Wireless Design - Is this Feasible

  • 1.  Wireless Design - Is this Feasible

    Posted Apr 11, 2016 11:16 AM

    We have been running an open SSID on campus for several years - long story, please no comments. We are looking into securing access but want to keep things simple and accessible. Is there a way with a single WLAN to get to 802.1x for protected traffic then fall through to a captive portal using ClearPass?



  • 2.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 11, 2016 11:19 AM
    If authentication passes, you can drop to a captive portal based on the
    role. You cannot fail open on a wireless 802.1X network.


  • 3.  RE: Wireless Design - Is this Feasible

    Posted Apr 11, 2016 11:29 AM

    Thanks for replying. I read in another post - 247277, that sounded like what we want to do.

    Single SSID with 802.1x for devices that support it - push config to AD devices or on-board.

    Splash page for those that do not - Guest Access

    White listed MAC address that we want to allow on

    White list devices that a user can Auth against AD.

     

    We have had ClearPass but it has not been put into production. My background is MSM and Cisco so I am not sure how CP can play into what we want.



  • 4.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 11, 2016 11:35 AM
    A typical university design would be:

    802.1X network for all university users with devices that support it.

    An open network with MAC-auth for guests and headless devices like game consoles, media players, printers, etc. Those devices can be pre-registered by end users using the device registration portal.


    Sent from Nine


  • 5.  RE: Wireless Design - Is this Feasible

    MVP
    Posted Apr 11, 2016 11:43 AM

    @cappalli wrote:
    A typical university design would be:

    802.1X network for all university users with devices that support it.

    An open network with MAC-auth for guests and headless devices like game consoles, media players, printers, etc. Those devices can be pre-registered by end users using the device registration portal.


    Sent from Nine

    This is exactly what we do at Liberty University. We also have an open SSID for guest, controlled by a ClearPass Guest portal.



  • 6.  RE: Wireless Design - Is this Feasible

    Posted Apr 11, 2016 11:57 AM

    When I was working with other vendor products that is how I would set it up, open guest SSID and another protected by 802.1x. What I found was when a user would take their laptop home and connect to their WLAN, or Starbucks, or ..., then come back they would from time to time connect to the open SSID instead of the preferred protected SSID.

     

    I was hoping for an easier solution.



  • 7.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 11, 2016 11:59 AM
    They will only connect to it automatically if they have it saved on their laptop. If users connect to it, they need to forget it.

    Sent from Nine


  • 8.  RE: Wireless Design - Is this Feasible

    MVP
    Posted Apr 11, 2016 12:05 PM

    We currently use another vendor's product for onboarding. The product automatically connects the client to the 802.1X SSID, sets it as top priority and "forgets" the open one. For Apple users, they need to manually connect after installing the network profile, though.



  • 9.  RE: Wireless Design - Is this Feasible

    Posted Apr 11, 2016 12:29 PM
    Instead of asking tens of thousands of users to "forget" the open network on their Apple devices, instead use the onboarding piece to configure the open network as well but set auto-join=no. We do this and it has helped tremendously.

    - Ryan -
    (sent while mobile)


  • 10.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 12, 2016 03:14 AM

    Another suggestion in this case: why not move from open to a WPA2-PSK SSID, with a simple or complex password depending on the purpose?

     

    I believe that you should not deploy open networks these days. I do understand the arguments that it is convenient, the whole world does it, and you are probably just offering internet hotspot service; personally I hate to connect to an open network. PSK is supported by almost any device that supports open networks, and it does provide a basic form of protection for the end-user. Sniffing, insertion and modifying traffic is not as trivial as it is on an open SSID. Also setting a simple passphrase overcomes issues in situations where you are close to a public place (city square, shopping center, school, train station) and people walking by are automatically connecting and depleting your DHCP IP pool. So I would even put a PSK on the guest network, and that can be a simple passphrase like internet, or the name of your organization. Most people don't have their home internet as an open network, so they know how to type in a passphrase, why wouldn't you expect that at a university? Also, on a PSK network (or even a WPA2-Enterprise network), you can still work with captive portals for further authentication, disclaimers, user agreements and so on.

     

    It does even give you the option to start again by changing the PSK at some moment.

     

    Just as something to consider.



  • 11.  RE: Wireless Design - Is this Feasible

    Posted Apr 12, 2016 09:07 AM

    The WLAN is open due to mishandling/misconfiguration of previous admins. We need to secure it but now I have to overcome the ease of access issue. It is sounding like I will have to go with two WLANs. One protected by 802.1x (don't want to go down the PSK road) to encrypt faculty/staff data and one to handle other devices through ClearPass. I am working with local Aruba Support and Sales to get HPE engaged to set up and test.



  • 12.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 12, 2016 09:13 AM
    Agreed on PSK. Open is the best route for guests and headless devices at a
    university. PSK is not manageable in a university setting.


  • 13.  RE: Wireless Design - Is this Feasible

    MVP
    Posted Apr 12, 2016 09:16 AM

    PSK should not be used in *any* enterprise setting except possibly for temporary testing.

     

    PSK is WPA2-Personal.



  • 14.  RE: Wireless Design - Is this Feasible

    Posted Apr 12, 2016 08:55 PM

    capalli,

     

    "Those device can be pre registered by end users using the device registration portal."

     

    Here is where I am having a problem. Currently, I set up a ClearPass MAC registration form with two roles: Mac Role and Games Role. Mac Role for any non-802.1x devices and Games Role for game consoles. The reason I separate them is because the Game Role is getting public IP addresses to avoid NATing the game consoles in the dorms.

     

    So my plan was to have the students call the help desk for non-802.1x devices and have the help desk tech register the devices and place them in the correct role. I also created a form on the help desk page that will send the information to the help desk via email.

     

    Now I am sure after a while the help desk will not like me anymore lol, so I am looking for a long term solution: self-registration

     

    Option 2:

     

    Create the Self-Registration Webpage and have the student register the devices. Instead of having an Open SSID in the dorms for onboarding I was going to have a link on the help desk page that will redirect to the ClearPass self-registration.

     

    Now,

     

    The first page the student should see is a login page where they will input their AD credentials and then be allowed to register the MAC addresses. Here is the problem:

     

    1. Cannot control they select the right role MAC or Games. Or can i?

    2. Cannot control students registering laptop mac addresses and using the MAC auth SSID instead of the 802.1x SSID?

     

    The perfect scenario will be students registering the devices then having only a single role. Also, have ClearPass or the controller track via endpoint profiler or 802.1x compliant status so laptops and 802.1x capable devices don't use this SSID.

     

    Sorry for the long message. I also hope this helps someone else.

     

    Thank you

    Nils

     

    I work for Nova Southeastern University in Florida. We have currently around 13,000 wireless devices connecting on Guest, 802.1x SSID, Phone SSID, and Mac Auth SSID.



  • 15.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 12, 2016 09:04 PM

    Having the students self register is definitely the way to go. It's really easy for them to do.

     

    1. Cannot control they select the right role MAC or Games. Or can i?

    Yes, you can. Each operator profile can have different roles enabled. You can assign operator profiles based on identity information. For example, you may have an "OTHER" role that only the staff and help desk can use.

     

     

    You may also want to consider expanding your roles to be more specific: Media Player, Game Console, Printer, etc so that you have better visibility. For example, a media player might get dropped into the MEDIA-PLAYER role on the controller which will then be reported to AirWave. It's much easier to set all this up at the beginning than going back and doing it later.

     

    2. Cannot control students registering laptop mac addresses and using the MAC auth SSID instead of the 802.1x SSID?

    What you can do is leverage the conflict function in ClearPass. So you can compare what they registered the device as, to the profile information from ClearPass and if they don't match, drop them into a captive portal that says "use the secure network", etc. ClearPass can also issue a CoA if the device category changes (a printer becomes a computer, for example).



  • 16.  RE: Wireless Design - Is this Feasible

    Posted Apr 12, 2016 10:31 PM

    Capalli,



  • 17.  RE: Wireless Design - Is this Feasible

    MVP
    Posted Apr 13, 2016 08:16 AM

    Here, at Liberty University, we use a custom php-based portal using the ClearPass eTIPS API to register non-802.1X devices. If the user selects they have an Apple TV or Chromecast, we also use the same API to register the device as an AirGroup personal device. We also dst-nat any DNS requests to our chosen DNS server so users cannot manually set DNS servers that bypass our system.

     

    This system has worked quite well. Our HelpDesk can see & remove CPPM Endpoints, if needed. We do not differentiate between game consoles & other devices, but that could be easily added. We do not support wireless printers.

     

    New this year, if a Staff member registers a device, we mark the registration as Permanent. If a Student registers a device, we plan to expire (remove) them during the summer.

     

    To "discourage" students registering laptop MAC addresses, registered devices cannot access our website or Blackboard course system. If they try, they get a web page directing them to our 802.1X onboarding web page.

     

    I understand that ClearPass will introduce a new API soon. I am not sure if the older eTIPS API will be deprecated & scheduled to be removed.



  • 18.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 13, 2016 08:55 AM

    nilslau03,

     

    I've found that students usually select the right role. Sometimes it's helpful to put help text below the box (Media Players: Chromecast, AppleTV, Roku, SmartTVs, etc. Game Consoles: XBOX, Playstation).

     

    Profiling in ClearPass is similar to fingerprinting. What we can do is write a policy that says:

    If registered as a media player and endpoint category NOT_EQUALS Home Audio/Video Equipment, then take X action.

     

    There is also the auto conflict detection that I was referring to that will automatically CoA the device if the device category changes. You can then have a rule at the top of your enforcement policy that checks if CONFLICT = TRUE. You can then drop them into a captive portal asking them to contact the help desk or even automagically open a help desk ticket (if your ticketing system has a RESTful API).

     

    As Bruce mentioned, there are other things to consider. I always enable AirGroup in the background for all students so everything just works without them having to play with checkboxes and dropdowns. So I usually hide the enable airgroup (it's enabled though), hide the sharing type (and set it to personal), and then leave only the Shared With box.
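    The rule ordering described in replies 15, 18 and 20 (conflict check first, then a registered-type versus profiled-category mismatch, then the plain registered role), modelled as an added example; this is not ClearPass code and the attribute names, category strings and role names are constructed approximations of the ones the posts mention.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed mapping from the registration-form choice to the profiler
# category expected for it (real ClearPass category names may differ).
EXPECTED_CATEGORY = {
    "Media Player": "Home Audio/Video Equipment",
    "Game Console": "Game Console",
    "Printer": "Printer",
}
# Constructed set of controller-side (Aruba-Device-Type style) values that
# indicate a laptop/desktop OS, i.e. a device that belongs on the 802.1X SSID.
LAPTOP_OS = {"Windows", "Mac OS X", "Linux"}

@dataclass
class Endpoint:
    mac: str
    registered_as: str                  # role chosen on the self-registration form
    profiled_category: Optional[str]    # ClearPass profiler category, None if unprofiled
    conflict: bool = False              # ClearPass conflict flag (category changed later)
    aruba_device_type: Optional[str] = None  # controller fingerprint via RADIUS VSA

def enforce(ep: Endpoint) -> Tuple[str, str]:
    """First-match enforcement: returns (role, action) for one MAC-auth request."""
    # Rule 1 (top of policy): a profile conflict triggers CoA into a help-desk portal.
    if ep.conflict:
        return ("CAPTIVE-PORTAL-CONTACT-HELPDESK", "coa")
    # Rule 2: registered type disagrees with either profiling source ->
    # send the user to the "use the secure network" portal instead.
    expected = EXPECTED_CATEGORY.get(ep.registered_as)
    if expected is not None:
        if ep.profiled_category is not None and ep.profiled_category != expected:
            return ("CAPTIVE-PORTAL-USE-SECURE-NETWORK", "redirect")
        if ep.aruba_device_type in LAPTOP_OS:
            return ("CAPTIVE-PORTAL-USE-SECURE-NETWORK", "redirect")
    # Rule 3: no evidence against the registration -> grant the registered role.
    # An unprofiled device gets the benefit of the doubt (profiling is not
    # always available, as reply 19 notes).
    return (ep.registered_as.upper().replace(" ", "-"), "accept")
```

Feeding a laptop that was registered as a game console but profiled as a computer through `enforce` lands it in the redirect role before the registered role is ever considered.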



  • 19.  RE: Wireless Design - Is this Feasible

    MVP
    Posted Apr 13, 2016 09:00 AM

    We have found profiling to be not too reliable, but we do not (yet?) have DHCP helpers on our hundreds of VLANs directing information to our 4 CPPM nodes.

     

    I hope a future network redesign will reduce the number of VLANs and permit us to improve profiling accuracy.



  • 20.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 13, 2016 09:01 AM
    There are other options like using the Aruba-Device-Type VSA that comes in
    every RADIUS request. I usually leverage both ClearPass profiling data and
    the controller profile. You can also leverage IF-MAP between the controllers
    and ClearPass to update the device profile information.


  • 21.  RE: Wireless Design - Is this Feasible

    MVP
    Posted Apr 11, 2016 11:24 AM

    In ClearPass, you can set whatever role you wish, including a captive portal logon role, for authentication failure. 

     

    You might be able to use ClearPass Guest to accomplish this. 

     

    We have an open mac auth SSID that fails to a captive portal role.

     

    We have found it best to send a RADIUS accept for the failed auth and set the role. If you do not use the RADIUS accept, it should work with Aruba wireless, but we have found things work more reliably with the Accept.



  • 22.  RE: Wireless Design - Is this Feasible

    EMPLOYEE
    Posted Apr 11, 2016 11:26 AM
    Just an FYI. The benefit of doing a reject over an accept is that a license
    is not consumed which is helpful for drive bys on an open network.