Deployment Timeline
Dan, the Information Systems Director of Antelope Valley High School, never liked using a password to secure his school’s Wi-Fi network to begin with. He’d known for a long time that Pre-Shared Key (PSK) networks simply aren’t as secure as other alternatives.
When a student brought in a hacking tool and grabbed the encrypted password over-the-air one day, he knew he had to make a change. After reaching out to a few different vendors, including Meraki, Dan contacted SecureW2 in October of 2023. After some discussion with our team, they were able to deploy quickly over winter break in December.
Remembering the beginning of his search for a solution, Dan recalled:
Challenges
The Antelope Valley High School District has a large number of students and devices. One of the greatest challenges Dan faces is the sheer number of managed 1:1 devices the district has; with well over 40,000 Chromebooks and other devices to manage, he simply didn’t have time to configure them all.
The student password-hacking incident was a major motivator for moving away from a PSK network, but Dan also understood that manually configuring each Chromebook would take up too much of what little time he had. On top of that, he had concerns about the school’s VPN. Although they didn’t have as many devices on the VPN, he didn’t want to leave it open to the same kind of hack that the Wi-Fi had already endured.
Finally, there was the challenge of the school’s infrastructure to consider. While many organizations have moved much of their infrastructure to the cloud, AVHSD depends on an on-premises Active Directory server. Any solution they implemented would have to be capable of integrating with their existing infrastructure as seamlessly as possible.
Solution
SecureW2 has worked with hundreds of K-12 schools in the past, so we were familiar with environments like AVHSD’s. Issuing certificates to Chromebooks wasn’t a challenge for us at all.
First, we helped them set up our cloud PKI, JoinNow Connector, so they could issue certificates from anywhere. With our PKI, they can distribute as many client certificates as they need for Wi-Fi authentication rapidly and from one single management portal.
Certificate distribution works a little differently on Chromebooks. However, we’ve developed an exclusive Chrome extension that allows Chromebooks to request and install certificates quickly. JoinNow can also use the Simple Certificate Enrollment Protocol (SCEP) with Google Workspace to auto-enroll Chromebooks. Either method allows administrators like Dan to automatically push certificates out to Chromebooks without having to rely on students or staff for the configuration.
Our team of experts also helped the school set up multiple Certificate Authorities (CAs) for different MDMs, such as Jamf Pro or Google Workspace. This empowered Dan to create uniquely tailored network access policies, including segmenting devices onto their own VLANs based on which MDM is used.
After the first wave of certificates was issued to their Chromebooks for Wi-Fi authentication, we began working on the next goal on Dan’s checklist: locking down their VPN with certificates, too. Although Wi-Fi authentication through client certificates is a popular use case for our PKI, we also support other use cases - including VPN authentication, code-signing, and server/SSL certificates.
For the occasional unmanaged device on the network, we provided JoinNow MultiOS. JoinNow MultiOS is a user-friendly, self-service device onboarding application that makes it simple for users to request certificates and configure their devices for secure Wi-Fi access in seconds.
Evaluating Success
As it turned out, the Antelope Valley High School District was going to see firsthand a compelling argument for the use of certificate-driven security. Just weeks after they implemented certificates for their VPN, the school district survived an attack on their firewall.
Reflecting on the incident, Dan said:
Nowadays, Dan can rest easy knowing that his VPN and his wireless network are locked down - he’s seen for himself how it works. He’s considering expanding his use of our PKI to SSL certificates for his servers or even setting up a wired 802.1X network. With our WSTEP gateway support, he could even leverage our certificates for his AD domain-joined devices. The possibilities are endless.