, Brazosport College Voice: (979) 230-3480 FAX: (979) 230-3111 http://www.brazosport.edu Nuclear power plants supply 19.2% of electricity in the United States. > -----Original Message----- > From: The EDUCAUSE CIO Constituent Group Listserv > [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Hall > Sent: Wednesday, August 29, 2012 9:30 AM > To: CIO@LISTSERV.EDUCAUSE.EDU > Subject: Re: [CIO] Wireless Authentication > > Perhaps my thinking is outdated here... but I've always wanted to operate > authenticated wireless because of CALEA. Not offering "public" access is key > to being exempt from provisions of CALEA. At least, that is the stance that > many Colleges and Universities have been taking. Does anyone have other > guidance to offer? > > Steven S. Hall | VP & CIO > KNOX COLLEGE > 2 East South Street | Galesburg, IL 61401 Tel 309.341.7823 | Fax 309.341.7099 > > -----Original Message----- > From: The EDUCAUSE CIO Constituent Group Listserv > [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sandlin, Rebecca > Sent: Wednesday, August 29, 2012 8:24 AM > To: CIO@LISTSERV.EDUCAUSE.EDU > Subject: Re: [CIO] Wireless Authentication > > At Roanoke College, we just changed to unauthenticated guest wireless in time > for the parents and families to use. It is a low risk, "free" service for the > community which will please our visitors on campus (parents, trustees, > alumni) and which everyone is beginning to expect. > > > > > > > Rebecca F. Sandlin > Chief Information Officer > > P: 540-375-2585 | M: 540-759-0942 > sandlin@roanoke.edu > Like us on Facebook > > > > > On 8/29/12 8:31 AM, "Dewitt Latimer" wrote: > > >Good Morning List: > > > >Seems like I'm going against conventional wisdom, but we're getting > >ready to rewrite the SSID rules at Montana State: > > > >MSU-Guest -- open, unauthenticated > > > >MSU -- open, unauthenticated > > > >MSU-Secure -- 802.1x > > > >After weighing the benefits vs risks, the BYOD movement, and any number > >of other factors, we see little downside and lots of upside to running > >an open net while also offering those so inclined a secure option. > > > >Our users are smart - they'll do what they need to. Might we get some > >abuses? Yes..but they'll be small in the grand scheme of things. > > > >We'll evaluate after a year, so stay tuned. > > > > > >-d > > > >

Posted by: rparker on August 29, 2012

Message from ellisj@mail.strose.edu

We had a situation about a year ago where someone used a stolen debit card to make online purchases using a generic logon on one of our classroom teacher stations. The FBI contacted us and requested assistance in identifying the culprit who they suspected being part of an organized crime gang. When they found out that a generic logon was used they were quite disappointed and lectured me on the importance of CALEA. They strongly suggested that we avoid generic logons and other forms of guest access to network resources in an effort to deter future criminal activities.

- John

John R. Ellis

Executive Director Information Technology Services

The College of Saint Rose

432 Western Avenue

Albany, New York 12203

518-454-5166

ellisj@strose.edu

www.strose.edu

ITS.strose.edu

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Hoyt
Sent: Wednesday, August 29, 2012 10:56 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Wireless Authentication

Steve,

Dave

David Hoyt

Chief Information Systems Officer

Collin College

Collin Higher Education Center

3452 Spur 399

McKinney, TX 75069

P - 972.599.3133 F - 972.599.3131

dhoyt@collin.edu

>>> On 8/29/2012 at 9:30 AM, in message <02f901cd85f2$e2763570$a762a050$@knox.edu>, Steve Hall <shall@KNOX.EDU> wrote:

Perhaps my thinking is outdated here... but I've always wanted to operate
authenticated wireless because of CALEA. Not offering "public" access is
key to being exempt from provisions of CALEA. At least, that is the
stance that many Colleges and Universities have been taking. Does anyone
have other guidance to offer?

Steven S. Hall | VP & CIO
KNOX COLLEGE
2 East South Street | Galesburg, IL 61401
Tel 309.341.7823 | Fax 309.341.7099

-----Original Message-----
From: The EDUCAUSE CIO Constituent Group Listserv
[mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sandlin, Rebecca
Sent: Wednesday, August 29, 2012 8:24 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Wireless Authentication

At Roanoke College, we just changed to unauthenticated guest wireless in
time for the parents and families to use. It is a low risk, "free" service
for the community which will please our visitors on campus (parents,
trustees, alumni) and which everyone is beginning to expect.

<http://roanoke.edu/>

Rebecca F. Sandlin
Chief Information Officer

P: 540-375-2585 | M: 540-759-0942
sandlin@roanoke.edu
Like us on Facebook <http://www.facebook.com/roanoke>

On 8/29/12 8:31 AM, "Dewitt Latimer" <dewittlatimer@GMAIL.COM> wrote:

>Good Morning List:
>
>Seems like I'm going against conventional wisdom, but we're getting
>ready to rewrite the SSID rules at Montana State:
>
>MSU-Guest -- open, unauthenticated
>
>MSU -- open, unauthenticated
>
>MSU-Secure -- 802.1x
>
>After weighing the benefits vs risks, the BYOD movement, and any number
>of other factors, we see little downside and lots of upside to running
>an open net while also offering those so inclined a secure option.
>
>Our users are smart - they'll do what they need to. Might we get some
>abuses? Yes..but they'll be small in the grand scheme of things.
>
>We'll evaluate after a year, so stay tuned.
>
>
>-d <gathering no moss>
>
>

Posted by: listserv-anon on August 29, 2012

Dave,

I asked my network staff for the details and they are below. I knew we had purchased a Cisco Mars appliance as part of CALEA compliance.

"Besides MARS, we rely on a combination of tools/appliances that we have in place. These tools would include our Cisco ASA with IPS, Bluesocket for agreement and individual MAC association and Pharos Sign In to track utilization on many of the open computers.

Using all of these devices in some variation, we can identify the individual device and provide the needed information to whatever Law Enforcement Agency if needed."

Dave

David Hoyt

Chief Information Systems Officer

Collin College

Collin Higher Education Center

3452 Spur 399

McKinney, TX 75069

P - 972.599.3133 F - 972.599.3131

dhoyt@collin.edu

>>> On 8/29/2012 at 10:06 AM, in message <CA+d9XAPs_rmG3i9urLhn0bt8DA15Q-PNBnXo8QXWHZ2YMxQYdg@mail.gmail.com>, David Curry <david.curry@NEWSCHOOL.EDU> wrote:

David,

So out of curiosity, what did you decide you needed to purchase in order to comply?

--Dave

DAVID A. CURRY, CISSP . DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL . 55 W. 13TH STREET . NEW YORK, NY 10011

+1 212 229-5300 x4728 . david.curry@newschool.edu

Posted by: dhoyt on August 29, 2012

Dear all,

We used to have open unauthenticated guest wireless. There was some level of abuse by members of the community coming to campus to download their media of choice. However, what drove us to eliminate unauthenticated wireless to assure that we are exempt from the requirements of CALEA. From http://www.nacua.org/documents/ACECalea.pdf:

"While CALEA exempts “private networks,” neither the statute nor the FCC’s rules define

that key term. Without question, the term encompasses networks that are “closed” in the sense

that they are self-contained and do not interconnect with a public network (either the Internet or

the telephone network). The FCC’s order also strongly suggests that interconnected networks

will be considered private when made available only to limited constituencies, rather than to the

general public. Thus, campus networks that offer Internet connectivity but are made available

only to students, faculty, and administrators—and that exclude the public at large, for example

by requiring university ID cards to gain access to networked terminals and by requiring password

authentication on wireless networks, among other measures—almost certainly would be

considered private."

We set up a portal where any faculty, staff, or student can create a temporary wireless account for their guests.

Rick

--
Rick Matthews

Associate Provost for Technology & Information Systems

Wake Forest University

Posted by: rick1matthews on August 29, 2012

Message from mike.cunningham@pct.edu

Rick, how to you deal with conferences or sports camps on campus in the summer or overnight visiting high school seniors who need to have internet access and most likely wireless internet access? Do you make each person register and use a unique username?

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Matthews, Rick
Sent: Wednesday, August 29, 2012 12:51 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Wireless Authentication