Re: [WIRELESS-LAN] InCommon certificate trust chain issues with upgraded Windows Systems

2019-09-16 Thread Cappalli, Tim (Aruba Security)
An EAP server certificate from a PKI in your control is always the recommended 
path. A public CA-signed EAP server certificate should be a last resort.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "McClintic, Thomas" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, September 16, 2019 at 9:49 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] InCommon certificate trust chain issues with 
upgraded Windows Systems

Thank you for this information. We are planning to change our certificate and 
path in the coming months and were not aware of these issues. Can you please 
keep us informed on your progress? I’m also interested in whether the private PKI 
is the preferred method. Hopefully we will be off PEAP and on EAP-TLS by late 2020.

Thanks

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Johnson, Neil M
Sent: Saturday, September 14, 2019 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] InCommon certificate trust chain issues with upgraded 
Windows Systems


This problem has been vexing us for a few weeks, so I’d thought I’d pass along 
my message to Microsoft and Sectigo in case others run into the same issue.

Thanks.

-Neil

The authentication has been temporarily resolved, BUT only temporarily.

The cause of the problem involved many factors:

First, the server certificate issued by Sectigo uses cross-signed 
certificates:
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N00rgSZ

This means that there are two trust chain paths that can be used to validate 
the server certificate:
(see diagram at 
https://docs.google.com/drawings/d/1P6_ZbsbOMeRJEYwX__s9gJWC5IXgnr7LDUrc7ys8oDs/edit?usp=sharing
 )
Second, since the AddTrust Root CA certificate used in Path #1 expires May 30th 
of 2020, I had the RADIUS server (Aruba ClearPass) configured to send the 
server and intermediate cert for Path #2. This worked for the majority of 
systems on campus.

Third, however, some customers upgrading from previous versions of Windows (7, 
8, and Windows 10 versions prior to 1809) began having authentication issues 
because of this. It appears that these Windows systems are unable to validate the 
certificate chain in Path #2. This was confirmed by system traces and packet 
captures between the client and the RADIUS server.

Temporary solution: I reconfigured the RADIUS server to send the server and 
intermediate certs for Path #1. This seems to have resolved the issue for the 
majority of our customers.

The long-term problem: the AddTrust Root CA certificate expires May 30th, 2020. 
Customers' systems will then have to validate the server certificate using Path #2. 
My concern is that this will break certificate validation (and thus wireless 
authentication) for many of our customers after the AddTrust Root CA 
certificate expires.

Action Items:

  *   Microsoft & Sectigo – need to find out what is preventing upgraded 
Windows systems from validating the server certificate via Path #2.
  *   The University of Iowa – needs to develop a risk mitigation plan prior to 
May 30th, 2020 (including the possibility of moving to a private PKI over 
winter break).

I’m happy to help collect additional information required to troubleshoot this 
issue.

Thanks for everyone’s efforts in troubleshooting this issue. If you have any 
questions please feel free to contact me.
-Neil


Neil Johnson
Network Engineer
The University of Iowa
+1 319 384-0938


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
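The two trust paths Neil describes above, as an added example (not code from the thread, from Sectigo, Microsoft or Aruba): a small path-building model in Python that shows which chain a client can assemble from the certificates the RADIUS server sends plus the client's own trust store, before and after the AddTrust root expires. The names AddTrust External CA Root and USERTrust RSA Certification Authority and the 2020-05-30 expiry come from the thread; the intermediate name, the server name, the other dates, the key identifiers and the two trust stores are constructed for the example, and no real signatures are checked.

```python
"""Chain-path evaluation for a cross-signed EAP server certificate.

Added example; not code from the mailing-list thread, Sectigo, Microsoft or
Aruba.  It models the situation Neil describes: one RADIUS server certificate
that can chain to a trust anchor two ways (Path #1 through the AddTrust
External CA Root, expiring 2020-05-30 per the thread; Path #2 through the
self-signed USERTrust RSA root).  No real keys or signatures are used; the
key_id / authority_key_id fields stand in for signature verification.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str            # identifies the public key this certificate carries
    authority_key_id: str  # identifies the key that signed it
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.authority_key_id


# Constructed PKI.  The AddTrust expiry is from the thread; the other dates,
# the intermediate's name and the server name are assumptions for the example.
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                     "k-addtrust", "k-addtrust", date(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority",
                      "k-usertrust", "k-usertrust", date(2038, 1, 18))
# Cross-signed copy of the USERTrust CA: same key, but issued by AddTrust,
# so it cannot outlive its issuer.
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority",
                       "AddTrust External CA Root",
                       "k-usertrust", "k-addtrust", date(2020, 5, 30))
SECTIGO_INT = Cert("Sectigo RSA Server CA (hypothetical)",
                   "USERTrust RSA Certification Authority",
                   "k-sectigo", "k-usertrust", date(2030, 12, 31))
RADIUS_CERT = Cert("radius.example.edu", "Sectigo RSA Server CA (hypothetical)",
                   "k-radius", "k-sectigo", date(2021, 1, 1))

# What the RADIUS server sends alongside its own certificate in each configuration
PATH1_CHAIN = [SECTIGO_INT, USERTRUST_CROSS]   # Path #1: terminate at AddTrust
PATH2_CHAIN = [SECTIGO_INT]                    # Path #2: terminate at USERTrust root

# Client trust stores (constructed): a legacy store that only knows AddTrust,
# and a current store that also carries the USERTrust self-signed root.
LEGACY_STORE = frozenset({ADDTRUST_ROOT})
CURRENT_STORE = frozenset({ADDTRUST_ROOT, USERTRUST_ROOT})

BEFORE_EXPIRY = date(2019, 9, 14)   # date of Neil's message
AFTER_EXPIRY = date(2020, 6, 1)     # just after the AddTrust root expires


def build_paths(leaf, sent_chain, trust_store, when):
    """Return every path from `leaf` to a trusted self-signed root, as a list of
    subject-name lists, using only certificates still valid on `when`.
    Candidate issuers come from the chain the server sent plus the client's
    trust store, matched on issuer name and signing key."""
    paths = []

    def walk(cert, path, seen):
        if cert.not_after < when:
            return                      # expired link: this branch dies
        path = path + [cert.subject]
        if cert in trust_store and cert.self_signed:
            paths.append(path)          # reached a trust anchor
            return
        for cand in list(sent_chain) + sorted(trust_store, key=lambda c: c.subject):
            if (cand.subject == cert.issuer
                    and cand.key_id == cert.authority_key_id
                    and cand not in seen):
                walk(cand, path, seen | {cand})

    walk(leaf, [], frozenset({leaf}))
    return paths


def evaluate(store, sent_chain, when):
    """Paths the constructed RADIUS certificate can build for one client setup."""
    return build_paths(RADIUS_CERT, sent_chain, store, when)


if __name__ == "__main__":
    for label, when in (("before AddTrust expiry", BEFORE_EXPIRY),
                        ("after AddTrust expiry", AFTER_EXPIRY)):
        print(f"== {label} ({when}) ==")
        for store_name, store in (("legacy store", LEGACY_STORE),
                                  ("current store", CURRENT_STORE)):
            for chain_name, chain in (("Path #1 chain", PATH1_CHAIN),
                                      ("Path #2 chain", PATH2_CHAIN)):
                found = evaluate(store, chain, when)
                print(f"  {store_name:13} + {chain_name}: {len(found)} valid path(s)  "
                      + "; ".join(" -> ".join(p) for p in found))
```

Running it prints, for each store, chain and date, how many paths the client can build. The model only shows what a given trust store permits: a store without the USERTrust self-signed root can build nothing from the Path #2 chain at any date, and nothing at all once the AddTrust root has expired. The thread leaves open why upgraded Windows clients fail on Path #2, and a real validator also checks signatures, name constraints and key usage, and may fetch missing issuers via AIA, none of which is modelled here.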



Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Cappalli, Tim (Aruba Security)
Just a clarification. Android 10 generates a MAC address per ESSID for the 
lifetime of the OS instance. It does not change daily.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Felix Windt 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, September 13, 2019 at 8:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’d pay a fair price for an easily administered solution that lets us roll out 
PPSK in the dorms and deploy broadcast/multicast domains scoped to specific 
users.

We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed. That SSID bridges through to VLANs in a DMZ, and 
its only real restriction is that it can only reach proper public IP addresses 
on campus, plus 2-3 applications on private IPs that are specifically 
permitted. That’s enforced on the firewalls between campus and the DMZ.
We do see quite a lot of students on that SSID permanently. As a huge amount of 
our student applications are either cloud hosted or available on the public 
Internet, that works just fine for them. We’d prefer them on eduroam, but user 
experience trumps our preferences. The only real problems are devices such as 
Sonos sound bars, Google appliances, and other devices that will only support 
PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll 
care about where devices are. At that point it seems not just more user 
friendly but easier for IT overall to just throw reasonable security in front 
of web apps that the student and faculty population need to access, and let 
them sit on the SSID that’s easier to get on to. Administrative machines under 
central control would probably be kept on properly authenticated networks, but 
those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,

Felix Windt
Dartmouth College

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Rumford, Charles" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, September 12, 2019 at 2:26 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I agree that complicated onboarding is the worst from the end user perspective 
and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. 
The biggest hurdle I ran into with it was the randomization of MAC addresses 
per device. I've been told Android 10 has it on by default, and I know that 
Windows supports it also. I could only see support issues coming down 
the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)

From: "Enfield, Chuck" 
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Thursday, September 12, 2019 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike 
any other wireless experience an individual will encounter in their life, i.e. 
any other wifi-enabled location/venue.
With the growing trend of EDUs moving to SaaS and other Cloud solutions, 
wireless will be nothing but a gateway to those external services. When it’s 
easier to consume those services via one’s own unlimited-data cellular 
connection, or go to Starbucks, it may be time for us (EDUs) to reevaluate our 
approach.

Besides a purely open network, the next-best (same?) experience to home would 
be something like PPSK or for the Cisco folks IPSK. You get something slightly 
better than an open network, but it’s PSK and all of those wonderful IoT 
devices just work. My crystal ball wish is to have that PPSK/IPSK solution then 
group that user’s devices into a private virtual home network, providing 
something that approaches their home experience.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Kurtis Olsen 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, September 12, 2019 at 9:27 AM
To: 

Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-07 Thread Cappalli, Tim (Aruba Security)
PEAP is not standardized and was not designed to be used outside a Windows 
AD-joined, GPO controlled environment. 

I'm hoping Google's changes (very welcome IMO) and continued restrictions on 
Apple platforms will steer people away from legacy, deprecated protocols/EAP 
methods.

tim


On 8/7/18, 3:25 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Norman Elton"  wrote:

We've got an encrypted network with the classic PEAP + MSCHAPv2 combo,
allowing users to connect with their domain credentials. We've shied
away from onboarding tools like SecureW2, especially for student
devices, as they seem more cumbersome than just having the user
configure the connection properly the first time.

Preparing for the fall, we've noticed that recent versions of Android
make the process a little more cumbersome. It appears that 8.1 & 9.0
allow the user to validate the certificate by domain, which is great,
although the steps to get this set up are far from intuitive.

8.0 doesn't give that option, instead displaying a scary warning,
"This connection will not be secure". The user is forced to go ahead
with "do not validate certificate", leaving them open to leak their
credentials to a rogue AP. Far from ideal.

Theoretically, we could ask the user to trust the CA certificate in
advance, and (hopefully) the warning message would go away. But I
haven't gotten this to work.

Is there a general consensus that these devices are better served with
an onboarding tool that can accommodate the various flavors of
Android? Or is there a recipe for a user to set up 802.1x securely
(with some sort of certificate validation) on Android devices pre-8.1?

Thanks,

Norman Elton

**
Participation and subscription information for this EDUCAUSE Constituent 
Group discussion list can be found at http://www.educause.edu/discuss.






Re: [WIRELESS-LAN] Issues with Windows 10

2018-07-31 Thread Cappalli, Tim (Aruba Security)
“Not Trusted” is always shown on iOS if the supplicant is not configured. It 
has nothing to do with public root trust.

macOS has split EAP trust vs system trusted CAs when displaying the prompt.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Hunter Fuller 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Tuesday, July 31, 2018 at 8:50 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Issues with Windows 10

Because Macs and iPhones allow you to manually verify the certificate hash, 
which is easier and equally secure to a supplicant utility, so we also support 
that avenue for configuration. However, if you don't have a public-CA-signed 
certificate, they display the words "Not Trusted" in red bold letters during 
the certificate verification process.
On Tue, Jul 31, 2018 at 5:30 PM Cappalli, Tim (Aruba Security) <t...@hpe.com> wrote:
Just curious, for those running a supplicant configuration utility, why are you 
using a public CA-signed EAP server certificate?


On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Charles Rumford" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
charl...@isc.upenn.edu> wrote:

On 07/31/2018 04:18 PM, Michael Dickson wrote:
> Hi Charles,
>
>
> What do you mean by "we ended up configuring all of the intermediate certs"?
> Do you mean you are now pushing all certs down to the client during the
> JoinNow process?

Yes. We ended up, just for Windows, pushing all of the certs down to the 
clients. It was the only way we could get the profile to work.

>
>
> We are also running EAP-TTLS/PAP with JoinNow with a cross-signed double
> intermediate cert. I haven't heard of any issues yet but want to get in
> front of any that might crop up.
>
>
> Thanks,
> Mike
>
> Michael Dickson
> Network Engineer
> Information Technology
> University of Massachusetts Amherst
> 413-545-9639
> michael.dick...@umass.edu
> PGP: 0x16777D39
>
>
>
> 

> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Charles Rumford
> <charl...@isc.upenn.edu>
> *Sent:* Tuesday, July 31, 2018 12:24 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Issues with Windows 10
>
> On 07/30/2018 01:09 PM, Turner, Ryan H wrote:
>> From SecureW2:
>>
>> The issue is noticed when the RADIUS server cert is signed by AddTrust
>> External CA Root (Cross signed by USERTrust RSA Certification Authority) and
>> with the recent windows 10 update. We are looking into this and should be
>> able to provide you an update.
>>
>
> We ended up configuring all of the intermediate certs, and it solved the
> problem.
>
>
> --
> Charles Rumford
> Senior Network Engineer
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0x173F5F3A (2018/07/05)
>
>
>


--
Charles Rumford
Senior Network Engineer
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0x173F5F3A (2018/07/05)


--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure



Re: [WIRELESS-LAN] Issues with Windows 10

2018-07-31 Thread Cappalli, Tim (Aruba Security)
Just curious, for those running a supplicant configuration utility, why are you 
using a public CA-signed EAP server certificate?



Re: [WIRELESS-LAN] Aruba Clearpass Guest Portal

2018-06-04 Thread Cappalli, Tim (Aruba Security)
Feel free to unicast me any questions as well.

tim

 
TIM CAPPALLI | Aruba Security

On 6/4/18, 3:46 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Kenny, Eric"  wrote:

Hi Patrick,

We are using the guest portal for self-registered and sponsored guest 
access.   What part did you need help with?
--- 
Eric Kenny
Network Architect
Harvard University IT
---

> On Jun 4, 2018, at 9:39 AM, Patrick Mauretti wrote:
> 
> Hello,
>  
> Is anyone out there well versed with Clearpass?  In particular, using it
> for their wireless Guest Portal?  If you have a few minutes for a question or
> two, or could share the relevant configuration you have for it, I’d very much
> appreciate it.
>  
> Thank you in advance,
> Patrick
>  
> Patrick Mauretti
> Sr. Network Admin
> Massasoit Community College
> 1 Massasoit Blvd
> Brockton, MA 02302
> 508-588-9100 x1660
> “On the internet, nobody knows you’re a dog.”
>  
>  

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-04 Thread Cappalli, Tim (Aruba Security)
Hector,

Something definitely seems amiss then. I’ll take a look at the case.

A maximum of 1 access license is consumed per MAC address, regardless of 
multiple sessions or lack of accounting stop.

Thanks for the followup.
tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Hector J Rios 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, April 4, 2018 at 12:49 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Update on my previous statement. We talked to Aruba and they saw our licensing 
count. It appears that the higher numbers we are seeing might be due to a bug. 
We do have accounting enabled everywhere. So not sure exactly what else could 
be causing this. We’ll be working with TAC and hopefully get this resolved. Our 
license count today showed 102K. We are only licensed for 75K and in the past 
we never exceeded 60K.

Hector


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, April 04, 2018 10:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

You should look into pfSense.  It is extremely powerful and open source.  You 
can pay for commercial support.

Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Lee H Badman
Sent: Tuesday, April 3, 2018 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

This is a hot-button topic for me. The whole guest access thing has gotten 
ridiculously complex in the main players trying to funnel this through a 
behemoth NAC (same could be said for simple RADIUS) or through some other 
convoluted framework. Bluesocket (now Adtran) had a good thing going with a 
gateway that was simple to set up and use on any vendor’s WLAN. They too 
evolved into something chunky and complex. I’d love to see Adtran dust off the 
old code, make it just a wee bit updated on browser friendliness, and 
re-productize it as a cost-effective 3rd party guest solution. The rest of the 
industry has blown it in this regard, says I.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Trinklein, Jason R
Sent: Monday, April 02, 2018 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009
From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Hector J Rios
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. 

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Cappalli, Tim (Aruba Security)
The UI lockout mechanism was removed in 6.7. Instead a warning will be 
displayed in the web user interface as well as over syslog and SNMP when you 
exceed licensing.

We’ve really tried to make the new licensing as flexible as possible for our 
customers.

This is a good reference: ClearPass 6.7 Scaling & Ordering Guide 
<https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=29193>

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, April 3, 2018 at 11:10 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Authentication might not stop, but what about access to the UI or the ability 
to make config changes?

-H

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Tuesday, April 03, 2018 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Hector,

During a roam event where a new session is created, a stop should also be 
generated by the NAD, so this should be a non-issue.

Also, as of 6.7.2, TACACS+ does not directly consume any access licenses (as 
long as you have at least 100 access licenses installed, TACACS+ usage is 
unlimited).

I should also add that all licensing ‘violations’ in ClearPass are UI / trap 
warning only. Authentication will never stop.

Tim


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, April 3, 2018 at 10:02 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Ian,

6.7 introduced a new licensing scheme which is based on concurrent users, and 
it encompasses both guests, mac-auth, TACACS, etc. This means that each user or 
device will consume an Access License during an active session. This is the 
Access license. The part that really sucks is the way sessions are treated. 
Basically, if a session end is not identified, the license that is being used 
is not freed until after a period of 24 hours. In wireless environments, it is 
normal for devices to roam, turn off and on continuously, and thus establish 
multiple sessions. So, for every device that authenticates to your network, it 
will be very likely that you will see multiple active sessions, thus consuming 
more licenses than you would have planned for.

All of these new “features” were not part of the previous licensing scheme.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Monday, April 02, 2018 5:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason,
That price *was* real, many years ago.
I got a pair of 5000 user licenses for ~15k, last year.
Word of caution: I have seen some vendors that say they sell Cisco and Aruba 
products "forget" discounting on Aruba.
Shop around; that is not necessarily accurate.
Having said that, quantity of users and features were not mentioned. 50k or 
more users and all the features enabled, I cannot speak to that.
Hector,
I have had ClearPass, on and off, for 6 years... it has always been concurrent 
users... yes to a rolling average, but not an immediate cut off if you exceed 
once or twice.
Can you elaborate?



From: Trinklein, Jason R
Sent: Monday, April 2, 17:48
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
To: wireless-lan@listserv.educause.edu


We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trin

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Cappalli, Tim (Aruba Security)
Hector,

During a roam event where a new session is created, a stop should also be 
generated by the NAD, so this should be a non-issue.

Also, as of 6.7.2, TACACS+ does not directly consume any access licenses (as 
long as you have at least 100 access licenses installed, TACACS+ usage is 
unlimited).

I should also add that all licensing ‘violations’ in ClearPass are UI / trap 
warning only. Authentication will never stop.

Tim


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Hector J Rios 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Tuesday, April 3, 2018 at 10:02 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Ian,

6.7 introduced a new licensing scheme which is based on concurrent users, and 
it encompasses both guests, mac-auth, TACACS, etc. This means that each user or 
device will consume an Access License during an active session. This is the 
Access license. The part that really sucks is the way sessions are treated. 
Basically, if a session end is not identified, the license that is being used 
is not freed until after a period of 24 hours. In wireless environments, it is 
normal for devices to roam, turn off and on continuously, and thus establish 
multiple sessions. So, for every device that authenticates to your network, it 
will be very likely that you will see multiple active sessions, thus consuming 
more licenses than you would have planned for.

All of these new “features” were not part of the previous licensing scheme.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Monday, April 02, 2018 5:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason,
That price *was* real, many years ago.
I got a pair of 5000 user licenses for ~15k, last year.
Word of caution: I have seen some vendors that say they sell Cisco and Aruba 
products "forget" discounting on Aruba.
Shop around; that is not necessarily accurate.
Having said that, quantity of users and features were not mentioned. 50k or 
more users and all the features enabled, I cannot speak to that.
Hector,
I have had ClearPass, on and off, for 6 years... it has always been concurrent 
users... yes to a rolling average, but not an immediate cut off if you exceed 
once or twice.
Can you elaborate?



From: Trinklein, Jason R
Sent: Monday, April 2, 17:48
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
To: 
wireless-lan@listserv.educause.edu


We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> 
on behalf of Hector J Rios >
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>
Date: Monday, April 2, 2018 at 5:23 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 

Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

2018-02-09 Thread Cappalli, Tim (Aruba Security)
Kind of makes sense though doesn’t it? Why would you want to allow a device 
unique private key to be used without requiring a device unlock?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Turner, Ryan H" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Friday, February 9, 2018 at 10:01 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

For TLS, Android requires a screen lock, and if you remove it post, it breaks 
the certificate store.  That issue isn’t a bug, but another design decision by 
Google (to make TLS more difficult to use when it isn’t that way with almost 
every other operating system).

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, February 9, 2018 8:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

I know there was a bug corrected in SecureW2 802.1X onboarding where they were 
requiring a screen lock for Android when using PEAP-MSCHAPv2. They corrected 
the issue in a later release.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Mike Atkins [mailto:matk...@nd.edu]
Sent: Thursday, February 8, 2018 5:26 PM
Subject: Re: Amazon Fire Tablet Line - 802.1x Support Dropped?

I have seen dot1x issues with Android tablets that do not have the lock enabled 
or have it removed after Wi-Fi is configured and working. I know our onboard 
utility notifies the user that Screen Lock/Pin is required. Does the 802.1x 
option show up if screen lock is enabled?

Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Johnson, Christopher
Sent: Wednesday, February 07, 2018 10:49 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

Good Morning,

I was curious if anyone had any of the newer Amazon Fire tablets and could 
confirm something for me? Our support center contacted me regarding an issue 
with connecting to our secure network (they were only able to see our “open 
network”), which matches with our experience that some newer devices will not 
even display networks they are unable to connect to, such as WPA2 Enterprise. I 
had suggested that they attempt to manually create the profile and was 
disappointed when they confirmed that “802.1x” was no longer an option on the 
list of security types.

That’s unfortunate: their earlier generations had support, and it appears to 
have been removed. It’s been a few years since I’ve seen one, so I have no idea 
in which generation this occurred (Fire 7 is their 7th generation). I just know 
the 1st and 2nd generation could connect, since I got to be the one to figure 
it out all those years ago.

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook and 
Twitter





Re: [WIRELESS-LAN] Wall plate AP and Coax line sharing box

2018-01-24 Thread Cappalli, Tim (Aruba Security)
For the Aruba AP-303H, there is now a bracket that allows for two keystone 
pass-through connectors on the bottom.

AP-303H-MNTW (JY688A)
 

On 1/23/18, 4:12 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Richard Nedwich"  wrote:

Hi Alan,

I am not certain if this would fit the bill, but in case it helps please 
see this link to the Ruckus C110 wall plate AP with a built-in DOCSIS cable 
modem.  Coax in, dual Ethernet ports out, plus 2x2:2 802.11ac Wave 2 Wi-Fi.  
Note: you will need a CMTS in the building.

https://s3.amazonaws.com/ruckus-www/pdf/solution-briefs/sb-docsis-c110.pdf 

Designed for hospitality and multi-dwelling units such as residence halls.

Hope that helps,
Rich




Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-10-31 Thread Cappalli, Tim (Aruba Security)
Just curious. Why aren't you using the same EAP server certificate across all 
of your RADIUS servers?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Linchuan Yang 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Tuesday, October 31, 2017 at 10:28 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Dear All

Good morning. All of our iOS users started having authentication problems after 
upgrading to iOS 11. The devices keep asking for the user name and password. 
The only way we can fix it for now is to “forget” the old profile and manually 
create a new one; after trusting the certificate, the iOS 11 devices can 
connect to the wireless network. However, we have more than three RADIUS 
servers, so if the clients go to other buildings, they have to do this again. 
In some cases, the clients have to repeat the procedure every morning when they 
come back to the office.

We noticed some related discussion on the Cisco and Apple Communities, but 
there is not any solution for it. Do you have the same problem on your 
wireless network? Could you please give us some suggestions?

Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
MEng, ACMP
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664




Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

2017-09-27 Thread Cappalli, Tim (Aruba Security)
What are you using for an AAA solution? ClearPass fully supports per-device PSK 
with Cisco WLCs with full self-registration.

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Jason Cook 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, September 27, 2017 at 9:00 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We currently set up dedicated PSKs for everything, but that’s such a pain, so 
we are currently going through the process of something new. As a short term 
measure to improve things (since at times we end up with 5 additional PSKs and 
Cisco’s SSID assignment is a bit crappy) we have a single PSK that rolls over 
once a week, and our service desk hands out the PSK upon request.

We are currently building a registered guest environment in Cloudpath; it’s not 
set in stone yet but…. Short term visitors will likely connect to an open 
network with MAC registration, while longer term visitors will get a 
certificate and use our primary SSID with WPA2-Enterprise. We’ll enable various 
groups like service desk and event organisers to be sponsors to create the 
codes to register with, and get users to identify themselves via txt, email or 
external auth like Google/Facebook/LinkedIn.

Dedicated PSKs will be allowed under certain circumstances.

We would ideally migrate the MAC rego to IPSK “when” it’s ready for such an 
implementation.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trinklein, Jason R
Sent: Thursday, 28 September 2017 7:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We used to set up custom SSIDs for conferences and special events on a subset 
of our APs with PSKs, and the traffic ended up on a dedicated VLAN with 
internet-only access. It was cumbersome and made our APs unstable with the 
frequent configuration changes. We switched to creating a special OU/group in 
AD for housing temporary self-expiring accounts for use by these events. Then, 
we hand these credentials over to the event organizer, and the attendees log 
into our normal secure college wireless SSID with WPA2-Enterprise. Our 
FreeRADIUS server detects the user’s OU/group as being a guest account, and 
sets the internet-only guest VLAN dynamically.

Same functionality, better security, easier to process, and now we’re in a 
position to hand off these requests to our IAM team instead of processing them 
in our wireless or network groups.

We are also in the process of switching to Packetfence for managing our guest 
wireless SSID, which should alleviate some of the demand for these custom 
accounts since we’ll be able to lift some of our guest network restrictions.

-- 
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of James Helzerman 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, September 27, 2017 at 4:58 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

We have a guest ssid with a click to accept use agreement that works for most 
conferences we have. On occasion we will need to create a unique PSK for a one 
time event but that is maybe once or twice a year and usually centered around 
technology and accessing specific resources either on campus or through ports 
we normally restrict on the guest network.

IMO a guest network that is well designed and implemented should be able to 
accommodate 95+% of the conferences or events.

-Jimmy

-- 
James Helzerman
Wireless Network Engineer
University of Michigan - ITS

On Wed, Sep 27, 2017 at 8:34 AM, Michael Davis  wrote:

We currently do something similar to Bruce. Normal self-registration and 
sponsored registration using ClearPass Guest, but large and/or multi-day events 
can get a PSK SSID assigned if given ample time and planning.

On 9/27/17 8:07 AM, Osborne, Bruce W (Network Operations) wrote:

Our process is not ideal.

Where possible, we try to avoid setting up special SSIDs. Our normal Guest SSID 
allows for self registration for bandwidth-restricted Internet access or 
sponsored registration for faster Internet access.

We utilize our 

Re: [WIRELESS-LAN] UT Austin Biennial Network Report

2017-09-27 Thread Cappalli, Tim (Aruba Security)
William – Very interested in this:

>> The wireless “eduroam” service is not available at the university, or for 
>> university members at other institutions. Current interpretation of the laws 
>> and policies surrounding use of state resources is that eduroam use is 
>> prohibited on university properties

Can you provide any additional information as to why the use of eduroam is 
prohibited?



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Green, William C" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Thursday, September 21, 2017 at 10:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] UT Austin Biennial Network Report

Linked is UT Austin's biennial network report:
https://utexas.box.com/s/drckih61cw8yvom3avihe6j7c8nx972n


I encourage others to provide their operational reports for everyone’s benefit. 
 And, if you find this exciting we are hiring!
https://utdirect.utexas.edu/apps/hr/jobs/nlogon/search/0/   (hint, search for 
network)

--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712


Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-27 Thread Cappalli, Tim (Aruba Security)
ClearPass will auto-generate an internal WebAuth request by default after a 
device registration.

Create a service to accept this request and issue a disconnect message to the 
controller to force a reauthentication.

See these screenshots for the service config; it’s very basic. You only need 
the enforcement profiles for the NADs you’re using.

http://aruba.i.lithium.com/t5/image/serverpage/image-id/30944iE5F3B1A85398D84E/image-size/large?v=1.0=999

http://aruba.i.lithium.com/t5/image/serverpage/image-id/30943i73208ADC98FF1301/image-size/large?v=1.0=999
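As an added example that is not part of this thread: the RFC 5176 exchange Frank and Tim describe (a Disconnect-Request sent to the controller after registration, answered by a Disconnect-ACK) built and verified offline in Python, with an in-process stand-in for the NAS. The shared secret, identifier, station MAC and session id are constructed values; a real deployment sends the same bytes over UDP to the NAS's CoA port.

```python
"""RFC 5176 Disconnect-Request / Disconnect-ACK, built and verified offline."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 1, 31, 44
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one Type-Length-Value attribute (value capped at 253 octets)."""
    data = value.encode() if isinstance(value, str) else bytes(value)
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def decode_attrs(blob):
    """Decode a run of TLV attributes into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(blob):
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_packet(raw):
    """Split a RADIUS packet into (code, identifier, authenticator, attribute bytes)."""
    if len(raw) < HEADER_LEN:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack_from("!BBH", raw, 0)
    if length != len(raw):
        raise ValueError("Length field does not match packet size")
    return code, identifier, raw[4:HEADER_LEN], raw[HEADER_LEN:]


def build_disconnect_request(identifier, secret, attrs):
    """Return (packet, request_authenticator).

    RFC 5176 section 2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body, authenticator


def nas_reply(request, secret, session_found=True):
    """Stand-in for the controller: check the request, answer ACK or NAK.

    Response Authenticator (RFC 5176 section 2.3) =
    MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret).
    A request whose authenticator does not verify is silently discarded (None).
    """
    code, identifier, req_auth, body = parse_packet(request)
    expected = hashlib.md5(request[:4] + bytes(16) + body + secret).digest()
    if code != DISCONNECT_REQUEST or not hmac.compare_digest(expected, req_auth):
        return None
    resp_code = DISCONNECT_ACK if session_found else DISCONNECT_NAK
    resp_header = struct.pack("!BBH", resp_code, identifier, HEADER_LEN)
    resp_auth = hashlib.md5(resp_header + req_auth + secret).digest()
    return resp_header + resp_auth


def verify_response(response, identifier, request_authenticator, secret):
    """Return the reply code if it answers our request with a valid authenticator, else None."""
    code, resp_id, resp_auth, body = parse_packet(response)
    if resp_id != identifier or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator + body + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


def force_reauth(secret, identifier, station_mac, session_id):
    """Full exchange for one newly registered device, using the in-process NAS stand-in."""
    request, req_auth = build_disconnect_request(identifier, secret, [
        (ATTR_CALLING_STATION_ID, station_mac),  # names the session to tear down
        (ATTR_ACCT_SESSION_ID, session_id),
    ])
    reply = nas_reply(request, secret)
    return verify_response(reply, identifier, req_auth, secret) if reply else None


if __name__ == "__main__":
    # Constructed values; a real run uses the NAS shared secret and the device's live session.
    result = force_reauth(b"constructed-shared-secret", 7, "00-11-22-33-44-55", "0000abcd")
    print("Disconnect-ACK" if result == DISCONNECT_ACK else "no ACK", result)
```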



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Sweetser, Frank E" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Sunday, August 27, 2017 at 2:32 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?


The canonical answer is to set up Clearpass to do a RADIUS CoA to proactively 
change the device role when its registration status gets updated. That way it 
should happen pretty much immediately, rather than having to wait for a timeout.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Michael Davis 
Sent: Sunday, August 27, 2017 9:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Thanks.. I believe it turned out to be devices sticking in the "preauth" role 
that were not yet registered. The commonality of all the Epsons focused on them 
instead of the issue. Their defensive IP policy must have been triggered by the 
locked down role.

Does anyone know offhand how to age out devices quickly from a preauth role 
that's not the default system preauth role?

thanks
mike

On 8/26/17 4:05 PM, Michael Dickson wrote:
Just a thought but do you have multiple helper addresses configured for that 
vlan/subnet? I'm wondering if maybe the printers aren't expecting that. Another 
random thought, if they're not broadcasting for a lease because they require a 
static could they have maybe all self-assigned themselves the same IP and are 
discovering each other over L2?

Good luck. We're pretty much going down the same CPPM/Airgroup path right now.

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39

On Aug 26, 2017, at 3:18 PM, Michael Davis 
> wrote:
First Semester supporting mDNS in production with Aruba Clearpass Airgroup.

Almost every Epson XP series printer is complaining of duplicate IP addresses, 
which of course is not the case. Anyone see anything similar? There are a few 
older web searches about Epsons requiring a static IP, which isn't an option 
right now unfortunately.

Only Freshmen moving in today (~5K), the bulk (~20K) will arrive tomorrow and
throughout the week.

ArubaOS 6.5.3.2
CPPM 6.6.7.96909
Four 7240 controllers
~3200 APs
Three primary SSIDs: eduroam, Devices, Guest (clearpass)


thanks
mike

On 8/25/17 9:22 AM, Lee H Badman wrote:
It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu




Re: [WIRELESS-LAN] Android phones having strange issues

2017-08-23 Thread Cappalli, Tim (Aruba Security)
Aruba ClearPass Onboard also fully supports Android Oreo.

On 8/22/17, 6:16 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Richard Nedwich"  wrote:

Hi Bruce,

Yes, our Wizard and Cloudpath ES products do officially support Oreo.

Thanks,
Rich



Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-25 Thread Cappalli, Tim (Aruba Security)
The problem with this statement:

> EAP-PEAP/EAP-TTLS, if properly onboarded, are very secure. But the problem is 
> ‘properly onboarded’.

… is that even having PEAP or EAP-TTLS enabled on the network exposes you to 
risk regardless of the supplicant configuration, as anyone can attempt to 
connect using PEAP, putting their creds at risk.

Secure solution = EAP-TLS only.

Also, did you mean EAP-TTLS here? > any institution that is running EAP-TLS 
with PAP
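As an added example, not from the thread: a small audit of wpa_supplicant network blocks that spells out what "properly onboarded" means on the client side for PEAP/TTLS (a pinned CA plus a server-name match, so the password is only ever released to the institution's RADIUS server). It illustrates Ryan's point; Tim's point stands, since the check protects only devices that carry this config. The sample config, SSIDs, paths and identities are constructed.

```python
"""Audit wpa_supplicant network blocks for server-certificate validation on EAP."""

TUNNELED = {"PEAP", "TTLS"}  # methods that send a user credential inside the TLS tunnel
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

# Constructed sample config (not a real campus profile): one weak, one hardened, one EAP-TLS.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="campus-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="constructed-password"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="campus-good"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="jdoe@example.edu"
    password="constructed-password"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="campus-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device01@example.edu"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    client_cert="/etc/ssl/certs/device01.pem"
    private_key="/etc/ssl/private/device01.key"
    domain_match="radius.example.edu"
}
"""


def parse_networks(conf_text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """List the ways this block would trust an arbitrary RADIUS server."""
    if "EAP" not in net.get("key_mgmt", "").upper():
        return []  # PSK/open: no EAP credential at stake
    methods = set(net.get("eap", "").upper().split())  # eap= is a space-separated list
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(key in net for key in SERVER_NAME_KEYS):
        findings.append("no domain_match/altsubject_match: any cert from the trusted CA is accepted")
    if methods & TUNNELED and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the username travels in the clear outer identity")
    if findings and not (methods & TUNNELED):
        # EAP-TLS sends no password, so weak server checks lose mutual auth but not a credential
        findings = [f + " (EAP-TLS: no password exposed)" for f in findings]
    return findings


def audit(conf_text):
    """Map each SSID to its findings; an empty list means the block validates the server."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf_text)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "; ".join(findings))
```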



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" 
<rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, July 25, 2017 at 11:53 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

There are flaws with every mechanism.  We are a long time EAP-TLS shop.

In a university environment, access is rarely a difficult thing.  There are 
many buildings and methods for motivated individuals to get access.  Most of us 
actually provide some level of access to guests, already.  In short, university 
defenses for network access are weak, often by design.  For us, the issue 
really isn’t about access to the network.   It is, however, about access to 
credentials.  With all other ‘normal’ widely adopted methods out there, you are 
setting individuals up to expose their credentials to MitM.  With TLS, even if 
someone exports a cert, all that next person has is network access.  They don’t 
have credentials.

Put another way, any institution that is running EAP-TLS with PAP (using this 
configuration because it is the easiest), I would be willing to make a large 
bet that I could drive to your campus, sit outside your main administrative 
building, and I could have some tasty usernames and passwords in short order.  
It requires no hacking (because I’m not a hacker).  Other methods like PEAP are 
definitely much more difficult, but not outside of the range of a hacker IF the 
client didn’t onboard their device properly.  And many people won’t onboard 
properly with a username/password method because it is easier just to punch 
those in upon connection.

EAP-PEAP/EAP-TTLS, if properly onboarded, are very secure.  But the problem is 
‘properly onboarded’.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu<mailto:r...@unc.edu>
+1 919 445 0113 Office
+1 919 274 7926 Mobile





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
Sent: Wednesday, July 12, 2017 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

Depending on the setup and purpose, the certs could be exported and shared to 
people/devices not intended; it may be assumed that will not happen.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Wednesday, July 12, 2017 10:33 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I’m curious about “…certs may give a false sense of security and identity”. Can 
you elaborate on that?

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Thomas Carter 
<tcar...@austincollege.edu<mailto:tcar...@austincollege.edu>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Wednesday, July 12, 2017 at 11:22 AM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We use mac address auth (using Packetfence) for this reason. On-boarding is 
easy (there’s even a mac self-registration portal for devices that don’t 
understand the captive portal on connecting) through a captive portal, and the 
kids are used to captive portals at Starbucks/Target/McDonalds already . We 
formerly used Bradford Networks (long story, but we had some major issues with 
them) using a certificate based solution, and our opening of school support has 
gone from lines out the door of IT to almost nothing. While mac spoofing is a 

Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Cappalli, Tim (Aruba Security)
Well, in a proper deployment, certificates would be marked non-exportable 
(which makes it incredibly difficult to export them) and additional 
authorization checks would be in place on the policy server to prevent that 
certificate from being used with a different device. For faculty and staff, 
you’d also layer in network-based MFA to occasionally re-validate the user.

EAP-TLS is the safest bet these days. EAP-TTLS and PEAP are far too risky, even 
for students and especially for faculty and staff. The added benefit of EAP-TLS 
is the client certificate can also be used to authenticate to web services like 
your SAML-based SSO provider. Very popular.

tim


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Thomas Carter 
<tcar...@austincollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, July 12, 2017 at 1:20 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

Depending on the setup and purpose, the certs could be exported and shared to 
people/devices not intended; it may be assumed that will not happen.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Wednesday, July 12, 2017 10:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I’m curious about “…certs may give a false sense of security and identity”. Can 
you elaborate on that?

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Thomas Carter 
<tcar...@austincollege.edu<mailto:tcar...@austincollege.edu>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Wednesday, July 12, 2017 at 11:22 AM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We use mac address auth (using Packetfence) for this reason. On-boarding is 
easy (there’s even a mac self-registration portal for devices that don’t 
understand the captive portal on connecting) through a captive portal, and the 
kids are used to captive portals at Starbucks/Target/McDonalds already. We 
formerly used Bradford Networks (long story, but we had some major issues with 
them) using a certificate based solution, and our opening of school support has 
gone from lines out the door of IT to almost nothing. While mac spoofing is a 
thing, EAP/PEAP/certs may give a false sense of security and identity. In a 
past life in the corporate world we did a PEAP solution with locked down 
certificates, but we tightly controlled all the end-points as well (only 
corporate owned devices allowed on the corp network).

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Tyler
Sent: Tuesday, July 11, 2017 10:17 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I think this is an excellent topic that has made me wonder.  Given that so many 
users don’t secure their radius client profile, I have often thought mac 
address authentication might be a better option, but it would require a 
convenient registration method.  If someone uses a man in the middle attack 
against a mac address, the consequences are minimal.  If someone does it 
against usernames and password, they likely will have access to their other 
accounts as well.  If people can on-board a full PEAP with certificate lock 
down solution, then it is the best.  But if many of your clients are not 
getting the cert loaded and the client dependent on it, then it makes me wonder 
if mac address authentication isn’t better in the bigger picture of things.
  I am still using PEAP, but I am constantly thinking about mac address 
authentication.
Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>]
 On Behalf Of Jonathan Waldrep
Sent: Tuesday, J

Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Cappalli, Tim (Aruba Security)
I’m curious about “…certs may give a false sense of security and identity”. Can 
you elaborate on that?

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Thomas Carter 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, July 12, 2017 at 11:22 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We use mac address auth (using Packetfence) for this reason. On-boarding is 
easy (there’s even a mac self-registration portal for devices that don’t 
understand the captive portal on connecting) through a captive portal, and the 
kids are used to captive portals at Starbucks/Target/McDonalds already. We 
formerly used Bradford Networks (long story, but we had some major issues with 
them) using a certificate based solution, and our opening of school support has 
gone from lines out the door of IT to almost nothing. While mac spoofing is a 
thing, EAP/PEAP/certs may give a false sense of security and identity. In a 
past life in the corporate world we did a PEAP solution with locked down 
certificates, but we tightly controlled all the end-points as well (only 
corporate owned devices allowed on the corp network).

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Tyler
Sent: Tuesday, July 11, 2017 10:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I think this is an excellent topic that has made me wonder.  Given that so many 
users don’t secure their radius client profile, I have often thought mac 
address authentication might be a better option, but it would require a 
convenient registration method.  If someone uses a man in the middle attack 
against a mac address, the consequences are minimal.  If someone does it 
against usernames and passwords, they likely will have access to their other 
accounts as well.  If people can on-board a full PEAP with certificate lock 
down solution, then it is the best.  But if many of your clients are not 
getting the cert loaded and the client dependent on it, then it makes me wonder 
if mac address authentication isn’t better in the bigger picture of things.
  I am still using PEAP, but I am constantly thinking about mac address 
authentication.
Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Jonathan Waldrep
Sent: Tuesday, July 11, 2017 9:58 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We acknowledged that many users are going to connect without using an 
on-boarding tool, and almost no one is going to secure their wireless profile 
manually. This leaves these users (on *all* platforms) open to a radius 
impersonation attack. Given this, we require a different password for network 
access.

It's worth making a note of our security and business models (slightly over 
simplified, but sufficient for this topic). We treat ourselves as an ISP to our 
users. Everyone gets online with the same level of access. Our systems are 
secured at the server level. Guests self-register to access the network for a 
limited time.

All this means that getting someone's network credentials means very little. If 
someone were doing something especially nefarious, using someone else's 
credentials would make it more difficult for us to find them. However, the 
attacker doesn't gain access to the compromised user's financial records, 
email, or anything else.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Mon, Jul 10, 2017 at 8:24 PM, Mike King wrote:
Marcelo,

If windows 7 is just 4%, what is your highest percentage?  Windows 10, or 
something else?

On Mon, Jul 10, 2017 at 5:36 PM, Marcelo Maraboli wrote:
Hello David

we did this last month and "secured" PEAP by minimizing the risk in Windows 7 
clients.

We used this guide and it worked very well.
http://www.defenceindepth.net/2010/05/attacking-and-securing-peap.html

We did not use "step 4" because it didn't leave the user ID in our AAA,
they were all "anonymous".

We also studied every operating system that connected to our WIFI and
found out that Windows-7 is just 4%, so we hope this problem will die on
its own.  Windows 10 can use PAP-TTLS, even though that is another deal.


hope it helps.


best regards,

On 7/10/17 

Re: [WIRELESS-LAN] 802.1x expired certificate (Eduroam)

2017-07-04 Thread Cappalli, Tim (Aruba Security)
It really depends on how the supplicant is configured. If a configuration tool 
was used, it may have locked the supplicant to a specific cert and disallowed 
the user to approve exceptions.

 

On 7/4/17, 11:34 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Julian Y Koh"  wrote:

> On Jul 3, 2017, at 17:38, Marcelo Maraboli  wrote:
> 
> What happens on the supplicant side of the 802.1x (User) when the
> Radius certificate expires ?
> 
> I am interested in what the user will face and HAVE to do.
> 
> We have found 2 possibilities:
> a) The user is prompted to "trust" the new certificate and that's it.

This has been our experience.  Some clients behave differently here and 
there due to bugs and/or config differences, but generally the worst that 
happens is that people need to trust the new certificate.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
PGP Public Key: 

**
Participation and subscription information for this EDUCAUSE Constituent 
Group discussion list can be found at http://www.educause.edu/discuss.



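The settings the two threads above keep circling back to, in the EAP-PEAP risk/benefit discussion ("certificate lock down", "radius impersonation attack") and in Tim's point here about tools that lock the supplicant to a specific cert and disallow user exceptions, decide whether a PEAP client releases its MSCHAPv2 credentials to whichever RADIUS server answers. The model below is an added example, not code from the list or from any vendor's supplicant; the profile fields are named after the Windows PEAP settings, and the certificate records and CA fingerprints are constructed stand-ins.

```python
"""Model of the server-certificate checks a PEAP supplicant profile applies
before it releases the user's MSCHAPv2 credentials.

Added illustration (not from the list thread or any vendor supplicant).
Field names follow the Windows PEAP profile settings; the certificate
records and CA fingerprints below are constructed, not real.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Constructed stand-in for the RADIUS server certificate the AP relays."""
    subject_cn: str
    issuer_fingerprint: str  # fingerprint of the issuing CA (constructed value)
    days_to_expiry: int      # negative means already expired


@dataclass
class PeapProfile:
    """Supplicant-side settings; the defaults mirror an unconfigured profile."""
    validate_server_cert: bool = False
    trusted_root_fingerprints: set = field(default_factory=set)
    server_name_match: Optional[str] = None   # "Connect to these servers"
    prompt_user_on_mismatch: bool = True      # False = locked, no exceptions


def name_matches(expected: str, cn: str) -> bool:
    """Exact match, or a '*.domain' pattern matching any host under that domain."""
    if expected.startswith("*."):
        return cn.endswith(expected[1:])
    return cn == expected


def _mismatch(profile: PeapProfile, user_accepts: bool, why: str) -> Tuple[bool, str]:
    """A failed check either rejects outright or asks the user, per the profile."""
    if profile.prompt_user_on_mismatch and user_accepts:
        return True, f"user approved exception: {why}"
    return False, why


def evaluate(profile: PeapProfile, cert: ServerCert,
             user_accepts_prompt: bool = True) -> Tuple[bool, str]:
    """Return (send_credentials, reason) for one authentication attempt."""
    if not profile.validate_server_cert:
        return True, "no validation configured: credentials go to any RADIUS server"
    if cert.days_to_expiry < 0:
        return _mismatch(profile, user_accepts_prompt, "server certificate expired")
    if cert.issuer_fingerprint not in profile.trusted_root_fingerprints:
        return _mismatch(profile, user_accepts_prompt, "issuing CA not trusted")
    if profile.server_name_match and not name_matches(profile.server_name_match, cert.subject_cn):
        return _mismatch(profile, user_accepts_prompt, "server name mismatch")
    return True, "server certificate validated"


# --- constructed scenarios --------------------------------------------------
LEGIT = ServerCert("radius.example.edu", "CA-PRIVATE-01", days_to_expiry=200)
EXPIRED = ServerCert("radius.example.edu", "CA-PRIVATE-01", days_to_expiry=-3)
# A valid certificate for some other host, issued by a widely trusted public CA.
OTHER_SERVER = ServerCert("radius.other.example", "CA-PUBLIC-XX", days_to_expiry=300)

UNLOCKED = PeapProfile()  # "Validate server certificate" left unchecked
PUBLIC_CA_ANY_NAME = PeapProfile(validate_server_cert=True,
                                 trusted_root_fingerprints={"CA-PUBLIC-XX"})
PUBLIC_CA_NAMED = PeapProfile(validate_server_cert=True,
                              trusted_root_fingerprints={"CA-PUBLIC-XX"},
                              server_name_match="radius.example.edu")
LOCKED = PeapProfile(validate_server_cert=True,
                     trusted_root_fingerprints={"CA-PRIVATE-01"},
                     server_name_match="radius.example.edu",
                     prompt_user_on_mismatch=False)


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Each case pairs one profile with one certificate the client might see."""
    return {
        "unlocked / other server": evaluate(UNLOCKED, OTHER_SERVER),
        "public CA, no name / other server": evaluate(PUBLIC_CA_ANY_NAME, OTHER_SERVER),
        "public CA + name / other server, user clicks through":
            evaluate(PUBLIC_CA_NAMED, OTHER_SERVER, user_accepts_prompt=True),
        "locked / other server": evaluate(LOCKED, OTHER_SERVER),
        "locked / legit": evaluate(LOCKED, LEGIT),
        "locked / expired": evaluate(LOCKED, EXPIRED),
    }


if __name__ == "__main__":
    for case, (ok, why) in run_scenarios().items():
        print(f"{'SEND   ' if ok else 'REFUSE '} {case}: {why}")
```

The two cases worth staring at are "public CA, no name" (any certificate that CA ever issued is accepted, so trusting a public root without a server-name match is not a lock-down) and "locked / expired" (the connection simply fails, which is the flip side of Tim's remark: a profile that disallows exceptions cannot show the "trust the new certificate" prompt Julian describes).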



Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Cappalli, Tim (Aruba Security)
Can you elaborate on this comment?

“whereas with eduroam we were kind of locked-in to the PEAP model.”

Eduroam is EAP agnostic.

 


On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen"  wrote:

We also use eduroam and a university SSID and one benefit I've seen is that 
when our CISO decided to deprecate PEAP due to the "fake AP/MITM - exposed 
password" issue and favor EAP-TLS - we could easily control our own destiny 
with our own SSID whereas with eduroam we were kind of locked-in to the PEAP 
model.  Lesser security will often result when universal compatibility is the 
goal.  I mean we could force our own users to use EAP-TLS at home and abroad 
but in my opinion we could not truly say that we've done everything possible to 
mitigate the PEAP vulnerability while still propping up a PEAP SSID org-wide 
even if PEAP only ends up being used by visitors.

We currently offer long-term EAP-TLS connections on our university SSID to 
any guest willing to provide an SMS number (Cloudpath Feature).  It turns out 
that the SMS-capable phone carrying population is much larger than those with 
eduroam credentials so far, and phone numbers are possibly more valuable to 
administrators than AD credentials of participating institutions in resolving 
issues.  In my opinion, as onboarding solutions mature the SSID becomes less 
important, and who knows maybe with Hotspot 2.0 completely irrelevant?  
Something to consider at least when making that decision anyway.

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313

___
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Les Ridgley 

Sent: Thursday, April 27, 2017 10:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

We retained both the eduroam SSID and the university one for the reasons of 
branding and more importantly for us, to ensure that our users on a site that 
has multiple institutions broadcasting the eduroam SSID we could guarantee 
connection to our network by using the university SSID.

Had we only broadcast the eduroam SSID there was the possibility that the 
user could unknowingly connect to another institution's eduroam SSID and then 
not have the same access to system resources that they would experience had 
they connected to our SSID.

We have not experienced significant support difficulties and allow the 
users to use either SSID at their own discretion.

HTH,
Les.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, 28 April 2017 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)


A related question came up today when discussing whether or not to get rid 
of our branded SSID or not once eduroam is up and running on our network.  
Specifically:

For those who decided to keep both the branded and eduroam SSID's (and 
assuming they are identical in terms of access for your institutional users) -- 
have there been any issues in doing so?  For example, does it cause confusion 
to users or doesn't it matter to them?  Any support issues either with the 
people directly supporting the users and/or managing the wireless network?  If 
you decided to keep both .. do you regret this decision or are you 
happy/neutral with it?

Conversely, if you DID decide to go with only the eduroam SSID, has anyone 
regretted this decision?

We're just trying to get a fuller understanding before we decide to remove 
the branded SSID.  We do think that's what people will look for .. especially 
those not familiar with eduroam.

Thanks!

-Brian



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Brian Helman 
[bhel...@salemstate.edu]
Sent: Tuesday, April 25, 2017 1:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
Ahh, I see.  They are separate networks.  We are using a NAC to place users 
in their proper vlan, so there’s no differentiation between our current 
university ssid and eduroam.

By the way, I keep writing “EDUROAM”.  I know it’s “eduroam” .. it’s just 
habit from typing “EDUCAUSE”.

Thanks!

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Heartlein
Sent: Tuesday, April 25, 2017 

Re: [WIRELESS-LAN] Multiple SSIDs, AIrGroups, Consumer Devices and you...

2017-04-26 Thread Cappalli, Tim (Aruba Security)
Ben,

You can put a user into a restricted headless “provisioning” role temporarily 
which would allow them to connect to your headless network and configure the 
device. We can write policy to check the device registration database to ensure 
that they actually have a registered headless device before allowing them into 
the provisioning state.

tim


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Higgins, Benjamin J" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, April 26, 2017 at 1:18 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Multiple SSIDs, AIrGroups, Consumer Devices and you...

Greetings!

We are attempting to implement a controlled but open/unencrypted wireless 
network (WPI-Gadgets) in conjunction with our EAP-TLS secured primary wireless 
network (WPI-Wireless or eduroam).

All users primary devices (laptop, phone, tablet, etc) are both registered and 
on-boarded using known and proven procedures to WPI-Wireless.

Users which use Roku/Chromecast/AppleTV/etc need to onboard their device for 
the WPI-Gadgets network.  In order to use  WPI-Gadgets:

-  the device needs to be a known MAC Address registered on our IPAM

   o  When a user registers a Chromecast in the IPAM system, the device will be 
      enrolled in the user’s “AirGroup”

-  If the device is a known 802.1x capable device, even if it’s 
   registered, it is not allowed on the open, unencrypted WPI-Gadgets network

From there, a user should be able to cast/control/communicate with their 
Chromecast on WPI-Gadget from their primary device on WPI-Wireless.

That’s the concept – but my question is not about the technical aspect of 
getting this to work.  Everything above appears to work in our lab environment.

The problem starts with *how* a Chromecast is configured from factory defaults:

-  you need to run the “Google Home” application on your phone

-  your phone finds the Chromecast and configures it for the selected 
network (WPI-Gadgets)

-  the Chromecast appears to be properly setup

-  [PROBLEM] the “Google Home” app tries to move the phone from the 
WPI-Wireless network to the WPI-Gadgets network

-  The phone loses connection, as we don’t allow 802.1x devices on 
WPI-Gadgets

-  The Chromecast sits there saying it’s ready and properly configured

-  The phone says the configuration failed and keeps insisting on 
starting the configuration again.

Here are the questions (after the long winded explanation):

-  Do other institutions have a secure network for 802.1x devices and 
an open network for non 802.1x capable devices?

-  Does anyone go far enough to keep 802.1x capable devices off their 
open network?

   o  Tangent: for those who are eduroam only, how do you allow Chromecasts and 
      similar on your network?

-  Specifically with Chromecasts, how do you keep the two device 
classes separate?

-  How do other institutions deal with the “basement network” syndrome 
like this Chromecast; the consumer devices which don’t like enterprise networks?

Thanks for reading this far!

--ben

--
Benjamin J. Higgins (‘97), N1ZVY  |  
bjhigg...@wpi.edu
Senior Network Engineer, JNCIA, ACCA  |  Office 508.831.4860
Worcester Polytechnic Institute   |  Cell   508.713.1739

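Tim's provisioning-role suggestion and Ben's two admission rules (a registered MAC is required on the open SSID, and 802.1x-capable devices are kept off it even when registered) can be written down as one small policy. The following is an added example, not code from the list or from any NAC product; the registration records, owner names, device labels and the 15-minute role lifetime are constructed assumptions.

```python
"""Policy sketch for a split 802.1X / open "gadgets" SSID design.

Added example, not code from the list thread or from any NAC product.
Rules encoded from the message above: a gadget joins the open SSID only if
its MAC is registered; an 802.1X-capable device is refused there even when
registered; a user receives the temporary "provisioning" role only if the
registration database shows at least one headless device in their name.
The registration records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Registration:
    owner: str
    headless: bool   # Roku/Chromecast/AppleTV class: cannot do 802.1X
    label: str


def normalize_mac(mac: str) -> str:
    """Canonical lowercase 12-hex form so colon, dash and dotted formats match."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


# Constructed stand-in for the IPAM registration database (MAC -> record).
REGISTRATIONS: Dict[str, Registration] = {
    normalize_mac("AA:BB:CC:00:00:01"): Registration("alice", True, "chromecast"),
    normalize_mac("aa-bb-cc-00-00-02"): Registration("alice", False, "laptop"),
    normalize_mac("aabb.cc00.0003"): Registration("bob", False, "phone"),
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    airgroup: Optional[str] = None   # owner whose primary devices may reach it


def gadgets_access(mac: str) -> Decision:
    """MAC-auth decision for the open, unencrypted gadgets SSID."""
    rec = REGISTRATIONS.get(normalize_mac(mac))
    if rec is None:
        return Decision(False, "MAC not registered in IPAM")
    if not rec.headless:
        return Decision(False, "802.1X-capable device must use the secured SSID")
    return Decision(True, f"registered headless device ({rec.label})", airgroup=rec.owner)


def provisioning_role(user: str, now: Optional[datetime] = None,
                      ttl_minutes: int = 15) -> Tuple[str, Optional[datetime]]:
    """Temporary role that lets a user's phone touch the open SSID to set up a
    gadget. Granted only when the user already has a registered headless device,
    and it expires after ttl_minutes (lifetime is a constructed assumption)."""
    now = now or datetime.now()
    if any(r.owner == user and r.headless for r in REGISTRATIONS.values()):
        return "provisioning", now + timedelta(minutes=ttl_minutes)
    return "standard", None


def can_cast(primary_owner: str, gadget_mac: str) -> bool:
    """AirGroup-style check: a primary device reaches only gadgets in its
    owner's own group, so alice's laptop sees alice's Chromecast and nobody else's."""
    d = gadgets_access(gadget_mac)
    return d.allow and d.airgroup == primary_owner


if __name__ == "__main__":
    for mac in ("aa:bb:cc:00:00:01", "AA-BB-CC-00-00-02", "aa:bb:cc:00:00:99"):
        d = gadgets_access(mac)
        print(f"{mac}: {'ALLOW' if d.allow else 'DENY '} {d.reason}")
    for user in ("alice", "bob"):
        print(user, provisioning_role(user))
```

The role check is the piece that closes the loop Ben describes: the phone is never admitted to the open SSID as a device in its own right, it only borrows a short-lived role while the Google Home app does its thing, and only for users the IPAM already knows to own a gadget.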



Re: [WIRELESS-LAN] Shared iPads

2017-04-18 Thread Cappalli, Tim (Aruba Security)
Jason – Are the tablets managed by an MDM/EMM?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Osborne, Bruce W (Network 
Operations)" 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Tuesday, April 18, 2017 at 7:58 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Shared iPads

We currently use PEAP-MSCHAPv2.

For department-owned devices, we create a service account per department.
We also have iPads used in our elementary & high school. The students are 
divided into 3 groups based on academic grade. We have a service account per 
group and different web filtering policies for each of those groups.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Benedick, Jason [mailto:bened...@stevenscollege.edu]
Sent: Monday, April 17, 2017 4:17 PM
Subject: Shared iPads

How do you deal with shared iPads for students authenticating to the WiFi 
network? We currently use an 802.1x enabled SSID using RADIUS back to our 
Microsoft NPS server.

My initial thought is to create an AD account for each iPad, but if we start 
getting a lot of them I can see that becoming very tedious managing usernames 
and passwords for each device.

Thanks,
Jason R. Benedick
IT Generalist
Thaddeus Stevens College of Technology
Office: (717) 391-6957 Cell: (717) 587-9065

*This electronic communication from TSCT is confidential and intended 
solely for use by the individual to whom it is addressed. If you are not the 
named recipient do not forward, propagate or replicate this e-mail. Please 
notify the sender immediately by e-mail if you have received this message by 
mistake and remove from your system. If you are not the intended recipient you 
are notified that disclosing, copying, distributing or taking any action 
dependent upon the contents of this email or attachment is strictly 
prohibited.*