University of Guelph

University of Guelph Ontario

Case Study

BYOD Onboarding on a Large Scale

At the beginning of the 2013 semester, University of Guelph was preparing for a massive proliferation of smartphones, laptops, and tablets to the company’s network. As the Bring Your Own Device (BYOD) phenomenon continued to spread, students were requesting instantaneous network connection that was secure and easily accessible.

Allowing BYOD devices onto the network brought several inherent risks to the table, including the potential for widespread security vulnerabilities. “We were facing many problems with the manual onboarding process,” said Dennis Xu, University of Guelph Network Analyst, Computing and Communications (CCS), “Some manual configurations rendered devices vulnerable to certain impersonation and authentication attacks.”

Guelph needed to figure out how to make the network as easy to access as possible without compromising over-the-air device security.

SecureW2 JoinNow provides a fairly straight-forward utility for the onboarding process without requiring additional IT support.

Dennis Xu

Ccie #13056, crisp, network analyst, computing and communications

Manually Configuring WPA2-Enterprise Poses a Risk

Prior to implementing JoinNow, Guelph did not have an automated onboarding solution and instead relied on manual device configuration. However, they quickly determined this wouldn’t work as IT staff continued to face an influx support tickets from end users misconfiguring their devices.

Xu noticed many problems when onboarding BYODs, especially inconsistencies across devices and operating systems. “We noticed that, for example, Apple iOS devices show the RADIUS server certificate ‘Not Verified’ message even when the server certificate is issued by a trusted Certificate Authority (CA),” Xu said.

Configuring devices effectively is one of the most challenging components of deploying WPA, WPA2, and 802.1X. Since manually configuring a device properly for 802.1X involves a convoluted series of steps that can confuse end users, there is plenty of room to err during setup.

Skipping one step in the process can leave students susceptible to a ‘man-in-the-middle’ (MITM) attack. Just one misconfigured device can leave the entire network vulnerable to over-the-air credential theft. Guelph needed a solution for onboarding misconfiguration, and they needed it fast.

Automating the Configuration Process to Enroll Certificates

The university was in the middle of migrating everyone to secure Wi-Fi when they decided to deploy SecureW2’s JoinNow. “The tool has provided great assistance in this endeavor,” Xu said. “[SecureW2’s] JoinNow provides a fairly straight-forward utility for the onboarding process without requiring additional IT support.”

By integrating JoinNow into the guest/onboarding web portal, users are automatically configured with all of the proper settings required for WPA2-Enterprise level encryption with no additional IT help. “As a result, the calls to our help desk regarding connectivity challenges to secure Wi-Fi are less frequent,” Xu said.

Guelph configured their implementation of JoinNow to only allow devices to accept pre-defined server certificates; users are no longer prompted to authorize new or unknown certificates. After the user enters their Guelph credentials, the device is automatically configured with the proper settings and trusted certificates are installed.

JoinNow’s sophisticated reporting capabilities, including full network visibility and device monitoring, proved to be a win for Guelph. The solution delivers a plethora of data such as connection and error logs for user devices. According to Xu, the lack of Java requirement in the product proved to be very beneficial.

Safely Onboarding Devices for WPA2-Enterprise Wi-Fi

Guelph began to see results immediately. The number of users correctly configured for the WPA2-Enterprise campus network steadily increased. “In September 2014, the number of users on secure wireless doubled since the same time the year prior,” Xu said.

With the onboarding challenge resolved, calls to the help desk have been less frequent, saving IT teams valuable time and resources. JoinNow’s capability of showing crucial device data makes the jobs of network administrators much easier. Complimenting SecureW2’s comprehensive onboarding solution is our technical support and their extensive knowledge of WPA2-Enterprise. “Support teams from SecureW2 have been very helpful throughout the deployment and operation processes,” Xu said. “The support engineers are very knowledgeable and questions are always handled in a timely fashion.”

As the BYOD movement continues to grow, the number of Wi-Fi-enabled devices connecting to WPA2-Enterprise networks has increased exponentially. With JoinNow, device onboarding doesn’t have to be a support and end user nightmare. SecureW2’s automated solution, JoinNow MultiOS, streamlines the user experience to deliver secure wireless with the click of a button. Check out our pricing page to see why SecureW2 is a cost-effective solution.

Support teams from SecureW2 have been very helpful throughout the deployment and operation processes,” Xu said. “The support engineers are very knowledgeable and questions are always handled in a timely fashion.

Dennis Xu

Ccie #13056, crisp, network analyst, computing and communications