That is quite impressive, GT. If you put something together I would be interested in watching it.
Looking forward to the video. I know you are not affiliated with Ruckus, but being a security researcher, I see some issues with the initial association to "Provision" in your example.
Since there is no mutual authentication, the client has no way of knowing whether the AP is in fact the AP they assume it to be, making it fairly vulnerable to MitM, gathering the valid authentication credentials and using these credentials to connect to the WLAN as the legitimate student.
Do you know how Ruckus is taking care of this? I have sent them an email asking for more technical specs on the implementation of DPSK since I cannot seem to find them on their site. I will update this message when I get something back from Ruckus.
As to the original post, I'd be interested to know more about the actual problems experienced by Apple users. All of the modern Apple devices are compatible with PEAP/MSCHAPv2, which is the recommended EAP type for most university environments. EAP-TTLS would be a runner-up EAP solution, but that introduces other problems as well. EAP-TLS is not recommended for the university environment. The added security is not worth the added (major) headache of client-side certificates for every user. And, if you can't deploy 802.1X for some reason or another, per-user PSKs are the next best thing, but that locks you in with either Ruckus or Aerohive, for now.
I think you'll find that wireless is becoming more and more important in the university environment, and it's just no longer acceptable for a major university like yours to not offer encrypted Wi-Fi for students. There are always exceptions, like gaming consoles or printers, where you'll just want to provide a MAC filter and firewalling, but primary student/faculty access should be 802.1X. You may consider checking out the Educause wireless listserv, which is an email list specifically for higher education wireless. This topic has been addressed there in the past, and you should be able to find it with a simple search here:
If the problem you're facing is related to users that can't configure their devices properly, you have two real options: create and maintain accessible and exhaustive configuration guides for all of the OSs (Windows, Apple, Linux, mobile devices, etc.) you want to support on your network, or use a software-based deployment aid. A lot of universities like the Cloudpath XpressConnect solution, which eases the management side of deploying 802.1X to uncontrolled client devices.
Hope this helps.
I actually do work for Ruckus now. In fact, I think I responded (via someone else) to your question.
The answer is, you are right. If you provision over Wi-Fi and HTTPS, there is a chance that a MitM attack could take place if you aren't authenticating your certificates.
Our party line is that we prefer that the initial DPSK process take place over Ethernet. However, we get a lot of questions as to whether we can do it over Wi-Fi and the answer is yes, but there is added risk. Thanks for the great questions!
I recommend looking at Bradford networks.
One cool thing you can do is pre-register your students BEFORE they come to college and scan their laptops to make sure they have AV, etc.
It works with any wireless system (Cisco, Aruba, etc.), all the major ones.
If you need now to do encryption of the student traffic and you have 1800 LWAPP APs out there, you are limited to what your vendor can do; with Cisco it will be EAP-PEAP or EAP-FAST (you have to buy ACS for that).