Higher Education

Dorm Networks - Different Ways to build Dorm Networks

  • 1.  Dorm Networks - Different Ways to build Dorm Networks

    Posted Aug 31, 2021 05:49 PM
    I am posting this in hopes to hear different ways colleges are handling BYODs in dorms. I was part of an older dorm network discussion that was back in 2018, but things are changing fast. There are many devices that students can bring to the dorms, but not all devices are equal. Students have brought everything from wireless air fresheners to smart TVs.
    At the present time, we have two SSIDs in our dorms. One SSID is for non-802.1x devices such as smart TVs, game boxes, etc., and students have to register these devices through a splash page on ClearPass for MAC authentication. We are seeing that some devices are using randomized MAC addresses, or the devices are asking questions of whether they are in a dorm or home and looking for a pre-shared key.
    Our other SSID is for 802.1x authentication, which is the same SSID used across campus.
    Our end goal in the dorms is to give the students the best wireless user experience possible and make them feel more at home. "If it works at home, it should work in the dorm." "Easier said than done."
    ** The thought is: Why can't we place the dorms in a DMZ where they can register their devices, maybe for a pre-shared key or some other registration path, and then almost everything that works "at home" should work in the dorm. Students can use the school VPN to connect to school resources or connect through the cloud for their resources like they do presently. The dorms would have a different SSID than the academic areas on campus. When the students leave the dorms, their devices would connect to the 802.1x SSID for classes, etc.
    This is a round table forum, so please open your mind and share your ideas and methods that you use in the dorms.

    ------------------------------
    Scott Kirkland
    ------------------------------


  • 2.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 01, 2021 03:32 PM
    Great topic Scott, and one I am interested in as well.  We do the same thing you are currently doing and spend the first 2-3 weeks of school helping students join the BYOD network by registering their devices.  Then we have to clean up devices at the end of the year.  Never considered the DMZ idea, but that is interesting for sure.  Would love to hear from others who may have done something different and it works.  Always trying to improve students' experience, and wireless is a BIG part of that experience.

    ------------------------------
    David Mattox
    ------------------------------



  • 3.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 02, 2021 11:12 AM
    Thanks for sharing and great topic. I would also be curious to see what others are doing. Our classes started about a week and a half ago and we saw an influx of tickets like always at the start of the school year. A lot of IoT devices, from wireless printers, smart lights, light panels, Google Homes... and so on. Last year we set up/configured AirGroups to assist with some of the IoT devices. They have helped with some devices, but again, too many non-enterprise devices out there.

    If you haven't - take a look at AirGroups. They might possibly help.

    Chintan


    ------------------------------
    Chintan Patel
    ------------------------------



  • 4.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 03, 2021 07:47 AM
    Perhaps look at doing MPSK? Devices would still need to register via ClearPass Guest Device Registration but could have a custom PSK for that device. Same overhead as MAC auth.

    ------------------------------
    Benjamin Jackson
    ------------------------------



  • 5.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 03, 2021 09:17 AM
    Thanks Ben,
    MPSK is on the list of options. Does Aruba have any documents or workflow for MPSK set up in ClearPass?

    ------------------------------
    Scott Kirkland
    ------------------------------



  • 6.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 03, 2021 09:37 AM
    I saw this thread earlier that may be helpful: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=26931


  • 7.  RE: Dorm Networks - Different Ways to build Dorm Networks

    MVP
    Posted Sep 15, 2021 09:49 AM
    We're using MPSK with an IoT SSID and it works pretty well.  We post instructions for students and make them do the registrations even if they call in for support.  They then help each other once they learn the (relatively easy) process.  The hardest part is locating the correct MAC address for the devices.  Amazon devices are horrible with displaying a MAC, and some devices have a wired/wireless MAC and students register the wrong one.

    We're also using AP505H in the dorm rooms.  These are small cell APs that have 4 eth ports on the bottom, so students can plug in devices - but the registration is the same. 

    Our big complaints are Strict NAT type and multiplayer join issues.  (Which I may be able to solve with IPv6)

    ------------------------------
    Phillip Horn
    ------------------------------



  • 8.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 15, 2021 10:12 AM
    Phillip - thanks for the feedback.  Would like to hear more about your configuration offline if you would be willing to share.  We also use 505s in the dorm rooms and it seems to have helped a great deal.

    ------------------------------
    David Mattox
    ------------------------------



  • 9.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 15, 2021 10:37 AM
    Thank you for your response. We are seeing some great information here.
    We have AP-315s planned out in our dorms and 515s in our new dorms only, with no wired ports in the dorms. This plan works really well for us. Our only trouble tickets are some strict NAT calls or BYOD registrations, and most of those are wrong MAC addresses.
    **I wanted to address a recent issue that we came across with an Xbox X Series (not the Xbox-one X). The student registered the wireless MAC address correctly, and the device kept giving him the "more authentication needed to connect" error. This usually would be a MAC address registration typo, but not in this case. The MAC was invisible to the Aruba wireless network, with nothing on the controllers or ClearPass. The student had to get the Xbox to create a new MAC address and register it for it to be seen on the network and connect to our SSID. We are afraid more BYOD devices are going in this direction.
    ***So my questions are: 1. Do we need to worry about MAC registration anymore when using MPSK? 2. Why do we need MAC registration with MPSK if we place the dorms in a DMZ?

    ------------------------------
    Scott Kirkland
    ------------------------------



  • 10.  RE: Dorm Networks - Different Ways to build Dorm Networks

    MVP
    Posted Sep 15, 2021 05:25 PM
    That is a strange issue with the Series X.  Perhaps it's looking for some 802.1x authentication??  That'd be nice.

    Re the questions you posted:
    1. Yes - MPSK is just a way for ClearPass to match a MAC address to a password. It's checking the client MAC against the password entered, and if it matches, access is granted.  It's nice because the password has to match the MAC, so students can't just register a device and share that password with a bunch of friends.  Every device has a unique password (that we generate - we don't allow students to choose passwords) that gets emailed to the user that registered the device.
    2. We started with having all guest traffic in the DMZ, but it didn't really help much.  You can set firewall rules on the controller to limit traffic between clients and just give them internet access, and you probably should log who has what device, so you want some sort of registration so that you can track down a device that becomes problematic for whatever reason.  (i.e., DMCA copyright takedown notice, spammer, etc.)

    ------------------------------
    Phillip Horn
    ------------------------------
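
The MAC-to-password matching described in the post above, together with the registration problems raised earlier in the thread (mistyped and randomized MAC addresses), modeled as an added Python example. It is not part of the thread and is not ClearPass code; `DeviceRegistry`, `normalize_mac`, the 16-character PSK policy and the sample addresses are assumptions constructed for illustration.

```python
import hmac
import re
import secrets
import string

PSK_ALPHABET = string.ascii_letters + string.digits  # assumed policy


def normalize_mac(raw):
    """Accept aa:bb:.., AA-BB-.., aabb.ccdd.eeff or bare hex; return aa:bb:cc:dd:ee:ff."""
    hexonly = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexonly):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 0x02 of the first octet is set on OS-randomized (private) MACs."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class DeviceRegistry:
    """Simplified model: one generated PSK per registered MAC, plus an owner log."""

    def __init__(self):
        self._psk = {}
        self.owner = {}

    def register(self, owner, raw_mac):
        mac = normalize_mac(raw_mac)
        if int(mac[:2], 16) & 0x01:
            raise ValueError("multicast address cannot identify a client")
        warnings = []
        if is_locally_administered(mac):
            warnings.append("randomized MAC: it must stay fixed for this SSID")
        # The PSK is generated, never chosen by the student.
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(16))
        self._psk[mac], self.owner[mac] = psk, owner
        return mac, psk, warnings

    def check(self, raw_mac, presented_psk):
        """True only if this PSK was issued to this exact MAC."""
        expected = self._psk.get(normalize_mac(raw_mac))
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), presented_psk.encode())
```

Flagging the locally administered bit at registration time gives the help desk a reason for a "registered correctly but never seen" ticket before the student calls, and the owner log is what makes a later takedown or abuse report traceable to a person.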



  • 11.  RE: Dorm Networks - Different Ways to build Dorm Networks

    Posted Sep 16, 2021 09:58 AM
    Looks like the X series was designed that way.

    Why would a user ever want to enter an Alternate MAC Address?

    There is only one reason that a user would ever manually enter an alternate MAC address on an Xbox One: if they are trying to connect to a secure network that only allows devices to connect that have been whitelisted by their MAC address.



    ------------------------------
    Scott Kirkland
    ------------------------------