Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas

2020-12-14 Thread Ciesinski, Nick
Hi Jesse


After reading your last email and me thinking about it I was starting to second 
guess myself and pulled a new 9105AX out of the box to connect it to our 9800.  
Yea, it sure doesn't enable the ports, and then I thought about it some more 
and realized that either I didn't have this issue with 1810 because they're 
different in some way than the 9105AX (as they're the same config syntax), or 
because I moved my 1810's from AirOS to IOS and as they were already enabled I 
didn't have to deal with it, or I was just delirious and forgot about this with 
the 1810's.  I'm leaning to a mixture of the 2nd and 3rd option.  As the more I 
think about it the more I recall seeing this in testing on the 9800 before 
migration and thinking "how dumb is this" but didn't end up having to deal with 
it as APs migrated with ports enabled.

Either way, here is something that can help you out.  I wrote a quick simple 
EEM script to look for 9105AX's Joining the controller and then enabling all 
the ports.  Probably don't want to run it all the time on your controllers and 
you can modify it as you see fit, maybe even streamline it a bit.  While I 
don't think it matters since the syslog output and commands should be the same 
this was written against 17.3.x code.

event manager applet enable-rlan-ports
 event syslog pattern "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN:.* Joined"
 action 050 set ap_model "null"
 action 100 regexp "^.*%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN:.* AP Name: (.*),.* Joined$" "$_syslog_msg" ignore ap_name
 action 150 cli command "enable"
 action 200 cli command "show ap name $ap_name config general | i Model"
 action 250 regexp ".*(C9105AXW).*" "$_cli_result" ignore ap_model
 action 300 if $ap_model eq "C9105AXW"
 action 350  syslog msg "C9105AX Joined Setting LAN Ports to Enabled"
 action 400  cli command "ap name $ap_name lan port-id 1 enable"
 action 450  cli command "ap name $ap_name lan port-id 2 enable"
 action 500  cli command "ap name $ap_name lan port-id 3 enable"
 action 550 end

Nick




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jesse Thomas 

Sent: Friday, December 11, 2020 8:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas

EXTERNAL EMAIL
Hi Eric and Nick,

I do not believe the traditional templates work for APs on the 9800 platform 
(we make heavy use of them for our AireOS hardware). I did give it a try and it 
returns a status of "Not Applicable", and the settings for the LAN ports are 
not changed. That said, the behavior we are experiencing could also be related 
to an SNMP bug between 17.3.2a and Prime. This is currently preventing us from 
using Prime to change names on these APs as well.

In Prime 3.8 there is a new section: Menu > Configuration > Cisco Catalyst 9800 
Configuration where you can create and deploy tags & profiles (matching what's 
on the WLC), but the trouble we've found is that there is no way to enable the 
LAN ports in this manner—either via Prime or directly on the WLC using 
tags/profiles. We have created an RLAN Profile and RLAN Policy to configure the 
basic settings, security, VLAN mapping, PoE, etc. and these all work as 
expected, but once this configuration is applied, the ports remain in a 
disabled state, and we've had to manually enable them on each AP. We have 
confirmed this behavior with TAC and our regional Cisco SE and are in the 
process of filing an enhancement request.

@Eric - would you be willing to share more detail on or off the list regarding 
"CSV uploads of MAC-to-AP name assignments"? If I am understanding this 
correctly, it may be something useful in our deployment workflow.

Thanks,


--
Jesse


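An offline dry-run of the applet's regular expressions, added here as an example and not part of Nick's message: it applies the same three patterns to constructed syslog lines and constructed "show ap name ... config general | i Model" output, so the name capture and the model guard can be checked before the applet is loaded on a controller. The layout of the join message, the AP names and MACs are assumptions; only the syslog mnemonic and the C9105AXW model string come from the post.

```python
import re

# Added example, not part of the original post: an offline dry-run of the EEM
# applet's matching logic, so its regular expressions can be checked against
# constructed syslog and CLI text before the applet is loaded on a controller.

# Same patterns as the applet's "event syslog pattern" line and its two
# "action ... regexp" lines. In the applet, "ignore" is not a flag: EEM's regexp
# action fills the first variable with the whole match, so "ignore" is a throwaway
# name and the capture group lands in the second variable (ap_name / ap_model).
JOIN_EVENT = re.compile(r"%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN:.* Joined")
AP_NAME_RE = re.compile(
    r"^.*%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN:.* AP Name: (.*),.* Joined$"
)
MODEL_RE = re.compile(r".*(C9105AXW).*")
TARGET_MODEL = "C9105AXW"
LAN_PORTS = (1, 2, 3)

# Constructed sample input. The layout of the real join message, the AP names, the
# MACs and the "show ap name ... config general | i Model" lines are all made up
# for this example; only the syslog mnemonic and the model string come from the post.
SYSLOG_JOIN_9105 = (
    "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: "
    "AP Event: AP Name: LIB-101-AX, MAC: 00aa.bbcc.dd01 Joined"
)
SYSLOG_JOIN_OTHER = (
    "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: "
    "AP Event: AP Name: GYM-200, MAC: 00aa.bbcc.dd02 Joined"
)
SYSLOG_DISJOIN = (
    "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: "
    "AP Event: AP Name: LIB-101-AX, MAC: 00aa.bbcc.dd01 Disjoined"
)
# If the real message carried a second comma after the name, the greedy "(.*),"
# would run to the last comma and the captured "name" would be wrong.
SYSLOG_TWO_COMMAS = (
    "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: "
    "AP Event: AP Name: LIB-101-AX, MAC: 00aa.bbcc.dd01, IP: 10.0.0.5 Joined"
)
# Constructed stand-in for the filtered show command output per AP name.
CLI_MODEL_OUTPUT = {
    "LIB-101-AX": "AP Model                                        : C9105AXW-B",
    "GYM-200": "AP Model                                        : C9105AXI-B",
}


def ap_name_from_syslog(msg):
    """Mirror of 'action 100': capture group 1, or None when nothing matched."""
    m = AP_NAME_RE.match(msg)
    return m.group(1) if m else None


def model_from_cli(cli_result):
    """Mirror of 'action 050' plus 'action 250': the model tag, or the "null" default."""
    m = MODEL_RE.match(cli_result)
    return m.group(1) if m else "null"


def commands_for_event(msg, cli_lookup=CLI_MODEL_OUTPUT.get):
    """Return the CLI lines the applet would push for one syslog message.

    cli_lookup stands in for running the show command on the controller: it maps
    an AP name to the single line the "| i Model" filter would leave behind.
    """
    if not JOIN_EVENT.search(msg):        # the event trigger would not fire
        return []
    name = ap_name_from_syslog(msg)
    if name is None:                      # 'action 100' captured nothing
        return []
    if model_from_cli(cli_lookup(name) or "") != TARGET_MODEL:   # 'action 300' guard
        return []
    return [f"ap name {name} lan port-id {port} enable" for port in LAN_PORTS]


if __name__ == "__main__":
    for line in (SYSLOG_JOIN_9105, SYSLOG_JOIN_OTHER, SYSLOG_DISJOIN, SYSLOG_TWO_COMMAS):
        print(commands_for_event(line) or "no action")
```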

Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas

2020-12-10 Thread Ciesinski, Nick
Are you talking about enabling the LAN ports from Prime or on the WLC itself?  
On the WLC itself the LAN ports are configured via the policy tag configuration 
in the RLAN-POLICY map section where you assign a RLAN to each port.  That 
policy tag then needs to be applied to the APs.

For applying tags I’ve personally moved away from having Prime statically 
assign APs tags like I used to do with AP groups in AirOS and instead have 
written regex rules on the WLC to automatically apply the tag based on the AP 
name.

Nick

On Dec 10, 2020, at 11:43 AM, Jesse Thomas <jtho...@hamilton.edu> wrote:

EXTERNAL EMAIL
Hi Everyone,

We are boldly moving forward with a deployment of two 9800-40s (HA pair) and 
about 400 of the new 9105AXW access points. We have encountered a couple of 
minor issues thus far and I am curious if anyone in the group has also 
experienced them and perhaps has some recommendations for workarounds.

1. Oddly, there does not appear to be a way to enable the LAN ports on the 
access points via a policy or tag within the RLAN configuration. We have 
confirmed this behavior with TAC and filed for an enhancement request. Our 
current plan is to export a list of all APs and then do a bulk configuration 
via the CLI.

2. We intend to manage this new setup via Prime Infrastructure and potentially 
move to DNAC once we retire our older equipment that is not supported on the 
new platform. However, there does not seem to be a straightforward way to apply 
existing tags/policies created on the WLC to APs within Prime, and 
documentation is sparse in this area.

Thanks for any insights you can provide on these topics.

Regards,


--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community




Re: Icing ISE 2.1 but where to jump

2020-07-16 Thread Ciesinski, Nick
ISE 2.7 is a stable release. Cisco released very few new features and instead 
focused a lot of bug fixes in 2.6 and 2.7.

I’d for sure recommend patch 1 as well as it fixes a display issue with the 
live logs for failed authentications.

Nick

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Bruce Boardman 
<00f864c74f72-dmarc-requ...@listserv.educause.edu>
Sent: Thursday, July 16, 2020 2:18:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Icing ISE 2.1 but where to jump

EXTERNAL EMAIL
We are having to leave our ISE 2.1 servers, in favor of a supported release. 
Cisco is recommending 2.7 patch 1 (for whatever that’s worth). Anybody got any 
experience good or bad with said release? FWIW we just use it for RADIUS.
Thanks Bruce

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



Re: [WIRELESS-LAN] WLC 8.10.121 Deferred

2020-06-26 Thread Ciesinski, Nick
Interesting. For us it’s like one particular area with one particular mode of 
AP we don’t have anyplace else.  It magically went away again today too. 

Nick 

Sent from my iPhone

> On Jun 26, 2020, at 5:12 PM, Paul Smith  wrote:
> 
> *EXTERNAL EMAIL*
> 
> Q. Are you by any chance running WPA2 + WPA3 Enterprise with both the WPA2 
> and WPA3 boxes checked?  We are currently on 8.10.121 and seeing this issue 
> as well primarily with Windows devices.  I have not seen any issues with Macs 
> and authentication.
> 
> A. No. WPA2 + WPA3, but only WPA2 is checked. I will experiment with this 
> when I get back to the office. The big problem is it's impacting Windows 10 
> PCs. We have not seen the issue with iPhones or Android devices, but there 
> may not be enough of them on campus right now to say for sure (we don't have 
> a summer semester). We do have Macs having a similar issue, but forgetting 
> the SSID and re-selecting fixes any auth issues we see there.
> 
> Q. FYI:   I noticed that  "over-the-ds" setting changed when we upgraded from 
> 8.5 to 8.10.121.0.  There may be other settings that changed as well.
> 
> A. One of the engineers mentioned another setting was different (sorry, can't 
> remember which it was), but then he called me right back and said that wasn't 
> the issue. I believe there was something he found in the logs based on the 
> conversation, so hopefully we'll have more info soon. It might've been beacon 
> related, but I could have that planted in my head from an earlier post.
> 
> Q. There was a memory leak in the AP. Clients were not moving from 
> authentication to the AP through the association phase on the 
> controller (these terms seem backwards to me -- authentication is 
> finding the AP, association is the 802.1x/radius part). The AP was not 
> forwarding the association PDU to the controller (so the radius servers never 
> got to see request let alone send a rejection). Rebooting the AP at the time 
> /might/ fix the problem, but if a large number of clients immediately 
> connected to the newly rebooted AP it ran out of memory and became 
> semi-operational again. I'd check the AP rather than the controller logs to 
> see what it's reporting.
> 
> A. There's not an AP model on the campus that we've found the behavior any 
> different. In our office where we test, it's a 2802 ... but the issue exists 
> with the 3800's and even the new 9100's as well.
> 
> Q. Have you tested your Android devices with FT disabled? (instead of FT 
> Adaptive). I would be curious to hear what results you get.
> 
> A. We haven't seen any issues with Android devices (yet), but we don't have 
> enough on the campus to say for sure. We did go Adaptive at the suggestion of 
> Cisco and a Presidio engineer because of some issues with iPads. So, I 
> wouldn't be keen to change that.
> 

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Re: [WIRELESS-LAN] eduroam ssid on RTS

2018-08-20 Thread Ciesinski, Nick
We use Cisco 829’s for vehicles here, mainly squad cars, and have just been 
asked to add wifi hotspots to some shuttle buses.  My plan is to use the same 
Cisco 829’s for that as well.  For our currently deployed 829’s we use cellular 
unlimited data plans from ATT and Verizon.  The units connect back to campus 
via a FlexVPN config on the routers to two ASR1000’s acting as redundant hubs.  
We use BGP within the FlexVPN to exchange routes on the 829’s and the campus.  
Depending on the particular setup we either tunnel all traffic back to campus 
or only tunnel campus bound traffic.  We do this by setting up different BGP 
dynamic listen ranges with different peer-group configurations to determine 
what routes we send to the particular 829.

We use the built in AP on the 829.  While it is only 802.11n AP I doubt you 
will find a cellular carrier who can transmit/receive at the full rate of 
802.11n for it to matter, if you do let me know what carrier that is :)

We have the APs in autonomous mode vs capwap back to the controller.  While it 
has been considered to run them via capwap we currently are not just to be 
consistent as we also use the 829 wifi radios for wifi backhaul as a work group 
bridge (WGB) and just wanted to maintain consistency with the mode the AP is in 
on the 829’s.  Plus there is no additional capwap overhead to worry about.  You 
still have the ability on the autonomous config to point to a RADIUS server for 
authentication so you can still utilize eduroam for 802.1x.

We have been able to use these same 829’s on some camera trailers as well where 
they are constantly transmitting video over cellular and haven’t had any issues 
with the unlimited data plans.  Each carrier is different in how they handle 
unlimited plans.  For instance some may throttle after a certain amount on the 
entire network while others based on tower.  With something mobile like a bus 
it's probably not going to be an issue of being throttled if it's a carrier by 
tower since you're constantly moving.  Some, such as ATT have told me they only 
throttle you if the tower is congested and you are above a certain monthly 
bandwidth usage.

Happy to talk more with you about what we have done.

Nick Ciesinski

On Aug 16, 2018, at 9:08 AM, Watson,Nancy A <nwat...@ufl.edu> wrote:


We have eduroam on our Cisco Campus Controllers working well.  I need to 
transition from campus to a bus and have that be a good experience over 4G.  I 
am looking for someone that has done eduroam on buses and how they approached 
that.


I am testing mobile routers on the bus, included in the test are pepwave, 
cradlepoint and cisco 829.  I am using a Cisco AP with the non-Cisco vendor to 
build a capwap tunnel back to campus over 4G.  On the Cisco 829 I am using an 
embedded ap with capwap tunnel.  I also have a dmvpn 829 setup with embedded ap.


There may be another solution that I am missing.


Thank you for your response.

Nancy



 Nancy Watson
 Engineer, Network Services - UFIT
 nwat...@ufl.edu, (352) 273-1057

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Yahya M. Jaber 
<yahya.ja...@kaust.edu.sa>
Sent: Thursday, August 16, 2018 9:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam ssid on RTS

Hi Nancy,

To be exact, what kind of info do you want? How to setup eduroam? How to setup 
wifi on buses?

Yahya Jaber.
Sr. Wireless Engineer
IT Network & Communications – Engineering
Building 14, Level 3, Rm 308-WS07
KAUST 23955-6900 Thuwal, KSA

Email yahya.ja...@kaust.edu.sa
Office +966 (0) 12 8081237
Mobile +966 (0) 558697555
On Call Rotation Mobile: +966 54 470 1177

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watson,Nancy A
Sent: Thursday, August 16, 2018 15:10
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] eduroam ssid on RTS


I am involved in a joint project with RTS to run eduroam on the city buses 
that pass through our campus to service the students.  We are currently a Cisco 
Shop and I was curious if anyone has done anything like this with Cisco or any 
other vendor.


Thanks,
Nancy

 Nancy Watson
 Engineer, Network Services - UFIT
 nwat...@ufl.edu, (352) 273-1057
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


Re: [WIRELESS-LAN] Cisco Code Version

2017-08-06 Thread Ciesinski, Nick
I think it may be possible but there are a few hurdles to get over.  Cisco is 
using the catch all RADIUS attribute cisco-av-pair for the IPSK which means the 
return value has to be formatted a certain way and not just returning a PSK.


You first need to return a value of psk-mode=ascii which is easy since it's the 
same for every device.  Then you need to return the actual PSK formatted as 
psk=.  I have never seen an option within ISE (nor ACS from my 
remembrance) to be able to build a value; it's either all manually typed in or 
all gotten from another source.  This would mean actually storing "psk=" as an 
attribute value in your AD.  Obviously not that hard to do if you 
are already writing your own interface to get items into AD in the first place.


What I am unsure about is the ability to actually send back a value you get 
from AD in the RADIUS return result.  While in ISE I can choose an AD attribute 
from the selection criteria I don't know if it will actually send the value for 
the particular user/device or just the attribute name from AD.  I have seen ISE 
allow you to select things like AD:Objectname but instead of it returning a 
value it returns "AD:Objectname".  It's been years since I have used ACS but 
recall it working similarly when building your rules and return results.


It is worth testing in a lab to see what it will actually return, if it's the 
actual value from AD I'd say you're good to go.


Nick



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <hf0...@uah.edu>
Sent: Friday, August 4, 2017 4:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Code Version

You're right, I had misread that.

Upon reading it that way, though, isn't that fine too? The person's device 
reports its MAC, and then ACS or any other RADIUS just responds with that MAC's 
owner's assigned PSK. If the device's MAC isn't known, we just respond with an 
empty or garbage PSK to prevent them authenticating.

On Fri, Aug 4, 2017 at 4:13 PM Ciesinski, Nick <ciesi...@uww.edu> wrote:
I think you're going to have the same problem with ACS as there is with ISE.  The 
controller does not send the PSK the user used to the RADIUS server for 
verification/validation.  Instead the RADIUS server will send back the PSK 
value the user/device should be using and the WLC does the 
verification/validation based on that return value.

Nick

On Aug 4, 2017, at 4:02 PM, Hunter Fuller <hf0...@uah.edu> wrote:

Yep - we use Cisco ACS, backed with AD. Should be able to just add another rule 
to our ruleset, then configure iPSK on the controllers. Then it would check the 
PSK against AD, as the machine password for the machine account. (We already 
make machine accounts for registered MACs of game consoles, etc.)

On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold <joac...@tingvold.com> wrote:
On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
> While WLC 8.5 did add IPSK it is probably safe to say it's rather
> worthless for most at this time.  For those who have used ISE if you
> watch the video on how they make IPSK work it isn’t feasible to give
> each of your users their own PSK key to connect to wireless.  The
> current implementation within ISE required no feature additions to ISE
> to make it work.  All they do is have a rule to classify a device
> and/or user and then send a particular PSK value that it should be
> using.  This is a 100% manual process  for each device and/or user as
> nothing is baked into ISE to have a user register their account or
> device(s) and be presented a PSK to use.

IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
is not (even in its current implementation). The limitations you're
talking about are purely with ISE, and not IPSK.

We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
mappings, yielding unique PSKs based on MAC addresses. This SQL DB could
be fed via whatever systems already exist (CMDB or whatnot), or
you could spend an hour making a simple web-frontend.

The only thing holding us back upgrading to 8.5 "right away" (only to
get IPSK) is the same concern Lee has; not touching it until MR3 or
similar, purely for stability reasons (-:

--
Joachim

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
--

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
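The RADIUS side of iPSK as this thread describes it (MAC filtering with AAA override, and the server answering with the cisco-av-pair values psk-mode=ascii and psk=<value> that the WLC then checks the client's key against), as an added example that is not code from anyone on the list. A constructed MAC-to-PSK table stands in for the AD attribute or SQL table discussed; unknown MACs get an Access-Reject; and the av-pairs are encoded as RFC 2865 Vendor-Specific attributes (Cisco enterprise number 9, vendor type 1 for cisco-avpair) so the bytes can be inspected and decoded.

```python
import struct

# Added example, not part of any post on this list: a minimal, offline model of the
# RADIUS side of Cisco iPSK as the thread describes it. The WLC sends the client's
# MAC (MAC filtering / AAA override); the server answers with two cisco-av-pair
# values, "psk-mode=ascii" and "psk=<value>", and the WLC compares the client's key
# against that returned value. MACs with no mapping get an Access-Reject.

VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor type of cisco-avpair inside the VSA
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Constructed MAC -> PSK mapping, standing in for the AD attribute or SQL table the
# thread mentions. Keys are normalized: 12 lower-case hex digits, no separators.
PSK_TABLE = {
    "00aabbccdd01": "Lib-Printer-7kQ2",
    "00aabbccdd02": "Dorm-Console-9xA4",
}


def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.., aabb.ccdd.eeff or bare hex; return 12 lower-case hex chars."""
    hexchars = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexchars) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexchars


def cisco_avpair(value):
    """Encode one cisco-avpair string as an RFC 2865 Vendor-Specific attribute."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", VENDOR_CISCO) + vendor_part
    if 2 + len(body) > 255:               # attribute length is a single byte
        raise ValueError("av-pair too long for one VSA")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_avpairs(attrs):
    """Walk a byte string of RADIUS attributes and return the cisco-avpair strings in it."""
    out, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                out.append(attrs[i + 8:i + 6 + vlen].decode("ascii"))
        i += alen
    return out


def ipsk_response(calling_station_id):
    """Return (RADIUS code, attribute bytes) for a MAC-auth request from the WLC."""
    try:
        key = PSK_TABLE.get(normalize_mac(calling_station_id))
    except ValueError:                    # garbage Calling-Station-Id
        key = None
    if key is None:
        return ACCESS_REJECT, b""
    return ACCESS_ACCEPT, cisco_avpair("psk-mode=ascii") + cisco_avpair("psk=" + key)


if __name__ == "__main__":
    for mac in ("00:aa:bb:cc:dd:01", "00aa.bbcc.dd99"):
        code, attrs = ipsk_response(mac)
        print(mac, code, decode_avpairs(attrs))
```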

Re: [WIRELESS-LAN] Cisco Code Version

2017-08-04 Thread Ciesinski, Nick
I think you're going to have the same problem with ACS as there is with ISE.  The 
controller does not send the PSK the user used to the RADIUS server for 
verification/validation.  Instead the RADIUS server will send back the PSK 
value the user/device should be using and the WLC does the 
verification/validation based on that return value.

Nick

On Aug 4, 2017, at 4:02 PM, Hunter Fuller <hf0...@uah.edu> wrote:

Yep - we use Cisco ACS, backed with AD. Should be able to just add another rule 
to our ruleset, then configure iPSK on the controllers. Then it would check the 
PSK against AD, as the machine password for the machine account. (We already 
make machine accounts for registered MACs of game consoles, etc.)

On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold <joac...@tingvold.com> wrote:
On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
> While WLC 8.5 did add IPSK it is probably safe to say it's rather
> worthless for most at this time.  For those who have used ISE if you
> watch the video on how they make IPSK work it isn’t feasible to give
> each of your users their own PSK key to connect to wireless.  The
> current implementation within ISE required no feature additions to ISE
> to make it work.  All they do is have a rule to classify a device
> and/or user and then send a particular PSK value that it should be
> using.  This is a 100% manual process  for each device and/or user as
> nothing is baked into ISE to have a user register their account or
> device(s) and be presented a PSK to use.

IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
is not (even in its current implementation). The limitations you're
talking about are purely with ISE, and not IPSK.

We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
mappings, yielding unique PSKs based on MAC addresses. This SQL DB could
be fed via whatever systems already exist (CMDB or whatnot), or
you could spend an hour making a simple web-frontend.

The only thing holding us back upgrading to 8.5 "right away" (only to
get IPSK) is the same concern Lee has; not touching it until MR3 or
similar, purely for stability reasons (-:

--
Joachim

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
--

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure



Re: [WIRELESS-LAN] Cisco Code Version

2017-08-01 Thread Ciesinski, Nick
While WLC 8.5 did add IPSK it is probably safe to say it's rather worthless for 
most at this time.  For those who have used ISE if you watch the video on how 
they make IPSK work it isn’t feasible to give each of your users their own PSK 
key to connect to wireless.  The current implementation within ISE required no 
feature additions to ISE to make it work.  All they do is have a rule to 
classify a device and/or user and then send a particular PSK value that it 
should be using.  This is a 100% manual process  for each device and/or user as 
nothing is baked into ISE to have a user register their account or device(s) 
and be presented a PSK to use.

What's there now is good for having multiple PSKs for different device types or 
user bases (such as all students), it isn't that PPSK solution like others have. 
Hopefully an ISE improvement will come at some point in the near future to 
allow a true per user PSK experience.

Granted using a 3rd party RADIUS server and writing your own interface would 
allow you to issue a PSK per user, not everyone has time for that.

--
Nick Ciesinski, Network Architect
University of Wisconsin - Whitewater
Office: MG208A | Phone: 262-472-7774
E-mail: ciesi...@uww.edu | SIP: 
ciesi...@uww.edu
PGP Key ID: 0x83042F05
--

On Jul 31, 2017, at 11:13 PM, Jason Cook wrote:

Thanks, I am aware it’s any radius server so it seems I identified my issue a 
bit hastily… or not at all ☺
It’s been a while since I played with an Aerohive AP but 3 years ago it was so 
easy to get this up and running on a single AP with different vlans and there’s 
self-registration as well. There were enterprise concerns about how that scales 
and redundancy back then and I haven’t followed the progress of that.

The radius method means it’s not quite an out of the box solution that was so 
simple with PPSK, but perhaps this is architecture requirements…  I guess it 
might be that easy if you're using ICE. We are pretty keen to use this at some 
level, ideally with self-rego offering. Using freeradius I’m sure we can 
achieve this, but ongoing management could become interesting/a fair bit of 
development for the self-rego. No doubt we’ll look further into it in a couple 
of months once a few other priorities are ticked off.

Regards

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Samuel Clements
Sent: Tuesday, 1 August 2017 11:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Code Version

From the iPSK config guide at:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.pdf

"IPSK can be configured on any AAA serer that supports Cisco av-pair."

 -Sam
This email sent from a mobile computing device. Please excuse typos and brevity.

On Jul 31, 2017, at 8:40 PM, Mccormick, Kevin wrote:
I just looked at the IPSK video from CIsco here.

https://www.youtube.com/watch?v=deEv-aNXfL0

Not 100% sure ISE is required by the sound of the video.

They say a radius serve such as ISE, and of course Cisco is going to try and 
sell you ISE.

They are using two Cisco-AV-Pairs which are psk-mode=ascii and psk=, 
along with MAC filtering and AAA override.

You maybe able to pass those Cisco-AV-Pairs with any radius server.

Kevin McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b

On Mon, Jul 31, 2017 at 6:57 PM, Jason Cook wrote:
There are a lot of resolved caveats in the 160 release for the 2800/3800 series. 
We’ve only got a handful of 2800’s operational but a lot to be installed, have 
hit 1 issue but haven’t identified it with a known bug yet.

Despite showing “users connected” to an AP, new users couldn’t join. I 
certainly couldn’t and you wouldn’t necessarily connect to a neighbouring AP 
with strong signal. Rebooting the AP resolved it, came across it on 2 out of 16 
AP’s last week. Due to impact we couldn’t get right into troubleshooting or 
logging a case, but intend to if it returns. Hopefully it’s not on critically 
located APs this time.

At this stage likely we’ll be testing and migrating to 8.2.160 (from 8.2.151) 
in the next few weeks

Was keen to begin playing with 

Re: [WIRELESS-LAN] Cisco ISE 2.0 Warning

2015-12-03 Thread Ciesinski, Nick
Jeff,

I have run into a bunch of other issues, I would say none are service impacting 
like the ones I mentioned earlier.  The rumor I heard is the second issue about 
ciphers will be resolved in patch 2 and the plan is they will add the old 
ciphers back in as they work through a long term plan.   Some of the other 
issues I have seen are license usage counts are all messed up, it isn’t 
acknowledging the accounting stop.  Some high load alarms on monitoring nodes 
(seems to be fixed with TAC making some changes on the oracle setup on the 
boxes), and sometimes the live log screen is slow to load (still working 
through this one).

We did get the TACACS license and plan to start working on the migration of 
TACACS stuff from our ACS deployment.  Working through the issues put TACACS in 
the backseat for a little bit.

Nick


On Dec 3, 2015, at 9:12 AM, Jeff Obrizok <jeff.obri...@marist.edu> wrote:

Thanks for the intel.  I was told to wait for ISE 2.0 Patch 1 (which will now 
be patch 2, because of that emergency patch).

Any other issues you are experiencing?  Did you get the TACACS license for it?

Thanks,
Jeff Obrizok
Marist College


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Ciesinski, Nick <ciesi...@uww.edu>
Sent: Tuesday, December 1, 2015 10:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco ISE 2.0 Warning



For those of you who are using the Cisco Identity Service Engine (ISE) product 
I wanted to provide some warnings to anyone thinking about moving to the 2.0 
release. There are several EAP device connectivity issues that could impact 
your site.

First, when ISE 2.0 was released it added support for TLS 1.2 in EAP messages. 
Somehow with all the summer news from Google about them adding TLS 1.2 in 
Android 6.0 (Marshmallow) Cisco missed testing Android 6.0 before ISE 2.0 
release and as such Android 6.0 clients couldn’t connect. To make matters worse 
the Windows 10 big November update either added or modified its EAP TLS 1.2 
support and machines that upgraded had the same fate as the Android 6.0 
clients; not able to connect. The good news is Cisco released a patch last week 
for ISE 2.0 to fix the TLS 1.2 problems for these devices, so make sure you 
install that patch right away, it is the only thing the patch fixes. The Cisco 
bug on this issue is CSCuw88770.

In addition to the issues with Android 6.0 and Windows 10, ISE 2.0 removed all 
legacy RC4 and DES ciphers. This causes issues with any device that does not 
support newer, more secure ciphers in their EAP messages. The devices will not 
be able to connect with any EAP method as they can't complete the handshake. In 
our testing this impacted all Cisco Wireless 792X phones in addition to some 
Windows Point Of Sale Embedded OS machines. For the Windows POS devices we 
were able to find an update from Microsoft to add newer cipher support. I am 
sure there are more devices than this that will have issues, but these are the 
devices we found in testing. This issue is not fixed yet. The Cisco bug on this 
issue is CSCux27365.

Hope this helps anyone thinking about going to ISE 2.0!

Nick Ciesinski
University of Wisconsin - Whitewater


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Cisco ISE 2.0 Warning

2015-12-01 Thread Ciesinski, Nick
For those of you who are using the Cisco Identity Service Engine (ISE) product 
I wanted to provide some warnings to anyone thinking about moving to the 2.0 
release.  There are several EAP device connectivity issues that could impact 
your site.

First, when ISE 2.0 was released it added support for TLS 1.2 in EAP messages.  
Somehow, with all the summer news from Google about them adding TLS 1.2 in 
Android 6.0 (Marshmallow), Cisco missed testing Android 6.0 before the ISE 2.0 
release, and as such Android 6.0 clients couldn't connect.  To make matters 
worse, the Windows 10 big November update either added or modified its EAP TLS 
1.2 support, and machines that upgraded had the same fate as the Android 6.0 
clients: not able to connect.  The good news is Cisco released a patch last 
week for ISE 2.0 to fix the TLS 1.2 problems for these devices, so make sure 
you install that patch right away; it is the only thing the patch fixes.  The 
Cisco bug on this issue is CSCuw88770.

In addition to the issues with Android 6.0 and Windows 10, ISE 2.0 removed all 
legacy RC4 and DES ciphers.  This causes issues with any device that does not 
support newer, more secure ciphers in their EAP messages.  The devices will not 
be able to connect with any EAP method as they can't complete the handshake.  
In our testing this impacted all Cisco Wireless 792X phones in addition to some 
Windows Point Of Sale Embedded OS machines.  For the Windows POS devices we 
were able to find an update from Microsoft to add newer cipher support.  I am 
sure there are more devices than this that will have issues, but these are the 
devices we found in testing.  This issue is not fixed yet.  The Cisco bug on 
this issue is CSCux27365.

Hope this helps anyone thinking about going to ISE 2.0!

Nick Ciesinski
University of Wisconsin - Whitewater
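The cipher-removal failure mode described in this post is something you can check for before an upgrade rather than after: the client's TLS ClientHello, carried inside the EAP-TLS/PEAP exchange, lists every cipher suite it is willing to use, so a supplicant that only offers RC4/DES/3DES suites is going to fail the handshake against a server that no longer has them. The following is an added example, not code from the post or from Cisco ISE. It assumes the EAP-TLS framing from RFC 5216 (PEAP, EAP type 25, frames the TLS data the same way), uses cipher-suite code points from the IANA TLS registry, and builds its own sample packets inline; the `LEGACY_SUITES` set is this example's own list of the RC4/DES families, not a Cisco-published one.

```python
"""Flag 802.1X supplicants whose TLS ClientHello offers only RC4/DES/3DES suites.

Added example: parses an EAP-Response/EAP-TLS packet (RFC 5216 framing), pulls the
ClientHello cipher-suite list out of the TLS record, and reports whether the client
would be left with nothing once the legacy suites are removed server-side.
"""
import struct

EAP_RESPONSE = 2
EAP_TYPE_TLS = 13        # EAP-TLS; PEAP is type 25 and uses the same flags/length framing
EAP_TYPE_PEAP = 25
FLAG_L = 0x80            # "TLS message length included" flag in the EAP-TLS flags byte

# IANA code points for the RC4/DES/3DES families (this example's own watch list).
LEGACY_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(suites, version=(3, 1)):
    """Construct a minimal TLS ClientHello record (constructed test input, not a capture)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"          # client_version, random, empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def wrap_eap_tls(tls, identifier=1, eap_type=EAP_TYPE_TLS):
    """Wrap a TLS record in one EAP-Response/EAP-TLS packet with the L flag set."""
    payload = bytes([eap_type, FLAG_L]) + struct.pack(">I", len(tls)) + tls
    return struct.pack(">BBH", EAP_RESPONSE, identifier, 4 + len(payload)) + payload


def unwrap_eap_tls(pkt):
    """Return the TLS data carried by an EAP-TLS/PEAP packet, validating the framing."""
    code, _ident, length = struct.unpack(">BBH", pkt[:4])
    if code not in (1, 2) or length != len(pkt) or pkt[4] not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        raise ValueError("not an EAP-TLS/PEAP packet")
    flags = pkt[5]
    offset = 10 if flags & FLAG_L else 6   # 4-byte TLS length field only present with L set
    return pkt[offset:]


def parse_client_hello(tls):
    """Return (client_version, [cipher suite codes]) from a ClientHello record."""
    if tls[0] != 0x16 or tls[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello record")
    p = 9                                   # record header (5) + handshake header (4)
    client_version = (tls[p], tls[p + 1]); p += 2
    p += 32                                 # random
    p += 1 + tls[p]                         # session_id
    n = struct.unpack(">H", tls[p:p + 2])[0]; p += 2
    suites = [struct.unpack(">H", tls[p + i:p + i + 2])[0] for i in range(0, n, 2)]
    return client_version, suites


def assess_supplicant(eap_pkt):
    """Classify a supplicant: does anything survive once the legacy suites are gone?"""
    version, suites = parse_client_hello(unwrap_eap_tls(eap_pkt))
    modern = [s for s in suites if s not in LEGACY_SUITES]
    return {
        "tls_version": version,            # (3, 1) = TLS 1.0, (3, 3) = TLS 1.2
        "offered": suites,
        "legacy_only": not modern,         # True means the handshake cannot complete
        "legacy_names": [LEGACY_SUITES[s] for s in suites if s in LEGACY_SUITES],
    }


# Constructed samples: a legacy-only embedded client and a modern client that still
# lists one RC4 suite as a fallback but has AES/GCM choices as well.
LEGACY_CLIENT = wrap_eap_tls(build_client_hello([0x0004, 0x0005, 0x0009, 0x000A]))
MODERN_CLIENT = wrap_eap_tls(build_client_hello([0xC02F, 0x002F, 0x0005], version=(3, 3)))

if __name__ == "__main__":
    for name, pkt in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(name, assess_supplicant(pkt))
```

In practice you would feed `assess_supplicant` the first EAP-Response/EAP-TLS fragment from a RADIUS packet capture (the ClientHello is inside the EAP-Message attribute) for each client type you care about, and anything reporting `legacy_only` is a device that needs a firmware or OS update before the RADIUS server drops those suites.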


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Wireless Options in Athletic Buses

2015-11-18 Thread Ciesinski, Nick
Daniel,

Several years back Cisco had a similar setup in some transportation buses for 
their Cisco Live conference to showcase some technology.  The devices would 
give wifi access to passengers over cellular when away from the conference 
center and when the bus got close it would switch over to the conference wifi 
for the backhaul.  They also had a small camera in the bus transmitting footage 
back to the demo booth.

They did this with Cisco 819 hardened routers.  Since then we have implemented 
a similar setup in our police squads.  While it works great the only concern I 
would have for a bus load of students is the speed of the cellular connection 
and carrier download caps and overage billing.

If you want to know more about what we did let me know.

Nick Ciesinski
University of Wisconsin - Whitewater

On Nov 18, 2015, at 11:56 AM, Daniel Wurst wrote:

Hi,

This is my first post in this group.  I have really enjoyed being a part of 
this group and have learned quite a bit, so thank you to all members.

Recently I was asked if there was a way we could supply wireless connectivity 
in our athletic buses for student athletes as they travel to sporting events.  
My thoughts would be some kind of cellular network hot spot that the students 
could log into with their devices.

I was wondering if other Universities have attempted anything like this or have 
any hot spot devices they would recommend for this use.

Appreciate any feedback on this topic.

Thank you,

--
Daniel Wurst
Network Engineer II
Denison University
Fellows 003B
wur...@denison.edu
740-587-6229
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.






Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-16 Thread Ciesinski, Nick
This is the access key  AV3Q6TQB.  I can’t add you for some reason.  Did your ID 
change in CCW?

Nick
On Oct 16, 2015, at 10:11 AM, Walter Reynolds wrote:

Since you mention in the thread that you have Cisco with a FreeRADIUS backend, I 
thought I would point out that if you are doing PEAP/MSChapv2 the bottleneck is 
winbind/samba, and that it is based on auths per second, not purely the auth 
requests that show up in total requests.

That being said, our heaviest loaded Freeradius box seems to be hitting max and 
we have hit as high as 150 auths/sec with an average of 80/sec over a minute 
window.

Standalone two-processor quad-core Intel Xeon X5570 @ 2.93GHz with 6 GB RAM

A VM with a single quad-core CPU and 8 GB RAM seems to be peaking at 80/sec with 
a one minute avg of 60/sec



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford wrote:
I’m currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I’m up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
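Both posts above are about the same measurement: how many authentications per second each controller actually drives at the RADIUS server, and how that compares with the peak a FreeRADIUS box can sustain. The most direct place to get that number is the RADIUS server's own log. The following is an added example, not code from either poster; it assumes the `radius.log` line format FreeRADIUS writes for authentication results ("Auth: Login OK: [user] (from client NAS port N cli MAC)") and builds a handful of constructed lines for two controllers inline. Rejects are counted as well as successes, because a failed PEAP/MSCHAPv2 attempt costs the same winbind round trip as a successful one.

```python
"""Measure per-NAS RADIUS authentication rate from FreeRADIUS-style radius.log lines.

Added example: groups "Auth:" lines by NAS (the WLC) and by second and by minute,
and reports total, reject count, peak auths in any one second, and the busiest
one-minute average. Only the Auth result lines are counted; accounting, proxy and
module chatter is ignored.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Line format assumed from FreeRADIUS 2.x/3.x radius.log; adjust the regex if yours differs.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect|Invalid user): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f-]+)\)"
)


def parse_auth(line):
    """Return (timestamp, nas_client, result, user) for an Auth line, else None."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("client"), m.group("result"), m.group("user")


def auth_rates(lines):
    """Per-NAS totals, reject count, peak auths/sec, and busiest one-minute average."""
    per_sec = defaultdict(Counter)   # client -> Counter{second: n}
    per_min = defaultdict(Counter)   # client -> Counter{minute: n}
    rejects = Counter()
    for line in lines:
        rec = parse_auth(line)
        if rec is None:
            continue                 # not an Auth result line
        ts, client, result, _user = rec
        per_sec[client][ts] += 1     # every attempt is a full EAP exchange, OK or not
        per_min[client][ts.replace(second=0)] += 1
        if result != "Login OK":
            rejects[client] += 1
    report = {}
    for client in per_sec:
        peak_min, peak_min_n = max(per_min[client].items(), key=lambda kv: kv[1])
        report[client] = {
            "total": sum(per_sec[client].values()),
            "rejects": rejects[client],
            "peak_per_sec": max(per_sec[client].values()),
            "peak_minute": peak_min.strftime("%H:%M"),
            "peak_minute_avg_per_sec": round(peak_min_n / 60, 3),
        }
    return report


def _line(ts, client, result="Login OK", user="jdoe"):
    """Build one constructed radius.log line in the assumed format."""
    return f"{ts} : Auth: {result}: [{user}] (from client {client} port 13 cli 00-11-22-33-44-55)"


# Constructed sample: a burst on wlc-1 at 10:11:00, a trickle after, one auth on wlc-2,
# and one non-Auth line that must be ignored.
SAMPLE_LOG = (
    [_line("Fri Oct 16 10:11:00 2015", "wlc-1") for _ in range(5)]
    + [_line("Fri Oct 16 10:11:01 2015", "wlc-1") for _ in range(3)]
    + [_line("Fri Oct 16 10:11:59 2015", "wlc-1", "Login incorrect", "badpass") for _ in range(2)]
    + [_line("Fri Oct 16 10:12:00 2015", "wlc-1")]
    + [_line("Fri Oct 16 10:11:00 2015", "wlc-2")]
    + ["Fri Oct 16 10:11:30 2015 : Info: rlm_sql (sql): Connected to database"]
)

if __name__ == "__main__":
    for client, stats in sorted(auth_rates(SAMPLE_LOG).items()):
        print(client, stats)
```

Run it against a real day's `radius.log` (`auth_rates(open("/var/log/freeradius/radius.log"))`) and compare `peak_per_sec` per controller with the ceilings quoted above; the one-minute average tells you how much of that peak is sustained rather than a single roam storm.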





Re: [WIRELESS-LAN] iPhone6s Can't Browse/Re-direct Whilst in Captive Portal with Webauth

2015-09-28 Thread Ciesinski, Nick
Curtis,

I have an iPhone 6S on 9.0.1 and don’t have the issue, but our helpdesk has 
reported to me a few users who do have this same issue.  It wasn’t limited to 
iPhone 6Ss, though, just iOS 9.0.1.

Nick Ciesinski

> On Sep 28, 2015, at 1:35 PM, Curtis K. Larsen wrote:
> 
> Hello,
> 
> A new iPhone (iOS 9.0.1 Build 13A405) can't browse any pages in our guest 
> captive portal. The portal uses webauth and RADIUS-NAC. All other devices 
> seem to work fine and get redirected when they browse to any HTTP site. For 
> some strange reason only this iPhone 6S will not. 
> 
> Also, any sites permitted thru our Pre-Auth-ACL are not being allowed, yet 
> for all other devices it seems to work fine.  Anyone else seeing this?
> 
> 
> Thanks,
> 
> Curtis Larsen
> University of Utah IT/CIS
> Sr. Network Engineer
> Office 801-587-1313
> 
> 
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.





Re: [WIRELESS-LAN] Sanity check- spontaneously changing WLC configs- is it just us?

2015-09-14 Thread Ciesinski, Nick
Lee,


  *   APs renaming themselves  - YES
  *   Clean Air getting wholesale disabled on a controller - NO
  *   APs that way back when were config’d with static IP addresses, but that 
have been using DHCP for years, going back to showing static IPs configs - NO
  *   APs taking themselves out of a given AP group to default - NO

Let me add one that we see not on your list.


  *   APs that had a controller preference order set remove all controllers and 
go back to the default blank setting.

Nick Ciesinski



On Sep 14, 2015, at 2:24 PM, Lee H Badman wrote:

Not so much looking for a solution here, but wondering if anyone else has seen 
similar. Having been on the Cisco thin thrill ride for almost a decade now, 
I’ve always been of the mind that gremlins like to make odd little config 
changes over time in the WLCs. Lately I’ve found:


  *   APs renaming themselves
  *   Clean Air getting wholesale disabled on a controller
  *   APs that way back when were config’d with static IP addresses, but that 
have been using DHCP for years, going back to showing static IPs configs
  *   APs taking themselves out of a given AP group to default


The odd thing is lack of pattern. An AP or two from a controller or a building, 
but not others from the same general grouping. Basically configs that have been 
in place for months or years and several code versions just changing on a small 
percentage of APs with no seeming rhyme or reason. Very few hands are allowed 
anywhere near the important parts of the soup, and I know it’s not a matter of 
human error.

Does anyone else experience anything like this?

-Lee

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
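The thread above is a list of symptoms with no pattern, and the practical check for that is a periodic snapshot of the AP settings that keep changing, diffed against the previous one, so a renamed AP or a blanked controller preference is caught the day it happens instead of months later. The following is an added example, not code from either poster or from Cisco. The snapshot layout is this example's own (a dict per AP keyed by the AP's Ethernet MAC, with field names chosen for the example rather than controller CLI keywords); how you populate it, whether from a scheduled `show ap` export, SNMP or a management API, is up to you. Keying by MAC rather than by name matters here, since one of the reported symptoms is APs renaming themselves, and a name-keyed diff would show that as one AP vanishing and another appearing.

```python
"""Detect silent AP configuration drift between two controller snapshots.

Added example: compares two {ap_mac: {field: value}} snapshots and reports every
watched field that changed, plus APs that appeared or disappeared. The field names
and the sample data are constructed for this example.
"""

# The settings the thread reports changing on their own.
WATCHED = ("name", "ip_mode", "ap_group", "primary_controller", "cleanair")


def diff_snapshots(before, after):
    """Return drift records as (ap_mac, field, old, new), ordered by AP MAC."""
    drift = []
    for ap in sorted(set(before) | set(after)):
        if ap not in after:
            drift.append((ap, "presence", "present", "missing"))
            continue
        if ap not in before:
            drift.append((ap, "presence", "missing", "present"))
            continue
        for field in WATCHED:
            old, new = before[ap].get(field), after[ap].get(field)
            if old != new:
                drift.append((ap, field, old, new))
    return drift


def summarize(drift):
    """Count drift by field, so one setting reverting across many APs stands out."""
    counts = {}
    for _ap, field, _old, _new in drift:
        counts[field] = counts.get(field, 0) + 1
    return counts


# Constructed snapshots: AP ...01 has been renamed to a factory-style name and flipped
# to a static IP; AP ...02 has dropped back to the default AP group and lost its
# primary controller.
BEFORE = {
    "00:11:22:33:44:01": {"name": "lib-1f-01", "ip_mode": "dhcp", "ap_group": "library",
                          "primary_controller": "wlc-a", "cleanair": True},
    "00:11:22:33:44:02": {"name": "lib-1f-02", "ip_mode": "dhcp", "ap_group": "library",
                          "primary_controller": "wlc-a", "cleanair": True},
}
AFTER = {
    "00:11:22:33:44:01": {"name": "AP0011.2233.4401", "ip_mode": "static", "ap_group": "library",
                          "primary_controller": "wlc-a", "cleanair": True},
    "00:11:22:33:44:02": {"name": "lib-1f-02", "ip_mode": "dhcp", "ap_group": "default-group",
                          "primary_controller": "", "cleanair": True},
}

if __name__ == "__main__":
    changes = diff_snapshots(BEFORE, AFTER)
    for ap, field, old, new in changes:
        print(f"{ap}: {field} {old!r} -> {new!r}")
    print(summarize(changes))
```

Run it from cron against yesterday's and today's export and alert on a non-empty result; the `summarize` output is what tells you whether you are looking at one AP being touched by a human or a single field reverting on a slice of the estate after a code upgrade.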





Re: [WIRELESS-LAN] Outside venues

2014-12-04 Thread Ciesinski, Nick
Hector,

I am curious to know how you are connecting the 1530's to power.  We are right 
now all 155X's for the outdoor AP's but I was looking at the 1530's because 
their price point was better.  The one thing I was concerned with though was 
that they are DC power input vs AC power input.  For many locations we have the 
AP mounted on a building so this is ok but we have several in a mesh that 
connect to our parking lot light poles and I don't know the feasibility of 
putting an AC/DC converter in the power pole.  Unless I missed it I also didn't 
see an outdoor-rated converter Cisco sells for these. So I am curious to know 
your experience with powering them.

Nick Ciesinski
University of Wisconsin - Whitewater

From: Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, December 4, 2014 1:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Outside venues

We have used 1520s in the past and they have worked well. We recently installed 
a couple of 1530s with external antennas and their coverage is really good. The 
plus with the 1530s is their form factor. The 1520s and their predecessors were 
tanks. The 1530s are considerably smaller. Depending on your requirements, the 
1530s with internal antennas are very convenient, but you are not going to have 
as good coverage as the ones with the external antennas.

Finally, consider additional costs for your outdoor deployment. A couple of 
years ago we deployed a good number of outdoor mesh radios and the expense for 
the power requirements was significant. Other costs to bear in mind are 
maintenance. If you hang these radios on poles, know that you will be needing a 
lift to get to those radios when they have issues. For us, our contractor 
charges a minimum of $500 to get us a bucket truck. And if you live in the 
southern states, just pray your radios don’t have issues during the summer. 
Otherwise, bring lots of towels and prepare to sweat.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stooksberry, Tom
Sent: Wednesday, December 03, 2014 1:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Outside venues

I would like to ask what everyone is doing for their outdoor areas with respect 
to WiFi.  We have several very nice venues that would benefit from 
connectivity.  Some are relatively close to networked buildings and some are 
fairly remote from such structures. We are a Cisco shop and are thinking about 
installing some AP1532’s but due diligence begs me to pick other brains for 
alternative and maybe better ideas.

Tom Stooksberry
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Cisco AVC- anyone using it for real in prod?

2014-08-12 Thread Ciesinski, Nick
Lee,

We have been doing AVC for a few years now to drop P2P.  We are doing it on an 
ASR1k though, not the WLC.   We used to use a SCE engine to do it which is where 
the AVC/NBAR2 stuff came from.  We find we don't need to update protocol packs 
that often.

Nick Ciesinski

From: Chad Burnham <cburn...@du.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, August 12, 2014 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco AVC- anyone using it for real in prod?

HI Lee,

Getting it humming this month – on a pair of ASR 1006 Routers (sorry not in 
Wireless).
We have Prime Infrastructure (2.1) managing it.

We removed our Anagrans this summer to move to this.

We just upgraded ASR this AM to support it. Will let you know in a month.
I am scheduled to talk/present @ WestNet about our experiences in January.

Signatures = Protocol Packs. You can update them without rebooting the router.

CB

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, August 12, 2014 9:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco AVC- anyone using it for real in prod?


We are using Cisco's WLAN application visibility, but doing little with it 
beyond the occasional looking in.  Elsewhere, we use Palo Alto boxes to shape 
traffic, but are interested in getting the controllers more involved in a prod 
role.



Is anyone relying on AVC to drop traffic like P2P in prod? Is it working well 
for you? How often do you find signature updates available? Any other 
thoughts/comments on experiences, successes, or frustrations with using AVC for 
real- especially on large networks?



Thanks-



Lee Badman




Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.