Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems
We found a bug with the CloudPath onboarding and Microsoft cert checking. We are using Microsoft NPS for the RADIUS server and it would randomly start saying that the certificate had been revoked. Cloudpath released an update to fix this issue. Upgrading the Enrollment Server fixed this for us.

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania 724-357-3327

On Thu, 24 Sep 2015, Kevin McCormick wrote:

I know many of you are using EAP-TLS and CloudPath onboarding. We have run into an issue where some Windows 8 and 10 machines will say the server said the certificates are revoked, but they are not revoked. We have checked things like the time being correct. We did discover the command 'certutil -f -urlfetch -verify cert_name.cer' will work just fine on Windows 7, but crashes on Windows 8 and Windows 10. The event viewer is showing these errors.

"The certificate received from the remote server has been revoked. This means that the certificate authority that issued the certificate has invalidated it. The SSL connection request has failed. The attached data contains the server certificate." -- Attached is the root CA.

"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 44. The Windows SChannel error state is 552."

I have tried googling the problem and have come up empty. CloudPath has told our security admin that our university seems to be the only one having this issue. Makes me wonder if our certs are being generated with incorrect settings for Windows 8 and Windows 10. What algorithm and key length are you using? Any suggestions?

Kevin McCormick uTech Network Services Western Illinois University

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi
What version of ipad are you using? I tried it with an ipad 2 running latest ios with apple tv 3rd gen with latest os and couldn't get it to find the apple tv via airplay. It does work with ipad 3 and above. Also you don't really pair the device, it just discovers the apple tv over bluetooth.

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania 724-357-3327

On Wed, 12 Mar 2014, Matt Williams wrote:

Has anyone else had an issue getting the iPad to pair with the AppleTV via BlueTooth? I've updated both to the required versions, but they both just sit there spinning their wheels when trying to discover.

Respectfully, Matthew Will Williams Assistant Director, Networking Bucknell University 570.577.1491

On Tue, Mar 11, 2014 at 2:48 PM, Jason Heffner jdh...@psu.edu wrote:

I’ve not seen anything in OSX yet, but I’ve not installed the very latest 10.9.3 update. I came across the bluetooth discovery in iOS when I was testing out the beta. It hasn’t gotten any hype and was hoping that it would be leaked so I could talk about it before it was released. We talked about doing the same thing with Bluetooth LE, then held off since Apple was going to release it.

On Mar 11, 2014, at 2:32 PM, Hurt,Trenton W. trent.h...@louisville.edu wrote:

Seems to be that way I can’t get my osx to see the apple tv but can see it from iOS 7.1 devices via Bluetooth. Here is different website with some screens of doing airplay via Bluetooth http://www.afp548.com/2014/03/10/hidden-airplay-feature-in-the-appletv-6-1-ios-7-1-update/

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler Sent: Tuesday, March 11, 2014 2:21 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi

I'll bet support in 10.9 will be in the next patch. I don't think Apple even mentions this new feature in the release notes.
Jeff

On Tuesday, March 11, 2014 at 11:13 AM, in message 108be36f63e8cc4c8c84a5dce1c0d2a1b33c7...@exmbx07.ad.louisville.edu, Hurt,Trenton W. trent.h...@louisville.edu wrote:

Have you been able to get an osx 10.9 to see the apple tv via Bluetooth?

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Heffner Sent: Tuesday, March 11, 2014 8:48 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi

Apple just released discovery over bluetooth in iOS 6.1. This is a major hurdle for most institutions as it no longer requires bonjour for discovery but instead relies on bluetooth. I've tested it and it works well. I wonder if they will add this support into OSX soon. http://gadgets.ndtv.com/tv/news/apple-tv-61-update-brings-airplay-security-option-discovery-over-bluetooth-and-more-494249

This certainly doesn't invalidate our work on our Mirror App, but for some it may be the missing piece which we were also providing. Mirror will also allow you to use AirServer and provides a way to connect to AppleTVs from remote locations. Either way, it's about time Apple!

Jason

On Jan 16, 2014, at 12:59 PM, Jason Heffner jdh...@psu.edu wrote:

Hi everyone, We took a slightly different approach to solve our issue with the AppleTV specifically at Penn State. We do have a Doceri deployment but recently we have released a PSU Airplay iOS enterprise app to allow mirroring to AppleTVs w/o having bonjour enabled. Since I saw this topic come up I thought it was a good time to share. If interested you can find out more on a recent blog entry I wrote up on the specifics.
http://sites.psu.edu/jasonheffner/2014/01/10/airplay-without-bonjour-on-enterprise-wireless-networks/

Thanks, Jason p: (814) 865-1840, c: (814) 777-7665 Systems Administrator Teaching and Learning with Technology, Information Technology Services The Pennsylvania State University

On Jan 16, 2014, at 11:19 AM, Tim Cappalli cappa...@brandeis.edu wrote:

Yes, ClearPass and AirGroup allows a user to define up to 10 other users that can see their personal device.

Tim Cappalli | ACCP / ACMP / CCNA Network Engineer | Brandeis University cappa...@brandeis.edu | (617) 701-7149

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James Andrewartha Sent: Thursday, January 16, 2014 10:23 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi

Hi Bruce,

On 16/01/14 8:50 PM, Osborne, Bruce W (Network Services) bosbo...@liberty.edu wrote:

You said, Sure, I wish you could drop Apple
Re: [WIRELESS-LAN] Cisco PI 1.3 patch fix chrome issues
We applied the patch yesterday and it fixed the issue.

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania 724-357-3327

On Fri, 6 Sep 2013, Alan Nord wrote:

Anyone apply this patch? I see that it is no longer available on the download site.

On Thu, Sep 5, 2013 at 11:39 AM, Hurt,Trenton W. trent.h...@louisville.edu wrote:

Cisco published a patch yesterday that fixes the google chrome frame issue. software.cisco.com/download/release.html?mdfid=284652876flowid=39423softwareid=284272933release=1.3.0relind =AVAILABLErellifecycle=reltype=all

Sent from my iPhone

-- Alan Nord, CCNA Infrastructure Manager Information Technology Services Macalester College 1600 Grand Avenue St. Paul, MN 55105
Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND computer?
We do something like this with laptops. The machines are a member of a domain and have a group policy set that Authentication Mode is User or Computer authentication. Then on the radius server (Microsoft IAS) we have a rule for computers and a rule for domain users. When the laptop is first turned on it auth's as the computer account. When the user logs in it re-auths as the user account.

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania 724-357-3327

On Thu, 7 Feb 2013, Ashfield, Matt (NBCC) wrote:

Well ideally, the scenario we’d like is: Computer boots up to login screen. User logs in, and is at that point (or earlier) connected/authenticated to wifi by way of having authenticated the computer and the user credentials. At that point, login scripts and whatnot are able to run as the windows OS loads. I’m sure this is not a unique situation. Is anyone else doing something similar?

Thanks Matt

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Heath Barnhart Sent: Wednesday, February 06, 2013 5:32 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND computer?

Reading this technet page it looks like you can specify a condition of the computer being in a Machine Group and User being in User Group. I'm not an AD guy, so I don't understand the difference between the two groups, but as I recall different condition types are evaluated with an AND, so in theory you could do it that way. I'm interested in this as well, but haven't had time to play with it.

Heath Barnhart, CCNA ITS Network Administrator Washburn University Topeka, KS

On 02/06/2013 02:25 PM, Ashfield, Matt (NBCC) wrote:

Hello We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end. What we’d like to do is authenticate the device (make sure it is a domain PC) as well as the user (make sure they are a domain user).
From what I can tell, it seems like we can do 1 or the other, but not both. It may be possible with a different Radius server from what I’ve read (Cisco ACS seems to have a wizard for this), but I’m wondering if anyone is doing this today using MSoft’s radius server? Any info you can provide is appreciated.

Thanks Matt
Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.
What if you did something with DNS service discovery and setup dns records for appletv? We did this for airprint and doing a few quick google searches it looks like it may be possible with apple tv. http://grouper.ieee.org/groups/1722/contributions/Bonjour%20Device%20Discovery.pdf

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania 724-357-3327

On Tue, 3 Jul 2012, Mike King wrote:

I voiced that solution and was shot down. If I do a separate SSID, on the same VLAN as the Apple TV, I'd still have to turn Multicast on on the controller, but I wouldn't have to roll out a PIM-SM deployment.

Mike

On Tue, Jul 3, 2012 at 10:03 AM, Hanset, Philippe C phan...@utk.edu wrote:

Mike, For a one off and minimal investment, I would bring up an Open-WRT or DDRT AP (or any affordable AP that is capable of doing WPA2-enterprise) independent from your regular infrastructure and make people join a dedicated subnet for that room (use NAT, and WPA2-enterprise). Connect the Apple TV to the wired port of the AP and broadcast a dedicated SSID. With WPA2-enterprise joining your RADIUS server you can make it secure. It is a dirty solution, electromagnetically speaking, but quick. If the conference room has too many users for one AP, create a dedicated SSID just for that conference room on your existing infrastructure and terminate the VLAN of that SSID on the same VLAN as the AppleTV

Philippe Hanset Univ. of TN www.eduroamus.org

On Jul 3, 2012, at 9:06 AM, Mike King wrote:

So I have Cisco Wireless, and I've just been asked to make Airplay work in a conference room. We do not have multicast enabled (anywhere). Asking for details, I've been told it's only this one conference room. (I someone believe this, as it the only one that has a projector that gets any use) Suggestions for this as a one off? I have ideas on what to do for a campus wide deployment, but that will take me significantly longer to deploy, and my boss is asking me to have this done this week.
Right now, we have a single WPA2/enterprise SSID, and the apple TV will most likely be wired (not required)

Mike
Re: [WIRELESS-LAN] Alternatives to XpressConnect
, Williams, Mr. Michael wrote:

We have tutorials available for our users, but our helpdesk folks still have to spend a lot of time manually configuring the wireless supplicant for some of our less tech savvy users. Does anyone have a solution to this problem?

Here at NU, our Technology Support Services coded up a Windows utility that we use for this purpose. http://www.it.northwestern.edu/oncampus/wireless/wireless-connections/

Here's another tool that might be of interest: http://sourceforge.net/projects/su1x/

Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

-- --- Craig Pluchinsky IT Services Indiana University of Pennsylvania 724-357-3327
IAS Access-Reject
We are using IAS as our RADIUS server. On either a mac or windows client if you specify the username as your domain with a backslash, domain\, IAS discards the request but never sends an Access-Reject back to the client. This causes the client to keep trying to authenticate. IAS will eventually lose connection to the domain controller and try another one. I see "Domain controller dc1.ourdomain.com for domain OURDOMAIN is not responsive. IAS switches to other DCs." in the system event log. During this period when it loses connection all other clients can't authenticate. Has anyone else seen this? We've tried installing KB946813 but that didn't fix it.

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania 724-357-3327
Re: [WIRELESS-LAN] IAS Logging
On my windows xp pro sp2 laptop with KB917021 and KB893357 that has a working 802.1x setup I intentionally entered a wrong password for my AD account and locked it out. Searched the IAS logs, saw a bunch of Reason-Code 16 (IAS_AUTH_FAILURE) then I saw the Reason-Code 36. Maybe it's something on the client end?

- Original Message - From: Howd, Walt [EMAIL PROTECTED] To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Sent: Thursday, March 06, 2008 5:35 PM Subject: Re: [WIRELESS-LAN] IAS Logging

We have a similar setup (Cisco LWAPP environment, controllers logging to IAS) and have seen the same issue. If you find anything useful, I would be interested.

Walt Howd Network Systems Admin Information Technology Services Truman State University SunGard Higher Education Managed Services 100 East Normal Street Kirksville, MO 63501 [EMAIL PROTECTED]

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Craig Pluchinsky Sent: Thursday, March 06, 2008 3:12 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] IAS Logging

Currently we have an 802.1x wireless network setup with Cisco APs, Cisco Wireless Lan Controllers and Microsoft IAS as our RADIUS server. We are seeing issues where a user's active directory account is being locked out because of too many incorrect password attempts. This is being logged in the security event log on the server but not in the IAS logs. The security event log does not show a mac address or machine name. IAS should be logging a Reason-Code 36 IAS_ACCOUNT_LOCKED_OUT in the IAS log. The problem is the client looks like it is incorrectly configured so it keeps trying to authenticate every few seconds keeping the user's active directory account locked out. We then have to track down the mac address either with a packet sniffer or find it in WCS and add it to the disabled clients list on the controllers to keep it from repeatedly trying to connect and locking the active directory account out.
Any ideas as to why IAS is not logging this error? If it logged in the IAS logs we could then get the mac address from the Calling-Station-ID.

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania
IAS Logging
Currently we have an 802.1x wireless network setup with Cisco APs, Cisco Wireless Lan Controllers and Microsoft IAS as our RADIUS server. We are seeing issues where a user's active directory account is being locked out because of too many incorrect password attempts. This is being logged in the security event log on the server but not in the IAS logs. The security event log does not show a mac address or machine name. IAS should be logging a Reason-Code 36 IAS_ACCOUNT_LOCKED_OUT in the IAS log. The problem is the client looks like it is incorrectly configured so it keeps trying to authenticate every few seconds keeping the user's active directory account locked out. We then have to track down the mac address either with a packet sniffer or find it in WCS and add it to the disabled clients list on the controllers to keep it from repeatedly trying to connect and locking the active directory account out.

Any ideas as to why IAS is not logging this error? If it logged in the IAS logs we could then get the mac address from the Calling-Station-ID.

--- Craig Pluchinsky IT Services Indiana University of Pennsylvania
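
The lockout hunt described in this thread, as an added example that is not part of the original messages: it scans IAS-format log text for Access-Reject records carrying Reason-Code 16 or 36 and reports which Calling-Station-ID keeps failing for which account, so the client can be found even when code 36 is never written. The six-field record header, the attribute IDs 4136 (Packet-Type) and 4142 (Reason-Code), the function names and the sample records are assumptions or constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed IAS-format layout: six header fields, then attribute-id,value pairs.
HEADER_FIELDS = 6
CALLING_STATION_ID = "31"       # RADIUS Calling-Station-Id (client MAC)
PACKET_TYPE = "4136"            # assumed IAS attribute id; 3 = Access-Reject
REASON_CODE = "4142"            # assumed IAS attribute id
ACCESS_REJECT = "3"
FAILURE_REASONS = {"16", "36"}  # IAS_AUTH_FAILURE, IAS_ACCOUNT_LOCKED_OUT

# Constructed sample records, not taken from a real server.
SAMPLE_LOG = r"""10.0.0.5,OURDOMAIN\jdoe,03/06/2008,15:01:02,IAS,RADIUS01,31,00-11-22-33-44-55,4136,3,4142,16
10.0.0.5,OURDOMAIN\jdoe,03/06/2008,15:01:07,IAS,RADIUS01,31,00-11-22-33-44-55,4136,3,4142,16
10.0.0.5,OURDOMAIN\asmith,03/06/2008,15:01:09,IAS,RADIUS01,31,66-77-88-99-AA-BB,4136,2,4142,0
10.0.0.5,OURDOMAIN\jdoe,03/06/2008,15:01:12,IAS,RADIUS01,31,00-11-22-33-44-55,4136,3,4142,16
10.0.0.5,OURDOMAIN\jdoe,03/06/2008,15:01:17,IAS,RADIUS01,31,00-11-22-33-44-55,4136,3,4142,36
10.0.0.5,OURDOMAIN\asmith,03/06/2008,15:40:00,IAS,RADIUS01,31,66-77-88-99-AA-BB,4136,3,4142,16
truncated,line
"""

def parse_record(row):
    """Return (user, mac, timestamp, packet_type, reason), or None if malformed."""
    if len(row) < HEADER_FIELDS or (len(row) - HEADER_FIELDS) % 2:
        return None
    attrs = dict(zip(row[HEADER_FIELDS::2], row[HEADER_FIELDS + 1::2]))
    try:
        ts = datetime.strptime(f"{row[2]} {row[3]}", "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None
    return (row[1], attrs.get(CALLING_STATION_ID, "unknown"), ts,
            attrs.get(PACKET_TYPE), attrs.get(REASON_CODE))

def repeat_offenders(log_text, threshold=3, window=timedelta(minutes=1)):
    """Map (user, mac) to its peak failure count in any window, if >= threshold."""
    failures = defaultdict(list)
    for row in csv.reader(log_text.splitlines()):
        rec = parse_record(row)
        if rec is None:
            continue  # skip truncated or unparseable records
        user, mac, ts, ptype, reason = rec
        if ptype == ACCESS_REJECT and reason in FAILURE_REASONS:
            failures[(user.lower(), mac.upper())].append(ts)
    result = {}
    for key, stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[key] = best
    return result

if __name__ == "__main__":
    for (user, mac), n in repeat_offenders(SAMPLE_LOG).items():
        print(f"{user} from {mac}: {n} failed attempts within a minute")
```

The station addresses it returns are the values a controller's disabled-clients list would need.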