Re: [WIRELESS-LAN] Cisco ISE

2016-08-03 Thread Jeremy Mooney
We had that for years, and no issues from a technical perspective. Internet
access was the same as any other wireless device, although we did block the
designed-for-private-networks things like SMB. These days that seems like
little motivation for the average student though (they'd rather use Drive,
so printing was the biggest real loss), so many just stayed on the open
network. It would actually be nice to keep around from a support
perspective (it just works). The model does seem to be slowly gaining some
ground over captive portals in general, which is making things like Project
Fi's wifi offload w/vpn practical - it'll only auto-connect to completely
open networks (or networks you've saved of course).

On Wed, Aug 3, 2016 at 6:51 AM, Lee H Badman  wrote:

> This is without MAC auth. Pure open, piloted market leading MAC auth
> solutions and fingerprinting was less than impressive.
>
> This is an experiment.
>
> On Aug 3, 2016, at 7:36 AM, Osborne, Bruce W (Network Services) <
> bosbo...@liberty.edu > wrote:
>
> We have been doing open network with mac authentication for non-802.1X
> devices for years.
>
>
>
> We just block some things like our web site & course system that would not
> be used by those devices anyway. This “encourages” people to use the secure
> 802.1X network.
>
>
>
>
>
>
> *Bruce Osborne*
>
> *Wireless Engineer*
>
> *IT Network Operations - Wireless*
>
>
>
> *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Lee H Badman [mailto:lhbad...@syr.edu ]
> *Sent:* Tuesday, August 2, 2016 7:01 PM
> *Subject:* Re: Cisco ISE
>
>
>
> Open network, brother. We're about to test the good and bad of it in
> production for non-smart resnet devices.
>
>
> On Aug 2, 2016, at 12:10 PM, Shayne Ghere  > wrote:
>
> Bruce,
>
>
>
> It was a consultant that recommended it, but for gaming/non-802.1x capable
> devices.  I may have stated it incorrectly.
>
>
>
> Our problem is that we have more and more devices that are non-standard
> Windows/Mac OS so the certificates don’t work.  Most are Engineering/IT
> students and it’s an uphill battle for us.
>
>
>
> We’re currently looking at Apogee to take over our Dorm wired/wireless
> network, but we can do the same thing with our own equipment.  The question
> we’re asking ourselves is: do we want to create an open network in the
> dorms, firewall them from everything unless they’re using secure wireless,
> or continue to fight the certificate issues.
>
>
>
> We have a homegrown registration system, but we’re quickly outgrowing it
> and need to move to something that’s all encompassing.  We used ACS a few
> years ago, but our CIO (at the time) wanted to move to all open source and
> that’s caused more headaches than anything.
>
>
>
> I do have a conference call with Cisco deployment on Wednesday, but just
> wanted to get a feel how others in our field like the product, and what
> real world issues you’ve had.   Unfortunately, we don’t get that kind of
> feedback from the manufacturer.
>
>
>
> I appreciate all the e-mails and responses!
>
>
>
> Shayne
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Osborne, Bruce W
> (Network Services)
> *Sent:* Tuesday, August 02, 2016 6:33 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Cisco ISE
>
>
>
> I am surprised (and appalled) that Cisco would recommend **WPA2-Personal**
> (aka WPA2-PSK) in an Enterprise environment. We are currently using
> PEAP-MSCHAPv2 with our WPA2-Enterprise (aka 802.1X) wireless network.
>
>
>
> For self-registration on devices that cannot use 802.1X, we are using a
> custom portal with the ClearPass APIs. We are currently using an open
> network for mac authentication. We block our website & Blackboard system to
> “encourage” users to use our secure network for laptops instead of
> registering for mac auth.
>
>
>
> We are considering moving to using certs with ClearPass Onboard, but
> have not yet implemented. We are currently using CloudPath Wizard for
> onboarding 802.1X devices.
>
>
>
> *Bruce Osborne*
>
> *Wireless Engineer*
>
> *IT Network Services - Wireless*
>
>
>
> *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu
> ]
> *Sent:* Monday, August 1, 2016 10:06 AM
> *Subject:* Cisco ISE
>
>
>
> Good morning,
>
>
>
> Currently we have a home grown wireless registration system in place that
> is becoming obsolete.  We are getting ready to refresh our Cisco AP’s, and
> I’m writing to see if anyone has any positive/negative issues in using
> Cisco ISE for individual “self” registration on your wireless network.
>
>
>
> We also 

Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-03 Thread James Andrewartha
I tried DTIM 3 (after reading that blog post), but it didn't help, the laptop's 
wifi chipset still just went to sleep and missed packets. Plus, some vendors 
(eg Meraki, Ruckus) don't let you change it anyway. One thing Ruckus does do is 
broadcast to unicast conversion when an SSID has 5 or fewer devices on an AP, 
which masks the issue.

A quick way to demonstrate the problem is to have Wireshark running on a Mac 
with OS X 10.10 or 10.11, and another laptop (either running OS X 10.9 or 
Windows) connected to the same AP, and filter by arp. The first Mac will see 
between 10-40% of the ARP packets of the second laptop in my testing, depending 
on the load.

James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Jake Snyder 

Sent: Wednesday, 3 August 2016 8:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How big are your wireless segments?

There was some talk about this with iOS a while back.  Something about Apple 
wanting a longer DTIM value (3 seems to be working for a lot of folks).  DTIM 
of 1 seemed to give some grief.

http://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html?m=1



Thanks
Jake Snyder


Sent from my iPhone

>> On Aug 2, 2016, at 9:04 PM, James Andrewartha  
>> wrote:
>>
>> On 02/08/16 04:19, Peter P Morrissey wrote:
>> Given my understanding of the way arp works, not sure I understand how
>> it is possible for a large subnet to cause a client arp table to become
>> exhausted unless that client for some reason is directly communicating
>> with all of the other endpoints on the large subnet.
>>
>> My understanding is that the table is only populated in response to arp
>> queries that the client has initiated, even though it can “hear”
>> responses from other clients that are sent as a broadcast. It is easy
>> enough to verify this on Windows with an arp -a.
>>
>> I also don’t believe that broadcast traffic can have a material impact
>> on clients these days due to increases in CPU power at the magnitude of
>> Moore’s Law.
>
> Sadly there is no Moore's Law for batteries. OS X since 10.10 will
> aggressively sleep and miss broadcast ARP packets. I have seen this on
> four different AP vendors and have the wireless captures to prove it.
> Generally it doesn't cause user-visible problems, and it can be worked
> around by enabling proxy ARP on the APs/controller (if the vendor
> supports it).
>
> It will most likely present problems if the clients are trying to access
> servers on the same subnet and it's the *server's* ARP cache that gets
> exhausted (or simply expires the client). The client will resolve the
> server's MAC address OK, send the SYN packet, then the server will send
> a broadcast ARP request to resolve the client's MAC address, which can
> be missed by the Mac laptop. Depending on the level of broadcast
> traffic, it can take a minute or more with retries before a connection
> is established.
>
> For wireless designs where all data goes through the gateway and there's
> no client communication to other devices on the same subnet you probably
> won't notice a problem as the gateway's ARP cache will always be fresh.
> We saw it because we have a campus-wide flat L2 network shared between
> wired and wireless, and I also noticed a lot of ARP traffic from laptops
> looking for Apple TV IP addresses.
>
> We have filed a ticket with Apple, radar://26488949 if anyone has any
> contacts to escalate it. The fastest resolution we've had for any Apple
> bug is 3 years, so I don't expect this to be fixed any time soon.
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
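The capture comparison James describes (a reference laptop versus the suspected-sleepy Mac, filtered on ARP) and the server-side "who-has client" miss from his quoted text, as an added offline script that is not part of the thread. The MAC and IP values and the frames are constructed, not from a real capture; assumes Python 3.8+.

```python
"""Quantify broadcast-ARP loss on a client suspected of sleeping through
broadcasts by comparing two captures of the same air time: a reference
capture (wired span or a laptop that stays awake) and the capture taken on
the sleepy client itself. Frames are built inline; no pcap library needed."""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def parse_arp(frame: bytes):
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"broadcast": dst == BROADCAST_MAC, "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa), "tpa": ip_str(tpa)}


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast 'who-has target_ip' request, the frame type a sleeping client misses."""
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       b"\x00" * 6, ip_bytes(target_ip))
    return ETH_HDR.pack(BROADCAST_MAC, mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


def count_arp_requests(frames) -> Counter:
    """Broadcast ARP requests per sender MAC; non-ARP and unicast frames are ignored."""
    counts = Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["broadcast"] and arp["oper"] == ARP_REQUEST:
            counts[arp["sha"]] += 1
    return counts


def seen_fraction(reference, observed) -> dict:
    """Per sender: share of its reference requests also present in the observed capture (1.0 = nothing missed)."""
    ref, obs = count_arp_requests(reference), count_arp_requests(observed)
    return {mac: min(obs[mac], n) / n for mac, n in ref.items()}


def missed_for_target(reference, observed, target_ip: str) -> int:
    """Requests asking for target_ip (the server's 'who-has <client>') that the observed capture lacks."""
    def n_for(frames):
        return sum(1 for f in frames
                   if (a := parse_arp(f)) and a["oper"] == ARP_REQUEST and a["tpa"] == target_ip)
    return max(n_for(reference) - n_for(observed), 0)


# Constructed sample data (not a real capture).
LAPTOP_B = "aa:bb:cc:00:00:02"   # the awake laptop whose ARP the sleepy Mac should also hear
GATEWAY = "aa:bb:cc:00:00:01"    # a server/gateway resolving the sleepy client's MAC
SLEEPY_CLIENT_IP = "10.0.0.2"
REFERENCE_CAPTURE = (
    [build_arp_request(LAPTOP_B, "10.0.0.3", f"10.0.0.{100 + i}") for i in range(10)]
    + [build_arp_request(GATEWAY, "10.0.0.1", SLEEPY_CLIENT_IP) for _ in range(5)]
)
NON_ARP_FRAME = ETH_HDR.pack(BROADCAST_MAC, mac_bytes(GATEWAY), ETHERTYPE_IPV4) + b"\x00" * 46
# The sleepy client's own capture: 3 of 10 from laptop B, 2 of 5 from the gateway, plus a non-ARP frame.
OBSERVED_CAPTURE = REFERENCE_CAPTURE[:3] + REFERENCE_CAPTURE[10:12] + [NON_ARP_FRAME]

if __name__ == "__main__":
    for mac, share in seen_fraction(REFERENCE_CAPTURE, OBSERVED_CAPTURE).items():
        print(f"{mac}: saw {share:.0%} of its broadcast ARP requests")
    print("who-has requests for the client missed:",
          missed_for_target(REFERENCE_CAPTURE, OBSERVED_CAPTURE, SLEEPY_CLIENT_IP))
```

With real data, feed the two captures' raw frames (e.g. exported from Wireshark) in place of the constructed lists; a seen fraction well below 1.0 for every sender, with the reference capture complete, points at the client radio rather than the AP.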



RE: [WIRELESS-LAN] How big are your wireless segments?

2016-08-03 Thread Chuck Enfield
Apple is battery-life obsessed.  I wouldn't take their advice about anything 
that affects network performance.

BTW, don’t interpret this as an opinion on the DTIM interval.  I have an 
opinion on that, but don’t know enough to share it publicly.  It's just an 
ad hominem attack.

Chuck Enfield
Manager, Wireless Engineering
Telecommunications & Networking Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 03, 2016 10:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How big are your wireless segments?

But what's the penalty on non-Apple devices?



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Wednesday, August 03, 2016 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How big are your wireless segments?

There was some talk about this with iOS a while back.  Something about Apple 
wanting a longer DTIM value (3 seems to be working for a lot of folks). 
DTIM of 1 seemed to give some grief.

http://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html?m=1



Thanks
Jake Snyder


Sent from my iPhone

>> On Aug 2, 2016, at 9:04 PM, James Andrewartha 
>>  wrote:
>>
>> On 02/08/16 04:19, Peter P Morrissey wrote:
>> Given my understanding of the way arp works, not sure I understand
>> how it is possible for a large subnet to cause a client arp table to
>> become exhausted unless that client for some reason is directly
>> communicating with all of the other endpoints on the large subnet.
>>
>> My understanding is that the table is only populated in response to
>> arp queries that the client has initiated, even though it can “hear”
>> responses from other clients that are sent as a broadcast. It is easy
>> enough to verify this on Windows with an arp -a.
>>
>> I also don’t believe that broadcast traffic can have a material
>> impact on clients these days due to increases in CPU power at the
>> magnitude of Moore’s Law.
>
> Sadly there is no Moore's Law for batteries. OS X since 10.10 will
> aggressively sleep and miss broadcast ARP packets. I have seen this on
> four different AP vendors and have the wireless captures to prove it.
> Generally it doesn't cause user-visible problems, and it can be worked
> around by enabling proxy ARP on the APs/controller (if the vendor
> supports it).
>
> It will most likely present problems if the clients are trying to
> access servers on the same subnet and it's the *server's* ARP cache
> that gets exhausted (or simply expires the client). The client will
> resolve the server's MAC address OK, send the SYN packet, then the
> server will send a broadcast ARP request to resolve the client's MAC
> address, which can be missed by the Mac laptop. Depending on the level
> of broadcast traffic, it can take a minute or more with retries before
> a connection is established.
>
> For wireless designs where all data goes through the gateway and
> there's no client communication to other devices on the same subnet
> you probably won't notice a problem as the gateway's ARP cache will always 
> be fresh.
> We saw it because we have a campus-wide flat L2 network shared between
> wired and wireless, and I also noticed a lot of ARP traffic from
> laptops looking for Apple TV IP addresses.
>
> We have filed a ticket with Apple, radar://26488949 if anyone has any
> contacts to escalate it. The fastest resolution we've had for any
> Apple bug is 3 years, so I don't expect this to be fixed any time soon.
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>


RE: [WIRELESS-LAN] How big are your wireless segments?

2016-08-03 Thread Lee H Badman
But what's the penalty on non-Apple devices?



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Wednesday, August 03, 2016 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How big are your wireless segments?

There was some talk about this with iOS a while back.  Something about Apple 
wanting a longer DTIM value (3 seems to be working for a lot of folks).  DTIM 
of 1 seemed to give some grief.

http://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html?m=1



Thanks
Jake Snyder


Sent from my iPhone

>> On Aug 2, 2016, at 9:04 PM, James Andrewartha  
>> wrote:
>> 
>> On 02/08/16 04:19, Peter P Morrissey wrote:
>> Given my understanding of the way arp works, not sure I understand how
>> it is possible for a large subnet to cause a client arp table to become
>> exhausted unless that client for some reason is directly communicating
>> with all of the other endpoints on the large subnet.
>> 
>> My understanding is that the table is only populated in response to arp
>> queries that the client has initiated, even though it can “hear”
>> responses from other clients that are sent as a broadcast. It is easy
>> enough to verify this on Windows with an arp -a.
>> 
>> I also don’t believe that broadcast traffic can have a material impact
>> on clients these days due to increases in CPU power at the magnitude of
>> Moore’s Law.
> 
> Sadly there is no Moore's Law for batteries. OS X since 10.10 will
> aggressively sleep and miss broadcast ARP packets. I have seen this on
> four different AP vendors and have the wireless captures to prove it.
> Generally it doesn't cause user-visible problems, and it can be worked
> around by enabling proxy ARP on the APs/controller (if the vendor
> supports it).
> 
> It will most likely present problems if the clients are trying to access
> servers on the same subnet and it's the *server's* ARP cache that gets
> exhausted (or simply expires the client). The client will resolve the
> server's MAC address OK, send the SYN packet, then the server will send
> a broadcast ARP request to resolve the client's MAC address, which can
> be missed by the Mac laptop. Depending on the level of broadcast
> traffic, it can take a minute or more with retries before a connection
> is established.
> 
> For wireless designs where all data goes through the gateway and there's
> no client communication to other devices on the same subnet you probably
> won't notice a problem as the gateway's ARP cache will always be fresh.
> We saw it because we have a campus-wide flat L2 network shared between
> wired and wireless, and I also noticed a lot of ARP traffic from laptops
> looking for Apple TV IP addresses.
> 
> We have filed a ticket with Apple, radar://26488949 if anyone has any
> contacts to escalate it. The fastest resolution we've had for any Apple
> bug is 3 years, so I don't expect this to be fixed any time soon.
> 
> -- 
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> 



RE: [WIRELESS-LAN] Cisco ISE

2016-08-03 Thread Lee H Badman
Is Cisco 11ac environment. The open SSID is straight to Internet, no campus 
access. Also 1X SSID still in place for campus business. RF side really doesn’t 
change much. The devices have always been there, just many of them unusable. 
And we still draw the line on legacy data rate support.

Lee Badman | Network Architect (CWDP, CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Norton, Thomas 
(Network Services)
Sent: Wednesday, August 03, 2016 7:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

Q/A, EIRP, data rates, and channel planning are going to be your friend. 
Should be interesting. Would certainly be interested to hear how it goes. What 
APs are you going to be using?
T.J. Norton
Wireless Network Architect | Team Lead
Network Operations - Wireless

(434) 592-6552

Liberty University | Training Champions for Christ since 1971

On Aug 3, 2016, at 7:52 AM, Lee H Badman 
> wrote:
This is without MAC auth. Pure open, piloted market leading MAC auth solutions 
and fingerprinting was less than impressive.

This is an experiment.

On Aug 3, 2016, at 7:36 AM, Osborne, Bruce W (Network Services) 
> wrote:
We have been doing open network with mac authentication for non-802.1X devices 
for years.

We just block some things like our web site & course system that would not be 
used by those devices anyway. This “encourages” people to use the secure 802.1X 
network.


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Tuesday, August 2, 2016 7:01 PM
Subject: Re: Cisco ISE

Open network, brother. We're about to test the good and bad of it in production 
for non-smart resnet devices.

On Aug 2, 2016, at 12:10 PM, Shayne Ghere 
> wrote:
Bruce,

It was a consultant that recommended it, but for gaming/non-802.1x capable 
devices.  I may have stated it incorrectly.

Our problem is that we have more and more devices that are non-standard 
Windows/Mac OS so the certificates don’t work.  Most are Engineering/IT students 
and it’s an uphill battle for us.

We’re currently looking at Apogee to take over our Dorm wired/wireless network, 
but we can do the same thing with our own equipment.  The question we’re asking 
ourselves is: do we want to create an open network in the dorms, firewall them 
from everything unless they’re using secure wireless, or continue to fight the 
certificate issues.

We have a homegrown registration system, but we’re quickly outgrowing it and 
need to move to something that’s all encompassing.  We used ACS a few years 
ago, but our CIO (at the time) wanted to move to all open source and that’s 
caused more headaches than anything.

I do have a conference call with Cisco deployment on Wednesday, but just wanted 
to get a feel how others in our field like the product, and what real world 
issues you’ve had.   Unfortunately, we don’t get that kind of feedback from the 
manufacturer.

I appreciate all the e-mails and responses!

Shayne

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Osborne, Bruce W (Network Services)
Sent: Tuesday, August 02, 2016 6:33 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

I am surprised (and appalled) that Cisco would recommend *WPA2-Personal* (aka 
WPA2-PSK) in an Enterprise environment. We are currently using PEAP-MSCHAPv2 
with our WPA2-Enterprise (aka 802.1X) wireless network.

For self-registration on devices that cannot use 802.1X, we are using a custom 
portal with the ClearPass APIs. We are currently using an open network for mac 
authentication. We block our website & Blackboard system to “encourage” users 
to use our secure network for laptops instead of registering for mac auth.

We are considering moving to using certs with ClearPass Onboard, but have 
not yet implemented. We are currently using CloudPath Wizard for onboarding 
802.1X devices.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu]
Sent: Monday, August 1, 2016 10:06 AM
Subject: Cisco ISE

Good morning,

Currently we have a home grown wireless registration system in place that is 
becoming obsolete.  We 

Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-03 Thread Jake Snyder
There was some talk about this with iOS a while back.  Something about Apple 
wanting a longer DTIM value (3 seems to be working for a lot of folks).  DTIM 
of 1 seemed to give some grief.

http://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html?m=1



Thanks
Jake Snyder


Sent from my iPhone

>> On Aug 2, 2016, at 9:04 PM, James Andrewartha  
>> wrote:
>> 
>> On 02/08/16 04:19, Peter P Morrissey wrote:
>> Given my understanding of the way arp works, not sure I understand how
>> it is possible for a large subnet to cause a client arp table to become
>> exhausted unless that client for some reason is directly communicating
>> with all of the other endpoints on the large subnet.
>> 
>> My understanding is that the table is only populated in response to arp
>> queries that the client has initiated, even though it can “hear”
>> responses from other clients that are sent as a broadcast. It is easy
>> enough to verify this on Windows with an arp -a.
>> 
>> I also don’t believe that broadcast traffic can have a material impact
>> on clients these days due to increases in CPU power at the magnitude of
>> Moore’s Law.
> 
> Sadly there is no Moore's Law for batteries. OS X since 10.10 will
> aggressively sleep and miss broadcast ARP packets. I have seen this on
> four different AP vendors and have the wireless captures to prove it.
> Generally it doesn't cause user-visible problems, and it can be worked
> around by enabling proxy ARP on the APs/controller (if the vendor
> supports it).
> 
> It will most likely present problems if the clients are trying to access
> servers on the same subnet and it's the *server's* ARP cache that gets
> exhausted (or simply expires the client). The client will resolve the
> server's MAC address OK, send the SYN packet, then the server will send
> a broadcast ARP request to resolve the client's MAC address, which can
> be missed by the Mac laptop. Depending on the level of broadcast
> traffic, it can take a minute or more with retries before a connection
> is established.
> 
> For wireless designs where all data goes through the gateway and there's
> no client communication to other devices on the same subnet you probably
> won't notice a problem as the gateway's ARP cache will always be fresh.
> We saw it because we have a campus-wide flat L2 network shared between
> wired and wireless, and I also noticed a lot of ARP traffic from laptops
> looking for Apple TV IP addresses.
> 
> We have filed a ticket with Apple, radar://26488949 if anyone has any
> contacts to escalate it. The fastest resolution we've had for any Apple
> bug is 3 years, so I don't expect this to be fixed any time soon.
> 
> -- 
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> 


RE: [WIRELESS-LAN] Cisco ISE

2016-08-03 Thread Danny Eaton
We’ve got a pure open SSID – but with a captive portal AUP acceptance page.  
Keeps some of the devices off that either don’t have a browser or can’t click 
on “Accept”.  It ends up in our visitor VRF, which we treat devices as if they 
are at Starbucks, etc., so cannot reach private devices (storage, etc.), but 
can reach publicly available resources (email, etc.).  For the most part, it 
works pretty well – but we have folks who want to connect game consoles, TV 
streaming devices, etc. to it.  If a user wants to join that instead of the 
802.1X wireless network, that’s fine too, for basic internet access, they just 
won’t be able to get to some resources on campus.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 03, 2016 6:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

 

This is without MAC auth. Pure open, piloted market leading MAC auth solutions 
and fingerprinting was less than impressive. 

 

This is an experiment.


On Aug 3, 2016, at 7:36 AM, Osborne, Bruce W (Network Services) 
 > wrote:

We have been doing open network with mac authentication for non-802.1X devices 
for years. 

 

We just block some things like our web site & course system that would not be 
used by those devices anyway. This “encourages” people to use the secure 802.1X 
network.

 


 

Bruce Osborne

Wireless Engineer

IT Network Operations - Wireless

 

(434) 592-4229

 

LIBERTY UNIVERSITY

Training Champions for Christ since 1971

 

From: Lee H Badman [mailto:lhbad...@syr.edu] 
Sent: Tuesday, August 2, 2016 7:01 PM
Subject: Re: Cisco ISE

 

Open network, brother. We're about to test the good and bad of it in production 
for non-smart resnet devices. 


On Aug 2, 2016, at 12:10 PM, Shayne Ghere  > wrote:

Bruce,

 

It was a consultant that recommended it, but for gaming/non-802.1x capable 
devices.  I may have stated it incorrectly.

 

Our problem is that we have more and more devices that are non-standard 
Windows/Mac OS so the certificates don’t work.  Most are Engineering/IT students 
and it’s an uphill battle for us.

 

We’re currently looking at Apogee to take over our Dorm wired/wireless network, 
but we can do the same thing with our own equipment.  The question we’re asking 
ourselves is: do we want to create an open network in the dorms, firewall them 
from everything unless they’re using secure wireless, or continue to fight the 
certificate issues.  

 

We have a homegrown registration system, but we’re quickly outgrowing it and 
need to move to something that’s all encompassing.  We used ACS a few years 
ago, but our CIO (at the time) wanted to move to all open source and that’s 
caused more headaches than anything.

 

I do have a conference call with Cisco deployment on Wednesday, but just wanted 
to get a feel how others in our field like the product, and what real world 
issues you’ve had.   Unfortunately, we don’t get that kind of feedback from the 
manufacturer.

 

I appreciate all the e-mails and responses!

 

Shayne

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
 ] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Tuesday, August 02, 2016 6:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
 
Subject: Re: [WIRELESS-LAN] Cisco ISE

 

I am surprised (and appalled) that Cisco would recommend *WPA2-Personal* (aka 
WPA2-PSK) in an Enterprise environment. We are currently using PEAP-MSCHAPv2 
with our WPA2-Enterprise (aka 802.1X) wireless network. 

 

For self-registration on devices that cannot use 802.1X, we are using a custom 
portal with the ClearPass APIs. We are currently using an open network for mac 
authentication. We block our website & Blackboard system to “encourage” users 
to use our secure network for laptops instead of registering for mac auth. 

 

We are considering moving to using certs with ClearPass Onboard, but have 
not yet implemented. We are currently using CloudPath Wizard for onboarding 
802.1X devices.

 

Bruce Osborne

Wireless Engineer

IT Network Services - Wireless

 

(434) 592-4229

 

LIBERTY UNIVERSITY

Training Champions for Christ since 1971

 

From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu] 
Sent: Monday, August 1, 2016 10:06 AM
Subject: Cisco ISE

 

Good morning,

 

Currently we have a home grown wireless registration system in place that is 
becoming obsolete.  We are getting ready to refresh our Cisco AP’s, and I’m 
writing to see if anyone has any positive/negative issues in using Cisco ISE 
for individual “self” registration on your wireless network.

 

We also use WPA2/AES Certificate based security, but that is 

Re: [WIRELESS-LAN] Cisco ISE

2016-08-03 Thread Norton, Thomas (Network Services)
Q/A, EIRP, data rates, and channel planning are going to be your friend. 
Should be interesting. Would certainly be interested to hear how it goes. What 
APs are you going to be using?

T.J. Norton
Wireless Network Architect | Team Lead
Network Operations - Wireless

(434) 592-6552

Liberty University | Training Champions for Christ since 1971

On Aug 3, 2016, at 7:52 AM, Lee H Badman 
> wrote:

This is without MAC auth. Pure open, piloted market leading MAC auth solutions 
and fingerprinting was less than impressive.

This is an experiment.

On Aug 3, 2016, at 7:36 AM, Osborne, Bruce W (Network Services) 
> wrote:

We have been doing open network with mac authentication for non-802.1X devices 
for years.

We just block some things like our web site & course system that would not be 
used by those devices anyway. This “encourages” people to use the secure 802.1X 
network.


Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Tuesday, August 2, 2016 7:01 PM
Subject: Re: Cisco ISE

Open network, brother. We're about to test the good and bad of it in production 
for non-smart resnet devices.

On Aug 2, 2016, at 12:10 PM, Shayne Ghere 
> wrote:
Bruce,

It was a consultant that recommended it, but for gaming/non-802.1x capable
devices. I may have stated it incorrectly.

Our problem is that we have more and more devices that are non-standard
Windows/Mac OS so the certificates don’t work. Most are Engineering/IT students
and it’s an uphill battle for us.

We’re currently looking at Apogee to take over our Dorm wired/wireless network,
but we can do the same thing with our own equipment. The question we’re asking
ourselves is: do we want to create an open network in the dorms, firewall them
from everything unless they’re using secure wireless, or continue to fight the
certificate issues.

We have a homegrown registration system, but we’re quickly outgrowing it and 
need to move to something that’s all encompassing.  We used ACS a few years 
ago, but our CIO (at the time) wanted to move to all open source and that’s 
caused more headaches than anything.

I do have a conference call with Cisco deployment on Wednesday, but just wanted
to get a feel how others in our field like the product, and what real world
issues you’ve had. Unfortunately, we don’t get that kind of feedback from the
manufacturer.

I appreciate all the e-mails and responses!

Shayne

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Tuesday, August 02, 2016 6:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

I am surprised (and appalled) that Cisco would recommend *WPA2-Personal* (aka
WPA2-PSK) in an Enterprise environment. We are currently using PEAP-MSCHAPv2
with our WPA2-Enterprise (aka 802.1X) wireless network.

For self-registration on devices that cannot use 802.1X, we are using a custom
portal with the ClearPass APIs. We are currently using an open network for MAC
authentication. We block our website & Blackboard system to “encourage” users
to use our secure network for laptops instead of registering for MAC auth.

We are considering moving to using certs with ClearPass Onboard, but have
not yet implemented. We are currently using CloudPath Wizard for onboarding
802.1X devices.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu]
Sent: Monday, August 1, 2016 10:06 AM
Subject: Cisco ISE

Good morning,

Currently we have a home grown wireless registration system in place that is
becoming obsolete. We are getting ready to refresh our Cisco APs, and I’m
writing to see if anyone has any positive/negative issues in using Cisco ISE
for individual “self” registration on your wireless network.

We also use WPA2/AES Certificate based security, but that is problematic
because of compatibility issues and devices that have no way of accepting
certs. In talking with some Cisco Wireless Engineers, they recommend
WPA2/AES-PSK but we don’t have the manpower to set that up on every device.
We also do not NAT any devices.

If you have any suggestions, or comments on using ISE and moving away from 
Certs, I would greatly appreciate them.

Thanks
Shayne

--
T. Shayne Ghere
Bradley University
Wireless/LAN Network Engineer
1501 W. Bradley Ave, Jobst 224A

Re: [WIRELESS-LAN] Cisco ISE

2016-08-03 Thread Lee H Badman
This is without MAC auth. Pure open, piloted market leading MAC auth solutions 
and fingerprinting was less than impressive.

This is an experiment.

On Aug 3, 2016, at 7:36 AM, Osborne, Bruce W (Network Services) wrote:

We have been doing open network with MAC authentication for non-802.1X devices
for years.

We just block some things like our web site & course system that would not be
used by those devices anyway. This “encourages” people to use the secure 802.1X
network.

Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Tuesday, August 2, 2016 7:01 PM
Subject: Re: Cisco ISE

Open network, brother. We're about to test the good and bad of it in production 
for non-smart resnet devices.

On Aug 2, 2016, at 12:10 PM, Shayne Ghere wrote:

Bruce,

It was a consultant that recommended it, but for gaming/non-802.1x capable
devices. I may have stated it incorrectly.

Our problem is that we have more and more devices that are non-standard
Windows/Mac OS so the certificates don’t work. Most are Engineering/IT students
and it’s an uphill battle for us.

We’re currently looking at Apogee to take over our Dorm wired/wireless network,
but we can do the same thing with our own equipment. The question we’re asking
ourselves is: do we want to create an open network in the dorms, firewall them
from everything unless they’re using secure wireless, or continue to fight the
certificate issues.

We have a homegrown registration system, but we’re quickly outgrowing it and 
need to move to something that’s all encompassing.  We used ACS a few years 
ago, but our CIO (at the time) wanted to move to all open source and that’s 
caused more headaches than anything.

I do have a conference call with Cisco deployment on Wednesday, but just wanted
to get a feel how others in our field like the product, and what real world
issues you’ve had. Unfortunately, we don’t get that kind of feedback from the
manufacturer.

I appreciate all the e-mails and responses!

Shayne

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Tuesday, August 02, 2016 6:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

I am surprised (and appalled) that Cisco would recommend *WPA2-Personal* (aka
WPA2-PSK) in an Enterprise environment. We are currently using PEAP-MSCHAPv2
with our WPA2-Enterprise (aka 802.1X) wireless network.

For self-registration on devices that cannot use 802.1X, we are using a custom
portal with the ClearPass APIs. We are currently using an open network for MAC
authentication. We block our website & Blackboard system to “encourage” users
to use our secure network for laptops instead of registering for MAC auth.

We are considering moving to using certs with ClearPass Onboard, but have
not yet implemented. We are currently using CloudPath Wizard for onboarding
802.1X devices.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu]
Sent: Monday, August 1, 2016 10:06 AM
Subject: Cisco ISE

Good morning,

Currently we have a home grown wireless registration system in place that is
becoming obsolete. We are getting ready to refresh our Cisco APs, and I’m
writing to see if anyone has any positive/negative issues in using Cisco ISE
for individual “self” registration on your wireless network.

We also use WPA2/AES Certificate based security, but that is problematic
because of compatibility issues and devices that have no way of accepting
certs. In talking with some Cisco Wireless Engineers, they recommend
WPA2/AES-PSK but we don’t have the manpower to set that up on every device.
We also do not NAT any devices.

If you have any suggestions, or comments on using ISE and moving away from 
Certs, I would greatly appreciate them.

Thanks
Shayne

--
T. Shayne Ghere
Bradley University
Wireless/LAN Network Engineer
1501 W. Bradley Ave, Jobst 224A
sgh...@fsmail.bradley.edu
FBI CA Graduate 2011 Alumni
FBI InfraGard Member
--
UPCOMING OUT OF OFFICE
None
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

RE: Cisco ISE

2016-08-03 Thread Osborne, Bruce W (Network Services)
We have been doing open network with MAC authentication for non-802.1X devices
for years.

We just block some things like our web site & course system that would not be
used by those devices anyway. This “encourages” people to use the secure 802.1X
network.

Bruce Osborne
Wireless Engineer
IT Network Operations - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Tuesday, August 2, 2016 7:01 PM
Subject: Re: Cisco ISE

Open network, brother. We're about to test the good and bad of it in production 
for non-smart resnet devices.

On Aug 2, 2016, at 12:10 PM, Shayne Ghere wrote:

Bruce,

It was a consultant that recommended it, but for gaming/non-802.1x capable
devices. I may have stated it incorrectly.

Our problem is that we have more and more devices that are non-standard
Windows/Mac OS so the certificates don’t work. Most are Engineering/IT students
and it’s an uphill battle for us.

We’re currently looking at Apogee to take over our Dorm wired/wireless network,
but we can do the same thing with our own equipment. The question we’re asking
ourselves is: do we want to create an open network in the dorms, firewall them
from everything unless they’re using secure wireless, or continue to fight the
certificate issues.

We have a homegrown registration system, but we’re quickly outgrowing it and 
need to move to something that’s all encompassing.  We used ACS a few years 
ago, but our CIO (at the time) wanted to move to all open source and that’s 
caused more headaches than anything.

I do have a conference call with Cisco deployment on Wednesday, but just wanted
to get a feel how others in our field like the product, and what real world
issues you’ve had. Unfortunately, we don’t get that kind of feedback from the
manufacturer.

I appreciate all the e-mails and responses!

Shayne

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Tuesday, August 02, 2016 6:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco ISE

I am surprised (and appalled) that Cisco would recommend *WPA2-Personal* (aka
WPA2-PSK) in an Enterprise environment. We are currently using PEAP-MSCHAPv2
with our WPA2-Enterprise (aka 802.1X) wireless network.

For self-registration on devices that cannot use 802.1X, we are using a custom
portal with the ClearPass APIs. We are currently using an open network for MAC
authentication. We block our website & Blackboard system to “encourage” users
to use our secure network for laptops instead of registering for MAC auth.

We are considering moving to using certs with ClearPass Onboard, but have
not yet implemented. We are currently using CloudPath Wizard for onboarding
802.1X devices.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu]
Sent: Monday, August 1, 2016 10:06 AM
Subject: Cisco ISE

Good morning,

Currently we have a home grown wireless registration system in place that is
becoming obsolete. We are getting ready to refresh our Cisco APs, and I’m
writing to see if anyone has any positive/negative issues in using Cisco ISE
for individual “self” registration on your wireless network.

We also use WPA2/AES Certificate based security, but that is problematic
because of compatibility issues and devices that have no way of accepting
certs. In talking with some Cisco Wireless Engineers, they recommend
WPA2/AES-PSK but we don’t have the manpower to set that up on every device.
We also do not NAT any devices.

If you have any suggestions, or comments on using ISE and moving away from 
Certs, I would greatly appreciate them.

Thanks
Shayne

--
T. Shayne Ghere
Bradley University
Wireless/LAN Network Engineer
1501 W. Bradley Ave, Jobst 224A
sgh...@fsmail.bradley.edu
FBI CA Graduate 2011 Alumni
FBI InfraGard Member
--
UPCOMING OUT OF OFFICE
None
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.