Educause Security Discussion mailing list archives

Re: ResNet wireless Streaming, IoT, and Gaming self-registration


From: "Adam T. Ferrero" <adam () TEMPLE EDU>
Date: Wed, 20 Nov 2019 16:25:15 +0000


  We deployed similarly with Aruba ClearPass.  I wish I hadn’t used a separate WPA2 Enterprise ResNet SSID and a 
separate WPA2 PSK ResNet SSID (students do self register MAC addresses via ClearPass).  Rather, I wish we had used logic 
inside ClearPass to do the slightly different things for ResNet.  We require an Aruba OnGuard agent only in ResNet so 
we went separate SSID but we could’ve easily enough done that with logic even on top of eduroam.

  We land them in our student VRF along with all other student networks (labs included).  They have the same outbound 
rules that all students do.

  It’s worked well for us because we drove the user experience to be truly self service.  Help Desk tickets are very, 
very low (they used to be insane but we solved it).

  Adam

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Di Fabio, Andrea
Sent: Wednesday, November 20, 2019 9:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ResNet wireless Streaming, IoT, and Gaming self-registration

We are in the process of deploying Cisco ISE in the residence halls. Our goal is to allow students to self-register 
their gaming, streaming, and other devices that do not support WPA2 Enterprise. Currently our ResNet is physically 
separated from campus and has two secure SSIDs: a resnet SSID and the eduroam SSID. If you have deployed ISE or a 
similar solution, how did your institution go about the following?


  *   Did you create a separate SSID for devices that do not support WPA Enterprise? (This solution would give us 3 SSIDs)
  *   If you created a separate SSID, what ACL or restrictions did you put on that network?
  *   If you placed a restriction on the new SSID network, i.e. it can only talk to the internet, or it cannot talk to the secure SSID, how did you handle

     *   Ongoing awareness of what each SSID is used for.
     *   Issues where students may not understand why different networks/SSIDs provide different end user experiences and access?

  *   Looking back at your deployment, is there anything you wish you had done differently from a self-registration and wireless experience?

Thank you for your expert feedback.

Andrea Di Fabio
Chief Information Security Officer & Associate CIO
Information Technology Services
Nicks Hall Room 425
(423) 439-3303
<https://twitter.com/ETSU_CISO>  <https://www.linkedin.com/in/adifabio>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
