I'm just curious how other school districts are authenticating iPads for teacher/student use. Our district just bought 650 iPad 2s to start, and will be buying many more this fall. We are fairly large with 140 sites. Apple has obviously designed these devices with 1:1 personal use in mind.
I currently have three VAPs in use:
1. Guest with Captive portal
2. WPA2-PSK for Macs (majority of our Macs are still OS X 10.4/10.5 - can't handle 802.1X reliably)
3. Secure 802.1X for district PC's
I have been brainstorming, trying to figure out how I will authenticate these iPads. They are going to be shared by classes of students and need to "just work". Trying to have a grade one student enter AD credentials is not going to happen. I have the Secure 802.1X VAP configured so that both machine and user authentication have to be passed before full authentication and a real IP is given out. If only user authentication is passed, then the guest IP/role is given.
Here are some options:
1. Use guest network with captive portal
- Issue: If iPad goes to sleep and user idle timer expires, many apps fail to launch because Safari needs to be launched to accept guest captive portal agreement.
2. Use WPA2-PSK with MAC address filtering
- Issue: Managing thousands of MAC addresses is not practical, plus easy enough to spoof.
3. Use WPA2-PSK
- Issue: Security. A jailbreak for the iPad 2 is probably weeks away. On iPad and iPod it takes minutes, and then an app like WiFiPass can be downloaded to display all network SSIDs/keys.
4. Use WPA2-E with 802.1x service account
- Issue: Service account could be compromised with a jailbreak - but deny local logon could be applied, and if used on a device without a valid AD account, only the guest IP/role would be given. This would also get around the captive portal issue because Safari doesn't need to be re-launched after the iPads sleep.
5. Use ArubaOS 6.1 device fingerprinting - assign iPad role
- Issue: I'm still on Aruba OS 5.0.3.0 but am planning to upgrade to 6.1 this summer. But I wouldn't really want to give any iPad detected a "district" role.
6. EAP-TLS?
- Issue: Configuration cumbersome. If iPads need to be restored on site then someone needs the iPhone configuration utility with generic iTunes account, etc.
7. Amigopod?
- Issue: Haven't tested - not familiar with product. Possibly a one time certificate load/enrollment - but how would that work if iPads are restored on site by somewhat non-technical staff?
Other thoughts:
1. AirPrint - probably more of a district policy to allow/disallow printing from iOS devices. But keeping it in mind, it definitely rules out certain authentication options because printers are currently residing in internal VLANs.
2. File sharing/streaming between MacBook/iMac and iPad. Not sure if this is already available - but if not it's definitely coming in iOS 5. Then I've got problems if I'm separating iPads and district Macs and they need to talk.
For now I have them using the guest network and have extended the user idle timeout to the max (4.25 hours). However, that's not long enough to last a full school day. I already have some teachers complaining it's inconvenient to have to accept the captive portal so often.
Any thoughts?
Thanks.
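Option 4 (WPA2-Enterprise with an 802.1X service account) and option 6 (certificate-based enrollment through the iPhone Configuration Utility) both come down to pushing a Wi-Fi configuration profile onto the iPads. The script below is an added example, not code from the original post or from Aruba/Apple: it builds a minimal .mobileconfig for a PEAP/MSCHAPv2 SSID with a shared service account and then checks the profile for the two settings that matter most when a single credential is shared across hundreds of devices: a trusted CA anchor for the RADIUS server and a pinned RADIUS server name, so the devices only hand the credential to the district's own authentication server. Payload keys follow Apple's Configuration Profile Reference as I know it; the SSID, account name, RADIUS host name, CA bytes and organization identifier are constructed placeholders, and `build_wifi_profile`/`check_profile` are names chosen for this example.

```python
"""Build and sanity-check an iOS Wi-Fi profile for a WPA2-Enterprise SSID that
uses a shared 802.1X service account (PEAP/MSCHAPv2).

Added example, not from the original post. Payload keys follow Apple's
Configuration Profile Reference (com.apple.wifi.managed, EAPClientConfiguration);
every concrete value below is a constructed placeholder.
"""
import plistlib
import uuid

PEAP = 25  # EAP method number for PEAP in AcceptEAPTypes


def _new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_wifi_profile(ssid: str, username: str, password: str,
                       radius_server_name: str, ca_cert_der: bytes,
                       org_id: str = "org.example.district",
                       pin_server: bool = True) -> bytes:
    """Return the XML plist bytes of a .mobileconfig containing a root-CA payload
    and a managed Wi-Fi payload. pin_server=False reproduces the common mistake of
    shipping the credential without telling iOS which RADIUS server to trust."""
    ca_uuid = _new_uuid()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.radius-ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS CA",
        "PayloadContent": ca_cert_der,  # bytes are serialized as <data>
    }
    eap = {
        "AcceptEAPTypes": [PEAP],
        "UserName": username,
        "UserPassword": password,  # shared service account; restrict it on the AD side
    }
    if pin_server:
        # Only accept a RADIUS certificate chaining to our CA with this exact name.
        eap["PayloadCertificateAnchorUUID"] = [ca_uuid]
        eap["TLSTrustedServerNames"] = [radius_server_name]
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "District iPad Wi-Fi",
        "PayloadRemovalDisallowed": True,  # keeps students from dropping the profile
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes: bytes) -> list:
    """Return a list of findings for every enterprise Wi-Fi payload that does not
    anchor and pin the RADIUS server; an empty list means the profile passes."""
    profile = plistlib.loads(profile_bytes)
    ca_uuids = {p["PayloadUUID"] for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.security.root"}
    findings = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration")
        if not eap:
            continue  # PSK/open SSID, nothing to pin
        ssid = p.get("SSID_STR", "?")
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if not anchors or not anchors <= ca_uuids:
            findings.append(f"{ssid}: no CA anchor payload for the RADIUS server")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames not set; any server cert would be accepted")
    return findings


if __name__ == "__main__":
    fake_ca = b"\x30\x82\x00\x00placeholder-der"  # constructed stand-in for a DER cert
    good = build_wifi_profile("DISTRICT-IPAD", "ipad-svc", "placeholder-password",
                              "radius.example.district", fake_ca)
    weak = build_wifi_profile("DISTRICT-IPAD", "ipad-svc", "placeholder-password",
                              "radius.example.district", fake_ca, pin_server=False)
    print("pinned profile findings:", check_profile(good))
    print("unpinned profile findings:", check_profile(weak))
```

The profile can be built once, signed, and handed to site staff as a single file to reinstall after a restore, which addresses the "restored on site by non-technical staff" concern without anyone typing the service-account password. It does not change what the post already notes about jailbroken devices being able to read the stored credential, so the service account still needs deny-local-logon and the controller still needs to map it to nothing more than the iPad role.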