802.1x vs PPSK vs CWP for a student BYOD environment? Nick.Lowe??

  • 1
  • Question
  • Updated 4 years ago
  • Answered

We are still migrating from a large number of legacy SOHO APs to Aerohive. We essentially replicated the existing WPA2 SSIDs and are now looking at moving forwards...

We use 802.1x with computer authentication for domain joined (Our) machines.

We use daily auto-generated PPSKs for guests (visitors etc.), which are handed out via reception.

Our last remaining issue is students with their own devices. These people have AD accounts which we can use as the basis for authentication.

CWP seems like a good idea, but it seems to want to re-authenticate people a lot with the basic settings, and it looks like even if you extend the roaming cache settings it still does not last longer than a day which is pretty frustrating.

PPSK also seems like a good idea, but managing the PPSK creation/distribution (without using self-register because it is a SPOF) and lifecycle is also tricky (we have expiration dates on users, new users start frequently etc., and there is no synchronization with AD if we disable their account etc.)... also it is quite hard to track which user is actually using which PPSK...

And then we have 802.1x... I was looking at using EAP-PEAP-MSCHAPv2 based on their user credentials. The nice points of this are that it is tied to AD, so easy user lifecycle management and easy to track in the interface. The negatives are that it is a pain to set up on the end user device (especially Android)...

I would be really interested to know how others are handling student populations like this...

Also a little shout out to Nick Lowe... I believe you have done a few bits in similar locations and would love to talk to you about your RADIUS work???
BeeKeeper

  • 9 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes

you want to leverage what you have
fill in the gaps of what you are missing
and make it as painless as possible

6.1 has a trial version
Client Management (Trial Version)

get a copy of 6.1r1 new features guide and read over the client management section.
Nick Lowe, Official Rep

  • 2486 Posts
  • 448 Reply Likes
Hello! :)

For users who are not ephemeral to an organisation, I am a massive proponent of WPA2-Enterprise/802.1X, this of course therefore includes students.

As you highlight, there are on-boarding issues with 802.1X with the supplicant configuration where you wish it to be locked down/secure... but... solutions exist in the marketplace to assist with this and it is not really that big a deal, in my opinion.

Even where a supplicant is not configured to constrain to your root certificate correctly, you are no worse off from a security perspective than with a CWP.
Many devices manage to get a usable connection without supplicant configuration. For BYOD, where sensitive data is accessed only via HTTPS (SSL/TLS) based Web resources or a VPN is mandated for all but general browsing, you may not care about this that much.

Hopefully the configuration burden to get a secure configuration in clients will be unnecessary a few years down the line with Hotspot 2.0 (802.11u) - today, unfortunately, it is...

It has to be said that students are some of the most generally tech savvy people you will encounter; as long as you give, as a minimum, comprehensive and clear instructions that are easily accessible, they will largely manage amongst themselves and trouble you little.
(It is staff that will be your pain points!)

The key for me is the realisation that educational environments usually wish to authenticate the user and not the device. Conceptually, I feel that you should not ever care what the device is and filter, where necessary, based on content for that user.
Achieving SSO to your firewall/filter via 802.1X for the user's session is therefore a huge bonus too... I am a huge proponent of the PaloAlto firewalls in this space to work in concert with your access layer...

There are trade-offs to be balanced between all three wireless authentication methods. For me, that balance has always fallen to 802.1X, but then I do keep banging the security drum...

There are considerations that you have to make about what you do with user owned/managed devices that do not support 802.1X if you choose this route... I have always been of the opinion that it's the device that is faulty and any complaints should be directed at the manufacturer, but then I do not fall on the side of pragmatism here...

Really happy to talk about whatever - drop me an email at nick.lowe {at} gmail.com!
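As an added example for this thread (not code from any of the posts above, nor from Aerohive), here is a small Python audit of wpa_supplicant `network` blocks that flags PEAP/MSCHAPv2 profiles which do not constrain the RADIUS server certificate, the supplicant lock-down issue Nick raises. The sample configuration, SSIDs, CA path and server name are constructed placeholders.

```python
import re

# Constructed sample wpa_supplicant.conf (hypothetical SSIDs, CA path and RADIUS name,
# not taken from the thread): one PEAP block with no server validation, one hardened.
SAMPLE_CONF = """
network={
    ssid="Students-Weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Students-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/school-root-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_networks(conf):
    """Return one dict per network={...} block, with quoted values unquoted."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, val = line.split("=", 1)
                kv[key.strip()] = val.strip().strip('"')
        nets.append(kv)
    return nets

def audit_peap(net):
    """Findings for a PEAP block; an empty list means the server identity is pinned."""
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap", "").upper() != "PEAP":
        return []  # not an 802.1X/PEAP block, nothing to check here
    findings = []
    if "ca_cert" not in net:
        # wpa_supplicant does not verify the server certificate when ca_cert is absent
        findings.append("no ca_cert: RADIUS server certificate is not verified")
    if not {"domain_suffix_match", "subject_match", "altsubject_match"} & set(net):
        findings.append("no server-name match: any cert from the trusted CA is accepted")
    return findings

def audit_conf(conf):
    return {n.get("ssid", "?"): audit_peap(n) for n in parse_networks(conf)}
```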