Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-02 Thread Norton, Thomas (Network Operations)
Super weird man, what do you get when you do a “show ap client trail-info” for 
that device?

Any blacklist thresholds enabled?

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 9:06 PM, Hurt, Trenton W. wrote:


- What model APs are you running?
515, 535
- Are you running standard data rates and default profiles for the most part?
12 meg and up, and for the most part defaults are what I’m running; any changes have come from the 802.11ac roaming guide or via TAC cases.

- If running 802.11ax/Wi-Fi 6 enabled access points, make a new HE profile, disable “High Efficiency Enable” in the HE profile, and possibly apply it on a dedicated SSID for testing.

802.11ax is disabled

- Also, is WIDS enabled in your environment?
No dedicated WIPS/WIDS.


Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Norton, Thomas (Network Operations)
Sent: Tuesday, February 2, 2021 8:51:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260



Hey Trent,

Couple quick things:

- What model APs are you running?
- Are you running standard data rates and default profiles for the most part?
- If running 802.11ax/Wi-Fi 6 enabled access points, make a new HE profile, disable “High Efficiency Enable” in the HE profile, and possibly apply it on a dedicated SSID for testing.
- Also, is WIDS enabled in your environment?




T.J. Norton

Wireless Network Architect
Network Operations

Office: (434) 592-6552




Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 8:33 PM, Hurt, Trenton W. wrote:






So I’ve updated/downgraded drivers and still can’t get this card to keep a connection on the Aruba WLAN. I had disabled HT and VHT on the card and it at least was able to keep a stable connection. That was on 8.6.0.5 code. I upgraded to 8.6.0.7 and now the user can’t connect to any SSID on the Aruba infrastructure with those disabled or enabled, and regardless of driver. I’m meeting in person Thursday to get some pcaps, but was wondering if any Aruba folks may have already seen this and/or have a possible fix to try?

Trent Hurt

University of Louisville


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community




RE: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-02 Thread Cody Ensanian
+1 check for blacklisted client…  “show ap blacklist-clients | include xx:xx:xx”

Cody
University of Colorado Colorado Springs


From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Norton, Thomas (Network Operations)
Sent: Tuesday, February 2, 2021 7:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

Super weird man, what do you get when you do a “show ap client trail-info” for 
that device?

Any blacklist thresholds enabled?

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971


On Feb 2, 2021, at 9:06 PM, Hurt, Trenton W. <trent.h...@louisville.edu> wrote:

- What model APs are you running?
515, 535
- Are you running standard data rates and default profiles for the most part?
12 meg and up, and for the most part defaults are what I’m running; any changes have come from the 802.11ac roaming guide or via TAC cases.

- If running 802.11ax/Wi-Fi 6 enabled access points, make a new HE profile, disable “High Efficiency Enable” in the HE profile, and possibly apply it on a dedicated SSID for testing.

802.11ax is disabled

- Also, is WIDS enabled in your environment?
No dedicated WIPS/WIDS.


Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Norton, Thomas (Network Operations) <tnort...@liberty.edu>
Sent: Tuesday, February 2, 2021 8:51:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260


Hey Trent,

Couple quick things:

- What model APs are you running?
- Are you running standard data rates and default profiles for the most part?
- If running 802.11ax/Wi-Fi 6 enabled access points, make a new HE profile, disable “High Efficiency Enable” in the HE profile, and possibly apply it on a dedicated SSID for testing.
- Also, is WIDS enabled in your environment?



T.J. Norton

Wireless Network Architect
Network Operations

Office: (434) 592-6552




Liberty University  |  Training Champions for Christ since 1971


On Feb 2, 2021, at 8:33 PM, Hurt, Trenton W. <trent.h...@louisville.edu> wrote:





So I’ve updated/downgraded drivers and still can’t get this card to keep a connection on the Aruba WLAN. I had disabled HT and VHT on the card and it at least was able to keep a stable connection. That was on 8.6.0.5 code. I upgraded to 8.6.0.7 and now the user can’t connect to any SSID on the Aruba infrastructure with those disabled or enabled, and regardless of driver. I’m meeting in person Thursday to get some pcaps, but was wondering if any Aruba folks may have already seen this and/or have a possible fix to try?

Trent Hurt

University of Louisville





Re: [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-02 Thread Hurt,Trenton W.
- What model APs are you running?
515, 535
- Are you running standard data rates and default profiles for the most part?
12 meg and up, and for the most part defaults are what I’m running; any changes have come from the 802.11ac roaming guide or via TAC cases.

- If running 802.11ax/Wi-Fi 6 enabled access points, make a new HE profile, disable “High Efficiency Enable” in the HE profile, and possibly apply it on a dedicated SSID for testing.

802.11ax is disabled

- Also, is WIDS enabled in your environment?
No dedicated WIPS/WIDS.


Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Norton, Thomas (Network Operations)
Sent: Tuesday, February 2, 2021 8:51:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260



Hey Trent,

Couple quick things:

- What model APs are you running?
- Are you running standard data rates and default profiles for the most part?
- If running 802.11ax/Wi-Fi 6 enabled access points, make a new HE profile, disable “High Efficiency Enable” in the HE profile, and possibly apply it on a dedicated SSID for testing.
- Also, is WIDS enabled in your environment?




T.J. Norton

Wireless Network Architect
Network Operations

Office: (434) 592-6552




Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 8:33 PM, Hurt, Trenton W. wrote:






So I’ve updated/downgraded drivers and still can’t get this card to keep a connection on the Aruba WLAN. I had disabled HT and VHT on the card and it at least was able to keep a stable connection. That was on 8.6.0.5 code. I upgraded to 8.6.0.7 and now the user can’t connect to any SSID on the Aruba infrastructure with those disabled or enabled, and regardless of driver. I’m meeting in person Thursday to get some pcaps, but was wondering if any Aruba folks may have already seen this and/or have a possible fix to try?

Trent Hurt

University of Louisville






Re: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-02-02 Thread Curtis, Bruce


> On Feb 1, 2021, at 7:26 PM, William Green wrote:
> 
> I don't believe the network is the appropriate place for security to be 
> applied, but witnessing the carnage... I believe there is a careful 
> cost/benefit role. 
> 
> By n=1, I was clumsily referring to Terry Gray's Perimeter Protection 
> Paradox-- wanting to get to a perimeter of 1 (or very few failing that).   
> From a client's perspective, it is more likely to be compromised stepping 
> onto a large campus than staying at home.

OK, I see. Yes, I have seen articles and vendor claims about “segment of one”, especially for identity-based segmentation.

> I haven't convinced myself, but think seriously about the following to help 
> clients.  Setting aside the science DMZ exception case... First, if only 
> doing stateful inspection, there are not the combinatorials that occur with  
> firewall rule sets.  In the case of most end user devices, simple stateful 
> inspection without additional restriction is probably 90% or more of any 
> network isolation/security benefit.  

Stateful inspection has its own problems like the risk of exceeding the max 
amount of state from DDoS attacks.  We saw lots of problems with that in the 
devices our state network put between them and us.  But the problems did reduce 
after they replaced the boxes with models with more state and fixed some bad 
config mistakes like having the box deny new sessions when the state was way 
less than the max and having sessions for some protocols time out in 30 minutes 
rather than 30 seconds etc.

> Stateful inspection won't likely be coming to access layer switches real soon,

If the feature you are looking for is to allow outbound-initiated sessions from devices and block sessions trying to connect to the device, closet switches can do that today in a stateless way, but only for TCP. Just set the filters on the switches to allow packets with SYN/ACK to the devices but block packets to the devices that have only the SYN flag. We have done this on a temporary basis on our router that connects to the state network when there were severe security bugs on a TCP port on devices. That way, if a connection to a web site happened to use the same source port as the blocked port, it would still work, and it avoids the problem with stateful devices.


> but perhaps in a decade.  Second, on our campus most traffic is north/south 
> now (very little east/west).  Where the north keeps going off to the cloud.  
> At our border, we deploy devices doing full-cone (but could perform stateful 
> at the same rate) where Moore's Law has advanced things quite a bit.  Latency 
> through them is under a millisecond at our scale (not perceptible in the 
> general case, and given most is going north to the cloud not really 
> detectable).  Third, if one were to trust no devices (about where I am), then 
> why not tunnel all packets from their origination through such a device.  Not 
> to protect servers or enforce policies, but to protect the clients.  Hardware 
> tunneling capabilities are showing up on access switches, and in the next 
> turn of the silicon likely at more reasonable prices.  The same is needed for 
> wireless (since that's where most devices are).  Sending all traffic northward 
> for inspection is susceptible to east/west performance issues and increasing 
> failure domains.  But if almost everything is already going north that 
> failure domain is already being exercised.
> 

Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.cur...@ndsu.edu




Re: [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-02 Thread Norton, Thomas (Network Operations)
Hey Trent,

Couple quick things:

- What model APs are you running?
- Are you running standard data rates and default profiles for the most part?
- If running 802.11ax/Wi-Fi 6 enabled access points, make a new HE profile, disable “High Efficiency Enable” in the HE profile, and possibly apply it on a dedicated SSID for testing.
- Also, is WIDS enabled in your environment?



T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 8:33 PM, Hurt, Trenton W. wrote:






So I’ve updated/downgraded drivers and still can’t get this card to keep a connection on the Aruba WLAN. I had disabled HT and VHT on the card and it at least was able to keep a stable connection. That was on 8.6.0.5 code. I upgraded to 8.6.0.7 and now the user can’t connect to any SSID on the Aruba infrastructure with those disabled or enabled, and regardless of driver. I’m meeting in person Thursday to get some pcaps, but was wondering if any Aruba folks may have already seen this and/or have a possible fix to try?

Trent Hurt

University of Louisville





Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-02 Thread Hurt,Trenton W.
So I’ve updated/downgraded drivers and still can’t get this card to keep a connection on the Aruba WLAN. I had disabled HT and VHT on the card and it at least was able to keep a stable connection. That was on 8.6.0.5 code. I upgraded to 8.6.0.7 and now the user can’t connect to any SSID on the Aruba infrastructure with those disabled or enabled, and regardless of driver. I’m meeting in person Thursday to get some pcaps, but was wondering if any Aruba folks may have already seen this and/or have a possible fix to try?

Trent Hurt

University of Louisville




RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hurt,Trenton W.
FYI

Tim, you are correct that the changes are in the Android update from December, and these additional pieces are SecureW2 specific. This is what support told me:

The change that was done by Android in December is that any manual connection attempt would not work with this config in place. Our SecureW2 application in the Play Store wasn't updated since then, but now the application needs to be updated, and when the app is updated it needs to make sure Android 11 can be configured with the specified parameters.


From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Hurt, Trenton W.
Sent: Monday, February 1, 2021 6:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

LOL, if it's working now on those Android 11 devices as is, then I guess it is. And if it's not, well, then Feb 15th I guess will be fun.

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, February 1, 2021 6:06:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt, Trenton W. <trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can't comment specifically on my setup or environment, but if I have Android 11 Pixel 4 and other devices that have the December update already, and “do not validate” is not an option for those devices, but they can use our onboard EAP-TLS workflow and the devices auth via that method: do you think that my setup (regardless of whether it's the most secure way or whatever) will still work after this Feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Trenton Hurt <trenth...@gmail.com>
Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


Android 11 (Pixel 4 and other Google handsets) has been doing the “do not validate” change since early December, and for us it meant EAP-PEAP unmanaged over the air (yes, I know, Tim, this is not a secure method, but that is just how it is, or was anyway). Now those users don't have the EAP-PEAP option and we have been moving them to our EAP-TLS onboarding, and this has been working for those Android 11 users. I just wasn't sure if these were additional security measures that I needed to look out for, or make some changes to my onboard profile stuff for, to make sure these Android 11 devices still work after February 15.

On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella <j...@cadinc.com> wrote:

I may disagree with some of the other feedback here... I think this is a big deal.

It sounds like Google will be enforcing proper server validation for 802.1X-secured networks, based on what Trent sent originally. I believe Apple already has been enforcing this for a bit.

If my guess is correct (I'll try to find a link) then what it means is: after this update, you can't tell the endpoint to ignore or bypass the server certificate for 802.1X (any EAP method).

The impact of this is...

  *   If your organization has any endpoints that have been configured to use a secured network but are ignoring the server's certificate, then that will STOP working suddenly at the update.
  *   This setting (ignore/don't validate server cert) is not ideal, but it's prevalent, especially for things like BYOD or HED device onboarding, testing, etc. It should be fixed but this is one of
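A way to find the profiles Jennifer is warning about before the platform enforcement does it for you, as an added example (not code from the thread, from SecureW2 or from Google): an audit that walks 802.1X network profiles and flags any EAP network with no CA anchor or no server name match, which is the file-level equivalent of the "Do not validate" setting. It assumes profiles in wpa_supplicant's `network={...}` syntax (an assumption made so the check has something concrete to parse; Android does not expose its settings this way), and the two profiles embedded in it are constructed: the weak one, then the corrected one with `ca_cert` and `domain_match` set.

```python
"""Audit 802.1X supplicant profiles for the "do not validate" anti-pattern.

Added example, not from the list thread. Jennifer Minella's point is that
endpoints configured to use an 802.1X network while ignoring the RADIUS
server's certificate stop working once the platform enforces validation,
and that such profiles should be fixed rather than relied on. This audit
assumes profiles written in wpa_supplicant's network={...} syntax (an
assumption made for the example; Android's own settings are not stored
this way) and flags EAP networks with no CA anchor or no server name
match. Both profiles below are constructed: the weak one, then the fix.
"""
import re
from typing import Dict, List

EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192", "IEEE8021X"}
# wpa_supplicant options that pin which server certificate is acceptable
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

WEAK_PROFILE = """
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    # no ca_cert and no domain match: equivalent to "Do not validate"
}
"""

FIXED_PROFILE = """
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
}
"""


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Return one key/value dict per network={...} block; quotes and comments stripped."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        cfg: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                cfg[key.strip()] = value.strip().strip('"')
        networks.append(cfg)
    return networks


def audit_network(cfg: Dict[str, str]) -> List[str]:
    """Findings for one network block; an empty list means nothing to fix."""
    key_mgmt = set(cfg.get("key_mgmt", "NONE").upper().split())
    if not key_mgmt & EAP_KEY_MGMT:
        return []  # PSK/open networks have no server certificate to validate
    findings = []
    if not (cfg.get("ca_cert") or cfg.get("ca_path")):
        findings.append("no CA anchor (ca_cert/ca_path): server certificate is not validated")
    if not any(cfg.get(k) for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any certificate from the trusted CA is accepted")
    return findings


def audit_profiles(text: str) -> Dict[str, List[str]]:
    """Map each SSID in the profile text to its list of findings."""
    return {cfg.get("ssid", "<no ssid>"): audit_network(cfg) for cfg in parse_networks(text)}


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("fixed", FIXED_PROFILE)):
        for ssid, findings in audit_profiles(profile).items():
            print(f"[{label}] {ssid}: {findings or 'OK'}")
```

The second finding matters even where a CA is configured: trusting a public CA without a `domain_match` means any certificate that CA has issued would be accepted as the RADIUS server, so the corrected profile pins both the anchor and the server name.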

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Jonathan Waldrep
I'd be down for a QR code that onboards clients. Just put up a warning saying, "hey, this is a camera-readable password" before clicking to reveal it.

I don't particularly care about a 100x zoom if my back is to a wall. Walk-in support could easily set up a kiosk that makes it a non-issue. For walk-in support, an NFC pad would also work really well.

Of course, this only works on devices that you can easily use the camera or NFC on, but those also tend to be the more difficult devices to onboard.

On 2021-02-02 18:55:59+, Tim Cappalli wrote:
> Yeah, I think you're asking for a profile-like configuration mechanism on 
> Android which is different than invocation of provisioning. I agree and hope 
> there will be some traction in this area in the future.
> 
> For the time being though, you could still have a generic QR code that takes 
> users to a landing page where you can use UA detection to invoke the correct 
> flow, be it a profile download or just instructions.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Hunter Fuller <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:53
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
> 
> That's fair, and it's why I included the bit about requiring existing 
> connectivity. I think in my mind, if there was a certificate involved, it 
> would be downloaded from the Internet once the QR code was scanned. This is 
> similar to what you can do with .mobileconfig files on iOS. You do have to 
> find a way to get the .mobileconfig file into Safari on the device, but once 
> you do that, the configuration process is quite streamlined. An Android 
> equivalent would be amazing.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> I can scan a QR code with embedded credentials over your shoulder
> 
> (I think the newest Galaxy has 100x zoom?)
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:45
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
> 
> I don't follow how sending someone configuration via a QR code on our 
> website, would have a different trust profile from showing instructions on 
> that same website, or sending them to eduroam CAT from that website.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> While UX is great with QR codes, security and trust is challenging.
> 
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
> Connect but those have other security layers baked on top.
> 
> 
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:41
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
> 
> I wish there was a QR schema. Even if it only worked on devices with another 
> connection available (LTE, etc.) to download the config. Sigh.
> 
> The closest we have right now is scanning a QR code leading to a 
> .mobileconfig file on iOS.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
> 

RE: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2021-02-02 Thread Johnson, Christopher
Hi Max,

I apologize, as I realized I hadn’t responded back to you. The bug is NOT fixed in 8.5.0.11. AOS-207552 was the bug ID that I saw in the release notes that we had hoped would have also resolved our issue, even though the identified scenario was related to “rap-gre-mtu”.


TAC opened an engineering ticket yesterday for my issue.

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter
From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Turpin, Max
Sent: Saturday, January 16, 2021 5:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

I am running into this MTU issue right now. But we also do not have CPSec enabled and are going to be enabling it. The MTU should be 1200 with CPSec enabled. Are you saying this bug is fixed in 8.5.0.11?

Many thanks.


On Jan 15, 2021, at 6:16 PM, Johnson, Christopher wrote:

Thanks to everyone that responded! My coworkers and I were greatly impressed and surprised by the amount of feedback and information we got from each experience!

We performed an upgrade to 8.5.0.11 successfully without any issues except for one AP-225 (I think the AP is just bad), which is really good compared to past situations.

  *   We are still seeing an “MTU issue” where the AP seems to be ignoring its SAP MTU of 1200 and defaulting to 1500 upon reboot, which affects Campus APs behind a hardware Cisco ASA. The 8.5.0.11 release notes had a fix related to this (or so I thought); working with TAC on that.
  *   I’ll start another post related to Campus APs and VPNs; I want to pick some brains on that. It isn’t related to typical “MTU issues” - 

Besides that, things are going pretty well. Still working on an issue with AirGroup servers not being purged when they age out of the user-table.

Again thank you for everyone’s experiences! Greatly appreciated!
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter
From: Johnson, Christopher
Sent: Thursday, December 17, 2020 2:50 PM
To: The EDUCAUSE Wireless Issues Community Group Listserv
Subject: ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

We’re considering doing some pre-emptive maintenance before winter break ends to resolve a couple of issues, and I was curious if anyone is running ArubaOS 8.5.0.11 or 8.6.0.6 (200/220 and 270 Series APs) and what their experiences have been.
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter




Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Yeah, I think you're asking for a profile-like configuration mechanism on 
Android which is different than invocation of provisioning. I agree and hope 
there will be some traction in this area in the future.

For the time being though, you could still have a generic QR code that takes 
users to a landing page where you can use UA detection to invoke the correct 
flow, be it a profile download or just instructions.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:53
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 
15th 2021

That's fair, and it's why I included the bit about requiring existing 
connectivity. I think in my mind, if there was a certificate involved, it would 
be downloaded from the Internet once the QR code was scanned. This is similar 
to what you can do with .mobileconfig files on iOS. You do have to find a way 
to get the .mobileconfig file into Safari on the device, but once you do that, 
the configuration process is quite streamlined. An Android equivalent would be 
amazing.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
I can scan a QR code with embedded credentials over your shoulder

(I think the newest Galaxy has 100x zoom?)



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I don't follow how sending someone configuration via a QR code on our website, 
would have a different trust profile from showing instructions on that same 
website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
While UX is great with QR codes, security and trust is challenging.

You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
Connect but those have other security layers baked on top.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
changes Feb 15th 2021

I wish there was a QR schema. Even if it only worked on devices with another 
connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a .mobileconfig 
file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden 
<mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 13:16
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming 

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
That's fair, and it's why I included the bit about requiring existing
connectivity. I think in my mind, if there was a certificate involved, it
would be downloaded from the Internet once the QR code was scanned. This is
similar to what you can do with .mobileconfig files on iOS. You do have to
find a way to get the .mobileconfig file into Safari on the device, but
once you do that, the configuration process is quite streamlined. An
Android equivalent would be amazing.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> I can scan a QR code with embedded credentials over your shoulder
>
> (I think the newest Galaxy has 100x zoom?)
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:45
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External]
> Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> I don't follow how sending someone configuration via a QR code on our
> website, would have a different trust profile from showing instructions on
> that same website, or sending them to eduroam CAT from that website.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> While UX is great with QR codes, security and trust is challenging.
>
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi
> Easy Connect but those have other security layers baked on top.
>
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:41
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11
> upcoming changes Feb 15th 2021
>
> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
>1. Download the CA cert from the ClearPass Guest Captive Portal Page
>2. Go to Settings
>3. Network & Internet
>4. Wi-Fi
>5. Wi-Fi preferences
>6. Advanced
>7. Install Certificate
>8. Choose the Certificate downloaded in the first step
>9. Name the Certificate
>10. Connect to the Secure SSID
>   1. Change the Certificate from System Certs to the Certificate name
>   entered in the previous step
>   2. Domain to 
>   3. Identity as the username
>   4. Password as the user’s password
>   5. Connect
>11. Confirm 

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
I can scan a QR code with embedded credentials over your shoulder

(I think the newest Galaxy has 100x zoom?)



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I don't follow how sending someone configuration via a QR code on our website, 
would have a different trust profile from showing instructions on that same 
website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
While UX is great with QR codes, security and trust is challenging.

You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
Connect but those have other security layers baked on top.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
changes Feb 15th 2021

I wish there was a QR schema. Even if it only worked on devices with another 
connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a .mobileconfig 
file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden 
<mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 13:16
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
 *   Change the Certificate from System Certs to the Certificate name 
entered in the previous step
 *   Domain to 
 *   Identity as the username
 *   Password as the user’s password
 *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
 *   You may have to forget and add network as the Modify Setting on the 
SSID does not appear to work properly as of January, 2021 Android Software 
release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 12:54
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
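The manual steps quoted above (install the CA cert, set the domain and identity) and Tim's point that the supplicant should be configured by a tool rather than by hand both come down to settings that can be checked mechanically. As an added example that is not code from the list, the Python below audits wpa_supplicant-style network blocks (the supplicant underneath Android's Wi-Fi settings; the block syntax is used here as a portable representation, an assumption) for the CA-certificate and server-domain settings that Android 11 no longer lets users skip; the config text is constructed.

```python
"""Audit WPA2-Enterprise supplicant network blocks for the settings Android 11
now requires (CA certificate + server domain) instead of "Don't validate".

Added example, not from the list thread. wpa_supplicant block syntax is used
as a portable representation of the settings; SAMPLE_CONFIG is constructed.
"""
from __future__ import annotations

import re

# Constructed sample: the first block is what a user ends up with after picking
# "Don't validate"; the second follows the thread's instructions (CA cert,
# domain, identity) and also sets an anonymous outer identity.
SAMPLE_CONFIG = """
network={
    ssid="CampusSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CampusSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/sdcard/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
    identity="jdoe"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)=("?)(.*?)\2\s*$')


def parse_networks(text: str) -> list[dict[str, str]]:
    """Return one key/value dict per network={...} block."""
    nets = []
    for m in BLOCK_RE.finditer(text):
        net = {}
        for line in m.group(1).splitlines():
            kv = KV_RE.match(line)
            if kv:
                net[kv.group(1)] = kv.group(3)
        nets.append(net)
    return nets


def audit_network(net: dict[str, str]) -> list[str]:
    """Findings for an EAP network; an empty list means it passes."""
    findings = []
    if "EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK/open networks are out of scope here
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no CA certificate: the RADIUS server cannot be verified "
                        "(the 'Don't validate' state Android 11 removed)")
    if not (net.get("domain_suffix_match") or net.get("domain_match")):
        findings.append("no server domain match: any certificate issued by the "
                        "trusted CA would be accepted")
    if not net.get("identity"):
        findings.append("no identity set")
    if net.get("eap") in ("PEAP", "TTLS") and not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: the username is sent in the "
                        "clear in the outer EAP identity")
    return findings


def audit_config(text: str) -> list[tuple[str, list[str]]]:
    """(ssid, findings) for every network block in the config text."""
    return [(n.get("ssid", "?"), audit_network(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG):
        print(("FAIL " if findings else "OK   ") + ssid)
        for f in findings:
            print("  -", f)
```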

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Travis Schick
this is my favorite QR code

use it as my profile pic :)

I and our help desk love the CAT tool

On Tue, Feb 2, 2021 at 10:41 AM Hunter Fuller <
0211f6bc0913-dmarc-requ...@listserv.educause.edu> wrote:

> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
>> Well, again, you should be properly configuring the supplicant
>> regardless, so the instructions would apply to any version of Android
>>
>> RE: QR, no, enterprise authentication is not supported. A supplicant
>> configuration tool should always be used. The supplicant was not designed
>> to be manually configured by end users (on any OS).
>>
>>
>> --
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
>> mhol...@datanetworksolutions.com>
>> *Sent:* Tuesday, February 2, 2021 13:16
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>>
>> We've seen much the same.
>> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
>> option, but the Pixel3XL did not.
>>
>> We added the CA cert to a subpage on the guest captive portal for ease of
>> access to the Wireless device, and provided some instructions for the
>> devices.
>> The workflow to manually add the Wireless Trust was a bit flaky too with
>> Modify Settings not really working.
>>
>> The instruction set that appeared to work as of the current (January
>> 2021) Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>>
>>
>>1. Download the CA cert from the ClearPass Guest Captive Portal Page
>>2. Go to Settings
>>3. Network & Internet
>>4. Wi-Fi
>>5. Wi-Fi preferences
>>6. Advanced
>>7. Install Certificate
>>8. Choose the Certificate downloaded in the first step
>>9. Name the Certificate
>>10. Connect to the Secure SSID
>>   1. Change the Certificate from System Certs to the Certificate
>>   name entered in the previous step
>>   2. Domain to 
>>   3. Identity as the username
>>   4. Password as the user’s password
>>   5. Connect
>>11. Confirm Wireless is connected to the WPA2-Enterprise SSID
>>   1. You may have to forget and add network as the Modify Setting on
>>   the SSID does not appear to work properly as of January, 2021 Android
>>   Software release
>>
>>
>>
>> There is a QR code that can be created for PSK networks, has anyone seen
>> if this is possible for WPA2/3-Enterprise?
>>
>>
>> --
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
>> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
>> *Sent:* Tuesday, February 2, 2021 12:54
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>>
>> Screenshot please.
>>
>>
>> --
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <
>> wa...@umich.edu>
>> *Sent:* Tuesday, February 2, 2021 12:46
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>>
>> Can someone explain something to me?
>>
>> I have a Pixel 3 that I did a factory reset on.  Next I did all the
>> updates needed and it is running Android 11.  The build number is
>> RQ1A.210205.004 which includes the latest security patch for the phone.
>>
>> When I go to configure a WPA2 Enterprise network I still have the "Don't
>> validate" option.
>>
>> What am I missing here?
>>
>> 
>> Walter Reynolds
>> Network Architect
>> Information and Technology Services
>> University of Michigan
>> (734) 615-9438
>>
>>
>> On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
>> wrote:
>>
>> LOL if it’s working now on those android 11 devices as is then I guess it
>> is.  And if it’s not well then Feb 15th I guess will be fun
>>
>> Trent Hurt
>>
>> University of Louisville
>>
>> --
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
>> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
>> *Sent:* Monday, February 

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
I don't follow how sending someone configuration via a QR code on our
website, would have a different trust profile from showing instructions on
that same website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> While UX is great with QR codes, security and trust is challenging.
>
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi
> Easy Connect but those have other security layers baked on top.
>
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:41
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11
> upcoming changes Feb 15th 2021
>
> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
>1. Download the CA cert from the ClearPass Guest Captive Portal Page
>2. Go to Settings
>3. Network & Internet
>4. Wi-Fi
>5. Wi-Fi preferences
>6. Advanced
>7. Install Certificate
>8. Choose the Certificate downloaded in the first step
>9. Name the Certificate
>10. Connect to the Secure SSID
>   1. Change the Certificate from System Certs to the Certificate name
>   entered in the previous step
>   2. Domain to 
>   3. Identity as the username
>   4. Password as the user’s password
>   5. Connect
>11. Confirm Wireless is connected to the WPA2-Enterprise SSID
>   1. You may have to forget and add network as the Modify Setting on
>   the SSID does not appear to work properly as of January, 2021 Android
>   Software release
>
>
>
> There is a QR code that can be created for PSK networks, has anyone seen
> if this is possible for WPA2/3-Enterprise?
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 12:54
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Screenshot please.
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <
> wa...@umich.edu>
> *Sent:* Tuesday, February 2, 2021 12:46
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Can someone explain something to me?
>
> I have a Pixel 3 that I did a factory reset on.  Next I did all the updates
> needed and it is running Android 11.  The build number is RQ1A.210205.004
> 

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
While UX is great with QR codes, security and trust is challenging.

You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
Connect but those have other security layers baked on top.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
changes Feb 15th 2021

I wish there was a QR schema. Even if it only worked on devices with another 
connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a .mobileconfig 
file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden 
<mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 13:16
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
 *   Change the Certificate from System Certs to the Certificate name 
entered in the previous step
 *   Domain to 
 *   Identity as the username
 *   Password as the user’s password
 *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
 *   You may have to forget and add network as the Modify Setting on the 
SSID does not appear to work properly as of January, 2021 Android Software 
release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 12:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Screenshot please.




From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <wa...@umich.edu>
Sent: Tuesday, February 2, 2021 12:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
<trent.h...@louisville.edu> wrote:
LOL if it’s working now on those android 11 devices as is then I guess it is.  
And if 
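Tim's two remarks in this message, that the Wi-Fi QR scheme does not support enterprise authentication and that a code with embedded credentials can be read over someone's shoulder, can both be seen in the payload itself. As an added example, not code from the list, the Python below builds and parses the ZXing-style `WIFI:` payload that phone cameras scan for PSK networks; the SSID and passphrase are constructed.

```python
"""Build and parse the "WIFI:" payload that Wi-Fi QR codes carry.

Added example, not from the list thread. The SSID and passphrase used
below are constructed. The scheme (as read by ZXing and the Android/iOS
camera apps) has fields only for the security type T, SSID S, passphrase P
and hidden flag H, so an EAP method, CA certificate or server domain cannot
be expressed, and whatever passphrase it carries is readable by anyone who
can image the code.
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside a field value.
_SPECIAL = '\\;,":'

_AUTH_TYPES = ("WPA", "WEP", "nopass")  # "WPA" covers WPA/WPA2-PSK


def _escape(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def build_wifi_payload(ssid: str, passphrase: str | None = None,
                       auth: str = "WPA", hidden: bool = False) -> str:
    """Return the WIFI: string for an open, WEP or WPA-PSK network.

    Anything enterprise (e.g. auth="WPA-EAP") is rejected: the scheme has
    no field to carry it, which is why the answer in the thread was "no".
    """
    if auth not in _AUTH_TYPES:
        raise ValueError(f"unsupported security type {auth!r}; the WIFI: "
                         "scheme carries no enterprise/EAP settings")
    if auth == "nopass" and passphrase:
        raise ValueError("an open network takes no passphrase")
    parts = [f"T:{auth}", f"S:{_escape(ssid)}"]
    if passphrase:
        parts.append(f"P:{_escape(passphrase)}")
    if hidden:
        parts.append("H:true")
    return "WIFI:" + ";".join(parts) + ";;"


def parse_wifi_payload(payload: str) -> dict[str, str]:
    """Split a WIFI: payload into its fields, honouring backslash escapes."""
    if not payload.startswith("WIFI:") or not payload.endswith(";;"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):-1]   # keep one ';' so every field ends with one
    fields: dict[str, str] = {}
    key, buf, i = None, [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped character, take literally
            buf.append(body[i + 1])
            i += 2
            continue
        if key is None and c == ":":          # end of the field name
            key = "".join(buf)
            buf = []
        elif c == ";":                        # end of the field value
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    return fields


def exposed_passphrase(payload: str) -> str | None:
    """The PSK any scanner recovers from the code, or None if there is none."""
    return parse_wifi_payload(payload).get("P")


if __name__ == "__main__":
    # Constructed sample; the ';' and ':' in the passphrase exercise escaping.
    code = build_wifi_payload("Campus Guest", "s;cret:pw")
    print(code)                      # WIFI:T:WPA;S:Campus Guest;P:s\;cret\:pw;;
    print(exposed_passphrase(code))  # s;cret:pw  (in the clear for any camera)
```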

Re: [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
I wish there was a QR schema. Even if it only worked on devices with
another connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a
.mobileconfig file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android.

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).




Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Michael Holden
We've seen much the same.
A Pixel 2XL and a Pixel 3XL, fully updated: the 2XL had the Don't Validate 
option, but the Pixel 3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access from the wireless device, and provided some instructions for the devices.
The workflow to manually add the wireless trust was a bit flaky too, with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL (not tested on Pixel 4/4a/5):


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
 *   Change the Certificate from System Certs to the Certificate name 
entered in the previous step
 *   Domain to 
 *   Identity as the username
 *   Password as the user’s password
 *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
 *   You may have to forget and add network as the Modify Setting on the 
SSID does not appear to work properly as of January, 2021 Android Software 
release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



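Worked example, added here as an editor's illustration and not code from this thread, from Google or from Aruba: the decision the supplicant makes about the server's identity once the chain check has run. This is exactly what the "Don't validate" option skipped and what the CA certificate plus Domain steps in the Android instructions above restore. The Domain field populates wpa_supplicant's domain_suffix_match, whose label-boundary semantics the code reproduces; domain_match is included for comparison, and the semicolon-separated list form follows wpa_supplicant's convention. The names ServerCert, Profile and accept_server are mine, the chain check itself is represented by a boolean rather than implemented, and every certificate name is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _labels(name: str) -> List[str]:
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def suffix_match(cert_name: str, suffix: str) -> bool:
    """domain_suffix_match semantics: the configured value must cover whole trailing
    labels of the certificate name. 'example.edu' matches 'radius1.example.edu' and
    'example.edu' itself, but not 'notexample.edu' or 'example.edu.attacker.net'."""
    if not suffix.strip():
        return False
    cert, want = _labels(cert_name), _labels(suffix)
    return len(want) <= len(cert) and cert[-len(want):] == want


def exact_match(cert_name: str, wanted: str) -> bool:
    """domain_match semantics: the whole name must be equal, case-insensitively."""
    return bool(wanted.strip()) and _labels(cert_name) == _labels(wanted)


@dataclass
class ServerCert:
    """What the supplicant sees in the RADIUS/EAP server certificate (constructed here).
    san_dns: dNSName SAN entries; subject_cn: fallback when there are none;
    chain_valid: outcome of the chain check against the profile's CA, which runs first."""
    san_dns: List[str]
    subject_cn: str
    chain_valid: bool


@dataclass
class Profile:
    """The supplicant settings behind the Android UI: CA certificate (or none), Domain
    (domain_suffix_match), plus domain_match for comparison. Semicolon-separated lists
    follow wpa_supplicant's convention."""
    ca_configured: bool
    domain_suffix_match: Optional[str] = None
    domain_match: Optional[str] = None


def _split(value: str) -> List[str]:
    return [v.strip() for v in value.split(";") if v.strip()]


def accept_server(profile: Profile, cert: ServerCert) -> Tuple[bool, str]:
    """(accept, reason) for the server identity, in the order the checks apply."""
    if not profile.ca_configured:
        # 'Don't validate': the inner password exchange runs with whoever answers.
        return True, "INSECURE: no CA configured, any server is accepted"
    if not cert.chain_valid:
        return False, "certificate chain does not validate against the configured CA"
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    if profile.domain_match:
        wanted = _split(profile.domain_match)
        if any(exact_match(n, w) for n in names for w in wanted):
            return True, "domain_match satisfied"
        return False, "no certificate name equals %s" % wanted
    if profile.domain_suffix_match:
        wanted = _split(profile.domain_suffix_match)
        if any(suffix_match(n, w) for n in names for w in wanted):
            return True, "domain_suffix_match satisfied"
        return False, "no certificate name ends with %s" % wanted
    # CA configured but no name constraint: every cert that CA ever issued passes,
    # which with a public CA means any server holding a cheap certificate.
    return True, "WEAK: CA only, every certificate from that CA is accepted"


if __name__ == "__main__":
    # Constructed sample data, not real certificates.
    good = ServerCert(["radius1.example.edu", "radius2.example.edu"], "radius1.example.edu", True)
    rogue_same_ca = ServerCert(["wifi.notexample.edu"], "wifi.notexample.edu", True)
    rogue_other_ca = ServerCert(["radius1.example.edu"], "radius1.example.edu", False)
    profiles = [("don't validate", Profile(ca_configured=False)),
                ("CA only", Profile(ca_configured=True)),
                ("CA + Domain", Profile(ca_configured=True, domain_suffix_match="example.edu"))]
    certs = [("good", good), ("rogue, same CA", rogue_same_ca), ("rogue, other CA", rogue_other_ca)]
    for plabel, profile in profiles:
        for clabel, cert in certs:
            ok, why = accept_server(profile, cert)
            print("%-15s %-16s -> %-6s %s" % (plabel, clabel, "accept" if ok else "reject", why))
```

Running it prints a three-by-three table. The row worth staring at is "CA only": a certificate for wifi.notexample.edu chained to the same CA is accepted, which is why trusting a public CA without filling in Domain is not a fix, and why the Domain step in the instructions is the one users are most likely to skip and most need.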

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Screenshot please.





Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Walter Reynolds
Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates
needed and it is running Android 11.  The build number is RQ1A.210205.004
which includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
wrote:

> LOL, if it’s working now on those Android 11 devices as is, then I guess it
> is.  And if it’s not, well, then Feb 15th I guess will be fun.
>
> Trent Hurt
>
> University of Louisville
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
> *Sent:* Monday, February 1, 2021 6:06:41 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
> *CAUTION:* This email originated from outside of our organization. Do not
> click links, open attachments, or respond unless you recognize the sender's
> email address and know the contents are safe.
> If the supplicant is properly configured, then yes.
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W. <
> trent.h...@louisville.edu>
> *Sent:* Monday, February 1, 2021 18:03
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Tim
>
> I know you can’t comment specifically on my setup or environment, but if I
> have Android 11 Pixel 4s and others that have the December update already,
> and Do Not Validate is not an option for those devices, but they can use
> our onboard EAP-TLS workflow and the devices auth via that method, do you
> think that my setup (regardless of whether it’s the most secure way or
> whatever) will still work after this Feb 15 date?
>
> Trent Hurt
>
> University of Louisville
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Trenton Hurt <
> trenth...@gmail.com>
> *Sent:* Monday, February 1, 2021 5:55:20 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
> Android 11 (Pixel 4s and other Google handsets) have been doing the do not
> validate since early Dec, and for us it meant EAP-PEAP, unmanaged, over the
> air (yes, I know, Tim, this is not a secure method, but that's just how it is, or
> was anyway).  Now those users don’t have the EAP-PEAP option and we have been
> moving them to our EAP-TLS onboarding, and this has been working for those
> Android 11 users.  I just wasn’t sure if these were additional security
> measures that I needed to look out for, or make some changes to my onboard
> profile stuff to make sure these Android 11 devices still work after February 15.
>
> On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella  wrote:
>
> I may disagree with some of the other feedback here…  I think this is a
> big deal.
>
>
>
> It sounds like Google will be enforcing proper server validation for
> 802.1X-secured networks, based on what Trent sent originally. I believe
> Apple already has been enforcing this for a bit.
>
>
>
> If my guess is correct (I’ll try to find a link) then what it means is –
> after this update, you can’t tell the endpoint to ignore or bypass the
> server certificate for 802.1X (any EAP method).
>
>
>
> The impact of this is…
>
>- If your organization has any endpoints that have been configured
>to use a secured network but are ignoring the server’s certificate, then
>that will STOP working suddenly at the update.
>- This setting (ignore/don’t validate server cert) is not ideal but
>it’s prevalent especially for things like BYOD or HED device onboarding,
>testing, etc. It should be fixed but this is one of those things that could
>have a huge widespread impact if the endpoints/networks aren’t configured
>properly now.
>- Typically proper settings for secured 1X networks are pushed through
>GPO, MDM, or an onboarding process through vendor tools (can be a
>server-based tool or a client-based config assist tool). If that wasn’t
>done then the endpoints may not have the server certificate installed and
>trusted, and if that’s the case they will just cease to work after the

RE: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-02-02 Thread Price, Jamie G
Take this for what it’s worth; use/copy/plagiarize it, or tell me how I could state 
things better. I'm really trying to explain why home networks are not Enterprise 
networks.

We have a home-like network with Meraki and their partner Splash for dorms. 
There’s more we want to do, but it’s a start.
We were also working on this angle for Mist, but other than a story over vodka, 
we went the Meraki direction. And it’s working pretty well, and we will go 
through iterations. The goal is flexibility across campuses, and not just dorms.

I agree with Lee, you can say no- with a kind explanation.



New Connectivity and Wi-Fi Flexibility in The CU Denver Dorms
Residents can now connect their Alexa & Their Game Console, too.

Wait, what? We have dorms, and they can connect devices like Alexa to the 
network?
CU Denver is in the Dorm Business. The Office of Information Technology (OIT) 
took over the wired network and Wi-Fi from an existing 3rd party provider. This 
meant replacing switches and wireless access points. The dorms now have the new 
Cisco Meraki Wi-Fi platform.

Why Can’t I Have My Alexa or other smart device?
If you live in the dorms, now you can. Nearly everybody has experienced the 
issue of “This Wi-Fi is an Enterprise Network - take your Alexa home” in one 
manner or another. The fundamental issue is how wireless security is 
implemented in home networks vs. Enterprise networks.

On a typical home wireless network, one router/modem operates, and a single 
master password is used by devices wanting to connect. It is also desired that 
these home devices can communicate with each other on this shared network. This 
home network method of password use (known as Pre-Shared Key, or “PSK”) is not 
scalable. Enterprise networks support hundreds and thousands of unique devices, 
and more robust security and authentication methods are required to 
specifically handle Enterprise needs.

·  For Enterprise networks, a device must be able to support a security 
method called WPA2-Enterprise in order to join

·  Most manufacturers’ home devices (such as Alexas, HomePods, or smart 
bulbs) only support PSK as a security method (and so cannot join Enterprise 
networks, which require WPA2-Enterprise).

·  Most computers and phones support both WPA2-Enterprise and PSK (allowing 
you to connect to both PSK networks or WPA2-Enterprise networks).


Again- Why Can Dorms have Alexa- but I can’t?

The Office of Information Technology (OIT) created a new Wi-Fi network called 
“ResNet” for the dorms, a new network that gives the look and feel of a home 
wireless network. We partnered with Cisco and a third-party middleware called 
“Splash” that assists with home functionality and onboarding of home devices 
onto this new wireless network. Residents can have their Alexa and their 
PlayStation, too. They will continue to have the ability to connect to the 
regular Enterprise-grade campus networks, as well as the new ResNet network 
made specifically to allow home-like use.
Can We Push ResNet Across the rest of the CU Denver/Anschutz Network?

It is the desire of OIT to make the network (Wi-Fi and cable) as flexible as 
possible. Our job is providing connectivity. The first step is to upgrade to 
the new Cisco Meraki Wi-Fi platform. This platform was chosen for its 
futuristic capabilities with third-party software designers. COVID has 
considerably slowed down the ability to engage funding. However, we continue to 
work to secure funding to increase flexibility and connectivity of the Wi-Fi 
networks. The dorms are a great first-step in the right direction.

Jamie Price
Wireless Network Engineer
Office of Information Technology
University of Colorado Denver | Anschutz Medical Campus



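Added example (mine, not from Jamie Price's write-up and not Meraki or Splash code) that shows in working code why "a single master password" is the problem the write-up describes. On a WPA2-PSK network every device derives the same PMK from the passphrase and SSID, and anyone who knows that passphrase can derive a client's unicast traffic key from a passively captured 4-way handshake, because everything else that goes into the key is sent in the clear. With 802.1X the PMK comes out of the per-session EAP exchange instead, so there is no shared secret to leak. The SSID, passphrase, MACs and nonces below are constructed and the function names are mine; derive_pmk("password", "IEEE") reproduces the IEEE 802.11i test vector, which is a handy sanity check.

```python
import hashlib
import hmac
import os
from typing import Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every device on the SSID derives exactly this value from the one shared passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def _prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> Tuple[bytes, bytes, bytes]:
    """4-way handshake key expansion for CCMP:
    PTK = PRF-384(PMK, "Pairwise key expansion",
                  min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))
    Returns (KCK, KEK, TK). The MACs and nonces all travel in the clear."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = _prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def tk_from_captured_handshake(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                               anonce: bytes, snonce: bytes) -> bytes:
    """What anyone who knows the shared passphrase can do with a passively captured
    4-way handshake: derive the TK that protects that client's unicast traffic."""
    return derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[2]


def demo() -> bool:
    """Two dorm devices (constructed MACs and nonces) on one PSK SSID, watched by a
    third party who also knows the passphrase. Returns True if the observer recovers
    both TKs and per-device passphrases would have given the devices distinct PMKs."""
    ssid, passphrase = "ResNet-Demo", "hall-3-wifi-2021"          # constructed values
    ap = bytes.fromhex("001122aabbcc")
    devices = {"alexa": bytes.fromhex("f0d2f1000001"), "phone": bytes.fromhex("3c2846000002")}
    recovered = {}
    for name, sta in devices.items():
        anonce, snonce = os.urandom(32), os.urandom(32)           # visible to any sniffer
        _, _, tk = derive_ptk(derive_pmk(passphrase, ssid), ap, sta, anonce, snonce)
        recovered[name] = tk_from_captured_handshake(passphrase, ssid, ap, sta, anonce, snonce) == tk
    # A distinct passphrase per device gives each device its own PMK, so one leaked
    # key no longer unlocks every neighbour's traffic.
    per_device = {n: derive_pmk(passphrase + "-" + n, ssid) for n in devices}
    print("shared PMK:", derive_pmk(passphrase, ssid).hex())
    for n in devices:
        print("%-6s per-device PMK %s...  TK recovered from shared PSK: %s"
              % (n, per_device[n].hex()[:16], recovered[n]))
    return all(recovered.values()) and len(set(per_device.values())) == len(devices)


if __name__ == "__main__":
    demo()
```

The per-device PMK lines at the end are the property the "home-like" onboarding products are chasing: the dorm still gets a PSK-style join for the Alexa, but a roommate's leaked key derives only the roommate's traffic keys.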

Re: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-02-02 Thread Lee H Badman
All I would say here is that networks are not obligated to accommodate every 
half-baked, livin-in-1988 device that comes along, either. You can say no to 
the worst offenders, and also work with device manufacturers on occasion to 
help them drag their stuff into this century rather than risk non-acceptance on 
campus.

Not to take anything away from David’s good points.

Lee Badman (mobile)

On Feb 2, 2021, at 11:17 AM, David Logan  wrote:


One more consideration for network design (especially L2, L3) and policy 
enforcement architecture, somewhat relevant in this "segment the network?  And 
how?" portion of this thread:  the __performance effects/consequences__ of 
consumer IoT tech operating in the Enterprise setting (what I call BYOT).

Here are a couple of examples:

All BYOT uses a combination of Bcast and Mcast for ease of installation, peer 
product discovery and display/print/communications sharing use cases.   Flatter 
networks with no Bcast/Mcast controls in place will propagate the protocols, 
which in turn will make mobile devices' WLAN radios "wake up" more frequently 
than in an actual in-home location, driving battery life down and causing 
weirdness for the apps that require these protocols on the BYOT and/or mobile 
device.   This argues for some level of network segmentation, likely beyond 
macrosegmentation and into microsegmentation.

VoIP architectures involving soft clients on BYOD/personal mobile devices and 
locally hosted media gateways both cause and suffer from performance / 
scalability problems when the underlying legacy network design forces 
undesirable network and application behaviors.  For example, when a mobile 
device calls another mobile device in the same "Enterprise" organization, and 
those devices are associated with a network that prevents East-West flows -- it 
will require the soft clients to use the (likely) DMZ hosted VoIP Media Gateway 
to stitch together the call flow acting as a proxy.   While these architectures 
seem to be waning in new deployments, they are still widely deployed, and are 
frequently sized to support limited inbound/outbound calling through the Media 
Gateway.  This, in turn, causes individual call quality issues and media 
gateway capacity issues as constant hairpinning occurs, mobile devices roam and 
need to rekey and potentially re-IP, etc.  This argues for consideration of 
L2/L3/DDI design as applied to BYOD, consideration of where East-West flows are 
required for expected application behaviors / capacity / cost, in turn 
requiring consideration for security policy and network-level enforcement.

-- David Logan
Aruba Networks, CTO office

On Mon, Feb 1, 2021 at 8:27 PM William Green <gr...@austin.utexas.edu> wrote:
I don't believe the network is the appropriate place for security to be 
applied, but witnessing the carnage... I believe there is a careful 
cost/benefit role.

By n=1, I was clumsily referring to Terry Gray's Perimeter Protection Paradox-- 
wanting to get to a perimeter of 1 (or very few failing that).   From a 
client's perspective, it is more likely to be compromised stepping onto a large 
campus than staying at home.

I haven't convinced myself, but think seriously about the following to help 
clients.  Setting aside the science DMZ exception case... First, if only doing 
stateful inspection, there are not the combinatorials that occur with  firewall 
rule sets.  In the case of most end user devices, simple stateful inspection 
without additional restriction is probably 90% or more of any network 
isolation/security benefit.  Stateful inspection won't likely be coming to 
access layer switches real soon, but perhaps in a decade.  Second, on our 
campus most traffic is north/south now (very little east/west).  Where the 
north keeps going off to the cloud.  At our border, we deploy devices doing 
full-cone (but could perform stateful at the same rate) where Moore's Law has 
advanced things quite a bit.  Latency through them is under a millisecond at 
our scale (not perceptible in the general case, and given most is going north 
to the cloud not really detectable).  Third, if one were to trust no devices 
(about where I am), then why not tunnel all packets from their origination 
through such a device.  Not to protect servers or enforce policies, but to 
protect the clients.  Hardware tunneling capabilities are showing up on access 
switches, and in the next turn of the silicon likely at more reasonable prices. 
 The same is needed for wireless (since that's where most devices are).  Sending 
all traffic northward for inspection is susceptible to east/west performance 
issues and increasing failure domains.  But if almost everything is already 
going north that failure domain is already being exercised.

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the 
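As an added example, not part of David Logan's post or anyone else's, of the broadcast/multicast discovery traffic he describes: a minimal mDNS/DNS-SD parser run over two constructed frames, a phone's PTR query for Chromecast and AirPlay services and a TV's PTR answer, plus a small function stating why each destination address reaches every client in a flat L2 domain. Source addresses, service instance names and the helper names are made up for the illustration; the wire format follows RFC 1035 and RFC 6762.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353      # RFC 6762
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900  # UPnP / SSDP
TYPE_NAMES = {1: "A", 12: "PTR", 16: "TXT", 28: "AAAA", 33: "SRV"}


def encode_name(name: str) -> bytes:
    """DNS wire form of a name: length-prefixed labels, terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following compression pointers (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name as it sits in the stream)."""
    labels: List[str] = []
    end = None
    hops = 0
    while True:
        length = pkt[off]
        if length >= 0xC0:                       # two-byte pointer into the packet
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_mdns(pkt: bytes) -> Dict:
    """Header, question and answer sections of an mDNS message (authority/additional ignored)."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype),
                          "unicast_response": bool(qclass & 0x8000)})   # QU bit, RFC 6762 5.4
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = decode_name(pkt, off)[0] if rtype == 12 else pkt[off:off + rdlen]
        off += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl,
                        "cache_flush": bool(rclass & 0x8000), "rdata": rdata})  # RFC 6762 10.2
    return {"response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def forwarding_scope(dst: str) -> str:
    """Why a flat VLAN delivers this traffic to every associated client."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast: flooded to every port in the L2 domain"
    if ip in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local multicast: flooded to the whole L2 domain, never routed"
    if ip in ipaddress.ip_network("239.0.0.0/8"):
        return "admin-scoped multicast: flooded in the L2 domain unless IGMP snooping constrains it"
    return "multicast" if ip.is_multicast else "unicast"


def build_query(services: List[Tuple[str, bool]]) -> bytes:
    """Constructed mDNS PTR query, one question per service; qu=True sets the QU bit."""
    pkt = struct.pack("!6H", 0, 0, len(services), 0, 0, 0)
    for svc, qu in services:
        pkt += encode_name(svc) + struct.pack("!HH", 12, 0x8001 if qu else 0x0001)
    return pkt


def build_response(service: str, instance: str, ttl: int = 4500) -> bytes:
    """Constructed mDNS response with one PTR answer. The rdata is the instance label
    followed by a compression pointer (0xC00C) back to the service name at offset 12."""
    pkt = struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + encode_name(service)
    rdata = bytes([len(instance)]) + instance.encode("ascii") + b"\xC0\x0C"
    return pkt + struct.pack("!HHIH", 12, 0x0001, ttl, len(rdata)) + rdata


if __name__ == "__main__":
    # Constructed traffic: a phone looking for a Chromecast and an AirPlay target,
    # and a TV answering. Addresses and names are made up.
    frames = [("10.20.1.57", MDNS_GROUP, build_query([("_googlecast._tcp.local", True),
                                                       ("_airplay._tcp.local", False)])),
              ("10.20.1.201", MDNS_GROUP, build_response("_googlecast._tcp.local", "Living-Room-TV"))]
    for src, dst, pkt in frames:
        print("%s -> %s  [%s]" % (src, dst, forwarding_scope(dst)))
        print("   ", parse_mdns(pkt))
```

Two things the output makes concrete. The 224.0.0.251 destination is link-local scope, so nothing routes it and, without snooping or an mDNS gateway, every radio on the VLAN receives the frame and has to decode it, which is the battery and "weirdness" effect Logan describes. And the QU bit on the first question is the only knob the client has to ask for a unicast answer; the responder's PTR reply above still goes to the group, because shared records must be seen by every cache on the link.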

Re: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-02-02 Thread David Logan
One more consideration for network design (especially L2, L3) and policy
enforcement architecture, somewhat relevant in this "segment the network?
And how?" portion of this thread:  the __performance effects/consequences__
of consumer IoT tech operating in the Enterprise setting (what I call
BYOT).

Here are a couple of examples:

All BYOT uses a combination of Bcast and Mcast for ease of installation,
peer product discovery and display/print/communications sharing use cases.
 Flatter networks with no Bcast/Mcast controls in place will propagate the
protocols, which in turn will make mobile devices' WLAN radios "wake up"
more frequently than in an actual in-home location, driving battery life
down and causing weirdness for the apps that require these protocols on the
BYOT and/or mobile device.   This argues for some level of network
segmentation, likely beyond macrosegmentation and into microsegmentation.

VoIP architectures involving soft clients on BYOD/personal mobile devices
and locally hosted media gateways both cause and suffer from performance /
scalability problems when the underlying legacy network design forces
undesirable network and application behaviors.  For example, when a mobile
device calls another mobile device in the same "Enterprise" organization,
and those devices are associated with a network that prevents East-West
flows -- it will require the soft clients to use the (likely) DMZ hosted
VoIP Media Gateway to stitch together the call flow acting as a proxy.
While these architectures seem to be waning in new deployments, they are
still widely deployed, and are frequently sized to support limited
inbound/outbound calling through the Media Gateway.  This, in turn, causes
individual call quality issues and media gateway capacity issues as
constant hairpinning occurs, mobile devices roam and need to rekey and
potentially re-IP, etc.  This argues for consideration of L2/L3/DDI design
as applied to BYOD, consideration of where East-West flows are required for
expected application behaviors / capacity / cost, in turn requiring
consideration for security policy and network-level enforcement.

-- David Logan
Aruba Networks, CTO office

On Mon, Feb 1, 2021 at 8:27 PM William Green 
wrote:

> I don't believe the network is the appropriate place for security to be
> applied, but witnessing the carnage... I believe there is a careful
> cost/benefit role.
>
> By n=1, I was clumsily referring to Terry Gray's Perimeter Protection
> Paradox-- wanting to get to a perimeter of 1 (or very few failing that).
>  From a client's perspective, it is more likely to be compromised stepping
> onto a large campus than staying at home.
>
> I haven't convinced myself, but think seriously about the following to
> help clients.  Setting aside the science DMZ exception case... First, if
> only doing stateful inspection, there are not the combinatorials that occur
> with  firewall rule sets.  In the case of most end user device, simple
> stateful inspection without additional restriction is probably 90% or more
> of any network isolation/security benefit.  Stateful inspection won't
> likely be coming to access layer switches real soon, but perhaps in a
> decade.  Second, on our campus most traffic is north/south now (very little
> east/west).  Where the north keeps going off to the cloud.  At our border,
> we deploy devices doing full-cone (but could perform stateful at the same
> rate) where Moore's Law has advanced things quite a bit.  Latency through
> them is under a millisecond at our scale (not perceptible in the general
> case, and given most is going north to the cloud not really detectable).
> Third, if one were to trust no devices (about where I am), then why not
> tunnel all packets from their origination through such a device.  Not to
> protect servers or enforce policies, but to protect the clients.  Hardware
> tunneling capabilities are showing up on access switches, and in the next
> turn of the silicon likely at more reasonable prices.  The same is needed
> for wireless (since that's where most devices are).  Sending all traffic
> northward for inspection is susceptible to east/west performance issues and
> increasing failure domains.  But if almost everything is already going
> north that failure domain is already being exercised.
>



Re: [External] Re: [WIRELESS-LAN] Aruba Clearpass Voucher System

2021-02-02 Thread Smith, Nayef
+1.  We've implemented a simple web portal that leverages the ClearPass Guest 
features stated below via APIs.

Nayef Z. Smith | Network Services | Voice: 404-727-6019


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Cody Ensanian 

Sent: Thursday, January 28, 2021 10:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [External] Re: [WIRELESS-LAN] Aruba Clearpass Voucher System


ClearPass has a Guest module (pretty powerful, you can do a lot with it). We 
use it for a few different things (our captive portal guest network, 
self-registering for a temp username/password for our secure network, specialty 
one-off accounts, etc)



You can manually create guest accounts and set their expiration to whatever 
you’d like, and assign the account the role you’d like (to define their 
access). It sounds like maybe this is what you're trying to achieve?

(If you didn’t want to go the ‘manual’ route if you expect a lot of these, you 
could build a registration page in the Guest module for these types of guests 
to register themselves, and build approval into your workflow – this way a 
sponsor has to OK the account and they can also set expiration dates)



-Cody

University of Colorado Colorado Springs

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Aaron D. DeVall
Sent: Thursday, January 28, 2021 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Clearpass Voucher System



Hey all –



Does anyone know if Aruba Clearpass uses a voucher system for long term guests? 
We used to use Cloudpath which had a voucher system, but have moved away from 
it. Looking for a solution for long-term guests.



Thanks!



Aaron DeVall

System Administrator

Information Technology








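The "web portal that drives ClearPass Guest via APIs" approach from this thread, as an added example that is not code from Aruba, from ClearPass, or from any of the posters. What it shows is the part the thread leaves implicit: a voucher is just a guest account with a strong random password, a role, and an absolute expiry, and the portal that mints it should cap the lifetime so a sponsor cannot accidentally create a near-permanent account. The OAuth2 token endpoint `/api/oauth` (client-credentials grant), the `/api/guest` endpoint, and the field names `username`, `password`, `role_id`, `enabled`, `sponsor_name` and `expire_time` (Unix epoch seconds) are my assumptions about the ClearPass REST API and should be checked against your version's API Explorer; the hostname, client credentials, role id and the 180-day cap are placeholders.

```python
"""Mint a time-limited ClearPass Guest account through the ClearPass REST API.

Added example for this thread; not code from Aruba, from ClearPass, or from any
poster. Assumed (verify in your ClearPass version's API Explorer): the OAuth2
token endpoint POST /api/oauth with grant_type=client_credentials, the
POST /api/guest endpoint, and the field names username, password, role_id,
enabled, sponsor_name and expire_time (Unix epoch seconds). Host, client
credentials, role id and the day cap below are placeholders.
"""
import json
import os
import secrets
import string
import time
import urllib.request

SECONDS_PER_DAY = 86400
MAX_GUEST_DAYS = 180          # assumed local policy cap for "long-term" guests
AMBIGUOUS = set("0O1lI")      # left out of vouchers that get read aloud or typed


def make_voucher_secret(length=12):
    """Voucher password from the OS CSPRNG (secrets), no look-alike characters."""
    alphabet = [c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_guest_payload(username, role_id, days, sponsor, now=None):
    """JSON body for POST /api/guest with an absolute expiry.

    `days` is clamped to MAX_GUEST_DAYS so a typo in the portal cannot mint a
    near-permanent account; `now` (epoch seconds) is injectable for testing.
    """
    if days <= 0:
        raise ValueError("guest duration must be a positive number of days")
    days = min(days, MAX_GUEST_DAYS)
    now = int(time.time()) if now is None else now
    return {
        "username": username,
        "password": make_voucher_secret(),
        "role_id": role_id,                       # placeholder guest role id
        "enabled": True,
        "sponsor_name": sponsor,
        "expire_time": now + days * SECONDS_PER_DAY,
        "notes": f"long-term guest voucher, {days} days, sponsor {sponsor}",
    }


def _post_json(url, body, token=None):
    """POST a JSON body and decode the JSON reply; bearer token is optional."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def get_token(base_url, client_id, client_secret):
    """OAuth2 client-credentials grant; assumed endpoint /api/oauth."""
    tok = _post_json(f"{base_url}/api/oauth", {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return tok["access_token"]


def create_guest(base_url, token, payload):
    """Create the account; assumed endpoint /api/guest."""
    return _post_json(f"{base_url}/api/guest", payload, token)


if __name__ == "__main__":
    # Placeholder host and credentials; nothing is sent unless CPPM_CLIENT_SECRET is set.
    base = os.environ.get("CPPM_URL", "https://clearpass.example.edu")
    payload = build_guest_payload("visitor-2021-0042", role_id=2, days=90,
                                  sponsor="sponsor@example.edu")
    print(json.dumps({k: v for k, v in payload.items() if k != "password"}, indent=2))
    secret = os.environ.get("CPPM_CLIENT_SECRET")
    if secret:
        token = get_token(base, os.environ.get("CPPM_CLIENT_ID", "guest-portal"), secret)
        print(create_guest(base, token, payload))
```

The sponsor-approval workflow Cody describes sits naturally in front of `build_guest_payload`: the portal collects the request, a sponsor approves it, and only then is the account minted with the expiry the sponsor chose. Keep the API client's ClearPass operator profile limited to guest-account creation so a compromised portal cannot touch other ClearPass configuration.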