Occasional Contributor II

Streaming and Gaming devices

We have recently implemented Clearpass and one of the things we are doing is enabling users to use headless/IoT devices on the network.  We have a specific wireless network designed for those devices that is segregated by VLAN.  Was wondering what others were doing as far as either using a PSK or leaving the network open?  We are also trying to come up with a name that makes sense for this type of use case and was wondering what others are using? 

 

We are a fairly small private university.

 

Thanks all.

Frequent Contributor I

Re: Streaming and Gaming devices


Hephzibah11 wrote:

We have recently implemented Clearpass and one of the things we are doing is enabling users to use headless/IoT devices on the network.  We have a specific wireless network designed for those devices that is segregated by VLAN.  Was wondering what others were doing as far as either using a PSK or leaving the network open?  We are also trying to come up with a name that makes sense for this type of use case and was wondering what others are using? 

 

We are a fairly small private university.

 

Thanks all.


Hi Hephzibah11,

This will be our first semester offering students the ability to register their "streaming/headless" devices onto our network. What we saw some universities doing - as well as discussions around Airheads - is building SSIDs around encryption type (1-802.1x, 1-Open, 1-PSK, etc) to help free up airtime as each SSID consumes more airtime - and making use of roles for access-management. The Single SSID we've seen other universities call (University-Start), (StartHere), something to lead the users to connect to that SSID first.

Although I've seen several variations. One university had a variation where the initial-role when connecting to the "Start" SSID was internet access - but you could request a guest account to have access to internal resources.

 

We consolidated our 2 open networks (guest and setup) into a single SSID with (University-Start-Here) that serves three purposes. If a user connects, they are presented with three options (register a guest account, setup a windows/mac computer, or register a streaming device):

  • If you self-register and web auth (with mac caching) as a guest account on the SSID - Clearpass returns a guest role with basic access to e-mail, web (http/https), vpn, etc.
  • If you register a streaming/headless device (mac auth) as a streaming device on the SSID - Clearpass returns a device role with internet access and some internal access (for casting, printing, etc)
  • Some form of configuration/onboard utility for getting laptops onto the secure 802.1x SSID.

Guru Elite

Re: Streaming and Gaming devices

The built-in Device Registration feature in ClearPass is perfect for consolidating your guest/open and headless network. Students can self-register their devices into a role (Media Player, Printer, Game Console, etc) and the policy will drop the device into the appropriate role/VLAN/bandwidth contract, etc.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Streaming and Gaming devices

We are leveraging ClearPass to do something similar to that. We have a captive portal on our Guest page (serviced by ClearPass Guest). We have services set up for our headless network that leverage profiling data to prevent Computers and Smart Devices from connecting to the network. Additionally, devices that will connect to the streaming network must be registered in the Guest User Repository. For the user to register a device in that database they must log in with their University credentials. We have also segregated off the headless network onto its own VLAN. Would adding a PSK to that network provide much of any benefit?

Guru Elite

Re: Streaming and Gaming devices

My opinion is no to the PSK. Unneeded complexity with very little benefit.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Streaming and Gaming devices


cappalli wrote:

My opinion is no to the PSK. Unneeded complexity with very little benefit.


Tim,

 

I was curious what are your thoughts on students/staff having consumer level printers operating over an open-wireless network (non-PSK)? Going into our "streaming/headless" device deployment we're not doing anything to specifically "block" printers (nor are we adding a PSK network) - if the students can figure them out - it's a bonus - however, we've strongly urged them that this isn't a secure network and should plug in through a USB cable for a secure connection.

Guru Elite

Re: Streaming and Gaming devices

I guess printers are always the odd one out as most of their traffic is local and not encrypted vs Chromecasts, Google Homes, TVs, smart home stuff, etc where most of the traffic is internet bound and encrypted.

 

When I worked at a university we just simply said they weren't supported but we wouldn't stop them from attempting to get them to work. We also didn't come across too many students who were bringing their own printers. But obviously that varies by school.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Streaming and Gaming devices


cappalli wrote:

I guess printers are always the odd one out as most of their traffic is local and not encrypted vs Chromecasts, Google Homes, TVs, smart home stuff, etc where most of the traffic is internet bound and encrypted.

 

When I worked at a university we just simply said they weren't supported but we wouldn't stop them from attempting to get them to work. We also didn't come across too many students who were bringing their own printers. But obviously that varies by school.


It's a shame our students didn't behave more like yours. :-) Our student-computer store surprisingly said that "wireless printers" were the number one question/demand -> but that could mean a number of things - (if students expect streaming devices to work already such as Chromecasts, Roku, Apple TVs, etc - then they're not going to ask that question) - we've had a little over 100 devices registered (with only one being a printer). With that said, that's the stance we're taking as well (not supporting them, but not blocking them as well). We didn't consider a separate PSK network just because having a shared PSK across many students just isn't secure - so not much benefit - although I've heard of Aerohive's PPSK. Sorry to get off-topic.

I would also like to thank you Tim - one of your previous posts is what pushed us to the Single SSID with ClearPass design - so far it seems to be working very well - but Major move-in begins tomorrow :-)
