on 06-21-2016 02:09 PM
We are looking at Aruba to replace our wifi network of HP's MSM range (~200AP and 2x HA controllers).
I've looked at a number of Aruba schools (none that are using ClearPass and certificates) and a number of Ruckus Wireless schools as well (also, none using TLS-EAP certificates).
We currently use CloudPath for onboarding BYOD devices (CloudPath was previously independent, but then recently purchased by Ruckus, which was in turn acquired by Brocade this year). Cloudpath essentially onboards a BYOD by providing a captive portal where students enter their AD credentials, a unique certificate is generated and then installed on the client device(s).
I feel this is a really secure method and I like lots of it (we can revoke certificates at any time, it helps with reporting in HP's IMC, students can change their AD password without affecting their wifi authentication because the certificate does that, students can't impersonate each other if they've shared passwords etc).
HOWEVER: It does cause us some issues - cheaper devices don't like profiles/certificates all the time, and even though the onboarding is pretty simple, many students still need assistance with it. Secondly, configuring RADIUS for .1x authentication adds some complexity to the management.
The Ruckus school I visited yesterday uses dynamic WPA2-PSK. These are unique to the user, generated when valid AD credentials are entered into a portal; it pairs the MAC address to the DPSK, and is valid for one year. The upside of this is that virtually every device supports basic PSK.
This got me thinking - is using certificate-based authentication over the top in schools? Is this why virtually no schools that I've come across use it? When you're dealing with a wide range of BYOD there are no guarantees the end client devices are going to support this well, whereas virtually every device, no matter how cheap, supports a PSK.
Is wifi authentication/security the biggest/most likely attack vector in a school network? I think it's probably not, to be honest. We would never go back to a generic WPA2-PSK, but am wondering if the complexity of certificates is over the top for school environments.
I'd be interested to hear what others in this community think - I'm especially interested to learn if there are any schools using ClearPass and deploying certificates to student BYOD.
Thanks in advance,
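To make the two models in the post concrete, here is an added illustration (not CloudPath, Ruckus or Aruba code) of the per-user dynamic PSK lifecycle described above: a key that is unique to the user, bound to the device MAC address, valid for one year, and revocable when the user leaves. The registry class, the field names and the `ad_password_ok` stand-in for the AD check are assumptions made for the example; a real deployment validates the credentials against AD and pushes the key to the controller.

```python
"""Model of per-user dynamic PSK (DPSK) issuance and validation.

Added illustration for the thread, not vendor code. It captures the three
properties described for DPSK (per-user key, MAC binding, one-year validity)
and adds revocation, which the post lists as a benefit of certificates.
"""
import base64
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(days=365)  # "valid for one year", as in the post


@dataclass
class DpskRecord:
    user: str
    mac: str
    psk: str
    issued: datetime
    expires: datetime
    revoked: bool = False


class DpskRegistry:
    """Hypothetical registry: one key per enrolled device, keyed by MAC."""

    def __init__(self, now=None):
        self._records = {}
        # Injectable clock so expiry can be exercised deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def normalise_mac(mac):
        """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; return lower-case colon form."""
        digits = mac.replace(":", "").replace("-", "").lower()
        if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError(f"bad MAC address: {mac!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def issue(self, user, mac, ad_password_ok):
        """Enrolment step: a key is only generated after AD credentials validate.

        ad_password_ok is a stand-in for the real AD/LDAP check.
        """
        if not ad_password_ok:
            raise PermissionError("AD authentication failed; no key issued")
        mac = self.normalise_mac(mac)
        # 20 random bytes -> 32 base32 characters, inside WPA2's 8-63 char limit.
        psk = base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")
        now = self._now()
        record = DpskRecord(user, mac, psk, now, now + VALIDITY)
        self._records[mac] = record  # re-enrolling a device replaces its key
        return record

    def authenticate(self, mac, presented_psk):
        """Association-time check. Returns (ok, user_or_reason)."""
        record = self._records.get(self.normalise_mac(mac))
        if record is None:
            return False, "unknown device"      # MAC binding: key is useless elsewhere
        if record.revoked:
            return False, "revoked"
        if self._now() >= record.expires:
            return False, "expired"
        if not hmac.compare_digest(record.psk, presented_psk):
            return False, "wrong key"
        return True, record.user

    def revoke_user(self, user):
        """Disable every key issued to a user (e.g. on leaving the school)."""
        count = 0
        for record in self._records.values():
            if record.user == user and not record.revoked:
                record.revoked = True
                count += 1
        return count
```

The point the example makes for the comparison in the post: because the key is bound to the MAC, a student who shares their key with a friend gains nothing, which is the same impersonation property the certificate gives; what DPSK does not give is cryptographic proof of identity, since a MAC address is trivially changed on the client side. That is the "additional layer of overhead" trade-off, not a reason to prefer one over the other.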
on 06-23-2016 03:59 PM
Is certificate-based authentication over the top for BYOD in schools? Quite possibly. IF your BYOD network is segregated from sensitive network resources and firewalled so that anyone who gets on the BYOD network will not be able to reach your network and have limited Internet capabilities, then a weaker form of authentication can be justified.
However, nowadays you are likely to have machines (e.g. the Principal's tablet) that need to access your Trusted Network, but which do not support machine-based certificates. These devices can only be identified by their user, and a user-based certificate from CloudPath or ClearPass is preferable to AD credentials which are easily discovered. The per-user PSK method used by Ruckus allows any device to enrol and receive a key provided it presents valid AD credentials, so needs an additional layer of overhead to prevent impersonation.
Once you have an easy method to securely onboard Trusted Devices, you can extend it to Untrusted BYOD devices, even if you believe that the risk of entry through the BYOD network is remote.
Both CloudPath and ClearPass offer significant advantages in terms of ease of use over DPSK, although it is easier to work around a device that won’t enrol a PSK than it is to remediate the same device that needs a certificate.
As for why doesn’t everyone use these products? Principally, cost, but also the default position of Trust that leads to the conclusion that a teacher’s credentials are sufficient to block access to the school network.
The good news is that both CloudPath and ClearPass are cross-platform authentication systems, and can work with a variety of underlying wireless networks. I would suggest you run a trial of ClearPass to explore what the differences are between the two options.
on 06-23-2016 04:31 PM
We use the simple AD authentication for over 1400 students and all staff BYOD with our Aruba kit.
The BYOD network is separated by 12 subnets from the wired network. Sounds complicated, but I have the WLAN rocking, handling over 1800 devices at any one time.
The only staff tablets that access the other parts of our network are Windows-based devices, so they are controlled by Group Policy for connecting to a different SSID with different access.
All other devices, iPads, Chromebooks, phones and all personal stuff use the BYOD SSID.
It works fine and I have no issues, but we do have awesome students.
IT Services Director
Wellington Girls' College