Higher Education

Occasional Contributor I

Dorm networks

I've been tasked with coming up with a new design for our dorms to help the students have a more "at home" experience. While I have what I think are some great ideas, others thought that it was too cumbersome....


I'm curious, what are other Universities doing for their residential colleges (dorms) for the students, to allow them to connect their IoT devices? (Apple TVs, Rokus, Fire TVs, Sonos, Echos, Google Homes, Kindles, just to name a few)


My idea:

1 network

      - mac auth + PSK

      - We currently have AirGroup enabled but I'd like for the students to be able to use ClearPass to segregate their devices from each other

      - PSK changing every year, and database getting wiped every year

1 network

      - open (or PSK from front desk); ideally for the "Guests" to the dorms (parents, other students, friends from around)

      - PSK changing every semester


I do realize it's sort of chicken & the egg with the MAC auth... I'll figure out something for that later :-D


Thanks in Advance!

16 REPLIES
Guru Elite

Re: Dorm networks

Generally, we recommend a dual network setup.


1. 802.1X network for primary usage
2. Open network with MAC authentication for guests and headless devices

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Super Contributor I

Re: Dorm networks

One more thing to consider, going forward, is how WPA3 features will play into this environment. WPA3 will make PSK and open(ish) networks a bit more safe from the crypto standpoint. Spoofing-wise, WPA3 headless devices will also be able to do dot1x through remote configuration APIs, but of course you'll always have older WPA2 devices kicking around as well.


Guru Elite

Re: Dorm networks

Not exactly correct. WPA3 does not give devices without an 802.1X supplicant the ability to all of a sudden do 802.1X.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Super Contributor I

Re: Dorm networks

Of course... my point is that some device classes that previously never used dot1x will have among their ranks some dot1x capable clients.  So plan accordingly.


Super Contributor I

Re: Dorm networks

Timing of this is great, as we’re also looking at augmenting what we have. Today, we have primary 802.1X SSID and we have an Open/Captive Portal SSID with a click-through guest login. The same Open SSID does MAC auth as well for pre-registered devices. All the roles that are derived block unestablished inbound connections, which breaks many of the headless devices, so we’re looking at making modifications.

One idea I had was to modify the self-registration for devices to include a checkbox of sorts where the person would opt-in to allowing inbound connectivity. There's a ton of risk associated with that obviously, but I'm not interested in creating roles for every device type.

I’m very interested in hearing others’ ideas in this regard… not just for dorms but for higher ed in general. I’m sure your faculty are wanting similar things, too!

- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite

Re: Dorm networks

You can use ClearPass roles during device registration which would allow the user to select the device type and you could map them back to controller roles.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Super Contributor I

Re: Dorm networks

Yeah, I realize that that’s technically possible. But my concerns are to scale. Building something to capture specific device types will require a lot of ongoing maintenance, so common denominators are desirable.

I appreciate the feedback, Tim, though I’m more interested in what other customers are doing. If you have those insights, I’m all ears!
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite

Re: Dorm networks

I usually recommend high level groupings like “Media Player”, “Printer” and “Game Console” which reduces the long-term maintenance.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: Dorm networks

We have our users register the MAC address of non-802.1X devices in a web portal. This summer we are moving to a small choice of device types, 3 of which are configured as AirGroup servers.


      - Registered Device
      - Apple TV
      - Chromecast
      - Other AirGroup Device


The default option is Registered Device, rather than forcing a choice.


Later on we plan on moving from our 3 current main SSIDs (802.1X, Guest, MAC Auth/Onboarding) to just 2, combining Guest with the MAC Auth/Onboarding SSID.


Bruce Osborne - Wireless Engineer
ACCP, ACMP

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks
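The thread describes the same pattern from several angles: a self-registration portal for non-802.1X devices, a small set of coarse device types mapped to controller roles (some flagged as AirGroup servers), and a registration database that is wiped every year. The following is an added example written for this page, not code from Aruba, ClearPass, or any of the posters, that models that backend in plain Python. The device class names, role names and dates are constructed; real deployments would carry the role names into ClearPass enforcement profiles. Beyond what the posts spell out, it also rejects MAC addresses with the locally-administered bit set, because phones and laptops using randomized (private) Wi-Fi addresses will register a MAC that later changes, which is the usual reason MAC-auth registrations silently stop working.

```python
"""Model of a dorm device-registration backend (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
import re
from typing import Dict, List, Optional, Tuple

# Coarse device classes (hypothetical names) -> (controller role, is AirGroup server).
# Mirrors the "few high level groupings" approach from the thread rather than one role per product.
DEVICE_CLASSES: Dict[str, Tuple[str, bool]] = {
    "registered": ("dorm-device", False),   # default when the user makes no choice
    "apple-tv":   ("dorm-media", True),
    "chromecast": ("dorm-media", True),
    "airgroup":   ("dorm-media", True),     # "Other AirGroup Device"
}

# Constructed dates for the sample registry: end of the academic year, and a date mid-year.
YEAR_END = date(2019, 8, 1)
MID_YEAR = date(2019, 3, 1)


def normalize_mac(raw: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55 and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set: randomized/private Wi-Fi addresses look like this."""
    return bool(int(mac[:2], 16) & 0x02)


@dataclass
class Registration:
    mac: str
    owner: str
    device_class: str
    expires: date          # every record dies at year end, matching the yearly database wipe


class DeviceRegistry:
    def __init__(self, year_end: date, max_per_owner: int = 10) -> None:
        self.year_end = year_end
        self.max_per_owner = max_per_owner
        self._by_mac: Dict[str, Registration] = {}

    def rejection_reason(self, raw_mac: str, owner: str, device_class: str) -> Optional[str]:
        """Return why a registration would be refused, or None if it is acceptable."""
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            return "malformed"
        if is_locally_administered(mac):
            return "randomized"          # user must disable private address for this SSID first
        if device_class not in DEVICE_CLASSES:
            return "unknown-class"
        owned = sum(1 for r in self._by_mac.values() if r.owner == owner)
        if mac not in self._by_mac and owned >= self.max_per_owner:
            return "limit"
        return None

    def register(self, raw_mac: str, owner: str, device_class: str = "registered") -> Registration:
        reason = self.rejection_reason(raw_mac, owner, device_class)
        if reason is not None:
            raise ValueError(f"registration refused: {reason}")
        reg = Registration(normalize_mac(raw_mac), owner, device_class, self.year_end)
        self._by_mac[reg.mac] = reg
        return reg

    def authorize(self, raw_mac: str, today: date) -> Optional[Tuple[str, bool]]:
        """What a MAC-auth lookup would return: (role, airgroup_server) or None to deny."""
        try:
            reg = self._by_mac.get(normalize_mac(raw_mac))
        except ValueError:
            return None
        if reg is None or reg.expires <= today:
            return None
        return DEVICE_CLASSES[reg.device_class]

    def purge_expired(self, today: date) -> int:
        """The yearly wipe: drop every record whose expiry has passed, return how many went."""
        stale: List[str] = [m for m, r in self._by_mac.items() if r.expires <= today]
        for m in stale:
            del self._by_mac[m]
        return len(stale)


def build_sample_registry() -> DeviceRegistry:
    """Constructed sample: one student registers an Apple TV in Cisco-style dotted notation."""
    registry = DeviceRegistry(year_end=YEAR_END)
    registry.register("0011.2233.4455", "student1", "apple-tv")
    return registry


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.authorize("00:11:22:33:44:55", MID_YEAR))          # ('dorm-media', True)
    print(reg.rejection_reason("da:a1:19:00:00:01", "student1", "registered"))  # randomized
    print(reg.purge_expired(YEAR_END))                            # 1
```

The `rejection_reason` check is the piece most worth copying into a real portal: telling the student "turn off the private address for this network, then register" at enrolment time avoids the help-desk ticket a week later when the phone rotates its MAC and falls off the network. The coarse class table keeps the role count small, which is the maintenance trade-off discussed above.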
