We are looking at Aruba to replace our wifi network of HP's MSM range (~200AP and 2x HA controllers).
I've looked at a number of Aruba schools (none that are using ClearPass and certificates) and a number of Ruckus Wireless schools as well (also, none using TLS-EAP certificates).
We currently use CloudPath for onboarding BYOD devices (CloudPath was previously independent, but then recently purchased by Ruckus, which was in turn acquired by Brocade this year). Cloudpath essentially onboards a BYOD by providing a captive portal where students enter their AD credentials, a unique certificate is generated and then installed on the client device(s).
I feel this is a really secure method and I like lots of it (we can revoke certificates at any time, it helps with reporting in HP's IMC, students can change their AD password without affecting their wifi authentication because the certificate does that, students can't impersonate each other if they've shared passwords etc).
HOWEVER: It does cause us some issues - cheaper devices don't like profiles/certificates all the time, and even though the onboarding is pretty simple, many students still need assistance with it. Secondly, configuring RADIUS for .1x authentication adds some complexity to the management.
The Ruckus school I visited yesterday uses dynamic WPA2-PSK. These are unique to the user, generated when valid AD credentials are entered into a portal; it pairs the MAC address to the DPSK, and is valid for one year. The upside of this is that virtually every device supports basic PSK.
This got me thinking - is using certificate-based authentication over the top in schools? Is this why virtually no schools that I've come across use it? When you're dealing with a wide range of BYOD there are no guarantees the end client devices are going to support this well, whereas virtually every device, no matter how cheap, supports a PSK.
Is wifi authentication/security the biggest/most likely attack vector in a school network? I think it's probably not, to be honest. We would never go back to a generic WPA2-PSK, but I am wondering if the complexity of certificates is over the top for school environments.
I'd be interested to hear what others in this community think - I'm especially interested to learn if there are any schools using ClearPass and deploying certificates to student BYOD.
Thanks in advance,
Sam