iOS 11.0.1 Captive Network Assistant Behavior

2017-09-28 Thread Curtis K. Larsen
Has anyone noticed a difference in Apple's CNA behavior on iOS 11.0.1?  It 
seems when the user clicks a link whilst still in the captive browser it opens 
it in the real Safari browser.  The problem is the real Safari browser is only 
found behind the captive browser which takes up the full screen.  So the user 
has to click the blue "Done" link in order to see the URL you linked to.  If a 
user doesn't happen to notice the blue "Done" link they may think the captive 
portal is just broken or hung.

In iOS 10.3.3 the link would redirect and load the linked page staying inside 
the captive browser for the duration.  Just sharing an observation.


Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


Re: UT Austin Biennial Network Report

2017-09-28 Thread Green, William C

Can you provide any additional information as to why the use of eduroam is 
prohibited?
Regarding local campus use, it was an opinion by university legal counsel— I 
have nothing more to add.  (and this is not a listserv for legal experts)

I can comment on security for UT Austin’s use of eduroam elsewhere, and that 
would be an appropriate conversation for this list.  It is related to how our 
university has implemented credentials and wireless authentication that may not 
apply at many other institutions.

1)  Wireless at UT Austin may only be accessed via 802.1x at present, and the 
only EAP method supported is PEAPv0/EAP-MSCHAPv2.  MSCHAPv2 has 
vulnerabilities.  As long as the RADIUS infrastructure is operated securely by 
the university, we do not believe this is much of an exposure.  eduroam, 
however, is a confederation of thousands of RADIUS servers, none of which are 
operated by the university.  We think some of those could be compromised, 
providing access to exploit MSCHAPv2 weaknesses.

2)  The credential is the same one used for “consistent sign-on” for almost all 
university services.  Additional factors are being added to a number of 
services, but compromise of the single credential would still be very bad.

3)  We know about alternative EAP methods, such as certificates.  It is a tool 
we would like for other use cases and benefits.  But that has not been 
prioritized for resources to date (please insert long-tail time and money here).

4)  It has been our experience that PEAPv0/EAP-MSCHAPv2 is the path of least 
resistance on the most popular platforms.  A different credential or 
alternative EAP methods for regular campus use would create too much friction 
when connecting (your campus may be different).  Yes, we are aware of current 
on-boarding products — and we use some of them.  At some point the security 
environment may change (it usually does) tipping in favor of other methods.  
Along the way native OS support may improve for other methods obviating need 
for an on-boarding step by our community (wouldn’t that be swell), or 
on-boarding tools may become better and less cumbersome.



-William




RE: Wi-Fi Request for University Conference event

2017-09-28 Thread Osborne, Bruce W (Network Operations)

With our Aruba ClearPass Guest solution we do mac address caching for the 
lifetime of the guest account. This means they only log in once per device. 
After that, we authenticate based on the device mac address.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Yahya M. Jaber [mailto:yahya.ja...@kaust.edu.sa]
Sent: Wednesday, September 27, 2017 8:18 AM
Subject: Re: Wi-Fi Request for University Conference event

Hi,

We are actually improving our guest experience, and what I thought of is the 
following (we use Cisco equipment):

  *   Would give up my guest SSID through ISE, as there is still no feature to 
increase the idle timeout on the WLC (like the sleeping client) which will stop 
users from complaining about the constant login once they go idle (especially 
iPhone, which turns off WiFi after some time when it's on the lock screen!!)…I 
know that I can increase the idle timeout, but that would prevent getting real 
client count from the WLC and PI and might affect the client WLC DB.
  *   Would use simple AUP guest SSID with sleeping client timer of 1-4 days.
  *   Won’t use bandwidth limit…the internet link is good.
  *   802.11ac 80 MHz or 40 MHz based on the location of the event.
  *   Survey..survey..survey..before the event to check everything.


Yahya Jaber.
Sr. Wireless Engineer
IT Network & Communications – Engineering
Building 14, Level 3, Rm 308-WS07
KAUST 23955-6900 Thuwal, KSA

Email yahya.ja...@kaust.edu.sa
Office +966 (0) 12 8081237
Mobile +966 (0) 558697555
On Call Rotation Mobile: +966 54 470 1177

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, September 27, 2017 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

Our process is not ideal.

Where possible, we try to avoid setting up special SSIDs. Our normal Guest SSID 
allows for self registration for bandwidth-restricted Internet access or 
sponsored registration for faster Internet access.

We utilize our ClearPass Guest management to create an expiring event guest 
username with unlimited devices ending in “@event” instead of a proper email 
address. The original plan was for our IT Communications BRMs to create these 
accounts. Lately, our wireless team has been doing that. Event coordinators 
need to test access ahead of time, especially if it is “critical”. Otherwise, 
they are failing their job, IMHO.

For major events, with special access we sometimes set up a PSK SSID. In our 
experience, an open SSID is not good because you will pick up every roaming 
mobile device, exhausting your DHCP address pool.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Williams, Mr. Michael [mailto:mmwilli...@tarleton.edu]
Sent: Monday, September 25, 2017 4:01 PM
Subject: Wi-Fi Request for University Conference event

Hello,

Here recently, we have received numerous requests for guest WI-FI access during 
on campus conference events.  In order to support these events, we normally 
create a special open conference SSID that requires a pre-shared key or 
passcode for authentication.

What we are struggling with is how to set the level of expectation for WI-FI 
functionality during these types of events.   Conference sponsors inform us that 
Wi-Fi/internet access for conference attendees is critical, or some special app 
must function flawlessly or their conference event will be a bust.

We want to develop a formal conference request process that would detail what 
type of Wi-Fi support we can offer, what level of user experience to expect and 
what the sponsor responsibilities would be during these conference events.

I am curious to hear how other universities handle these types of events. Does 
anyone have a formal process, that they are willing to share, that addresses 
some of these concerns?
Thanks

Mike


Michael M. Williams
Senior Network Engineer
Information Technology Services
Tarleton State University
201 St. Felix Str.
Box T-0220
Stephenville, TX 76402
Tel: (254) 968-1850
Fax: (254) 968-9658
mmwilli...@tarleton.edu

“ Tarleton Networks – Connecting people with their potential”


Re: Aruba OS 6.5.X

2017-09-28 Thread Eddy van Loo
Hi,

We just upgraded our small WLAN environment (2* WLC7210 (master/local) 147 * 
AP-315 and 6 * AP-335) to AOS 6.5.1.8 last night, after having daily AP 
crashes/reboots from Kernel Panics (XXX TARGET ASSERTED XXX) on about 7% of our 
installed base. We have been running AOS 6.5.1.7 since mid July, 
and the kernel panics started to occur when the new school term started by the 
end of August. 
TAC advised us to run 6.5.3.2 last week but this didn't fix the kernel panics. 
Yesterday they gave us advice to upgrade to 6.5.1.8 or 6.5.4.1 as they 
identified this issue as "Bug ID 168947".

So far, no crashes today. (fingers crossed, today is a quiet one with respect 
to the number of connected clients)

Eddy, network admin
HZ University of Applied Sciences.
Vlissingen, NL
---



RE: [WIRELESS-LAN] Wi-Fi Request for University Conference event

2017-09-28 Thread Jason Cook
Thanks Tim, we don’t have clearpass (we use freeradius and cloudpath). I’ll 
certainly keep that in mind though for future

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Thursday, 28 September 2017 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

What are you using for a AAA solution? ClearPass fully supports per-device PSK 
with Cisco WLC’s with full self-registration.

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jason Cook 
<jason.c...@adelaide.edu.au>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, September 27, 2017 at 9:00 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We currently set up dedicated PSKs for everything, but that’s such a pain so 
we are currently going through the process of something new. As a short term 
measure to improve things (since at times we end up with 5 additional PSKs 
and Cisco’s SSID assignment is a bit crappy) we have a single PSK that rolls 
over once a week and our service desk hands out the PSK upon request.

We are currently building a registered guest environment in Cloudpath, it’s not 
set in stone yet but…. Short term visitors will likely connect to an open 
network with MAC registration while longer term visitors will get a 
certificate and use our primary SSID with wpa2-enterprise. We’ll enable various 
groups like service desk and event organisers to be sponsors to create the 
codes to register with and get users to identify themselves via txt, email or 
external auth like Google/Facebook/LinkedIn.
Dedicated PSKs will be allowed under certain circumstances.

We would ideally migrate the MAC rego to IPSK “when” it’s ready for such an 
implementation.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trinklein, Jason R
Sent: Thursday, 28 September 2017 7:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We used to set up custom SSIDs for conferences and special events on a subset 
of our APs with PSKs, and the traffic ended up on a dedicated VLAN with 
internet-only access. It was cumbersome and made our APs unstable with the 
frequent configuration changes. We switched to creating a special OU/group in 
AD for housing temporary self-expiring accounts for use by these events. Then, 
we hand these credentials over to the event organizer, and the attendees log 
into our normal secure college wireless SSID with WPA2-Enterprise. Our 
FreeRADIUS server detects the user’s OU/group as being a guest account, and 
sets the internet-only guest VLAN dynamically.

Same functionality, better security, easier to process, and now we’re in a 
position to hand off these requests to our IAM team instead of processing them 
in our wireless or network groups.

We are also in the process of switching to Packetfence for managing our guest 
wireless SSID, which should alleviate some of the demand for these custom 
accounts since we’ll be able to lift some of our guest network restrictions.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Helzerman 
<jarh...@umich.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, September 27, 2017 at 4:58 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We have a guest ssid with a click to accept use agreement that works for most 
conferences we have.  On occasion we will need to create a unique PSK for a one 
time event but that is maybe once or twice a year and usually centered around 
technology and accessing specific resources either on campus or through ports 
we normally restrict on the guest network.

IMO a guest network that is well designed and implemented should be able to 
accommodate 95+% of the conferences or events.

-Jimmy

--
James He