Wireless in dorms
All,

We don't currently provide wireless in our dorms, and our official policy is to not allow students to bring their own wireless devices. We don't actively enforce this policy though, and as long as the students' device isn't causing problems, they typically don't hear from us. (We do provide at least a 100 Mbps wired connection to each student.)

We are considering changing our policy to allow BYOD (bring your own device) in the dorms. I know lots of students already BYOD, but we're not policing it. We're considering the costs associated with deploying our Aruba system to all the dorms, and the fact that students are going to BYOD anyway. Rather than fight them, allow it. We'll secure our wired network obviously, but also have workshops and online instructions to show the students how to properly connect and secure their device. Of course we realize the interference issues that may arise in a crowded 2.4 GHz space...

The University of Wisconsin-Madison (http://www.housing.wisc.edu/resnet/gameConsoles.php) already has a policy like this in place.

Just looking to hear from other universities who have or are considering a policy such as this.

thanks,
ray

--
Ray DeJean
Systems Engineer
Southeastern Louisiana University
email: r...@selu.edu
http://r-a-y.org

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Wireless in dorms
We don't have dorms, and don't generally permit random users to add their own infrastructure to our network. BYO *endpoint* device is permitted on our wireless network and a couple of specific wired locations, but we frown on people unplugging college-provided machines to plug their own into network segments where they are NOT welcome.

At least once a term, we'll have an emergency scramble to track down the rogue DHCP server that is giving campus clients bogus addresses and gateway/mask information and so isolating multiple clients from the Internet. Almost invariably it will turn out to be someone's BYOD router, misconfigured and/or connected backwards.

If I were a dorm resident, I'm sure I would prefer a campus with a BYOD policy, but as an IT employee, I worry that campuses may adopt them without appreciating the workload that supporting such a policy can entail.

David Gillett, CISSP CCNP

From: Ray DeJean [mailto:r...@selu.edu]
Sent: Monday, September 19, 2011 08:04
To: WIRELESS-LAN@listserv.educause.edu
Subject: [WIRELESS-LAN] Wireless in dorms
Re: [WIRELESS-LAN] Wireless in dorms
On 09/19/2011 11:04 AM, Ray DeJean wrote:

You don't mention what kind of network architecture you have - if you're using a relatively flat topology, with commingling of residence hall, administrative, and academic traffic, be sure that you've got technology and procedures in place to shut down misconfigured endpoints. Nobody will be happy when they start getting RFC1918 addresses from the DHCP server on little Timmy's free-with-rebate Linksys AP.

--
Matt Gracie (716) 888-8378
Information Security Administrator
grac...@canisius.edu
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
Re: [WIRELESS-LAN] Wireless in dorms
We do have dorms segregated on separate VLANs behind a firewall from the rest of the network. However, the rogue DHCP server issue is one of the main reasons we find out that a student is trying to run their own router. We have a roguedhcp Perl script that sends out DHCP requests every hour or so and sees who responds... if any rogues respond we quarantine them and tell them to unplug the router.

However, that's not good enough for the BYOD policy. So we're currently testing out ACLs and QoS profiles on our switches that will just block the DHCP server responses on the endpoint ports. So Timmy can run a DHCP server in his room all he wants without affecting anyone else. I don't know why we didn't think of that years ago...

ray

--
Ray DeJean
Systems Engineer
Southeastern Louisiana University
email: r...@selu.edu
http://r-a-y.org

On Mon, Sep 19, 2011 at 10:54 AM, Matthew Gracie grac...@canisius.edu wrote:
Same Radius server, more than one SSID, different groups of users?
We at UC Hastings would like to create a new SSID that only allows certain users with WPA-Enterprise authentication to access. We currently have two SSIDs: one which uses WPA-Enterprise with RADIUS which checks against an Active Directory group, and the other which uses Web-Auth which checks against the same Active Directory. We are using the Cisco Solution for enterprise wireless.

I would like to use the same RADIUS server for both WPA-Enterprise SSIDs. Any ideas?

---
Nicholas Urrea
Information Technology
UC Hastings College of the Law
San Francisco, CA, 94102
urr...@uchastings.edu
help desk: 415-581-8802 helpd...@uchastings.edu
RE: [WIRELESS-LAN] Wireless in dorms
Depending on your switch vendor, you can set up DHCP Trust, which says only certain ports can respond to DHCP requests. Solved the rogue DHCP problem for us instantly. :) (Our access layer is Cisco 3750.)

As for our wireless, we have Aruba deployed in our newer locations, and are in progress on the older buildings. Actually looking to use the student's wired jack to activate the AP. We discourage via policy BYO Access Points campus wide, but don't enforce heavily in the non-covered Res Hall areas; that will change as the Aruba deployment expands.

Carl Oakes
Network Architect
California State University Sacramento
(916) 278-5551 / oake...@csus.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ray DeJean
Sent: Monday, September 19, 2011 9:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless in dorms
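The hourly rogue-DHCP sweep Ray describes, and the "only these servers may answer" rule Carl's DHCP trust enforces on the switch, as an added Python example that is not code from either poster or from any product named in the thread. It constructs the probe and two DHCPOFFER replies inline (one from the campus server, one from a SOHO router handing out RFC1918 addresses), parses them, and puts every offer whose server identifier is not on the allow-list on the quarantine list; the xid, MAC, addresses and allow-list are constructed sample values.

```python
"""Rogue DHCP sweep: broadcast a DHCPDISCOVER, parse the DHCPOFFERs that come back,
and flag any offer whose server identifier is not on the allow-list (added example)."""
import ipaddress
import struct

# Fixed BOOTP/DHCP header (236 bytes), then the magic cookie, then TLV options.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255
DHCPDISCOVER, DHCPOFFER = 1, 2

def _packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed

def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

def build_discover(xid: int, mac: bytes) -> bytes:
    """The probe the hourly sweep broadcasts (broadcast flag set, no ciaddr)."""
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + _opt(OPT_MSG_TYPE, bytes([DHCPDISCOVER])) + bytes([OPT_END])

def build_offer(xid: int, mac: bytes, yiaddr: str, server: str, router: str,
                mask: str = "255.255.255.0") -> bytes:
    """A DHCPOFFER as a server would answer the probe (used here to construct samples)."""
    header = struct.pack(HEADER_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _packed(yiaddr), _packed(server), b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (_opt(OPT_MSG_TYPE, bytes([DHCPOFFER])) + _opt(OPT_SERVER_ID, _packed(server))
               + _opt(OPT_ROUTER, _packed(router)) + _opt(OPT_SUBNET_MASK, _packed(mask))
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options

def parse_dhcp(raw: bytes) -> dict:
    """Decode header fields and options; raises ValueError on malformed input."""
    if len(raw) < 240 or raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(HEADER_FMT, raw[:236])
    msg = {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])), "options": {}}
    i = 240
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:                      # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option")
        code, length = raw[i], raw[i + 1]
        msg["options"][code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def classify_offer(raw: bytes, probe_xid: int, authorized: set, dorm_subnet: str):
    """Verdict for one reply, or None if it is not an OFFER answering our probe."""
    msg = parse_dhcp(raw)
    opts = msg["options"]
    if msg["op"] != BOOTREPLY or msg["xid"] != probe_xid:
        return None          # stale or unrelated traffic, not an answer to this sweep
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "unknown"
    router = str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4])) if OPT_ROUTER in opts else None
    offered = ipaddress.IPv4Address(msg["yiaddr"])
    return {
        "server": server, "offered": str(offered), "router": router,
        "off_subnet": offered not in ipaddress.ip_network(dorm_subnet),
        "verdict": "authorized" if server in authorized else "rogue",
    }

def sweep(replies, probe_xid: int, authorized: set, dorm_subnet: str) -> list:
    """One hourly pass: every responder that is not our own server goes on the quarantine list."""
    results = (classify_offer(r, probe_xid, authorized, dorm_subnet) for r in replies)
    return [r for r in results if r and r["verdict"] == "rogue"]

# Constructed sample sweep from a sensor on the dorm VLAN (TEST-NET addresses).
PROBE_XID = 0x5E1C0DE1
PROBE_MAC = bytes.fromhex("020000000001")
AUTHORIZED = {"203.0.113.2"}
DORM_SUBNET = "203.0.113.0/24"
SAMPLE_REPLIES = [
    build_offer(PROBE_XID, PROBE_MAC, "203.0.113.77", "203.0.113.2", "203.0.113.1"),   # campus server
    build_offer(PROBE_XID, PROBE_MAC, "192.168.1.100", "192.168.1.1", "192.168.1.1"),  # SOHO router
    build_offer(0x11111111, PROBE_MAC, "203.0.113.78", "203.0.113.2", "203.0.113.1"),  # other xid
]

if __name__ == "__main__":
    assert parse_dhcp(build_discover(PROBE_XID, PROBE_MAC))["xid"] == PROBE_XID
    for rogue in sweep(SAMPLE_REPLIES, PROBE_XID, AUTHORIZED, DORM_SUBNET):
        print(f"rogue DHCP server {rogue['server']} offered {rogue['offered']} "
              f"(gateway {rogue['router']}, off-subnet={rogue['off_subnet']})")
```

On a live sensor the replies would come from a raw or UDP/68 socket after sending `build_discover`; the parsing and verdict logic is unchanged.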
Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
On 19/09/2011 17:24, Urrea, Nick wrote:

** If by Cisco Solution you meant Cisco WLCs with controller-based APs:

This would be very easy to do with FreeRADIUS (http://www.freeradius.org/). Do you have any other constraints? e.g. FreeRADIUS is Unix/Linux based; if you are a solely Windows shop, it'd be a bit of a learning curve.

We use FreeRADIUS to AAA our: VPN, Web-Auth wireless, multiple WPA2-Enterprise wireless (inc. eduroam). A single instance can handle these simultaneously. I believe the majority of the eduroam community use FreeRADIUS too.

** If you meant with Cisco ACS as your RADIUS server: ...sorry, no idea.

Regards,
James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
RE: [WIRELESS-LAN] Wireless in dorms
At the risk of being seen as shameless in self-promotion, I just wrote a brief piece about Extreme Networks Snap On WiFi (built on Motorola under the hood) Altitude 4511. If you buy into the philosophy, and under the right conditions I would, no additional wiring needed beyond the Cat 5 already installed for Ethernet. There are a growing number of ways to skin the wireless cat, and if you are new to wireless the options are many and interesting beyond the controller-based stuff.

See http://www.networkcomputing.com/wireless/231601558

And Extreme's page on these at http://extremenetworks.com/products/altitude-4511.aspx

Given that wiring can be as expensive as the APs, this sort of solution is at least interesting.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Oakes, Carl W
Sent: Monday, September 19, 2011 12:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless in dorms
Issue with Microsoft NPS certs and ipads/iphones
We have a new issue that popped up when we upgraded our RADIUS backend for our dot1x/PEAP from 2 Microsoft Windows 2003 IAS servers with Equifax certs to 3 Microsoft Windows 2008 NPS servers with GeoTrust certs.

What we have is issues with iPads/iPhones that seem to only sometimes remember the cert they most recently accepted. So for example, an iPad connecting to the wireless using NPS server 1 will prompt the user to accept and they get on. Subsequent attempts to an AP that uses that same server will work fine. But an attempt to another set of APs using server 2 will cause the user to have to accept the cert corresponding to the new server.

We do use the Cloudpath installers, but they seem to be of no help here. So, we did change 2 things at once, new certs and going from IAS to NPS. Anyone having any issues like this?

Thanks,
Bob Richman
University of Notre Dame.
RE: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
Cisco shop, yes: we use a WISM2 with CAPWAP APs. We are currently using IAS as our RADIUS server. Can you have FreeRADIUS talk to AD or do you need another LDAP?

-Nick

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James J J Hooper
Sent: Monday, September 19, 2011 10:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
On 19/09/2011 18:12, Urrea, Nick wrote:

We also use AD as our primary credentials DB. FR can talk to AD by using ntlm_auth (part of Samba) for authentication, and LDAP for authorization.

-James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
Nick,

Most RADIUS servers will let you do that (FreeRADIUS, Radiator, ACS...). If you want to separate users you can also use the same SSID that you use currently and return an attribute item from AD that would set the VLAN per user or per group of users.

Philippe, eduroamus.org (http://eduroamus.org)
University of Tennessee
(using a tiny keyboard)

On Sep 19, 2011, at 9:33 AM, Urrea, Nick urr...@uchastings.edu wrote:
Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
Nick,

I've used both NPS (new RADIUS server from Microsoft) and IAS. What you want to do is extremely simple.

FYI: Do NOT under any circumstances roll out a new SSID using WPA. Use WPA2.

I have 3 SSIDs that go back to the same RADIUS server. Is there anything special you want to do? Limit the groups so that only one SSID is available to them? With VLAN IDs you can even have users on the same SSID be in different VLANs, among other tricks.

Mike

On Mon, Sep 19, 2011 at 12:24 PM, Urrea, Nick urr...@uchastings.edu wrote:
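The SSID gating and per-group VLAN assignment that Philippe and Mike describe, as an added Python model of the authorization decision a RADIUS server makes per Access-Request; this is illustration, not FreeRADIUS, NPS or Cisco code. It assumes the controller puts the SSID in Called-Station-Id as "<AP MAC>:<SSID>" and that the user's EAP/password exchange has already succeeded; the SSID names, groups, users and VLAN IDs are constructed.

```python
"""Per-SSID group gating and dynamic VLAN reply attributes (added example)."""
import re

# Assumption: the WLC sends Called-Station-Id as "<AP MAC>:<SSID>". Check what your
# controller actually sends before building policy on it.
CALLED_STATION_RE = re.compile(
    r"^(?P<ap>(?:[0-9a-f]{2}-){5}[0-9a-f]{2}):(?P<ssid>.+)$", re.IGNORECASE)

# Constructed policy: AD groups allowed on each SSID and the VLAN each group lands in.
# The staff-only SSID lists one group; the shared SSID splits users into two VLANs.
POLICY = {
    "Campus-Staff":  {"Staff": "20"},
    "Campus-Secure": {"Staff": "20", "Students": "30"},
}

# Constructed stand-in for the directory lookup (FreeRADIUS via LDAP, NPS natively).
AD_GROUPS = {"alice": {"Staff"}, "bob": {"Students"}, "carol": set()}

def ssid_from_request(request: dict):
    """Extract the SSID the client associated to, or None if the attribute is unusable."""
    m = CALLED_STATION_RE.match(request.get("Called-Station-Id", ""))
    return m.group("ssid") if m else None

def authorize(request: dict, policy=POLICY, directory=AD_GROUPS):
    """Return (reply code, reply attributes) for one already-authenticated request."""
    ssid = ssid_from_request(request)
    if ssid is None or ssid not in policy:
        return "Access-Reject", {"Reply-Message": "unknown SSID"}      # fail closed
    user = request.get("User-Name", "").split("@")[0].lower()       # drop any realm suffix
    groups = directory.get(user)
    if groups is None:
        return "Access-Reject", {"Reply-Message": "unknown user"}
    for group, vlan in policy[ssid].items():      # first matching group in policy order wins
        if group in groups:
            return "Access-Accept", {             # RFC 3580 dynamic-VLAN attributes
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": vlan,
            }
    return "Access-Reject", {"Reply-Message": f"not permitted on {ssid}"}

if __name__ == "__main__":
    for user, ssid in [("alice", "Campus-Staff"), ("bob", "Campus-Staff"),
                       ("bob", "Campus-Secure"), ("carol", "Campus-Secure")]:
        req = {"User-Name": user, "Called-Station-Id": f"00-11-22-33-44-55:{ssid}"}
        print(user, ssid, authorize(req))
```

The same decision is expressed in FreeRADIUS as a check on Called-Station-Id plus an LDAP group membership, and in NPS as a Network Policy with a Called Station ID condition and a Windows Groups condition.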
Re: [WIRELESS-LAN] Issue with Microsoft NPS certs and ipads/iphones
We use the same certificate on two ACS servers for PEAP authentication to avoid the certificate warning when a user connects to the 2nd ACS server. We haven't seen any issues with that.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bob Richman robert.b.richma...@nd.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Monday, September 19, 2011 1:11:02 PM
Subject: [WIRELESS-LAN] Issue with Microsoft NPS certs and ipads/iphones
RE: [WIRELESS-LAN] Wireless in dorms
2 cents from someone in a similar boat.

Unfortunately, some of our campuses have been unable to support ubiquitous wireless in dorms due to cost. In some cases they have only common areas covered. That being the case, with wireless being the preferred access method along with a lack of local campus policy in this regard, they've understandably connected SOHO wireless routers.

Some of our ResHalls caused us significant problems on the wired side at the start of this semester. Although we enable L2 features (such as DHCP snooping/DAI/SG, MAC limits), we weren't able to corral an issue until implementing blocking of unknown unicast (Cisco UUFB) on the ResHall subnets. This being a wireless forum, I'll omit the details, but in a nutshell the issues were ICMP redirect/ARP-amplification related and would intermittently peg the attaching campus router's CPU.

I think efforts to search/fix offending devices or train students is entering a never-ending battle. As cheaper devices will not have A radios (not that many clients will either..), co-channel interference is likely common. Add in interference, e.g. assuming a fair # of microwave ovens, and I'd think their wireless experience is less than spectacular with no one to reach out to for insight/support.

I feel such devices in ResHalls add an unmanaged infrastructure that not only underserves the users but may also have consequences for the managed infrastructure it connects to. I suppose by allowing them to use such devices, one can remove themselves from wireless infrastructure/client support, but I'd rather be in a position where we could supply the needed wireless service in a managed way and avoid their need to use them.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ray DeJean
Sent: Monday, September 19, 2011 11:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless in dorms
RE: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
I would like to limit the SSID so only a certain group can access it. I want to use different QoS rates on different SSIDs so one network has more bandwidth available to individual users than the other.

SSID for students: 5 MB/s
SSID for staff/faculty: 20 MB/s

-Nick

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Monday, September 19, 2011 11:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

Nick,

I've used both NPS (new RADIUS server from Microsoft) and IAS. What you want to do is extremely simple.

FYI: Do NOT under any circumstances roll out a new SSID using WPA. Use WPA2.

I have 3 SSIDs that go back to the same RADIUS server. Is there anything special you want to do? Limit the groups so that only one SSID is available to them? With VLAN IDs you can even have users on the same SSID be in different VLANs, among other tricks.

Mike

On Mon, Sep 19, 2011 at 12:24 PM, Urrea, Nick urr...@uchastings.edu wrote:

We at UC Hastings would like to create a new SSID that only allows certain users with WPA-Enterprise authentication to access. We currently have two SSIDs: one which uses WPA-Enterprise with RADIUS, which checks against an Active Directory group, and the other which uses Web-Auth, which checks against the same Active Directory. We are using the Cisco solution for enterprise wireless. I would like to use the same RADIUS server for both WPA-Enterprise SSIDs. Any ideas?

---
Nicholas Urrea
Information Technology
UC Hastings College of the Law
San Francisco, CA, 94102
urr...@uchastings.edu
help desk: 415-581-8802
helpd...@uchastings.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
We're not using Cisco but what we do is evaluate the NAS-Identifier (which is the same as the SSID in our environment) along with AD group membership to determine what wireless networks our users can connect to. We are using Windows Network Policy Server and FreeRADIUS for our RADIUS servers.

Jason Todd
Western University of Health Sciences

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Urrea, Nick
Sent: Monday, September 19, 2011 1:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

I would like to limit the SSID so only a certain group can access it. [...]
** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
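Neither Jason nor Mike posted their configuration, so what follows is an added example (not from any poster, and not the FreeRADIUS project's own configuration) of the approach both describe: keying on NAS-Identifier to tell the SSIDs apart and on AD group membership to decide who may join, with Mike's same-SSID-different-VLAN trick shown on a shared SSID. It is written in FreeRADIUS 3.x unlang and assumes that the ldap module instance named "ldap" is bound to Active Directory and runs in the inner-tunnel authorize section, that the controller sends the SSID name in NAS-Identifier (true in Jason's environment, not on every controller, so confirm it in `radiusd -X` output first), and that the SSID names, VLAN IDs and group DNs are placeholders.

```conf
# Added example (not from the thread or the FreeRADIUS project).
# FreeRADIUS 3.x unlang for the "post-auth" section of
# sites-enabled/inner-tunnel, i.e. it runs after the PEAP/EAP-MSCHAPv2
# inner identity has authenticated and sees the real User-Name, not a
# possibly anonymous outer identity.
# Assumptions: the ldap module instance "ldap" is bound to Active Directory
# and listed in this server's authorize section; the controller sends the
# SSID name in NAS-Identifier (as in Jason's environment); the SSID names,
# VLAN IDs and group DNs below are placeholders.
post-auth {
    # NAS-Identifier arrives in the outer Access-Request, so read it there.
    switch &outer.request:NAS-Identifier {

        # Staff-only SSID: members of the Staff group land in VLAN 20;
        # anyone else is refused even though their credentials were valid.
        case "Staff-WiFi" {
            if (&LDAP-Group == "CN=Staff,OU=Groups,DC=example,DC=edu") {
                update outer.reply {
                    &Tunnel-Type := VLAN
                    &Tunnel-Medium-Type := IEEE-802
                    &Tunnel-Private-Group-Id := "20"
                }
            }
            else {
                reject
            }
        }

        # Shared SSID (Mike's trick): any account may join, but the VLAN,
        # and therefore the policy applied upstream, follows group membership.
        case "Campus-WiFi" {
            if (&LDAP-Group == "CN=Staff,OU=Groups,DC=example,DC=edu") {
                update outer.reply {
                    &Tunnel-Type := VLAN
                    &Tunnel-Medium-Type := IEEE-802
                    &Tunnel-Private-Group-Id := "20"
                }
            }
            elsif (&LDAP-Group == "CN=Students,OU=Groups,DC=example,DC=edu") {
                update outer.reply {
                    &Tunnel-Type := VLAN
                    &Tunnel-Medium-Type := IEEE-802
                    &Tunnel-Private-Group-Id := "30"
                }
            }
            else {
                reject
            }
        }

        # Any NAS-Identifier not listed above: deny by default, so a new or
        # renamed SSID does not silently inherit access.
        case {
            reject
        }
    }
}
```

Because the policy sits in the inner tunnel, a reject there fails the EAP exchange, so a student who picks the staff SSID with a valid password is still turned away, and the default case means an SSID the policy does not know about gets nothing rather than everything. The per-SSID rate limits Nick asked about are a property of the WLAN on the controller rather than something this policy returns; the RADIUS side only decides which SSID and VLAN a given account is allowed to end up on.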
Re: [WIRELESS-LAN] Wireless in dorms
That Altitude 4511 product looked interesting. I'm curious to know the per-unit price on those, as quick Google and Amazon searches didn't bring anything up in that regard. I'd also like to see one with a pass-through port, so I can put one over an existing port in a student's room or classroom and still connect the existing wired device at the same location.

We also were unable to find the budget for a traditional controller-based system, but we managed to do pretty well for ourselves using APs from EnGenius (ECB-9500). They run under $100 each, vs. $400, $600, or more for enterprise-level access points, and we run them without a controller, instead using existing infrastructure. The cheaper APs plus no controller put us in at about 1/10 what we were quoted for a traditional Aruba or Cisco system. Of course, at that price we made a few compromises:

- Reporting. This is huge. I don't get to know who's using what spectrum, and I often have to wait for students to tell me an access point isn't working in an area before I know about it, rather than being proactive about it. We work around this because we have good er
- Multiple SSIDs per access point. Our system actually will support this, but we haven't had the time to set it up yet. We do have some basic divisions by geographical area on campus to split up broadcast domains, but that's it.
- Fixed cell sizes (limited air space). My understanding is that more advanced systems can be set to automatically turn down transmission power based on the power from the neighboring access points, and thereby reduce the amount of airspace used by each client. We get by because we're small. Hand in hand with this is the need to manually tune channels. The access points we have support DD-WRT, which would allow us to tune this manually, but that would also mean buying and deploying more access points that we don't have budget for.
- Limited to 50 access points for RADIUS purposes with Windows Standard Server.
Of course, we need more than 50 access points and so had to open up our dorm wifi (no encryption there at all :( ). Our administrative and classroom buildings are encrypted, though; we're small enough to be able to do it that way. I'm working right now on a FreeRADIUS implementation that should fix this for us soon, but honestly our students **really like** the open wifi. We haven't had problems with campus neighbors and others leeching bandwidth, I have zero reports of abuse from tools like Firesheep, and so while this is something I'm working on I'm not as rushed about it as I should be.

We're up to 78 access points now. Add in wiring some PoE injectors, and we still spent less than $10,000 to unwire the whole campus.

Joel Coehoorn
York College IT Director
402.363.5603

On Mon, Sep 19, 2011 at 2:17 PM, Garry Peirce pei...@maine.edu wrote:

2 cents from someone in a similar boat. [...]