Extreme Networks

Hi Will,
thank you for your answer, and sorry for my deferred reply due to vacations.
However I definitely would not agree on the "non-standard"-excuse. Even the question how you actually define a standard wouldn't be easy. For example IEEE makes standards. But are RFCs "standards"? In my opinion yes, but one might argue that they are just recommendations for better interopability. In the end most customers are looking for working solutions. Whether a working solution is completely based on "standards" or also includes some "good" vendor-proprietary addons, doesn't really matter. Even in the Extreme world we have so many examples of proprietary implementations - good ones and bad ones. For example mLAG is a great thing; although it is prioprietary and not compatible with comparable technologies from other leading vendors. On the other hand there are also rather bad implementations like the way how Extreme implements simple spanning tree. I just want to have port-based RSTP (802.1w) and I want it to be enabled per default, and I want it to co-exist with other stuff like mLAG, Netlogin etc. Well, real life is a little bit different.

What I want to say: Our customers need solutions. And if they see that there are working solutions, they want to have it. Or in other words: If Netflix offers a series you want to see, at a reasonable price, and it works, you probably won't care whether they actually stream it by using a standard video codec. Most people wouldn't chose another more complicated to use service just because of the fact it's a standard.

To make a long story short: I myself still do not see a standard-based way how to address these requirements yet.
1) Some end systems may simply not 802.1x capable or configuring 802.1x would be to complicated for end users. That's a fact.
2) Relying only on L7 / transport-level security, really? Using one (probably public-known) PSK for all devices? That's not what we understand as secure networks.
3) Even if we could use 802.1x, binding one account (username/password) to one end-device is still not possible due to lacking NAC feature. For 100 MAC-to-Account bindings you would have to create 100 users, 100 user groups, 100 end-system groups and 100 nac rules for 1:1 bindings. Nobody want's to maintain this.

If the problem wasn't clear yet, let me describe it. Imagine a typical bring your own device environment. Devices end up in a VLAN which is routed by a firewall allowing certain services like HTTP to Web or RDP to Terminal Servers. You want to secure "the air", i.e. need a network-layer encryption. You do not want one shared "wifi password", i.e. no single PSK for all devices. Instead every user should get their own secret. And you want to ensure that the user can only connect the device you approved. Since end-systems can be anything (and end-user skills are limited) you cannot ensure that all devices would support 802.1x / WPA-enterprise.

With private PSKs like known from other vendors such a scenario can be addressed quite easily. And most important, it is easy to manage for the admin, and easy to use for the end user; connect to the Wi-Fi, enter your personalized PSK, that's it. End users could save their Wi-Fi profile together with their personalized key and are happy.

In theory I could image something with a public-known PSK combined with a captive portal doing the end-device registration. But it is more complicated to setup, and more complicated for the end users. That's a bit like mentioned before with RTSP: It's just to complicated to be usable. Most customers will most likely prefer the (proprietary) easy-to-use solutions instead of the more complicated based on standards. Of course might depend on the customer. Complicated implentations like the RTSP example lead to refusal by customer, i.e. they might simply leave it disabled if it is too complicated to configure. Of course, also just my experience, depending on the customer.

If something is simply not possible (in a usable way), that we are fine with that. No vendor has the "perfect product" in their portfolio addressing all kind of setups. I raised this discussion in the hope to inspire some brainstorming on how to address such a real-life scenario. My conclusion is that we simply cannot provide this functionality with Extreme Wireless, yet. But if that's the case, then please mention it as such, so we can be aware of it. Of course WPA-Enterprise should be the preferable way (and works for most setups) but there are situations where we simply need alternatives.

Regarding your second question, I agree with you that it is of course solvable if we do the actual traffic shaping on some other "more intelligent" device behind the access point. Whether it might be a switch, router, or firewall. Especially in more decentralized environments with smaller sites like for example retail stores having this functionality directly in the access point would be appreciated thus avoiding the need of additional (expensive) L2/L3 devices. If looking towards ideas like "cloud based" wi-fi infrastructures, it would be vital to have these functionality in the access point.

- David