I was recently working with an existing Xirrus WiFi customer looking for a better way to onboard customers and I thought the solution we decided on would be of interest to this community. This K-12 school used WPA2 Pre-Shared Key to secure their student SSID. They knew that this was not an optimum configuration because all users on the SSID used the same pre-shared key (PSK). District staff had to touch each device as they didn’t want the PSK to “get out” and allow just anyone to connect to the WiFi. With several hundred students and only a couple of members of IT staff, onboarding devices this way had become a nightmare. They could have set up a RADIUS server with EAP authentication, but they had no existing AD structure for their students. Going this route would also mean one more service to manage.
I introduced them to the EasyPass Onboarding portal. This onboarding method allowed the district to assign a Unique Pre-Shared Key (UPSK) to each student for SSID authentication. A couple of added benefits of EasyPass Onboarding are that the number of devices a user can connect to the network can be limited, and admins can get visibility that allows them to see if a user is connected and, if so, to what access point. This data makes troubleshooting connection issues much easier.
One of the best parts of choosing this solution is that it is very simple and straightforward. Just choose the EasyPass portal type you want to use, give it a name and click Create.
Setting up the desired portal configuration was equally simple. In this case, the district wanted to have the UPSK last the whole school year, so they used a custom Session Expiration setting. The maximum number of devices for any user to be allowed to connect to the network would be three, and once the device connected it would be redirected to the district’s website. The district wanted to issue the UPSKs to students and faculty at orientation. Again, this was super simple to configure.
Had the district wanted to allow users to self-onboard, EasyPass would let them do that by allowing you to select an open SSID that only lets you set up your account and request a UPSK. Once the user receives the UPSK via email or text message they can then connect to a secured and encrypted SSID and join the network.
The end result was a very happy school district. They could provide secure WiFi to their end users, increase their own visibility into their network, and not be forced to stand up any new servers or services, all while minimizing the time staff spent on this process.
Unique PSKs are awesome. Is this already integrated with Cambium Networks (cnMaestro)? Is it only working with Xirrus hardware or also with Cambium hardware? Do you need extra licenses? How is the open SSID onboarding working (how do they authenticate before they get the UPSK)?
How do they handle the following:
Segmentation - assign different groups to different VLANs
Student that leaves the school: do they need to manually delete the user?
Let me know if it is not working with Cambium hardware. We created a solution based on ePSKs. Our solutions (wiflex.eu):
BYOD solution: students, teachers, employees, ... can log in with their Office 365/Azure AD credentials on a captive portal; after this login they receive an ePSK to onboard on a secure SSID. We create a QR code to easily onboard on the SSID. If the user is deleted in Office 365/Azure AD we delete the ePSK. You can also assign a different VLAN or block access based on the user group in Office 365/Azure AD.
Visitor registration: the user signs in at a tablet at the reception; after signing in they receive a unique ePSK (SMS, email, printout or on the screen with a QR code). They also receive a visitor badge. The host gets a notification (SMS/email) that his guest has checked in.
Hotel: we are creating a solution where guests get a unique ePSK after check-in. We created a connection with different PMS software tools. If the user checks out we delete the password. We can also link the ePSK with the same VLAN as the hotel room so he can cast Netflix, Spotify, ... without installing an app.
Right now, this EasyPass UPSK is a Xirrus-only feature, but we're working hard on the integration into a unified platform.
You do not authenticate before you receive the UPSK. A user connects to an open, unencrypted SSID and is presented a portal page. This SSID is for registering for your UPSK and does not allow other internet traffic. Upon association you are presented with this portal page:
You can receive your UPSK via email or text. Keep in mind that onboarding this way is normally used for BYOD devices (obviously) so most users set up this UPSK account on a cell phone. They can then use the same UPSK on multiple devices. Once the registration is successful the users will see the portal message below which will verify their password has been sent and tell them which SSID is the secure one they should use.
Right now EasyPass Onboarding requires you to delete users manually. In reality one key point of this solution is to eliminate the need for Azure, Google, or any other type of AD/RADIUS authentication. You can utilize a WPA2 PSK encrypted SSID while providing the unique pre-shared keys. This increases functionality over traditional PSK by giving easy visibility into a user's WiFi experience (faster and better troubleshooting) and limiting the number of devices on your network because users can't just pass around a PSK and connect every device desired. You don’t need to stand up any new services to get this.
We also have Azure and Google onboarding as part of the EasyPass solution as well as guest onboarding with self-registration, through an ambassador, or with pre-generated vouchers. We've tried to take onboarding one step further with a portal called Personal WiFi. Here users can actually set up their own unique SSIDs. I'll do a complete EasyPass overview very soon for the community.
Your solution sounds very interesting and like a great fit for many market segments. I particularly like the usage of QR codes and notifications.