Re: [EXTERNAL] [WIRELESS-LAN] Fast Transition Enable

2021-07-28 Thread Curtis K. Larsen
I like the idea of making our branded 1X WLAN enabled and leaving eduroam and 
our IoT/PSK WLAN disabled.  Then we tell them they can use a WLAN with fewer 
features until their device gets newer capabilities.



-Curtis


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Rios, Hector J 

Sent: Wednesday, July 28, 2021 4:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Fast Transition Enable


The challenge with testing FT, either “enabled” or “adaptive” is that it will 
most likely work with the few devices you can test with, but the minute you 
enable it and expose it to all your client devices, there will be some that 
will just not play nice. At that point you either revert your config, or take a 
stance of “this is what we support moving forward, so, sorry”. It’s the nature 
of the game.



Hector Rios, UT Austin







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Dennis Xu
Sent: Wednesday, July 28, 2021 2:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Fast Transition Enable



Thanks for all the information.



We might want to test the FT “enabled” setting.



Dennis Xu



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Steve J Wenger
Sent: Monday, July 26, 2021 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Fast Transition Enable






We learned that FT “Adaptive Enabled” was on by default when we deployed IOS-XE 
17.3.  Certain Motorola cell phones had difficulty connecting intermittently, 
regardless of whether the phones were Android 10 or 11.  When we set FT to “disabled”, 
the Android clients in question were able to connect and roam between APs and 
buildings without problems.  Discovered this only after reading about the Cisco 
bug CSCvu24770.  Have not tried to set FT to “enabled” to experiment yet.



Thanks,



Steve Wenger

Viterbo University

Wi-Fi / Telecom Administrator | Instructional and Information Technology

608-796-3950


www.viterbo.edu | 900 Viterbo Drive, La Crosse, WI 54601



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jason Mallon
Sent: Monday, July 26, 2021 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Fast Transition Enable




We have FT enabled on ours, and it allowed the Android devices to connect that 
were unable to while we had FT adaptive.  I have not heard, up to this point, 
of any devices failing to connect since we made the swap a couple months ago.





Jason Mallon

Network Engineer

Office of Information Technology
The University of 
Alabama
jemal...@ua.edu








From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Dennis Xu <d...@uoguelph.ca>
Date: Monday, July 26, 2021 at 1:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL] [WIRELESS-LAN] Fast Transition Enable

Hi,



Has anyone set Fast Transition to enable for Cisco WLCs? Have you had any 
compatibility issues with client devices with FT enabled? I am asking because 
of the Android bug CSCvu24770, which caused some Android devices to be unable to 
connect with adaptive FT.



Thanks.



Dennis


Re: Onboarding android 10 and 11

2021-07-13 Thread Curtis K. Larsen
Interesting.  I just tried this with the Cloudpath Enrollment System on 
Android 11 with a Pixel 3.  I don't see any issue.  I am doing EAP-TLS - maybe 
that is the difference?

-Curtis


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Dennis Xu 
Sent: Tuesday, July 13, 2021 6:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Onboarding android 10 and 11


We are dealing with the same issue. The new JoinNow UI since this year for Android 
10 and 11 is very difficult to go through, but it looks like there are no other 
onboarding solutions around. The eduroam CAT is very easy to use (like the old 
JoinNow) but it is only for the eduroam SSID.



Dennis Xu





From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Marsen Nuzi
Sent: Friday, July 9, 2021 8:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Onboarding android 10 and 11






Hello everyone,

We noticed that Android 11 had issues onboarding to our secure SSID; in 
particular it could not connect to it but stays on whatever SSID it is already 
connected to. After a quick call with SecureW2 we were told that there is a 
workaround which seems very tedious, especially for the average user. Users have 
to uninstall the SecureW2 JoinNow app and start the process all over again, 
with more steps. I was curious how everyone else is dealing with this issue and 
if they have found something easier.

Thanks



Marsen Nuzi
Information Technology

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



Re: [External] [WIRELESS-LAN] Placement mapping of APs

2021-06-24 Thread Curtis K. Larsen
We do AP placements (and more) in Ekahau.  It imports nicely into DNAC (with a 
rare horizontal-to-vertical map flipping problem that we are working on with 
Cisco).  Since Cisco has done the work to map from Ekahau .json files with x,y 
coordinates and AP names and model numbers, it seems logical that they can 
also go the other way (export from DNAC to Ekahau).  We are working with some 
programming resources from Cisco on this right now.  Our goal is to be able to 
use Ekahau reports for cable installers and AP name configuration, then import 
to DNAC, and then export at any time from DNAC to Ekahau to generate a new 
installation report complete with x,y coordinates, AP names and model numbers.  
I think we will achieve this goal soon.  Once that happens, only adjustments 
to existing buildings require moving APs on any maps - never one-for-one 
placements again.

Thanks,



--
Curtis K. Larsen
Wireless Network Engineer III
Infrastructure Ops
The University of Utah
Office 801-587-1313
Mobile 801-425-7528


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Smith, Nayef 

Sent: Thursday, June 24, 2021 8:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Placement mapping of APs

To the point of "hours of remapping everything", we were very successful 
leveraging intern/work study for this type of work several years ago.  When we 
have to do this again, I'll be running the same playbook.  4-6 student workers 
knocked it out over the summer.  You can do something similar over the school 
year, but it will likely take a little longer.  They enjoyed the work, including 
the opportunity to visit locations and do site surveys as needed.

Nayef Z. Smith | Network Services | Voice: 404-727-6019


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Christina Klam 
Sent: Wednesday, June 16, 2021 2:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [External] [WIRELESS-LAN] Placement mapping of APs

All,
For the umpteenth time, we will need to re-map all of our access points in a 
Cisco GUI.  Originally they were in Prime.  Then we got DNAC and were told to 
migrate them there.  But we just found out that you cannot export the mappings 
(blank maps yes, mappings no) from DNACv1 to DNACv2.  And as the sync is only 
one way, Prime to DNAC, we cannot seamlessly return to Prime.

Until Cisco gets their act together, we will do the re-mapping in Prime and 
have that be our source of truth.  My question to the community is this.  How 
do you handle the AP placement mappings?  If there is a better way than 
manually dragging the images to the proper location, I would love to hear it.  
I see that you can use GPS coordinates, but how can you get accurate coordinates 
inside a building?  Ideally, I would like to create a spreadsheet of APs and 
locations and then upload it to said system.  This way, if the Prime database gets 
corrupted (which has happened) or DNACv2-v3 also is not seamless, we do not 
have to spend the hours remapping everything ... again.

Christina Klam
Network Engineer
Institute for Advanced Study
1 Einstein Dr
Princeton, NJ 08540
(m) +1 609-751-7899
(o) +1 609-734-8154
ck...@ias.edu



Re: [External] [WIRELESS-LAN] Zebra ZD500 Wireless Label Printers

2021-06-03 Thread Curtis K. Larsen
haha nope.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Phill Solomon 
<0150915d379b-dmarc-requ...@listserv.educause.edu>
Sent: Thursday, June 3, 2021 4:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Zebra ZD500 Wireless 
Label Printers


Mac Randomization?





Phill Solomon

Senior Technical Lead (Network Engineering)

Deakin University, IS - AV & Networks,  ICT Infrastructure Services, eSolutions



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Street, Chad A
Sent: Friday, 4 June 2021 5:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Zebra ZD500 Wireless 
Label Printers



We are seeing very interesting things with telemetry systems using the same OID 
as Zebra printers.



If you are seeing similar -- chad.str...@emory.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Curtis K. Larsen <curtis.k.lar...@utah.edu>
Sent: Thursday, June 3, 2021 3:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] [WIRELESS-LAN] Zebra ZD500 Wireless Label Printers



We're seeing some interesting behaviors with these on Cisco infrastructure.  If 
you have them and you run Cisco I'd love to show you some debugs and pcaps and 
compare notes.  Please contact me off-list if you are interested.



Thanks,



--

Curtis K. Larsen
Wireless Network Engineer III

Infrastructure Ops

The University of Utah



Zebra ZD500 Wireless Label Printers

2021-06-03 Thread Curtis K. Larsen
We're seeing some interesting behaviors with these on Cisco infrastructure.  If 
you have them and you run Cisco I'd love to show you some debugs and pcaps and 
compare notes.  Please contact me off-list if you are interested.

Thanks,


--
Curtis K. Larsen
Wireless Network Engineer III
Infrastructure Ops
The University of Utah




Re: Cisco 8540 Code Recommendation, Based on Stability?

2021-06-02 Thread Curtis K. Larsen
Lee,

There is no such thing as stable code anymore.  Good luck.


Thanks,

Curtis


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Rios, Hector J 

Sent: Wednesday, June 2, 2021 3:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Cisco 8540 Code Recommendation, Based on Stability?


We recently upgraded to 8.10.151 and have no complaints. But then again code 
stability depends on so many factors. We have 8540s, and a mix of 9120s, 2700s, 
2800, and 1562s.



Hector Rios, UT Austin







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Wednesday, June 2, 2021 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 8540 Code Recommendation, Based on Stability?



Hi all,



After a tumultuous series of code versions, awhile back we settled on 8.5.151.0 
and hung on to it like grim death because it was very, very reliable.



Given that 8.5 code goes end-of-support at end of 2021, combined with latest 
rounds of announced vulnerabilities, I’m looking for recommendations in the 
8.10 train based on wanting stability above all. We have 3800s and 3700s 
currently, likely to stay that way through the next academic year.



Has anyone found an 8.10 code version for the 8540 that supports the 3700 and 
3800 while providing good daily stability?



Thanks,





Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu










Rate Limits on Guest Wi-Fi

2021-04-12 Thread Curtis K. Larsen
Hello,

Curious to know if any have removed or recently raised the rate limit on the 
Guest Wi-Fi network at your institution, particularly large universities or 
hospitals.  If you have taken that step how is it going?  Also curious to hear 
what speeds you rate limit to if it is rate limited and how you came to that 
conclusion.

Thanks,


--
Curtis K. Larsen
Wireless Network Engineer III
The University of Utah




Re: [WIRELESS-LAN] WLAN onboarding

2021-04-07 Thread Curtis K. Larsen
Hi Lee,

We have used the Cloudpath Enrollment System (Ruckus now) since its release 
(2009?) for EAP-TLS onboarding, and they added PEAP capabilities a few years 
back.  I think it has been very versatile and amazingly simple to maintain.  
The only drawbacks have been a lag of a few weeks sometimes (rarely, but it has 
happened) when an OS changes their supplicant, and Windows flagged their exe as 
a virus twice over a ten-year period (luckily a manual cert download could 
bypass that).  We looked at SecureW2 about a year ago, and in my opinion it is 
the best in the space (probably doesn't get flagged as a virus, haha), but the 
cost was many, many times more than Cloudpath for our large campus and hospital 
org.  We have also been able to use Cloudpath not just for 802.1X onboarding, 
but also to send i-PSK registrations to Cisco ISE on our IoT SSID.  Let me know 
if you'd like to see how we use it sometime.

Thanks,


--
Curtis K. Larsen
Wireless Network Engineer III
The University of Utah


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Wednesday, April 7, 2021 9:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WLAN onboarding

Thanks, Philippe. I didn’t realize CAT would accommodate non-eduroam SSIDs. 
That’s huge.

Lee Badman (mobile)

On Apr 7, 2021, at 10:55 AM, Philippe Hanset 
<005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:

 Lee,

Based on your timeframe you might also want to consider the new development 
that is done in Europe called “geteduroam”.
https://www.geteduroam.app
It is App based and will feed from CAT but it is based on EAP-TLS or on 
EAP-TTLS/PEAP if preferred.

So you could start with CAT  and username/password (CAT allows you to provision 
eduroam and other SSIDs as well) and evolve later to EAP-TLS.

Philippe


Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






On Apr 7, 2021, at 10:05 AM, Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:


Hello everyone, hope your semesters are going along smoothly and that you are 
all staying healthy. As always- this message is not an invite for vendors to 
contact me.



Looking out down our short timeline, we need to make a number of decisions 
about various aspects of our WLAN operations. One of these decision points is 
if/how to do the 802.1X onboarding after our current solution goes End of 
Everything at year’s end. To that end, I’m looking for any and all feedback on 
these questions:

- If you are using PEAP/MS-CHAP v2, what is your onboarder of choice (even if 
none, with manual config as methodology)?

-If you are doing PEAP-TLS, what is your onboarder of choice?

-Have you recently piloted any onboarders that you just hate for any reason?

-For those using eduroam as your 802.1X environment, have you found the free 
configuration tool to be reliable? Any downsides to using it at scale?



Interested in 3rd party, native, whatever.



Thanks as always,



Lee Badman



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu





Re: Openroaming - anyone connected?

2020-08-16 Thread Curtis K. Larsen
It is on my radar, I'm hoping to convince our institution to connect at some 
point.  I suspect we would use it for all types of users eventually, but hoping 
mainly to make the user experience as easy AND secure as possible.

Thanks.


--
Curtis K. Larsen
Wireless Network Engineer III
Infrastructure Ops
The University of Utah
Office 801-587-1313
Mobile 801-425-7528


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Phill Solomon 
<0150915d379b-dmarc-requ...@listserv.educause.edu>
Sent: Sunday, August 16, 2020 7:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Openroaming - anyone connected?


Hello all,



One of the items on the radar for us is OpenRoaming, is there anyone connected, 
or looking into connecting?



And if you are connected, are you using it as an extension for students / staff 
or just for visitors?



Thanks in advance,



Kind regards,



Phill Solomon

Senior Network Engineer

IS - AV & Networks

ICT Infrastructure Services, eSolutions

Planned Leave: NA






Deakin University

301 Burwood Highway, Burwood

VIC 3125, Australia.

• Phone: +61 3 924 46069
• E-mail: phill.solo...@deakin.edu.au



Deakin University CRICOS Provider Code 00113B





Re: [WIRELESS-LAN] securew2 and all the devices that don't support it.

2020-05-26 Thread Curtis K. Larsen
We use Cloudpath and ISE.  For the non-WPA2-Enterprise devices, or even some 
that are unusually painful to set up, we send them to Cloudpath to register the 
MAC address; then Cloudpath sends an API call with the MAC, user account, and a 
dynamically generated PSK to an interim Linux box, which sends it to ISE.  The 
interim Linux box is only there because Cloudpath originally did not accept API 
calls back from ISE (maybe it does now?) confirming the device had been 
registered, and because we found no direct way to generate iPSKs in ISE.

We then have the Cisco WLC configured for i-PSK against ISE for the non 
WPA2-Enterprise WLAN.  There is also an i-PSK Manager out there that I intend 
to play with at some point:  
https://community.cisco.com/t5/security-documents/ipsk-identity-pre-shared-key-manager-portal-server-for-ise/ta-p/3904265

Good luck.


Thanks,

Curtis



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Klingaman, Ryan 

Sent: Tuesday, May 26, 2020 4:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] securew2 and all the devices that don't support it.

I have been a long time user of Ruckus and Cloudpath and have been looking into 
Aruba and Clearpass lately. I see from this list that there are a few colleges 
that use securew2 in place of something like Clearpass or Cloudpath.

My question is for those that use it, what is your solution for the gaming 
consoles, media players, virtual assistants, etc.?

Do you only support hardwired on those devices (if they support that option)?

Do you have a custom solution tied into the API of the wireless Vendor?

Do you use two solutions such as Clearpass and Securew2?

Thanks,

Ryan



Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Curtis K. Larsen
We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Friday, April 17, 2020 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)


I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.



From: Turner, Ryan H
Sent: Friday, April 17, 2020 12:00 PM
To: The EDUCAUSE Wireless Issues Community Group Listserv 

Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)



So apparently that changed.  If you search on Cisco, you will note that they 
seemed to go away from the default port.  I do not think we would be getting a 
properly formatted NAK if we were sending to the wrong port.  But I am going to 
ask the other institution to validate that.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Abhiramms
Sent: Friday, April 17, 2020 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)



Ryan,



Have you tried UDP port 1700?

As far as I can remember, the default port when adding a radius client for a 
cisco device was 1700.



Also - I usually refer to this link that has the different CoA pcaps captured 
from a cisco perspective:



https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing



Source - 
https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/



Thanks

Abhi



On Apr 17, 2020, at 8:07 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:



Thank you Felix.  We do have this attribute present.  Let me see if I can get 
it removed.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)



This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking 
CoAs when the Event-Timestamp attribute was present.



thx,

felix



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" 
<rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)



We currently use Extreme Network Access Control.  We have had this for 14 years 
and it works very well.  We integrated it with Aruba wireless years ago, and we 
are able to send back filter IDs on the initial authentication to change roles, 
as well as issue disconnects to the user, forcing them to reauthenticate to 
their new policy (for example, a user is online and doing something bad, we 
send a disconnect message to the controllers and the user reconnects and 
authenticates with the new role).



We are now having to integrate with another institution's Cisco wireless 
controllers.  We have the authentication stuff working great.  But we are 
unable to get the disconnect/CoA to work.  We believe we have the correct 
format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I 
think it is UDP 3799 off the top of my head).  We are getting back NAKs, and 
the message indicated is ‘invalid attributes’.  We aren’t sure what attributes 
to send back for the disconnect.  Obviously the other third party NACs have to 
do this correctly, but I’ve been unable to find documentation.  Extreme has 
some old documentation, but it appears wrong.  Any experts out there on this?  
Anyone willing to do a reauthentication from their NAC to their controllers and 
send us the packet trace?  If we know what attributes you are sending, that is 
likely what we need to make this work.



I’ve opened a ticket to Extreme, and I’ve asked the other institution to open a 
ticket with Cisco.  But this may get me results quicker.



Thanks!



Ryan Turner

Head of Networking

Communication Technologies | Information Technology Services

r...@unc.edu

+1 919 445 0113 (Office)

+1 919 274 7926 (Mobile)



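
The Disconnect-Request exchange this thread is debugging, as an added example that is not code from the list, from Extreme, Cisco or PacketFence. Both ends run in one Python process: the NAC side builds and signs a Disconnect-Request per RFC 5176 (the current CoA/Disconnect spec, which replaced RFC 3576) carrying Calling-Station-Id in the xx-xx-xx-xx-xx-xx form the thread mentions, and a simulated WLC verifies the Request Authenticator and Message-Authenticator, then answers Disconnect-ACK, or Disconnect-NAK with an Error-Cause attribute that the NAC decodes. The shared secret, MAC address and session table are constructed; the rule that the simulated WLC NAKs any request carrying Event-Timestamp (attribute 55) is an assumption that models the behaviour Felix reports, not documented Cisco logic. The two port constants record the thread's point that the RFC port is 3799 while Cisco WLCs usually listen on 1700; nothing here touches the network.

```python
"""RADIUS Disconnect-Request / ACK / NAK, both sides simulated (RFC 5176)."""
import hashlib
import hmac
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 31, 55, 80, 101
PORT_RFC5176, PORT_CISCO_WLC = 3799, 1700      # per the thread: WLCs usually take CoA on 1700
ERROR_CAUSE_NAMES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                     404: "Invalid Request", 503: "Session Context Not Found"}
CODE_NAMES = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}


def encode_attrs(attrs):
    """RADIUS AVPs: Type(1) Length(1) Value; Length includes the 2-byte header."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(body):
    """Yield (offset, type, value); reject truncated or zero-length AVPs."""
    i = 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        yield i, body[i], body[i + 2:i + body[i + 1]]
        i += body[i + 1]


def build_request(ident, attrs, secret):
    """Disconnect-Request: Message-Authenticator = HMAC-MD5 over the packet with
    the Authenticator field and its own value zeroed; then Request Authenticator
    = MD5(Code+ID+Length+16 zero octets+Attributes+Secret), as RFC 5176 requires."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    hdr = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    msg_auth = hmac.new(secret, hdr + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth                 # Message-Authenticator is the last AVP
    req_auth = hashlib.md5(hdr + bytes(16) + body + secret).digest()
    return hdr + req_auth + body


def build_response(code, request, attrs, secret):
    """ACK/NAK Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body


def nas_handle(request, secret, sessions):
    """Simulated WLC. Verifies both authenticators before saying anything (a bad
    authenticator is silently discarded, so an unauthenticated peer learns
    nothing), then validates the attribute set and the session."""
    def nak(cause):
        return build_response(DISCONNECT_NAK, request,
                              [(ERROR_CAUSE, struct.pack("!I", cause))], secret)
    if len(request) < 20:
        return None
    body = request[20:]
    expected = hashlib.md5(request[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, request[4:20]):
        return None
    code, _ident, length = struct.unpack("!BBH", request[:4])
    if code != DISCONNECT_REQUEST or length != len(request):
        return nak(404)
    attrs = {}
    try:
        for off, typ, val in decode_attrs(body):
            if typ == MESSAGE_AUTHENTICATOR:      # recompute with both fields zeroed
                zeroed = request[:4] + bytes(16) + body[:off + 2] + bytes(16) + body[off + 18:]
                if len(val) != 16 or not hmac.compare_digest(
                        hmac.new(secret, zeroed, hashlib.md5).digest(), val):
                    return None
            attrs[typ] = val
    except ValueError:
        return nak(404)
    if EVENT_TIMESTAMP in attrs:    # ASSUMED: models the WLC behaviour reported in the thread
        return nak(401)
    mac = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    if not mac:
        return nak(402)
    if mac not in sessions:
        return nak(503)
    sessions.discard(mac)
    return build_response(DISCONNECT_ACK, request, [], secret)


def disconnect(mac, secret, sessions, extra=(), ident=7):
    """NAC side: send a Disconnect-Request for one client and interpret the reply.
    Returns (reply name, Error-Cause name or None)."""
    request = build_request(ident, [(CALLING_STATION_ID, mac.encode())] + list(extra), secret)
    response = nas_handle(request, secret, sessions)   # in-process instead of UDP to 1700/3799
    if response is None:
        return ("timeout", None)
    hdr, auth, body = response[:4], response[4:20], response[20:]
    if response[1] != ident or not hmac.compare_digest(
            auth, hashlib.md5(hdr + request[4:20] + body + secret).digest()):
        return ("bad-authenticator", None)
    causes = [struct.unpack("!I", v)[0] for _, t, v in decode_attrs(body)
              if t == ERROR_CAUSE and len(v) == 4]
    cause = ERROR_CAUSE_NAMES.get(causes[0], str(causes[0])) if causes else None
    return (CODE_NAMES.get(response[0], str(response[0])), cause)


if __name__ == "__main__":
    SECRET = b"example-shared-secret"                # constructed
    active = {"aa-bb-cc-11-22-33"}                   # constructed WLC session table
    stamp = [(EVENT_TIMESTAMP, struct.pack("!I", int(time.time())))]
    print(disconnect("aa-bb-cc-11-22-33", SECRET, set(active), extra=stamp))  # NAK 401
    print(disconnect("aa-bb-cc-11-22-33", SECRET, active))                    # ACK
    print(disconnect("aa-bb-cc-11-22-33", SECRET, active))                    # NAK 503
```

When a real controller answers NAK, the Error-Cause value is the thing to read off the capture: 401 or 407 point at an attribute the NAS will not accept, 402 at one it needs, 503 at a session key (Calling-Station-Id, Acct-Session-Id, User-Name) that did not match anything it holds. Paring the request down to Calling-Station-Id alone and adding attributes back one at a time, with the NAS pointed at the port it really listens on, separates the two failure modes the thread mixes together.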

Re: [WIRELESS-LAN] New and separate SSID for 2.4Ghz?

2020-01-31 Thread Curtis K. Larsen
Hi James,

We've been slowly marching down this path for about a year and a half.  We have 
a branded WPA2-Enterprise SSID, eduroam, and an i-PSK SSID.  After applying a 
new 5GHz-Only design we communicate the benefits to building occupants and 
migrate our branded SSID (which 90% of users already connect to) in that 
building to 5GHz-Only.  Then eduroam and our i-PSK SSID remain dual-band.

We are 50+ buildings into the process out of 250-ish.  In our first 40 
buildings (IT bldg, student housing, union, library) I think we got one ticket 
for an Android phone, and pointed the user to eduroam.  In our last 10 
buildings (primarily hospitals) I think we got 2 tickets - one for a small 
batch of laptops, and one for an ultrasound machine.  We pointed the Client 
Manager to Amazon/Campus store for a 5GHz Wi-Fi dongle and put the ultrasound 
device on our i-PSK SSID ...and on we go to the next set of buildings.

User experience was night/day for us in our new IT building - much, much 
better.  Stats indicate much lower channel utilization and many fewer 
interference sources.  My only recommendation would be to have proof that the 
RF design supports the change (for even the least-capable 5GHz device) before 
you do it, and to have several rock-solid fallback plans for the 2.4 only 
devices/use cases.  The gotchas are the time and cost to get the AP density 
up-to-snuff organization-wide.  Honestly, I'm not sure if the entire campus 
will ever reach the goal at the rate we're going - but it sure has been nice to 
eliminate many of the most common problems from some of our most 
mission-critical buildings.

Thanks,

--
Curtis K. Larsen
Network Engineer III
Infrastructure Ops
CWNA, CWDP, CWSP, CWAP
The University of Utah


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jake Snyder 

Sent: Friday, January 31, 2020 4:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New and separate SSID for 2.4Ghz?

A fun story that happened to me at a university:

They did as you propose: 2.4GHz-only and 5GHz-only separate SSIDs.  The first 
week of school they had ~80% of clients on 5GHz.

About three weeks before the end of the semester, Wi-Fi complaints had gone 
up, and the percentage of clients on 2.4GHz had grown to 50%.  This is when I 
got a call to come look at it.

Over the course of the semester, a DHCP outage and an internet circuit outage 
led folks to try "to see if the other network was working."  But when students 
arrived on campus every morning, they picked up the 2.4GHz-only network first.  
Then they spend all day there, because the client won't leave the 2.4GHz SSID 
while it's present.

I asked for a 2 minute outage for the 2.4GHz network.  I disabled it for 2 
minutes and then re-enabled it.  10 minutes later it was back to 80% 5GHz and 
20% 2.4GHz.

The moral of the story: you can’t out engineer people’s behavior.  When things 
break, when they experience issues, they will try to work around it.  As much 
as some folks might imagine their networks are perfect, I’ve yet to find one 
that is.

The best way to overcome this, have a 5GHz only SSID and a Dual Band SSID.  
That way if students do choose to connect to the other SSID, they have a way 
for their device to make a better choice most of the time.  This also ensures 
that you can do the Apple Watch with a 2.4GHz radio without dramatically 
hurting their iPhone’s connectivity.

In summary:
Use dual band instead of a 2.4 GHz only network.
Make sure 5GHz is 6 dB greater than 2.4GHz in transmit power.

I would also add, make sure you don’t use band steering on either network.

Jake Snyder



Sent from my iPad

On Jan 31, 2020, at 4:13 PM, Seddon, James 
<0159faeb9fd9-dmarc-requ...@listserv.educause.edu> wrote:


Happy Friday, everyone!

In high density areas of our campus (library, center of campus 
food courts, large lecture halls, etc), we often turn off some 2.4Ghz radios to 
help avoid co-channel interference issues.

We think we’re seeing behavior where client devices in motion attach to an AP 
in 2.4, then stubbornly hang on to that frequency (and sometimes AP), even if 
they end up in a location with a much stronger 5 Ghz signal from a closer AP.   
And of course, with the messy nature of the 2.4 band, they’re even more 
susceptible to interference using a weak signal from a distant AP.

We do have Cisco’s band steering already in play, but we think it might be of 
limited benefit in situations like this.  Our general advice is for clients to 
prefer 5.0GHz when they can.  But we think most users are just letting their 
devices do what they want, and we really have no control over that.

We’re considering converting our main SSIDs to offer 5 GHz only.   And then 
creating a new SSID that offers 2.4 service (MainSSID2-4, or Legacy2-4, or 
something).

Because we believe we have good 5.0GHz coverage, we think this change would be 
invisible to most

Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] Wi-Fi in the Elevator Car

2019-11-05 Thread Curtis K. Larsen
Hmmm... Good to know.  The bldg I am working on is about 5 floors if I remember 
right.  Probably too long for ethernet.  I'm thinking about this solution 
recommended by Luke Jenkins:

http://www.veracityglobal.com/products/ethernet-over-coax-devices/highwire.aspx

It says:  "Because coaxial cable will coil and bend properly, unlike Cat 5 
cable, HIGHWIRE provides an ideal means to provide network access to elevator 
carriages, for VoIP, security, lift panel and other devices."


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of John Turner 

Sent: Tuesday, November 5, 2019 1:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] Wi-Fi in the Elevator Car

I have designed and deployed in car WiFi for a few folks - one we had a Cat 5 
cable that was part of the traveler cable (so certified from a movement 
perspective) and the other we had a pair that I used a DSL converter on to get 
a few MB of traffic for the AP.

These were all 10+ story buildings.

The AP channel was fixed and discrete from the ones used on each floor - each 
car in the bank used the same channel and power setup - rarely did the cars 
stay on the same floor except in the late evening - Signal was basically 
blocked in the shaft anyway other than when the doors opened.

Results were pretty good for the times and good enough to keep a VoIP call 
going in optimal situations (excluding client generated issues)

We looked at P2P from the top of the shaft, but then I visited the top of one 
of the shafts and realized the dust and grease and access issues made it a 
non-starter.



On Tue, Nov 5, 2019 at 2:00 PM Michael Cole <mc...@clarku.edu> wrote:
You'd think this would be pretty straight forward, but with the codes for 
elevators and life safety you might not be able to get a cable in the wiring 
bundle for the car. Or if you can, will the cable take the constant bending and 
unbending...  the Aruba airheads talked about 2 different options, an access 
point in the car, and one on the top of the elevator shaft with a directional 
antenna.

https://community.arubanetworks.com/t5/Wireless-Access/Coverage-in-elevator-shaft/td-p/196269

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis K. Larsen
Sent: Tuesday, November 05, 2019 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] [WIRELESS-LAN] Wi-Fi in the Elevator Car

Hello,

Has anyone designed Wi-Fi specifically to work in the elevator car itself?  
Willing to share your experience?

Thanks,

--
Curtis K. Larsen
Senior Wi-Fi Network Engineer
University of Utah Network Services
CWNA, CWDP, CWSP, CWAP
Office 801-587-1313



--
John Turner - Head of Customer Success
jtur...@nyansa.com
(339) 225-0198
Join the Voyers Slack Community! <https://voyers-slack.nyansa.com/>


Wi-Fi in the Elevator Car

2019-11-05 Thread Curtis K. Larsen
Hello,

Has anyone designed Wi-Fi specifically to work in the elevator car itself?  
Willing to share your experience?

Thanks,

--
Curtis K. Larsen
Senior Wi-Fi Network Engineer
University of Utah Network Services
CWNA, CWDP, CWSP, CWAP
Office 801-587-1313



P2P Blocking Approaches

2019-09-18 Thread Curtis K. Larsen
Hello, I am wondering if any have tried to implement P2P blocking via some 
other method than just toggling the button on the WLC for the whole WLAN.  
Imagine that within a given WLAN you must allow P2P for some clients but are 
required to deny it for others.  Now let's suppose that you don't want to use 
dynamic VLAN assignment or VRF's plus Firewalls.  Any other approaches?

There is a P2P Blocking section in this Cisco iPSK Deployment guide:  
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_Identity_PSK_Feature_Deployment_Guide.html

Has anyone tried anything like this yet?  Let me know.

Thanks,

--
Curtis K. Larsen
Senior Wi-Fi Network Engineer
University of Utah
CWNA, CWDP, CWSP, CWAP
Office 801-587-1313



Re: [WIRELESS-LAN] Performance improvements from hallway to in-room

2019-09-06 Thread Curtis K. Larsen
Here are some interesting links on this topic:

World Health Organization:  
https://www.who.int/peh-emf/publications/facts/fs304/en/

Wi-Fi Alliance:  https://www.wi-fi.org/wi-fi-and-health

Cisco 1815W Install Guide:   "7.87 inches of separation"   
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1815/quick/guide/ap1815wgetstart.html

https://www.forbes.com/sites/quora/2016/05/19/a-radiation-oncologist-says-everything-you-need-to-hear-about-wifi-and-cancer-risk/#53d25dde7267

https://www.cdc.gov/nceh/radiation/nonionizing_radiation.html


...On the other side of the argument ...you can find stuff like this:


https://www.theepochtimes.com/tuning-in-to-microwave-sickness_2925499.html


Thanks,

Curtis


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Friday, September 6, 2019 11:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Performance improvements from hallway to in-room

Maybe this is the reason he is a ‘former’ colleague :)

In reality I'm not a doctor or RF researcher.  There have been plenty of 
instances in history where we thought something was safe, only to be proven 
wrong later.  I try to take a softer approach.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Sep 6, 2019, at 1:32 PM, Jonathan Miller <jmill...@fandm.edu> wrote:

One of my former colleagues told a story that he referred a scared/angry parent 
to one of these:



It was enough to make them happy :)

Jonathan Miller
Network Analyst
Franklin and Marshall College


On Fri, Sep 6, 2019 at 12:26 PM Hall, Rand <ha...@merrimack.edu> wrote:
Random data point: we replaced 375 dorm APs this summer and 3 had tape over the 
LED

Rand

Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.h...@merrimack.edu

If I had an hour to save the world, I would spend 55 minutes defining the 
problem and five minutes finding solutions. – Einstein


On Thu, Sep 5, 2019 at 5:53 PM Hunter Fuller <hf0...@uah.edu> wrote:
Sometimes I wonder if we're the only campus that doesn't get that type
of thing. We used to have a few "can you turn off this LED" before we
just turned all of them off by default.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Thu, Sep 5, 2019 at 3:26 PM Christopher Brizzell
<0113a07d9d59-dmarc-requ...@listserv.educause.edu> wrote:
>
> Just be ready for some amount of backlash from an angry/ignorant parent. 
> Every year (including yesterday) we have parents contact us saying we needed 
> to remove all APs from bedrooms because of the health risk to the students 
> living in those spaces.
>
>
>
> Thank you for the information, however. Any amount of proof to help solidify 
> our decision helps.
>
>
>
>
>
> Chris Brizzell
>
> Assistant Director of Network and Technical Services and Network Administrator
>
> Skidmore College
>
> cbriz...@skidmore.edu
>
> 518-580-5994
>
>
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H
> Sent: Thursday, September 5, 2019 1:43 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Performance improvements from hallway to in-room
>
>
>
> All:
>
>
>
> We all know that moving from hallway deployments to in-room deployments pays 
> dividends.  This summer we started doing some re-cabling work on smaller 
> dorms to move from hallway to in-room.   We also went away from Aruba higher 
> performance APs to the hospitality APs for these locations.  Even though the 
> AP cost is significantly less, the cabling costs made this move a premium 
> option.  Nonetheless, thanks to data provided to us from Nyansa Voyance, we 
> are able to clearly demonstrate to Housing that these funds were well spent.  
> After the changes, these dorms went from some of the worst performing 
> locations on campus to some of the best.  When you look at the graphs below, 
> the Y axis is percentage of users that are affected by poor wifi performance 
> (I believe Nyansa measures this as clients that experience a 25% retransmit 
> rate from the AP to client).  With Nyansa, it determines behavior on usage 
> level.  So when you see the dashed line, it means that usage was below or 
> above the threshold during that time frame.  I picked the usage level that 
> would show the most complete picture, but going from low/medium/high all show 
> the same improvement levels.
>
>
>
> Carmichael:
>
>
>
>
>
> Lewis:
>
>
>
> Everett:
>
>
>
> Ryan Turner
>
> Head of Networking
>
> The 

Re: Cisco AP2800 failure rate

2018-08-16 Thread Curtis K. Larsen
We just turned up a new building with about 80 APs.  6 of them were stuck 
"waiting for uplink".  We think it's this bug:  
https://quickview.cloudapps.cisco.com/quickview/bug/CSCva34879


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Daniel Joseph Infantino 

Sent: Thursday, August 16, 2018 8:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco AP2800 failure rate

We have had hundreds come to us recently that were in various stages of reboot 
loop right out of the box – Cisco designed a custom patch for us because they 
claimed it was a bug with early 8.5 code. It seems to me that it must be 
something related to the hardware or the manner in which they were prepped at 
factory, because we never changed our environment.  Pre- Spring 2018 we had no 
problems with new 2802’s joining. So, even though we might not have the exact 
same problem – I suspect that QA has not been wonderful on these.. Curious what 
code you are running?  Are the units bricked, or just rebooting? Cisco may be 
able to do a similar patch for you so that you don’t have to RMA seventy units.


Daniel Infantino
Sr. Wireless Engineer
Networking and Telecommunications
Clemson University
864-656-2609

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Sam Ziadeh
Sent: Thursday, August 16, 2018 9:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco AP2800 failure rate

Is anyone else seeing a high rate of Cisco AP 2800 failures? Out of a batch of 
~500 recently installed APs, we have had roughly 70 fail. Some were online for 
a month, but some only a few days.
Typically they will fail after a powercycle or loss of power.
We are working with Cisco on this, but I’m curious if this is a more wide 
spread problem.

-
Sam Ziadeh
Manager, Network Engineering & Architecture
University Networking & Infrastructure
Information Technology Services
Louisiana State University
(225) 578-0074
szia...@lsu.edu

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


Re: Apple TV alternative?

2018-06-20 Thread Curtis K. Larsen
Most Apple TVs purchased in the last few years can use bluetooth for discovery 
instead of the network, but failing that Airtame is a decent option.  
https://airtame.com

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Joseph Bernard 

Sent: Wednesday, June 20, 2018 8:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple TV alternative?

Does anyone have success with a device that is $200 or less that works with 
Apple devices to share video and works with an enterprise wifi network 
(802.1x/PEAP)?

Thanks,
Joseph Bernard


Re: [WIRELESS-LAN] Aironet 1560,2800, and 3800 Series Access Points Fail to Pass Traffic (field notice 5/29/18)

2018-06-11 Thread Curtis K. Larsen
I saw this once after a power outage caused the AP to reboot.  Another reboot 
fixed it.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Lee H Badman 

Sent: Monday, June 11, 2018 8:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aironet 1560,2800, and 3800 Series Access Points 
Fail to Pass Traffic (field notice 5/29/18)

We did see at least one instance of this at end of last year, moved off of the 
problem code.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Will Dawes
Sent: Monday, June 11, 2018 10:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aironet 1560,2800, and 3800 Series Access Points Fail 
to Pass Traffic (field notice 5/29/18)

Has anyone noticed any evidence of Cisco late model access points 
(2800/3800/1560) with the issue of associated clients not able to ping default 
gateway, and then not pass traffic?

It’s Cisco TAC field notice FN70208 5/29/2018. Bug ID CSCve57121.

--
Will Dawes
Wireless Network Engineer
- CWNA (Certified Wireless Network Administrator)
- ECSE  (Ekahau Certified Survey Engineer)
ITS / Network and Engineering Architecture
Louisiana State University
200 Frey Computing Services Center, Baton Rouge, LA  70803
office 225.578.5926
wda...@lsu.edu


Re: [WIRELESS-LAN] DHCP Lease Times

2018-05-08 Thread Curtis K. Larsen
Thanks Lawson.

Curious how you decided on two hours.  Was that because session times are 
usually one hour?  I like the idea of scopes with 50% utilization.  Also very 
important to watch CPU/load and keep it low.  

In this scenario it does mean that if your DHCP service fails, every user in 
your environment will be impacted within one hour, right?  How hard would it be 
to buy yourself more time in that regard?  What would be the downside of, say, 
24 hour leases?

Thanks,

Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lawson Cassels 
<loca...@ilstu.edu>
Sent: Tuesday, May 8, 2018 8:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] DHCP Lease Times

We have a wireless system that sees roughly 30K unique clients pass
through each day. Our address space is set up as a single large /17, as
the Aruba controllers are extremely effective at controlling multicast
and broadcast... no need to segment the IP space in my opinion.

We have the default lease time set to 2 hours, with a maximum of 3
hours. Our address space typically sits at about 50% utilization. We
feel that this is a good configuration, as it leaves extra space for
special events, unknown emergencies, or address depletion attacks. The
load on our Bluecat DHCP servers is well under 25% and they are
extremely low end hardware, so it doesn't seem like 2 hours is too short.

Lawson Cassels
Network Engineer
Infrastructure, Operations, and Networking
Illinois State University
p: 309-438-4318

On 5/8/2018 7:52 AM, Ian Lyons wrote:
> If you have Airwave one of the many "dials" is how long is your average 
> connection.
>
> Mine is 28 minutes.
>
> I set my lease time for WiFi for 1 hour. I have a /19, which might be 
> overkill, but with AD based DNS, I have poor insight into the things that go 
> bump in the night (for DNS)
>
> If Cisco, I think there was a Prime option for this data too
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis K. Larsen
> Sent: Monday, May 7, 2018 7:17 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] DHCP Lease Times
>
> Hello,
>
> I'm curious to see what process/algorithm others use when determining DHCP 
> lease times for your Wi-Fi networks.  Assuming plenty of IP addresses, what 
> DHCP lease time is ideal to assign to clients in a WLAN with 90,000 unique 
> clients/day, where avg. user spends 3hrs connected , but some (maybe 20%) go 
> several days, Keep in mind that 90% are the same user/device every day.
>
> What level of DHCP pool utilization do you think is best?  Have you found any 
> industry documentation on this?  Thanks in advance.
>
> -Curtis
>


Re: DHCP Lease Times

2018-05-08 Thread Curtis K. Larsen
I have run a report in Cisco Prime that shows the duration of the "last 
session".  Based on this report I think our average is around three hours 
...but it varies a lot.  A /19 is pretty big.  We have some /20's right now and 
I am thinking about possibly going bigger.  

It seems the rule most admins are following is to find the average session time 
and make your DHCP lease twice that time.  My thinking is a little different 
than that.  I think you should provide the maximum lease time you can while 
keeping your scopes less than 50% depleted.  My goals are:  (1)  To reduce 
unnecessary DHCPDISCOVER messages because the client can simply renew 
(especially when 90% are the same clients everyday), and (2)  Reduce the 
likelihood of impact to clients from a DHCP failure by maximizing the amount of 
time between DHCPRENEWs for clients.  In other words, if the entire DHCP 
service fails and my renew time is 12 hours away - the DHCP admins have a 
little more time to resolve things.  Thoughts?


Thanks,

Curtis



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Ian Lyons <ily...@rollins.edu>
Sent: Tuesday, May 8, 2018 6:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] DHCP Lease Times

If you have Airwave one of the many "dials" is how long is your average 
connection.

Mine is 28 minutes.

I set my lease time for WiFi for 1 hour. I have a /19, which might be overkill, 
but with AD based DNS, I have poor insight into the things that go bump in the 
night (for DNS)

If Cisco, I think there was a Prime option for this data too

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis K. Larsen
Sent: Monday, May 7, 2018 7:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] DHCP Lease Times

Hello,

I'm curious to see what process/algorithm others use when determining DHCP 
lease times for your Wi-Fi networks.  Assuming plenty of IP addresses, what 
DHCP lease time is ideal to assign to clients in a WLAN with 90,000 unique 
clients/day, where the avg. user spends 3hrs connected, but some (maybe 20%) go 
several days. Keep in mind that 90% are the same user/device every day.

What level of DHCP pool utilization do you think is best?  Have you found any 
industry documentation on this?  Thanks in advance.

-Curtis

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

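The two sizing rules in this thread, "lease = twice the average session" and "the longest lease that keeps the scope under 50% depleted", worked through on the figures quoted above (90,000 clients/day, 3 h average session, about 20% multi-day stays). This is an added example, not code from the list; it assumes a Little's-law occupancy model described in the docstring, and the `WlanProfile` class and function names are mine.

```python
"""Lease length vs. pool utilization for a Wi-Fi DHCP scope.

Added worked example; it is not code from the list thread. It puts the two
rules in the thread side by side: "lease = twice the average session" and
"longest lease that keeps the scope under 50% depleted".

Assumed occupancy model (Little's law: addresses in use = arrival rate x
address holding time), which the thread itself does not state:
  * short-stay clients arrive evenly over 24 h and hold an address for their
    session plus the full lease, because the server cannot reissue the
    address until the lease expires after the client leaves (worst case);
  * long-stay clients ("some go several days") keep renewing at T1, so they
    are treated as a standing population that always holds one address each.
Arrival peaks (start of classes, morning rush) are deliberately not modelled.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WlanProfile:
    """Client behaviour figures as quoted in the thread (hypothetical class)."""
    unique_clients_per_day: int   # thread figure: 90,000
    avg_session_hours: float      # thread figure: 3 h
    long_stay_fraction: float     # thread figure: about 20%

    def __post_init__(self) -> None:
        if not 0.0 <= self.long_stay_fraction <= 1.0:
            raise ValueError("long_stay_fraction must lie within [0, 1]")
        if self.unique_clients_per_day < 0 or self.avg_session_hours < 0:
            raise ValueError("client count and session length must be >= 0")


def usable_addresses(prefix_len: int) -> int:
    """Host addresses in an IPv4 scope, excluding network and broadcast."""
    if not 0 < prefix_len <= 30:
        raise ValueError("prefix length must be between 1 and 30")
    return 2 ** (32 - prefix_len) - 2


def rule_of_thumb_lease_hours(profile: WlanProfile) -> float:
    """The 'twice the average session time' rule mentioned in the thread."""
    return 2.0 * profile.avg_session_hours


def short_stay_rate(profile: WlanProfile) -> float:
    """Short-stay client arrivals per day."""
    return profile.unique_clients_per_day * (1.0 - profile.long_stay_fraction)


def standing_long_stay(profile: WlanProfile) -> float:
    """Addresses assumed to be held permanently by multi-day clients."""
    return profile.unique_clients_per_day * profile.long_stay_fraction


def leases_in_use(profile: WlanProfile, lease_hours: float) -> float:
    """Expected concurrent leases for a given lease length, in addresses."""
    if lease_hours < 0:
        raise ValueError("lease length must be >= 0")
    holding_hours = profile.avg_session_hours + lease_hours
    short_stay = short_stay_rate(profile) * holding_hours / 24.0
    return short_stay + standing_long_stay(profile)


def utilization(profile: WlanProfile, lease_hours: float, prefix_len: int) -> float:
    """Fraction of the scope in use; 1.0 means fully depleted."""
    return leases_in_use(profile, lease_hours) / usable_addresses(prefix_len)


def max_lease_hours(profile: WlanProfile, prefix_len: int,
                    max_utilization: float = 0.5) -> Optional[float]:
    """Longest lease that keeps the scope at or below max_utilization.

    Returns None when no lease length works: the standing long-stay
    population alone already exceeds the budget, or even a zero-length
    lease does. Returns math.inf when there are no short-stay clients,
    since only they make utilization grow with the lease length.
    """
    budget = usable_addresses(prefix_len) * max_utilization
    spare = budget - standing_long_stay(profile)
    rate = short_stay_rate(profile)
    if spare < 0:
        return None
    if rate == 0:
        return math.inf
    # Invert leases_in_use(): rate * (session + lease) / 24 == spare
    lease = spare * 24.0 / rate - profile.avg_session_hours
    return lease if lease >= 0 else None


if __name__ == "__main__":
    campus = WlanProfile(unique_clients_per_day=90_000,
                         avg_session_hours=3.0, long_stay_fraction=0.20)
    for prefix in (19, 16):
        rot = rule_of_thumb_lease_hours(campus)
        print(f"/{prefix}: lease {rot:.0f} h by the 2x rule -> "
              f"{utilization(campus, rot, prefix):.0%} of the scope in use")
        best = max_lease_hours(campus, prefix)
        print(f"/{prefix}: longest lease under 50% ->",
              "none fits" if best is None else f"{best:.2f} h")
```

On the thread's numbers the two rules pull in opposite directions: the 6 h rule-of-thumb lease puts a /16 at about 69% utilization, while the 50% ceiling caps the lease at roughly 1.9 h, and a single /19 cannot hold the multi-day population at any lease length.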


DHCP Lease Times

2018-05-07 Thread Curtis K. Larsen
Hello,

I'm curious to see what process/algorithm others use when determining DHCP 
lease times for your Wi-Fi networks.  Assuming plenty of IP addresses, what 
DHCP lease time is ideal to assign to clients in a WLAN with 90,000 unique 
clients/day, where the avg. user spends 3hrs connected, but some (maybe 20%) go 
several days. Keep in mind that 90% are the same user/device every day.

What level of DHCP pool utilization do you think is best?  Have you found any 
industry documentation on this?  Thanks in advance.

-Curtis



Re: Cisco Channel Width

2018-01-22 Thread Curtis K. Larsen
Good Call  haha.  Toyota Prius for the win!

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Osborne, Bruce W (Network 
Operations) <bosbo...@liberty.edu>
Sent: Monday, January 22, 2018 6:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width


You misspelled Toyota Prius.  Why throw away extra fuel and have higher 
maintenance issues?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Curtis K. Larsen [mailto:curtis.k.lar...@utah.edu]
Sent: Friday, January 19, 2018 11:51 AM
Subject: Re: Cisco Channel Width

In our organization (Cisco) we've seen improvements in reliability and user 
experience after switching from 40's to 20's.  I've seen an overall reduction 
in channel utilization, and CCI.  Everything we do is focused on reliability.  
I can't remember being asked for higher speeds than what we were offering and 
utilization reports indicate 20's are under-utilized.  I agree with Jeff on one 
thing though - the Toyota Corolla would be a more appropriate purchase.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of GT Hill <g...@gthill.com>
Sent: Friday, January 19, 2018 9:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

This is very anecdotal, but I have personally seen a large university go from 
20/40 to all 20 MHz and it have a 30% improvement in end user performance. 
Everyone’s mileage will vary but given the data I’ve seen no way would I run 80 
MHz channels except in VERY limited scenarios.

If I were implementing a network today I would start at 20 MHz and move UP as 
scenarios presented themselves, NOT the other way around.

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, January 19, 2018 at 9:14 AM
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

Been running that option (Best) for a long time. No downside that I’ve found 
and after a few passes it’s very stable with channel width. Even in our dense 
AP deployment residential areas, most all of our WAPs are running at 80 MHz - 
our students having mostly 11ac devices. The bandwidth use in our residential 
went way up as a result.

As to clients getting kicked off when the width changes, Cisco’s magic sauce 
tries to prevent this from happening (it’s detailed in the white papers). The 
code also makes decisions based on the client mix it sees e.g. if it sees a 
majority of 802.11n clients around a WAP, it won’t run that AP at 80 MHz. If the 
WAP is mostly 11ac, it will.

Running a static 20 MHz plan, in my opinion, is just tossing away performance 
and client experience. You wouldn’t purchase an 800HP supercar only to 
permanently disable half of its cylinders.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Les Ridgley <les.ridg...@newcastle.edu.au>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, January 18, 2018 at 6:45 PM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Cisco Channel Width

Hi All,
For those Cisco shops – has anyone configured the “BEST” parameter for channel 
width that would like to share their experiences or thoughts on the benefits or 
otherwise.

We have been advised to use 20 MHz as a campus wide setting, however DBS appears 
to offer significant benefits that would allow us to make better use of our 
802.11ac APs.  We are currently running two 8540 WLCs with around 2,500 
access points with a mix of 3600, 3700, 3800 and 1810 access points.

Thanks in advance,
Les
--
Les Ridgley
Senior Communications Officer (Network Operations),

IT Services
Resources Division
The University of Newcastle
University Drive, Callaghan

Re: [WIRELESS-LAN] Cisco Channel Width

2018-01-19 Thread Curtis K. Larsen
In our organization (Cisco) we've seen improvements in reliability and user 
experience after switching from 40's to 20's.  I've seen an overall reduction 
in channel utilization, and CCI.  Everything we do is focused on reliability.  
I can't remember being asked for higher speeds than what we were offering and 
utilization reports indicate 20's are under-utilized.  I agree with Jeff on one 
thing though - the Toyota Corolla would be a more appropriate purchase.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of GT Hill 
Sent: Friday, January 19, 2018 9:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

This is very anecdotal, but I have personally seen a large university go from 
20/40 to all 20 MHz and it have a 30% improvement in end user performance. 
Everyone’s mileage will vary but given the data I’ve seen no way would I run 80 
MHz channels except in VERY limited scenarios.

If I were implementing a network today I would start at 20 MHz and move UP as 
scenarios presented themselves, NOT the other way around.

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of "Jeffrey D. Sessler"
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Friday, January 19, 2018 at 9:14 AM
To: 
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

Been running that option (Best) for a long time. No downside that I’ve found 
and after a few passes it’s very stable with channel width. Even in our dense 
AP deployment residential areas, most all of our WAPs are running at 80 MHz - 
our students having mostly 11ac devices. The bandwidth use in our residential 
went way up as a result.

As to clients getting kicked off when the width changes, Cisco’s magic sauce 
tries to prevent this from happening (it’s detailed in the white papers). The 
code also makes decisions based on the client mix it sees e.g. if it sees a 
majority of 802.11n clients around a WAP, it won’t run that AP at 80 MHz. If the 
WAP is mostly 11ac, it will.

Running a static 20 MHz plan, in my opinion, is just tossing away performance 
and client experience. You wouldn’t purchase an 800HP supercar only to 
permanently disable half of its cylinders.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Les Ridgley
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, January 18, 2018 at 6:45 PM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Cisco Channel Width

Hi All,
For those Cisco shops – has anyone configured the “BEST” parameter for channel 
width that would like to share their experiences or thoughts on the benefits or 
otherwise.

We have been advised to use 20 MHz as a campus wide setting, however DBS appears 
to offer significant benefits that would allow us to make better use of our 
802.11ac APs.  We are currently running two 8540 WLCs with around 2,500 
access points with a mix of 3600, 3700, 3800 and 1810 access points.

Thanks in advance,
Les
--
Les Ridgley
Senior Communications Officer (Network Operations),

IT Services
Resources Division
The University of Newcastle
University Drive, Callaghan NSW 2308
les.ridg...@newcastle.edu.au,
Phone +61 2 4921 6598
Fax: +61 2 4921 6910



Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

2017-12-19 Thread Curtis K. Larsen
We're also on 8.3.133 with 8540's and 3500,3600,3700,3800, and some 1810's.  
Things are pretty good and stable and have been for a while.  I guess it must 
be time to start testing 8.5 in the lab and a few remote sites.

Thanks,

Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Jess Walczak
Sent: Tuesday, December 19, 2017 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

We've been very fortunate with no issues observed while running 8.3.133.0 on 
pairs of 8540's, 8510's, and 5508's, that run 1142, 2702, 2802, 1562, and 702w. 
Now that we are testing the 1815w out, we've had to run 8.5.105.0 on a lone 
5508 and I upgraded it to 8.5.110.0 just last night without issue.

Thanks!--JW

On Dec 19, 2017 3:42 PM, "Entwistle, Bruce" wrote:
Is sounds like we have a similar assortment of APs and we have been running 
8.2.160.0 for the current semester and it seems stable.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
Sent: Tuesday, December 19, 2017 12:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Another Cisco WLC Code Thread

Happy Holidays,

Like many others I'm sure, I've been studying all of the email threads from 
this list to see if anyone has settled on any of the current code releases on 
their controllers. With all of the bugs disabling several AP models, we have 
been holding off our code upgrade and wireless migration.

I have a plan to move about half of our wireless APs off of a pair of WiSM2s to 
our new 8540's next week. We've had the 8540's up since the summer running on 
8.4.100.0 seemingly without many issues. It's been pretty stable but there has 
only been about 80 APs on it for our Fall semester. That code release is now 
deferred and we've looked at going up to 8.5.110.0 which released just a few 
days ago. Release notes list the open caveats, and there are several that still 
impact the 3500/3600/3700 lines pretty hard. 8.6.101.0 released a day after, 
and its even more grim.

Has anyone found anything stable? We have a pretty wide deployment of APs, but 
most of them are 3500/3600/3700s with a fleet of 702W/1810W in residences. We 
simply don't have the manpower to run around and console into APs that lose 
their marbles, and our time slot to move forward is narrowing by the day.

And more importantly, I would like to sleep better over the holidays, like we 
all would I'm sure.

Thanks for the input,
Britton

Britton Anderson | Lead Network Communications Specialist | University of Alaska | 907.450.8250




Re: WLC Mobility Groups

2017-11-14 Thread Curtis K. Larsen
Interesting.  Thanks for the response - this is similar to our setup.  Do you 
find that APs from one Mobility group can see and detect AP's from another 
group as rogues?  How do you handle that?  Do you have trouble ensuring that 
APs get assigned to the proper WLC?  If an AP from mobility group A is 
accidentally joined to a WLC from mobility group B then fast-roaming is broken 
for those clients.  How do you handle that issue?  Thanks for your response.

-Curtis

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Watters, John 
<john.watt...@ua.edu>
Sent: Tuesday, November 14, 2017 1:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC Mobility Groups

We are using Cisco Mobility Groups though our implementation is somewhat 
smaller than yours. We use MPLS with three on-campus MPLS areas. Each of the 
three areas has a couple of 8510 controllers and about 3K APs. Each area also 
has its own Mobility Group. Initially we were afraid that users would have 
problems in an area that could see a wireless signal from more than one area. 
These would be mostly outdoor though there is some bleed over from adjacent 
buildings that are in different areas. We have not had a single complaint re this 
possible problem though in the 5+ years that we have been in this 
configuration.



I will be glad to give you more info off list if this would possibly be of help.


John Watters
Network Engineer, Office of Information Technology
The University of Alabama (https://www.ua.edu/)
A115 Gordon Palmer Hall
Box 870346
Tuscaloosa, AL 35487
Office: 205-348-3992
john.watt...@ua.edu



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Monday, November 13, 2017 5:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC Mobility Groups

Hi All,
Several years ago before the advent of the "bonjour gateway" and the "multicast 
vlan" feature and before I understood the difference between multicast-unicast 
and multicast-multicast we got hammered by multicast pretty good - some wired 
uplinks were flogged with just CAPWAP/multicast overhead.  At that time we had 
a single mobility group for all of our WLCs and multicast going everywhere.  
Long story short - I broke up the mobility groups, etc, etc. and things 
improved by leaps and bounds.

Fast forward several years later and with half as many controllers and probably 
twice as many APs but having much better tools for controlling multicast I find 
myself wanting to try a single mobility group again.  I am wondering if any of 
you out there are using a single mobility group with 5 or more WLCs and 7-10K 
or more APs on your campus.  If so - I'd love to exchange a few emails with you 
off list.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313



Re: [WIRELESS-LAN] WLC Mobility Groups

2017-11-14 Thread Curtis K. Larsen
Yes, I remember having similar PMK messages.  Thanks for the input.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jung Suk Park 
<jungp...@umd.edu>
Sent: Tuesday, November 14, 2017 7:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC Mobility Groups

Hello Curtis,

Based on my experiences, there are limitations like how many clients and APs 
and authentication information can be handled by one controller under mobility 
group.
I found a document for RF group's limitations, but could not find anything for 
a mobility group.

We used to have two dozen 5508s with about 5K access points under one 
mobility group, but couldn't see if it worked or not.
However, while I was debugging something else, I saw a lot of PMK related 
errors/logs and it indicated that the controller could not handle all that 
information from other mobility group WLCs.

I personally won't try to put more than 4 WLCs under one mobility group if WLCs 
are running with max capacity.

I hope it helps.

Jung Park




On Mon, Nov 13, 2017 at 6:36 PM, Curtis K. Larsen 
<curtis.k.lar...@utah.edu> wrote:
Hi All,

Several years ago before the advent of the "bonjour gateway" and the "multicast 
vlan" feature and before I understood the difference between multicast-unicast 
and multicast-multicast we got hammered by multicast pretty good - some wired 
uplinks were flogged with just CAPWAP/multicast overhead.  At that time we had 
a single mobility group for all of our WLCs and multicast going everywhere.  
Long story short - I broke up the mobility groups, etc, etc. and things 
improved by leaps and bounds.

Fast forward several years later and with half as many controllers and probably 
twice as many APs but having much better tools for controlling multicast I find 
myself wanting to try a single mobility group again.  I am wondering if any of 
you out there are using a single mobility group with 5 or more WLCs and 7-10K 
or more APs on your campus.  If so - I'd love to exchange a few emails with you 
off list.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313



WLC Mobility Groups

2017-11-13 Thread Curtis K. Larsen
Hi All,

Several years ago before the advent of the "bonjour gateway" and the "multicast 
vlan" feature and before I understood the difference between multicast-unicast 
and multicast-multicast we got hammered by multicast pretty good - some wired 
uplinks were flogged with just CAPWAP/multicast overhead.  At that time we had 
a single mobility group for all of our WLCs and multicast going everywhere.  
Long story short - I broke up the mobility groups, etc, etc. and things 
improved by leaps and bounds.  

Fast forward several years later and with half as many controllers and probably 
twice as many APs but having much better tools for controlling multicast I find 
myself wanting to try a single mobility group again.  I am wondering if any of 
you out there are using a single mobility group with 5 or more WLCs and 7-10K 
or more APs on your campus.  If so - I'd love to exchange a few emails with you 
off list.  

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313



Re: [WIRELESS-LAN] Wireless Door Locks?

2017-11-06 Thread Curtis K. Larsen
We had an interesting experience with Wi-Fi door locks for a new building.  We 
met with the vendor a year before the building was complete.  We asked if the 
locks could connect on 5GHz and were told it was coming soon, we asked if the 
locks could do 802.1x with EAP-TLS and got blank stares.  So we asked if we 
could test one a few months before the building was up.  When we tested we 
found the devices had only support for 2.4GHz, and EAP-TLS would not work 
because the device did not have enough NVRAM to store a 2048 bit certificate. 

The vendor scurried to release a new device that supported 5GHz and could store 
a certificate just after the building opened.  We finally had them all 
connecting with WPA2-Enterprise on 5GHz with 3 year certs only to find the 
batteries were draining about ten times as fast as advertised.  What was the 
vendor solution?  Put them on 2.4GHz.  

Anyway, I learned my lesson.  We now have an ESSID for IoT devices which will 
use 2.4GHz, simple encryption, and low data rates for a long time.  We intend 
to use Cisco's I-PSK in the future and to put all IoT devices there to keep 
them away from our Primary ESSID which is becoming 5GHz only, uses WPA2-ENT, 
and incorporates higher minimum basic rates.

Thanks,

Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Chris Adams (IT) 

Sent: Monday, November 6, 2017 8:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

Chuck,

I think one of the biggest considerations for Wi-Fi locks is having a SLA or 
MOU for how network operations & maintenance would interact with the party 
responsible for the locks. The main justification for using Wi-Fi locks (that 
I’ve heard, anyway) is the reduced cost of bringing the doors “online.” Rather 
than cabling to each door, the onus for connectivity becomes an IT and 
Networking responsibility. With true out-of-band doors, if the wireless or 
network is down or under maintenance, no one’s access is affected. In the end, 
leveraging the wireless network to support these locks adds value to the 
network, but may add complexity to how it’s maintained.

Most of this can be mitigated by cached credentials, etc, but is something to 
consider.


Thanks,

Chris Adams, CISSP

Assistant CIO, Network & Telecom
Division of Information Technology
University of North Georgia
E-Mail: chris.ad...@ung.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Monday, November 6, 2017 9:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

Hi Greg,

Locks tend to have a very low network duty-cycle, so interference between the 
802.15.4 network and 2.4GHz Wi-Fi will be minimal.  That said, it may be worth 
considering Wi-Fi locks instead.  That will ensure that they play well with 
other Wi-Fi devices and will spare the institution the cost of installing and 
managing a separate network for locks.

On the down side of using Wi-Fi locks, the refresh cycle for Wi-Fi is shorter 
than for locks.  If you have a bunch of locks reliant on outdated features it 
could hamper Wi-Fi performance down the road.  The refresh cycle would have to 
be discussed with your facilities management, and/or security people.

To the group, can you think of any other advantages/disadvantages of putting 
the locks on Wi-Fi?

Chuck

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, November 6, 2017 9:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

It’s not what you’re asking, but we are using ASSA-ABLOY .11n locks. Fairly 
easy to support.
Lee Badman (mobile)

On Nov 6, 2017, at 8:32 AM, Gregory Fuller wrote:
Haven't seen any recent discussion here about wireless door locks.  Our 
physical access team is looking to install some wireless door locks in an 
administrative building.  I can see it growing past this building pretty 
rapidly and want to make sure they aren't putting in something that is going to 
cause us headaches.

They are looking to install Aperio "HUB's" as they call them:

https://vo-general.s3.amazonaws.com/53aee5c6-9690-4c74-a82a-09f1d0f1ec68/d0vBYdO5QWWKURZqvp0w_AA%20Aperio%20Family%20Brochure.pdf?AWSAccessKeyId=AKIAJ3YBR5GY2XF7YLGQ=1582662909=inline%3B%20filename%3DAA%20Aperio%20Family%20Brochure.pdf=application%2Fpdf=920fJFxmRxXi9vkJ7zrIVHZao9o%3D


This appears to be using some variant of 802.15.4, which has the ability to run 
between our 802.11g/n 2.4GHz channels, but will cause co-channel interference.  
I'm a bit concerned that there will be 

eduroam Requests Not Received at Border Firewall

2017-10-11 Thread Curtis K. Larsen
Hi Guys,

I have an issue when I send requests via the eduroam website realm test tool 
(eapol_test) and for some of them I get a "No response" or "Timeout" result, 
and other times a success without changing the client configuration parameters. 
Doing a tcpdump at my server and matching up errors from the realm test tool 
sometimes not a single packet is seen from the eduroam servers, other times a 
partial number of packets are seen, and sometimes all packets are seen in which 
case my server returns an Access-Accept and all is well.  

I then go to my border firewall and see the same matching packet counts as at 
my server.  Basically, I run the eapol_test from the website and sometimes 
nothing is seen at my border firewall, sometimes half the normal 
access-challenges occur, and then when I see the normal number of packets there 
is a corresponding number of packets on my backend server and a successful 
authentication at my server.  One thing that is interesting but maybe not too 
relevant is that it seems to affect remote EAP-TLS connections twice as often 
as remote PEAP connections ...but both are sporadic.  Local authentications on 
the other hand are fast and successful 100%.  I am finding myself 
unfortunately needing to troubleshoot the internet at this point.  Anyway, I 
guess my questions for the group are:

1)  If you run the tests from the eduroam realm test tool are the results 
consistently successful against your servers?
2)  Is anyone aware of maybe a problem with the way the website runs the 
eapol_test script that sometimes would cause no request to even be sent?
3)  If two or three Access-Challenge requests are sent from my servers to the 
eduroam servers, I see them leave my border firewall, and I never get a reply 
back what am I to do?


Thanks,


--
Curtis K. Larsen
Senior Wi-Fi Network Engineer
University of Utah IT/CIS
Office 801-587-1313


iOS 11.0.1 Captive Network Assistant Behavior

2017-09-28 Thread Curtis K. Larsen
Has anyone noticed a difference in Apple's CNA behavior on iOS 11.0.1?  It 
seems when the user clicks a link whilst still in the captive browser it opens 
it in the real Safari browser.  The problem is the real Safari browser is only 
found behind the captive browser which takes up the full screen.  So the user 
has to click the blue "Done" link in order to see the URL you linked to.  If a 
user doesn't happen to notice the blue "Done" link they may think the captive 
portal is just broken or hung.

In iOS 10.3.3 the link would redirect and load the linked page staying inside 
the captive browser for the duration.  Just sharing an observation.


Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313



Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Curtis K. Larsen
From the Cisco/Apple Design Guide here:  https://goo.gl/5bGWks

"It is therefore not yet recommended to use 80 MHz channel width design. If 
necessary, it should only be
considered for low AP density deployments where co-channel interference can be 
easily avoided."

I personally like the approach here:  https://goo.gl/FcPHFq

– More channels means more capacity
– 80MHz – small deployment with no interference
– 40MHz – with thick walls, one floor, and/or small deployments
– 20MHz – by default


Thanks,

Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Jeffrey D. Sessler
Sent: Tuesday, September 26, 2017 1:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Two RF Questions

Jake,

GT’s statement doesn’t speak to the quality of the university’s WiFi design, 
only that this change made a difference. Again, without the context, I still 
assert it’s meaningless.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Jake Snyder
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Tuesday, September 26, 2017 at 11:49 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Two RF Questions

Jeff,
Take in context that GT works for a company that builds a tool to quantify 
wireless problems based on in-depth packet analysis.  So when he says he sees 35% 
improvement, there’s a lot of data that goes into it.
Sent from my iPhone

On Sep 26, 2017, at 12:41 PM, Jeffrey D. Sessler wrote:
“After a switch to 20 MHz only, there was a 35% improvement in end-user Wi-Fi 
experience.”

I would argue that this is a meaningless statement without context, and 
probably a bad question to ask a user in the first place. What does the user 
think “experience” means i.e. the ability to connect or how well their 
speedtest performs? It’s not specific enough to draw a conclusion.

For example:

  1.  If 1/3 of my users had a device that could not associate because of how 
the primary channel was selected in a 40 or 80 MHz wide deployment, then those 
people would not be happy. If I then change to 20 MHz only, allowing those 
users with the problematic device to connect, there will obviously be a 
significant improvement in those users’ WiFi experience. The other users may 
still be happy because they can still connect.
  2.  If my buildings are open-concept (no walls/doors), and I have 24 AP’s on 
a 1000 sq/ft floor plan, and statically set to 80 MHz channels, then the 
end-user WiFi experience is going to be really poor. If I then switch all those 
APs to 20 MHz only, of course it’s going to be a huge improvement. Clearly, it 
was a poor design, and less about the channel width and more about the person 
who thought they knew better.

Of course, if the survey questions were more specific, and had questions like, 
“Do you consistently receive the highest 4K stream rate from NetFlix”, the 
satisfaction for this question may trend down.

Jeff



From: "wireless-lan@listserv.educause.edu" on behalf of GT Hill
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Tuesday, September 26, 2017 at 8:47 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Two RF Questions

I know that this is just one example, but I was at a large university site 
(Cisco Wi-Fi) that was running 20/40 channelization. After a switch to 20 MHz 
only, there was a 35% improvement in end-user Wi-Fi experience.

Jake – One feature that I think many people agree is missing in FRA is the 
ability to dynamically turn off a radio. In some cases an extra radio in either 
band hurts more than it helps.

And to just stir the pot a bit, I wish there were SMALLER than 20 MHz 
channelization. In many high density environments 20 MHz is just too big. Give 
me some more radios at smaller channel sizes and I’ll show you a spectacular 
Wi-Fi network. :-)

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Jake Snyder
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Tuesday, September 26, 2017 at 9:39 AM
To:

Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

2017-09-06 Thread Curtis K. Larsen
My comment had more to do with standardized captive browser behavior across 
operating systems than ease of use.  Unless you are inferring that all of EDU 
go without a captive portal.  Most of the public places I visit have a captive 
portal so I'd say the same questions apply there too.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
<j...@scrippscollege.edu>
Sent: Wednesday, September 6, 2017 11:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

On 9/6/17, 8:46 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:



It would be really nice if Google would join the club and allow their 
captive browser to switch to a full browser after the internet is reachable, 
but until then I think it's the best we can do.





I'd argue, that again, why are we in EDU making it so hard for users with these 
devices to get access to WiFi? If those devices work in every other setting, be 
it at Starbucks, Panera, hospitals, Home Depot, and so on... then EDU is doing 
something wrong.

The vendors will continue to support/do what's most compatible with "the rest 
of the world" so it's up to EDU to come to terms with why we are so different, 
and so device hostile.



Jeff

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



Re: Defeating Android 8.X Captive Portal detection

2017-09-06 Thread Curtis K. Larsen
We had the same problem.   We even discovered Android phones that were set to 
proxy (web-caching feature) requests to google.com so they would never even 
see/accept the captive portal AUP at all.  We switched to WISPr (all blocked) 
and then the problem was that as soon as the internet became reachable the 
captive browser shuts down.  It occurs on both Android 6.0+ and ChromeOS. We 
had three developers trying to code around it with JavaScript but with no 
success.  

Eventually, we settled on the best guest user experience being that a user gets 
prompted with WISPr authentication (everything blocked) so they know they have 
to accept an agreement.  After that we re-direct the operating systems that 
allow redirecting while removing the blocks so they switch to a full/real 
browser to complete onboarding steps if they choose.  

It would be really nice if Google would join the club and allow their captive 
browser to switch to a full browser after the internet is reachable, but until 
then I think it's the best we can do.


--
Curtis K. Larsen
Senior Wi-Fi Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Wednesday, September 6, 2017 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

We haven’t had the problem with OSX.  I worked hard to get rid of captive 
portal detection on all browsers.  Everything has been great, until now.

We have a setup like this:

We use a pfSense firewall on an onboarding SSID.  Users have 2 states:  
unauthenticated and authenticated.  Prior to being authorized (which requires 
logging in on a web portal), their connection is extremely limited except with 
whatever holes I have poked through to defeat captive portal detection and make 
things smoother.  Once they are authenticated, there is NO ACL on the back-end, 
but I do blackhole a bunch of popular sites (through DNS redirection) so people 
will not use the onboarding SSID for browsing.  For the new Android, with our 
setup, the pseudo browser remains open, even post authentication (which 
probably means one of those blackholed sites I have is being checked and still 
doesn't indicate connectivity).

My 'workaround' for the moment is to allow google.com to go through...  which is 
not a good one.  Since google.com is most people's default page, it means they 
will NOT get a wireless redirect to login and authenticate until they browse 
somewhere else.  So I don't think I am going to keep this.  I may just have to 
add some verbiage to the login page that educates Android users, but it will 
probably only be read 1 out of 10 times.

I really hate how it feels like we are having to constantly work against google 
with this stuff…


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wyatt Schill
Sent: Tuesday, September 5, 2017 4:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

This is the same problem we have with Mac laptops, the 'pseudo' browser will 
allow the user to run through the whole onboarding process until the final 
download step where it refuses to allow the user to download a config file.

Our only fixes are to continually educate users to close the 'pseudo' browser 
and open a full version of Safari, or to add pre-auth ACLs to allow the device 
to fully access the Apple URLs it is checking so that the 'pseudo' browser 
never pops up and the user manually opens a standard browser to get the initial 
captive portal.

Looks like Android will need something similar.  (Although we already have some 
of Google open to allow guests to use Google credentials to authenticate, so it 
probably won't be much extra to add.)

Wyatt Schill
Senior Network Engineer
CCNA-Security, CCNP-R
Green River College
12401 SE 320th St. Auburn, WA 98092
wsch...@greenriver.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Tuesday, September 5, 2017 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

Even though Android is only 7% of our install base, it amounts to 75% of my 
problems…

It ‘appears’ on first glance that google has changed the captive portal 
detection on version 8.  It ‘appears’ (very early into this, so this may 

Re: Defeating Android 8.X Captive Portal detection

2017-09-05 Thread Curtis K. Larsen
After running into this issue a few times we decided to start users out in a 
captive portal with WISPr, and then after they accept the AUP we remove the 
preauth ACL - then at least for Macs/Windows they are re-directed to complete 
the TLS onboarding process and they can download the necessary profile, cert, 
etc.  Of course after we remove the pre-auth ACL for Android (6.0 and above) 
it just shuts down the browser.  So, we decided to send Android 6.0 and above 
users to a different captive portal (based on browser user-agent) and advertise 
the onboarding URL up front - just telling them to visit the URL after their 
browser closes.


Thanks,

Curtis



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Wyatt Schill 

Sent: Tuesday, September 5, 2017 2:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

This is the same problem we have with Mac laptops, the 'pseudo' browser will 
allow the user to run through the whole onboarding process until the final 
download step where it refuses to allow the user to download a config file.

Our only fixes are to continually educate users to close the 'pseudo' browser 
and open a full version of Safari, or to add pre-auth ACLs to allow the device 
to fully access the Apple URLs it is checking so that the 'pseudo' browser 
never pops up and the user manually opens a standard browser to get the initial 
captive portal.

Looks like Android will need something similar.  (Although we already have some 
of Google open to allow guests to use Google credentials to authenticate, so it 
probably won't be much extra to add.)

Wyatt Schill
Senior Network Engineer
CCNA-Security, CCNP-R
Green River College
12401 SE 320th St. Auburn, WA 98092
wsch...@greenriver.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Tuesday, September 5, 2017 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

Even though Android is only 7% of our install base, it amounts to 75% of my 
problems…

It 'appears' on first glance that Google has changed the captive portal 
detection on version 8.  It 'appears' (very early into this, so this may 
change) that Google now checks for both a generate_204 on 
connectivitycheck.gstatic.com and a gen_204 on 
www.google.com.  Why is this a problem?

We, as many people do, have an onboarding SSID.  TLS requires proper onboarding. 
  That means that we need to process people through the portal in an orderly 
manner to get them where they need to go.   When Android 8.X detects a captive 
portal, it will prompt the user to 'sign in'.  This process opens a pseudo 
browser (a browser that is limited in what it can do) to the captive portal 
login.  After the user logs in, the user stays inside of the 'pseudo' browser.  
The browser has limited powers, and apparently will not allow the user to 
download or install an agent or configuration files.  You can see the problem...  
They will get to the onboarding page, and nothing will work.

I've managed to 'bypass' the problem, but it isn't ideal.  Has anyone else 
seen this with commercial portals and figured out ways around it?

It is possible all of this is in error, but I just got done with a bunch of 
packet captures that seem to validate this.  I only have one Oreo user in my 
vicinity, so I will need to get my hands on a few more to see if this really is 
an issue, or just bad luck.

Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile

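The probe-and-redirect behaviour the thread describes (the two Android 8 probe URLs Ryan saw, Curtis's User-Agent split that sends Android 6.0+ to a separate portal, and Ryan's suspicion that a DNS-blackholed host keeps the pseudo-browser open after login), modelled as an added Python example. This is not code from any poster; the portal URLs, the User-Agent regex and the two-state session model are constructed assumptions.

```python
"""Model of the onboarding-SSID captive portal flow from the thread.

Constructed example: portal URLs, the User-Agent parsing and the session
states are assumptions made for illustration, not any poster's setup.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Probe endpoints Ryan observed Android 8.X checking. Both must get a 204
# before the OS treats the network as "online" and closes its pseudo-browser.
PROBES = (
    ("connectivitycheck.gstatic.com", "/generate_204"),
    ("www.google.com", "/gen_204"),
)

# Hypothetical portal pages (assumption, not real hosts).
DEFAULT_PORTAL = "https://portal.example.edu/aup"
ANDROID_PORTAL = "https://portal.example.edu/aup-android"  # advertises onboarding URL up front
BLOCKED_PAGE = "https://portal.example.edu/blocked"        # DNS-blackhole landing page

_ANDROID_RE = re.compile(r"Android (\d+)(?:\.(\d+))?")


def android_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a browser User-Agent, or None if not Android."""
    m = _ANDROID_RE.search(user_agent)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def choose_portal(user_agent: str) -> str:
    """Curtis's split: Android 6.0 and above get the portal that tells the user
    where to go once the captive browser shuts itself down."""
    v = android_version(user_agent)
    if v is not None and v >= (6, 0):
        return ANDROID_PORTAL
    return DEFAULT_PORTAL


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None


def handle_request(host: str, path: str, user_agent: str, accepted_aup: bool,
                   blackholed: FrozenSet[str] = frozenset()) -> Response:
    """Answer one HTTP request the way the pre-auth ACL plus portal would.

    Pre-AUP everything is redirected to the portal (WISPr, all blocked).
    Post-AUP the ACL is gone, except that DNS-blackholed hosts still land on a
    block page, and connectivity probes are answered with the 204 the OS expects.
    """
    if not accepted_aup:
        return Response(302, choose_portal(user_agent))
    if host in blackholed:
        return Response(302, BLOCKED_PAGE)
    if (host, path) in PROBES:
        return Response(204)
    return Response(200)


def os_considers_online(user_agent: str, accepted_aup: bool,
                        blackholed: FrozenSet[str] = frozenset()) -> bool:
    """True only if every probe returned 204: the OS then closes the pseudo-browser."""
    return all(
        handle_request(host, path, user_agent, accepted_aup, blackholed).status == 204
        for host, path in PROBES
    )


if __name__ == "__main__":
    # Constructed User-Agent string for an Android 8 client.
    ua = "Mozilla/5.0 (Linux; Android 8.0.0; Pixel) AppleWebKit/537.36"
    print("portal for Android 8:", choose_portal(ua))
    print("online after AUP, no blackhole:", os_considers_online(ua, True))
    # Ryan's case: www.google.com is blackholed, so the gen_204 probe never
    # succeeds and the pseudo-browser stays open even after login.
    print("online after AUP, google.com blackholed:",
          os_considers_online(ua, True, frozenset({"www.google.com"})))
```

Running it shows the failure mode directly: with www.google.com in the blackhole list, the post-login probe set never fully succeeds, which is why allowing google.com through "fixed" it at the cost of the redirect.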



Re: 5GHz Micro Adapters

2017-08-28 Thread Curtis K. Larsen
I carry a couple of these for those occasions when an end-user laptop radio is 
fubar and they don't believe it:

https://www.amazon.com/Linksys-Wireless-Mini-Adapter-AE6000/dp/B00BWT1IFE/ref=sr_1_1?ie=UTF8=1503960935=8-1-spons=Linksys+AE6000=1

The drivers autoinstall on Windows.

I have not measured the performance but it seems decent when I have used it.  
Few people these days I think will apply the effort to research and replace the 
internal radio.


Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Johnson, Christopher 
<cbjo...@ilstu.edu>
Sent: Monday, August 28, 2017 4:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 5GHz Micro Adapters

Good Evening,


1.   Has anyone had any experience and would recommend a particular 5GHz 
Wifi Micro USB adapter for students that have a Windows Laptop with a 2.4GHz 
only integrated adapter?

2.   How is the quality/performance of a 5GHz Micro USB Adapter?

a.   I can’t imagine it performing as well as a laptop with Wi-Fi antennas 
integrated throughout the monitor.

b.   Would it be better to recommend the internal Wi-Fi NIC be swapped 
out for another compatible model – although I could see this being an issue if 
the antennas weren't dual-band capable.

Thank you and have a great night!

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook (https://www.facebook.com/ISUITHelp/) and 
Twitter (https://twitter.com/ISUITHelp)



Re: [WIRELESS-LAN] EAP-TLS

2017-08-14 Thread Curtis K. Larsen
I'm not sure the two have to be mutually exclusive.  You could let people 
connect initially with PEAP and then re-direct them to complete the TLS 
onboarding process.  Obviously they could still lose their password but it 
would be exposed for a shorter time period and they'd likely not have to 
re-provision for a year or two.  I guess you could also do this with iPSK,PPSK, 
DPSK and not expose the password at all.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<lhbad...@syr.edu>
Sent: Monday, August 14, 2017 11:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

One interesting trade-off: if I have good AD credentials and pop up a new Mac 
or Windows machine without any kind of onboarding in play, I will get on the 
network quickly one way or the other with PEAP/MS-CHAPv2. Maybe I'm prompted 
to accept the server, but I'll get on. This is good and bad. I got on, but not 
the way that the Security and Network folks might have wanted me to get on- 
because the cert stuff is optional with PEAP/MS-CHAPv2 on non-AD machines that 
you don't control. That's arguably bad.

But... I got on. And I got authentication and encryption, without IT 
intervention. From the user perspective, this is good. I didn't have to 
onboard, I didn't need IT help. I wasn't stranded if I didn't understand what 
the onboarding SSID is all about, etc.

With TLS- you get properly onboarded, or you're sucking wind until you do. But 
once you do, TLS' advantages kick in as described in this thread. But that 
"easy on" thing is gone... no matter how simple you make TLS onboarding, it 
still requires end users to comprehend it. So, to me, part of going to TLS is 
with the understanding that occasionally someone will be stranded by their own 
lack of understanding the process, that somebody may be someone important 
and/or vocal, the stranding will occur at the worst time of day and in the 
worst circumstance in accordance with Murphy's Law, and there will be some 
increase in related trouble calls.

None of this negates TLS' value, but at the same time you have to go into it 
with your eyes open to the perspective of the BYOD crowd on campus versus what 
they are currently accustomed to.

One man's o-pinion.

-Lee

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Monday, August 14, 2017 1:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Excellent Point.  We did some testing with LDAP group lookups, etc. vs. 
checking for an attribute in a user certificate for authorization and found the 
performance to be significantly better for the same number of authentications 
when *not* having to wait for LDAP.  Another benefit is not having to worry 
about users that have trouble typing passwords/getting their account locked out 
for failed attempts.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Curtis, Bruce 
<bruce.cur...@ndsu.edu>
Sent: Monday, August 14, 2017 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

> On Aug 11, 2017, at 7:45 AM, Bucklaew, Jerry <j...@buffalo.edu> wrote:
>
> To ALL:
>
> I am going to amend my initial request to "does anyone have any other 
> reasons to switch to eap-tls besides the ones I list below"? I am trying to 
> build a case for switching and want to gather all the benefits.

  One other benefit that I haven't seen mentioned in the thread yet is that 
EAP-TLS removes dependency on Active Directory or other identity box.
  So an outage or slowdown of Active Directory (or other external box) does not 
affect RADIUS and wireless logins.


> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
> Sent: Thursday, August 10, 2017 3:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> Lee,
>
> I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and

Re: [WIRELESS-LAN] EAP-TLS

2017-08-14 Thread Curtis K. Larsen
Excellent Point.  We did some testing with LDAP group lookups, etc. vs. 
checking for an attribute in a user certificate for authorization and found the 
performance to be significantly better for the same number of authentications 
when *not* having to wait for LDAP.  Another benefit is not having to worry 
about users that have trouble typing passwords/getting their account locked out 
for failed attempts. 


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Curtis, Bruce 
<bruce.cur...@ndsu.edu>
Sent: Monday, August 14, 2017 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

> On Aug 11, 2017, at 7:45 AM, Bucklaew, Jerry <j...@buffalo.edu> wrote:
>
> To ALL:
>
> I am going to amend my initial request to "does anyone have any other 
> reasons to switch to eap-tls besides the ones I list below"? I am trying to 
> build a case for switching and want to gather all the benefits.

  One other benefit that I haven’t seen mentioned in the thread yet is that 
EAP-TLS removes dependency on Active Directory or other identity box.
  So an outage or slowdown of Active Directory (or other external box) does not 
affect RADIUS and wireless logins.


> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
> Sent: Thursday, August 10, 2017 3:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> Lee,
>
> I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
>
> We have been a eap-peap shop for years and I have always been told that 
> eap-tls (cert based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 
> with it.  We are an Aruba shop and the clearpass Onboard system seems pretty 
> simple to implement and get EAP-TLS working.
>
> Now to the why.   It seems that the ability to separate username/password 
> from network authentication has some benefits.   If a user changes his 
> username/password it no longer affects his network connectivity.  If we want 
> to blacklist a device it will be easy as each device will have its own cert. 
> So we can blacklist one device and let the rest still on.  We could do those 
> things today but it is just a little harder to do with eap-peap.   We can 
> also get users out of storing their usernames and passwords, because everyone 
> does it with eap-peap. The thought process went, if you are going to run an 
> on-board process anyway, why not onboard with eap-tls.  On the wireless side 
> that is really all I have.  I have always been told it is more secure so have 
> always thought I should try and get there.
>
> Now, we are also moving to wired authentication on every port.   We are 
> supporting both mac auth and 802.1x (eap-peap).  We did this to get the 
> project moving and get all ports to some type of authentication.  Now 802.1x 
> on the wired side is just plain difficult.  Nothing except macs are setup for 
> it out of the box.   You need admin rights on the machine to set it up (which 
> many people on the wired side don't have) and you almost have to run through 
> some type of onboard process to do it in mass.   You have to deal with stuff 
> like network logons and mounting drives before authentication. We also don't 
> want the users storing usernames and password and everyone will because no 
> one wants to type it in every time.   I am back to the if you are going to 
> run through an onboard process anyway, will certs make it a little easier.   
> It gives you the username/password separation.   The ability to revoke per 
> device, and once onboarded, never have to be bothered again (until the cert 
> expires).
>
> I am not really concerned about peap being deprecated, it will be around 
> forever.   I am not really concerned about usernames and passwords being 
> stolen because of eap-peap, there are so many easier ways to do that.  It 
> guess it is really the username/password separation and the "thought" that it 
> is the most secure method.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Thursday, August 10, 2

Re: [WIRELESS-LAN] Cisco 3800 Series APs

2017-07-06 Thread Curtis K. Larsen
We had this same issue.  Although I think it was affecting Macbooks originally 
and then migrated to Windows a few months later.  But yes, it seems to have to 
do with the Creators update but TAC said the new default will be 1250 anyway.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Gavin Pyle 
<gp...@greenriver.edu>
Sent: Thursday, July 6, 2017 9:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 3800 Series APs

We recently replaced the APs in one of our buildings with 2802's and 
experienced slow throughput on Windows 10 devices.  We had one older 3602 AP in 
the building that we didn't replace and found that when the same clients 
connected to it, they didn't experience any issues.  This post on Cisco's 
support forums 
(https://supportforums.cisco.com/discussion/13089001/packet-loss-2800-ap) 
suggested that modifying the "Global TCP Adjust MSS" setting on the controller 
to 1250 may resolve the issue, so we adjusted the MTU on a couple of Windows 10 
laptops first to test and it did resolve the issue, so we modified the setting 
on the controller.

We’re on WLC 5520, software version 8.3.102.0.  We didn’t test with a full 
range of devices, however it seemed to only affect Windows 10 devices with the 
Creator update.  Other devices we tested were iPhones, Android phones, and Mac 
Laptops, and they didn’t seem to have any issues.
Gavin Pyle
Network Engineer
Information Technology
Green River College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Watts
Sent: Thursday, July 6, 2017 5:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 3800 Series APs

Well that is troubling. We are about to deploy around 200 of them. Is anyone 
else experiencing similar issues to this on 2802's?

--
Jason Watts
Pratt Institute, Academic Computing
Senior Network Administrator



Sent from my iPhone

On Jul 6, 2017, at 7:23 AM, Scharloo, Gertjan <g.schar...@uva.nl> wrote:
Hi Bryan,

The University of Amsterdam and Amsterdam University of Applied Sciences are 
currently using 2802i Access Points since December 1, 2016 to gain experience 
with this new type of Access Point. (Only on the 9th and 10th floors)

The access points have been problematic from the start, and still there are 
complaints from end users that we can’t solve or identify properly. The same 
users can work without problems on other floors where we have 2702i Access 
Points stationed in this property.
We are currently dealing with client disconnections on the floors/buildings 
with AP2802i. This disconnection occurs every 2-3 hours, sometimes more frequently. 
Many of our clients are affected. Another issue which is a subpart of this issue 
is: the clients are connected but there is no traffic flow. These clients have 
laptops from different vendors, for example Dell, Apple, with different (updated) 
drivers. The users stay connected but cannot transmit any data.

Two months ago, we started a new software release 8.2.154.17 and we were 
hoping to fix our client disconnect issue only with the 2802i AP, but the 
problem became worse. We have started a TAC case (severity 2).


Regards

Gertjan Scharloo
ICT Consultant
_

Universiteit van Amsterdam | Hogeschool van Amsterdam

ICT Services
Leeuwenburg | room A9.44
Weesperzijde 190 | 1097 DZ Amsterdam
+31 (0)20 525 4885
Mobile : +31(0) 61013-5880
www.uva.nl
uva.nl/profile/g.scharloo
Available : Mon | - | Wed | Thu | Fri |


From: wireless-lan <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Bryan Ward <bryan.w...@dartmouth.edu>
Reply-To: wireless-lan <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, 5 July 2017 at 18:07
To: wireless-lan <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Cisco 3800 Series APs

Couldn’t find a recent discussion on the list archives, so I’ll ask my question.

For those of you that have Cisco 3800 series APs in production, how have they 
been working for you recently?
We currently purchase 3700 series APs as our standard for new installs and 
replacement of our 3500 series APs, but are now considering switching to the 
3800 series.
I heard there were a lot of issues with them at first, but was wondering if 
they’re still troublesome now that they’ve been out in the wild for some time.
Also, does anyone currently have issues using Prime to manage them?

Thanks all,

--
Bryan Ward
Network Engine

Re: Cisco 3800 Series APs

2017-07-05 Thread Curtis K. Larsen
The code reliability is pretty good now.  We're running 8.3.121.0 (for the RTLS 
capability) with ~300 3800 series APs.  A couple of lessons learned:

1-  Make sure your AP MSS is adjusted (1363 to 1250 in our case) or you'll see 
slow (like 2Mbps down) speeds on some devices with these APs but not others.
2-  Also remember they still don't have remote spectrum analysis working on 
these, and it seems they are 6-12 months out on delivering it.


Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Bryan Ward 
<bryan.w...@dartmouth.edu>
Sent: Wednesday, July 5, 2017 10:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 3800 Series APs

Couldn’t find a recent discussion on the list archives, so I’ll ask my question.

For those of you that have Cisco 3800 series APs in production, how have they 
been working for you recently?
We currently purchase 3700 series APs as our standard for new installs and 
replacement of our 3500 series APs, but are now considering switching to the 
3800 series.
I heard there were a lot of issues with them at first, but was wondering if 
they’re still troublesome now that they’ve been out in the wild for some time.
Also, does anyone currently have issues using Prime to manage them?

Thanks all,

--
Bryan Ward
Network Engineer
Dartmouth College Network Services
603-646-2245
bryan.w...@dartmouth.edu



Re: [WIRELESS-LAN] Use of Airtame on school environment

2017-05-18 Thread Curtis K. Larsen
We have a few Airtame devices (not a full scale deployment) and in general they 
work well.  Unicast discovery using DNS names in a hierarchical network is a 
beautiful thing in my opinion not to mention they do not have the scan off 
channel to 149 for the airdrop protocol problem.  I think they can also use 
multicast if you want them to.  The OS support is very broad, even Chromebooks 
and Ubuntu work.  One negative is that I think you cannot share the whole 
screen on Android - just a PPT or DOC, etc. unlike the Chromecast which allows 
sharing the whole screen.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Luiz Zicarelli 
<luiz.zicare...@graded.br>
Sent: Thursday, May 18, 2017 9:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Use of Airtame on school environment

Dear all,

we are exploring replacing our 130+ apple tvs with Airtame 
(www.airtame.com). Has anyone tested this so far? Seems 
to be very straightforward but we are concerned about its performance within a 
segmented network environment. We are an Aruba shop, with AirGroup.

Appreciate any comments.


Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Curtis K. Larsen
It matters to your PEAP user that might lose his credentials while connecting 
to our network on our property even though he was told it was a "secure" 
connection.  I'm talking about preventing the attack to the degree possible by 
not providing a service that incorporates the vulnerable component in the first 
place.  

I'm simply saying that before we added eduroam to our collection of ESSID's - 
we did not have to worry about that specific issue because we controlled the 
whole service end-to-end.  We've been running eduroam for like 5-6 years but 
with that eduroam ESSID - there are additional ramifications.  Yes an EAP-TLS 
issue could arise but if/when it does I can change all of the service 
(including the EAP type used) for my own ESSID where my reach only extends so 
far with eduroam.

Also, 5-6 years ago I was not aware of a non-eduroam method to allow guests to 
quickly provision for EAP-TLS, but now I am.  It is easy to provision guests 
off the street with EAP-TLS connections today and I can reach a much larger 
portion of the population than has eduroam credentials (at least so far).

Thanks,

Curtis



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <hf0...@uah.edu>
Sent: Friday, April 28, 2017 12:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Curtis,

That makes sense. But, if a user set up an evil twin on your campus, it would 
not matter, because you are using EAP-TLS, right? So you're not vulnerable to 
the attack where a user's credentials might be exposed.

If they wanted to exploit some other flaw that can be exploited via evil twin, 
they could still do it to your branded network.

It is also possible that I am totally misinformed on this, because we run PEAP, 
so it's a totally different beast with different mitigations.

On Fri, Apr 28, 2017 at 10:17 AM Curtis K. Larsen 
<curtis.k.lar...@utah.edu> wrote:
I guess it boils down to an attacker being less likely to setup a fake AP/evil 
twin on the property of an institution that does not support PEAP vs. one that 
does.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <hf0...@uah.edu>
Sent: Friday, April 28, 2017 8:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

I'm still not sure I follow.

It sounds like, in your current config, you have your constituents use EAP-TLS, 
and cannot use PEAP. Meanwhile your visitors use whatever their home 
institution offers.

If you ran with only the eduroam ESSID, you could run with the same config. 
Your constituents are unable to use PEAP, and must use EAP-TLS home and abroad. 
At the same time, your visitors continue to use whatever their home institution 
offers. This is a viable config.

I understand keeping two ESSIDs for branding though of course. We were lucky as 
we didn't have branded ESSIDs before eduroam either. So it was no loss to move 
to eduroam.

On Fri, Apr 28, 2017 at 09:41 Curtis K. Larsen <curtis.k.lar...@utah.edu> wrote:
My point is not that eduroam mandates a given EAP type.  My point is that if a 
given EAP type presents a vulnerability to users that will come into my 
institution's property but I allow it anyway so that another institution's 
configuration will be compatible - then I have surrendered a better security 
stance to facilitate that compatibility.  This is because the SSID is the same.

On the other hand, if I have a unique university SSID - I can easily choose the 
EAP type and thus mitigate the vulnerability more fully - this is now easy to 
do with various onboarding tools.  With HS 2.0 the roaming agreements can still 
be in place and we don't care about the SSID.  To me that sounds like the best 
of both worlds.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Cappalli, Tim (Aruba Security) 
<t...@hpe.com>
Sent: Friday, April 28, 2017 3:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

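The exposure Curtis and Hunter are arguing about depends on one thing on the client side: whether a PEAP or TTLS supplicant pins the RADIUS server certificate before it sends the MSCHAPv2 exchange through the tunnel. The following audit script is an added example, not code from the list or from any vendor mentioned in the thread; it parses wpa_supplicant-style network blocks and flags password-based EAP profiles that lack a private CA or a server-name match. The sample configuration, SSIDs, identities and file paths are constructed placeholders.

```python
"""Audit wpa_supplicant.conf network blocks for password-carrying EAP methods
that do not pin the RADIUS server.  Without a trusted CA *and* a server-name
match, a rogue AP with any certificate completes the outer TLS handshake and
collects the MSCHAPv2 exchange, which is the evil-twin problem in the thread.
Added example, not code from the list; the config below is constructed and the
SSIDs, identities and paths are placeholders."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Methods whose inner exchange carries a password or a password-derived response.
PASSWORD_EAP = {"PEAP", "TTLS", "FAST"}
# Any one of these wpa_supplicant options pins which server certificate is accepted.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


@dataclass
class Finding:
    ssid: str
    eap: str
    problems: list[str] = field(default_factory=list)


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()      # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def audit(conf: str) -> list[Finding]:
    """One Finding per password-based EAP network; problems is empty when it is pinned."""
    findings = []
    for net in parse_networks(conf):
        eap = net.get("eap", "").upper()
        if eap not in PASSWORD_EAP:
            continue                                  # EAP-TLS etc. send no password
        finding = Finding(net.get("ssid", "?"), eap)
        if not (net.get("ca_cert") or net.get("ca_path")):
            finding.problems.append("no ca_cert/ca_path: any server certificate is accepted")
        if not any(k in net for k in SERVER_NAME_KEYS):
            finding.problems.append("no domain/subject match: any certificate from a trusted CA is accepted")
        findings.append(finding)
    return findings


# Constructed sample: a weak PEAP profile, a hardened one, and an EAP-TLS profile.
SAMPLE_CONF = """
network={
    ssid="campus-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="u0123456"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="u0123456"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"   # private CA, not the system bundle
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="u0123456@example.edu"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    client_cert="/etc/wpa/u0123456.crt"
    private_key="/etc/wpa/u0123456.key"
    domain_suffix_match="radius.example.edu"
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"{f.ssid} ({f.eap}): {'OK' if not f.problems else '; '.join(f.problems)}")
```

The two checks are deliberately both required: a CA file pointing at the system bundle plus no name match still lets any publicly issued certificate through, and a name match without a CA is meaningless. Onboarding tools of the kind the thread mentions exist largely to get both settings onto devices that users would otherwise leave blank.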
Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Curtis K. Larsen
I guess it boils down to an attacker being less likely to setup a fake AP/evil 
twin on the property of an institution that does not support PEAP vs. one that 
does.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <hf0...@uah.edu>
Sent: Friday, April 28, 2017 8:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

I'm still not sure I follow.

It sounds like, in your current config, you have your constituents use EAP-TLS, 
and cannot use PEAP. Meanwhile your visitors use whatever their home 
institution offers.

If you ran with only the eduroam ESSID, you could run with the same config. 
Your constituents are unable to use PEAP, and must use EAP-TLS home and abroad. 
At the same time, your visitors continue to use whatever their home institution 
offers. This is a viable config.

I understand keeping two ESSIDs for branding though of course. We were lucky as 
we didn't have branded ESSIDs before eduroam either. So it was no loss to move 
to eduroam.

On Fri, Apr 28, 2017 at 09:41 Curtis K. Larsen 
<curtis.k.lar...@utah.edu> wrote:
My point is not that eduroam mandates a given EAP type.  My point is that if a 
given EAP type presents a vulnerability to users that will come into my 
institution's property but I allow it anyway so that another institution's 
configuration will be compatible - then I have surrendered a better security 
stance to facilitate that compatibility.  This is because the SSID is the same.

On the other hand, if I have a unique university SSID - I can easily choose the 
EAP type and thus mitigate the vulnerability more fully - this is now easy to 
do with various onboarding tools.  With HS 2.0 the roaming agreements can still 
be in place and we don't care about the SSID.  To me that sounds like the best 
of both worlds.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Cappalli, Tim (Aruba Security) 
<t...@hpe.com>
Sent: Friday, April 28, 2017 3:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Can you elaborate on this comment?

“whereas with eduroam we were kind of locked-in to the PEAP model.”

Eduroam is EAP agnostic.




On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:

We also use eduroam and a university SSID and one benefit I've seen is that 
when our CISO decided to deprecate PEAP due to the "fake AP/MITM - exposed 
password" issue and favor EAP-TLS - we could easily control our own destiny 
with our own SSID whereas with eduroam we were kind of locked-in to the PEAP 
model.  Lesser security will often result when universal compatibility is the 
goal.  I mean we could force our own users to use EAP-TLS at home and abroad 
but in my opinion we could not truly say that we've done everything possible to 
mitigate the PEAP vulnerability while still propping up a PEAP SSID org-wide 
even if PEAP only ends up being used by visitors.

We currently offer long-term EAP-TLS connections on our university SSID to 
any guest willing to provide an SMS number (Cloudpath Feature).  It turns out 
that the SMS-capable phone carrying population is much larger than those with 
eduroam credentials so far, and phone numbers are possibly more valuable to 
administrators than AD credentials of participating institutions in resolving 
issues.  In my opinion, as onboarding solutions mature the SSID becomes less 
important, and who knows maybe with Hotspot 2.0 completely irrelevant?  
Something to consider at least when making that decision anyway.

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313

___
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Les Ridgley 
<les.ridg...@newcastle.edu.au>
Sent: Thursday, April 27, 2017 10:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

We retained both the eduroam SSID and the university one for the reasons of 
branding and more importantly f

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Curtis K. Larsen
My point is not that eduroam mandates a given EAP type.  My point is that if a 
given EAP type presents a vulnerability to users that will come into my 
institution's property but I allow it anyway so that another institution's 
configuration will be compatible - then I have surrendered a better security 
stance to facilitate that compatibility.  This is because the SSID is the same.

On the other hand, if I have a unique university SSID - I can easily choose the 
EAP type and thus mitigate the vulnerability more fully - this is now easy to 
do with various onboarding tools.  With HS 2.0 the roaming agreements can still 
be in place and we don't care about the SSID.  To me that sounds like the best 
of both worlds.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Cappalli, Tim (Aruba 
Security) <t...@hpe.com>
Sent: Friday, April 28, 2017 3:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Can you elaborate on this comment?

“whereas with eduroam we were kind of locked-in to the PEAP model.”

Eduroam is EAP agnostic.




On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:

We also use eduroam and a university SSID and one benefit I've seen is that 
when our CISO decided to deprecate PEAP due to the "fake AP/MITM - exposed 
password" issue and favor EAP-TLS - we could easily control our own destiny 
with our own SSID whereas with eduroam we were kind of locked-in to the PEAP 
model.  Lesser security will often result when universal compatibility is the 
goal.  I mean we could force our own users to use EAP-TLS at home and abroad 
but in my opinion we could not truly say that we've done everything possible to 
mitigate the PEAP vulnerability while still propping up a PEAP SSID org-wide 
even if PEAP only ends up being used by visitors.

We currently offer long-term EAP-TLS connections on our university SSID to 
any guest willing to provide an SMS number (Cloudpath Feature).  It turns out 
that the SMS-capable phone carrying population is much larger than those with 
eduroam credentials so far, and phone numbers are possibly more valuable to 
administrators than AD credentials of participating institutions in resolving 
issues.  In my opinion, as onboarding solutions mature the SSID becomes less 
important, and who knows maybe with Hotspot 2.0 completely irrelevant?  
Something to consider at least when making that decision anyway.

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313

___
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Les Ridgley 
<les.ridg...@newcastle.edu.au>
Sent: Thursday, April 27, 2017 10:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

We retained both the eduroam SSID and the university one for the reasons of 
branding and more importantly for us, to ensure that our users on a site that 
has multiple institutions broadcasting the eduroam SSID we could guarantee 
connection to our network by using the university SSID.

Had we only broadcast the eduroam SSID there was the possibility that the 
user could unknowingly connect to another institution's eduroam SSID and then 
not have the same access to system resources that they would experience had 
they connected to our SSID.

We have not experienced significant support difficulties and allow the 
users to use either SSID at their own discretion.

HTH,
Les.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, 28 April 2017 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)


A related question came up today when discussing whether or not to get rid 
of our branded SSID or not once eduroam is up and running on our network.  
Specifically:

For those who decided to keep both the branded and eduroam SSID's (and 
assuming they are identical in terms of access for your institutional users) -- 
have there been any issues in doing so?  For example, does it cause confusion 
to users or doesn't it matter to them?  Any support issues either with the 
people directly supporting the users and/or managing the wireless network?  If 
you decided to keep both .. do you regret this decision or are you 
happy/neutral with it?

Conversely, if you DID decide to go with only the eduroam SSID, has anyone 
regretted this decision?

We're j

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-27 Thread Curtis K. Larsen
We also use eduroam and a university SSID and one benefit I've seen is that 
when our CISO decided to deprecate PEAP due to the "fake AP/MITM - exposed 
password" issue and favor EAP-TLS - we could easily control our own destiny 
with our own SSID whereas with eduroam we were kind of locked-in to the PEAP 
model.  Lesser security will often result when universal compatibility is the 
goal.  I mean we could force our own users to use EAP-TLS at home and abroad 
but in my opinion we could not truly say that we've done everything possible to 
mitigate the PEAP vulnerability while still propping up a PEAP SSID org-wide 
even if PEAP only ends up being used by visitors.

We currently offer long-term EAP-TLS connections on our university SSID to any 
guest willing to provide an SMS number (Cloudpath Feature).  It turns out that 
the SMS-capable phone carrying population is much larger than those with 
eduroam credentials so far, and phone numbers are possibly more valuable to 
administrators than AD credentials of participating institutions in resolving 
issues.  In my opinion, as onboarding solutions mature the SSID becomes less 
important, and who knows maybe with Hotspot 2.0 completely irrelevant?  
Something to consider at least when making that decision anyway.

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313

___
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Les Ridgley 
<les.ridg...@newcastle.edu.au>
Sent: Thursday, April 27, 2017 10:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

We retained both the eduroam SSID and the university one for the reasons of 
branding and more importantly for us, to ensure that our users on a site that 
has multiple institutions broadcasting the eduroam SSID we could guarantee 
connection to our network by using the university SSID.

Had we only broadcast the eduroam SSID there was the possibility that the user 
could unknowingly connect to another institution's eduroam SSID and then not 
have the same access to system resources that they would experience had they 
connected to our SSID.

We have not experienced significant support difficulties and allow the users to 
use either SSID at their own discretion.

HTH,
Les.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, 28 April 2017 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)


A related question came up today when discussing whether or not to get rid of 
our branded SSID or not once eduroam is up and running on our network.  
Specifically:

For those who decided to keep both the branded and eduroam SSID's (and assuming 
they are identical in terms of access for your institutional users) -- have 
there been any issues in doing so?  For example, does it cause confusion to 
users or doesn't it matter to them?  Any support issues either with the people 
directly supporting the users and/or managing the wireless network?  If you 
decided to keep both .. do you regret this decision or are you happy/neutral 
with it?

Conversely, if you DID decide to go with only the eduroam SSID, has anyone 
regretted this decision?

We're just trying to get a fuller understanding before we decide to remove the 
branded SSID.  We do think that's what people will look for .. especially those 
not familiar with eduroam.

Thanks!

-Brian



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Brian Helman 
[bhel...@salemstate.edu]
Sent: Tuesday, April 25, 2017 1:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
Ahh, I see.  They are separate networks.  We are using a NAC to place users in 
their proper vlan, so there’s no differentiation between our current university 
ssid and eduroam.

By the way, I keep writing “EDUROAM”.  I know it’s “eduroam” .. it’s just habit 
from typing “EDUCAUSE”.

Thanks!

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Heartlein
Sent: Tuesday, April 25, 2017 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello Brian.  SLU-users has more direct access to internal services like file 
and print services that we didn't want to provide to eduroam users.  If we were 
ever to lock down SLU-users more to require VPN access to all internal 
resources, I think we'd recommend re-evaluating our SSIDs.

On Mon, Apr 24, 2017 at 8:14 AM, Brian Helman 
<bhel...@salemstate.edu> wrote:
John,

Do

Skype For Business With Cisco WLAN ?

2017-03-16 Thread Curtis K. Larsen
Hi All,

Wondering if any have successfully optimized their Cisco WLAN for Skype for 
Business and are willing to share tips on or off list.  I found this guide 
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/Lync_SDN/b_Lync-Client-Server-in-Cisco-Wireless-LAN.html
 but was hoping for a shortcut haha.

Thanks,

Curtis



Re: Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Curtis K. Larsen
Ditto.  But technically we use PacketFence which uses FreeRADIUS under the 
hood.  We had the same realm stripping problem with ISE 2-3 yrs. ago.  We use 
realm stripping internally as well as when proxying externally.  I understand 
the external realm stripping was fixed long ago.  Not sure if internal realm 
stripping is still an issue.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Dennis Xu <d...@uoguelph.ca>
Sent: Wednesday, November 16, 2016 10:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

We have migrated our ACS servers to FreeRADIUS with success. We looked into NPS 
and the roadblock was the realm suffix stripping. We need to strip username 
d...@uoguelph.ca to just 'dxu' before authenticating with Active Directory. NPS 
only strips the outer PEAP identity but not inner identity.  Also NPS can strip 
the realm when it is running as proxy but not in local processing mode. See 
following discussion for more detail. We were seeing the exact same behavior:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e73183d4-7b2f-48a7-9246-97ed711e8e8d/eappeapmschapv2-realm-stripping?forum=winserverNAP


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<lhbad...@syr.edu>
Sent: Wednesday, November 16, 2016 9:40:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN’s 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We’re weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more “feature rich”. For 
major vendors, RADIUS is just a slice of NAC now, and since everybody “is a 
software company!” licensing can be ugly. I’m not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can’t help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn’t 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu




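Dennis's realm-stripping problem and Curtis's "internally as well as when proxying" comment describe the same piece of logic: the outer User-Name decides whether a request is handled locally or forwarded, while the inner identity (visible only after the PEAP/TTLS tunnel is up) is what gets stripped and looked up in the directory. The following is an added example of that decision table in plain Python, not FreeRADIUS, PacketFence or NPS code; LOCAL_REALMS, the proxy name and the identities are constructed placeholders. It also includes the check that the inner realm agrees with the outer one, which a realm router should enforce so a client cannot tunnel one institution's credentials behind another institution's outer identity.

```python
"""Realm routing and stripping in front of an 802.1X RADIUS server.  Added
example of the behaviour discussed in the thread, not FreeRADIUS, PacketFence
or NPS code; LOCAL_REALMS, EDUROAM_PROXY and the identities are constructed."""
from __future__ import annotations
from dataclasses import dataclass

LOCAL_REALMS = {"uoguelph.ca"}   # realms authenticated against our own directory
EDUROAM_PROXY = "eduroam-flr"    # next hop for every other realm


@dataclass(frozen=True)
class Decision:
    action: str     # "local", "proxy" or "reject"
    detail: str     # directory account for local, next hop for proxy, reason for reject


def split_realm(identity: str) -> tuple[str, str | None]:
    """'dxu@uoguelph.ca' -> ('dxu', 'uoguelph.ca'); 'dxu' -> ('dxu', None).
    Only the last '@' separates the realm (RFC 7542 NAI); realms are case-insensitive."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def route(outer_identity: str, inner_identity: str | None = None) -> Decision:
    """outer_identity is the RADIUS User-Name seen outside the TLS tunnel.
    inner_identity is the name the client sends inside PEAP/TTLS, or None before
    the tunnel exists.  The realm is stripped only from the inner identity and
    only for realms served here; a visitor's NAI is forwarded untouched because
    the home institution needs the realm to route it further."""
    _, outer_realm = split_realm(outer_identity)
    if outer_realm is not None and outer_realm not in LOCAL_REALMS:
        return Decision("proxy", EDUROAM_PROXY)
    if inner_identity is None:
        return Decision("reject", "inner identity not available yet")
    inner_user, inner_realm = split_realm(inner_identity)
    if inner_realm is not None and inner_realm not in LOCAL_REALMS:
        return Decision("reject", f"inner realm {inner_realm} is not served here")
    if outer_realm is not None and inner_realm is not None and inner_realm != outer_realm:
        return Decision("reject", "inner and outer realms differ")
    if not inner_user:
        return Decision("reject", "empty user part")
    # Realm stripped: this is what goes to the directory (e.g. the sAMAccountName).
    return Decision("local", inner_user)


if __name__ == "__main__":
    for outer, inner in [("anonymous@uoguelph.ca", "dxu@uoguelph.ca"),
                         ("dxu@UOGUELPH.CA", "dxu"),
                         ("anonymous@utah.edu", None),
                         ("anonymous@uoguelph.ca", "bob@utah.edu")]:
        print(outer, inner, "->", route(outer, inner))
```

The NPS limitation Dennis hit maps onto the last branch: stripping the outer identity achieves nothing, because the outer name is usually "anonymous@realm" and the directory lookup is done on the inner one.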

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-04 Thread Curtis K. Larsen
RELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Ryan,

No doubt we’re seeing better support, my question about PPSK was just 
that… a question. I’m looking at options going forward to solve the ongoing 
divide between the devices that do and do not support these advanced methods. 
For students (which is my focus), the advantages/disadvantages between the 
options don’t matter when their devices have to be dealt with differently.

On face value, PPSK appears to solve the problem for the user, removing 
barriers at the college that don’t exist at their home. While I agree that TLS 
configuration isn’t difficult, it’s still far harder than just entering a PPSK, 
and not everything supports TLS. We’ve been wishing for better support from 
device makers for a decade, and each year we take a few steps forward, and then 
a few backward.

Our vendor is rumored to be adding enterprise-scalable PPSK support 
early next year, so I was really curious to know if others had this option, 
would it influence the deployment of TLS. Right or wrong, it’s influenced mine, 
so I wasn’t sure if I was an outlier or were others of the same mindset.

Jeff

On 11/2/16, 3:49 PM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Turner, Ryan H" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on 
behalf of rhtur...@email.unc.edu> wrote:

Jeff,

I think that actually advanced EAP methods have turned the corner.  
Manufacturers are making onboarding easier.  I think you are under the 
impression that configuring a device for certificates is a big process. It 
takes most people less than 5 minutes, and they do this once a year.

Just in our area, UNC and NC State, representing over 60,000 
students are TLS.  Duke is moving that way.

I haven't spoken to anyone recently even remotely considering PPSK. 
 I've heard plenty starting to explore TLS.

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:
>
> I think the distinction between enterprise and residential 
blurred with the advent of SaaS and the cloud. No longer did an employee need 
to be “at the office” to enter their hours worked in the time and attendance 
system, or as an administrator, you no longer had to run the accounting 
application from your office computer. It’s difficult for me to name anything 
we’re doing here now that isn’t some form of web-based SaaS model, where the 
expectation is that an employee (barring overtime rules) can access these 
systems from any location. If an employee can access these systems from 
Starbucks for the 16 hours a day they aren’t at work, what’s the point of 
WPA2-ent for the other 8?
>
> I’m of the mindset that WPA2-Enterprise may in fact be an 
endangered species. I think most will come to accept that something like PPSK 
is “good enough”. Users don’t want significant barriers to getting access to 
what they need, and once those barriers reach a certain level, the user will 
absolutely find alternatives i.e. I’ve visited many colleges where it was 
easier to use my MiFi hotspot than to be forced through a cumbersome on-boarding 
system where there are restrictions be it on services available or data rates.
>
> Taken to the extreme. At the point you no longer have a local 
data center and everything is SaaS, can an argument for WPA2-ent still be made?
>
> Jeff
>
> On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent 
Group Listserv on behalf of Curtis K. Larsen" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> 
wrote:
>
>Well, I think users in general expect that when they connect 
to the "Secure" wireless network - it is both encrypted, and they are not being 
impersonated.  If not, maybe you could allow them to opt-out after accepting 
the risk.  Often these are the same credentials that staff use to login and set 
the direct deposit for their paycheck, credentials faculty use to post grades, 
and students use to add/drop classes.  The business could also opt-out if they 
are willing to accept the risk.  But as the Enterprise Wireless Engineer you 
should at least make everyone aware that with PPSK there are still risks.  
Also, I just think one of these standards was intended to be mostly for 
residential purposes and the other for mostly enterprise purposes.  When you 
look at federated authentication as in eduroam or hotspot 2.0, etc. WPA2-Ent. 
just seems to fit better long-term.  I

Re: Certificate Expiration and IoT (Door Locks)

2016-11-02 Thread Curtis K. Larsen
We crossed this bridge already but the quantity of door locks was a lot lower.  
We issued 5 yr certs to the locks and told the dept. that they (or their 
vendor) need to update/patch firmware on devices at least that often so they 
can update the cert at the same time.  Our server cert will expire before then 
(not part of the chain) but the CA cert (part of the chain) will be valid for 
at least 10 years beyond that.  So, as long as the FQDN and CN remain the same 
for the server cert then there is no problem.  We used our existing 1x SSID, 
but a different VLAN and associated security policy.  We used Cloudpath and 
deployed EAP-TLS certs for these - it's not hard.

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Johnson, Neil M 
<neil-john...@uiowa.edu>
Sent: Wednesday, November 2, 2016 9:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks)

Our housing department is pushing pretty hard to replace keyed locks on dorm 
room doors with Wi-Fi connected proximity card locks (a pilot this summer and 
then eventually rolling out to ~3,000 rooms).

The locks would be “offline” locks that cache valid cards locally and only 
connect to the Wi-Fi network periodically for updates and when presented with a 
non-cached card.

While the locks support multiple methods for authenticating to the wireless 
network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS is 
probably the most secure method for these devices.

My thinking is to setup a private PKI and generate a client cert for every 
lock. However, I have two issues concerning EAP-TLS.


1.   What should I use for a client certificate expiration date?
Our key and access folks don’t want to update the locks client certs very 
often. (They will have to touch each lock on a regular basis to replace 
batteries, but don’t want to have to connect a computer to the locks every 
year).
The same question applies for the server certificate expiration.


2.   Should I advertise a separate SSID?
We currently use eduroam as our primary campus SSID.  I would prefer not to 
have to add an additional SSID just for these devices, but their use case seems 
different enough to warrant one.

If your institution has implemented or thinking about implementing Wi-Fi 
connected locks, I’d appreciate your feedback.

Thanks.
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319-384-0938
e-mail: neil-john...@uiowa.edu


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Curtis K. Larsen
Today disk encryption is built-in and enabled by default for my smartphone 
without me doing a thing.  One day I believe I'll un-box a smartphone that 
already has a certificate probably provided by my carrier that allows me to 
seamlessly roam (because of some already established peering agreement) to my 
WPA2-Ent. University WLAN.  I won't think about Wi-Fi roaming any more, then, 
than I think about cellular roaming today.  PPSK will likely still require 
onboarding.  In the meantime, ANYROAM, and eduroam are getting us close.  You 
might be surprised how many guest users are already choosing encryption when 
given the choice at a simple captive portal.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
<j...@scrippscollege.edu>
Sent: Tuesday, November 1, 2016 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

I think the distinction between enterprise and residential blurred with the 
advent of SaaS and the cloud. No longer did an employee need to be “at the 
office” to enter their hours worked in the time and attendance system, or as an 
administrator, you no longer had to run the accounting application from your 
office computer. It’s difficult for me to name anything we’re doing here now 
that isn’t some form of web-based SaaS model, where the expectation is that an 
employee (barring overtime rules) can access these systems from any location. If 
an employee can access these systems from Starbucks for the 16 hours a day they 
aren’t at work, what’s the point of WPA2-ent for the other 8?

I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. I 
think most will come to accept that something like PPSK is “good enough”. Users 
don’t want significant barriers to getting access to what they need, and once 
those barriers reach a certain level, the user will absolutely find 
alternatives i.e. I’ve visited many colleges where it was easier to use my MiFi 
hotspot than to be forced through a cumbersome on-boarding system where there are 
restrictions be it on services available or data rates.

Taken to the extreme. At the point you no longer have a local data center and 
everything is SaaS, can an argument for WPA2-ent still be made?

Jeff

On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:

Well, I think users in general expect that when they connect to the 
"Secure" wireless network - it is both encrypted, and they are not being 
impersonated.  If not, maybe you could allow them to opt-out after accepting 
the risk.  Often these are the same credentials that staff use to login and set 
the direct deposit for their paycheck, credentials faculty use to post grades, 
and students use to add/drop classes.  The business could also opt-out if they 
are willing to accept the risk.  But as the Enterprise Wireless Engineer you 
should at least make everyone aware that with PPSK there are still risks.  
Also, I just think one of these standards was intended to be mostly for 
residential purposes and the other for mostly enterprise purposes.  When you 
look at federated authentication as in eduroam or hotspot 2.0, etc. WPA2-Ent. 
just seems to fit better long-term.  In short, I think the difficult/expensive 
parts of PKI/EAP-TLS have recently become a lot easier and I think they'll 
continue to do so.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
Sent: Tuesday, November 1, 2016 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

"If we can agree that most applications today (including ones that involve
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
them from any location including at home on a PSK protected SSID (or
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
the campus actually result in reduced risk?  Is there cost justification for
the infrastructure (staff, hardware, software) necessary to implement
EAP-TLS (or alternatives)?"

Where's the like button?  FWIW, I still like enterprise encryption and
authentication for keeping people off of my network.  It's nevertheless
useful to remind ourselves of precisely what the value is, and it's not
protecting the data.

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 01, 2016 4:41 P

Re: TLS Onboarding Vendors

2016-11-01 Thread Curtis K. Larsen
Well, I think users in general expect that when they connect to the "Secure" 
wireless network - it is both encrypted, and they are not being impersonated.  
If not, maybe you could allow them to opt-out after accepting the risk.  Often 
these are the same credentials that staff use to login and set the direct 
deposit for their paycheck, credentials faculty use to post grades, and 
students use to add/drop classes.  The business could also opt-out if they are 
willing to accept the risk.  But as the Enterprise Wireless Engineer you should 
at least make everyone aware that with PPSK there are still risks.  Also, I 
just think one of these standards was intended to be mostly for residential 
purposes and the other for mostly enterprise purposes.  When you look at 
federated authentication as in eduroam or hotspot 2.0, etc. WPA2-Ent. just 
seems to fit better long-term.  In short, I think the difficult/expensive parts 
of PKI/EAP-TLS have recently become a lot easier and I think they'll continue 
to do so.

-Curtis
 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Enfield <chu...@psu.edu>
Sent: Tuesday, November 1, 2016 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

"If we can agree that most applications today (including ones that involve
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
them from any location including at home on a PSK protected SSID (or
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
the campus actually result in reduced risk?  Is there cost justification for
the infrastructure (staff, hardware, software) necessary to implement
EAP-TLS (or alternatives)?"

Where's the like button?  FWIW, I still like enterprise encryption and
authentication for keeping people off of my network.  It's nevertheless
useful to remind ourselves of precisely what the value is, and it's not
protecting the data.

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, November 01, 2016 4:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Curtis,

If we can agree that most applications today (including ones that involve
FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
them from any location including at home on a PSK protected SSID (or
cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
the campus actually result in reduced risk?  Is there cost justification for
the infrastructure (staff, hardware, software) necessary to implement
EAP-TLS (or alternatives)?

Our Admissions process starts with getting Common App (filled out by
student/parents at home on a website and includes a lot of sensitive info),
that data feeds into Slate (another cloud-based Admissions package), then
feeds into financial-aid and the SiS (again web-based for the users). The
bulk of the PII/FERPA items have then been collected outside of the college
environment, from connections that may have Starbucks level of protection. I’m
trying to see the justification of WPA2-Ent, but it’s a hard sell – sure, I
know there can be advantages, but are they necessary and/or justified? Is
PPSK good enough for everyone? Is it good enough for students and their
devices?

Jeff

On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group
Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
on behalf of curtis.k.lar...@utah.edu> wrote:

I personally would *not* prefer PPSK for devices that are WPA2-Ent.
(EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for
devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be
anxious to use it there when our vendor delivers ...but the same
vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute
forcing).  So, for IoT in student housing (game consoles, and roku devices
that only do PSK) maybe PPSK is the appropriate new level of security
because sensitive data is unlikely, but for the most common devices (Phone,
Laptop, Tablet, etc.) where users are more likely to access and transmit
FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From
what I can tell it is probably easier to implement EAP-TLS than PPSK amongst
the fully-managed portion of that device class anyway (thinking GPO here).
In my ideal world I would have 3 SSIDs: one Guest SSID unencrypted, one
PPSK SSID that accommodates all of the non-dot1x capable devices that are
not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional
Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then someday in the
future Hotspot 2.0/802.11u would convert many of t

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Curtis K. Larsen
I personally would *not* prefer PPSK for devices that are WPA2-Ent. (EAP-TLS) 
capable.  PPSK has a nice niche in the IoT device category for devices that do 
not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be anxious to use it 
there when our vendor delivers ...but the same vulnerabilities around a regular 
WPA2-PSK are still there (de-auths, brute forcing).  So, for IoT in student 
housing (game consoles, and roku devices that only do PSK) maybe PPSK is the 
appropriate new level of security because sensitive data is unlikely, but for 
the most common devices (Phone, Laptop, Tablet, etc.) where users are more 
likely to access and transmit FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS 
seems more appropriate.  From what I can tell it is probably easier to 
implement EAP-TLS than PPSK amongst the fully-managed portion of that device 
class anyway (thinking GPO here).  In my ideal world I would have 3 SSIDs: one 
Guest SSID unencrypted, one PPSK SSID that accommodates all of the non-dot1x 
capable devices that are not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID 
for traditional Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then 
someday in the future Hotspot 2.0/802.11u would convert many of the 
un-encrypted guests over to encrypted without any captive portal interaction.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel 
<jcoeho...@york.edu>
Sent: Tuesday, November 1, 2016 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

> If those using or considering TLS had the option of PPSK (personal pre-shared 
> key), would you opt for PPSK instead?

Definitely. I think it's a much more user-friendly option, while providing 
similar control and security as TLS.






Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:
Just curious. If those using or considering TLS had the option of PPSK 
(personal pre-shared key), would you opt for PPSK instead?

Jeff

On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
board...@syr.edu> wrote:

We are using Cloud Path for onboarding, but we are considering other 
options if and when we go to EAP TLS. We may get it baked in if we use ISE or 
Clear Pass but I am considering other standalone options as well. Anybody have 
experience or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype board...@syr.edu



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-10-31 Thread Curtis K. Larsen
We're pleased with the Cloudpath onboarding experience for EAP-TLS for the 
traditional supported platforms including iOS, Android, Windows, OSX, ChromeOS 
and Linux.  One pleasant surprise was that we were able to delegate onboarding 
of several IoT devices with non-traditional operating systems to various IT 
staff.  I'm not sure this work would be off-loaded so easily with other 
well-known solutions.  I understand PacketFence also may be doing EAP-TLS 
onboarding now too and I haven't tried that but we've been happy with them for 
other RADIUS services in general.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Eric Brewer 
<ebre...@smith.edu>
Sent: Monday, October 31, 2016 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors

Even though we DO use Clearpass, we're using Cloudpath for onboarding to EAP 
TLS.  We like the Cloudpath user experience and ease of 
configuration/troubleshooting.

- Eric

On Mon, Oct 31, 2016 at 12:27 PM, Bruce Boardman 
<board...@syr.edu> wrote:
We are using Cloud Path for onboarding, but we are considering other options if 
and when we go to EAP TLS. We may get it baked in if we use ISE or Clear Pass 
but I am considering other standalone options as well. Anybody have experience 
or thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype board...@syr.edu



Re: Captive portal trouble with LG phones

2016-10-11 Thread Curtis K. Larsen
We use PacketFence on our captive portal and I have not seen this issue or any 
reports of it.  Let me know if you have more detail on this - I'll keep an eye 
out for it.

Thanks,


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS
Office 801-587-1313





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Thomas Carter 
<tcar...@austincollege.edu>
Sent: Monday, October 10, 2016 1:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Captive portal trouble with LG phones

We use PacketFence as our NAC and have a captive portal to allow users to 
self-register their devices. In the past couple of weeks we’ve had problems 
with the latest LG phones (other Androids work fine) disconnecting in the 
middle of a captive portal session; it won’t stay connected long enough to 
register the device. It seems similar to the old Apple “success.html” test for 
internet connectivity, but I haven’t been able to determine if that is the 
case. Has anyone else seen this issue with new LG phones?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu




Re: 802.1x certificate authentication

2016-09-21 Thread Curtis K. Larsen
The Android experience is still good in my opinion, just weaker than iOS when 
you incorporate the Play Store.  (I think ISE links to the Play Store too).  
Luckily, Cloudpath has the option of directly downloading the certs instead of 
requiring the app from the Play Store.  Of course, a profile based option (What 
Google does with ChromeOS) negates the need for any link to the Play Store.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Wednesday, September 21, 2016 10:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x certificate authentication

Android is definitely 'the' problem.  In our stats, you can see that they are 
only 10% of the clients we onboard, but are closer to 90% of the trouble 
tickets.  We were a Cloudpath customer and made the switch to SecureW2 (the 
android experience was a big reason).

Ryan

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Wednesday, September 21, 2016 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x certificate authentication

We've been offering EAP-TLS for about 2 years.  It's been the only supported 
option for BYOD for just over a year.  Personally, I think the user experience 
is pretty good across all devices (Android is weaker but still not bad).  I've 
heard rumblings that Android might be changing to a profile method more similar 
to ChromeOS ...so that would probably improve things.  Our stats are eerily 
similar to Ryan's but we use the Cloudpath Enrollment System, and we have not 
disabled PEAP yet.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Wednesday, September 21, 2016 7:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x certificate authentication

We are a very experienced shop with TLS.  We've been using certificates for 4 
years.  We now use the SecureW2 onboarding platform to perform the operation, 
and we have been VERY happy with the results.  Attached below are our statistics 
for onboarding from the Fall of 2015 to today.  I would be happy to help you 
out.  My contact information is below.  In short, we've onboarded over 160,000 
devices in the last two years (over 300k in 4).

[image attachment: onboarding statistics]


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Muraca, Peppino P.
Sent: Wednesday, September 21, 2016 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x certificate authentication

Hello all, I was wondering whether anyone is using 802.1x cert auth for all 
wireless devices, and if you are, what is the experience with student devices?

We are currently 802.1x username/password, and have been thinking about going 
the cert route. I feel the cert auth is still a painful experience for BYOD 
devices.

Thank you
Pino

Peppino Muraca
Sr. Network Administrator
Stonehill College
508-565-1193
pmur...@stonehill.edu
  (OO=[][]=OO)




Re: 802.1x certificate authentication

2016-09-21 Thread Curtis K. Larsen
We've been offering EAP-TLS for about 2 years.  It's been the only supported 
option for BYOD for just over a year.  Personally, I think the user experience 
is pretty good across all devices (Android is weaker but still not bad).  I've 
heard rumblings that Android might be changing to a profile method more similar 
to ChromeOS ...so that would probably improve things.  Our stats are eerily 
similar to Ryan's but we use the Cloudpath Enrollment System, and we have not 
disabled PEAP yet.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Wednesday, September 21, 2016 7:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x certificate authentication

We are a very experienced shop with TLS.  We’ve been using certificates for 4 
years.  We now use the SecureW2 onboarding platform to perform the operation, 
and we have been VERY happy with the results.  Attached below are our statistics 
for onboarding from the Fall of 2015 to today.  I would be happy to help you 
out.  My contact information is below.  In short, we’ve onboarded over 160,000 
devices in the last two years (over 300k in 4).

[image attachment: onboarding statistics]


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Muraca, Peppino P.
Sent: Wednesday, September 21, 2016 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x certificate authentication

Hello all, I was wondering whether anyone is using 802.1x cert auth for all 
wireless devices, and if you are, what is the experience with student devices?

We are currently 802.1x username/password, and have been thinking about going 
the cert route. I feel the cert auth is still a painful experience for BYOD 
devices.

Thank you
Pino

Peppino Muraca
Sr. Network Administrator
Stonehill College
508-565-1193
pmur...@stonehill.edu
  (OO=[][]=OO)





Re: [WIRELESS-LAN] FreeRADIUS server scaling for 802.1x

2016-07-22 Thread Curtis K. Larsen
Yes we do.

-Curtis


On Fri, July 22, 2016 8:20 am, Frans Panken wrote:
> Hi Curtis, Eriks,
>
> A bit off-topic but I plucked up the courage to ask you anyway: do you
> also use this solution to place clients who misbehave (or likely have
> viruses, malware) in quarantine?
>
> -Frans
>
>
> Op 19/07/16 om 17:09 schreef Curtis K. Larsen:
>> Nice slides.  This is pretty similar to what we do.  We're also using 
>> PacketFence/FreeRADIUS.  The graphing of the authentications is key to 
>> understanding/scaling things in my opinion.
>>
>>
>> Thanks,
>>
>> Curtis
>>
>>
>> On Tue, July 19, 2016 8:46 am, Eriks Rugelis wrote:
>>> David,
>>> For what it is worth, here is a presentation on scaling of Wi-Fi 
>>> authentication which we created for this year's CANHEIT conference.
>>>
>>> https://canheit-hpcs2016.exordo.com/files/papers/145/presentation_files/1/CANHEIT2016_AuthBigWiFi.pptx
>>>
>>> We use Packetfence, which uses FreeRADIUS under the covers but adds a layer 
>>> of context switching which you wouldn't otherwise have if using only 
>>> FreeRADIUS by itself.
>>>
>>> Feel free to ask questions, either on the list or directly via email.
>>> ---
>>> Eriks Rugelis
>>> Manager, Network Development, University Information Technology
>>> York University, Toronto
>>>



Re: [WIRELESS-LAN] FreeRADIUS server scaling for 802.1x

2016-07-19 Thread Curtis K. Larsen
Nice slides.  This is pretty similar to what we do.  We're also using 
PacketFence/FreeRADIUS.  The graphing of the authentications is key to 
understanding/scaling things in my opinion.


Thanks,

Curtis


On Tue, July 19, 2016 8:46 am, Eriks Rugelis wrote:
> David,
> For what it is worth, here is a presentation on scaling of Wi-Fi 
> authentication which we created for this year's CANHEIT conference.
>
> https://canheit-hpcs2016.exordo.com/files/papers/145/presentation_files/1/CANHEIT2016_AuthBigWiFi.pptx
>
> We use Packetfence, which uses FreeRADIUS under the covers but adds a layer 
> of context switching which you wouldn't otherwise have if using only 
> FreeRADIUS by itself.
>
> Feel free to ask questions, either on the list or directly via email.
> ---
> Eriks Rugelis
> Manager, Network Development, University Information Technology
> York University, Toronto
>


Bulk export Cisco Prime maps with AP locations?

2016-07-11 Thread Curtis K. Larsen
Hello,

Wondering if anyone has discovered a good way to bulk export Cisco Prime floor 
plans including AP locations?  I know you can export the maps with XML and 
re-import into another instance of Prime, but in this case we just want to 
export for viewing outside Cisco Prime.  Really we're just looking for a decent 
alternative to taking screen shots floor by floor of 220 buildings.  A REST API 
maybe, or some direct database dump script?  I'm hoping someone has already 
blazed this trail for me.  Let me know.

Thanks,

-- 
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



Re: [WIRELESS-LAN] RADIUS Servers Load Balancing

2016-07-06 Thread Curtis K. Larsen
We have 10 back-end FreeRADIUS VM's (5 in each data center) and two front-end 
FreeRADIUS load balancers (1 in each DC).  We've used this config successfully 
for about 6 years.  FreeRADIUS natively load balances quite well and we do it 
based on calling-station-id so it is sticky and balanced very evenly.  In fact, 
we tried at one point to use Netscalers and found that FreeRADIUS handled the 
health-checking aspects a little better and provided better visibility with 
graphs using graphite/tessera, radsniff, etc.  We normally do about 300 
requests/sec as well, but I've seen it as high as 1,000 the first two weeks of 
school.

We get commercial support from PacketFence/Inverse on this configuration.


Thanks,

-- 
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



On Wed, July 6, 2016 9:07 am, Joe Rogers wrote:
>
> We're running a cluster of 8 FreeRADIUS servers behind two pairs of
> Citrix Netscaler's in different data centers which inject two anycast-IP
> VIPs into our backbone routing tables.  This has worked very well in our
> environment for many years.  If a Netscaler fails or the member servers
> behind it fail, the route is simply withdrawn and traffic switches over
> to the other data center's Netscalers.  We made sure to keep sessions
> 'sticky' to a given server as long as everything is operating normally.
> We use the NAS IP addr for persistence.  It doesn't provide perfectly
> even load-balancing over the servers (some NAS' are busier than
> others).  But, it worked well enough for us.  The servers generally see
> around 300 requests/sec (auth and acct combined) during a normal semester.
>
> *Joe Rogers*
> Associate Director, Network Engineering
>
> University of South Florida – Information Technology
> 4202 E. Fowler Avenue, SVC4010, Tampa, FL, 33620
> j...@usf.edu | Tel: (813) 974-7369
> www.usf.edu/it | Facebook: /USF Information Technology | Twitter: @ USF_IT
>
> On 07/06/2016 09:16 AM, Dennis Xu wrote:
>> Hello,
>> Has anyone had success stories about deploying RADIUS servers behind
>> load balancers to support a large number of concurrent 802.1X users? We
>> just deployed 5 FreeRADIUS servers behind Cisco ACE and observed
>> packet drop issues at ACE. By far, I suspect the issue was caused by
>> the RADIUS stickiness (by calling-station-ID). Has anyone deployed
>> RADIUS load balancing without using stickiness?
>>
>> Thanks.
>>
>>
>> Dennis Xu, MASc, CCIE #13056
>> Analyst 3, Network Infrastructure
>> Computing and Communications Services (CCS)
>> University of Guelph
>>
>> 519-824-4120 Ext 56217
>> d...@uoguelph.ca
>> www.uoguelph.ca/ccs
>>
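To make the stickiness discussion above concrete, here is an added Python illustration (not FreeRADIUS code, and not anything posted in the thread) of a keyed load balancer: each request is pinned to a back-end by hashing a key attribute, either Calling-Station-Id (per client MAC, the Utah approach) or NAS-IP-Address (per controller, the USF approach), and a health check removes a dead server without reshuffling clients that were pinned elsewhere. The rendezvous-hashing scheme, the back-end hostnames and the sample requests are all constructed for the example.

```python
"""Keyed (sticky) RADIUS load balancing, illustrative only.

Pinning a client's whole EAP conversation to one back-end matters because
the EAP state lives on that server; if packets 3 and 4 of an exchange land
on a different server than packets 1 and 2, the authentication fails.
Rendezvous hashing gives stickiness *and* minimal disruption when a server
fails: only the keys that were on the failed server move.
"""
import hashlib
from collections import Counter

# Constructed back-end pool (hypothetical hostnames, not from the thread).
BACKENDS = ["radius-dc1-a", "radius-dc1-b", "radius-dc1-c",
            "radius-dc2-a", "radius-dc2-b", "radius-dc2-c"]


def _score(server, key):
    """Rendezvous (highest-random-weight) score for one server/key pair."""
    digest = hashlib.sha256(f"{server}\x00{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_backend(key, healthy):
    """Return the healthy server with the highest score for this key.

    Each server's score is independent of the others, so removing a failed
    server moves only the keys that were pinned to it; every other key keeps
    its server, which is what keeps in-flight EAP exchanges alive.
    """
    if not healthy:
        raise RuntimeError("no healthy RADIUS back-ends")
    return max(healthy, key=lambda s: _score(s, key))


def balance_key(request, mode):
    """Choose the attribute the pool is keyed on.

    'calling-station-id' pins each client MAC (fine-grained, even spread);
    'nas-ip' pins each controller/AP (coarse, uneven when NASes differ in load).
    """
    if mode == "calling-station-id":
        return request["Calling-Station-Id"].lower()   # normalise MAC case
    if mode == "nas-ip":
        return request["NAS-IP-Address"]
    raise ValueError(f"unknown balance mode {mode!r}")


def distribute(requests, mode, healthy):
    """Map each request to a back-end; returns Counter {backend: count}."""
    counts = Counter()
    for req in requests:
        counts[pick_backend(balance_key(req, mode), healthy)] += 1
    return counts


def make_requests(n_clients, n_nas):
    """Constructed sample: n_clients distinct MACs spread over n_nas NASes."""
    reqs = []
    for i in range(n_clients):
        mac = f"02-00-00-{(i >> 16) & 0xff:02x}-{(i >> 8) & 0xff:02x}-{i & 0xff:02x}"
        reqs.append({"Calling-Station-Id": mac.upper(),
                     "NAS-IP-Address": f"192.0.2.{i % n_nas + 1}"})
    return reqs


def moved_after_failure(requests, failed):
    """(clients that changed server, clients that were on the failed server).

    With rendezvous hashing these two numbers are equal: nobody else moves.
    """
    before = {r["Calling-Station-Id"]: pick_backend(balance_key(r, "calling-station-id"), BACKENDS)
              for r in requests}
    alive = [s for s in BACKENDS if s != failed]
    after = {mac: pick_backend(mac.lower(), alive) for mac in before}
    moved = sum(1 for mac in before if before[mac] != after[mac])
    return moved, sum(1 for s in before.values() if s == failed)


if __name__ == "__main__":
    sample = make_requests(6000, 3)
    print("by Calling-Station-Id:", dict(distribute(sample, "calling-station-id", BACKENDS)))
    print("by NAS-IP-Address:    ", dict(distribute(sample, "nas-ip", BACKENDS)))
    print("moved/on-failed after losing radius-dc1-b:",
          moved_after_failure(sample, "radius-dc1-b"))
```

Running it shows the trade-off both posters describe: keying on the client MAC spreads 6,000 clients almost evenly across six servers, while keying on NAS IP with three controllers can use at most three servers, however many you have in the pool.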


RE: [WIRELESS-LAN] Captive Portals, WISPr, and https Re-directs

2016-06-29 Thread Curtis K. Larsen
Thanks Bibin,

I have played with this configuration some in the past.  With this config, if your users have https://www.google.com for their homepage do they get prompted for an invalid security certificate?  I think that's where I left that option last.  Also, it looks like you're enabling WISPr so that probably means that clients using the Captive Network Assistant for example can't download anything?  That is my second problem.

The ideal solution for this in my mind would use WISPr initially but re-direct when it comes time to download a WPA2-Enterprise mobileconfig or get an app from the Google Play Store, etc.  Maybe a better option does not exist yet...

Thanks,

Curtis


On Wed, June 29, 2016 11:48 am, Bibin George wrote:
> For https redirect you need this command on the wlc
> config network web-auth https-redirect enable
>
> I have these three enable in controller
> Web Auth Captive-Bypass   .. Enable
> Web Auth Secure Web  ... Enable
> Web Auth Secure Redirection  ... Enable
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
> Sent: Wednesday, June 29, 2016 12:39 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Captive Portals, WISPr, and https Re-directs
>
> Hello,
>
> I am curious about what people are doing for their Guest captive portals.  In my case, it's been a bit of a battle to combine usability and security.  For example, if I try to keep a session completely captive before guiding the user through the onboarding process, that means disabling WISPr or "web-auth captive-bypass" in Cisco WLC terms so that a user can get to the Play Store during onboarding.
>
> Of course, disabling this makes it so that the client browser does not automatically pop up to notify the user to accept an AUP or complete the onboarding process, etc.  Since the browser does not pop up and auto-re-direct, that means a user must 1) open a browser, and 2) type in a non-https address in order for the web-redirect to work.  I think too many users have an https website for their homepage, i.e. https://www.google.com, so this means they never get to the re-direct page unless they understand to type a non-https URL.
>
> So, I am playing with a scenario right now that uses WISPr first, then re-directs to the onboarding process.  This works rather nicely for iOS, OSX, and Windows, but Android and ChromeOS want to shut down the WISPr browser after my re-direct. :(
>
> Just curious:
>
> Does your captive portal offer WISPr?  If so, how are you allowing devices to 
> the Play Store?
>
> If no WISPr, have you found some other way to make https re-directs work for 
> users?
>
> Let me know.
>
> Thanks,
>
> Curtis
>


Re: [WIRELESS-LAN] eduroam ssid

2016-06-21 Thread Curtis K. Larsen
The key phrase there being ..."on properly setup clients".  Which implies that there exist improperly setup clients.  In many cases there are more improperly setup than properly setup.

Thanks,

Curtis

On Tue, June 21, 2016 8:58 am, Jeremy Mooney wrote:
> Exactly. Once you've done that, you've effectively mitigated the attack on
> properly setup clients.
>
> On Mon, Jun 20, 2016 at 6:42 PM, Philippe Hanset <phan...@anyroam.net>
> wrote:
>
>> Jeremy,
>>
>>
>> You can still help your users with PEAP (and that will help at remote
>> locations or on campus as well) by forcing them to on-board their original
>> eduroam config via an installer (e.g. CAT or a commercial one).
>> With Operating Systems using profiles you can lock the config so that
>> users won’t be able to authenticate if the RADIUS infrastructure
>> certificate is incorrect (case of MiTM attacks).
>> Now, if the user has the ability to delete the installed profile and to
>> manually join eduroam there is nothing to prevent that.
>>
>> This “locking” mechanism of the infrastructure certificate is a feature
>> of automatic installers that network operators tend to overlook.
>> We often have eduroam operators telling us that they don’t need to use CAT
>> (cat.eduroam.org, it’s free!) since OSes are doing such a good job at
>> prompting users
>> for credentials. True, but those same OSes are not good at preventing MiTM
>> attacks.
>>
>> Philippe
>> www.eduroam.us
>>
>>
>>
>> On Jun 20, 2016, at 7:19 PM, Jeremy Mooney <j-moo...@bethel.edu
>> <j-moo...@bethel.edu>> wrote:
>>
>> How would you plan to mitigate for your users at remote institutions if
>> they're not verifying the certificate? It seems you can only prevent at
>> the IdP side of your radius infrastructure, and your clients can only trust
>> they're talking to that server by verifying the certificate. If they don't
>> verify the certificate, anyone can claim to be your server and just allow
>> PEAP without you ever seeing the traffic. Technically that's also the case
>> locally (someone else stands up an AP) and you could at most maybe see it
>> happened but not block it (at least without going into the legal minefield
>> of active rogue mitigation).
>>
>> I'd think that the best you can hope for (without solving the problem of
>> users falling for phishing/MitM in general) is just only allowing EAP-TLS
>> so any client with a working config for your institution won't use PEAP,
>> but that doesn't require blocking PEAP on the SP side.
>>
>>
>> On Mon, Jun 20, 2016 at 5:00 PM, Curtis K. Larsen <
>> curtis.k.lar...@utah.edu> wrote:
>>
>>> It's done on the RADIUS server, that's kind of my point.  You have a service in your environment that may pose risk to some and you can't control it.
>>>
>>> I can mitigate the PEAP vulnerability for our users on campus, and our users at remote institutions, but I cannot mitigate that same vulnerability for another institution's users on my campus.
>>>
>>> -Curtis
>>>
>>>
>>> On Mon, June 20, 2016 3:50 pm, Chuck Enfield wrote:
>>> > How would you disable PEAP on the eduroam SSID?  I've never noticed a
>>> > setting for that.
>>> >
>>> > -Original Message-
>>> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>> > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K.
>>> Larsen
>>> > Sent: Monday, June 20, 2016 5:19 PM
>>> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> > Subject: Re: [WIRELESS-LAN] eduroam ssid
>>> >
>>> > Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin
>>> > attacks so we are disabling PEAP.  Doing that on eduroam would break all
>>> > institutions that still offer it.  Leaving it enabled exposes users at
>>> our
>>> > institution.
>>> >
>>> > -Curtis
>>> >
>>> > ____________
>>> > From: Johnson, Neil M [neil-john...@uiowa.edu]
>>> > Sent: Monday, June 20, 2016 2:52 PM
>>> > To: Curtis K. Larsen
>>> > Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> > Subject: Re: [WIRELESS-LAN] eduroam ssid
>>> >
>>> > eduroam should work with just about any authentication method that uses
>>> > EAP (PEAP,TLS,TTLS) etc.
>>> >
>>> > So if you are

Re: [WIRELESS-LAN] eduroam ssid

2016-06-21 Thread Curtis K. Larsen
Philippe,

I agree with you that EAP-TLS is by far the best way to avoid Evil Twin attacks.  I also think your suggestion here is a very clever improvement for PEAP for many eduroam admins.

Since eduroam is almost synonymous with the "secure wireless network" at most institutions, I think whoever maintains the compliance document (from 2011) you referred to earlier should be careful to gradually update the security recommendations, and at some point turn them into best practices.  The one you just mentioned would be a great start.

I think there are too many users out there connecting to the "secure" wireless network not realizing it could be the most likely place for their username and password to be stolen.

Thanks,

Curtis


On Tue, June 21, 2016 4:25 am, Philippe Hanset wrote:
> Curtis,
>
> Your comments made me think of a workaround to make PEAP a little better with CAT!
>
> Indeed EAP-TLS is by far the best way to avoid MiTM attacks, but for institutions not willing to deal with EAP-TLS (cost of installer etc…), here is what one can do with CAT to promote the usage of the installer:
>
> In the CAT installer you can specify a fixed outer-identity (same for everyone), either anonymous@realm or *@realm (* being a long string…but be careful, some OSes do not accept this, but they all accept anonymous).  You can then configure your home RADIUS server to only accept requests of the form anonymous@realm or *@realm and not accept username@realm.
>
> Users trying to configure manually will not succeed and will have to use the CAT tool and be configured properly with a locked infrastructure certificate.
>
> Some crafty people might end up guessing the outer identity (by sniffing packets), but hopefully those ones are smart enough to know not to accept evil twins' RADIUS certs.
>
> This is not 100%, but it can definitely help!
>
> Philippe
> www.eduroam.us
>
>
>> On Jun 20, 2016, at 8:03 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu> 
>> wrote:
>>
>> The PEAP vulnerability is only mitigated by requiring EAP-TLS and disabling PEAP.  (It may help a little to recommend the CAT tool or similar, but not much.)  We've recommended similar tools for 9 years - I know the take rates - they aren't great.  Why?  Because it is optional.
>>
>> All I am pointing out is that one cannot say that they have completely mitigated 100% the PEAP vulnerability while still running eduroam.  I can say that for my primary SSID.
>>
>> Thanks,
>>
>> Curtis
>>
>>
>> On Mon, June 20, 2016 5:19 pm, Jeremy Mooney wrote:
>>> How would you plan to mitigate for your users at remote institutions if
>>> they're not verifying the certificate? It seems you can only prevent at
>>> the IdP side of your radius infrastructure, and your clients can only trust
>>> they're talking to that server by verifying the certificate. If they don't
>>> verify the certificate, anyone can claim to be your server and just allow
>>> PEAP without you ever seeing the traffic. Technically that's also the case
>>> locally (someone else stands up an AP) and you could at most maybe see it
>>> happened but not block it (at least without going into the legal minefield
>>> of active rogue mitigation).
>>>
>>> I'd think that the best you can hope for (without solving the problem of
>>> users falling for phishing/MitM in general) is just only allowing EAP-TLS
>>> so any client with a working config for your institution won't use PEAP,
>>> but that doesn't require blocking PEAP on the SP side.
>>>
>>>
>>> On Mon, Jun 20, 2016 at 5:00 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu>
>>> wrote:
>>>
>>>> It's done on the RADIUS server, that's kind of my point.  You have a service in your environment that may pose risk to some and you can't control it.
>>>>
>>>> I can mitigate the PEAP vulnerability for our users on campus, and our users at remote institutions, but I cannot mitigate that same vulnerability for another institution's users on my campus.
>>>>
>>>> -Curtis
>>>>
>>>>
>>>> On Mon, June 20, 2016 3:50 pm, Chuck Enfield wrote:
>>>>> How would you disable PEAP on the eduroam SSID?  I've never noticed a
>>>>> setting for that.
>>>>>
>>>>> -Original Message-
>>>>> From: The EDUCAU
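Philippe's suggestion in this message (a fixed anonymous outer identity in the installer, and a home RADIUS server that refuses outer identities of the form username@realm) is easy to express as a policy check. The following Python is an added illustration written for this page, not CAT or FreeRADIUS code and not something posted in the thread; the home realm, the fixed "*@realm" string and the sample requests are constructed.

```python
"""Home-RADIUS outer-identity policy for PEAP/TTLS, illustrative only.

With PEAP/TTLS the outer identity travels in the clear and the real user
name only appears inside the TLS tunnel. A manually configured supplicant
typically puts the real username in the outer identity; the installer
profile puts a fixed anonymous one there and pins the server certificate.
Rejecting real-looking outer identities therefore pushes users onto the
profile that actually validates the server, which is the point of the
workaround. It does not stop a client that already accepted a wrong
certificate, so it is a nudge, not a substitute for EAP-TLS.
"""

HOME_REALM = "example.edu"                       # constructed home realm
# Outer identities the installer is allowed to send: "anonymous@realm" or a
# fixed long string playing the role of Philippe's "*@realm" (constructed).
ALLOWED_OUTER_USERS = {"anonymous", "cat-profile-7f3a9c2e"}


def split_nai(nai):
    """Split an RFC 7542 NAI 'user@realm' into (user, realm); realm may be ''."""
    user, sep, realm = nai.rpartition("@")
    if not sep:                      # no '@': bare username, no realm
        return nai, ""
    return user, realm.lower()       # realms compare case-insensitively


def outer_identity_allowed(outer):
    """Decide whether the cleartext outer identity may proceed to the inner
    EAP exchange. Returns (allowed, reason)."""
    user, realm = split_nai(outer)
    if realm != HOME_REALM:
        return False, "realm is not ours (would be proxied, not authenticated here)"
    if user.lower() in ALLOWED_OUTER_USERS:
        return True, "installer-provisioned anonymous outer identity"
    # Anything else looks like a real username in the clear: reject so the
    # user has to use the installer profile with the locked certificate.
    return False, "outer identity reveals a username; use the installer"


def inner_identity_consistent(outer, inner):
    """Inside the tunnel the inner identity carries the real user. If it has
    a realm, that realm must match the outer realm (eduroam requirement)."""
    _, outer_realm = split_nai(outer)
    _, inner_realm = split_nai(inner)
    return not inner_realm or inner_realm == outer_realm


def evaluate(request):
    """Evaluate one constructed access request {'outer': ..., 'inner': ...}.
    Returns ('accept'|'reject', reason)."""
    ok, why = outer_identity_allowed(request["outer"])
    if not ok:
        return "reject", why
    if not inner_identity_consistent(request["outer"], request["inner"]):
        return "reject", "inner realm does not match outer realm"
    return "accept", "inner identity authenticated within the tunnel"


if __name__ == "__main__":
    samples = [
        {"outer": "anonymous@example.edu", "inner": "jdoe@example.edu"},  # installer profile
        {"outer": "jdoe@example.edu", "inner": "jdoe@example.edu"},       # manual config
        {"outer": "anonymous@other.edu", "inner": "jdoe@other.edu"},      # not our realm
    ]
    for s in samples:
        print(s["outer"], "->", evaluate(s))
```

The inner-identity check is independent of the outer-identity policy; it is included because a home server that accepts only anonymous outer identities still has to read the real user from the tunnel and should refuse an inner realm that disagrees with the outer one.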

Re: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Curtis K. Larsen
The PEAP vulnerability is only mitigated by requiring EAP-TLS and disabling PEAP.  (It may help a little to recommend the CAT tool or similar, but not much.)  We've recommended similar tools for 9 years - I know the take rates - they aren't great.  Why?  Because it is optional.

All I am pointing out is that one cannot say that they have completely mitigated 100% the PEAP vulnerability while still running eduroam.  I can say that for my primary SSID.

Thanks,

Curtis


On Mon, June 20, 2016 5:19 pm, Jeremy Mooney wrote:
> How would you plan to mitigate for your users at remote institutions if
> they're not verifying the certificate? It seems you can only prevent at
> the IdP side of your radius infrastructure, and your clients can only trust
> they're talking to that server by verifying the certificate. If they don't
> verify the certificate, anyone can claim to be your server and just allow
> PEAP without you ever seeing the traffic. Technically that's also the case
> locally (someone else stands up an AP) and you could at most maybe see it
> happened but not block it (at least without going into the legal minefield
> of active rogue mitigation).
>
> I'd think that the best you can hope for (without solving the problem of
> users falling for phishing/MitM in general) is just only allowing EAP-TLS
> so any client with a working config for your institution won't use PEAP,
> but that doesn't require blocking PEAP on the SP side.
>
>
> On Mon, Jun 20, 2016 at 5:00 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu>
> wrote:
>
>> It's done on the RADIUS server, that's kind of my point.  You have a service in your environment that may pose risk to some and you can't control it.
>>
>> I can mitigate the PEAP vulnerability for our users on campus, and our users at remote institutions, but I cannot mitigate that same vulnerability for another institution's users on my campus.
>>
>> -Curtis
>>
>>
>> On Mon, June 20, 2016 3:50 pm, Chuck Enfield wrote:
>> > How would you disable PEAP on the eduroam SSID?  I've never noticed a
>> > setting for that.
>> >
>> > -Original Message-
>> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K.
>> Larsen
>> > Sent: Monday, June 20, 2016 5:19 PM
>> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> > Subject: Re: [WIRELESS-LAN] eduroam ssid
>> >
>> > Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin
>> > attacks so we are disabling PEAP.  Doing that on eduroam would break all
>> > institutions that still offer it.  Leaving it enabled exposes users at
>> our
>> > institution.
>> >
>> > -Curtis
>> >
>> > 
>> > From: Johnson, Neil M [neil-john...@uiowa.edu]
>> > Sent: Monday, June 20, 2016 2:52 PM
>> > To: Curtis K. Larsen
>> > Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> > Subject: Re: [WIRELESS-LAN] eduroam ssid
>> >
>> > eduroam should work with just about any authentication method that uses
>> > EAP (PEAP,TLS,TTLS) etc.
>> >
>> > So if you are, say, moving to TLS (Client certificates) it should still
>> > just work.
>> >
>> > -Neil
>> >
>> > --
>> > Neil Johnson
>> > Network Engineer
>> > The University of Iowa
>> > Phone: 319 384-0938
>> > Fax: 319 335-2951
>> > E-Mail: neil-john...@uiowa.edu
>> >
>> >
>> >
>> >> On Jun 17, 2016, at 10:19 AM, Curtis K. Larsen
>> > <curtis.k.lar...@utah.edu> wrote:
>> >>
>> >> We're beginning to run into this problem as well.  Luckily, eduroam is
>> >> not our primary SSID so at least the critical business functions
>> >> continue to work fine on a separate SSID.  My guess is that we'll end up
>> > turning eduroam off at those remote locations if problems get reported.
>> >>
>> >> In talking with the eduroam admin from the other institution they
>> >> mentioned that when this occurs in Europe the solution has been to
>> >> change the name of the SSID.  Is this really allowed?  If so, I'm
>> >> sold!  Then we can start using our primary SSID with eduroam
>> >> credentials!  This is what I always thought eduroam should have been.
>> >> To me the value was always in the universal credential
>> >> *NOT* the SSID name.  That was always a drawback for me especially as
>> >> sup

Re: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Curtis K. Larsen
It's done on the RADIUS server, that's kind of my point.  You have a service in your environment that may pose risk to some and you can't control it.

I can mitigate the PEAP vulnerability for our users on campus, and our users at remote institutions, but I cannot mitigate that same vulnerability for another institution's users on my campus.

-Curtis


On Mon, June 20, 2016 3:50 pm, Chuck Enfield wrote:
> How would you disable PEAP on the eduroam SSID?  I've never noticed a
> setting for that.
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
> Sent: Monday, June 20, 2016 5:19 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] eduroam ssid
>
> Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin
> attacks so we are disabling PEAP.  Doing that on eduroam would break all
> institutions that still offer it.  Leaving it enabled exposes users at our
> institution.
>
> -Curtis
>
> 
> From: Johnson, Neil M [neil-john...@uiowa.edu]
> Sent: Monday, June 20, 2016 2:52 PM
> To: Curtis K. Larsen
> Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] eduroam ssid
>
> eduroam should work with just about any authentication method that uses
> EAP (PEAP,TLS,TTLS) etc.
>
> So if you are, say, moving to TLS (Client certificates) it should still
> just work.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> E-Mail: neil-john...@uiowa.edu
>
>
>
>> On Jun 17, 2016, at 10:19 AM, Curtis K. Larsen
> <curtis.k.lar...@utah.edu> wrote:
>>
>> We're beginning to run into this problem as well.  Luckily, eduroam is
>> not our primary SSID so at least the critical business functions
>> continue to work fine on a separate SSID.  My guess is that we'll end up
>> turning eduroam off at those remote locations if problems get reported.
>>
>> In talking with the eduroam admin from the other institution they
>> mentioned that when this occurs in Europe the solution has been to
>> change the name of the SSID.  Is this really allowed?  If so, I'm
>> sold!  Then we can start using our primary SSID with eduroam
>> credentials!  This is what I always thought eduroam should have been.
>> To me the value was always in the universal credential
>> *NOT* the SSID name.  That was always a drawback for me especially as
>> supplicants become easier to configure.
>>
>> The other problem that we're going to run into soon is that we will be
>> phasing out PEAP on our main SSID to mitigate against the evil twin
>> vulnerability, but what do we do with eduroam?  I mean I guess you
>> could say it is the remote institution's problem, or the user's
>> problem if they connect to an evil twin on your campus because they're
>> not validating the server.  But if the evil twin is on your campus it
>> seems you have at least some responsibility in the matter.  But as it
>> stands, eduroam will leave a bit of a gaping security hole for us.
>>
>> --
>> Curtis K. Larsen
>> Senior Network Engineer
>> University of Utah IT/CIS
>>
>>
>>
>> On Fri, June 17, 2016 7:35 am, Turner, Ryan H wrote:
>>> Yes.  We have a satellite school at UNC Asheville.  Up until recently, UNC Asheville was not running eduroam, and UNC Chapel Hill was the only occupant of a couple of buildings on campus.  UNC Asheville adopted eduroam and wanted to move into adjoining spaces.  So we were going to have the situation where UNC Chapel Hill folks might attach to the wrong institution's eduroam and vice versa.  We ended up bridging the two networks together through a single link, and based on realm, UNC Asheville will terminate UNC Chapel Hill folks directly to our network (through trunked vlans).  It is nice, because now anywhere on UNC Asheville campus, UNC Chapel Hill folks have UNC Chapel Hill IP space.  Because it made sense, we actually turned off our access points and allowed UNC Asheville to provide wireless in our areas (so we wouldn't have competing wireless).
>>>
>>>
>>> Ryan Turner
>>> Manager of Network Operations
>>> ITS Communication Technologies
>>> The University of North Carolina at Chapel Hill
>>>
>>> r...@unc.edu<mailto:r...@unc.edu>
>>> +1 919 445 0113 Office
>>> +1 919 274 7926 Mobile
>>>
>>>
>>>
>>> From: The EDUCAUSE W

RE: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Curtis K. Larsen
Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin attacks 
so we are disabling PEAP.  Doing that on eduroam would break all institutions 
that still offer it.  Leaving it enabled exposes users at our institution.

-Curtis


From: Johnson, Neil M [neil-john...@uiowa.edu]
Sent: Monday, June 20, 2016 2:52 PM
To: Curtis K. Larsen
Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam ssid

eduroam should work with just about any authentication method that uses EAP 
(PEAP,TLS,TTLS) etc.

So if you are, say, moving to TLS (Client certificates) it should still just work.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Jun 17, 2016, at 10:19 AM, Curtis K. Larsen <curtis.k.lar...@utah.edu> 
> wrote:
>
> We're beginning to run into this problem as well.  Luckily, eduroam is not our primary SSID so at least the critical business functions continue to work fine on a separate SSID.  My guess is that we'll end up turning eduroam off at those remote locations if problems get reported.
>
> In talking with the eduroam admin from the other institution they mentioned that when this occurs in Europe the solution has been to change the name of the SSID.  Is this really allowed?  If so, I'm sold!  Then we can start using our primary SSID with eduroam credentials!  This is what I always thought eduroam should have been.  To me the value was always in the universal credential *NOT* the SSID name.  That was always a drawback for me especially as supplicants become easier to configure.
>
> The other problem that we're going to run into soon is that we will be phasing out PEAP on our main SSID to mitigate against the evil twin vulnerability, but what do we do with eduroam?  I mean I guess you could say it is the remote institution's problem, or the user's problem if they connect to an evil twin on your campus because they're not validating the server.  But if the evil twin is on your campus it seems you have at least some responsibility in the matter.  But as it stands, eduroam will leave a bit of a gaping security hole for us.
>
> --
> Curtis K. Larsen
> Senior Network Engineer
> University of Utah IT/CIS
>
>
>
> On Fri, June 17, 2016 7:35 am, Turner, Ryan H wrote:
>> Yes.  We have a satellite school at UNC Asheville.  Up until recently, UNC Asheville was not running eduroam, and UNC Chapel Hill was the only occupant of a couple of buildings on campus.  UNC Asheville adopted eduroam and wanted to move into adjoining spaces.  So we were going to have the situation where UNC Chapel Hill folks might attach to the wrong institution’s eduroam and vice versa.  We ended up bridging the two networks together through a single link, and based on realm, UNC Asheville will terminate UNC Chapel Hill folks directly to our network (through trunked vlans).  It is nice, because now anywhere on UNC Asheville campus, UNC Chapel Hill folks have UNC Chapel Hill IP space.  Because it made sense, we actually turned off our access points and allowed UNC Asheville to provide wireless in our areas (so we wouldn’t have competing wireless).
>>
>>
>> Ryan Turner
>> Manager of Network Operations
>> ITS Communication Technologies
>> The University of North Carolina at Chapel Hill
>>
>> r...@unc.edu<mailto:r...@unc.edu>
>> +1 919 445 0113 Office
>> +1 919 274 7926 Mobile
>>
>>
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Becker, Jason
>> Sent: Thursday, June 16, 2016 11:45 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] eduroam ssid
>>
>> Has anyone run into this situation…
>>
>> We are an eduroam participating school and have multiple buildings that are either across the road or sometimes sidewalk that another University owns.  The other school is wanting to join eduroam so my issue is when we are both broadcasting the same ssid in possibly the same airspace.  I have a feeling this is going to cause many problems as clients could bounce back and forth between systems.
>>
>> If you had to deal with this I'd like to hear your thoughts on it.
>>
>> --
>> Thanks,
>> Jason Becker
>> Network Systems Engineer
>> Washington University in St. Louis
>&g

Re: [WIRELESS-LAN] eduroam ssid

2016-06-17 Thread Curtis K. Larsen
We're beginning to run into this problem as well.  Luckily, eduroam is not our primary SSID so at least the critical business functions continue to work fine on a separate SSID.  My guess is that we'll end up turning eduroam off at those remote locations if problems get reported.

In talking with the eduroam admin from the other institution they mentioned that when this occurs in Europe the solution has been to change the name of the SSID.  Is this really allowed?  If so, I'm sold!  Then we can start using our primary SSID with eduroam credentials!  This is what I always thought eduroam should have been.  To me the value was always in the universal credential *NOT* the SSID name.  That was always a drawback for me especially as supplicants become easier to configure.

The other problem that we're going to run into soon is that we will be phasing out PEAP on our main SSID to mitigate against the evil twin vulnerability, but what do we do with eduroam?  I mean I guess you could say it is the remote institution's problem, or the user's problem if they connect to an evil twin on your campus because they're not validating the server.  But if the evil twin is on your campus it seems you have at least some responsibility in the matter.  But as it stands, eduroam will leave a bit of a gaping security hole for us.

-- 
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



On Fri, June 17, 2016 7:35 am, Turner, Ryan H wrote:
> Yes.  We have a satellite school at UNC Asheville.  Up until recently, UNC Asheville was not running eduroam, and UNC Chapel Hill was the only occupant of a couple of buildings on campus.  UNC Asheville adopted eduroam and wanted to move into adjoining spaces.  So we were going to have the situation where UNC Chapel Hill folks might attach to the wrong institution’s eduroam and vice versa.  We ended up bridging the two networks together through a single link, and based on realm, UNC Asheville will terminate UNC Chapel Hill folks directly to our network (through trunked vlans).  It is nice, because now anywhere on UNC Asheville campus, UNC Chapel Hill folks have UNC Chapel Hill IP space.  Because it made sense, we actually turned off our access points and allowed UNC Asheville to provide wireless in our areas (so we wouldn’t have competing wireless).
>
>
> Ryan Turner
> Manager of Network Operations
> ITS Communication Technologies
> The University of North Carolina at Chapel Hill
>
> r...@unc.edu<mailto:r...@unc.edu>
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Becker, Jason
> Sent: Thursday, June 16, 2016 11:45 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] eduroam ssid
>
> Has anyone run into this situation…
>
> We are an eduroam participating school and have multiple buildings that are either across the road or sometimes sidewalk that another University owns.  The other school is wanting to join eduroam so my issue is when we are both broadcasting the same ssid in possibly the same airspace.  I have a feeling this is going to cause many problems as clients could bounce back and forth between systems.
>
> If you had to deal with this I'd like to hear your thoughts on it.
>
> --
> Thanks,
> Jason Becker
> Network Systems Engineer
> Washington University in St. Louis
> jbec...@wustl.edu<mailto:jbec...@wustl.edu>
> 314-935-5006


Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Curtis K. Larsen
Interesting Hunter,

Are the Xboxes the only use case causing you to look at this?  I'm trying to identify as many use cases as possible before we apply the inbound deny.  Let me know.

Thanks,

Curtis


On Wed, June 8, 2016 3:45 pm, Hunter Fuller wrote:
> We are looking at giving users the option to use a wide-open ESSID for
> their Xboxes. The user would register the MAC, and we would put them
> into a wide-open-inbound area with public addresses, for the best
> experience. But we would limit some outgoing stuff (Google, our LMS,
> etc.) to try to nudge people toward eduroam (our 802.1X solution).
> None of this is in production but it's the direction I think we are
> leaning when we discontinue our legacy PSK ESSIDs.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
>
> On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen
> <curtis.k.lar...@utah.edu> wrote:
>> Hello,
>>
>> We're looking at a default deny inbound and possibly opening ports as required later on the guest wireless network.  If you have already done this I am curious to know what you and your user community defined as being required on the guest network.
>>
>> I think primary drivers might include devices that are not capable of WPA2-Enterprise *and* needing to run a service.  Google cloud printers come to mind, someone also mentioned multi-player Xbox?  Do you have other examples or use cases for allowing services like http/https from the internet to your guest wireless network?  If so, please share.
>>
>> Thanks,
>>
>> Curtis
>



Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Curtis K. Larsen
Very good point Jeff.  I may be worrying for nothing.

Thanks,

Curtis


On Wed, June 8, 2016 11:22 am, Jeffrey D. Sessler wrote:
> Most of the IoT devices use external cloud services, where the device 
> establishes a connection
> outbound with the external service. As such, your typical “established” rules 
> take care of the
> rest. For something like the XBOX, the games tend to pick the best host for 
> multiplayer (if it’s
> doing xbox<->xbox communications), so it will take the one that’s wide open 
> vs one that is
> blocking all inbound connections (MS calls it strict NAT). Pretty much any 
> XBOX on a home network
> is going to use UPnP to open up all the necessary ports, allowing a “strict 
> NAT” XBOX to connect
> to it.
>
> Even for something like Google Cloud Print – the device e.g. Printer, opens 
> an outbound connection
> to Google, and communication happens over that persistent connection. Again, 
> as long as your
> firewall/ACL has an allow for established connections, this works as it 
> should. It’s always the
> device establishing the outbound connection rather than the external service 
> trying to establish
> an inbound connection.
>
> If anything, the need to poke holes is diminishing. Device/service companies 
> realize that the
> average person isn’t going to know how to poke holes in their router, and a 
> corporation is
> unlikely to do so at all. Thus, everything is about the device establishing 
> the connection
> outbound, and communication occurring on that persistent connection.
>
>
> Jeff
>
> On 6/8/16, 8:37 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Curtis
> K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
> curtis.k.lar...@utah.edu> wrote:
>
> So today we have the 1x student, faculty, staff network, and the open guest 
> network only.  So
> essentially the "guest" network doubles as the non-1x option.  We are 
> contemplating a PSK network
> that could accommodate registered non-1x devices for students in student 
> housing areas for
> example
> and that could solve some of these problems, but that is farther out and not 
> the main point of my
> post.
>
> My original question was for those that do have the default deny inbound 
> already (and it sounds
> like the majority are doing this).  What are the top requests that you get 
> for exceptions to the
> rule, if any?  We want to forecast a little and understand what might break 
> when we add the deny
> inbound.  And, yes we've been looking at flow data and AVC data from the WLC.
>
> My concern is that particularly in housing areas (but also some on campus) 
> the number of devices
> that act like a server in some way, requiring inbound connections is probably 
> growing.  The
> multi-player xbox explanation is interesting.  Any other common examples 
> you've seen?
>
> Thanks,
>
> Curtis
>
>
> On Wed, June 8, 2016 7:59 am, Thomas Carter wrote:
>> What do you consider a "guest" network? I ask, because we have a "guest" 
>> network that is just
>> for
>> use by people not directly associated with the college (i.e. not faculty, 
>> staff, or a student).
>> Saying that, we don't have enough public IP space to give out public IPs or 
>> even 1-1 nat, so
>> all
>> traffic (guest and internal) uses traditional NAT with default deny inbound. 
>> The only real
>> issues
>> we've had are related to Xbox multiplayer; the person on campus cannot host 
>> the game, but can
>> join
>> someone else's game. With so many free/cheap cloud options, things like 
>> physical "servers" run
>> by
>> students seem to be a thing of the past.
>>
>> Thomas Carter
>> Network & Operations Manager
>> Austin College
>>
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
>> Sent: Tuesday, June 7, 2016 6:34 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Servers on Guest Networks
>>
>> Hello,
>>
>> We're looking at a default deny inbound and possibly opening ports as 
>> required later on the
>> guest
>> wireless network.  If you have already done this I am curious to know what 
>> you and your user
>> community defined as being required on the guest network.
>>
>> I think primary drivers might include devices that are not capable of 
>> WPA2-Enterprise *and*
>> needing to run a service.  Google cloud printers come to mind, someo

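Jeff's point above (the device opens the connection outbound and everything rides on that persistent session, so an "established" rule is all that is needed) and Thomas Carter's Xbox observation (a console behind default-deny can join a game but cannot host one) can be shown with a small stateful filter. The following is an added example, not code from any post in this thread; the addresses, ports, idle timeout and the flows it replays are all constructed for the demonstration.

```python
# Added example, not code from the thread: a toy stateful filter implementing
# "default deny inbound, allow established" to show which guest-network device
# flows survive it. All addresses, ports and flows below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

GUEST_PREFIX = "10.50."   # constructed guest wireless address range
IDLE_TIMEOUT = 120.0      # seconds of silence before a flow entry is dropped

@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since the start of the constructed trace
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# (proto, inside addr, inside port, outside addr, outside port)
FlowKey = Tuple[str, str, int, str, int]

class StatefulFilter:
    """Remembers flows opened from the inside; inbound packets pass only if
    they belong to one of those flows (the 'established' rule)."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, float] = {}   # flow -> last-seen timestamp
        self.denied: List[str] = []             # audit trail of dropped packets

    def _expire(self, now: float) -> None:
        for key in [k for k, seen in self.flows.items() if now - seen > IDLE_TIMEOUT]:
            del self.flows[key]

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(pkt.ts)
        if pkt.src.startswith(GUEST_PREFIX):
            # Outbound: always allowed, and it creates (or refreshes) a flow entry.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return True
        # Inbound: allowed only as the return half of a flow the inside host opened.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            self.flows[key] = pkt.ts
            return True
        self.denied.append(f"t={pkt.ts:.0f} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                           f"{pkt.dst}:{pkt.dport} (no established flow)")
        return False

def run_scenario() -> Dict[str, object]:
    """Replay the device types discussed in the thread through the filter."""
    fw = StatefulFilter()
    printer, console = "10.50.1.20", "10.50.2.30"                          # guest-side devices
    cloud, peer, stranger = "203.0.113.10", "198.51.100.7", "192.0.2.99"   # outside hosts
    result: Dict[str, object] = {}
    # Cloud printer opens a persistent TLS session; the service's replies ride on it.
    fw.handle(Packet(0, "tcp", printer, 50001, cloud, 443))
    result["printer_reply"] = fw.handle(Packet(1, "tcp", cloud, 443, printer, 50001))
    # Console joins a game hosted elsewhere: it sends first, so the replies are 'established'.
    fw.handle(Packet(10, "udp", console, 3074, peer, 3074))
    result["join_reply"] = fw.handle(Packet(11, "udp", peer, 3074, console, 3074))
    # A third party tries to reach a game hosted on the console: nothing inside opened it.
    result["host_attempt"] = fw.handle(Packet(12, "udp", stranger, 3074, console, 3074))
    # After the idle timeout the old flow is gone, so a late packet looks unsolicited too.
    result["stale_reply"] = fw.handle(Packet(11 + IDLE_TIMEOUT + 1, "udp", peer, 3074, console, 3074))
    result["denied"] = list(fw.denied)
    return result

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The `denied` list is the part worth keeping in a real deployment: logging the inbound drops by destination port, before the deny is enforced, is the cheapest way to answer Curtis's question about which exception requests to expect.
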
Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Curtis K. Larsen
So today we have the 1x student, faculty, staff network, and the open guest 
network only.  So
essentially the "guest" network doubles as the non-1x option.  We are 
contemplating a PSK network
that could accommodate registered non-1x devices for students in student 
housing areas for example
and that could solve some of these problems, but that is farther out and not 
the main point of my
post.

My original question was for those that do have the default deny inbound 
already (and it sounds
like the majority are doing this).  What are the top requests that you get for 
exceptions to the
rule, if any?  We want to forecast a little and understand what might break 
when we add the deny
inbound.  And, yes we've been looking at flow data and AVC data from the WLC.

My concern is that particularly in housing areas (but also some on campus) the 
number of devices
that act like a server in some way, requiring inbound connections is probably 
growing.  The
multi-player xbox explanation is interesting.  Any other common examples you've 
seen?

Thanks,

Curtis


On Wed, June 8, 2016 7:59 am, Thomas Carter wrote:
> What do you consider a "guest" network? I ask, because we have a "guest" 
> network that is just for
> use by people not directly associated with the college (i.e. not faculty, 
> staff, or a student).
> Saying that, we don't have enough public IP space to give out public IPs or 
> even 1-1 nat, so all
> traffic (guest and internal) uses traditional NAT with default deny inbound. 
> The only real issues
> we've had are related to Xbox multiplayer; the person on campus cannot host 
> the game, but can join
> someone else's game. With so many free/cheap cloud options, things like 
> physical "servers" run by
> students seem to be a thing of the past.
>
> Thomas Carter
> Network & Operations Manager
> Austin College
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
> Sent: Tuesday, June 7, 2016 6:34 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Servers on Guest Networks
>
> Hello,
>
> We're looking at a default deny inbound and possibly opening ports as 
> required later on the guest
> wireless network.  If you have already done this I am curious to know what 
> you and your user
> community defined as being required on the guest network.
>
> I think primary drivers might include devices that are not capable of 
> WPA2-Enterprise *and*
> needing to run a service.  Google cloud printers come to mind, someone also 
> mentioned multi-player
> Xbox?  Do you have other examples or use cases for allowing services like 
> http/https from the
> internet to your guest wireless network?  If so, please share.
>
> Thanks,
>
> Curtis



Servers on Guest Networks

2016-06-07 Thread Curtis K. Larsen
Hello,

We're looking at a default deny inbound and possibly opening ports as required 
later on the guest wireless network.  If you have already done this I am 
curious to know what you and your user community defined as being required on 
the guest network.

I think primary drivers might include devices that are not capable of 
WPA2-Enterprise *and* needing to run a service.  Google cloud printers come to 
mind, someone also mentioned multi-player Xbox?  Do you have other examples or 
use cases for allowing services like http/https from the internet to your guest 
wireless network?  If so, please share.

Thanks,

Curtis


Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Curtis K. Larsen
About a year and a half ago I did pretty exhaustive testing of RADIUS load with 
the Spirent
traffic generator and with the assistance of PacketFence developers.  
(PacketFence is also based
on FreeRADIUS).  They suggested we tweak the MaxConcurrentAPI setting on our 
test AD server.  So
we did, but unfortunately it seemed to make no difference at all in the number 
of authentications
per second we could process from the load generator.

One thing we found though was that if we ran the authentications against a flat 
file on the RADIUS
server itself we could process six times more authentications.  The bottom line 
is that whether it
is SAMBA, NTLM, AD, or network latency itself I can't say - but I do know that 
if I eliminate all
of them performance increases dramatically.

Bottom line:  Use EAP-TLS, and avoid checking LDAP/AD except when absolutely 
necessary.  PEAP is
vulnerable to fake AP/MITM attacks anyway.

If you must check AD all the time - get a lot of servers, load balance them, 
monitor and graph
authentications down to the second.  That way you'll be more likely to identify 
the cause of an
issue.

Thanks,

-- 
Curtis K. Larsen
Sr. Network Engineer
University of Utah IT/CIS



On Thu, March 10, 2016 1:44 pm, Jake Snyder wrote:
> If AD is not keeping up with the NTLM requests, giving the DCs more NTLM 
> worker threads can help
> it keep up with higher loads.
>
> Working with TAC we found specifically in the ACS logs that it was waiting 
> for Windows to respond.
>
> As far as number of devices, they weren't showing increases over earlier in 
> the week or previous
> weeks.
>
> Thanks
> Jake Snyder
>
>
> Sent from my iPhone
>
>> On Mar 10, 2016, at 12:21 PM, Matthew Newton <m...@leicester.ac.uk> wrote:
>>
>> Hi,
>>
>>> On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
>>> Thanks for the great info on FreeRadius.  I don't think this is
>>> the case in what I'm seeing that, which is specifically that
>>> Windows AD is not keeping up with NTLM.
>>
>> OK, that's interesting. I think the issue that others have seen on
>> this would look like that - and certainly the symptoms sound the
>> same as you described - so I'm wondering how you came to the
>> conclusion that it's AD itself rather than something between AD
>> and ACS.
>>
>> However, I'm not at all familiar with ACS - I guess it sits on a
>> member server and probably calls LsaLogonUser directly - so there
>> is the communication between the member server and the DC, though
>> I guess that /should/ be fairly slick in theory...
>>
>>> These are customers with environments that are relatively stable
>>> and have been performing well for extended periods of time with
>>> similar user counts.  These are also well below the 256 radius
>>> session limit.
>>
>> I'd throw in the consideration of student numbers as well. We
>> always hit our peak number of wireless clients in February/March
>> each year, so this is the time problems often show up. Why this
>> time of year I have no idea! Probably all the new Christmas
>> presents being connected. :)
>>
>>> The MaxConcurrentAPI raises the number of worker threads in AD
>>> so that NTLM on the DC can keep up with the incoming
>>> requests.  Why did the performance of NTLM change recently?  I
>>> have no idea, but it appears it has.
>>
>> I believe MaxConcurrentAPI helped some people[0] who were having
>> problems with the FreeRADIUS/Samba setup as well, so again I'm not
>> entirely sure it's a pointer to AD having necessarily changed.
>>
>> Maybe reviewing all Windows patches applied to the DCs and ACS
>> servers in the last 3 months and see if anything seems relevant?
>> But I'm not sure how easy this is to do.
>>
>> It seems very likely to me that sites are seeing a combination
>> of problems, which could be all of WLC running out of RADIUS IDs,
>> ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't
>> surprise me if different things seem to fix the same symptoms for
>> different sites. It's just that the ACS sites don't have the
>> ntlm_auth component of the problem, so it may have taken a few
>> more months of load before the issue reared its head!
>>
>> Cheers,
>>
>> Matthew
>>
>>
>> [0] see e.g. 
>> https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html
>>
>> --
>> Matthew Newton, Ph.D. <m...@le.ac.uk>
>>
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>>
>> For IT help conta

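Curtis's advice above to "monitor and graph authentications down to the second" is easy to do from the RADIUS server's own log. The following is an added example, not code from any post in this thread or from the FreeRADIUS project: it parses `Auth: Login OK` / `Login incorrect` lines in the radius.log style, buckets them per second, and flags seconds whose volume or failure ratio crosses a threshold. The log lines, client names (`wlc-01`, `wlc-02`) and thresholds are constructed for the demonstration.

```python
# Added example, not from the post: per-second RADIUS authentication counting
# over FreeRADIUS-style radius.log lines, which is the "monitor and graph
# authentications down to the second" check suggested above. The log lines,
# client names and thresholds are constructed for the demo.
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Matches the 'Auth: Login OK/incorrect' lines radiusd writes to radius.log.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port"
)

def parse_auth_log(lines: Iterable[str]) -> Tuple[Dict[datetime, Counter], Counter]:
    """Return ({second: Counter(ok=..., fail=...)}, Counter(client -> attempts))."""
    per_second: Dict[datetime, Counter] = defaultdict(Counter)
    per_client: Counter = Counter()
    for line in lines:
        m = AUTH_LINE.match(line)
        if not m:
            continue                       # Info/Error lines and debug chatter
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        per_second[ts]["ok" if m["result"] == "OK" else "fail"] += 1
        per_client[m["client"]] += 1
    return per_second, per_client

def hot_seconds(per_second: Dict[datetime, Counter],
                max_per_second: int = 50,
                max_fail_ratio: float = 0.3) -> List[Tuple[datetime, int, float, str]]:
    """Seconds whose volume or failure ratio exceeds the thresholds, oldest first.
    A burst of 'incorrect' that coincides with a volume spike is the signature of
    a backend (AD/NTLM) stall or timeout cascade rather than of bad passwords."""
    flagged = []
    for ts in sorted(per_second):
        c = per_second[ts]
        total = c["ok"] + c["fail"]
        ratio = c["fail"] / total if total else 0.0
        reasons = []
        if total > max_per_second:
            reasons.append("volume")
        if ratio > max_fail_ratio:
            reasons.append("failures")
        if reasons:
            flagged.append((ts, total, round(ratio, 2), "+".join(reasons)))
    return flagged

def series(per_second: Dict[datetime, Counter]) -> List[Tuple[str, int, int]]:
    """(iso timestamp, ok, fail) rows, ready to feed a time-series graph."""
    return [(ts.isoformat(), per_second[ts]["ok"], per_second[ts]["fail"])
            for ts in sorted(per_second)]

# Constructed sample: three seconds of radius.log with a spike of failures at :02.
SAMPLE_LOG = """\
Thu Mar 10 13:44:01 2016 : Auth: Login OK: [alice] (from client wlc-01 port 13 cli 00-11-22-33-44-01)
Thu Mar 10 13:44:01 2016 : Auth: Login OK: [bob] (from client wlc-01 port 13 cli 00-11-22-33-44-02)
Thu Mar 10 13:44:01 2016 : Info: rlm_eap: constructed non-auth line, ignored by the parser
Thu Mar 10 13:44:02 2016 : Auth: Login OK: [carol] (from client wlc-02 port 13 cli 00-11-22-33-44-03)
Thu Mar 10 13:44:02 2016 : Auth: Login incorrect: [dave] (from client wlc-02 port 13 cli 00-11-22-33-44-04)
Thu Mar 10 13:44:02 2016 : Auth: Login incorrect: [erin] (from client wlc-02 port 13 cli 00-11-22-33-44-05)
Thu Mar 10 13:44:02 2016 : Auth: Login incorrect: [frank] (from client wlc-02 port 13 cli 00-11-22-33-44-06)
Thu Mar 10 13:44:02 2016 : Auth: Login OK: [grace] (from client wlc-01 port 13 cli 00-11-22-33-44-07)
Thu Mar 10 13:44:03 2016 : Auth: Login OK: [heidi] (from client wlc-01 port 13 cli 00-11-22-33-44-08)
""".splitlines()

def analyse_sample() -> List[Tuple[datetime, int, float, str]]:
    """Run the constructed sample with thresholds low enough to trigger on it."""
    per_second, _ = parse_auth_log(SAMPLE_LOG)
    return hot_seconds(per_second, max_per_second=4, max_fail_ratio=0.3)

if __name__ == "__main__":
    per_second, per_client = parse_auth_log(SAMPLE_LOG)
    print(series(per_second))
    print(per_client)
    print(analyse_sample())
```

Feeding `series()` into whatever graphing tool the team already uses gives the per-second view Curtis describes; when the spike lines up with a rise in `incorrect` across every WLC at once, the cause is almost always behind the RADIUS server (AD, NTLM, latency), not the clients.
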
Cisco WLC Running Mixed-Mode (802.11r+OKC) ?

2016-01-08 Thread Curtis K. Larsen
Hello,

I'm just wondering who is running their WLC with 802.11r and also allowing
the OKC clients on the same SSID.  Ideally, this would allow the Windows
clients to perform cached roams (not go back to the RADIUS server) like
always *and* finally allow the OSX clients to do the same.

I'm hesitant to enable this because of the caveat here:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001101.html

"Legacy clients cannot associate with a WLAN that has 802.11r enabled if
the driver of the supplicant that is responsible for parsing the Robust
Security Network Information Exchange (RSN IE) is old ..."

But then again in the same paragraph...

"Another workaround is to have two SSIDs with the same name but with
different security settings (FT and non-FT)."

Is anyone doing this?  If so, I'd like to hear lessons learned on or off
the list.

Thanks,

-- 
Curtis K. Larsen
Sr. Network Engineer
University of Utah IT/CIS
Office 801-587-1313
Cell 801-425-7528



RE: [WIRELESS-LAN] Cisco Small Cell Solution

2015-11-18 Thread Curtis K. Larsen
My understanding is that the carrier still supports the Cisco small cell 
solution.  In fact, only a carrier can purchase the modules, and right now only 
they decide if, when, and where to install the modules, and they control them.  
All of that is fine by me, but it's just taking a long time to bring carriers 
on, and even when it does it's one carrier per module.

Has anyone had any success with the MobileAccess VE (Cisco Partner) solution?  
It was similar to the small cell module in that you could use the existing 
CAT5e/6 cable to the AP, but I think it would allow for more carriers, and 
maybe more control of when and where to put the VE "Access Pods".


Thanks,

Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Smith, Todd 
[todd.sm...@camc.org]
Sent: Wednesday, November 18, 2015 11:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Small Cell Solution

I have used Wilson gear before and it really doesn’t work well here since there 
is little outdoor signal to amplify.  Wi-Fi calling might be the future but it 
still requires a voice-grade Wi-Fi network to work well and it requires handset 
support for it.  Both of those are issues not easily corrected.

A small cell solution from someone, like Alcatel-Lucent or Cisco would provide 
3G/4G signal wherever you need it without carrier support.

Todd

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dexter Caldwell
Sent: Wednesday, November 18, 2015 12:29
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Small Cell Solution

We’re just doing local building cellular boosters.  Relatively inexpensive 
(http://www.amazon.com/Wilson-Electronics-Indoor-Cellular-Booster/dp/B00IWW9AB8/) 
and we do them on an as-needed basis usually by targeting high complaint 
buildings or areas.  Some have a limit on the type of carrier, but you can hit 
the most popular carrier in use and the complaints go away.   It’s been working 
well for us for the last year or two.

Also, companies like Republic Wireless are changing the game in cellular 
phones.  They only use cellular as a backup to wifi and the call can roam 
seamlessly back and forth.   They’re a niche player, but I’ve used them 
personally and it’s been great as an IT person to have cell coverage in the 
dungeons of our campus networks where no cellular coverage ever reached and my 
staff would have to come upstairs or outside just to use their phones.  
T-Mobile has been doing some of this as well.  I know we don’t select 
people’s carriers, but the point is that the technology is changing in ways 
that make a large DAS rollout or expensive mass deployment really unnecessary.





RE: [WIRELESS-LAN] Ruckus has purchased Cloudpath

2015-10-22 Thread Curtis K. Larsen
I have to be honest - not really excited to see this.  We've been using 
Cloudpath Networks for 8 years including the Enrollment System with EAP-TLS for 
a year - and I've been super pleased with it.  I hope they intend to support 
non-Ruckus vendors for a long time and keep Kevin Koster running things.

Curtis Larsen
University Of Utah IT/CIS
Sr. Network Engineer
Office 801-587-1313


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel 
[jcoeho...@york.edu]
Sent: Thursday, October 22, 2015 9:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ruckus has purchased Cloudpath

Best case scenario: Ruckus' awesome Dynamic PSK feature gets rolled into 
Cloudpath for the rest of us and the pricing comes down in an effort to use 
CloudPath to eventually sway customers towards Ruckus hardware. Worst case: 
Cloudpath effectively goes Ruckus-only, leaving us to move to either Secure-W2, 
Cisco ISE, or Aruba ClearPass.






Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Thu, Oct 22, 2015 at 9:58 AM, Frank Sweetser wrote:
Well that's... interesting.

Anyone heard any rumors about what their roadmap might be?  These acquisitions 
of an independent service by a larger portfolio company rarely seem to go well for 
customers of the independent service if you're not also a customer of the large 
one.

Frank Sweetser fs at wpi.edu|  For every problem, there is 
a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 10/22/2015 10:43 AM, Lee H Badman wrote:
FYI.
Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003  f 315.443.4325  e lhbadman@syr.edu  w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu





RE: [WIRELESS-LAN] iPhone6s Can't Browse/Re-direct Whilst in Captive Portal with Webauth

2015-09-28 Thread Curtis K. Larsen
Thanks for your help everyone.  It turns out it was an app called "ADBLOCK" 
installed on the device.  Removing it has fixed the problem.

Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of David R. Morton 
[dmor...@uw.edu]
Sent: Monday, September 28, 2015 1:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iPhone6s Can't Browse/Re-direct Whilst in Captive 
Portal with Webauth

Try turning off Wi-Fi assist. It is at the very bottom of the cellular section 
and is on by default.


David Morton
Director, Mobile Communications
Service Owner: mobile, HuskyTV, Wi-Fi
University of Washington, UWIT
dmor...@uw.edu<mailto:dmor...@uw.edu>

On Sep 28, 2015, at 11:36 AM, Curtis K. Larsen 
<curtis.k.lar...@utah.edu<mailto:curtis.k.lar...@utah.edu>> wrote:

Hello,

A new iPhone (iOS9.0.1 Build 13A405) can't browse any pages in our guest 
captive portal. The portal uses webauth and RADIUS-NAC. All other devices seem 
to work fine and get re-directed when they browse to any Http site. For some 
strange reason only this iPhone6S will not.

Also, any sites permitted thru our Pre-Auth-ACL are not being allowed, yet for 
all other devices it seems to work fine.  Anyone else seeing this?


Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer
Office 801-587-1313






iPhone6s Can't Browse/Re-direct Whilst in Captive Portal with Webauth

2015-09-28 Thread Curtis K. Larsen
Hello,

A new iPhone (iOS9.0.1 Build 13A405) can't browse any pages in our guest 
captive portal. The portal uses webauth and RADIUS-NAC. All other devices seem 
to work fine and get re-directed when they browse to any Http site. For some 
strange reason only this iPhone6S will not. 

Also, any sites permitted thru our Pre-Auth-ACL are not being allowed, yet for 
all other devices it seems to work fine.  Anyone else seeing this?


Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer
Office 801-587-1313





RE: [WIRELESS-LAN] Cisco WLC RADIUS Packet ID Bug

2015-09-25 Thread Curtis K. Larsen


> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Earl Barfield
> Sent: Friday, September 25, 2015 6:25 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Cisco WLC RADIUS Packet ID Bug
> 
> > Date:Thu, 24 Sep 2015 15:30:59 +0000
> > From:"Curtis K. Larsen" <curtis.k.lar...@utah.edu>
> > Subject: Cisco WLC RADIUS Packet ID Bug
> >
> > Hi Guys,
> >
> > I have a TAC case open on this but It looks like once a week or so
> > when the perfect storm arises we are hitting this one for a couple of
> > minutes:  CSCuo96366
> >
> > ---
> > WLC sends Radius packets with same ID without doing Radius ID check
> > CSCuo96366
> > Description
> > Symptom:
> > Clients are not able to Authenticate at Peak loads when using FreeRadius.
> >
> > Conditions:
> > Using FreeRADIUS (most susceptible), we observe at high auth rate and if
> Radius server is not responding to all Radius packets in seq order or if the
> server is slow, WLC when wraps around 0-255 Radius ID's, it does not do a
> check when posting new packet.
> >
> > So essentially you have 2 packets with same ID being presented to AAA
> server.
> > ---
> >
> > The funny thing is that 9 of 10 WLC's are working fine against the
> > same servers at the same time - the problem only happens on one WLC.
> > When it occurs we see this in the logs (Notice the same ID number 253
> > below)
> >
> > servername radiusd[23964]: Discarding conflicting packet from client (IP of
> WLC) port 32770 - ID: 253 due to recent request 57345605.
> > servername radiusd[23964]: Discarding conflicting packet from client
> > (IP of WLC) port 32770 - ID: 253 due to recent request 57347264
> >
> > Wondering if other Cisco WLC customers see this since I know a lot of you
> are using FreeRADIUS, or FreeRADIUS-based authentication servers.  If so,
> let me know of any solutions and/or work-arounds.
> 
> 
> 
> Oh, Man!   I spent 18 months waiting for Cisco to fix this, sending
> packet trace after packet trace and talking to anyone who would listen.
> 
> They finally fixed this is in 8.1 by using eight different UDP source ports
> (hashed on client mac) to send radius requests to the freeradius
> server.   This has been an absolutely HUGE improvement to our users!!!
> 
> Previously, we would have a cascade chain reaction at almost every class
> change when thousands of students would relocate and then all
> authenticate to Wifi within a minute or two.
> 
> The first conflicting packet would get discarded, causing a timeout.
> The second discarded conflicting packet would again cause a timeout.
> The third would cause the WiSM to failover to the other radius server and
> stupidly spew all the half-completed EAP conversations to the newly
> active radius server, which would ignore them.   The WiSM interpreted
> this as more timeouts and failed to the tertiary radius server.
> 
> All this re-auth and failover caused utter havoc and it went on for five
> minutes or so at every class change.
> 
> We added radius servers, dedicated AD servers to serve the radius
> servers.   The only workaround that really helped before the fix in 8.1
> code was to add controllers in order to keep the number of clients per
> controller down.
> 
> I could talk about this forever after spending a year swimming in
> radius packet decodes.   Suffice it to say: Get to 8.1 code ASAP!!!
> 
> I don't care what other bugs it may or may not have, this outweighs them all
> for us.


Well, thanks for your persistence which it sounds like we will now benefit 
from.  I am glad that there is a fix in 8.1 code, however it is unfortunate 
that the bug notes do not currently indicate a fix in any code version 
whatsoever.


Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer





Cisco WLC RADIUS Packet ID Bug

2015-09-24 Thread Curtis K. Larsen
Hi Guys,

I have a TAC case open on this but it looks like once a week or so when the 
perfect storm arises we are hitting this one for a couple of minutes:  
CSCuo96366

---
WLC sends Radius packets with same ID without doing Radius ID check
CSCuo96366
Description
Symptom:
Clients are not able to Authenticate at Peak loads when using FreeRadius.

Conditions:
Using FreeRADIUS (most susceptible), we observe at high auth rate and if 
Radius server is not responding to all Radius packets in seq order or if the 
server is slow, WLC when wraps around 0-255 Radius ID's, it does not do a check 
when posting new packet.

So essentially you have 2 packets with same ID being presented to AAA server.
---

The funny thing is that 9 of 10 WLC's are working fine against the same servers 
at the same time - the problem only happens on one WLC.  When it occurs we see 
this in the logs (Notice the same ID number 253 below)

servername radiusd[23964]: Discarding conflicting packet from client (IP of 
WLC) port 32770 - ID: 253 due to recent request 57345605.
servername radiusd[23964]: Discarding conflicting packet from client (IP of 
WLC) port 32770 - ID: 253 due to recent request 57347264

Wondering if other Cisco WLC customers see this since I know a lot of you are 
using FreeRADIUS, or FreeRADIUS-based authentication servers.  If so, let me 
know of any solutions and/or work-arounds.


Thanks,

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer

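The bug note above is terse, so here is the mechanism spelled out in code. This is an added example, not code from the post, from Cisco or from FreeRADIUS: it models the one-octet RADIUS Identifier space, a NAS that wraps 0-255 without checking what is still in flight (the behaviour the bug describes, which is what radiusd reports as "Discarding conflicting packet"), a NAS that checks before reusing an ID, and the multi-source-port scheme Earl Barfield describes for 8.1 code (one ID space per UDP source port, port chosen by client MAC). The client MACs, the burst size and the `MultiPortNas` class name are constructed for the demonstration.

```python
# Added example, not from the post or from Cisco: a model of the 8-bit RADIUS
# Identifier field showing how a NAS that wraps 0-255 without checking for
# in-flight requests produces duplicate IDs (what radiusd logs as "Discarding
# conflicting packet"), how checking fixes it, and how spreading requests over
# several UDP source ports (the 8.1 behaviour Earl describes) widens the space.
# Client MACs and the request burst are constructed.
from typing import Dict, Optional, Set, Tuple

ID_SPACE = 256   # the RADIUS Identifier is one octet (RFC 2865, section 3)

class NaiveIdSpace:
    """Hands out IDs from a wrapping counter and never looks at what is in flight."""
    def __init__(self) -> None:
        self.next_id = 0
        self.outstanding: Set[int] = set()
        self.collisions = 0

    def send(self) -> int:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % ID_SPACE
        if ident in self.outstanding:
            self.collisions += 1     # server now sees two requests with the same (src, port, ID)
        self.outstanding.add(ident)
        return ident

    def reply(self, ident: int) -> None:
        self.outstanding.discard(ident)

class CheckedIdSpace(NaiveIdSpace):
    """Same counter, but refuses to reuse an ID that is still awaiting a reply."""
    def send(self) -> Optional[int]:
        for _ in range(ID_SPACE):
            ident = self.next_id
            self.next_id = (self.next_id + 1) % ID_SPACE
            if ident not in self.outstanding:
                self.outstanding.add(ident)
                return ident
        return None                  # all 256 in flight: queue or drop, never duplicate

class MultiPortNas:
    """One checked ID space per UDP source port; the port is chosen by hashing the
    client MAC so one client's whole EAP conversation stays on the same port."""
    def __init__(self, n_ports: int = 8) -> None:
        self.ports = [CheckedIdSpace() for _ in range(n_ports)]

    def send(self, client_mac: str) -> Optional[Tuple[int, int]]:
        port = int(client_mac.replace(":", ""), 16) % len(self.ports)
        ident = self.ports[port].send()
        return None if ident is None else (port, ident)

    def capacity(self) -> int:
        return ID_SPACE * len(self.ports)

def burst(n_requests: int, n_ports: int = 8) -> Dict[str, int]:
    """Fire n_requests before the server answers any of them (a slow or lagging
    server at a class-change peak) and report what each strategy does."""
    macs = [f"02:00:00:00:{i // 256:02x}:{i % 256:02x}" for i in range(n_requests)]  # constructed
    naive, checked, multi = NaiveIdSpace(), CheckedIdSpace(), MultiPortNas(n_ports)
    for _ in macs:
        naive.send()
    checked_ok = sum(1 for _ in macs if checked.send() is not None)
    multi_ok = sum(1 for mac in macs if multi.send(mac) is not None)
    return {
        "naive_collisions": naive.collisions,
        "checked_accepted": checked_ok,
        "checked_deferred": n_requests - checked_ok,
        "multi_port_accepted": multi_ok,
        "multi_port_capacity": multi.capacity(),
    }

if __name__ == "__main__":
    print(burst(300))
```

With 300 requests outstanding against a slow server the naive NAS emits 44 duplicate IDs, which the server discards and the NAS then interprets as timeouts, while the checked NAS holds 44 requests back and the eight-port NAS accepts all 300 with room for 2048. That difference is why Earl's users saw the cascade stop once the controller stopped reusing live IDs.
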

FreeRADIUS Diffie-Hellman Keys and iOS9

2015-09-11 Thread Curtis K. Larsen
Hello,

Are any other FreeRADIUS users planning to upgrade to 2048 bit Diffie-Hellman 
keys before the iOS9 release?  Just came across these and thinking it's a must 
do ASAP:

https://support.apple.com/en-us/HT204932
https://community.jisc.ac.uk/blogs/8021x-clients-and-radius-server-supporting-bigger-diffie-hellman-dh-keys


Thanks,

Curtis Larsen
University IT/CIS
Sr. Network Engineer




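A quick way to confirm whether a RADIUS server's Diffie-Hellman parameters are already 2048 bits is to read the size of the prime straight out of the PEM file. The following is an added example, not code from the post or from FreeRADIUS: it decodes the `DH PARAMETERS` structure (a DER `SEQUENCE` of two `INTEGER`s, `p` and `g`) and reports the bit length of `p`. FreeRADIUS loads that file from the `dh_file` setting in its EAP TLS configuration. The two sample parameter blocks built in the code are constructed so the check can run offline; their `p` values are not primes and are never to be used as real parameters. Regenerate real ones with `openssl dhparam -out dh 2048` and point the script at the resulting file.

```python
# Added example, not from the post: a check that the Diffie-Hellman parameters
# a RADIUS server loads (FreeRADIUS reads them from the file named by dh_file in
# its EAP TLS configuration) are at least 2048 bits. The parser reads the PEM/DER
# "DH PARAMETERS" structure (SEQUENCE { INTEGER p, INTEGER g }) directly, so no
# openssl binary is needed. The sample parameters built below are constructed for
# the demo: their p values are NOT primes and must never be used as real params.
import base64
import re
from typing import Tuple

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_len(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                       # long form: the next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError(f"expected INTEGER tag at offset {i}, got {buf[i]:#x}")
    length, start = _read_len(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big", signed=True), start + length

def dh_prime_bits(pem_text: str) -> int:
    """Bit length of the prime p in a PEM-encoded DH PARAMETERS block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _read_len(der, 1)
    p, i = _read_int(der, i)
    _g, _ = _read_int(der, i)              # generator; parsed only to validate the structure
    return p.bit_length()

def meets_minimum(pem_text: str, minimum_bits: int = 2048) -> bool:
    """True when the parameter file is big enough for clients that reject small DH groups."""
    return dh_prime_bits(pem_text) >= minimum_bits

# --- helpers that build demo input (constructed; this is not a parameter generator) ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body              # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body

def build_dh_pem(p: int, g: int = 2) -> str:
    """Wrap (p, g) in the DER SEQUENCE and PEM armour that dhparam files use."""
    content = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"

# Constructed odd numbers with the top bit set, standing in for a 1024-bit and a
# 2048-bit p so the size check can be exercised offline (NOT primes, NOT real params).
WEAK_PEM = build_dh_pem((1 << 1023) | 1)
OK_PEM = build_dh_pem((1 << 2047) | 1)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else OK_PEM
    print(f"p is {dh_prime_bits(text)} bits; >= 2048: {meets_minimum(text)}")
```

Run it as `python3 dhcheck.py /path/to/raddb/certs/dh` (the path is whatever `dh_file` points at on your server) before the client upgrade lands; a result under 2048 means the file needs regenerating and the RADIUS daemon restarting.
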

RE: Cisco Wireless AP's Radio Down

2015-09-10 Thread Curtis K. Larsen
We had this occur when we upgraded WLC's from one code version to another.  It 
only happened on Foundry PoE switches, and the fix was to upgrade code on the 
foundry switch, use a PoE injector, and/or in some cases change the AP setting 
to "Pre-standard 802.3af switches".

It was easier to find which ones were having trouble via the CLI commands:

show advanced 802.11b summary
show advanced 802.11a summary

Good luck.

Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Gregg Heimer [ghei...@mc3.edu]
Sent: Thursday, September 10, 2015 10:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Wireless AP's Radio Down

Anyone with Cisco APs and Cisco Prime get these odd alerts from PI that state 
the radio is administratively up but operationally down with a reason of 
unknown?  I have been getting a slew of these lately.  We have introduced quite 
a few 1702’s into our environment and I am wondering if there is some issue 
with recalculation, or something that triggers a radio reset to resolve a 
different issue?  Below is the alert notification.  Cisco forums haven’t been 
much help, so I figured I’d take a shot at the group.  Thanks!



Virtual Domain: ROOT-DOMAIN



PI has detected a change in one or more alarms of category AP and severity 
Critical in Virtual Domain ROOT-DOMAIN.

The new severity of the following items is Clear:



1. Alarm Condition:Radio administratively up and operationally down

Message: '802.11a/n/ac' interface of AP 'AP01-' associated to controller 
‘XX (172.X.X.X)' is down. Reason: Unknown - Device Name: ‘X Failure 
Source: AP AP01-, Interface 802.11a/n/ac





___
Gregg Heimer
Sr. Network Engineer
Montgomery County Community College
340 Dekalb Pike
Blue Bell, PA 19422
ghei...@mc3.edu
215.641.6442







Config Archive / Diff / Change Management

2015-07-27 Thread Curtis K. Larsen
Hello,

I'm looking for a tool that emails when WLC or Switch configs are changed for a 
growing Network team mostly to keep everyone abreast of changes.  Years ago 
(like 8 years ago) we used RANCID, an open source product that was quite nice, 
but I have a feeling there are maybe a few better options these days.  What we 
like about RANCID was that it was free, that it sent emails with line by line 
configuration diff on the changed device, and that it worked with other 
non-Cisco products as well.  We have some Foundry switches, a lot of Juniper 
firewalls, etc.  Please let me know if you know of anything that fits the bill.


Thanks,

Curtis Larsen
University of Utah
Sr. Network Engineer



RE: [WIRELESS-LAN] Network Authentication question

2015-06-24 Thread Curtis K. Larsen
Plus 1 for Cloudpath.  Very Flexible, customizable, intuitive product.  You can 
run it on premise or in the cloud.  I've seen competing products with way too 
many bells and whistles but neglecting the basic features that everyone needs.

Curtis Larsen
University of Utah
Sr. Network Engineer


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Steven D. Veron 
[sve...@lamar.edu]
Sent: Wednesday, June 24, 2015 11:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Network Authentication question

I don't remember who said it to give them credit, but give me Cloudpath or give 
me death. So far the only issues have been device issues that no vendor can 
overcome.


Steven D Veron
Senior Network Analyst
Lamar University
Office- 409-880-2386
Cell- 409-351-5961
steven.ve...@lamar.edu





From: Frank Sweetser f...@wpi.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, June 24, 2015 9:56:03 AM
Subject: Re: [WIRELESS-LAN] Network Authentication question

We're in the early stages of doing Aruba ClearPass.  It's a very flexible
RADIUS system at its core, which means that a) it appears to be able to
handle every use case we've thrown at it, including integrating with home-brew
backend systems, and b) there's a lot of initial setup work to accommodate all
of that flexibility.  Guest network access is also a very strong point, and is
also where we're initially deploying it (More specifically, we're using it to
handle multi-vendor guest wireless networks while we transition from Juniper
to Aruba).  It also includes onboarding and MDM functionality, but we haven't
looked into them yet.

Cloudpath is an excellent onboarding system - we've been using it for about
three years now.  Their RADIUS side is fairly new, and has a pretty targeted
use case - authenticating cert based users, and handling a MAC RADIUS style
registration database for non 1x capable devices.  That might be good enough
for you, but if you do anything fancy like require registration in an IPAM
system, you're probably going to run into limitations in a hurry.

Feel free to let me know if you have any follow up questions, or I'd be happy
to chat via phone.

Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 06/24/2015 10:44 AM, Williams, Matthew wrote:
 We’re looking into a few RADIUS solutions and I was wondering if any of you
 had any experience with the following products and what your thoughts are on 
 them:

 Cisco ISE

 Aruba ClearPass

 Extreme NetSight

 Cloudpath XPressConnect ES

 Any input would be appreciated.  Thanks.

 Respectfully,

 Matthew Williams

 IT Manager, Wireless

 Kent State University

 Office: (330) 672-7246

 Mobile: (330) 469-0445




RE: [WIRELESS-LAN] google play ACL

2015-05-30 Thread Curtis K. Larsen
We have the same problem using Cloudpath and Cisco WLC's with a PacketFence 
Guest Captive Portal.  I am looking at a different approach though because like 
Ryan said - it will be a constant battle updating the ever-changing ACL's.  
This is a battle we will lose.
 
I'm trying to see if I can have PacketFence change the Pre-auth ACL to the 
Post-auth ACL just before the page where the user is presented with the play 
store download.  Essentially, the idea is that once they realize they can't get 
out - they start using the onboarding process, and then at the last page when 
they click continue it takes them to the app download, but also the 
continue button initiates the change from Pre-auth to Post-auth ACL allowing 
them to get to everything.

So at that point yes a user could get out, but my bet is that they are not 
interested in trying to get out - they are just trying to complete the 
onboarding process now.  If it works on the first try they'll stick with it - 
if not, they'll go for the guest network anyway before ever submitting a ticket 
and letting us know we have to add yet another URL to the Pre-auth ACL .  Also, 
since we already recorded their username, voucher or phone number in the 
onboarding process, if they do get out at least they are not anonymous.  We 
know a few things about them and can contact them.  Plus they'd have to go 
through the same annoying process every 24 hours if they really wanted to abuse 
the system.

In short, I'd rather have a process that works every time for users that follow 
it than have one that fails often so users choose not to follow it.


Curtis Larsen
University of Utah IT/CIS
Sr. Network Engineer


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Bruce Curtis 
[bruce.cur...@ndsu.edu]
Sent: Saturday, May 30, 2015 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] google play ACL

  We have the same problem.  I plan to give up on trying to keep track of the 
various things that need to be allowed.

  As part of the process to have a cert generated and downloaded our users have 
to log into a web page.  I plan to only allow access to the Internet after they 
have logged in to the web page.  To discourage using this method to access the 
Internet rather than configuring WPA2 on their device we will have a short 
timeout so that they would have to enter their ID and password every X minutes. 
 In addition the device we are using to redirect to our web page makes it 
fairly easy to block access to Facebook and Twitter etc.

On May 29, 2015, at 9:25 AM, Jacob Bennefield jacob.bennefi...@lamar.edu 
wrote:

 We have been working with Ruckus and Cloudpath on this issue as well.  These 
 are the web addresses we allow to make google play and a few other things 
 accessible.  You basically have to open up everything to google but google.com

 ocsp.digicert.com
 crl3.digicert.com
 crl4.digicert.com
 *.play.google.com
 *.ssl.gstatic.com
 *.android.clients.google.com
 *.googleusercontent.com
 *.ggpht.com
 *.geotrust.com
 *.appengine.google.com
 *.settings.crashlytics.com
 *.googleapis.com
 *.cloud.google.com
 *.gvt1.com
 *.android.com
 passwordreset.lamar.edu
 *.amazon.com



 Jacob Bennefield, BBA
 Manager of Network Services
 Lamar University
 jacob.bennefi...@lamar.edu
 Phone: 409-880-7997

 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
 Sent: Friday, May 29, 2015 9:01 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] google play ACL

 Hello all,

 I’ve asked this question in the past, got some answers, attempted to 
 implement some solutions, and have ultimately been disappointed with the 
 results…

 Our problem:  We have a limited access onboarding SSID.  Currently, users 
 must download the cloudpath agent directly from OUR server, requiring them to 
 configure their devices to allow non google market place applications.  I am 
 attempting to streamline the onboarding process by allowing access to google 
 play directly 

OSX Re-Prompts to Select a Certificate When Multiple Exist

2015-04-22 Thread Curtis K. Larsen
Hi all,

For those running EAP-TLS - I am wondering if you've seen this.

If an OSX 10.10.2, or 10.10.3 device already has other certificates from iCloud 
or similar in their keychain, and then they add the eap-tls user cert - upon 
waking their device from sleep they get prompted to select a certificate.  
This happens repeatedly even though the user tells the OS to remember this 
information on the same prompt, and the check box is also enabled in 
Network > WiFi > Advanced to Remember networks this computer has joined.  

If the user selects the eap-tls cert it does of course connect but it is an 
annoyance to constantly have to re-select when they never had to do anything 
like that with PEAP.  Have any by chance encountered this issue?  Found a fix 
or work-around?  If so please let me know.

Thanks,

Curtis Larsen
University of Utah IT/CIS
Network Engineer III



RE: [WIRELESS-LAN] Cloudpath ES4

2015-03-12 Thread Curtis K. Larsen
We've used the wizard for years, and we're in pilot mode with the ES, and 
EAP-TLS right now.  We use the ES for onboarding with PacketFence/FreeRADIUS 
doing the back-end authentications/NAC quarantine.  We support both PEAP and 
EAP-TLS at the moment.

So far the experience has been positive.  We've seen a couple of issues with a 
corrupt cert store on Android - fixed by re-onboarding.  It would be nice if 
Google would implement profiles for Android more like iOS or even Chrome OS 
have.  The guest options with SMS are really nice/flexible too.  We also use 
the guest sponsoring capability in case a guest does not have cell coverage to 
self-onboard.  The ability to offer a self-onboard choice to long term 
vendors/contractors for WPA2-Enterprise is handy as well.

I'd like to see Cloudpath add some permission level views to the admin console 
(like read-only for helpdesk).  As far as I can tell it's all or nothing right 
now.

Thanks,

Curtis Larsen
University of Utah
Network Engineer III


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Frank Sweetser [f...@wpi.edu]
Sent: Thursday, March 12, 2015 6:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cloudpath ES4

We've always been some form of certificates (well, before that we were
WEP...).  We wanted to avoid PEAP to make sure that we didn't encourage users
(students in particular) to leave their username and passwords lying around on
devices.

Cloudpath did a pretty good job in articulating why they believe EAP-TLS
produces a better overall user experience when compared with PEAP:

http://techfieldday.com/appearance/cloudpath-networks-presents-at-wireless-field-day-6/

The one black spot on EAP-TLS I will warn you of is android devices.  The
android certificate store is opaque, and fragile.

The opaque part is that from the perspective of a user, and most applications,
it's a one way black box.  You dump certificates in, but there does not appear
to be any way to enumerate the user certificates installed, only the CA list.
  Recent versions of the XpressConnect app will display a list of certificates
that it believes it has installed, but I don't know of any good way to verify
or look for what other certificates are present.

The fragile part is even more exciting.  Android itself requires a secure
screen lock before it will store certificates, and not all screen lock types
meet this criteria.  If you play around with your screen lock settings after
loading certificates, we've seen cases where the store is locked and/or
corrupted, sometimes to the point where the phone has to be factory defaulted
to fix.

Overall, though, using certificates on the vast majority of devices with good
solid support for them has worked out very well for us.

Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 3/11/2015 7:16 PM, Jason Cook wrote:
 HI Frank,

 Great, thanks for detailed feedback.. Sounds worth a trial at the very least.

 That covers most of our questions for the moment, did you migrate from a 
 PEAP/MsCHAP environment when moving to cloudpath?  If so was it a better 
 experience for users?

 Regards

 Jason

 --
 Jason Cook
 The University of Adelaide, AUSTRALIA 5005
 Ph: +61 8 8313 4800

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Sweetser
 Sent: Wednesday, 11 March 2015 2:08 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Cloudpath ES4

 Hi Jason,

 we've been on ES3 for a while now, and are planning on moving to ES4 in 
 production this week.  First, your questions:

- We've been exclusively on EAP-TLS for wireless since before we moved to 
 Cloudpath, and it's worked on very well.  The multiple certificate templates 
 and workflows give you quite a bit of flexibility in who gets what (different 
 CAs for student vs staff, different expiration period, etc).  The server acts 
 as an OCSP responder, so you can easily revoke any specific certificates, 
 allowing you to knock a single device offline rather than all devices owned 
 by a given user.  In addition, it can also use the OCSP checks to track 
 certificate usage, and send out notices to users who are actively using 
 certificates coming up on expiration in the near future.

 If you have other registration systems, you can also trigger a server side 
 HTTP callout on certificate issuance.  We have this as a tie in to our IPAM 
 system, automating that portion of it completely and allowing our users to 
 skip several steps.

- We haven't gone live on Cloudpath based guests, but have mocked it up in 
 the lab, and it should work.  While I don't believe they have a whole 

Windows Phone 8.0 and EAP-TLS

2015-03-02 Thread Curtis K. Larsen
Hello,

We are pilot testing migration to EAP-TLS and I have discovered a user with a 
Windows 8.0 phone that does support PEAP, but not EAP-TLS.  A little googling 
turns up something called an Enterprise Feature pack which apparently brings 
with it support for EAP-TLS.  The problem is I can't seem to find where to 
download this.

Does anyone know how to obtain the Enterprise feature pack for Windows Phone 
8.0?  Let me know.

Thanks,

Curtis Larsen
University of Utah
Network Engineer III




RE: [WIRELESS-LAN] New Device Activation WLAN

2015-01-14 Thread Curtis K. Larsen
We are using the ACL's returned from PacketFence on a Guest WLAN which is 
configured using MAC-filtering and RADIUS-NAC.  I just tested this with the DNS 
ACL and it is working fine.


Thanks,

Curtis Larsen
University of Utah
Wireless Network Engineer


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca]
Sent: Friday, January 09, 2015 8:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

I did not have any luck with the DNS ACL feature without having ISE. Our onboarding 
SSID is using local web authentication (versus central web authentication or 
RADIUS NAC) and I couldn't make the DNS ACL work in our setup. I opened a case 
with TAC and found out that DNS ACL actually has to work in a central web 
authentication setup (it needs ISE to return the redirect-ACL attribute to the WLC). 
This point was not clearly written in the 7.6 configuration guide, but they fixed it 
and made it clear in the 8.0 configuration guide.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110101.html

DNS-based ACLs work only when RADIUS NAC (central web authentication or 
posture) are done on the SSID. DNS-based ACLs do not work with local web 
authentication or any other form of ACL other than a redirect-ACL used in the 
case of RADIUS NAC.

Has anyone successfully deployed the Cisco WLC DNS ACL feature?

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: Trent Hurt trent.h...@louisville.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, January 8, 2015 8:53:41 PM
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

7.6 and up have dns acl feature…

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
Sent: Thursday, January 08, 2015 8:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

These devices prompt for a wireless network during the activation process, but 
won't let a webauth succeed.

I like Hunter's idea of adding the Apple/Google/Antivirus sites to the 
pre-webauth ACL. Cisco WLC's won't let you use DNS names for ACL entries, d'oh! 
Is there a known list of these hosts somewhere before I go sniffing wireless 
traffic?

Thanks,
Britton


Britton Anderson blanders...@alaska.edu |
 Senior Network Communications Specialist |
 University of Alaska http://www.alaska.edu/oit |
 907.450.8250



On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:
Maybe I'm over simplifying this, but for the average user, don't those 
devices have to be activated BEFORE you can see the settings screen?

Mike

On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

This is what we do. While not authenticated to wireless you can still get to a 
few places - Microsoft, apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT

Sent from my phone.
On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:
We already have an unencrypted ssid for students to get to our onboarding 
system (Cloudpath). Our plan for this summer is to poke enough firewall holes 
for students to also run through the device activation process. If we were to 
try to impose any kind of device security policies, we would do it in the 
onboarding process.
On January 8, 2015 5:54:01 PM EST, Britton Anderson blanders...@alaska.edu wrote:
I just wanted to ask the question to see what all of you are doing at your 
institutions to handle users activating new devices. New iOS devices for 
example have to reach out to iCloud to validate themselves and make sure 
they're not stolen. Android now with version 5 is very similar, having to reach 
out to the mothership and join to a Google account.

Are any of you doing an SSID-Activate WLAN, or requiring clients to bring it 
by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have our 
Desktop techs touch it and give them pointers to secure it. However, we've lost 
some budget, and some employees, and they can't keep a guy in the office to 
handle that influx of people anymore. And I don't want the headache of a wide 
open WLAN everywhere, and none of the devices will allow the webauth 
transaction to happen before the device ! is activated.

Thanks,
--Britton

Britton Anderson blanders...@alaska.edu |

 Senior Network Communications Specialist |

 University of 

WPA2-Enterprise Thermostats?

2014-10-16 Thread Curtis K. Larsen
Hello,

Wondering if anyone has come across a 802.1x capable Wi-Fi thermostat.  
Preferably from Honeywell.  ...Still trying to avoid the PSK here whenever 
possible.  Let me know.

Thanks,

Curtis Larsen
University of Utah




RADIUS Monitoring

2014-10-08 Thread Curtis K. Larsen
I am trying to be proactive regarding scaling of RADIUS servers as we move to a 
new load-balanced environment.  The idea is to know when we are getting close 
to a threshold and need to add another VM, allocate more CPU, RAM, etc.

I've used a traffic generator to simulate authentications against our 
FreeRADIUS VM's and so I know the max. number of auths/sec. that a server can 
handle and I've seen that the server will start to reject clients when it can't 
handle the load.  So I am thinking a dashboard that graphs the auths per 
second, and pie chart that shows successful vs. failed requests with some 
alerting would allow us to preempt load/growth issues.  It seems this info 
wouldn't be too difficult to grab from syslog and graph on a web page somehow.  
I am just wondering if any of you have already done this or something like this 
that you could share before I re-invent the wheel.  Let me know.

Thanks,

Curtis Larsen
University of Utah
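An added example (not code from the thread) of the syslog-derived numbers the post describes: it parses FreeRADIUS "Login OK" / "Login incorrect" auth-log lines plus the "Discarding conflicting packet" message quoted in the earlier WLC thread, computes peak auths/sec and the accept/reject split, and raises alerts against a measured ceiling such as the ~30 auths/sec against AD reported later in this thread. The log lines, client name "wlc1" and threshold values are constructed.

```python
"""Added example, not code from the thread: turn FreeRADIUS syslog auth lines
into the numbers a capacity dashboard would graph (auths/sec, accept vs.
reject, conflicting-packet discards) and alert against a measured ceiling.
The log lines, client name and thresholds below are constructed."""
import re
from collections import Counter

# Standard FreeRADIUS 2.x/3.x auth-log formats:
#   Login OK: [user] (from client NAME port N cli MAC)
#   Login incorrect (module: detail): [user] (from client NAME port N cli MAC)
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ radiusd\[\d+\]: "
AUTH_RE = re.compile(
    _PREFIX
    + r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    + r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) "
)
# Logged when a second copy of a request arrives while the first is still
# being processed (a NAS retransmitting before the server answered).
DISCARD_RE = re.compile(
    _PREFIX + r"Discarding conflicting packet from client (?P<client>\S+) port \d+"
)

SAMPLE_LOG = [  # constructed sample, one busy second followed by two quieter ones
    "Oct  8 12:13:01 radius1 radiusd[23964]: Login OK: [alice] (from client wlc1 port 13 cli 00-11-22-33-44-55)",
    "Oct  8 12:13:01 radius1 radiusd[23964]: Login OK: [bob] (from client wlc1 port 13 cli 00-11-22-33-44-56)",
    "Oct  8 12:13:01 radius1 radiusd[23964]: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol] (from client wlc1 port 13 cli 00-11-22-33-44-57)",
    "Oct  8 12:13:02 radius1 radiusd[23964]: Login OK: [dave] (from client wlc1 port 13 cli 00-11-22-33-44-58)",
    "Oct  8 12:13:02 radius1 radiusd[23964]: Discarding conflicting packet from client wlc1 port 32770 - ID: 253 due to recent request 57345605",
    "Oct  8 12:13:02 radius1 radiusd[23964]: Login OK: [erin] (from client wlc1 port 13 cli 00-11-22-33-44-59)",
    "Oct  8 12:13:03 radius1 radiusd[23964]: Login incorrect (eap: EAP session timed out): [frank] (from client wlc1 port 13 cli 00-11-22-33-44-5a)",
]


def summarize(lines):
    """Count accepts/rejects, bucket auths per syslog second, and tally discards per client."""
    per_second = Counter()
    reasons = Counter()
    discards = Counter()
    accepts = rejects = 0
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            per_second[m.group("ts")] += 1
            if m.group("result") == "OK":
                accepts += 1
            else:
                rejects += 1
                # keep only the module name ("mschap", "eap") as the reject reason bucket
                reasons[(m.group("reason") or "unknown").split(":")[0]] += 1
            continue
        m = DISCARD_RE.match(line)
        if m:
            discards[m.group("client")] += 1
    total = accepts + rejects
    return {
        "total": total,
        "accepts": accepts,
        "rejects": rejects,
        "reject_ratio": (rejects / total) if total else 0.0,
        "peak_per_sec": max(per_second.values(), default=0),
        "reject_reasons": dict(reasons),
        "discards": dict(discards),
    }


def check_thresholds(summary, capacity_per_sec, warn_fraction=0.8,
                     max_reject_ratio=0.5, max_discards=0):
    """Return alert strings: load near the measured ceiling, reject spikes, NAS retransmits."""
    alerts = []
    limit = capacity_per_sec * warn_fraction
    if summary["peak_per_sec"] >= limit:
        alerts.append(f"peak {summary['peak_per_sec']} auths/sec reached "
                      f"{warn_fraction:.0%} of measured capacity ({capacity_per_sec}/sec)")
    if summary["total"] and summary["reject_ratio"] > max_reject_ratio:
        alerts.append(f"reject ratio {summary['reject_ratio']:.0%} exceeds {max_reject_ratio:.0%}")
    for client, n in summary["discards"].items():
        if n > max_discards:
            alerts.append(f"{n} conflicting packet(s) discarded from {client}: "
                          "NAS retransmitted before the server answered")
    return alerts


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    # ~30 auths/sec was the measured ceiling against AD reported in the thread
    for alert in check_thresholds(s, capacity_per_sec=30):
        print("ALERT:", alert)
```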





RE: RADIUS Monitoring

2014-10-08 Thread Curtis K. Larsen
Very Helpful - Thank you.


-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Joshua Coleman 
[josh...@housing.ufl.edu]
Sent: Wednesday, October 08, 2014 10:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] RADIUS Monitoring

For gathering the data it's easier to use radclient
http://wiki.freeradius.org/config/Status

For Graphing/Alerts we use Cacti
http://www.horoa.net/2013/09/installation-du-template-cacti-pour-freeradius2/?lang=eng

But we were already using Cacti so YMMV.




Joshua Coleman | Network Infrastructure Engineer

University of Florida Department of Housing and Residence Education

PO Box 112100 | Gainesville, FL 32611-2100

office 352.392.2171 x12053 | fax 352.392.6819 | josh...@housing.ufl.edu



RE: RADIUS Monitoring

2014-10-08 Thread Curtis K. Larsen
Max auths/sec. against local file = ~60.  
Max auths/sec. against AD = ~30.

I am hoping to make some optimizations to AD that will close that gap a bit 
...we'll see.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Wang, Yu [ywan...@fsu.edu]
Sent: Wednesday, October 08, 2014 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] RADIUS Monitoring

We use radclient and Cacti as well but with snmp poll. Since Cacti's default 
pull interval is 5min, we get less accurate data/graphs than paid tool PRTG, 
which allows as short as 30 sec interval pull.

The nice part of Cacti is you can stack several graphs into one graph to give 
you total auths/sec.

BTW, what is the maximum auths/sec you have seen on your freeradius servers? Do 
you do EAP?

Yu Wang

Network Architect
Information Technology Services
The Florida State University
850-645-6810
yu.w...@fsu.edu




CWSP, CWAP, CWDP Training Recommendations?

2014-08-29 Thread Curtis K. Larsen
Hello,

I'm looking to schedule one of the CWNP trainings.  Wondering if anyone has 
feedback - good, bad or otherwise on the different training partners.  I had a 
good experience with Eight-O-Two Technology Solutions on the CWNA, but they 
don't seem to schedule trainings as often as I'd like.  Let me know your 
thoughts.  below is a list of training partners in the US:

Eight-O-Two Technology Solutions
Global Knowledge
Indigenous
NetCertExpert
Praemittias Defense Solutions
SRT Wireless
Training Solutions Group
Wireless Training and Solutions, LLC

Thanks,

Curtis 



RE: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

2014-07-17 Thread Curtis K. Larsen
Prime showed the radios down, the WLC GUI showed the radios down, the WLC CLI 
command show advanced 802.11b summary showed that they were Administratively 
*enabled* but Operationally *down*.

We just tried rolling the code on a test WLC to 7.6.120.0 and still have the 
same issue on those specific AP's.  Again, it has only happened on 1142's 
connected to non-cisco switches thus far.

-Curtis



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Alan Nord 
[an...@macalester.edu]
Sent: Thursday, July 17, 2014 6:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Running 7.6.120.6 for three weeks; it appears all of our radios are up.  How 
did you identify that you had radios that were disabled?  We are running 1142s, 
2602s and 3602s.  Ran into the show stopping bug in 7.6.120.0, but special 
release has been solid.


On Wed, Jul 16, 2014 at 10:42 PM, Watters, John 
john.watt...@ua.edu wrote:
No. Only Cisco switches.

Sent from my iPhone

On Jul 16, 2014, at 5:53 PM, Curtis K. Larsen 
curtis.k.lar...@utah.edu wrote:

Are your 1142's connected to any non-Cisco switches?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Danny Eaton 
[dannyea...@rice.edu]
Sent: Wednesday, July 16, 2014 4:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

We've been on 7.6.120.6 for a few weeks and have not seen this issue running a 
mix of 1142 3502 and 3702 aps on two ha cluster in a pair of 650 with sup720 3c 
in non vss mode.


Sent via the Samsung Galaxy Mega™, an AT&T 4G LTE smartphone


 Original message 
From: Watters, John
Date: 16/07/2014 17:32 (GMT-06:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Not a lot of help, but -- we are on 7.6.120.0 with 1142s in our mix (about 55% 
of 3800 APs). We have not seen this problem.

-jcw

---
John Watters  The University of Alabama
  Office of Information Technology
  205-348-3992


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Wednesday, July 16, 2014 5:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Hello,

Wondering if anyone else running Cisco has run into this:

After upgrading controllers from 7.4.121.0 to 7.6.120.6 about 3% (~100) of our 
AP's joined the WLC but both radios are shut down.  If you try to re-enable the 
radios via the WLC or directly SSH'ed to the AP they auto-disable again.  
Disabling, and re-enabling the switchport does nothing, and rebooting the AP 
does nothing.  Intentionally disabling one radio on the AP does not help 
either.  The switch shows it is providing 15.4 watts of PoE.

We are split evenly between 1142's, 3500's, and 3600's and have mostly Cisco 
switches, but have only seen the issue on some 1142 series AP's, and some 
Foundry PoE switches.  In some cases another 1142 is working fine on the same 
switch, and if we walk over and connect another 1142 it works fine on the same 
port.  The current work-around is to move AP's back to a WLC on 7.4 code.

I have a TAC case open, and 7.6.120.6 is a special build but we were encouraged 
to go to it in order to avoid the catastrophic web-auth, and severe RADIUS-NAC 
bugs.

Let me know if you have any suggestions.

Thanks,

Curtis Larsen
University of Utah
Wireless Network Engineer


RE: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

2014-07-17 Thread Curtis K. Larsen
Yes, we tried toggling that setting back and forth.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Joe Roth 
[jr...@binghamton.edu]
Sent: Thursday, July 17, 2014 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Curtis,

Have you tried changing the power injector state to override for those 1142's?


On Thu, Jul 17, 2014 at 3:26 PM, Curtis K. Larsen 
curtis.k.lar...@utah.edumailto:curtis.k.lar...@utah.edu wrote:
Prime showed the radios down, the WLC GUI showed the radios down, the WLC CLI 
command show advanced 802.11b summary showed that they were Administratively 
*enabled* but Operationally *down*.

We just tried rolling the code on a test WLC to 7.6.120.0 and still have the 
same issue on those specific AP's.  Again, it has only happened on 1142's 
connected to non-cisco switches thus far.

-Curtis



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] 
on behalf of Alan Nord [an...@macalester.edu]
Sent: Thursday, July 17, 2014 6:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Running 7.6.120.6 for three weeks; it appears all of our radios are up.  How 
did you identify that you had radios that were disabled?  We are running 1142s, 
2602s and 3602s.  Ran into the show stopping bug in 7.6.120.0, but special 
release has been solid.


On Wed, Jul 16, 2014 at 10:42 PM, Watters, John 
john.watt...@ua.edu wrote:
No. Only Cisco switches.

Sent from my iPhone

On Jul 16, 2014, at 5:53 PM, Curtis K. Larsen 
curtis.k.lar...@utah.edu wrote:

Are your 1142's connected to any non-Cisco switches?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Danny Eaton 
[dannyea...@rice.edu]
Sent: Wednesday, July 16, 2014 4:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

We've been on 7.6.120.6 for a few weeks and have not seen this issue running a 
mix of 1142 3502 and 3702 aps on two ha cluster in a pair of 650 with sup720 3c 
in non vss mode.


Sent via the Samsung Galaxy Mega™, an AT&T 4G LTE smartphone


 Original message 
From: Watters, John
Date: 16/07/2014 17:32 (GMT-06:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Not a lot of help, but -- we are on 7.6.120.0 with 1142s in our mix (about 55% 
of 3800 APs). We have not seen this problem.

-jcw

---
John Watters  The University of Alabama
  Office of Information Technology
  205-348-3992


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Wednesday, July 16, 2014 5:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Hello,

Wondering if anyone else running Cisco has run into this:

After upgrading controllers from 7.4.121.0 to 7.6.120.6 about 3% (~100) of our 
AP's joined the WLC but both radios are shut down.  If you try to re-enable the 
radios via the WLC or directly SSH'ed to the AP they auto-disable again.  
Disabling, and re-enabling the switchport does nothing, and rebooting the AP 
does nothing.  Intentionally disabling one radio on the AP does not help 
either.  The switch shows it is providing 15.4 watts of PoE.

We are split evenly between 1142's, 3500's, and 3600's and have mostly Cisco 
switches, but have only seen the issue on some 1142 series AP's, and some 
Foundry PoE switches.  In some cases another 1142 is working fine on the same 
switch, and if we walk over and connect another 1142 it works fine on the same 
port.  The current work-around is to move AP's back to a WLC on 7.4 code.

I have a TAC case open, and 7.6.120.6 is a special build

RE: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

2014-07-17 Thread Curtis K. Larsen
Jeff,

These are good ideas.  I have not yet tried a factory reset or moving the AP to 
a different switch yet.  The code was pre-downloaded to the AP's and on the 7.4 
code it does show up as the backup image right now.  I will try your ideas, 
and we are also trying a PoE injector to see if we can further isolate where 
the problem lies.

My guess is that these are the very first batch of 1142's that Cisco produced, 
but I haven't found a way to confirm this.

We have already replaced about half of our 1142's ...but since we are replacing 
them with 3700's - the WLC of course needs to be running the 7.6MR2 or better 
now.  I will report what we find.


Thanks,

Curtis



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeffrey Sessler 
[j...@scrippscollege.edu]
Sent: Thursday, July 17, 2014 11:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Have you reset the config to factory? Maybe something is lurking in the config 
file that's causing the issue. If you plug the AP into another switch does it 
have the same issue?

Is the 7.6 code in the problem AP's corrupt i.e. did you do a pre-download to 
them? If you look at one of the problem AP's when it's back on a 7.4 WLC, do 
you see the 7.6 code still there in the secondary slot? Maybe delete it and let 
it add again.

For the problem 1142's - are they all from the same hardware version e.g. v1?

1142's will get no further software fixes as of Oct 2014, so you may want to 
consider replacing them sooner rather than later.

I recently updated to 7.6.120.6, and I had two 1142's that didn't come back 
from the update. Had to shut/no shut the port, then they rejoined. No problems 
with the radios being down.

Jeff

 Curtis K. Larsen curtis.k.lar...@utah.edu 07/16/14 3:23 PM 
Hello,

Wondering if anyone else running Cisco has run into this:

After upgrading controllers from 7.4.121.0 to 7.6.120.6 about 3% (~100) of our 
AP's joined the WLC but both radios are shut down. If you try to re-enable the 
radios via the WLC or directly SSH'ed to the AP they auto-disable again. 
Disabling, and re-enabling the switchport does nothing, and rebooting the AP 
does nothing. Intentionally disabling one radio on the AP does not help either. 
The switch shows it is providing 15.4 watts of PoE.

We are split evenly between 1142's, 3500's, and 3600's and have mostly Cisco 
switches, but have only seen the issue on some 1142 series AP's, and some 
Foundry PoE switches. In some cases another 1142 is working fine on the same 
switch, and if we walk over and connect another 1142 it works fine on the same 
port. The current work-around is to move AP's back to a WLC on 7.4 code.

I have a TAC case open, and 7.6.120.6 is a special build but we were encouraged 
to go to it in order to avoid the catastrophic web-auth, and severe RADIUS-NAC 
bugs.

Let me know if you have any suggestions.

Thanks,

Curtis Larsen
University of Utah
Wireless Network Engineer




Radios Shutdown After WLC Upgrade

2014-07-16 Thread Curtis K. Larsen
Hello,

Wondering if anyone else running Cisco has run into this:

After upgrading controllers from 7.4.121.0 to 7.6.120.6 about 3% (~100) of our 
AP's joined the WLC but both radios are shut down.  If you try to re-enable the 
radios via the WLC or directly SSH'ed to the AP they auto-disable again.  
Disabling, and re-enabling the switchport does nothing, and rebooting the AP 
does nothing.  Intentionally disabling one radio on the AP does not help 
either.  The switch shows it is providing 15.4 watts of PoE.

We are split evenly between 1142's, 3500's, and 3600's and have mostly Cisco 
switches, but have only seen the issue on some 1142 series AP's, and some 
Foundry PoE switches.  In some cases another 1142 is working fine on the same 
switch, and if we walk over and connect another 1142 it works fine on the same 
port.  The current work-around is to move AP's back to a WLC on 7.4 code.

I have a TAC case open, and 7.6.120.6 is a special build but we were encouraged 
to go to it in order to avoid the catastrophic web-auth, and severe RADIUS-NAC 
bugs.

Let me know if you have any suggestions.

Thanks,

Curtis Larsen
University of Utah
Wireless Network Engineer
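An added example, not Curtis's script and not a Cisco tool: a Python check that parses pasted output of the AireOS commands show advanced 802.11b summary, show advanced 802.11a summary and show ap summary, flags every radio that is administratively enabled but operationally down (the exact symptom in this thread), and groups the hits by AP model so the "only 1142s" observation can be tested across the whole estate instead of AP by AP. The command output below is constructed, and the column layout is an assumption; adjust RADIO_ROW and AP_ROW if your controller's output differs.

```python
import re
from collections import Counter

# Constructed sample output; column layout is an assumption about the AireOS CLI.
RADIO_SUMMARY_24GHZ = """\
AP Name            MAC Address        Admin State  Operation State  Channel  TxPower
-----------------  -----------------  -----------  ---------------  -------  -------
AP-LIB-101         00:1a:2b:3c:4d:50  ENABLED      UP               1        1(*)
AP-LIB-102         00:1a:2b:3c:4d:60  ENABLED      DOWN             1        1(*)
AP-ENG-201         00:1a:2b:3c:4d:70  DISABLED     DOWN             6        2(*)
AP-ENG-202         00:1a:2b:3c:4d:80  ENABLED      UP               11       3(*)
"""

RADIO_SUMMARY_5GHZ = """\
AP Name            MAC Address        Admin State  Operation State  Channel  TxPower
-----------------  -----------------  -----------  ---------------  -------  -------
AP-LIB-101         00:1a:2b:3c:4d:50  ENABLED      UP               36       1(*)
AP-LIB-102         00:1a:2b:3c:4d:60  ENABLED      DOWN             40       1(*)
AP-ENG-201         00:1a:2b:3c:4d:70  ENABLED      UP               44       2(*)
AP-ENG-202         00:1a:2b:3c:4d:80  ENABLED      UP               48       3(*)
"""

AP_SUMMARY = """\
AP Name            Slots  AP Model              Ethernet MAC       Location  Country  IP Address     Clients
-----------------  -----  --------------------  -----------------  --------  -------  -------------  -------
AP-LIB-101         2      AIR-LAP1142N-A-K9     00:1a:2b:3c:4d:51  Library   US       10.10.1.11     7
AP-LIB-102         2      AIR-LAP1142N-A-K9     00:1a:2b:3c:4d:61  Library   US       10.10.1.12     0
AP-ENG-201         2      AIR-CAP3502I-A-K9     00:1a:2b:3c:4d:71  Eng       US       10.10.2.11     12
AP-ENG-202         2      AIR-CAP3602I-A-K9     00:1a:2b:3c:4d:81  Eng       US       10.10.2.12     19
"""

# Data rows only: header and dashed separator lines do not match either pattern.
RADIO_ROW = re.compile(
    r"^(?P<ap>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<admin>ENABLED|DISABLED)\s+(?P<oper>UP|DOWN)\b",
    re.IGNORECASE,
)
AP_ROW = re.compile(r"^(?P<ap>\S+)\s+\d+\s+(?P<model>AIR-\S+)")


def parse_radio_summary(text, band):
    """One dict per radio row of a `show advanced 802.11x summary` paste."""
    rows = []
    for line in text.splitlines():
        m = RADIO_ROW.match(line)
        if m:
            rows.append({"ap": m["ap"], "mac": m["mac"].lower(), "band": band,
                         "admin": m["admin"].upper(), "oper": m["oper"].upper()})
    return rows


def parse_ap_models(text):
    """AP name -> model string from a `show ap summary` paste."""
    return {m["ap"]: m["model"] for m in map(AP_ROW.match, text.splitlines()) if m}


def stuck_radios(rows):
    """Radios that should be up but are not: admin ENABLED yet operationally DOWN.
    An admin-DISABLED radio that is down is expected and is not reported."""
    return [r for r in rows if r["admin"] == "ENABLED" and r["oper"] == "DOWN"]


def stuck_by_model(stuck, models):
    return Counter(models.get(r["ap"], "unknown") for r in stuck)


def report(radio_24, radio_5, ap_summary):
    rows = parse_radio_summary(radio_24, "2.4GHz") + parse_radio_summary(radio_5, "5GHz")
    stuck = stuck_radios(rows)
    return {
        "stuck_aps": sorted({r["ap"] for r in stuck}),
        "stuck_radios": len(stuck),
        "by_model": dict(stuck_by_model(stuck, parse_ap_models(ap_summary))),
    }


if __name__ == "__main__":
    print(report(RADIO_SUMMARY_24GHZ, RADIO_SUMMARY_5GHZ, AP_SUMMARY))
```

Run it against the pasted output before and after a code upgrade: a non-empty stuck_aps list after the upgrade, concentrated in one model in by_model, is the evidence to hand TAC, and an empty list is the regression check before moving APs back to the upgraded controller.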



RE: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

2014-07-16 Thread Curtis K. Larsen
Are your 1142's connected to any non-Cisco switches?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Danny Eaton 
[dannyea...@rice.edu]
Sent: Wednesday, July 16, 2014 4:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

We've been on 7.6.120.6 for a few weeks and have not seen this issue running a 
mix of 1142 3502 and 3702 aps on two ha cluster in a pair of 650 with sup720 3c 
in non vss mode.


Sent via the Samsung Galaxy Mega™, an AT&T 4G LTE smartphone


 Original message 
From: Watters, John
Date: 16/07/2014 17:32 (GMT-06:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Not a lot of help, but -- we are on 7.6.120.0 with 1142s in our mix (about 55% 
of 3800 APs). We have not seen this problem.

-jcw

---
John Watters  The University of Alabama
  Office of Information Technology
  205-348-3992


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Wednesday, July 16, 2014 5:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radios Shutdown After WLC Upgrade

Hello,

Wondering if anyone else running Cisco has run into this:

After upgrading controllers from 7.4.121.0 to 7.6.120.6 about 3% (~100) of our 
AP's joined the WLC but both radios are shut down.  If you try to re-enable the 
radios via the WLC or directly SSH'ed to the AP they auto-disable again.  
Disabling, and re-enabling the switchport does nothing, and rebooting the AP 
does nothing.  Intentionally disabling one radio on the AP does not help 
either.  The switch shows it is providing 15.4 watts of PoE.

We are split evenly between 1142's, 3500's, and 3600's and have mostly Cisco 
switches, but have only seen the issue on some 1142 series AP's, and some 
Foundry PoE switches.  In some cases another 1142 is working fine on the same 
switch, and if we walk over and connect another 1142 it works fine on the same 
port.  The current work-around is to move AP's back to a WLC on 7.4 code.

I have a TAC case open, and 7.6.120.6 is a special build but we were encouraged 
to go to it in order to avoid the catastrophic web-auth, and severe RADIUS-NAC 
bugs.

Let me know if you have any suggestions.

Thanks,

Curtis Larsen
University of Utah
Wireless Network Engineer



Cloud Path Enrollment System

2014-07-08 Thread Curtis K. Larsen
Hello,

I am currently running a demo of the Cloud Path Enrollment System and I have to 
say that I am amazed at the capabilities they have packed into this tool.  I 
really like the workflow for onboarding almost anything/anyone, and I like the 
focus on moving to EAP-TLS which I think is inevitable if not urgent.  The 
integration with my existing RADIUS, and Controller environment is also nice, 
However, I am concerned about their support which seems a bit under-trained, 
and less than responsive so far.  (It could be that this is because I have not 
yet purchased the product ...so I am on the get to later list ...not sure).

Anyway, I am just wondering if there are any other ES customers out there 
willing to share their experience either on, or off-list.  What are the 
strengths, what are the weaknesses in your mind?  What problems have you 
solved, or encountered, and how has their support helped you through them?

Thanks,

Curtis Larsen
University of Utah 
Wireless Network Engineer



RE: apple tv wired/wireless

2014-06-16 Thread Curtis K. Larsen
Looks similar to the Ruckus Dynamic PSK:  
http://theruckusroom.typepad.com/files/dynamic-psk-fs.pdf

I wonder if/when we will see something similar from Cisco.


Curtis Larsen
University of Utah
Wireless Network Engineer


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jason Cook 
[jason.c...@adelaide.edu.au]
Sent: Monday, June 16, 2014 5:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] apple tv wired/wireless

We only have a few 10 approved devices and they connect via  a PSK network. It 
was the easiest method at the time, though it will be concerning to manage if 
it grows. Centrally we are going with Mersive Solstice, so anything built by 
central IT includes that and hopefully that will keep down the Apple TV’s. 
Cisco for wireless.

I’m interested if anyone is using Aerohive on campus, and if so have you tried 
using their PPSK? It’s simple client connectivity of PSK with some of the power 
of dot1x.  I think something like this would be great for supporting devices 
that struggle with dot1x as each device can be given its own password.
http://www.aerohive.com/solutions/technology-behind-solution/simplified-strong-authentication



On 6/13/14, 9:30 AM, Hurt,Trenton W. 
trent.h...@louisville.edu wrote:

For the folks that have apple tvs on campus.  How are they connecting to the 
network?  Wired/wireless

