There Is Hope For BYOD Security. University Wi-Fi Evolution Shows Why.

One of the hottest topics in wireless and even networking today is Bring Your Own Device (BYOD) networks. Everyone wants to talk about this “new” networking concept and how to plan, architect, execute, and deliver on a network strategy around BYOD.

I don’t think BYOD is all that new, in fact, I will propose that the first instance of BYOD computer networking is likely celebrating its 30th anniversary this year.

BYOD has history

Why do I think BYOD started 30 years ago and not just recently as so many networking vendors would have you believe? I say BYOD is celebrating its pearl anniversary because the first personal computer or PC was introduced in 1975, and I would propose that some poor network admin at some university was presented with the problem of getting this personal computer onto their network not long after.

The truth of the matter is that universities have been dealing with BYOD for decades. I know when I walked into my freshman dorm room in the early 1990’s that one of the first things I carried in was my computer case and monitor.

In those days the network access in dormitories was controlled largely via telephony and modems (BYOD 1.0) but I remember fondly the excitement when, to start my junior year of college, I moved into a dormitory with 10Mbps Ethernet access. I see this increase in speed of access and more restricted access as BYOD 2.0.

Fast forward just a few years and I was the admin now at that same university having to run the network with 20,000 Ethernet ports and having to architect the vlan and subnet design to provide 2 Ethernet ports to each dorm room on campus. This still wasn’t that big a challenge as we were limiting access to the network via the number of physical ports available.

Jump a few more years though and I had the project dropped in my lap to provide ubiquitous Wi-Fi for the entire campus and a Wi-Fi first network access model for the dormitory students. No more Ethernet ports in each room as Ethernet because a distribution model and Wi-Fi became the access layer of the network. BYOD 3.0 was born and network access became easier to obtain.

With this change in access layer architecture from wired to wireless, the chains of physical access limitations were removed, but the client devices weren’t really ready to take advantage of this freedom yet. It wasn’t until the client devices caught up, with the introduction of the smartphone, tablets, IoT, etc. that we really started to see what BYOD could do for the end user.

It was also as these client devices caught up that network admins discovered that the plans, architectures, and infrastructures that were put in place for BYOD 1.0, 2.0, and 3.0 wasn’t really ready for the influx of devices and information that the client transformation caused as BYOD 4.0 was born.

As our admins in all verticals now struggle with BYOD our university admins are again leading the charge.  While businesses and enterprise build policies and infrastructure around phones and personal laptops on the corporate network, and schools work to understand how to design for a device per student, our universities are struggling with the same problems on a different scale.

Our typical commuting college student carries 3-5 devices on them at all times capable of a network connection (phone, tablet, laptop, watch, health metric device.) Our typical resident college student has those devices but also wants to connect anywhere from 5-7 more (gaming consoles, television, media players, printer, mobile gaming devices, IoT devices, cameras.)

Can Universities securely meet students’ Wi-Fi demand? 

How can a university admin plan and design around 5 devices per commuter and 12 devices per resident?  The logistics are a nightmare and security is just out the window right? Of those devices listed how many can even support a full 802.1x security solution?  So is our university networking solution to simply open the Wi-Fi and create a wild west free for all for hackers to exploit?

There are many ways to skin a cat but in Aerohive’s case, the BYOD security quandary is addressed with ID Manager. Using this solution, our beleaguered university admin can create policies around the number of devices per user for simultaneous access as well as the number of devices registered. The admin can also set the system up to allow the end users to self-register within the guidelines and policies that the admin sets up freeing the network admin and helpdesk up from the manual tedium of device on boarding.

The workflow for the user with IDM is very simple. First they authenticate using to the HTML web application or the mobile OS (iOS or Android) application using their employee/student credentials. Having authenticated the credentials as belonging to a valid user, IDM assigns a Private PSK (PPSK) that allows the system to identify and authenticate the user’s device(s.)

The beauty of this system is that any Wi-Fi enable device, even the simplest low cost gadget, supports PSK (WPA(2)-Personal) authentication. This simplicity on the client side, coupled with the flexibility and Power of Aerohive’s PPSK, provides the authentication and identification so desired from a quality 802.1x deployment. The end user enters this PPSK as the security key for the network and now the device is on the network in a secure and identifiable manner.

Controlling the gadget explosion

A powerful side effect of this deployment is that PPSK also allows you to control the explosion of DHCP requests by limiting the number of simultaneous devices allowed to authenticate using the same key. This can be important in today’s age of gadget explosion. Gone are the days where the network engineer is the only person on the network requiring more than one IP address. This is presenting new challenges in IP address management that admins have to solve in new and creative ways.

So as we all struggle with our own BYOD policies and plans, let’s keep in mind security is NOT hopeless in this new world order.


Jeff Haydel (CWNE #163) is a Principal Systems Engineer with Aerohive covering the Mid-South.

Leave a Reply

Your email address will not be published. Required fields are marked *