Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Streaming and Gaming devices

  • 1.  Streaming and Gaming devices

    Posted Aug 14, 2017 04:39 PM

    We have recently implemented ClearPass and one of the things we are doing is enabling users to use headless/IoT devices on the network.  We have a specific wireless network designed for those devices that is segregated by VLAN.  Was wondering what others were doing as far as either using a PSK or leaving the network open?  We are also trying to come up with a name that makes sense for this type of use case and was wondering what others are using?

    We are a fairly small private university.

    Thanks all.



  • 2.  RE: Streaming and Gaming devices

    Posted Aug 14, 2017 08:46 PM

    @Hephzibah11 wrote:

    We have recently implemented ClearPass and one of the things we are doing is enabling users to use headless/IoT devices on the network.  We have a specific wireless network designed for those devices that is segregated by VLAN.  Was wondering what others were doing as far as either using a PSK or leaving the network open?  We are also trying to come up with a name that makes sense for this type of use case and was wondering what others are using?

    We are a fairly small private university.

    Thanks all.


    Hi Hephzibah11,

    This will be our first semester offering students the ability to register their "streaming/headless" devices onto our network. What we saw some universities doing - as well as discussions around Airheads - is building SSIDs around encryption type (1-802.1x, 1-Open, 1-PSK, etc) to help free up airtime as each SSID consumes more airtime - and making use of roles for access-management. The Single SSID we've seen other universities call (University-Start), (StartHere), something to lead the users to connect to that SSID first.

    Although I've seen several variations. One university had a variation where the initial-role when connecting to the "Start" SSID was internet access - but you could request a guest account to have access to internal resources.

    We consolidated our 2 open networks (guest and setup) into a single SSID with (University-Start-Here) that serves three purposes. If a user connects, they are presented with three options (register a guest account, setup a windows/mac computer, or register a streaming device):

    • If you self-register and web auth (with mac caching) as a guest account on the SSID - ClearPass returns a guest role with basic access to e-mail, web (http/https), vpn, etc.
    • If you register a streaming/headless device (mac auth) as a streaming device on the SSID - ClearPass returns a device role with internet access and some internal access (for casting, printing, etc)
    • Some form of configuration/onboard utility for getting laptops onto the secure 802.1x SSID.


  • 3.  RE: Streaming and Gaming devices

    EMPLOYEE
    Posted Aug 14, 2017 09:32 PM

    The built-in Device Registration feature in ClearPass is perfect for consolidating your guest/open and headless network. Students can self-register their devices into a role (Media Player, Printer, Game Console, etc) and the policy will drop the device into the appropriate role/VLAN/bandwidth contract, etc.



  • 4.  RE: Streaming and Gaming devices

    Posted Aug 15, 2017 10:25 AM

    We are leveraging ClearPass to do something similar to that.  We have a captive portal on our Guest page (serviced by ClearPass Guest).  We have services set up for our headless network that leverage profiling data to prevent Computers and Smart Devices from connecting to the network.  Additionally, devices that will connect to the streaming network must be registered in the Guest User Repository.  For the user to register a device in that database they must log in with their University credentials.  We have also segregated off the headless network onto its own VLAN.  Would adding a PSK to that network provide much of any benefit?



  • 5.  RE: Streaming and Gaming devices
    Best Answer

    EMPLOYEE
    Posted Aug 15, 2017 10:34 AM

    My opinion is no to the PSK. Unneeded complexity with very little benefit.



  • 6.  RE: Streaming and Gaming devices

    Posted Aug 15, 2017 01:24 PM

    @cappalli wrote:

    My opinion is no to the PSK. Unneeded complexity with very little benefit.


    Tim,

    I was curious what are your thoughts on students/staff having consumer level printers operating over an open-wireless network (non-PSK)? Going into our "streaming/headless" device deployment we're not doing anything to specifically "block" printers (nor are we adding a PSK network) - if the students can figure them out - it's a bonus - however, we've strongly urged them that this isn't a secure network and should plug in through a USB cable for a secure connection.



  • 7.  RE: Streaming and Gaming devices

    EMPLOYEE
    Posted Aug 15, 2017 01:27 PM

    I guess printers are always the odd one out as most of their traffic is local and not encrypted vs Chromecasts, Google Homes, TVs, smart home stuff, etc where most of the traffic is internet bound and encrypted.

    When I worked at a university we just simply said they weren't supported but we wouldn't stop them from attempting to get them to work. We also didn't come across too many students who were bringing their own printers. But obviously that varies by school.



  • 8.  RE: Streaming and Gaming devices

    Posted Aug 15, 2017 01:45 PM

    @cappalli wrote:

    I guess printers are always the odd one out as most of their traffic is local and not encrypted vs Chromecasts, Google Homes, TVs, smart home stuff, etc where most of the traffic is internet bound and encrypted.

    When I worked at a university we just simply said they weren't supported but we wouldn't stop them from attempting to get them to work. We also didn't come across too many students who were bringing their own printers. But obviously that varies by school.


    It's a shame our students didn't behave more like yours. :-) Our student-computer store surprisingly said that "wireless printers" were the number one question/demand -> but that could mean a number of things - (if students expect streaming devices to work already such as Chromecasts, Roku, Apple TVs, etc - then they're not going to ask that question) - we've had a little over 100 devices registered (with only one being a printer). With that said, that's the stance we're taking as well (not supporting them, but not blocking them as well). We didn't consider a separate PSK network just cause having a shared PSK across many students just isn't secure - so not much benefit - although I've heard of Aerohive's PPSK. Sorry to get off-topic.

    I would also like to thank you, Tim - one of your previous posts is what pushed us to the Single SSID with ClearPass design - so far it seems to be working very well - but Major move-in begins tomorrow :-)