RE: [WIRELESS-LAN] Idengines AutoConnect
Branden,

We are using Autoconnect here with LDAP/ACS 3.3. We are not using the Idengines Ignition Server. We didn't have to make any modifications. We were able to drop Autoconnect into our existing deployment without incident.

Regards,
J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Branden Kirk
Sent: Tuesday, July 22, 2008 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Idengines AutoConnect

For those that are using this product, how many of you are using it with LDAP? For those that started out with an LDAP/ACS setup, what changes were made to use AutoConnect?

I'm wondering if anyone is using AutoConnect with an LDAP/ACS setup without the purchase of the Idengines Ignition Server. My understanding is that using AutoConnect with LDAP requires a modified RADIUS server and am wondering about the benefits/costs vs. buying the out-of-box solution.

Thanks in advance to those that respond.

Branden Kirk
Biola University
Network Administrator
(562) 903-4740

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Automating wireless configuration on clients
Mike,

We are considering purchasing AutoConnect for our needs here at Wofford. We've heard/seen really good reviews from other schools and have had a lot of success with our testing of the product on all 3 platforms.

Would you be willing to elaborate on the issues that you have seen with OS 10.4? Would you also be willing to share specifics of how your wireless network is configured (type of APs, type of encryption, type of RADIUS servers and what supplicant(s) you are using)?

Your input is greatly appreciated.

J. Bart Casey
Network Engineer
Wofford College

From: Schomer, Michael J. [mailto:[EMAIL PROTECTED]
Sent: Friday, November 02, 2007 10:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Automating wireless configuration on clients

We are using AutoConnect from idEngines. We deploy it through an open SSID and captive portal, but you can deploy it as a standalone executable if you prefer. Using the captive portal, AutoConnect uses Java or ActiveX to configure wireless settings, so there aren't many browsers it won't work with. It works well with XP and Vista. The current release is supposed to support OS X 10.4, but in my limited testing, it didn't seem to work quite right; not sure what the plans are for 10.5.

-Mike Schomer
-ResNet Coordinator
-St. Cloud State University

From: Nathan Hay [mailto:[EMAIL PROTECTED]
Sent: Friday, November 02, 2007 8:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Automating wireless configuration on clients

We are researching ways to automate the creation of our SSID on a student's laptop via a script of some kind. Our technicians would pop in a flash drive, run the script from it, and the SSID with the needed 802.1X settings would be created. This would also serve as a way to refresh the configuration if the student configured the SSID incorrectly. We need to support XP, Vista, and Mac OS X.

Has anyone done this before? Any suggestions on where to start?

Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
http://www.cedarville.edu/
RE: [WIRELESS-LAN] wireless guest access
Kevin and Lee,

We are providing Guest access via a beaconed SSID on our Cisco Aironet 1230s. When a user connects to that SSID, they are placed into a VLAN for one of our DMZs and are assigned IP addressing and DNS information by a Linux Box running a Captive Portal Package (NoCat Auth). We limit the DHCP scope to 126 devices as we don't have many guests connecting to our guest wireless network.

When users connect they are required to click-to-accept an AUP before being provided access to the internet. Their connectivity is valid for a period of 24 hours or 5 minutes of inactivity (these are adjustable); whichever comes first. At the point of expiration, the user is required to re-accept the AUP before continuing. All of their information is logged to include assigned IP address, system name, and MAC-Address.

All of the bandwidth is rate-shaped to 256Kbps Up/Down via 2 CBQ configuration files (one for ingress and one for egress). Since this software is iptables based, we are also able to limit the type of traffic that is allowed for these guests. We allow http, https, pop3, imap, telnet, and SSH. Everything else is explicitly denied including SMTP as we don't want to provide the ability to spam from our network. This system has no access to our internal network at all which helps keep our internal systems and traffic secure in relation to the Guest Network.

We provide authorized wireless access through a non-beaconed SSID on the same access point and a different VLAN. We also use PEAP on the authorized wireless network which helps keep the two methods of access further separated. Yes, I'm aware there are better methods for securing our authorized wireless network but due to the dynamic nature of our authorized clients and political boundaries, we have opted for a path with minimal resistance.

As for the CALEA issue, we have spent a fair amount of time discussing CALEA and its implications internally and with our 2 ISPs and have come to the conclusion that even though we provide anonymous access, we are exempt for the following reasons:

1) Both of our ISPs are CALEA compliant. So, we piggy-back off of their compliance.
2) There are no CALEA compliant devices available to our organization at this point in time.

As a side note, the Captive Portal box is also configured to provide guest access to the wired network which will be of great use as we convert the campus to support 802.1x for wired connections. Through this method, guests have the option to log in using RADIUS credentials and gain access to the secure certificates and configuration instructions or connect as a guest using the same method listed above with the wireless guest access. We provide a larger DHCP scope for our wired users (1022) since more people connect to the wired network. Since RADIUS is clear text and I haven't found a package that supports TACACS authentication yet we don't provide this option to wireless users.

I hope that helps.

J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus? Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

Kevin Lanning [EMAIL PROTECTED] 2/26/2007 12:46:48 PM

Wondering what academic institutions are doing these days regarding wireless access for guests?

--
Kevin Lanning
lanning at unc.edu
RE: [WIRELESS-LAN] Auto-configuring Windows XP Native Client for 802.1x
Emerson,

We would be very interested in your script. Would this script also be able to do the same thing for a wired connection?

Regards,
J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: Emerson Parker [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 10:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Auto-configuring Windows XP Native Client for 802.1x

Let me know if you want one. I'll place it on a DL server for you. Don't forget the latest WZC can be GPO'd for all the settings.

-Emerson

-----Original Message-----
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 9:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Auto-configuring Windows XP Native Client for 802.1x

Wondering if anyone has gone down the road of scripting the steps to configure 802.1x on the native Windows supplicants- as opposed to just providing how to guidance, wondering if anyone is providing an executable that selects EAP type, encryption type, etc along with the few other settings required? (PEAP/MSCHAP v2/TKIP in our case).

Lee

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003
RE: [WIRELESS-LAN] securew2 client
Jorge,

We are very interested in the .exe that you have set up. Something like that would be great for our school as we have just implemented 802.1x on our wired network. We have been running it on our wireless network for a couple of years. There are concerns about the lengthy process that students have to go through. A single step install would be very helpful for our helpdesk.

Any and all info you could provide would be greatly appreciated.

Regards,
J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: Jorge Bodden [mailto:[EMAIL PROTECTED]
Sent: Friday, July 21, 2006 12:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 client

We use the secureW2 client. And it works pretty well. We have even set it up so that we can run a .exe on the PC and it will install the network and the client as well as configure them. The only one thing that we cannot get the file to do is WPA/TKIP. Those have to be done manually. But I am this can be done as well.

The only tricky part of the secureW2 install/config process is finding where to configure it. If you are not familiar with the client, the way to go about it is under the authentication tab in the network properties. If you have any further questions please feel free.

Thanks.
Jorge Bodden

Fred Archibald wrote:

Matt,

We too are investigating this combination with EAP-TTLS using the securew2 client at EECS. We are just getting started with this next week so I don't have anything to report yet. However, I will keep you posted and be happy to hear your results as well.

Fred

Matt Ashfield wrote:

Hi All,

We're in the process of evaluating how our clients will connect to our new wireless network. For encryption/authentication, we ended up having to go with EAP-TTLS (users authenticate with username/password). Unfortunately to do this, we need to install the client from www.securew2.com to get this to work properly.

I'm just hoping to hear from people on this list who are also using this client and would like to know the support issues that arose from it. Offhand I can think of a few such as: installing and configuring the client, tech support and upgrades for new releases, as well as the ever-bothersome habit of laptops to come equipped with proprietary software to configure the wireless cards as opposed to just using windows.

Any feedback is appreciated.

Thanks
Matt Ashfield
[EMAIL PROTECTED]
RE: [WIRELESS-LAN] getting started with 802.1X?
Steve,

Cisco Press has a pretty decent book Network Security Architectures (ISBN: 158705115X) that has a section on 802.1X that provides some base knowledge. The rest of the book is a wealth of knowledge on other security topics. Granted it is a Cisco book and focused toward Cisco Networks. However, it does provide as a base for the topics in general. You might have a look at it.

Regards,
J. Bart Casey
Network Engineer
Wofford College

From: Steve Fletty [mailto:[EMAIL PROTECTED]
Sent: Friday, May 19, 2006 12:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] getting started with 802.1X?

Anyone got any pointers to any good overview docs on 1X?

--
Steve Fletty
Network Design Engineer
University of Minnesota
Guest Access
Hey All,

It has been deemed necessary by the powers that be that we provide some level of wireless access to guests on our campus. Some of these people might include members of the Media for athletic events, alumni visiting the campus, and guest professors/speakers. While I am not exactly thrilled about the idea, I can certainly understand the need. I would like some feedback on how other schools are handling issues such as this.

Our current wireless network is comprised solely of Cisco Aironet 1200 series APs. We use a single SSID which allows authenticated users to be placed in a wireless VLAN. We do not beacon our SSID. In order to connect to the wireless network, our users must know the SSID. We require users to install a secure certificate, and also require them to authenticate their domain user credentials against a radius server. We currently use IAS but are migrating to CSACS.

My initial plan is as follows:

- Determine which APs are going to provide this guest access. Guest access won't be necessary for all APs
- Configure the selected APs with a second SSID
- Create a new VLAN for the second SSID
- Place users who use the second SSID into the new VLAN
- Only allow the new VLAN to access the internet
- Limit the bandwidth to the internet to about 512Kbps (This should be sufficient for the Media's needs and allow any guest to check email etc.)
- Provide some sort of security but not as in depth as we currently use.

What are your comments on beaconing the new SSID?
What are your thoughts on security and encryption?
Does a user that connects to our network have expectations of security and encryption?
Are we obligated to provide some sort of security and encryption to protect these guest users?
At what point does administrative burden overcome security?

Your thoughts and ideas are greatly appreciated.

Thanks in advance,
J. Bart Casey
RE: [WIRELESS-LAN] Multiple VLANs configuration
First execute a couple of commands

1) sh int fa2/36 switchport

   Look at the output from this and see if your interface is actually in trunk mode

2) conf t
   int fa2/36
   switchport mode trunk

   This will turn trunking on

   Alternatively, you can do a
   switchport mode dynamic auto
   which sets the trunk negotiation to auto, or you can do a
   switchport mode dynamic desirable
   which sets the trunk negotiation to desirable

3) no spanning-tree portfast

4) sh vtp stat

   If you are using a VTP domain, you want to make sure your vtp domain info is correct as well

This should get you up and going

J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: Ranjit Philip [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 5:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Multiple VLANs configuration

We are currently testing setting up our Cisco Aironet 1100 and 1200 infrastructure with multiple VLANs

Our test device is statically configured for VLAN 168. We have another test VLAN 19 which we want to have trunked to the device. The access point is connected to a port on a Cisco 4500 chassis running native IOS. The port configuration that is currently on is:

    interface FastEthernet2/36
     switchport access vlan 168
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 168
     switchport trunk allowed vlan 1,19,168,998,999,1001-4094
     qos trust cos
     no snmp trap link-status
     tx-queue 3
       priority high
     spanning-tree portfast

If I do a 'sh vlan id 19' on the same switch it does not show the VLAN active on the same port

Should I be configuring the port differently to carry multiple VLANs to the access point? Any clues would be appreciated...

Ranjit Philip
ITR Network Engineering
California State University, Northridge
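Added example (not part of the original thread and not Cisco tooling): a small Python check that applies the reply's steps 2 and 3 to the port configuration posted in the question, and confirms VLAN 19 is already in the allowed list. The function names and finding labels are assumptions made for this illustration, and only the single-line "switchport trunk allowed vlan" form shown in the post is parsed.

```python
import re

# Port configuration as posted in the question (FastEthernet2/36 on the 4500).
POSTED_CONFIG = """\
interface FastEthernet2/36
 switchport access vlan 168
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 168
 switchport trunk allowed vlan 1,19,168,998,999,1001-4094
 qos trust cos
 no snmp trap link-status
 tx-queue 3
   priority high
 spanning-tree portfast
"""

# Constructed "after" stanza: steps 2 and 3 of the reply applied to the above.
FIXED_CONFIG = POSTED_CONFIG.replace(
    " spanning-tree portfast\n", " switchport mode trunk\n")


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,19,1001-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_trunk_port(config, wanted_vlans):
    """Return {label: message} for problems that keep VLANs off a trunk port."""
    findings = {}
    mode = re.search(r"^\s*switchport mode (.+?)\s*$", config, re.M)
    if mode is None or mode.group(1) != "trunk":
        current = mode.group(1) if mode else "not configured"
        findings["mode"] = f"switchport mode is {current}; trunking is not forced on"
    allowed = re.search(r"^\s*switchport trunk allowed vlan (\S+)\s*$", config, re.M)
    # With no allowed-list line, an IOS trunk carries every VLAN.
    permitted = parse_vlan_list(allowed.group(1)) if allowed else set(range(1, 4095))
    missing = sorted(set(wanted_vlans) - permitted)
    if missing:
        findings["allowed"] = f"VLANs not in the trunk allowed list: {missing}"
    if re.search(r"^\s*spanning-tree portfast\s*$", config, re.M):
        findings["portfast"] = "spanning-tree portfast is set on a port meant to trunk"
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_trunk_port(cfg, {19, 168}) or "no findings")
```

On the posted stanza this reports the missing trunk mode and the portfast line; the allowed list is not the problem, since VLAN 19 is already in it.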