Wireless Access

I'm just curious how other school districts are authenticating iPads for teacher/student use. Our district just bought 650 iPad2's to start, and will be buying many more this fall. We are fairly large with 140 sites. Apple has obviously designed these devices with 1:1 personal use in mind.

I currently have three VAP's in use:
1. Guest with Captive portal
2. WPA2-PSK for Mac's (majority of our Macs are still OSX 10.4/10.5 - can't handle 802.1X reliably)
3. Secure 802.1X for district PC's

I have been brainstorming trying to figure how I will authenticate these iPads. They are going to be shared by classes of students and need to "just work". Trying to have a grade one student enter AD credentials is not going to happen. I have the Secure 802.1X VAP configured so that both machine and user authentication has to be passed before full authentication and real IP is given out. If only user authentication is passed then guest IP/role is given.

Here are some options:
1. Use guest network with captive portal
- Issue: If iPad goes to sleep and user idle timer expires, many apps fail to launch because Safari needs to be launched to accept guest captive portal agreement.
2. Use WPA2-PSK with MAC address filtering
- Issue: Managing thousands of MAC addresses is not practical, plus easy enough to spoof.
3. Use WPA2-PSK
- Issue: Security. Jailbreak for iPad2 is probably weeks away. On iPad and iPod it takes minutes and then app like WiFiPass can be downloaded to display all network SSID/key.
4. Use WPA2-E with 802.1x service account
- Issue: Service account could be comprised with Jailbreak - but deny local logon could be applied and if used on a device without a valid AD account - only guest IP/role would given. This would also get around the Captive portal issue because Safari doesn't need to be re-launched after the iPads sleep.
5. Use ArubaOS 6.1 device fingerprinting - assign iPad role
- Issue: I'm still on Aruba OS 5.0.3.0 but am planning to upgrade to 6.1 this summer. But I wouldn't really want to give any iPad detected a "district" role.
6. EAP-TLS?
- Issue: Configuration cumbersome. If iPads need to be restored on site then someone needs the iPhone configuration utility with generic iTunes account, etc.
7. Amigopod?
- Issue: Haven't tested - not familiar with product. Possibly a one time certificate load/enrollment - but how would that work if iPads are restored on site by somewhat non-technical staff?

Other thoughts:
1. AirPrint - probably more of a district policy to allow/disallow printing from iOS devices. But keeping it in mind, it definitely rules out certain authentication options because printers are currently residing in internal VLANs.
2. File sharing/streaming between MacBook/iMac and iPad. Not sure if this is already available - but if not it's definitely coming in iOS 5. Then I've got problems if I'm separating iPads and district Macs and they need to talk.

For now I have them using the guest network and have extended the user idle timeout to the max (4.25 hours). However, that's not long enough to last a full school day. I already have some teachers complaining it's inconvenient to have to accept the captive portal so often.

Any thoughts?
Thanks.

---

I'm just curious how other school districts are authenticating iPads for teacher/student use. Our district just bought 650 iPad2's to start, and will be buying many more this fall. We are fairly large with 140 sites. Apple has obviously designed these devices with 1:1 personal use in mind.

I currently have three VAP's in use:
1. Guest with Captive portal
2. WPA2-PSK for Mac's (majority of our Macs are still OSX 10.4/10.5 - can't handle 802.1X reliably)
3. Secure 802.1X for district PC's

I have been brainstorming trying to figure how I will authenticate these iPads. They are going to be shared by classes of students and need to "just work". Trying to have a grade one student enter AD credentials is not going to happen. I have the Secure 802.1X VAP configured so that both machine and user authentication has to be passed before full authentication and real IP is given out. If only user authentication is passed then guest IP/role is given.

Here are some options:
1. Use guest network with captive portal
- Issue: If iPad goes to sleep and user idle timer expires, many apps fail to launch because Safari needs to be launched to accept guest captive portal agreement.
2. Use WPA2-PSK with MAC address filtering
- Issue: Managing thousands of MAC addresses is not practical, plus easy enough to spoof.
3. Use WPA2-PSK
- Issue: Security. Jailbreak for iPad2 is probably weeks away. On iPad and iPod it takes minutes and then app like WiFiPass can be downloaded to display all network SSID/key.
4. Use WPA2-E with 802.1x service account
- Issue: Service account could be comprised with Jailbreak - but deny local logon could be applied and if used on a device without a valid AD account - only guest IP/role would given. This would also get around the Captive portal issue because Safari doesn't need to be re-launched after the iPads sleep.
5. Use ArubaOS 6.1 device fingerprinting - assign iPad role
- Issue: I'm still on Aruba OS 5.0.3.0 but am planning to upgrade to 6.1 this summer. But I wouldn't really want to give any iPad detected a "district" role.
6. EAP-TLS?
- Issue: Configuration cumbersome. If iPads need to be restored on site then someone needs the iPhone configuration utility with generic iTunes account, etc.
7. Amigopod?
- Issue: Haven't tested - not familiar with product. Possibly a one time certificate load/enrollment - but how would that work if iPads are restored on site by somewhat non-technical staff?

Other thoughts:
1. AirPrint - probably more of a district policy to allow/disallow printing from iOS devices. But keeping it in mind, it definitely rules out certain authentication options because printers are currently residing in internal VLANs.
2. File sharing/streaming between MacBook/iMac and iPad. Not sure if this is already available - but if not it's definitely coming in iOS 5. Then I've got problems if I'm separating iPads and district Macs and they need to talk.

For now I have them using the guest network and have extended the user idle timeout to the max (4.25 hours). However, that's not long enough to last a full school day. I already have some teachers complaining it's inconvenient to have to accept the captive portal so often.

Any thoughts?
Thanks.

---

On the guest network, add a user derivation rule for DHCP fingerprinting for iPads that allow iPads to bypass the Captive Portal login on the guest SSID, and put them in an iPad role that limits them to do what you want them to do, at the bandwidth that you want them to do it. Since it seems like the great majority of your users are using it on the guest network right now anyway, only provision it as such. Alot of the other things you mention are what-if and future scenarios, but if you address how the majority of users are using it now, it will give you a good head start.

I've looked into the user derivation rules and it looks like the iPad shares the same DHCP fingerprint as all other "i" devices (370103060F77FC). This would defeat the purpose of a captive portal because 90% of the guest devices are "i" devices and would bypass the portal if I enabled that rule.

Any other way to idenify iPads and apply a rule only for them?
Thanks.
Steve

The signatures published before only said derivation rule = IOS, but it was for the iPad. That signature is only triggered by the ipad. Signatures for the iPad and iPhone are below:

Ipad = 370103060f77fc IPhone = 37011c02030f06770c2c2f1a792a

The signatures published before did not specify which device. These two above are specific.

I just tried an iPod, iPad, and iPhone- back to back to back. The signatures look the same to me.

iPod 4
Aug 29 11:02:34 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2002: REQUEST 88:c6:63:3c:89:6e reqIP=10.7.252.14 Options 37:0103060f77fc 39:05dc 3d:0188c6633c896e 33:0076a700 0c:494e464f2d49504f442d49303031

iPad 2
Aug 29 11:03:53 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2003: REQUEST a4:d1:d2:3c:b5:97 reqIP=10.7.250.54 Options 37:0103060f77fc 39:05dc 3d:01a4d1d23cb597 33:0076a700 0c:494e464f2d495041442d49303034

iPhone 4
Aug 29 11:10:29 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2001: REQUEST 7c:c5:37:0f:a3:e2 reqIP=42.7.248.252 Options 37:0103060f77fc 39:05dc 3d:017cc5370fa3e2 36:2a070001 0c:52756269636f6e

Maybe I'm looking in the wrong spot?
Steve</DBUG></DBUG></DBUG>

What versions of OS are these devices specifically? Your only option may be to use TLS for devices that you want to differentiate between personal and company-owned devices.

All three are iOS 4.3.3. Our problem will be that teachers will be reloading these iPads at the schools at will - and handing out the iPhone Configuration utility to configure TLS adds another layer of complexity for them. I suppose we would have the same issue doing some fashion of Amigopod auto enrollment?

DHCP fingerprinting aside, your first post details what your challenge is in general. I want to say your first challenge is determine what connectivity what devices will need for what resources and applications that will determine your strategy. I would suggest that you speak to your local Aruba Engineer about this to determine what is the best strategy, tailored to your specific situation. We can make suggestions on this forum, but they do not compare with a focused plan to get results.

We too have been tasked with a similar situation. Here is what I have come up with.

1. Download the iPhone configuration utility here: http://www.apple.com/support/ipad/enterprise/

2. Create a generic account on your domain (or however you are doing accounts) and set the password to expire at the end of the semester. You might want to create one per department. However, never give them the password.

3. Using the iPhone configuration utility, create a profile for your 802.1x wireless and store the username/password you created in step 2.

4. Configure other security settings on the ipad. You'll be amazed what you can control with this utility. Be sure to RTM.

5. Put the generated configuration file on a web server where the http is password protected (you don't want Joe Somebody installing this on their personal iPhone/iPad).

6. Browse to the config file on the iPad and install it.


Now granted you will need to revisit each iPad at the end of the semester. But this will also prevent multi-use iPads from having some student's login/password stored on there. You could also configure an Captive Portal after the 802.1x auth, but iPad + CP = sad panda. When the iPad locks, disconnects wifi, then unlock, they will have to login to CP again.

These are just my thoughts. I completely agree with Colin. Talk to your local SE about other options.

Zach

---

@zjennings wrote:
We too have been tasked with a similar situation. Here is what I have come up with.

1. Download the iPhone configuration utility here: http://www.apple.com/support/ipad/enterprise/

2. Create a generic account on your domain (or however you are doing accounts) and set the password to expire at the end of the semester. You might want to create one per department. However, never give them the password.

3. Using the iPhone configuration utility, create a profile for your 802.1x wireless and store the username/password you created in step 2.

4. Configure other security settings on the ipad. You'll be amazed what you can control with this utility. Be sure to RTM.

5. Put the generated configuration file on a web server where the http is password protected (you don't want Joe Somebody installing this on their personal iPhone/iPad).

6. Browse to the config file on the iPad and install it.


Now granted you will need to revisit each iPad at the end of the semester. But this will also prevent multi-use iPads from having some student's login/password stored on there. You could also configure an Captive Portal after the 802.1x auth, but iPad + CP = sad panda. When the iPad locks, disconnects wifi, then unlock, they will have to login to CP again.

These are just my thoughts. I completely agree with Colin. Talk to your local SE about other options.

Zach

---

We use this option as well. We have found that 802.1x and an ad service account are the best options for shared devices. The great thing is you can limit what they can access via a role as well as limit what that username can access for added security just incase someone somehow gets the password.

The schools that I work with are all using WPA2-PSK for iPads...