Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.
Bruce -

I was thinking of your installation when I responded, as I was aware of your work with Aruba to optimize b'cast/m'cast and converting b'cast/m'cast to unicast at the AP. I got the 12 client tradeoff point from something I remember from an Aruba AirHeads conference a couple of years ago. Granted, my memory may be fading, but I remember one of their engineers stating that it is effective to do the conversion to unicast per client for up to ~12 clients, and after that, it's better to keep the packets m'cast. Sorry if I mis-spoke on the technology.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: Osborne, Bruce W bosbo...@liberty.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thu, 23 Feb 2012 17:14:06 +
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

Where did you get that 12 client number?? At Liberty University, we have successfully had 20 students per AP with 5Mbit streams. In a lab test situation, we had 30 clients all streaming on one AP-125 access point.

Multicast on 802.11 uses the lowest rate, which is 6Mbit for 5GHz networks. That is why Aruba developed their multicast technology. We have been using it since it was introduced.

Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: Brooks, Stan [mailto:stan.bro...@emory.edu]
Sent: Wednesday, February 22, 2012 12:49 PM
Subject: Re: You knew it was coming...Airplay/Apple TV support for instructors.

So it's not just about the bandwidth. B'cast/M'cast use the lowest configured data rate of the AP - just like wireless management frames. This means that even a 300Mbps 802.11n network is reduced to 24Mbps or less. That also ties up airtime that could be given to faster clients as well, since transmitting data at a lower data rate consumes more time than transmitting data at a higher data rate. So even if it is a low bit-rate stream, it takes away more available bandwidth from other clients.

Aruba has a method that takes b'cast/m'cast and converts it to higher speed unicast traffic to each client. This gives better results for up to about 12 clients on an AP/radio.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: Mike Goebel michael.goe...@wmich.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Wed, 22 Feb 2012 11:09:16 -0500
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

Has anyone actually tracked how much bandwidth/usage Bonjour coughs up across their WLAN infrastructure? I haven't analyzed it, and while it could be bandwidth hungry, it appears to me that it will be more with device to device. I'm playing devil's advocate here, but is a 6 meg stream on an N access point both ways really going to be crunching anyone? I'd be worried about G, yes, but N with a gig uplink? I do find it unnerving that all the Bonjour devices are able to find each other and potentially create a lot of traffic, but 99.9% of the time I don't see anyone working any access point very hard.

Mike Goebel
Network Programmer
Office of Information Technology
Western Michigan University
Phone: 269-387-0453
Email: michael.goe...@wmich.edu

On 2/22/2012 10:18 AM, Kellogg, Brian D. wrote:

We will need Bonjour in order to allow faculty members to mirror their iPads/WhateverAppleProductElse to an AppleTV in a classroom for presentations wirelessly. Presently we block all mcast and bcast on our WLAN due to the channel use overhead this incurs (anywhere from 10% to 20%). We'll be moving to Aruba this summer, where enabling bcast and mcast is not an all or nothing endeavor, I believe. I think Aruba is integrating some stuff into their controller code to help with this problem or already has it. Someone who knows more about Aruba can correct me if I'm wrong.

-Brian

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian David
Sent: Wednesday, February 22, 2012 10:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: You knew it was coming...Airplay/Apple TV support for instructors.

We are faced with the same issues here at BC... We are starting to block it for all students but have not for the Faculty. Could you give more details on what apps the faculty needed
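The rate argument in the exchange above (multicast pinned to the 6 Mbps basic rate versus N unicast copies at each client's own rate) can be put into numbers. What follows is an added example, not code from the thread, from Aruba or from any of the posters: a toy airtime model that costs one multicast frame at the basic rate against N acknowledged unicast copies at a higher per-client rate, and finds the client count at which conversion stops paying for itself. The payload size, the fixed per-frame overhead, the ACK cost and the 130 Mbps client rate are round-number assumptions; the model ignores A-MPDU aggregation, retries and contention from other stations, so it shows relative cost, not the capacity an AP-125 actually delivers. With these assumptions the crossover lands at 9 clients, in the same neighbourhood as the ~12 figure debated above, and moves with whatever overhead and rates you plug in.

```python
"""Airtime model: multicast at the lowest basic rate vs. multicast-to-unicast conversion.

Added example. The constants below are round-number assumptions, not measurements
from the thread or from Aruba. The model ignores A-MPDU aggregation, retries and
contention from other stations, so treat the output as relative cost, not capacity.
"""

PAYLOAD_BYTES = 1400          # assumed payload per frame of the video stream
FIXED_OVERHEAD_US = 100.0     # assumed per-frame cost: DIFS, backoff, preamble/PLCP, MAC header
ACK_US = 55.0                 # assumed SIFS + ACK at the basic rate; multicast is never ACKed


def frame_airtime_us(payload_bytes, rate_mbps, acked):
    """Channel time in microseconds for one frame of payload_bytes sent at rate_mbps.

    A rate in Mbps is numerically bits per microsecond, so bits / rate_mbps is the
    payload transmission time in microseconds.
    """
    if rate_mbps <= 0:
        raise ValueError("data rate must be positive")
    airtime = FIXED_OVERHEAD_US + (payload_bytes * 8) / rate_mbps
    if acked:
        airtime += ACK_US
    return airtime


def stream_airtime_fraction(stream_mbps, n_clients, mode,
                            basic_rate_mbps=6.0, client_rate_mbps=130.0):
    """Fraction of the radio's airtime that one stream_mbps stream consumes.

    mode == "multicast": each frame goes out once, at the lowest basic rate, unacknowledged.
    mode == "unicast":   each frame is copied once per client at the client's data rate
                         and acknowledged (what multicast-to-unicast conversion does).
    A result above 1.0 means the radio cannot carry the stream at all under this model.
    """
    frames_per_second = (stream_mbps * 1_000_000) / (PAYLOAD_BYTES * 8)
    if mode == "multicast":
        per_frame_us = frame_airtime_us(PAYLOAD_BYTES, basic_rate_mbps, acked=False)
    elif mode == "unicast":
        per_frame_us = n_clients * frame_airtime_us(PAYLOAD_BYTES, client_rate_mbps, acked=True)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return frames_per_second * per_frame_us / 1_000_000


def crossover_clients(stream_mbps, basic_rate_mbps=6.0, client_rate_mbps=130.0, max_clients=64):
    """Smallest client count at which N unicast copies cost more airtime than one multicast frame.

    Below this count, converting to unicast is the cheaper choice; at or above it,
    leaving the traffic as multicast is cheaper. Returns None if there is no
    crossover within max_clients.
    """
    for n in range(1, max_clients + 1):
        unicast = stream_airtime_fraction(stream_mbps, n, "unicast", basic_rate_mbps, client_rate_mbps)
        multicast = stream_airtime_fraction(stream_mbps, n, "multicast", basic_rate_mbps, client_rate_mbps)
        if unicast > multicast:
            return n
    return None


if __name__ == "__main__":
    stream = 5.0  # Mbps, the per-student stream size mentioned in the thread
    print(f"{stream} Mbps stream as multicast at the 6 Mbps basic rate: "
          f"{stream_airtime_fraction(stream, 1, 'multicast'):.1%} of airtime")
    for n in (1, 5, 10, 20):
        print(f"{n:>2} clients via unicast conversion at 130 Mbps: "
              f"{stream_airtime_fraction(stream, n, 'unicast'):.1%} of airtime")
    print("unicast copies cost more than multicast from", crossover_clients(stream), "clients")
```

The multicast figure is the striking one: under these assumptions a single 5 Mbps multicast stream at the 6 Mbps basic rate eats close to 90% of the radio's airtime, which is the "it's not just about the bandwidth" point. The crossover does not depend on the stream rate, only on the two data rates and the per-frame overheads, so the number to argue about is the overhead model, not the stream size.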
Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.
So it's not just about the bandwidth. B'cast/M'cast use the lowest configured data rate of the AP - just like wireless management frames. This means that even a 300Mbps 802.11n network is reduced to 24Mbps or less. That also ties up airtime that could be given to faster clients as well, since transmitting data at a lower data rate consumes more time than transmitting data at a higher data rate. So even if it is a low bit-rate stream, it takes away more available bandwidth from other clients.

Aruba has a method that takes b'cast/m'cast and converts it to higher speed unicast traffic to each client. This gives better results for up to about 12 clients on an AP/radio.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: Mike Goebel michael.goe...@wmich.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Wed, 22 Feb 2012 11:09:16 -0500
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

Has anyone actually tracked how much bandwidth/usage Bonjour coughs up across their WLAN infrastructure? I haven't analyzed it, and while it could be bandwidth hungry, it appears to me that it will be more with device to device. I'm playing devil's advocate here, but is a 6 meg stream on an N access point both ways really going to be crunching anyone? I'd be worried about G, yes, but N with a gig uplink? I do find it unnerving that all the Bonjour devices are able to find each other and potentially create a lot of traffic, but 99.9% of the time I don't see anyone working any access point very hard.

Mike Goebel
Network Programmer
Office of Information Technology
Western Michigan University
Phone: 269-387-0453
Email: michael.goe...@wmich.edu

On 2/22/2012 10:18 AM, Kellogg, Brian D. wrote:

We will need Bonjour in order to allow faculty members to mirror their iPads/WhateverAppleProductElse to an AppleTV in a classroom for presentations wirelessly. Presently we block all mcast and bcast on our WLAN due to the channel use overhead this incurs (anywhere from 10% to 20%). We'll be moving to Aruba this summer, where enabling bcast and mcast is not an all or nothing endeavor, I believe. I think Aruba is integrating some stuff into their controller code to help with this problem or already has it. Someone who knows more about Aruba can correct me if I'm wrong.

-Brian

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian David
Sent: Wednesday, February 22, 2012 10:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: You knew it was coming...Airplay/Apple TV support for instructors.

We are faced with the same issues here at BC... We are starting to block it for all students but have not for the Faculty. Could you give more details on what apps the faculty needed Bonjour for?

-Brian

Brian J David
Network Systems Engineer
Boston College

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Wednesday, February 22, 2012 9:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

Agreed. We are blocking Bonjour between buildings, but not within. I wanted to block within, but there are apps out there that the faculty want to use that require it. That was the compromise I settled on... looking forward to 802.11ac now. I thought my days of dealing with AppleTalk, IPX and NetBEUI were done.

-Brian

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian D.
Sent: Tuesday, February 21, 2012 5:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

Had an Apple rep in recently and he stated Apple (Bonjour) has come a long way since AppleTalk on their network protocols. I wanted to believe him, and then I tried to use it on our campus. LAN only protocol that relies on mDNS registration to bridge networks, assuming all your end devices support it of course. Reminds me of LAN/SOHO only protocols I worked with a decade ago. Why not allow the device being mirrored to specify the device you want to mirror to by IP address or FQDN? I don't think I'm asking for too much from the man but, alas, perhaps I am.

Disappointed yet again by Apple network protocols,
Brian

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf
RE: [WIRELESS-LAN] Odd issue with Aruba wireless...
Jeff -

Besides the "only affects Win7" comment, this sounds like it could be an Aruba validuser ACL issue. If you've modified that ACL from the default of allow all IP addresses, it would block all but the specific allowed addresses. The symptoms are: user gets a valid IP address from DHCP, then all their traffic is blocked because their IP is not in the validuser ACL. I get bit by that problem every time I add a subnet and forget to add it to the list of valid networks in our validuser ACL.

Just a thought...

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell [jeff-k...@utc.edu]
Sent: Wednesday, December 07, 2011 2:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Odd issue with Aruba wireless...

Having a strange issue with our wireless today... wondered if it rings any bells... seems to just be affecting Win7...

Clients associate with access points fine, but shows "limited internet connectivity". Mouse-over wireless icon and it shows "unidentified network" (same in Network and Sharing Center), although the list of SSIDs shows the same expected SSID as "Connected".

Client RADIUS works fine (verified controller and RADIUS server), dropped on production role.

DHCP transaction is normal, request received and ACKed.

Wireless router shows MAC address in expected VLAN, and ARP entry shows expected IP address with the MAC.

ipconfig /all shows correct IP, mask, gateway, DNS, and DHCP servers. No stray IPv6 or tunnel adapters.

route print shows all expected correct entries for wireless. No stray IPv6 (other than loopback and link-local). Default points to default gateway IP.

arp -a does *NOT* show an entry for the default gateway, and client is unable to ping the default gateway.

I'm baffled :)

Jeff

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
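The failure mode Stan describes (DHCP completes, the client has a correct address, mask and gateway, and then every packet is dropped because the address is outside the networks the validuser ACL permits) is easy to catch before users hit it if the ACL's permitted networks are compared against every DHCP scope the wireless VLANs hand out. The script below is an added example, not Aruba's code or its configuration syntax: the ACL is given as plain CIDR strings and the scope table is constructed sample data, with one subnet deliberately left out of the ACL to reproduce the "added a subnet, forgot the ACL" mistake.

```python
"""Validuser ACL coverage check.

Added example, not Aruba's code or output. ArubaOS's validuser ACL controls which
source IP addresses the controller accepts as user entries; the networks and DHCP
scopes below are constructed sample data, and the ACL is expressed as plain CIDR
strings rather than in the controller's own configuration syntax.
"""
import ipaddress

VALIDUSER_ACL_NETWORKS = [          # constructed: networks the modified ACL permits
    "10.20.0.0/16",
    "172.16.40.0/22",
    "192.168.100.0/24",
]

DHCP_SCOPES = {                     # constructed: what the wireless VLANs hand out
    "wifi-vlan-101": "10.20.1.0/24",
    "wifi-vlan-102": "10.20.2.0/24",
    "wifi-vlan-103": "172.16.44.0/24",   # new subnet; the ACL was never updated
    "guest":         "192.168.100.0/24",
}


def parse_networks(cidrs):
    """Turn CIDR strings into ip_network objects; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_permitted(ip, acl_networks):
    """Would a client that received this address from DHCP pass the validuser check?"""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in acl_networks)


def uncovered_scopes(scopes, acl_networks):
    """Return the scopes that are not wholly contained in some permitted network.

    Clients leased from these scopes complete DHCP normally and then have all of
    their traffic dropped, which is the symptom described in the thread. A scope
    that only partially overlaps a permitted network is reported too, since part
    of its address range would still be blocked.
    """
    missing = {}
    for name, cidr in scopes.items():
        scope = ipaddress.ip_network(cidr, strict=False)
        covered = any(scope.version == net.version and scope.subnet_of(net)
                      for net in acl_networks)
        if not covered:
            missing[name] = cidr
    return missing


if __name__ == "__main__":
    acl = parse_networks(VALIDUSER_ACL_NETWORKS)
    for ip in ("10.20.1.55", "172.16.44.9"):
        print(ip, "permitted" if client_permitted(ip, acl) else "BLOCKED by validuser")
    for name, cidr in uncovered_scopes(DHCP_SCOPES, acl).items():
        print(f"scope {name} ({cidr}) is not covered by the validuser ACL")
```

Run it whenever a wireless subnet is added: a scope listed in the output is one whose clients will get an address and nothing else. Feeding it the real scope list from the DHCP server and the real network list from the controller's ACL is the only site-specific work.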
RE: Aruba roles / vlan pooling...
Bruce -

That's correct - both 5.x and 6.x have named VLAN pools. 3.3 and 3.4 did too. The question asked if you could apply a named VLAN pool (or even a pool, for that matter) to a specific role instead of just making it the default for a Virtual AP profile config. You cannot apply a named VLAN pool (or a pool, for that matter) to a role or assign it via a passed RADIUS attribute. Today, you can only do that sort of assignment to a VLAN or named VLAN - not a pool. To the best of my knowledge, pools and named pools can only be applied to the VAP profile.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Osborne, Bruce W [bosbo...@liberty.edu]
Sent: Wednesday, July 27, 2011 7:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba roles / vlan pooling...

5.x and 6.x have named VLAN Pools.

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: Brooks, Stan [mailto:stan.bro...@emory.edu]
Sent: Tuesday, July 26, 2011 1:01 PM
Subject: Re: Aruba roles / vlan pooling...

Quick answer - No. Not with the current versions of code available. This is a feature I've been asking for from Aruba for over 3 years - along with things like named VLANs and named VLAN pools. Assigning VLANs/Named VLANs by role or RADIUS attribute works well in the code available today. It doesn't work for assigning VLAN pools. There is potentially good news, however. I heard that it will be supported in a version of v6.x code slated for late this year...

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell [jeff-k...@utc.edu]
Sent: Tuesday, July 26, 2011 12:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba roles / vlan pooling...

Quick question... Can you have a pool of VLANs for an Aruba role? Or is pooling restricted to the default connection VLAN list to the VAP?

Jeff
RE: [WIRELESS-LAN] Aruba roles / vlan pooling...
Quick answer - No. Not with the current versions of code available. This is a feature I've been asking for from Aruba for over 3 years - along with things like named VLANs and named VLAN pools. Assigning VLANs/Named VLANs by role or RADIUS attribute works well in the code available today. It doesn't work for assigning VLAN pools. There is potentially good news, however. I heard that it will be supported in a version of v6.x code slated for late this year...

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell [jeff-k...@utc.edu]
Sent: Tuesday, July 26, 2011 12:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba roles / vlan pooling...

Quick question... Can you have a pool of VLANs for an Aruba role? Or is pooling restricted to the default connection VLAN list to the VAP?

Jeff
RE: [WIRELESS-LAN] Aruba Mobility Design Options
Shiling -

The answers to your questions depend a lot on which code you are running. I can speak for the code we are running at Emory (3.3 and 3.4 code trains - we haven't made the jump to 5.0 yet).

We run in a multi-core/VRF environment and have just changed our mobility model from IP mobility to VLAN due to a limitation with our versions of Aruba code. There is an issue with IP mobility in a multi-core environment. Aruba will tunnel the IP traffic from the foreign agent (controller) to the home agent (controller) to effect user mobility, BUT it will use the home agent's default route for the traffic. If the default route is on a different core, you've got a broken path for the traffic, especially if you've got firewalls between cores. Aruba is working on this limitation, but I don't know when they will have a fix for it.

VLAN pooling is the best thing since sliced bread, and named VLANs and named VLAN pools are fantastic features (I've been asking for them since 2005 - they were implemented a year ago). There is currently a limitation that you cannot assign a VLAN pool name through RADIUS, but I think it will be supported in the (hopefully near) future. We do use VLAN pooling extensively and our pools are large - 16 to 20 /24 subnets. I don't think there is any issue going higher, but I don't know what the upper limit is.

I'd be happy to discuss our architecture with you off list. You might also want to engage your Aruba Systems Engineer to advise you on the best way to integrate the Aruba hardware into your network architecture.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of schilling [schilling2...@gmail.com]
Sent: Tuesday, January 18, 2011 11:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Mobility Design Options

Hi All,

I tried to join the list with my edu email, but still have not received any confirmation email yet. Resubscribing got an email of "Rejected - similar commands already pending". So I am posting this message with my gmail account.

We are trying to implement mobility for students. In order to fit into our campus network virtualization with MPLS L3VPN, we would like to have the WLANs' default gateway at the Core routers, so we could have the flexibility to selectively put certain WLANs into an MPLS L3VPN, i.e. facstaff or students. We would also like to put certain clients into certain WLAN pools according to their AD/LDAP attribute. I knew we could have dedicated controllers for each specific group of users. I wish Aruba could provide multi-vrf/vrf-lite capability. All security devices like Cisco ASA/Juniper ScreenOS/Fortigate Firewall have the virtual router/context capability.

There are two ways to do mobility: layer 2/VLAN mobility and layer 3/IP mobility. I am trying to explore both mobility options with the constraint of the WLAN default gateway in the Core router. Attached please find two diagrams.

student-alternatives-vlan-mobility.jpeg, with the following notes/questions:

Notes: Layer 2/VLAN mobility requires all user VLANs/WLANs to be present on all controllers in the same mobility domain.

Is it feasible/recommended to have 10 Aruba Controllers w/ 80%*512 AP termination in a layer 2/VLAN mobility group?

Is it feasible/recommended to have 4000 users/devices in a layer 2/VLAN mobility group w/ 16 /24 VLANs in a VLAN pool?

student-alternatives-ip-mobility.jpeg, with the following notes/questions:

Notes: Layer 3/IP mobility requires an IP address for the user VLAN/WLAN to correctly forward layer-3 broadcast/multicast traffic to clients when they are away from the home network.

Could the Core be the default gateway for user VLANs/WLANs while still having an IP address in the Aruba Controllers for the corresponding user VLANs/WLANs to provide layer 3/IP mobility?

Could the VLAN pooling feature be used in this kind of design, if feasible? Basically West WLANs and East WLANs will be in the same VLAN pool, so upon association, clients will be evenly distributed among pool member VLANs. But they will be tunneled to their home agent once they roam to a foreign agent.

Questions for both designs:

Could an IETF Tunnel-Private-Group-ID in the RADIUS server be set to a VLAN pool name instead of a VLAN?

Could a server-derived rule be used to map a certain RADIUS attribute to a VLAN pool name?

I would really appreciate your feedback on my design or what your institutions are doing for mobility.

Thanks,
Shiling

Shiling Ding
Network Specialist
850-645-6810
Information Technology Services
Florida State University
RE: [WIRELESS-LAN] WiFi blockers in classrooms
And if you offer guest access, that is another end run that students will find and use. We prefer to keep the students authenticated and using an encrypted connection as a matter of general security - anyone heard of Firesheep?

Addressing this issue with technology really is a losing proposition. Students will find ways around any method we use to limit their access. In my day, it was the comic or other book inside the textbook, passing notes, or skipping class. Today it's the Internet, Facebook, IM, and texting. It really needs to be addressed in the classroom by the instructors and the students.

On a lighter note, I have this Doonesbury cartoon on my cube wall to remind me of what the students are really doing with Wi-Fi (or 3/4G) access. http://www.gocomics.com/doonesbury/2008/04/27

There was an HP laptop TV ad from about the same time that highlighted this issue as well (motocross bikes and rock bands in the lecture hall), but I've not been able to find it online. If anyone remembers it and has a link, please share!

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] on behalf of John Rodkey [rod...@westmont.edu]
Sent: Friday, November 19, 2010 4:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi blockers in classrooms

And the law of unintended consequences strikes again: Students figure this out and exchange credentials with those who aren't supposed to be in class at the time. End result: not only do you have students using the network, but you've now compromised the passwords of any number of students.

On Fri, Nov 19, 2010 at 8:50 AM, Methven, Peter J p.j.meth...@hw.ac.uk wrote:

Greg, your suggestion makes sense in many ways, especially as those students should be in the class! If they are not in class their "punishment" is no internet on campus...

I would have a concern about what happens when a class location is moved (room or time), or a student changes class/module/course midterm, whether this information is fed back correctly and in a timely manner. However, this would be easy to implement as long as the student records systems had accurate information. (Which of course they always do ;-) )

Many Thanks
Peter

Mr Peter Methven, Network Specialist
Information Technology (IT)
Allen McTernan Building, Edinburgh Campus
Tel: 0131 451 3516
For IT support queries or requests, please email ith...@hw.ac.uk or phone ext 4045, with full details of your query or request and your contact details.
http://www.hw.ac.uk/it

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Greg Schaffer
Sent: 19 November 2010 16:35
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi blockers in classrooms

David, that's an interesting perspective. I have had the opposite experience when I have taught. Now, I should say that I am in IT and taught as an adjunct one intro networking class to 25-35 students. At the beginning of the first class I told them that I am not going to regulate use of electronic devices in class; if they wanted to watch videos all during the class that was their decision *so long as it did not interfere with the class or other students*. I also made it clear that they were responsible for all work in class and not paying attention in class was not a valid reason for extra attention during office hours.

It worked well, but it might have been a function of the smaller class size. Tinkering on a device did not relieve you from being called on, and class participation was part of the grade. Having said that, I never had anyone complain of another's laptop use bothering them; if I had, I would have adjusted. Actually, I only had a few using laptops, and often they would use it to research class topics as I was talking.

Bottom line, in my experience (limited), letting students decide worked the best. But I can certainly see the other side.

Finally, with regards to WiFi blocking, I don't think the simplest solution has been offered yet. If the wireless is accessed via credentials, create an LDAP/AD/RADIUS interface that can disable those accounts during a specified class time, or on command from the instructor. Can it be done? I don't see why not, but I may be missing something(s)...

Greg

As a side note, authentication

On Fri, Nov 19, 2010 at 10:02 AM, David J Molta djmo...@syr.edu wrote:

As a faculty member who also closely follows developments
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Justin,

Thank you for pointing out that most management systems (AirWave, etc.) use the MAC address as a unique identifier - it is supposed to be a unique hardware address. I've seen indication of that MAC on our AirWave Management Platform at Emory and can deduce we had 3-4 unique visitors, mostly on our guest network, but no successful authentications on our WPA-Enterprise network. The first sighting was on 07/23/2010, there was a sighting on 09/01/2010, and the last time I saw that MAC (possibly two separate users) was on 09/16/2010. I do have two different email addresses for the last two sightings, but will probably not pursue this further unless we have more sightings.

This doesn't seem like a big issue here, but it is troubling if a manufacturer is putting out product with duplicate "unique" hardware identifiers (MAC addresses).

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C
Sent: Monday, September 27, 2010 11:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Keep in mind that in AirWave, the clients are uniquely identified by their MAC address, so you'll need to check if multiple usernames show up associated to this single MAC address. If this is the case, most likely it is multiple clients with either a manually configured MAC address (due to WEP sniffing guides on the internet) or with possibly defective wireless NICs. AirWave (and other monitoring systems) won't be able to show you the real manufacturer because they're only performing a standard OUI lookup on the first 3 octets.

What James (YorkU) did is the next logical step in trying to identify these clients by other metrics (hostname, user agent, etc.), depending on how much time and interest you have in this. We've seen at least 4 users all claiming to be 00:11:22:33:44:55 in the past week and we're internally discussing options on how to deal with this issue.

- Justin Hao CCNA
Network Engineer, ITS Networking
The University of Texas at Austin
j...@austin.utexas.edu

On Sep 27, 2010, at 9:10 AM, Holland, Ryan C. wrote:

I will second that. I, too, am seeing one client with this MAC address, reported the same way via AirWave as CIMSYS Inc.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote:

Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55
Vendor (reported by AirWave): CIMSYS Inc

For MacBooks, the vendor is typically reported as Apple or Apple, Inc.

Mike

Michael Dickson
413.545.9639
Network Analyst, Univ. of Massachusetts Amherst

On 9/26/2010 11:34 PM, Watters, John wrote:

I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-and-they-will-come method.

-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu]
Sent: Friday, September 24, 2010 4:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Thought I'd share some interesting news... The student was able to recover the box her MacBook Pro came in, and indeed the Airport ID printed on the box is 00:11:22:33:44:55

Diana Cortes, CISSP, CWNA
University of Miami
IT - Telecommunications

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams
Sent: Monday, September 20, 2010 7:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Not sure if there is software out there for the Mac to change this automatically. If you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the MAC address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /System/Library/StartupItems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook
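Justin's point is the operational one: a monitoring system keyed on MAC address will fold every device claiming 00:11:22:33:44:55 into a single "client", so the duplicate only becomes visible when the same MAC is seen with different usernames, hostnames or near-simultaneous sightings at different APs. The script below is an added example, not AirWave's, Aruba's or any poster's code: it parses association records in a made-up log format (constructed sample lines, not a vendor's real layout) and reports MACs that behave like more than one physical device. Written against the real association log of whatever system you run, it is the check Justin describes.

```python
"""Flag MAC addresses that behave like more than one physical client.

Added example. The log format below is invented for this demonstration and is not
AirWave's, Aruba's or any vendor's real log layout; the five records are
constructed sample data, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2010-09-16 09:02:11 assoc mac=00:11:22:33:44:55 user=guest-4417 host=Amys-MacBook-Pro ap=lib-1f-02
2010-09-16 09:02:40 assoc mac=3C:07:54:AA:BB:CC user=jsmith host=jsmith-mbp ap=lib-1f-02
2010-09-16 09:05:18 assoc mac=00:11:22:33:44:55 user=guest-9120 host=Raj-MacBook ap=sci-3f-07
2010-09-16 13:41:02 assoc mac=3c:07:54:aa:bb:cc user=jsmith host=jsmith-mbp ap=lib-2f-01
2010-09-16 14:10:55 assoc mac=00:11:22:33:44:55 user=guest-4417 host=Amys-MacBook-Pro ap=lib-1f-03
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) assoc "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"user=(?P<user>\S+) host=(?P<host>\S+) ap=(?P<ap>\S+)$"
)


def parse_log(text):
    """Parse records; MACs are lower-cased so differently cased copies collapse to one key."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected shape rather than guessing
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["mac"] = rec["mac"].lower()
        records.append(rec)
    return records


def find_shared_macs(records, window_seconds=600):
    """Return {mac: summary} for MACs seen with more than one username or hostname.

    A system keyed on MAC alone shows such a MAC as one client. The summary also
    counts identity changes between two different APs inside window_seconds,
    which is hard to explain with a single roaming device and easy to explain
    with two devices carrying the same address.
    """
    by_mac = defaultdict(list)
    for rec in records:
        by_mac[rec["mac"]].append(rec)

    shared = {}
    for mac, recs in by_mac.items():
        users = {r["user"] for r in recs}
        hosts = {r["host"] for r in recs}
        if len(users) == 1 and len(hosts) == 1:
            continue  # one identity throughout: nothing to report
        recs.sort(key=lambda r: r["ts"])
        quick_flips = 0
        for earlier, later in zip(recs, recs[1:]):
            gap = (later["ts"] - earlier["ts"]).total_seconds()
            if (earlier["user"] != later["user"] and earlier["ap"] != later["ap"]
                    and gap <= window_seconds):
                quick_flips += 1
        shared[mac] = {
            "users": sorted(users),
            "hosts": sorted(hosts),
            "sightings": len(recs),
            "quick_identity_flips": quick_flips,
        }
    return shared


if __name__ == "__main__":
    for mac, info in find_shared_macs(parse_log(SAMPLE_LOG)).items():
        print(mac, info)
```

The hostname and username are the "other metrics" Justin mentions; the quick-flip count is the cheap tie-breaker between "one person with two logins" and "two machines", since a single laptop cannot be at two APs with two users three minutes apart. Whatever the system reports as the vendor for the OUI tells you only who registered the prefix, not which device is actually transmitting.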
RE: DHCP lease times?
At Emory, we've been using 1 hour lease times for our wireless subnets for 5 years. This has worked well for us over the years. As wireless gained popularity (and massive amounts of users/devices), we moved to private IP addresses to handle the load. We are still using the 1 hour lease time for wireless even though we now have plenty of IP addresses. We did have an issue when school started where one area sucked up over 1000 IP addresses with users having 2 or more devices - we added subnets to handle the additional load using Aruba's VLAN pooling.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Marcelo Lew
Sent: Monday, September 13, 2010 5:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] DHCP lease times?

What do you guys use for DHCP lease times on your wireless networks (external DHCP server)? We have an issue where our DHCP server (Cisco) reports subnets almost full, however, the Aruba Controller shows plenty of IPs available. I think the issue might be related with devices getting on the network for a very short time, going off line, but the DHCP server still holds that lease. We have lease times set at 1 hour for the wireless network. Shorter lease times maybe?

Thanks,
Marcelo

Marcelo Lew
Wireless Enterprise Administrator
University Technology Services
University of Denver
Desk: (303) 871-6523
Cell: (303) 669-4217
Fax: (303) 871-5900
Email: m...@du.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
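An added illustration of Marcelo's hypothesis, not code from anyone in the thread: a small lease-table simulation in which walk-through clients keep their lease long after leaving, so the DHCP server looks much fuller than the controller's client count, and a shorter lease narrows the gap. It assumes clients renew at T1 = half the lease (the RFC 2131 default) and never send a DHCPRELEASE when they walk out of coverage; the session pattern is constructed.

```python
# Added illustration of the lease-lingering effect described in the thread;
# not code from any poster. Assumptions: clients renew at T1 = lease/2 (the
# RFC 2131 default) while on the network and never send DHCPRELEASE when they
# walk out of coverage, so a lease outlives the association by up to one lease.


def constructed_sessions(n=240):
    """Constructed traffic: one new client per minute; every fourth client stays
    120 minutes, the rest are walk-throughs that stay 5 minutes.
    Each session is (client_id, start_minute, duration_minutes)."""
    return [(f"client-{i:04d}", i, 120 if i % 4 == 0 else 5) for i in range(n)]


def associated_at(sessions, minute):
    """Clients the controller sees as connected at `minute`."""
    return sum(1 for _, start, dur in sessions if start <= minute < start + dur)


def lease_expiry(start, duration, lease_minutes):
    """Minute at which the DHCP server finally expires this client's lease.
    The client renews every T1 = lease/2 minutes while connected; the lease
    then runs a full lease period after the last renewal."""
    t1 = max(1, lease_minutes // 2)
    last_renewal = start
    while last_renewal + t1 < start + duration:
        last_renewal += t1
    return last_renewal + lease_minutes


def leases_held(sessions, minute, lease_minutes):
    """Leases the DHCP server still counts as in use at `minute`."""
    return sum(1 for _, start, dur in sessions
               if start <= minute < lease_expiry(start, dur, lease_minutes))


def compare(minute=250, lease_options=(60, 20)):
    """Return {"associated": controller count, lease_minutes: leases held, ...}."""
    sessions = constructed_sessions()
    result = {"associated": associated_at(sessions, minute)}
    for lease in lease_options:
        result[lease] = leases_held(sessions, minute, lease)
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        label = "controller sees" if key == "associated" else f"DHCP holds ({key}-minute lease)"
        print(f"{label:32} {value:4d}")
```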
RE: [WIRELESS-LAN] Student Wireless Printers in Dorms
I would LOVE to see wireless printers support 802.1x/WPA-Enterprise authentication, but I'm not holding my breath. The same is true for game consoles (Xboxes, Wiis, etc), but that's even more unlikely - especially since the Wii has trouble connecting to an 802.11g network without dot11b data rates enabled. I wish vendors would get it right with their wireless drivers and authentication support - or win the lottery. I probably have a better chance of winning the lottery, though.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bruce Curtis
Sent: Friday, August 27, 2010 1:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Student Wireless Printers in Dorms

On Aug 26, 2010, at 8:20 PM, Lee H Badman wrote:

> Hi Stan- Your thoughts are a carbon copy of my own, and your approach mirrors what we are doing now. At the same time, a lot of parents and those who want to keep them happy would love to see a silver bullet emerge that somehow makes it all work. I'm picturing some not yet existent protocol/framework developed just for higher ed by the printer folks and WLAN makers.

Actually I think the right combination of existing protocols would work. If the printers supported 802.1x authentication for WPA2 Enterprise, and IPsec over IPv6. IPv6 support would solve the problem of having enough IP numbers and IPsec support would be a way to only allow certain computers to print to the printer. With some new federal requirements we may actually see more printers support IPsec. But maybe not the $40 printers for a while.

https://sites.google.com/site/ipv6implementors/2010/agenda/LT_03_Narten_IPv6-USGv6-Google.pdf?attredirects=0
http://www.youtube.com/watch?v=U45hV16LA1A#t=1h34m4s

> And I'd like a pony and some ice cream and to win the lottery:)

Winning the lottery would be fine for me, then I could buy my own pony and ice cream. :-)

> -Lee
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Brooks, Stan [stan.bro...@emory.edu]
> Sent: Thursday, August 26, 2010 6:50 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Student Wireless Printers in Dorms
>
> Lee,
>
> The answer is buy a Bluetooth printer or get a USB cable. At Emory, we do not support or allow wireless printers on our network. There is no easy way to manage these devices. They don't support 802.1x authentication, so they would have to go on either an open or WPA-PSK wireless network. Even if they got connected, there is no guarantee that the student would find their printer since we don't do static IPs on our wireless network and we use Aruba's VLAN pooling to provide manageable subnets on our controllers, so a wireless user and their wireless printer may end up on separate subnets. An additional disincentive for wireless printing is that others could see and print pages to the student's printer. While this may make an interesting practical joke, I think the student who ends up with 100's of pages of garbage spewing from their printer will not be amused at the waste of paper and ink. If we see wireless printers, we ask the students to turn off the wireless interface and strongly recommend that they invest in a USB cable for printing.
>
> - Stan Brooks - CWNA/CWSP
> Emory University
> University Technology Services
> 404.727.0226
> AIM/Y!/Twitter: WLANstan
> MSN: wlans...@hotmail.com
> GoogleTalk: wlans...@gmail.com
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
> Sent: Thursday, August 26, 2010 6:08 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Student Wireless Printers in Dorms
>
> Is not the first time this topic has been put out there, but the semester opening once again pushes it out front and center. Has anyone found a supportable, comfortable way to squeeze hundreds of $40 wireless printers into your carefully designed and tuned 802.1x-auth/secure residential WLANs? They tend not to run enterprise security profiles, and even if they did, there are still a lot of questions about how you'd use them as authorized clients.
>
> Thanks-
> Lee Badman
RE: Student Wireless Printers in Dorms
Lee,

The answer is buy a Bluetooth printer or get a USB cable. At Emory, we do not support or allow wireless printers on our network. There is no easy way to manage these devices. They don't support 802.1x authentication, so they would have to go on either an open or WPA-PSK wireless network. Even if they got connected, there is no guarantee that the student would find their printer since we don't do static IPs on our wireless network and we use Aruba's VLAN pooling to provide manageable subnets on our controllers, so a wireless user and their wireless printer may end up on separate subnets. An additional disincentive for wireless printing is that others could see and print pages to the student's printer. While this may make an interesting practical joke, I think the student who ends up with 100's of pages of garbage spewing from their printer will not be amused at the waste of paper and ink. If we see wireless printers, we ask the students to turn off the wireless interface and strongly recommend that they invest in a USB cable for printing.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Thursday, August 26, 2010 6:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Student Wireless Printers in Dorms

Is not the first time this topic has been put out there, but the semester opening once again pushes it out front and center. Has anyone found a supportable, comfortable way to squeeze hundreds of $40 wireless printers into your carefully designed and tuned 802.1x-auth/secure residential WLANs? They tend not to run enterprise security profiles, and even if they did, there are still a lot of questions about how you'd use them as authorized clients.

Thanks-
Lee Badman
RE: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?
John,

At Emory University, we've just completed upgrading our ResHalls to 802.11n and are now working on our academic buildings as part of a system-wide upgrade to 802.11n. We've moved from single radio b/g APs to dual radio a/b/g/n APs. We are running 802.11n (backwards compatible to b/g) on our 2.4GHz radios, but without the 40MHz (high-throughput) channel plan. In fact I (and most wireless engineers) would advise against running 40MHz channels at 2.4GHz. We do run the 40MHz channels in the 5GHz band, however. That said, 802.11n with standard 20MHz channels does give marked improvement over 802.11b/g because of other dot11n technologies - multiple spatial streams, frame aggregation, etc.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of j...@nww.com
Sent: Tuesday, August 24, 2010 10:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?

Chris,

Thanks. Your observation on 40MHz limiting the channel options in the 2.4 band fits with what I've learned also. As I mentioned in my direct reply, your email reminded me -- and I should have thought of this -- that of course the same 3-channel limitation exists for 11b/g iPhones. But...what I'm wondering is if the iPhone 4's demand or preference for 11n makes the situation more problematic, especially in a mixed-client environment -- when b/g iPhones are associating to the same 11n access point?

Regards,
John Cox
Senior Editor
Network World

From: Chris Murphy [mailto:ch...@mit.edu]
Sent: Monday, August 23, 2010 7:28 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: John Cox
Subject: Re: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?

John,

I don't think there is much of an issue here, unless there is a requirement that the iPhone 4's need the bandwidth possible using 40MHz channels. Just about every design guideline I've seen, and every conversation I've had with engineers at various networking companies, considers using 40MHz channels at 2.4GHz to be a bad idea, due to the loss of what little flexibility one has with channel layout as well as with adverse effects on neighboring networks in crowded areas (the anti-social effect), so here at least we never considered it.

-Chris

On Aug 23, 2010, at 9:12 AM, j...@nww.com wrote:

Folks,

I was talking to a higher education IT guy last week; they have a lot of iPhones, and are rolling out iPhone 4's to new freshmen and to faculty. As part of this, they upgraded the campus WLAN to 802.11n. BUT, after iPhone 4 was announced, they realized its 11n support was ONLY for the 2.4 GHz band (with of course only 3 non-overlapping channels, and tradeoffs if you merge two of them into one 40MHz channel). In SOME locations, they're having to do some fancy juggling of access points, channel and power settings. Juggling 3 channels in a crowded location clearly is NOT new. But the fact that this is occurring in 11n with a popular client device that often relies on WLAN access, seems noteworthy.

I was wondering if anyone else is running into similar issues with iPhone 4 and 11n? I'm going to be writing this up as a Network World story today or early Tuesday. If you're interested in emailing/talking briefly with me about this, please just copy any listserv response to (or email me directly at) my NW email: john_...@nww.com. Thanks!

Regards,
John Cox

__
John Cox
Senior Editor
Main: 508.766.5301 | Direct: 508.766.5422
Office at home: 978-834-0554
NETWORKWORLD
Maximize Your Return on IT
492 Old Connecticut Path | Framingham, MA 01701-9002
__
NetworkWorld.com http://www.networkworld.com/ | 2009 Media Guide http://www.networkworld.com/media/ | Conferences and Events http://www.networkworld.com/events/

===
Chris Murphy
Network Engineer
MIT Information Services & Technology
Room W92-191
77 Massachusetts Avenue
Cambridge, MA 02139
ch...@mit.edu
RE: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?
Good point, John. The iPhone is only a 1x1 MIMO, so no spatial stream boost. There is still the reduced guard time and frame aggregation that will give better performance compared to 802.11b/g.

I'm still digging out from (a very successful) Back-to-School weekend, but we are seeing approximately 1/3 of our total ResNet users running 802.11n in 5GHz, 1/3 running 802.11n in 2.4GHz, and 1/3 running 802.11g. I don't have any breakout for the iPhones specifically but can say that iDevices (iPads, iPhones, iPod Touches) accounted for a little over 8% of our total clients registered over the weekend.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of j...@nww.com
Sent: Tuesday, August 24, 2010 11:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?

Stan,

What kind of 11n data rates and throughput are you seeing in the 2.4 band? Also, I think iPhone 4 has only a single Wi-Fi antenna, so it doesn't benefit (or benefit as much) as a 2x2 or 3x3 MIMO laptop. Have you done any i4 performance metrics? I'm trying to get 11n implementation details from Apple, but so far they've only referred me to the Web i4 spec sheet.

Regards,
John Cox
Senior Editor
Network World

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Brooks, Stan
Sent: Tuesday, August 24, 2010 11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?

John,

At Emory University, we've just completed upgrading our ResHalls to 802.11n and are now working on our academic buildings as part of a system-wide upgrade to 802.11n. We've moved from single radio b/g APs to dual radio a/b/g/n APs. We are running 802.11n (backwards compatible to b/g) on our 2.4GHz radios, but without the 40MHz (high-throughput) channel plan. In fact I (and most wireless engineers) would advise against running 40MHz channels at 2.4GHz. We do run the 40MHz channels in the 5GHz band, however. That said, 802.11n with standard 20MHz channels does give marked improvement over 802.11b/g because of other dot11n technologies - multiple spatial streams, frame aggregation, etc.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of j...@nww.com
Sent: Tuesday, August 24, 2010 10:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?

Chris,

Thanks. Your observation on 40MHz limiting the channel options in the 2.4 band fits with what I've learned also. As I mentioned in my direct reply, your email reminded me -- and I should have thought of this -- that of course the same 3-channel limitation exists for 11b/g iPhones. But...what I'm wondering is if the iPhone 4's demand or preference for 11n makes the situation more problematic, especially in a mixed-client environment -- when b/g iPhones are associating to the same 11n access point?

Regards,
John Cox
Senior Editor
Network World

From: Chris Murphy [mailto:ch...@mit.edu]
Sent: Monday, August 23, 2010 7:28 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: John Cox
Subject: Re: [WIRELESS-LAN] Any issues with iPhone 4 and 2.4GHz 802.11n?

John,

I don't think there is much of an issue here, unless there is a requirement that the iPhone 4's need the bandwidth possible using 40MHz channels. Just about every design guideline I've seen, and every conversation I've had with engineers at various networking companies, considers using 40MHz channels at 2.4GHz to be a bad idea, due to the loss of what little flexibility one has with channel layout as well as with adverse effects on neighboring networks in crowded areas (the anti-social effect), so here at least we never considered it.

-Chris

On Aug 23, 2010, at 9:12 AM, j...@nww.com wrote:

Folks,

I was talking to a higher education IT guy last week; they have a lot of iPhones, and are rolling out iPhone 4's to new freshmen and to faculty. As part of this, they upgraded the campus WLAN to 802.11n. BUT, after iPhone 4 was announced, they realized its 11n support was ONLY for the 2.4 GHz band (with of course only 3 non-overlapping channels, and tradeoffs if you merge two of them into one 40MHz
RE: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps
At Emory, we've been using VLAN pooling on our Aruba infrastructure for at least 2 years (may be 3 - I forget because it works so well). Basically, you create a pool and put as many or as few VLANs as you want in that pool. You can even add VLANs as needed. The VLAN pool is tied to an SSID for a group of APs and it acts just like a single VLAN for configuration purposes. The controller load balances users across the VLANs in the pool (by MAC address hash, I believe). This allows us to have many subnets associated with an SSID and automagically spread users across those nets. It works extremely well. I no longer worry about running out of wireless client IP addresses. If the pools start showing higher usage, I just add another VLAN to the pool. That way we keep our subnet sizes down (class Cs), but can support thousands of users on the wireless network without having enormous broadcast domains. Aruba's IP mobility takes care of clients roaming between APs on different controllers.

This feature is one of the best that Aruba has come out with. It makes wireless network planning and scaling easy. If you need additional information or help with configuring this, hit me off-list.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Michael Simpson
Sent: Monday, April 26, 2010 11:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps

One pain point of a quickly growing wireless network (especially when using public IPs) is to accommodate for growth. Recently we went through an informal RFI process to select a new wireless vendor. With Cisco we are now able to add IP address space to our wireless network by using AP Groups and assigning certain groups of APs to map our campus SSID(s) to certain VLANs. With this setup users in one building when connecting to the student SSID will get addresses from a different VLAN than students connecting to the same SSID in a different building. While this approach is far better than our previous setup it still requires some network changes when adding IP address space. We can add another subnet when needed but we must then fiddle with AP groups to try to balance out or right-size each area of our wireless network. It also leaves us vulnerable to unexpected client shifts. If we have an AP Group area that usually has 60% of its IP address space in use decide to host a conference and suddenly doubles the demand for IP address space we are left scrambling to accommodate for growth that may not be needed in the future.

With VLAN Pooling (I believe Aruba uses this) you can map an SSID to a VLAN Pool instead of a VLAN so when users connect to that SSID they are given an address from any subnet that has been assigned to that Pool. From my understanding this allows you to add IP address space simply by adding more subnets to the Pool. It also eliminates the problem of large influxes of users who happen to come to a building that usually doesn't need a great deal of addresses. This sounded very useful when the Aruba sales team was showing us their product but since I haven't actually tested or deployed a system with VLAN Pooling capabilities I can't speak to its effectiveness in practice.

Michael Simpson

Mike King m...@mpking.com 4/26/2010 8:24 AM

On Fri, Apr 23, 2010 at 1:09 PM, Michael Simpson michael.simp...@uvu.edu wrote:

Though I wouldn't say it is a source of discontent, I would like to see VLAN Pooling added.

Michael Simpson

Michael,

What do you mean by VLAN Pooling?
RE: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
Jethro -

On the Web App side we capture who entered the MAC and when along with the wireless user's ID, device type, and if it's a student or faculty/staff so we can age out the students at the end of term. On the RADIUS side, we log auth times so we can see the last time they authenticated - which also helps in aging out devices. Since we have the user IDs, we can email them to tell them their MAC auth is going away before we delete/age it out.

BTW - we gave the system a cute name - WiiRAD - to indicate that it authenticates game consoles via RADIUS.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jethro R Binks
Sent: Friday, April 16, 2010 4:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

On Thu, 15 Apr 2010, Brooks, Stan wrote:

Our system uses Mac-Auth via RADIUS. We've built a custom web app in house that updates the RADIUS auth database so trusted people (some of our clean room techs and others) can verify the type of device and enter the MAC into the system.

Other than the MAC address, what other sort of data do you store for the entry? User? Time of registration? Any expiry time for the entry? Type of device?

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
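An added example of the aging-out logic Stan describes, not the WiiRAD code itself: registration records carry the user, device type, affiliation and who entered them, a RADIUS accept log supplies the last authentication time, and one function lists which entries to notify and then expire (students once the term has ended, anything idle longer than a threshold or never seen). The record layout, log format and the 90-day idle threshold are assumptions, and all values are constructed.

```python
# Added example of the age-out logic described above; not the WiiRAD code.
# Record layout, RADIUS log format and the 90-day idle threshold are assumptions.
from datetime import date, datetime, timedelta

# Constructed registrations as the web app would capture them
REGISTRATIONS = [
    {"mac": "00:1F:A7:11:22:33", "user": "jdoe",    "device": "Xbox 360",
     "affiliation": "student", "registered": date(2010, 1, 12), "entered_by": "tech01"},
    {"mac": "00:17:AB:44:55:66", "user": "mlopez",  "device": "Wii",
     "affiliation": "student", "registered": date(2010, 2, 3),  "entered_by": "tech02"},
    {"mac": "00:1B:63:77:88:99", "user": "profk",   "device": "Printer",
     "affiliation": "faculty", "registered": date(2009, 9, 1),  "entered_by": "tech01"},
    {"mac": "00:26:08:AA:BB:CC", "user": "profz",   "device": "PS3",
     "affiliation": "faculty", "registered": date(2010, 4, 1),  "entered_by": "tech02"},
    {"mac": "00:24:36:DD:EE:FF", "user": "tnguyen", "device": "TiVo",
     "affiliation": "faculty", "registered": date(2010, 4, 20), "entered_by": "tech01"},
]

# Constructed RADIUS accept log: "<timestamp> <mac>", one line per successful MAC auth
RADIUS_LOG = """\
2010-05-01T20:11:03 00:1f:a7:11:22:33
2010-04-29T18:02:44 00:17:ab:44:55:66
2010-01-15T08:30:00 00:1b:63:77:88:99
2010-05-02T09:00:00 00:26:08:aa:bb:cc
2009-12-20T07:45:10 00:1b:63:77:88:99
"""


def last_auth_times(log):
    """Latest successful auth per MAC (keys lowercased so they match any entry style)."""
    last = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, mac = line.split()
        when = datetime.fromisoformat(stamp)
        mac = mac.lower()
        if mac not in last or when > last[mac]:
            last[mac] = when
    return last


def entries_to_age_out(registrations, last_auth, today, term_end, idle_days=90):
    """Return [(mac, user, reason)] for every registration that should be
    notified and then removed: student entries once the term has ended, and
    any entry that has not authenticated within `idle_days` (or never has)."""
    stale = []
    for reg in registrations:
        reasons = []
        if reg["affiliation"] == "student" and today >= term_end:
            reasons.append("end of term")
        seen = last_auth.get(reg["mac"].lower())
        if seen is None:
            reasons.append("never authenticated")
        else:
            idle = (today - seen.date()).days
            if idle > idle_days:
                reasons.append(f"idle {idle} days")
        if reasons:
            stale.append((reg["mac"], reg["user"], "; ".join(reasons)))
    return stale


def notification_lines(stale, delete_on):
    """One line per affected user for the courtesy e-mail sent before deletion."""
    return [f"{user}: MAC {mac} will be removed on {delete_on.isoformat()} ({reason})"
            for mac, user, reason in stale]


if __name__ == "__main__":
    today = date(2010, 5, 10)
    stale = entries_to_age_out(REGISTRATIONS, last_auth_times(RADIUS_LOG),
                               today, term_end=date(2010, 5, 8))
    print("\n".join(notification_lines(stale, today + timedelta(days=7))))
```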
RE: [WIRELESS-LAN] Aruba vs HP vs Meraki
I have to chime in here... We've deployed close to 2000 Aruba APs at Emory (AP60/61's) over the last 5 years. In that time, we've had less than 10 fail because of hardware. I've had something like 20 more damaged in the ResHalls - mostly someone threw a ball and broke the flipper antenna on the AP61. We've been very happy with the reliability of the Aruba products. They do hold up well in an academic (read hostile) environment. Oh - those failed APs were all purchased before the lifetime warranty. We found that even with our self-insurance for APs our maintenance costs were quite low.

We are now deploying AP105s as we move to 802.11n across campus and are finding that, even though they are light in weight, they're sturdy devices that should hold up even better than our AP61's have.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler
Sent: Sunday, April 11, 2010 9:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki

Lifetime warranty is great, but it still costs time/money to have an IT staff member mount/dismount the AP and send it back for replacement. All things being equal, I'd rather mount the AP once, and the next time I visit it will be when it is life-cycled and replaced with the latest standard.

Jeff

Todd Lane t...@email.unc.edu 4/11/2010 5:46 PM

We don't worry about our Aruba APs. They're covered by a lifetime warranty unlike the Cisco APs we were buying.

Aruba Lifetime Warranty*
The following Aruba indoor enterprise-grade wireless access points are covered by Aruba's Lifetime Warranty if purchased after May 21, 2009:
● AP-60
● AP-61
● AP-65
● AP-65WB
● AP-70
● AP-105
● AP-120
● AP-120abg
● AP-121
● AP-121abg
● AP-124
● AP-124abg
● AP-125
● AP-125abg
● RAP-5
● RAP-5WN
* Aruba Lifetime Warranty coverage remains in place for as long as you own the product, up to five years following Aruba announcement of end-of-sale of that product.

Todd Lane
University of North Carolina at Chapel Hill

On 4/11/2010 6:31 PM, Jeffrey Sessler wrote:

Ethan,

Where I would suggest spending some evaluation time is on the AP construction. Having had time to evaluate both the Aruba and Cisco AP's, there were doubts as to the Aruba's life-span when placed in our residential halls. The design (this was their 802.11n product) relied on venting and convection cooling, and it was unknown what would happen as dust-bunnies and other obstructions settled on those vents. Even in our lab the Aruba AP got hot, so much so that the metal shield on the ethernet connector was uncomfortable to the touch. The Cisco AP's on the other hand were 100% sealed, stayed cool, and the large aluminum casing is the heat sink. Between the two, it was felt the Cisco would be maintenance free while the Aruba might require attention (dusting off) from time to time.

Point being, as you look at Aruba, HP, Meru, etc. make sure to keep the AP's design and planned deployment locations in mind.

Jeff

Ethan Sommer somm...@gac.edu 4/2/2010 6:25 PM

As I said in another post we selected our finalists based on what other colleges seem happy with (which by a wide margin seems to be mostly cisco, aruba, and meru) and HP because we already have a HP infrastructure. My assumption is that all of you are smart and there is a reason you all chose to go with those products. We are on a tight budget, so based on initial pricing we eliminated Cisco and Meru who seemed to be the most expensive (plus we don't like cisco for a number of other reasons). (As an aside, after posting here meru contacted me _and my boss_, which I believe is not allowed under this list's rules. In any case, I told them if they could provide a quote for a 200 dual radio complete system in the same ballpark as the other systems we're looking at, then we'll talk.)

Our next steps are
* To get quotes
* And bring in the systems to do test runs in real life conditions. (We're going to try each out in one of the dorms and the library, each of which currently have 10 APs.)

If we aren't in love with any of those systems, we'll widen our search. We have very limited resources, so if one comes in much cheaper than the others the question will be is that system good enough for us. Otherwise we'll pick the system that we think will work best for us. Based on talking with schools running Aruba and Meraki, I think either would be a great move forward for us. I've yet to hear of a school who chose either and regretted it.

Ethan

Mike Hydra wrote:

What I personally find interesting is the wide choice not from a manufacturing point of view but more from a Wi-Fi
RE: [WIRELESS-LAN] ARuba VLAN pooling
Actually, the VLANs are assigned to a particular controller, so your limit (using /24 - 8096) is per controller. If you need more, go with /23 subnets. Any way you cut it, it's a lot of users per VAP or per Controller.

We've been using VLAN pooling for something like 3 or 4 years now and it's been freaking AWESOME for scaling our wireless network. The MAC hashing for load balancing wireless clients has been great. It may not give a perfect user distribution across the pooled VLANs but it gets very close. Aruba's layer 3 roaming (mobility) works with the VLAN pooling to truly make a decent scalable wireless solution. After hearing about different wireless deployments with a /20 subnet or larger just to handle roaming, I shudder at the thought of NOT having VLAN pooling and mobility.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Thursday, May 28, 2009 12:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ARuba VLAN pooling

If my memory serves me well, there is a capacity caveat to Aruba's VLAN pooling at the moment (might change in a future code release):

1 SSID = 1 VAP = 1 Pool = Max 32 VLANs

So if you use /24, a maximum of 8096 ((256 - 3 (gateway, network, broadcast)) * 32) users is the limit for one SSID. Not too many places have to worry about exceeding this number, but it's good to keep in mind!

Philippe
Univ. of TN

On May 28, 2009, at 12:34 PM, Garrett Harmon wrote:

We've also loved vlan pooling, and the distribution of clients across the /24's is excellent. As we start to see our vlans becoming highly utilized, we simply add another /24 to the pool and slowly the distribution evens out again. Current users are not affected until they disconnect and reconnect, at which point they'll likely receive a new vlan assignment, while new users immediately get hashed into the new algorithm.

Garrett Harmon
Network Engineer
Office of Information Technology
The Ohio State University
614.292.2122 (o)
614.747.5539 (c)

On May 28, 2009, at 11:45 AM, Michael Dickson wrote:

We find that Vlan Pooling does a really good job at balancing the users across our 24 client vlans. We have eighteen client vlans on our main SSID and I'm impressed with the even distribution this feature offers. If you have multiple local controllers make sure that the client vlans are properly configured on each controller for both L2 and L3. This will ensure that the clients can roam across controller boundaries with the same IP address. Also, we found it helpful to size each client vlan/subnet the same (again we use /24 subnets).

Hope this helps.

Mike
***
Michael Dickson
Network Analyst
University of Massachusetts
Network Systems and Services

Ken Connell wrote:

Assuming you have multiple client side vlans already configured on your controller, you assign those vlans to the vap (currently you're only specifying one vlan, just comma separate and add another). Now when a user associates, there is a hash done on the client mac address and they are placed in a vlan based on the output of the hash. That mac will always hash out the same, and they will therefore always be put into the same vlan. Just be careful if you have any static clients or use reserved DHCP, cause once you add another vlan to the pool, they'll more than likely hash out to a diff vlan and therefore require a diff IP of course. We've been using that since it was available and have no complaints.

Ken Connell
Intermediate Network Engineer
Computer Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

*From*: Jason Appah
*Date*: Thu, 28 May 2009 08:16:07 -0700
*To*: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject*: [WIRELESS-LAN] ARuba VLAN pooling

What is this VLAN pooling? How does it work?

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
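The pooling behaviour the thread describes, as an added simulation that is not part of the list discussion: a deterministic MAC-to-VLAN hash, the near-even spread across the pool, and the reserved-DHCP caveat that growing the pool re-hashes most clients. Aruba's real hash is not given in the thread; a SHA-256 of the normalized MAC modulo pool size is assumed, and the VLAN IDs are constructed.

```python
# Added example: simulate MAC-hash VLAN pooling. Not Aruba's implementation;
# the hash (sha256 mod pool size) and VLAN IDs are assumptions for illustration.
import hashlib
import random
from collections import Counter

POOL_BEFORE = [101, 102, 103, 104]      # four /24 client VLANs (constructed IDs)
POOL_AFTER = POOL_BEFORE + [105]        # a fifth /24 added to the pool


def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff form so '00-11-22-33-44-55' and '0011.2233.4455' hash alike."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def assign_vlan(mac, pool):
    """Same MAC and same pool always yield the same VLAN (the 'always hashes out the same' property)."""
    digest = hashlib.sha256(normalize_mac(mac).encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def random_macs(count, seed=1):
    """Constructed client population; a fixed seed keeps runs reproducible."""
    rng = random.Random(seed)
    return [":".join(f"{rng.randrange(256):02x}" for _ in range(6)) for _ in range(count)]


def distribution(macs, pool):
    """Clients per VLAN; with a decent hash each VLAN gets about len(macs)/len(pool)."""
    return Counter(assign_vlan(m, pool) for m in macs)


def max_skew(macs, pool):
    """Largest deviation of any VLAN from an even share, as a fraction of that share."""
    counts = distribution(macs, pool)
    ideal = len(macs) / len(pool)
    return max(abs(counts.get(v, 0) - ideal) for v in pool) / ideal


def clients_that_move(macs, old_pool, new_pool):
    """MACs whose VLAN, and therefore IP, changes after the pool grows: the
    static-client / reserved-DHCP caveat. With modulo hashing most clients move."""
    return [m for m in macs if assign_vlan(m, old_pool) != assign_vlan(m, new_pool)]


def pool_capacity(vlan_count, prefix_len=24, reserved=3):
    """Usable hosts in a pool: (hosts per subnet - network/broadcast/gateway) * VLANs.
    32 x /24 gives the 8096 figure quoted in the thread."""
    return (2 ** (32 - prefix_len) - reserved) * vlan_count


if __name__ == "__main__":
    macs = random_macs(4000)
    print("before:", sorted(distribution(macs, POOL_BEFORE).items()))
    print("after: ", sorted(distribution(macs, POOL_AFTER).items()))
    moved = clients_that_move(macs, POOL_BEFORE, POOL_AFTER)
    print(f"{len(moved)} of {len(macs)} clients would land in a different VLAN")
    print("32 x /24 pool capacity:", pool_capacity(32))
```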
RE: [WIRELESS-LAN] Meru and Broadcast Suppression
Aruba's VLAN pooling ROCKS

We use 4 VLANs/controller (all /24's) and pool them. Users are load-balanced across the 4 VLANs/subnets automagically.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Wednesday, May 27, 2009 4:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meru and Broadcast Suppression

At the moment: /20 but with a lot of controls on Broadcast and Multicast (I would advise against it!)
We lived well with a /21 though.
Our new Aruba install is planned with a bunch of /23 and /24, using VLAN pooling.

Philippe
Univ. of TN

On May 27, 2009, at 3:50 PM, Scott Irey wrote:

Hello,

Anyone that is using Meru know how well Meru does broadcast suppression to WLAN clients? Looking at some of my packet captures the broadcast traffic seems to be limited but I do see some broadcasted DHCP packets. I know they claim to do some suppression according to the config guide. It doesn't seem as cut and dry though as compared to how Cisco's WLC's do it. We are looking to possibly expand the size of our subnets for wireless and this plays into that. What are some of the subnet sizes that some of you are using for WLAN?

Thanks!

Scott Irey
Network Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
RE: Enforcing and Ensuring Machine Auth 802.1x
At Emory, we use Machine Auth in our Healthcare organization to authenticate wireless carts in the hospitals. The carts only do machine auth for connectivity; users don't log in to the network - they must use a Citrix session for any work.

It's my understanding that Machine Auth is strictly a Windows thing; it's not supported in Mac or Linux. It works by using the computer name and SID to authenticate instead of a username/PW. If the computer loses its security association with the AD domain, authentication will fail. Once you lose the security association, I believe you need to rebuild it by connecting through a wired network. I don't know what causes the machine to lose its security association. Maybe someone better versed on AD and Windows can chime in with an answer.

You should be able to troubleshoot this (or at least locate the wayward machines) by either looking at the RADIUS/AD auth failures on your RADIUS server or on the controller side. With Aruba, clients that fail the dot1x auth are usually put in the logon role, so looking at users in that role should give you an indication of who's not functioning properly. RADIUS auth fails are also logged in syslog messages, so mining the logs can also help you find non-working machines. With Aruba, to prove it is an auth issue, use the show auth-tracebuf mac mac-of-failing-machine or show auth-tracebuf failures. The auth-tracebuf rolls over very quickly, so you have to catch it while the authentication is happening. I don't know any Meru commands for troubleshooting.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
stan.bro...@emory.edu
AIM: WLANstan
Yahoo!: WLANstan
MSN: wlans...@hotmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M [neil-john...@uiowa.edu]
Sent: Friday, May 15, 2009 3:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

We have similar issues in our library, and haven’t found a solution yet. We are a Meru shop. Users attempting to log on to laptops that are members of the domain get “Unable to find a logon server” errors when the wireless net in the library is being heavily utilized. We are using a Vista SSO GPO configured to first authenticate users to the wireless network and then authenticate them to the domain. One hack we’ve found is to reboot the machine and then don’t attempt to login (don’t hit ctrl-alt-del) until the screen saver starts. We don’t think it’s a wireless issue because Mac’s and Linux systems don’t have problems getting authenticated to the wireless network.

-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

At our little campus we have about 100 computers that are pure wireless workstations provided in the library for student use. From time to time they will refuse to machine auth to the network. Typically they are reported after the fact as the student will bounce from workstation to workstation until they find a “Hot” one.

Troubleshooting: We have tried JAMAP (Just add more access points) (for a stretch there we had 36 to 50 people, including wireless workstations, on a single access point). Modifying the power settings so the machines never sleep. Updating drivers for the mix of Broadcom, intel and Linksys wireless cards. All to no avail.

We are an all aruba shop and are quite pleased with their entire line; the system never bogs, higgs or given us any hint of trouble, just the 802.1x problem. The problem is difficult because there are so many workstations and they don’t do it on any predictable scale.

So….. any tips for 802.1x machine auth?

Thanks!

Jason Appah
Systems Administrator
Oregon Institute of Technology
http://www.oit.edu
RE: [WIRELESS-LAN] IDEngines and Autoconnect
Josh Wright and Brad Antoniewicz did a great presentation on the issues with PEAP at Shmoocon last year. His presentation is posted on his website and makes for interesting (and scary) reading.

http://www.willhackforsushi.com/presentations/PEAP_Shmoocon2008_Wright_Antoniewicz.pdf

He also lists the 'correct' way to set up PEAP clients to verify the RADIUS server and its cert (slide 37). The correct way drastically reduces the potential for Man-in-the-Middle attacks. If you decide to create instructions or automatic tools for setting up wireless clients, setting up verification of both the certificate and RADIUS server names is crucial to preventing MitM attacks and maintaining WLAN security.

Just my 2 cents.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Wednesday, March 11, 2009 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IDEngines and Autoconnect

One personal observation... but first I need to agree with Randy. This utility and its ease of use has been very helpful in configuring our 802.1x supplicants, and the ID Engines folks were great to work with. That being said- the latest Mac versions and now Windows 7 (and Ubuntu) seem to be much better at autoconfiguring all on their own- at least for PEAP/MS-CHAPv2. The drawback- they won't get set up correctly for trusting only your Auth servers. But then again, most iPhones and such probably aren't trusting the server cert either. I don't recommend not trusting the cert, but this is one area that is probably wildly inconsistent among and across PEAP/MS-CHAPv2 environments.

Also- the use of the XPressConnect tool requires use of the Windows supplicant- no more Intel ProSet/Broadcom/Toshiba/Linksys, etc wireless utility. These third party utilities are often far more functional than the native Windows wireless clients, but it can be very hard to support a variety of supplicants so you need to be restrictive to just the Windows client for the Cloudpath tool to be effective.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Randall C Grimshaw
Sent: Wednesday, March 11, 2009 12:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IDEngines and Autoconnect

The IdEngines company closed and was in part acquired by ... but the Autoconnect product is also marketed as Cloudpath.net XPressConnect.

And yes, we are also a satisfied customer.

Randy

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Dennis Xu
Sent: Wednesday, March 11, 2009 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] IDEngines and Autoconnect

We have heard much positive feedback about IDEngines and Autoconnect. We are just trying to evaluate this product and I cannot find this company anymore. Is this product completely replaced by XpressConnect? For the folks using this product, do you still get good support? Will you stay with this product or look for other alternatives? Any suggestions are appreciated.

Thanks,

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217
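The server-validation point Stan makes above (and the "trusting only your Auth servers" gap Lee describes), as an added example that is not part of the thread: a weak PEAP profile beside its corrected form, plus a small linter that flags profiles missing either the trusted CA or the expected server name. wpa_supplicant is assumed as the client (the thread's Windows and XpressConnect supplicants expose the same two controls under other names); the option names are real wpa_supplicant keys, while the SSID, CA path and RADIUS name are constructed.

```python
# Added example: lint wpa_supplicant network blocks for PEAP/TTLS server
# validation. wpa_supplicant format is an assumption for this example; the
# SSID, CA path and server name below are constructed, not the thread's.
import re

WEAK_AND_FIXED = """
# weak: no CA and no server name, so any RADIUS server that answers
# terminates the TLS tunnel (the MitM case in the Shmoocon slides)
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="example-password"
    phase2="auth=MSCHAPV2"
}
# corrected: only a certificate chained to the campus CA AND carrying the
# campus RADIUS server name is accepted before the MS-CHAPv2 exchange starts
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="example-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""

# Any one of these pins the expected server identity in wpa_supplicant.
NAME_MATCH_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict per network={...} block; quotes stripped, comment lines ignored."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def lint_server_validation(net):
    """Findings for a tunneled-EAP profile; an empty list means CA and server name are both pinned."""
    findings = []
    if net.get("eap", "").upper() not in ("PEAP", "TTLS"):
        return findings  # no inner password exchange to protect
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(net.get(k) for k in NAME_MATCH_KEYS):
        findings.append("no server name match: any certificate from the trusted CA is accepted")
    return findings


def lint_all(text):
    """Lint every block in a config; one findings list per block, in file order."""
    return [lint_server_validation(n) for n in parse_networks(text)]


if __name__ == "__main__":
    for i, findings in enumerate(lint_all(WEAK_AND_FIXED)):
        print(f"block {i}:", findings or "ok")
```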
RE: [WIRELESS-LAN] Does the Aruba MC-2400 have PoE support on any/all 24 10/100 Ethernet ports?
Frank,

I believe the Aruba 2400 DOES support PoE on the 10/100 ports. This is/was also true of the Aruba 800 and of the 10/100 port cards that plug into their 5000/6000 chassis. I know the 2400 used to when it first came out - I don't think that has changed. Surprising they don't mention it on the current spec sheets.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk
Sent: Monday, December 29, 2008 12:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Does the Aruba MC-2400 have PoE support on any/all 24 10/100 Ethernet ports?

It's not mentioned in the literature, so I'm guessing it doesn't.

Frank
RE: [WIRELESS-LAN] Wireless controllers and Spanning Tree
Here at Emory University, all of our controllers reside at our core router locations and connect using port channel (link aggregation) to the core routers. We explicitly turn off spanning tree on our controllers as there are no opportunities for bridge loops in our architecture.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Brian J David
Sent: Monday, December 15, 2008 1:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless controllers and Spanning Tree

I was wondering what other Aruba schools are doing for spanning tree? Do you use it or not? Aruba uses Mono spanning tree so how does it play in your network environment if you are. If you are a Cisco shop, same as above for you?

Thanks
Brian

Brian J David
Network Systems Engineer
Boston College
RE: [WIRELESS-LAN] Windows Wireless Clients- strange behavior after recent Windows Updates?
Jim,

What version of Aruba code are you running? At Emory, we've experienced similar problems since our move to 3.3.1 code (currently on 3.3.1.15). We've been working with Aruba TAC and have identified a bug - bugid 27234. It relates to MobileIP where a wireless client may not be cleanly removed from the mobility table. Symptoms are strong signal level and 802.1x authentication occurs normally but the user is unsuccessful in getting an IP address (self-assigned or it just keeps trying to reconnect). A user debug shows the user requesting a DHCP IP address, but the mobility process preventing it from being assigned. We've only seen a handful of users affected by this problem. The users are generally only affected in locations homed to one controller, and can connect normally at other locations homed to different controllers.

The good news is that Aruba has a patch for this in 3.3.1.20 code. We are upgrading next weekend to address this problem. There are some workarounds (some drastic) that I'll let Aruba TAC tell you about to temporarily address this.

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: [EMAIL PROTECTED]
GoogleTalk: [EMAIL PROTECTED]

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jim Galiardi
Sent: Monday, November 03, 2008 1:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows Wireless Clients- strange behavior after recent Windows Updates?

Interesting thread. I've only recently been made aware of a similar issue on our WLAN that may have been occurring since the start of fall quarter but took a few weeks to filter through to me from our helpdesk and NOC. This also seems new to us and we've made no configuration changes since winter quarter of last year. In our case DHCP transactions seem to occur normally according to DHCP logs. Requests are being received and ACKs returned. The client seems to be receiving the ACKs as they maintain the same IP address being issued during a release/renew. However, as mentioned in other threads the client cannot ping anything on the network but itself. However, in many of the reports I've received and some of the duplication we've been able to produce, a reset of the NIC or even full reboot of the client does not alleviate the issue. Seems only moving to a different controller alleviates the issue.

What is interesting is most of the recent talk has been focused on Cisco sites, but in our case we are an Aruba shop. The one commonality may be mobility as we also run a large mobility domain. This may be just coincidence, but the symptoms sounded so eerily familiar, I thought I would post our experiences to date. After a significant amount of problem replication and troubleshooting last week, I finally opened a case with Aruba TAC on this which is currently being worked. We'll see what they can come up with.

Regarding the post from Bruce Johnson: When a mobile station roams from an AP joined to one controller, to an AP joined to another controller, the client may suffer a lack of data connectivity for a period as long as the configured user idle timeout. This may also be a commonality. I reduced the configured 'idle timeout' on our controllers to 300 seconds late last week which seems to have stemmed the number of complaints, but it's still too early to say for sure. Also in similar problems we've had in the past, Aruba has a similar workaround to the one Bruce mentions: 'Delete the mobility members from the configuration and re-add them.' Fortunately, though we don't have to re-add them manually, it is still not a very scalable solution for clients stuck out on campus with no connectivity.

___
Jim Galiardi
Network Specialist, Network Systems
UW Technology
University of Washington
(206)616-0397
Box 354150

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman
Sent: Friday, October 31, 2008 11:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Windows Wireless Clients- strange behavior after recent Windows Updates?

It's good to know we have our choice of bugs on this condition :) It's looking very much like the symmetric mobility tunneling that the esteemed gentleman from New Mexico mentioned- set this up on our spare controllers and tested thoroughly, we're looking much better. But we went to this version of code months ago, yet the problem started in the last week- that's the real confusion agent to me.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Johnson, Bruce T
Sent:
RE: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x
Matt,

At Emory, we are handling what we call PWD's - personal wireless devices - including PDAs, game consoles, and other miscellaneous wireless devices using our Guest Access SSID. For students, staff, and faculty devices that don't support our secure 802.1x SSID, but are on campus and have a legitimate need, we use MAC authentication to bypass the guest access captive portal. The user has to bring the device in so that we can verify the type of device and get the MAC address. The MAC address, user's ID, and device type are entered in the RADIUS database. Our Aruba infrastructure then uses that RADIUS server to authenticate our guest access SSID users - a pass will put them into a special PWD role while a fail forces them to use the captive portal for guest access authentication.

We lock down our guest access pretty well - only web/secure web and VPN access is allowed and also bandwidth-limited. The PWD role is slightly more open - we add secure mail and some TiVo/game console access.

We originally added the MAC authentication to handle the flood of iPhones last fall. The TiVos and game consoles, too. This fall with the iPhone 2.0 firmware supporting WPA/2-Enterprise 802.1x, we will have less of those, but probably more game consoles and other devices.

While I'm sure what all the Cisco capabilities are, you should be able to implement something similar to what we've done with our Aruba hardware.

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: [EMAIL PROTECTED]
GoogleTalk: [EMAIL PROTECTED]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jenkins, Matthew
Sent: Thursday, July 24, 2008 5:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

Thanks everyone for your quick responses!

As far as the EAP method goes, we will primarily be using MS AD to authenticate. I figured we would use MS IAS unless there is something better to sit between MS AD. I'll have to check out Jorge's suggestion of using Funk.

We are having a large issue with people wanting to register playstations, pdas, and such on the wireless. Currently we can't do it because our guest network is using the basic Cisco auth page. As far as laptop guests go if we were using 802.1x, we can give out temporary 1-day accounts. However, how is everyone handling PDAs and gaming consoles that do not support 802.1x?

Thanks,
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Peter P Morrissey
Sent: Thu 7/24/2008 4:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

I think the biggest challenge was (and still is to some extent) getting people to use it and not use our Guest access or PDA access. We don't require guests configure 1x and not all PDA's can even do 1x. As a result, sometimes people use the network we provide for that instead of using the 1x network. It required a major publicity campaign to get everyone to make the switch.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jenkins, Matthew
Sent: Thursday, July 24, 2008 4:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

How many others are doing 802.1x in a Cisco LWAPP environment? Have you had success with it, or would you recommend another route for authentication? Currently we are using VPNs over our secure wireless and I am investigating whether we would be ahead to start using 802.1x coupled with WPA.

Any thoughts would be appreciated.

Thanks,
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
RE: [WIRELESS-LAN] NAT in large scale wireless networks
Greg,

Depending on the code version, you can set the logging levels to capture user associations and authentications to a syslog server. The data logged includes the location name/group of the AP the user connected to, the SSID, along with the user's MAC, IP and user ID.

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
AIM/Y!/Twitter: WLANstan  MSN: [EMAIL PROTECTED]  GoogleTalk: [EMAIL PROTECTED]

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Scholz, Greg
Sent: Thursday, July 03, 2008 8:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks

Stan,

Can you tell me what type of location information you get and from what log?

> 802.1x/WPA-Enterprise, so we have usernames and locations in our logs

We are trying to figure out if there is a way to determine what APs users are/have been on, but all we have seen in the RADIUS logs is the controller as the NAS.

Thanks,
Greg
RE: [WIRELESS-LAN] NAT in large scale wireless networks
Mike,

We, too, are an Aruba shop, and have been doing NAT on our academic and ResNet wireless networks for about a year now. Two years ago, we ran out of IP addresses on our wireless network on Move-In Weekend and had to scramble to add additional subnets - a scarce commodity here at Emory. To prevent that from happening last year, we implemented NAT for our wireless clients and now have plenty of address space for our growing user base. We let the Aruba controllers perform the NAT function (very easy to set up - just a firewall rule in the user role in the Aruba config).

We've not had any complaints from users regarding NAT issues; we were concerned that it might break some apps, but no problems have been observed or reported. We've even got our homegrown NAC (NetReg/CAT) working over the wireless, too - NetReg DHCP traffic is not NAT'ed, but all other traffic is. This all works great, thanks to the Aruba capabilities.

The only issue we've had with NAT has been voiced by Philippe - DMCA notices are hard to isolate. Our wired network has some protection in place to identify and reduce peer-to-peer traffic (TippingPoints), so we don't generally get a lot of notices. User tracking and RF location still work well as those are functions of the radio and authentication subsystems. Our academic users log on using 802.1x/WPA-Enterprise, so we have usernames and locations in our logs. Connecting those usernames to the NAT pool IP addresses is the hard part.

I'd be happy to share some basic configuration tips and tricks regarding NAT with you off-list, or on-list if others are interested.

BTW - We've been NAT'ing our guest access users since day one on the Aruba equipment. Guests log in through the captive portal and are given limited access - bandwidth-limited web access and VPN access back to their home organizations.

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
AIM/Y!/Twitter: WLANstan  MSN: [EMAIL PROTECTED]  GoogleTalk: [EMAIL PROTECTED]

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Tuesday, July 01, 2008 9:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAT in large scale wireless networks

Though we currently have enough available routed IP space for our wireless clients, we are looking toward the future and wondering if NAT-ing the wireless network makes sense.

Does anyone have any experiences, good or bad, using NAT for the wireless client pool in a large scale environment? What features go away (i.e. RFID or user tracking, etc.)? Are there any gotchas?

We're an Aruba shop and expect about 3000+ wireless clients this semester and have been adding more APs by the week.

Thanks,
Mike

Michael Dickson  Phone: 413-545-9639
Network Analyst  [EMAIL PROTECTED]
University of Massachusetts Network Systems and Services

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
RE: [WIRELESS-LAN] Using MAC Authentication
Mike,

As others have stated, MAC authentication for full network access is not considered a best practice. With the ease of spoofing MAC addresses, it should be considered a security risk.

That said, at Emory we DO use MAC auth for users to bypass the captive portal for our GUEST network. Our Guest network is severely restricted (bandwidth limited with only web and VPN access). We implemented the MAC auth bypass last fall to accommodate what we call PWDs - Personal Wireless Devices. These are defined as devices that can connect to a wireless network, but can't do strong authentication. Some examples are iPhones, PDAs, dual mode cell phones (cell/Wi-Fi - like T-Mobile), game consoles, TiVos, etc. This was implemented specifically to support iPhones in the dorms where policy dictates no guest access. While this will be a moot point after July 11th (the iPhone is getting an 802.1x supplicant that works very well according to the reports I've heard), other devices still need access. Try telling a dorm resident that they cannot connect their TiVo or game console to the wireless network...

While we've built a web app to enter MAC addresses and associated information (NetID, type of device, etc.), we restrict its use to a very limited number of IT staff. The registration process is manual in that we need to physically see the device to get its MAC and ensure it is a PWD. For Move-In Weekend, the IT staff can register devices in the dorms. During the school year, students must bring their devices to the clean room to get them registered. We had a lot of iPod Touches registered in January - I guess it was a popular Christmas gift.

The PWDs have a very restrictive role on the network, similar to our guest access role. Since we know what the device is and who owns it, we do open some additional ports such as secure mail and TiVo support. We eventually want to put different devices in specific roles; iPhones get different roles from TiVos or game consoles. That enhancement will be completed when I have time - maybe this fall.

Let me know if you have any questions...

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
AIM/Y!/Twitter: WLANstan  MSN: [EMAIL PROTECTED]  GoogleTalk: [EMAIL PROTECTED]

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Tuesday, July 01, 2008 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Using MAC Authentication

We are considering using MAC authentication to allow users to bypass the captive portal web login page to access our wireless network. This is considered sort of a stop-gap measure until 802.1x is fully implemented.

Is anyone maintaining (by harvesting or user-initiated manual entry) a MAC auth table after initial captive portal login so that users can bypass the web login page every time they connect? We are considering a manual opt-in process instead of an auto-harvest, and we would not harvest MAC addresses of folks with guest accounts. Is this generally a good idea? What is the down side of not making users sign in every session?

As an aside, we are considering extending the DHCP lease times and the reauth intervals so that users don't have to log in again if they walk to class from their dorms, etc.

We are an Aruba shop. We currently have an open SSID, no encryption, with captive portal as the only point of authentication. 802.1x rollout expected soon.

As always, thanks for the help!
Mike

Michael Dickson  Phone: 413-545-9639
Network Analyst  [EMAIL PROTECTED]
University of Massachusetts Network Systems and Services
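As an added example (not code from Emory's registration app, nor from Aruba), here is what the registration-and-role side of the MAC-auth bypass Stan describes can look like, together with the one check his spoofing caveat calls for: a registered MAC that holds two sessions at the same time from two different addresses is not one device. The role names, device types, session record fields and sample records are all constructed assumptions.

```python
"""MAC-auth captive-portal bypass: registration list, per-device roles and a
cloned-MAC check.

Added example, not Emory's registration app or Aruba code. The role names,
device types and session records are constructed for illustration.
"""
import re
from dataclasses import dataclass
from itertools import combinations

# Hypothetical roles: a guest-like baseline with a few extra ports per device type.
ROLE_BY_DEVICE = {
    "iphone": "pwd-phone",          # guest access plus secure mail ports
    "pda": "pwd-phone",
    "game-console": "pwd-console",
    "tivo": "pwd-tivo",
}


def normalize_mac(raw):
    """Canonicalise '00-1C-B3-09-85-15', '001c.b309.8515', ... to '00:1c:b3:09:85:15'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError("need 12 hex digits, got %r" % raw)
    mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()
    if int(mac[:2], 16) & 0x01:      # I/G bit: group address, never a station
        raise ValueError("multicast/broadcast address is not a station MAC: %s" % mac)
    return mac


def is_locally_administered(mac):
    """U/L bit of the first octet: the OUI was not vendor-assigned (what spoofing tools set)."""
    return bool(int(mac[:2], 16) & 0x02)


@dataclass
class Registration:
    mac: str
    netid: str
    device_type: str
    registered_by: str   # the IT staff member who physically saw the device


class Registry:
    def __init__(self):
        self._regs = {}

    def register(self, raw_mac, netid, device_type, staff):
        mac = normalize_mac(raw_mac)
        if device_type not in ROLE_BY_DEVICE:
            raise ValueError("unknown device type %r" % device_type)
        if is_locally_administered(mac):
            raise ValueError("locally administered MAC %s; confirm the hardware first" % mac)
        if mac in self._regs:
            raise ValueError("%s is already registered to %s" % (mac, self._regs[mac].netid))
        self._regs[mac] = Registration(mac, netid, device_type, staff)
        return mac

    def role_for(self, raw_mac):
        """Role to apply on MAC auth, or None to fall through to the captive portal."""
        try:
            reg = self._regs.get(normalize_mac(raw_mac))
        except ValueError:
            return None
        return ROLE_BY_DEVICE[reg.device_type] if reg else None

    def owner_of(self, raw_mac):
        reg = self._regs.get(normalize_mac(raw_mac))
        return reg.netid if reg else None


def overlapping_sessions(sessions):
    """Flag MACs that held two sessions at the same time from different IPs.

    sessions: iterable of (mac, ip, start, end) taken from the controller's
    user-session log. One station cannot be two clients at once, so this is
    the cheapest sign that someone else is using a registered address.
    """
    by_mac = {}
    for mac, ip, start, end in sessions:
        by_mac.setdefault(normalize_mac(mac), []).append((start, end, ip))
    flagged = []
    for mac, sess in by_mac.items():
        for (s1, e1, ip1), (s2, e2, ip2) in combinations(sorted(sess), 2):
            if s2 < e1 and ip1 != ip2:       # sorted by start, so overlap <=> s2 < e1
                flagged.append((mac, ip1, ip2, max(s1, s2)))
    return flagged


if __name__ == "__main__":
    from datetime import datetime
    reg = Registry()
    reg.register("00-1C-B3-09-85-15", "jdoe", "iphone", "stan")
    print(reg.role_for("001c.b309.8515"))       # pwd-phone
    print(reg.role_for("00:11:22:33:44:55"))    # None: unregistered, send to captive portal
    t = datetime.fromisoformat
    records = [  # constructed session records; the second one is a clone
        ("00:1c:b3:09:85:15", "10.10.1.5", t("2008-07-01T09:00:00"), t("2008-07-01T11:00:00")),
        ("00:1c:b3:09:85:15", "10.10.7.9", t("2008-07-01T10:30:00"), t("2008-07-01T12:00:00")),
    ]
    print(overlapping_sessions(records))
```

The registry is deliberately the only thing that decides the role: the controller sees a MAC, asks for a role, and gets either a restricted per-device role or nothing, in which case the client lands on the captive portal as before. The overlap check runs over exported session records after the fact; it does not stop a clone, it only tells you which registration to revoke and which NetID to talk to.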
RE: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit
Brandon,

We are using Avaya (SpectraLink/Polycom) handsets for our VoIP over Wi-Fi.

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [EMAIL PROTECTED] On Behalf Of Brandon Pinsky [EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 1:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit

Stan,

Are you using Vocera for VoIP over Wi-Fi?

Thanks,
BJ
RE: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit
Bruce,

We use Aruba for our wireless infrastructure. We are using the Avaya 3641s - .11b/g phones, not a. We use WPA2-PSK for security as the phones don't support 802.1x. Yes, we do use SVP (or in Avaya terms the AVPP) for QoS - but that limits us to a single layer 2 VLAN for our phones. I'd much prefer a SIP-based phone that supports routing of the traffic beyond the phones' subnet. I'm not sure if they support WMM - I don't think so - and not sure about CCKM as we are not a Cisco shop for wireless. We did have some problems when we first moved to the 3641s with roaming - they couldn't make up their mind which AP to stick with. This has been mostly fixed with newer handset code.

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [EMAIL PROTECTED] On Behalf Of Johnson, Bruce T [EMAIL PROTECTED]
Sent: Monday, June 02, 2008 11:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit

Hey Stan,

What's been your experience with the Polycom phones? Are you using the 8000 Series 802.11a phones? Their minimum RSSI spec (-60) seems to be considerably lower than the Cisco 7921G. I'm assuming you are using a Cisco infrastructure (apologies if not). Do these phones truly support CCKM (Cisco Fast Roaming)? They indicate as much but don't support the requisite 802.1x mechanisms (LEAP/EAP-FAST). Can they interoperate with WMM or did you have to enable SVP QoS?

Thanks,
--Bruce Johnson
RE: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit
Well, SVP technically is capable of being routed, but I don't know of any installations that do. It requires that multicast be enabled on the VoIP over Wi-Fi subnets as the handsets find the AVPP (Avaya Voice Priority Processor) using a multicast/broadcast address. The AVPP really doesn't buy you much in a centralized controller-based wireless environment since the controllers do a lot of what the AVPP does (QoS). It's just needed in the Avaya environment...

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [EMAIL PROTECTED] On Behalf Of Johnson, Bruce T [EMAIL PROTECTED]
Sent: Monday, June 02, 2008 12:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit

Appreciate the info. That's interesting about AVPP/SVP not being routable.

Thanks very much Stan.

Bruce Johnson
Network Engineer
Partners Healthcare
617-726-9662
mailto: [EMAIL PROTECTED]
RE: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit
Matt, Lee -

At Emory, we've disabled the 1 and 2 Mbps data rates on our healthcare wireless network for our VoIP over Wi-Fi and electronic medical records SSIDs in 2 of our hospitals. The hospitals are hot environments - lots of APs. Doing so improved the quality of our wireless voice traffic tremendously. It also improved our electronic medical records connectivity as well - less roaming between APs means fewer authentications. We've been running with the disabled data rates since last fall with no problems.

We have not done this (yet) on the academic network, but are looking into it at certain high density locations. The Aruba gear we are running allows doing this on a per SSID and per AP (or per building) basis - very flexible. We haven't done this for our guest network, even in those hot environments.

BTW - for guest authentication, we use a captive portal, but have MAC auth for pre-registered iPhones, gaming devices, and PDAs to bypass the captive portal. Users must bring the device to our clean-room to get the device registered and we only register devices that can't support WPA/WPA2-Enterprise (802.1x).

- Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [EMAIL PROTECTED] On Behalf Of Barber, Matt [EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 8:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit

Hi Lee,

We have been running with the 1 and 2 Mbps data rates disabled for quite some time. The Meru stuff lets us do it by ESS, which actually ended up being very helpful because of one issue I found. We have a separate SSID for devices (iPods, gaming consoles, etc) that is using WEP. I started off having the 1 and 2 data rates disabled on this SSID as well, until I found that the Nintendo Wii and Nintendo DS did not like it. In doing a packet capture over the air, the Wii would just sit there doing probe requests, get probe responses from the APs, but then just keep on probe requesting. It would never try and associate. Turning the low data rates back on for this ESS resolved the issue. I contacted Nintendo about it and they said I may be correct, but said they didn't understand why I would want to turn those data rates off. Those were the only devices I found that had any issue.

In general, I see the same things as you in terms of clients not connecting to distant APs.

Take care,
Matt Barber
Network Analyst / PC Support
Morrisville State College
315-684-6053

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman
Sent: Thursday, May 29, 2008 7:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Disabling 1, 2 Mbps- revisit

I recall someone floating this not too long ago, but can't recall the responses. Being an LWAPP environment (currently) and growing fast in AP numbers and overall density, I'm considering disabling 1 and 2 Mbps data rates globally. I did this in an under-the-radar test for a couple of months on some of our busiest APs with no ill effects noted and what I see as fewer weak clients trying to get on board busy cells. Has anyone else taken this step? Curious in general, and in LWAPP, and if there have been any ill effects noted.

One concern/peeve I have is that in LWAPP it's controller-wide - if there is some compelling reason to change the data rate on just a few APs in one area, you have no choice but to do the same for all APs on the controller.

Thanks-
Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
RE: Using Private IP addresses for wireless users.
Neil, At Emory, we've been NAT'ing wireless users since last fall - ResNet users since before move in weekend, and regular academic users since last fall break. We've not had any issues from the users that have been NAT'ed. By far the more complicated NAT was ResNet as we use NetReg and CAT for network access control and scanning. We end up internally routing the NAT addresses for NetReg - it hands out the DHCP addresses. Once a ResNet client gets an IP address, the NAT function is handled by our Aruba controllers. On the academic side, the controllers themselves handle DHCP for the wireless users along with NAT'ing the traffic. We have 4 class C non-routeable subnets per controller (4 ResNet controllers and 6 Academic controllers). The Aruba gear will load-balance users across those subnets for us. The Aruba gear also NATs the traffic though a pool of (routeable) addresses. IDS is handled by Tipping Points on the (routeable) network, just like any wired device. We don't have any way of easily tying a user/session on the non-routeable subnets to an IP on the routeable network. We can see the session as it happens, but there is not good way to go back through the logs and determine that this user hit a particular IP address on the Internet. To date, we haven't needed to. We originally moved to NAT because of scarce IP resources, and the number of wireless users was increasing at alarming rates. With NAT'ed IP addresses, we can support huge numbers of wireless users and ease some of the pressure on our allocated IP addresses. We felt and still feel that the benefits outweigh the problems with tracking individual users. 
- Stan Brooks - CWNA/CWSP
Emory University Network Communications Division
404.727.0226 [EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [EMAIL PROTECTED] On Behalf Of Johnson, Neil M [EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 9:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Using Private IP addresses for wireless users.

We will be out of address space for one of our wireless nets (currently a /21) in the fall. We do not have a larger block available, and attempts to obtain additional address space by fall are not looking promising, so there is a distinct possibility that we will have to move our wireless users to private address space. So I'm looking for information from other institutions who use private address space for their wireless networks.

We are primarily a Meru shop, although we have about 86 Cisco LWAPP APs in production. We use 802.1X (WPA2 Enterprise) for authentication.

Here are the questions I have:
- How do you implement NAT?
- How do you provide DHCP addresses to your clients?
- How do you handle IDS and Flow data collection?
- What tools and processes do you use to tie a public IP address back to an 802.1X authenticated user?
- What kind of application issues have you run into and how do you handle them?
- Are your end-users satisfied with the service?

Thanks.

-- Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938 M: 319 540-2081
http://www.uiowa.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
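Neil asks how to tie a public IP address back to an 802.1X user, and Stan's reply notes that once traffic is NAT'ed there is no easy way to go back through the logs and do that. The script below is an added example, not code from either institution or from Aruba or NetReg: it shows the three records that have to be retained and time-correlated for that question to be answerable (NAT translation create/delete events at the controller, DHCP leases on the private subnet, and 802.1X session start/stop). The log formats, addresses, MACs and usernames are all constructed for the example; public addresses use the 203.0.113.0/24 documentation range.

```python
"""Answer 'which 802.1X user was behind public IP:port at time T?' by
joining NAT translations, DHCP leases and 802.1X sessions.  Every log
format and line here is constructed for this example (not vendor output)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed 802.1X accounting: one device (MAC) is used by two people
# at different times, so a MAC alone does not name the user.
AUTH_LOG = """\
2008-05-29T09:00:00 auth-start user=jdoe mac=00:11:22:33:44:55
2008-05-29T09:05:00 auth-start user=asmith mac=66:77:88:99:aa:bb
2008-05-29T11:00:00 auth-stop user=jdoe mac=00:11:22:33:44:55
2008-05-29T11:30:00 auth-start user=bwong mac=00:11:22:33:44:55
"""
# Constructed DHCP leases on a non-routable subnet.
DHCP_LOG = """\
2008-05-29T09:00:05 lease mac=00:11:22:33:44:55 ip=10.20.1.15
2008-05-29T09:05:03 lease mac=66:77:88:99:aa:bb ip=10.20.1.16
2008-05-29T11:30:02 lease mac=00:11:22:33:44:55 ip=10.20.1.15
"""
# Constructed NAT translation log; public port 40001 is recycled later.
NAT_LOG = """\
2008-05-29T09:10:00 nat-create src=10.20.1.15:51000 xlate=203.0.113.5:40001
2008-05-29T09:12:00 nat-create src=10.20.1.16:51001 xlate=203.0.113.5:40002
2008-05-29T09:40:00 nat-delete src=10.20.1.15:51000 xlate=203.0.113.5:40001
2008-05-29T11:35:00 nat-create src=10.20.1.15:52000 xlate=203.0.113.5:40001
"""


@dataclass
class Interval:
    start: datetime
    end: Optional[datetime]   # None: still open at the end of the log
    data: dict

    def covers(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


def _fields(line):
    ts, event, *rest = line.split()
    return datetime.fromisoformat(ts), event, dict(f.split("=", 1) for f in rest)


def parse_start_stop(text, start_ev, stop_ev, key):
    """Pair start/stop events that share `key` into closed intervals."""
    open_by_key, sessions = {}, []
    for line in text.splitlines():
        ts, event, kv = _fields(line)
        if event == start_ev:
            iv = Interval(ts, None, kv)
            open_by_key[kv[key]] = iv
            sessions.append(iv)
        elif event == stop_ev:
            iv = open_by_key.pop(kv[key], None)
            if iv is not None:
                iv.end = ts
    return sessions


def parse_leases(text):
    """A lease on an IP ends when the next lease for the same IP begins."""
    leases, last_by_ip = [], {}
    for line in text.splitlines():
        ts, _, kv = _fields(line)
        iv = Interval(ts, None, kv)
        if kv["ip"] in last_by_ip:
            last_by_ip[kv["ip"]].end = ts
        last_by_ip[kv["ip"]] = iv
        leases.append(iv)
    return leases


def _active(intervals, t):
    return next((iv for iv in intervals if iv.covers(t)), None)


NAT = parse_start_stop(NAT_LOG, "nat-create", "nat-delete", "xlate")
LEASES = parse_leases(DHCP_LOG)
AUTH = parse_start_stop(AUTH_LOG, "auth-start", "auth-stop", "mac")


def lookup(public_ip, public_port, when_iso):
    """Public IP:port at a time -> private IP -> MAC -> 802.1X user.
    Returns None when any hop has no record covering that time; that is
    the gap the post describes when translation logs are not kept."""
    when = datetime.fromisoformat(when_iso)
    xlate = f"{public_ip}:{public_port}"
    nat = _active([s for s in NAT if s.data["xlate"] == xlate], when)
    if nat is None:
        return None
    private_ip = nat.data["src"].rsplit(":", 1)[0]
    lease = _active([l for l in LEASES if l.data["ip"] == private_ip], when)
    if lease is None:
        return None
    mac = lease.data["mac"]
    session = _active([a for a in AUTH if a.data["mac"] == mac], when)
    if session is None:
        return None
    return {"user": session.data["user"], "mac": mac, "private_ip": private_ip}
```

The recycled public port in the sample shows why the timestamp, not just the address pair, has to be part of the query, and why the three sources must be on synchronized clocks: the same 203.0.113.5:40001 resolves to jdoe at 09:20 and to bwong at 11:40, and to nothing at all at 10:00.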
RE: [WIRELESS-LAN] Integrating Freeradius and Novell eDirectory
Just a thought - Is the universal password really your RADIUS shared secret and not a user pw?

- Stan Brooks - CWNA/CWSP
Emory University Network Communications Division
404.727.0226 [EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

From: Nathan Hay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 24, 2007 2:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Integrating Freeradius and Novell eDirectory

We've been trying to integrate Freeradius with Novell eDirectory to authenticate our users on our Meru wireless network. We have eDirectory 8.7.3.7 and Freeradius 1.1.0. I've spent much time poring over all the Novell and Freeradius docs on how to do this, but we still get the following error from Freeradius:

rlm_ldap: Error reading Universal Password. Return Code = -1635

I've verified that the Universal Password setup is correct on my test user with the Universal Password utility. Any ideas?

Thanks in advance,
Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu
RE: [WIRELESS-LAN] Cisco vs. Meru article
Kevin -

I would caution against just looking at coverage for your high school deployment. I would also consider your user density. We originally went for coverage over capacity at our Law School deployment a couple of years ago. When the instructors discovered wireless coverage, they had their students all try opening web pages at once - 5 classrooms of about 120 students each that were covered by 4 APs. Needless to say, not all the students were able to get on, much less surf to the web pages. We use a rule of 20-30 maximum users per AP here at Emory; less if we expect any sort of multi-media traffic on the wireless network.

Personally, I definitely see the value of a centralized architecture for as little as 6-10 APs. The centralized systems allow for much easier configuration and management than fat APs, and it will give you a better view into your wireless network.

BTW - Emory is an Aruba shop with about 1525 APs and 21 controllers.

- Stan Brooks - CWNA/CWSP
Emory University Network Communications Division
404.727.0226 [EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

-Original Message-
From: Kevin Whitney [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 14, 2007 2:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article

May be a little off subject, but I would like to post a question out there as it seems there are some happy Meru users here on this forum. Any thoughts or advice on implementing/selecting a wireless system for use in a High School environment? Specifically, would love any feedback on pros/cons of a central controller based system (ie - Meru, Aruba, etc) vs installing fat APs around our building. While our needs are quite simple I am sure, compared to the size of other users who have posted, I can see there is a great deal of knowledge and experience in this area.

Basic site surveys conducted here have indicated we need somewhere around 25 access points to provide coverage throughout our building. Appreciate any input on this subject.

Kevin Whitney
District Technology Coordinator
Cresskill Public Schools
1 Lincoln Drive
Cresskill, NJ 07626
201-541-4162
[EMAIL PROTECTED]
http://www.cresskillboe.k12.nj.us

-Original Message-
From: Dave Molta [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 14, 2007 12:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article

Debbie,

They were Intel 2915 clients. I have some pretty dense spreadsheets covering various permutations of clients and infrastructure if you are interested in seeing raw results. We didn't come away from this with any firm conclusions about what's good and what's bad (I guess we've learned our lesson about pointing the finger too soon!). What was most interesting to us was the fact that there was so much variation, which is something we didn't expect from such a mature standard.

dm

-Original Message-
From: debbie fligor [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 14, 2007 11:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article

On Jun 14, 2007, at 10:24, Dave Molta wrote:

Just to elaborate a bit, the article James sent around was not the original Meru-Cisco feature story but rather a column that reports on results of subsequent testing. In this column, I reported three things. First, Cisco was unsuccessful in getting the Wi-Fi Alliance to rescind Meru's certification. Since WFA certifies interoperability rather than standards compliance, this is not proof that Meru isn't stretching standards a bit, but it still casts a cloud over Cisco's allegations. Second, I reported findings from subsequent tests where we added Aruba to the mix and found that Cisco's performance also cratered when co-located with Aruba gear. Again, that could indicate that Aruba is also somehow playing foul as well (Cisco speculated that they might be using a variation of PCF interframe spacing, though Aruba denied it), but it doesn't look that way to me. Finally, we decided to re-run these interference tests with different mixes of clients, using Atheros, Broadcom, and Intel chipsets. We found significant differences in the performance results. Atheros-based clients performed best.

Something I noticed in the article was that Meru did the worst with Intel chipsets, but which chipset wasn't mentioned. The 3945 Intel microcode bug makes them work very poorly with Meru and causes some problems with other vendors' APs. We've been waiting for an update from Intel, but still don't have it. What Intel has done is ceased to sell that chipset -- this worries me that there won't be a microcode fix, but at least we won't have new equipment coming in with that card. So if the testing was with all 3945 cards, I don't think that accurately indicates Meru doesn't work well with Intel
RE: [WIRELESS-LAN] 'Clustering' and 'failover' in the context of Aruba
John,

Others on the list have responded and given some good answers to your question. Let me add my experience and 2 cents.

At Emory we have 1500 APs running in two Aruba systems - one for the Academic side of the house and one for our Healthcare organization. Needless to say, our Healthcare organization demands high availability :-)

Our architecture is similar on each side - one set of redundant master controllers and multiple local controllers. In the Aruba architecture, the masters' function is to manage overall global issues - configuration, user and AP lists, heat maps, IDS correlation functions, etc. Masters can also support AP connections, like the local controllers. We don't have any APs homing to our master controllers (but we could if we wanted to). Instead, we home APs to local controllers. We also have a dedicated local controller as a back-up, i.e., if any of the local controllers fail, the APs would re-home to the backup. We have one local backup/system, and can withstand ONE controller failure at a time. Initially this is a bit pricey, but as we've expanded, we find that a single backup controller works very well. In the past two years, we've only lost one controller (bad sup card), so our backup controllers are idle virtually all of the time.

BTW - it is EASY (and necessary) to direct an AP or group of APs to specific controllers. In the command line, the syntax (vers 2.5 and below) is:

ap location <location code> lms-ip <specific controller IP address>

You can also set the backup controller using (again, ver 2.5 and below):

ap location <location code> bkplms-ip <backup controller IP address>

There are a number of ways to build redundancy with the Aruba system, with the best way dependent on your situation. The method you mentioned with interleaving APs to different controllers WILL work because of Aruba's mobility/roaming capability. The problem arises if you only have one master and one local. Losing the master will prevent the global functions from happening (heat map, configuration, IDS correlation, etc) and the loss of servicing APs that are homed to it. Losing the local results in loss of ability to service the APs homed to it.

Aruba licenses each controller to support a set number of APs. If you lose a controller, those APs will home where you told them to go, but if that backup doesn't have capacity (based on its licensing) to handle those APs, they are effectively down. That's why we use an N+1 local controller model for our redundancy - a dedicated backup can handle all APs on any active controller - but sits idle most of the time.

I realize that my ramblings on this subject may not be quite clear - so if you need additional explanations, or just want to pick my brain, touch base with me off the list. I've gone over a number of different redundancy scenarios as we've built our network, and may be able to offer some useful advice.

- Stan Brooks - CWNA/CWSP
Emory University Network Communications Division
404.727.0226 [EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

-Original Message-
From: John Rodkey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 22, 2007 7:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 'Clustering' and 'failover' in the context of Aruba

We are currently considering expanding our existing wireless environment to cover additional dorms. By doing so, we will exceed the capacity of our current controller, and can either add an additional controller card or, for a slight incremental cost, add another controller. We planned to add the additional controller, with the idea that the controller would allow redundancy/failover/clustering to happen, so that if one controller were to go down, for instance, the other would take over. We were subsequently told that this was a faulty understanding of the failover function.

So we thought we might be able to try another approach: every other WAP would be controlled by alternating controllers. That way, if controller A, with WAPs 1,3,5,7,9... on it, were to go down, the coverage in any given building would be halved, because controller B, with WAPs 2,4,6,8..., would continue to run. Nope, that is a bad idea, says the contact: each controller will maintain its own heat map and routing info, etc., and as a result there would be nowhere to look for a unified picture of the wireless network.

So I'm confused: what is the exact nature of controller clustering or failover under Aruba? Given somewhere in the neighborhood of 200 APs, how should one configure the controllers?

John
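Stan's point that a backup controller is only a backup if its AP license can absorb the APs that re-home to it is easy to check on paper before buying hardware. The script below is an added example, not Aruba tooling or either poster's code: it takes a table of controllers (licensed capacity, APs homed, configured backup), simulates each single-controller failure, and reports how many APs would be left without a controller. The two designs it compares, John's interleaved pair backing each other up and Stan's N+1 model with a dedicated idle backup, use constructed capacities and AP counts (200 APs split 100/100, each controller licensed for 128). It checks license capacity only; the unified heat map and IDS correlation Stan describes are master-controller functions outside this model.

```python
"""Check whether a controller design survives any single controller
failure.  Names, capacities and AP counts are constructed for this
example; 'capacity' stands in for the per-controller AP license limit."""


def stranded_aps(controllers, failed):
    """APs left with no home when `failed` goes down.

    APs re-home to their configured backup, which can absorb them only
    up to its own licensed capacity minus the APs it already serves.
    No backup (or a backup that is the failed box) strands all of them."""
    aps = controllers[failed]["aps"]
    backup = controllers[failed].get("backup")
    if backup is None or backup == failed or backup not in controllers:
        return aps
    spare = controllers[backup]["capacity"] - controllers[backup]["aps"]
    return max(0, aps - spare)


def single_failure_report(controllers):
    """Map each controller to the APs stranded if it alone fails."""
    return {name: stranded_aps(controllers, name) for name in controllers}


def survives_any_single_failure(controllers):
    return all(n == 0 for n in single_failure_report(controllers).values())


# Constructed design 1: two locals backing each other up (the
# interleaved idea from the question).
INTERLEAVED = {
    "local-A": {"capacity": 128, "aps": 100, "backup": "local-B"},
    "local-B": {"capacity": 128, "aps": 100, "backup": "local-A"},
}

# Constructed design 2: the N+1 model, a dedicated backup licensed to
# carry the largest active controller and otherwise idle.
N_PLUS_ONE = {
    "local-A": {"capacity": 128, "aps": 100, "backup": "backup-1"},
    "local-B": {"capacity": 128, "aps": 100, "backup": "backup-1"},
    "backup-1": {"capacity": 128, "aps": 0, "backup": None},
}

if __name__ == "__main__":
    for label, design in (("interleaved", INTERLEAVED), ("N+1", N_PLUS_ONE)):
        verdict = "OK" if survives_any_single_failure(design) else "APs stranded"
        print(f"{label}: {single_failure_report(design)} -> {verdict}")
```

With these numbers the interleaved pair strands 72 APs on either failure (each survivor has only 28 spare licenses), while the N+1 design strands none; the same check is worth re-running whenever APs are added to a local controller, since growth on the active side silently erodes the backup's margin.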
RE: [WIRELESS-LAN] Transition from open to encrypted
Nathan,

At Emory, we initially had a security/access model that was an open SSID, but required users to initiate a VPN session to encrypt the air link and authenticate the user. We finally retired this model as of the first of the year. We are now using WPA-Enterprise (802.11i/802.1x) for authentication and encryption. We used the following steps to migrate students to the new access method (and our helpdesk/support teams touched a lot of machines to help with the transition):

Fall 2005 - Brought up a second SSID to support WPA; we already had an open SSID for VPN authenticated access and guest access using a captive portal. We added pdf's to the captive portal describing steps to connect using VPN and WPA.

School year 2005-2006 - Held pizza parties and Wireless Wednesdays clinics to assist students to connect using WPA. Started a media campaign (posters/newspaper ads) to publicize the new way of connecting to the wireless network.

Summer of 2006 - Plan for sunsetting VPN access. Turned off VPN & Guest access in dorms & student apartments. Developed automated scripts for our Emory Online CD to assist students in setting up WPA on Windows & Mac machines.

Move-In Weekend 2006 - Held connectivity clinics in each dorm to assist students connecting to our WPA SSID. The support staff touched a lot of machines this weekend and got very good at setting up WPA on student machines quickly. Without VPN access in the dorms, students had to use WPA to get connected wirelessly (or use a wired connection).

Fall 2006 - Sent a series of emails to known VPN access wireless users (culled from authentication logs) informing them that wireless VPN access was going away. VPN usage levels are very low - about what they were during summer break.

January 3rd, 2007 - Turned off wireless VPN access. We received no complaints that users couldn't get on the network.

Over this same period (starting Move-In Weekend 2006), our wireless usage more than doubled - all WPA growth.

We now support two access methods - WPA-Enterprise (EAP-PEAP-MSCHAPv2) and guest access (captive portal authentication, then Web browsing only - bandwidth limited to 500kbps). EAP-PEAP-MSCHAPv2 is supported natively in both Windows & Mac. There is Linux support available as well. We don't officially support other devices (Wii, Tivo, etc.), but are working on defining a secure and supportable method to do so.

Our wireless infrastructure is Aruba, and it handled this transition seamlessly.

- Stan Brooks - CWNA/CWSP
Emory University Network Communications Division
404.727.0226 [EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

From: Nathan Hay [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 9:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Transition from open to encrypted

We've been running our main SSID without encryption to make it easier for students to connect and to make life easier for our help desk. Not surprisingly, we've started to have problems with students sniffing packets and capturing the IM passwords, etc. of other students. Because of this, we are working on a plan to make our main SSID encrypted by the start of next school year.

Does anyone have a recommended scheme for encryption that supports a wide variety of clients? We have Windows, Mac, Linux, Nintendo Wii, and many different types of handheld devices on campus. Our wireless network is Meru. We don't have any 802.1x experience, but we are willing to learn if that is where we need to head. We'd like a scheme that makes it as easy for the client to connect as possible, but still provides a good level of security.

Any thoughts or suggestions would be appreciated,
Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu
RE: [WIRELESS-LAN] LWAPP [was: [WIRELESS-LAN] Upgrade 1200 to lwapp]
Simon,

While I can't speak definitively about the Cisco solution, I can tell you about Emory's Aruba installation. The Aruba and Cisco architectures are similar (but with some significant differences). We now have over 1400 APs and 21 controllers - all Aruba.

I'm a big proponent of the centralized architecture of Aruba or Cisco (or others in the marketspace) for any wireless installation of over a handful of APs because of the benefits it provides over thick APs. These benefits fall roughly into 3 categories: management, security, and user experience. Here are just some examples in each category -

Management: I can see and manage the entire system on one console. I can tell if an AP is up or down, how many users are on it, etc. I can also upgrade firmware for all APs and controllers in under 2 hours, with limited interruptions to users during the upgrade. Deploying APs is as simple as setting the location code and connecting it to the network - the AP gets its address via DHCP, looks up its controller via DNS, and connects to its controller to get its configuration. I can add or delete SSIDs or change configuration on as many or few of the APs as needs dictate in less than a minute. New SSID on all APs? - done - no problem! One wireless infrastructure can support many different wireless networks (guest, voice, etc).

Security: Since all wireless traffic is tunneled back to the controller (Aruba/Cisco - Trapeze is different), I can apply ACLs or firewall rules for wireless at the controller. With Aruba, I can apply different firewall rule sets based on authentication (device, user, etc). I can build a very secure wireless infrastructure that is easily adaptable to whatever security needs we have on our various wireless networks. The wireless network is now more secure than the wired network because of the role-based access control that can be applied to users.

User Experience: Two words - Ubiquitous roaming. Users can roam across campus and not lose connectivity (assuming wireless coverage exists). The controllers take care of the mobile IP stuff without the need to load a mobile IP client on the users' computer. With Aruba, I can even load-balance users across subnets (we use class C subnets - 24 of them - for all of our wireless users). A user gets an IP address and keeps it for as long as they are active - no matter where they roam across campus. I can easily scale the system, too - adding subnets as needed quickly at the controller, as opposed to adding subnets in the buildings where the APs are. We needed to do this during our Move-in weekend last year when our wireless usage grew to over double what we saw the previous spring.

Without the centralized architecture, there is no way Emory's wireless network could have grown to its current size and still be manageable. There is A LOT of value in the centralized architecture.

- Stan Brooks - CWNA/CWSP
Emory University Network Communications Division
404.727.0226 [EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]

-Original Message-
From: Simon Kissler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 28, 2007 2:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] LWAPP [was: [WIRELESS-LAN] Upgrade 1200 to lwapp]

Okay, so I've been trying to figure this out and figured I may as well ask. Where is the cost benefit of using the controllers and LWAPPs? The controllers aren't cheap and the APs don't get cheaper even though they are light? I assume there are some management benefits in this kind of solution, but have you found them to be worth the money? Are there other benefits that aren't as obvious to me that are?

I like the idea of making management easier and, just like any technologist, like shiny new toys, but in the context of overall funding priorities with aging network equipment in places and other challenges I find it hard to justify, since our APs mostly just work and require little touching beyond initial config and occasional firmware upgrades. What about this am I missing?

-Simon