Re: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-24 Thread Jake Snyder
You can always do an interface group and use the name of the group instead of 
the vlan ID coming from Cloudpath. Just keep all interfaces in the group the 
same size.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-24 Thread Turner, Ryan H

> The answers I am looking to gain from this are:
> Do you have eduroam deployed as your primary SSID or in addition to your SSIDs?

Eduroam is the primary SSID.

> Do you separate/tag your eduroam users? If so, how (acs/ISE/free radius, etc)?

Yes.  We use freeRadius.  However, we don’t use freeradius for tagging.  Since 
we have an Aruba environment, we use a simple feature that allows us, at the 
controller, without any messing around in freeRadius, to assign a VLAN based on 
user realm.  So, unc.edu users get one vlan, and non unc.edu get another.

> How big are your wireless subnets?

Huge.  Thousands and thousands.  With the broadcast suppression, it hasn’t been 
an issue for us.  You can message me privately if you want me to give you more 
specifics.  I just pulled up our interface config for main campus and stopped 
counting after a few thousand.




eduroam in a Cisco environment

2015-09-24 Thread Timothy Burns
We are just now starting down the eduroam path.

We are a Cisco shop and currently have our controllers pointed towards
xpressconnect to onboard/authenticate our students.

We currently have many interfaces on our controllers per building/SSID. We
were thinking of collapsing many of those interfaces and have larger
subnets and vlan tag the clients based on access we want to allow using the
single "eduroam" ssid.

So, for example, our local users will be placed in vlan 1 and eduroam users
from different colleges would be placed in vlan 2 with internet only
access. We have brought this up to our SE and VAR engineers and they are a
little hesitant on this approach as they say the subnets will be too
large. But, as I understand it, the broadcast messages are suppressed at
the controller.

Xpressconnect only supports 1 vlan tag so we were looking at using free
radius to create different realms and vlan tag the clients based on the end
of the username (ex: @.edu). We still have ACS at our disposal as we were
using it very heavily before using xpressconnect, so we thought it may be
an option to bring that back into the picture and use it to tag the clients.

The answers I am looking to gain from this are:

Do you have eduroam deployed as your primary SSID or in addition to your
SSIDs?

Do you separate/tag your eduroam users? If so, how (acs/ISE/free radius,
etc)?

How big are your wireless subnets?

Any opinions/suggestion/questions are welcome.

Thanks again in advance.

-- 

Tim Burns

Junior Network Administrator
1 University Heights
Asheville, NC 28804
828-232-5013
bu...@unca.edu

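As an added example that is not part of the thread, the realm-to-VLAN policy Tim sketches, written in Python so the edge cases can be checked: the home realm and VLAN values are assumed, and the result is the RFC 3580 Tunnel-* attribute set a RADIUS server would return, where the group id can be a VLAN number or, as Jake suggests for Cisco WLCs, an interface group name.

```python
"""Realm-based VLAN assignment for a single eduroam SSID.

Local users go to one VLAN and visitors from other institutions to an
Internet-only VLAN, returned as the RFC 3580 tunnel attributes a RADIUS
server would put in the Access-Accept. Realm names and VLAN values are
assumed for illustration; the policy logic is the point.
"""

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type: IEEE-802


class RealmPolicy:
    """Map the realm (text after the last '@' of User-Name) to a VLAN.

    home_realm:   the institution's own realm; sub-realms such as
                  student.<home_realm> also count as local.
    local_vlan / visitor_vlan: a numeric VLAN ID or, following the
                  interface-group suggestion for Cisco WLCs, a group name.
    """

    def __init__(self, home_realm, local_vlan, visitor_vlan):
        self.home_realm = home_realm.strip().lower()
        self.local_vlan = str(local_vlan)
        self.visitor_vlan = str(visitor_vlan)

    def classify(self, user_name):
        """Return 'local', 'visitor' or 'reject'.

        Realms are compared case-insensitively. A User-Name with no realm
        is rejected: eduroam needs the realm to route the request, and an
        empty realm must never fall through to the local VLAN. Only the
        realm is inspected, so an anonymous outer identity such as
        'anonymous@other.edu' is classified like any other visitor.
        """
        if "@" not in user_name:
            return "reject"
        realm = user_name.rsplit("@", 1)[1].strip().lower()
        if not realm:
            return "reject"
        if realm == self.home_realm or realm.endswith("." + self.home_realm):
            return "local"
        return "visitor"

    def tunnel_attributes(self, user_name):
        """Attributes for the Access-Accept, or None when the user is rejected."""
        kind = self.classify(user_name)
        if kind == "reject":
            return None
        vlan = self.local_vlan if kind == "local" else self.visitor_vlan
        # Tag 1 on all three attributes groups them together (RFC 2868 section 3)
        return {
            "Tunnel-Type": (1, TUNNEL_TYPE_VLAN),
            "Tunnel-Medium-Type": (1, TUNNEL_MEDIUM_IEEE_802),
            "Tunnel-Private-Group-Id": (1, vlan),
        }
```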



RE: [WIRELESS-LAN] Zebra Wireless

2015-09-24 Thread Lee H Badman
Joel,

Zebra is presenting next week at Wireless Field Day 8, which will be live 
streamed. http://techfieldday.com/event/wfd8/ If you have time to watch, and 
want anything specific asked as they go, hit me up on Twitter at @wirednot and 
if you don’t do Twitter but still want to try to interact for this I can give 
you my mobile # off list for texting. I’ll be there in person.

Just throwing it out there☺  I have played with the WiNG architecture, and it 
has a lot of interesting features, but I’ve never done a real eval outside of my 
own lab tests.

-Lee

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu




Zebra Wireless

2015-09-24 Thread Coehoorn, Joel
Has anyone here used or looked at the Zebra wireless platform (formerly
Motorola/Symbol)?  I'm looking at them for a deployment away from the main
campus. They have a very tempting AP line-up with pricing less than $250
per AP, and I wonder if anyone else has used or looked at them.


Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu

The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society




Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Kevin McCormick

I think you got us on to something.

I checked the cert and got Leaf certificate is REVOKED (Reason=9).

Looks like this maybe the source of our issue.

Keep you informed.

Kevin McCormick
uTech Network Services
Western Illinois University



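As an added example, not code from the thread or from Cloudpath, an offline check of a server certificate serial against a CRL, the revocation status Tobias says Windows 8+ enforces where older clients only check validity dates. The CRL here is a constructed sample with a placeholder signature; a real one comes from the CRL Distribution Point in the RADIUS server certificate and must be signature-verified against the issuing CA before its contents mean anything.

```python
"""Offline CRL check for a RADIUS server certificate.

A minimal ASN.1 DER walker parses a CertificateList, lists the revoked serials
with their CRLReason (RFC 5280: code 9 is privilegeWithdrawn, the 'Reason=9'
certutil printed), and reports whether a given leaf serial is revoked. The
sample CRL is constructed inline and carries a placeholder signature.
"""

CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded",
               5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}
OID_CRL_REASON = bytes.fromhex("551d15")          # 2.5.29.21 id-ce-cRLReasons
SEQUENCE, SET, INTEGER, OID, OCTET_STRING = 0x30, 0x31, 0x02, 0x06, 0x04
ENUMERATED, UTC_TIME, GENERALIZED_TIME = 0x0A, 0x17, 0x18

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into a list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def parse_entry(entry):
    """Decode one revokedCertificates entry: (serial, CRLReason code or None)."""
    fields = der_children(entry)                  # serial, time, [extensions]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    reason = None
    if len(fields) > 2:
        for _, ext in der_children(fields[2][1]):
            parts = der_children(ext)             # OID, [critical], OCTET STRING
            if parts[0][1] == OID_CRL_REASON:
                _, enum, _ = der_read(parts[-1][1])
                reason = enum[0]
    return serial, reason

def parse_crl(der):
    """Return {serial: reason_code_or_None} for every revoked certificate."""
    tag, cert_list, _ = der_read(der)
    if tag != SEQUENCE:
        raise ValueError("not a DER CertificateList")
    tbs = der_children(cert_list)[0][1]           # tbsCertList
    seen_time = False
    for tag, val in der_children(tbs):
        if tag in (UTC_TIME, GENERALIZED_TIME):   # thisUpdate / nextUpdate
            seen_time = True
        elif tag == SEQUENCE and seen_time:       # revokedCertificates
            return dict(parse_entry(e) for _, e in der_children(val))
    return {}                                     # nothing revoked

def revocation_status(crl_der, serial):
    """('good', None, None) or ('revoked', code, name) for a leaf serial."""
    revoked = parse_crl(crl_der)
    if serial not in revoked:
        return ("good", None, None)
    code = 0 if revoked[serial] is None else revoked[serial]
    return ("revoked", code, CRL_REASONS.get(code, "unknown"))

# --- constructed sample CRL, not issued by any real CA -----------------------
def der_tlv(tag, value):
    """Encode one TLV with a short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(i):
    return der_tlv(INTEGER, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def sample_crl():
    """Two revoked serials: 0x1001 with reason 9, 0x1002 without a reason."""
    utc = lambda s: der_tlv(UTC_TIME, s.encode())
    sig_alg = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b"))
                      + der_tlv(0x05, b""))       # sha256WithRSAEncryption, NULL
    issuer = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE, der_tlv(
        OID, bytes.fromhex("550403")) + der_tlv(0x0C, b"Sample RADIUS CA"))))

    def entry(serial, when, reason=None):
        body = der_int(serial) + utc(when)
        if reason is not None:
            ext = der_tlv(OID, OID_CRL_REASON) + der_tlv(
                OCTET_STRING, der_tlv(ENUMERATED, bytes([reason])))
            body += der_tlv(SEQUENCE, der_tlv(SEQUENCE, ext))
        return der_tlv(SEQUENCE, body)

    revoked = der_tlv(SEQUENCE, entry(0x1001, "150920120000Z", 9)
                      + entry(0x1002, "150921120000Z"))
    tbs = der_tlv(SEQUENCE, der_int(1) + sig_alg + issuer
                  + utc("150924120000Z") + utc("151024120000Z") + revoked)
    # placeholder signature value: this CRL parses but would never verify
    return der_tlv(SEQUENCE, tbs + sig_alg + der_tlv(0x03, bytes(17)))
```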

RE: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Heaton, Tobias
Kevin,

We recently encountered a similar situation where Windows 8/8.1/10 devices were 
onboarding fine and some days later failing to authenticate and unable to 
re-onboard.

Turns out the Radius certificate (also self-signed root & intermediate) was 
revoked and there was no clear indication of this in the Radius configuration 
and Windows devices were silently failing. I eventually found and unrevoked the 
Radius certificate and the devices associated with no issue.

Apparently Windows 8+ devices are much more particular about revocation status 
versus other operating systems that simply ensure valid certificate dates. 
Cloudpath did add a feature request to add revocation status to the Radius 
configuration pane in the Enrollment System.

Tobias Heaton
Network Operations
University of New Hampshire




Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Kevin McCormick
Clients on Windows 8 and 10 fail on boarding. Macs, Windows 7, IOS, and 
Androids does not seem to have any issues.


The radius server is issuing the certificates and the Windows 8 and 10 
appear to be saying that the radius server is reporting the certificates 
revoked.


We can export the certs from the Windows 8 or 10 machine, and then check 
the certs on Windows 7 using the command 'certutil -f -urlfetch -verify 
cert_name.cer' and the radius server is reporting the certs are fine.


We use our own Root CA and Intermediate CA.

Kevin McCormick
uTech Network Services
Western Illinois University



Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Craig Pluchinsky
We found a bug with the CloudPath onboarding and microsoft cert checking. 
We are using Microsoft NPS for the RADIUS server and it would randomly 
start saying that the certificate had been revoked.  Cloudpath released an 
update for fix this issue.  Upgrading the Enrollment Server fixed this for 
us.



---
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327




RE: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Turner, Ryan H
BTW...  I am only trying to clear this up, because as I read this, it would 
have nothing to do with your client certificates, and everything to do with the 
server certificate being offered by your authentication server (freeRadius/etc) 
to the client.  It is possible that there is a problem with the authentication 
server certificate, and certain clients/operating systems are more sensitive to 
this than others.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile



RE: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Turner, Ryan H
Let me see if I can clear things up...

Your clients were successfully onboarded, and when the clients connect, they 
are reporting that the radius server certificates being sent are revoked?  Or 
are you saying that your clients are reporting that the radius servers are 
saying the client certificates are revoked? 

If I read the error, it would indicate to me that your clients are having 
issues with the radius server certificates.  Who issued the certs?

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

I know many of you are using EAP-TLS and CloudPath on boarding.

We have run into an issue where some Windows 8 and 10 machines will say the 
server said the certificates are revoked, but they are not revoked. 
We have checked the things like time being correct. We did discover the command 
'certutil -f -urlfetch -verify cert_name.cer' will work just fine on Windows 7, 
but crashes on Windows 8 and Windows 10. The event viewer is showing these 
errors.

"The certificate received from the remote server has been revoked. This means 
that the certificate authority that issued the certificate has invalidated it. 
The SSL connection request has failed. The attached data contains the server 
certificate."  -- Attached is the root CA.

"A fatal alert was generated and sent to the remote endpoint. This may result 
in termination of the connection. The TLS protocol defined fatal error code is 
44. The Windows SChannel error state is 552."

I have tried googling the problem and have come up empty.

CloudPath has told our security admin that our university seems to be the only 
one having this issue.

Makes me wonder if our certs are being generated with incorrect settings for 
Windows 8 and Windows 10.

What algorithm and key length are you using?

Any suggestions?

Kevin McCormick
uTech Network Services
Western Illinois University



RE: Cisco WLC RADIUS Packet ID Bug

2015-09-24 Thread Curtis K. Larsen
In this case remember all other WLCs (9 of them) are authenticating 
successfully against the same RADIUS servers and same LDAP/AD without problem.  
Only a single WLC stops authenticating and we see the logs with the duplicate 
RADIUS IDs coming from that WLC, which seems to match the Cisco bug ID 
CSCuo96366.

We have also done dot1x load testing with the Spirent Test center, eapol_test, 
etc. and we monitor authentications and graph them down to the second.  We are 
certain it is not a back-end ldap or NTLM auth issue.


Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Wang, Yu [ywan...@fsu.edu]
Sent: Thursday, September 24, 2015 10:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC RADIUS Packet ID Bug

FSU uses Aruba wireless controllers with freeradius but we have seen similar 
issues in the past during peak hours. Through tests we found out that our 
backend (ldap) had congestion during peak hours and radius servers had to hold 
on authentication requests forwarded by wireless controllers and wait for the 
ldap servers' responses. Because radius cannot get a response from ldap in time 
to reply back to wireless controllers, wireless controllers resend auth requests 
thinking the previous ones were lost.

To remedy this issue, FSU purchased powerful hardware and installed the latest 
ldap service. We also increased the number of radius servers and paired up 
radius servers and wireless controllers.

We haven't seen the issue since then. I created a way to test backend capacity 
from radius server and will share it here later.

Since you mentioned "Symptom: Clients are not able to Authenticate at Peak 
loads when using FreeRadius.", I suspect that you have congested backend as 
well at peak load time. Not sure what backend you use at Utah you may need to 
take a look at it, check its load and logs during peak time. Also check that 
one WLC to see if it has more load than other WLCs (APs serving high 
concentrated areas) and move some APs to other WLC. You can also increase 
timeout value on your controllers so they wait a little longer for radius to 
response back. Increasing number of radius servers would help too but it'll 
require proper setup between controllers and radius servers.


Yu Wang
FSU



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Curtis K. Larsen 
[curtis.k.lar...@utah.edu]
Sent: Thursday, September 24, 2015 11:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC RADIUS Packet ID Bug

Hi Guys,

I have a TAC case open on this but It looks like once a week or so when the 
perfect storm arises we are hitting this one for a couple of minutes:  
CSCuo96366

---
WLC sends Radius packets with same ID without doing Radius ID check
CSCuo96366
Description
Symptom:
Clients are not able to Authenticate at Peak loads when using FreeRadius.

Conditions:
Using Freed radius (most susceptible), we observe at high auth rate and if 
Radius server is not responding to all Radius packets in seq order or if the 
server is slow, WLC when wraps around 0-255 Radius ID's, it does not do a check 
when posting new packet.

So essentially you have 2 packets with same ID being presented to AAA server.
---

The funny thing is that 9 of 10 WLC's are working fine against the same servers 
at the same time - the problem only happens on one WLC.  When it occurs we see 
this in the logs (Notice the same ID number 253 below)

servername radiusd[23964]: Discarding conflicting packet from client (IP of 
WLC) port 32770 - ID: 253 due to recent request 57345605.
servername radiusd[23964]: Discarding conflicting packet from client (IP of 
WLC) port 32770 - ID: 253 due to recent request 57347264

Wondering if other Cisco WLC customers see this since I know a lot of you are 
using FreeRADIUS, or FreeRADIUS-based authentication servers.  If so, let me 
know of any solutions and/or work-arounds.


Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer
**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: Cisco WLC RADIUS Packet ID Bug

2015-09-24 Thread Wang, Yu
FSU uses Aruba wireless controllers with FreeRADIUS, but we have seen similar 
issues in the past during peak hours. Through tests we found out that our 
backend (LDAP) was congested during peak hours, and the RADIUS servers had to hold 
authentication requests forwarded by the wireless controllers while waiting for the 
LDAP servers' responses. Because RADIUS cannot get a timely response from LDAP to 
reply back to the wireless controllers, the wireless controllers resend auth 
requests, thinking the previous ones were lost.

To remedy this issue, FSU purchased powerful hardware and installed the latest LDAP 
service. We also increased the number of RADIUS servers and paired up RADIUS servers 
and wireless controllers.

We haven't seen the issue since then. I created a way to test backend capacity 
from the RADIUS server and will share it here later.

Since you mentioned "Symptom: Clients are not able to Authenticate at Peak 
loads when using FreeRadius.", I suspect that you have a congested backend as 
well at peak load time. I'm not sure what backend you use at Utah; you may need to 
take a look at it and check its load and logs during peak time. Also check that 
one WLC to see if it has more load than the other WLCs (APs serving highly 
concentrated areas) and move some APs to another WLC. You can also increase the 
timeout value on your controllers so they wait a little longer for RADIUS to 
respond. Increasing the number of RADIUS servers would help too, but it'll 
require proper setup between the controllers and RADIUS servers.


Yu Wang
FSU



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Curtis K. Larsen 
[curtis.k.lar...@utah.edu]
Sent: Thursday, September 24, 2015 11:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC RADIUS Packet ID Bug



Re: [WIRELESS-LAN] Cisco WLC software upgrade

2015-09-24 Thread Dan Brisson
I'll second the false DFS events, or perhaps more accurately "alleged" DFS 
events. I'm working with TAC now to figure out whether we really have radar or 
whether it was the upgrade from 7.6.130 to 8.0.120 that did it.


-dan


Dan Brisson
Network Engineer
University of Vermont
(Ph) 802.656.8111
dbris...@uvm.edu

On 9/23/2015 9:45 PM, Trent Hurt wrote:

Watch out for false DFS events. Various bugs throughout 8 code.

Sent from my iPhone


On Sep 23, 2015, at 11:04 AM, Philip C Theruvakattil wrote:

We are currently running 8.0.120.0 on our production pair of Cisco 5508 
controllers. APs are primarily 3500, 1142, 1131 and just starting to deploy 
2700s.

It has been a month and a half since we upgraded to 8.0.120.0 and have not 
experienced any problems.

Phil T
Network Engineer
Phillips Andover Academy


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bruce Curtis
Sent: Tuesday, September 22, 2015 4:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC software upgrade

We have been running 8.0.120.0 on our 8510 HA pair and haven't had any major 
issues.

We had some strange behavior that we mistakenly thought might be related to 
8.0.120.0, but we finally found that the real issue was MAC table exhaustion on 
switches in the Residence Halls. (The APs there are in FlexConnect mode.)


On Sep 22, 2015, at 10:44 AM, Entwistle, Bruce wrote:

We are currently running version 7.6.130.30 on our pair of Cisco 5508 
controllers and have been dealing with an issue where the CleanAir sensor on 
the APs will randomly crash. The APs are primarily model 3500 and 3600. I 
have been informed that the solution is to upgrade to version 8.0.120.0. I was 
looking to see what others have experienced in their upgrade from 7.6.130.30 to 
version 8.0.120.0.

Thank you
Bruce Entwistle
Network Manager
University of Redlands



---
Bruce Curtis  bruce.cur...@ndsu.edu
Certified NetAnalyst II  701-231-8527
North Dakota State University



EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Kevin McCormick

I know many of you are using EAP-TLS and CloudPath onboarding.

We have run into an issue where some Windows 8 and 10 machines will say 
the server said the certificates are revoked, but they are not revoked. 
We have checked things like the time being correct. We did discover that the 
command 'certutil -f -urlfetch -verify cert_name.cer' will work just 
fine on Windows 7, but crashes on Windows 8 and Windows 10. The event 
viewer is showing these errors.


"The certificate received from the remote server has been revoked. This 
means that the certificate authority that issued the certificate has 
invalidated it. The SSL connection request has failed. The attached data 
contains the server certificate."  -- Attached is the root CA.


"A fatal alert was generated and sent to the remote endpoint. This may 
result in termination of the connection. The TLS protocol defined fatal 
error code is 44. The Windows SChannel error state is 552."


I have tried googling the problem and have come up empty.

CloudPath has told our security admin that our university seems to be 
the only one having this issue.


Makes me wonder if our certs are being generated with incorrect settings 
for Windows 8 and Windows 10.


What algorithm and key length are you using?

Any suggestions?

Kevin McCormick
uTech Network Services
Western Illinois University



Cisco WLC RADIUS Packet ID Bug

2015-09-24 Thread Curtis K. Larsen
Hi Guys,

I have a TAC case open on this, but it looks like once a week or so, when the 
perfect storm arises, we are hitting this one for a couple of minutes: 
CSCuo96366

---
WLC sends Radius packets with same ID without doing Radius ID check
CSCuo96366
Description
Symptom:
Clients are not able to Authenticate at Peak loads when using FreeRadius.

Conditions:
Using FreeRADIUS (most susceptible), we observe at a high auth rate that if the 
RADIUS server is not responding to all RADIUS packets in sequence order, or if the 
server is slow, the WLC does not do a check when it wraps around the 0-255 RADIUS 
IDs and posts a new packet.

So essentially you have 2 packets with the same ID being presented to the AAA server.
---

The funny thing is that 9 of 10 WLCs are working fine against the same servers 
at the same time - the problem only happens on one WLC. When it occurs we see 
this in the logs (notice the same ID number 253 below):

servername radiusd[23964]: Discarding conflicting packet from client (IP of WLC) port 32770 - ID: 253 due to recent request 57345605.
servername radiusd[23964]: Discarding conflicting packet from client (IP of WLC) port 32770 - ID: 253 due to recent request 57347264

Wondering if other Cisco WLC customers see this, since I know a lot of you are 
using FreeRADIUS or FreeRADIUS-based authentication servers. If so, let me 
know of any solutions and/or workarounds.


Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer
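A small triage script, added here as an example and not part of the thread, that scans FreeRADIUS logs for the "Discarding conflicting packet" message quoted above and reports whether the discards are isolated to one WLC (the pattern Curtis describes) or spread across all of them (the backend-congestion pattern Yu suggests). The syslog prefixes, hostnames and client IPs in the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the FreeRADIUS message quoted in the thread; a syslog prefix may precede it.
CONFLICT_RE = re.compile(
    r"radiusd\[\d+\]: Discarding conflicting packet from client (?P<client>\S+) "
    r"port (?P<port>\d+) - ID: (?P<id>\d+) due to recent request (?P<req>\d+)"
)

def parse_conflicts(lines):
    """Yield (client, port, radius_id, request_number) per conflicting-packet discard."""
    for line in lines:
        m = CONFLICT_RE.search(line)
        if m:
            yield m["client"], int(m["port"]), int(m["id"]), int(m["req"])

def summarize(lines, clients):
    """Count discards per RADIUS client (WLC) and give a rough verdict.

    `clients` lists every controller that was authenticating in the window, so a
    clean controller still shows up with a zero count."""
    counts = Counter({c: 0 for c in clients})
    reused_ids = defaultdict(set)
    for client, _port, rid, _req in parse_conflicts(lines):
        counts[client] += 1
        reused_ids[client].add(rid)
    affected = [c for c in clients if counts[c]]
    if not affected:
        verdict = "clean"
    elif len(affected) == 1 and len(clients) > 1:
        # One WLC colliding on IDs while its peers are fine: the per-controller pattern.
        verdict = "isolated"
    else:
        # Every client colliding at once points at a slow backend and retransmits.
        verdict = "widespread"
    return dict(counts), {c: sorted(s) for c, s in reused_ids.items()}, verdict

# Constructed sample log lines (prefix, hostname and IPs are made up); the message
# bodies follow the two lines quoted in the thread, plus one non-matching line.
SAMPLE_ISOLATED = [
    "Sep 24 11:02:13 servername radiusd[23964]: Discarding conflicting packet from client 10.0.0.1 port 32770 - ID: 253 due to recent request 57345605.",
    "Sep 24 11:02:14 servername radiusd[23964]: Discarding conflicting packet from client 10.0.0.1 port 32770 - ID: 253 due to recent request 57347264",
    "Sep 24 11:02:14 servername radiusd[23964]: Login OK: [alice] (from client 10.0.0.2 port 32770)",
]
SAMPLE_WIDESPREAD = SAMPLE_ISOLATED + [
    "Sep 24 11:02:15 servername radiusd[23964]: Discarding conflicting packet from client 10.0.0.2 port 32770 - ID: 17 due to recent request 57347300",
    "Sep 24 11:02:15 servername radiusd[23964]: Discarding conflicting packet from client 10.0.0.3 port 32770 - ID: 90 due to recent request 57347301",
]
CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]

if __name__ == "__main__":
    for sample in (SAMPLE_ISOLATED, SAMPLE_WIDESPREAD):
        print(summarize(sample, CLIENTS))
```

Feed it the radiusd log for the window in which clients failed, together with the list of every controller's NAS IP, and compare the verdict with what the controllers' own auth counters show.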