Meraki

Community
  • About NaNaSSHi

About NaNaSSHi

Re: Automated onboarding solution for BYOD devices on 802.1X SSID

by in Wireless
yesterday
yesterday
The key problem is Android users. For Android users to onboard to our Wi-Fi they must manually select EAP methods in their Wi-Fi settings. If they accidentally select "Do not validate" on the CA certificate option then they can expose their credentials to a MITM attack, and if they mess up the Inner Phase Authentication option then they do not have Wi-Fi.  Apple devices are also a problem, as users are forced to manually 'Trust' our RADIUS certificate and many are rightfully afraid to tap the big red 'Trust' button without understanding what it does. We want to automate everything so the students do not need to understand EAP and RADIUS in order to get on the Wi-Fi. Re: segmentation, yes, the Wi-Fi is segmented from the rest of the network. ... View more

Automated onboarding solution for BYOD devices on 802.1X SSID

by in Wireless
yesterday
yesterday
Hi all!! Recently I've been looking for a solution to onboard BYOD (unmanaged devices) to our 802.1X SSID. We service thousands of students using a wide variety of devices with different requirements to login to our Wi-Fi, and we are looking for a paid solution that creates downloadable config profiles/agents to install the required settings and RADIUS certificate on the device without requiring the end-user to know how to configure EAP methods. Issues we are facing in finding a new solution: Surprisingly very few BYOD Wi-Fi onboarding solutions exist, most config template solutions are part of MDM solutions for enterprise managed devices. We don't want to force students to use our MDM. There are many cloud RADIUS providers, but most do not have BYOD onboarding solutions (i.e. a portal for users to download the config templates) and just provide the server itself There is no IEEE standard for EAP templates, there are only abandoned draft articles like https://datatracker.ietf.org/doc/html/draft-winter-opsawg-eap-metadata-02 Vendors we are evaluating, and issues with them: Extreme Networks UZTNA / Extreme Control - Did not have the features we are looking for when we evaluated them, maybe this will change? More of a NAC solution. Ruckus CloudPath - The only vendor who checks all our boxes, but they have had reputation issues lately and I've heard rumors that Commscope wants to get rid of them. Their support has not been great. eduroam's CAT solution - Also would check most of our boxes, but this is a solution we would need to deploy on our own as eduroam only provides support for the eduroam SSID. We want to keep our own SSID, and we don't want to be responsible for maintaining the CAT infrastructure without enterprise support. We would like to offload authentication to a company with good support. SecureW2 - Prohibitively expensive      I have read several academic papers about this very issue, and have looked at other universities with public KB articles indicating that they face similar problems. As of 2025, is there still no good solution?   (We have not yet evaluated Cisco ISE, as my understanding is that is more of a NAC than an onboarding portal. We aren't looking for a wireless NAC at this time, as that would be overkill and probably really expensive? If anyone thinks ISE would be a good solution for this please let me know! We also have not yet evaluated Aruba Clearpass, for the same reasons. I heard Clearpass has a module called Clearpass Onboard, but I imagine we cannot use that without getting the full version of ClearPass. If anyone has experience with ClearPass please also let me know!) ... View more
Labels:
© 2025 Cisco Systems, Inc.