Cisco AP DHCP Lease Time

2009-05-21 Thread Brandon Pinsky
Do any of the Cisco LWAPP AP owners out there give any special
consideration to the DHCP lease time assigned to the wired interface
(i.e. the management IP of the AP) of the Cisco APs themselves?  Is
there any reason to give the APs an extremely long lease time to
anyone's knowledge?

Thanks,

---
B.J. Pinsky
Manager, Core Resources
NYP/CUMC
(o): 212-305-9021
(m): 917-626-9485
630 W. 168th Street
PH18-126
NY, NY 10032

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: Enforcing and Ensuring Machine Auth 802.1x

2009-05-21 Thread Lee H Badman
ACS- has been rock solid (we use it in a fairly simple way) with excellent 
logs. Tried IAS briefly a few years back, worked, but didn't feel the love with 
logging details.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M 
[neil-john...@uiowa.edu]
Sent: Thursday, May 21, 2009 6:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

What are you using for your RADIUS server ?

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

At our little campus we have about 100 computers that are pure wireless 
workstations provided in the library for student use. From time to time they 
will refuse to machine auth to the network. Typically they are reported after 
the fact as the student will bounce from workstation to workstation until they 
find a “Hot” one.

Troubleshooting:

We have tried JAMAP (Just add more access points). (for a stretch there we had 
36 to 50 people, including wireless workstations on a single access point).
Modifying the power settings so the machines never sleep.
Updating drivers for the mix of Broadcom, Intel and Linksys wireless cards.

All to no avail. We are an all Aruba shop and are quite pleased with their 
entire line, the system never bogs, higgs or given us any hint of trouble just 
the 802.1x problem.

The problem is difficult because there are so many workstations and that they 
don’t do it on any predictable scale. So….. any tips for 802.1x machine auth?


Thanks!

Jason Appah
Systems Administrator
Oregon Institute of Technology
http://www.oit.edu

RE: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

2009-05-21 Thread Jason Appah
Idengines

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M
Sent: Thursday, May 21, 2009 3:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

What are you using for your RADIUS server ?

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

At our little campus we have about 100 computers that are pure wireless
workstations provided in the library for student use. From time to time
they will refuse to machine auth to the network. Typically they are
reported after the fact as the student will bounce from workstation to
workstation until they find a Hot one.

Troubleshooting:

We have tried JAMAP (Just add more access points). (for a stretch there
we had 36 to 50 people, including wireless workstations on a single
access point).

Modifying the power settings so the machines never sleep.

Updating drivers for the mix of Broadcom, Intel and Linksys wireless
cards.

All to no avail. We are an all Aruba shop and are quite pleased with
their entire line, the system never bogs, higgs or given us any hint of
trouble just the 802.1x problem.

The problem is difficult because there are so many workstations and that
they don't do it on any predictable scale. So. any tips for 802.1x
machine auth?

Thanks!

Jason Appah
Systems Administrator
Oregon Institute of Technology
http://www.oit.edu



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-21 Thread Johnson, Bruce T
Jason et al,

Following up on the earlier two-SSID Nirvana (open and EAP-TLS) dialogue.

We have a multi-controller/multi-campus environment.  I'd love to have a single
EAP-TLS SSID handle all devices/applications, several with unique walled-garden
isolation requirements that would otherwise require their own SSID.  How
difficult is this to manage when you have to differentiate by controllers and
campus-specific subnets?

Can you combine attributes like NAS (controller) IP and device credentials to
serve up locally-significant VLANs?

Overall, has moving the administrative burden to RADIUS been a net gain in terms
of RF cleanliness and client simplicity?

Regards all,

--Bruce Johnson
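
An added illustration of the question above, not code from the thread or from any vendor's RADIUS product: a policy function that combines the controller's NAS-IP-Address with a role derived from the device credential and returns the RFC 3580 tunnel attributes for a campus-specific VLAN. The subnets, role names and VLAN IDs are constructed sample values, and the role lookup itself is assumed to happen elsewhere in the RADIUS server.

```python
import ipaddress

# RFC 3580 values that tell the authenticator "put this session in a VLAN".
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed sample data (documentation address ranges, made-up VLAN IDs).
CAMPUS_BY_NAS_SUBNET = {
    ipaddress.ip_network("192.0.2.0/28"): "main",
    ipaddress.ip_network("198.51.100.0/28"): "satellite",
}
VLAN_BY_CAMPUS_AND_ROLE = {
    ("main", "staff"): 110, ("main", "student"): 120, ("main", "auth-only"): 199,
    ("satellite", "staff"): 210, ("satellite", "student"): 220,
    ("satellite", "auth-only"): 299,
}


def campus_for(nas_ip):
    """Map the NAS-IP-Address of the request to a campus, or None if unknown."""
    try:
        addr = ipaddress.ip_address(nas_ip)
    except ValueError:
        return None
    for subnet, campus in CAMPUS_BY_NAS_SUBNET.items():
        if addr in subnet:
            return campus
    return None


def authorize(nas_ip, role):
    """Return (decision, reply attributes) for an already authenticated client.

    `role` is assumed to have been derived from the client credential
    (for example a certificate field or directory group).
    """
    campus = campus_for(nas_ip)
    if campus is None:
        # Fail closed: a request from a controller we do not know gets no VLAN.
        return "Access-Reject", {}
    # Unknown roles land in the restricted authentication/updates-only VLAN.
    vlan = VLAN_BY_CAMPUS_AND_ROLE.get(
        (campus, role), VLAN_BY_CAMPUS_AND_ROLE[(campus, "auth-only")])
    return "Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }
```

The same role resolves to a different VLAN ID depending on which controller forwarded the request, so one SSID can serve both campuses.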

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 4:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

It wasn't particularly difficult and many attributes from login name,
authenticator type, location, machine name,  and snmp names can be used to
differentiate and pass different vlans... just do your research on what the
Cisco is looking for when passing a vlan..

As an aside, the scenario we've seen both wired and wireless goes like this:

We have a vlan ascribed to authentication/Updates only, no internet, nothing but
a domain controller login conduit; then we have staff, student, lab vlans, and
so forth...

The clients perform machine authentication via 802.1x... the machines are placed
in the auth only vlan.. then the student staff or user logs in, and is placed in
the proper vlan.. the ip address is invalid and for a few moments 10-15 seconds
they get limited or no connectivity until Microsoft retries the dhcp
requests...

Having one or two SSIDs is king, and when it works, it's magic!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 15, 2009 1:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Yes I can imagine.  Thanks for the heads-up.

How hard has it been to provision via RADIUS?  I am in favor of the reduced SSID
load over the air.  Are MAC addresses the only thing you can use to map
attributes to?  What about machine names?

Thanks for your feedback,

Bruce T. Johnson   |   Network Engineer
Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 |
bjohns...@partners.org

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 4:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Correct, but it generated a ton of support calls..

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 15, 2009 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Is that a temporary condition until DHCP completes?

Bruce T. Johnson   |   Network Engineer
Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 |
bjohns...@partners.org



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

The only thing about that is training your users to accept the limited or no
connectivity state when connecting to the assigned vlan...

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

You don't mention if you're using 802.1x, but if you are, you can utilize Vlan
Override.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

which allows you to throw users into specific VLANs based on RADIUS return
attributes.  All off the same SSID.

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu wrote:

You could still get away with that with FAT APs

That is, since they are autonomous, you could assign different vlans and
in turn different ip scopes to the same ssid as they are all unaware of
each other.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv