Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Dale W. Carder
Thus spake Jeffrey D. Sessler (j...@scrippscollege.edu) on Tue, Mar 01, 2016 at 
07:04:11PM +:
> Dale,
> 
> For the malware blacklist, I’d suggest taking a look at OpenDNS Umbrella. I 
> asked about it here about a year back, and we implemented about three months 
> ago. You send all your client DNS requests through OpenDNS (directly, or have 
> your DNS servers forward to OpenDNS), and they block sites based on 
> categories, with the default covering security threats e.g. Malware, Bots, 
> etc. For the user, when they hit a blocked site they are redirected to a page 
> explaining what happened and why. 
> 
> It was terrifying to see what our endpoints were visiting, but comforting to 
> have the added layer of protection, especially for guest or IoT devices that 
> don’t have protection by default. It’s licensed based on staff/faculty FTE 
> and students come along for free. It also has an optional agent that extends 
> the protection to devices operating off-campus e.g. User traveling with a 
> laptop.

Putting an agent on anyone's device here is typically out of the question.
Many are personally owned as well.

Did I mention I was skeptical? ;-)  Maybe the technology is amazing, but 
with approx 22k FTE on just this one campus and about another 20k across
the others, it's hard to make a budget justification to use taxpayer money 
to "protect" machines for 8 hours a day when they will just get infected at 
home.  These are sort of the constraints we face, and in a threat based
model are not at the top of the list for the general population.  (our
restricted environments are a whole different world, just very small in 
scope)

For anyone who is actually interested in these sorts of things, I would
recommend starting here (from 2007):
https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

Dale

 
 
 
> On 3/1/16, 10:42 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Dale W. Carder" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
> dwcar...@wisc.edu> wrote:
> 
> >Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 
> >06:19:55PM +:
> >> Interesting discussion- so on the free and open WLAN, do you send them off 
> >> to only the Internet, and deny important apps on campus? Do you require 
> >> VPN or 2-factor for  bursar account access etc from that network?
> >
> >We do block things that I would characterize as ddos amplification 
> >vectors, and we block inbound SYN to discourage (unintentional) servers.  
> >We have started to look into some filtering capabilities on a firewall
> >where there is some sort of blacklist for known malware sites (I am
> >highly skeptical of such things, but if we can do it for low cost and
> >provide a high value to our users, so be it).  
> >
> >VPN is pretty much not used in the general case.  Security is handled
> >at the application layer.  Your IP address is not an authorization token,
> >and none of the few hundred virtual firewalls we run blindly allow much
> >of anything through be it from wireless or from dept 'a' to dept 'b'.
> >
> >Dale 
> > 
> > 
> > 
> >> -Original Message-
> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
> >> Sent: Tuesday, March 01, 2016 1:06 PM
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> >> headaches?
> >> 
> >> There are of course lots of vendors selling lots of products to solve 
> >> lots of "problems".  
> >> 
> >> I will also echo everything that Jeff has said below.  We read what our
> >> requirements were and the educause community at the time was quite
> >> active on this front, leading to the excellent summary on their site.
> >> 
> >> So, yes, we operate one of these big open wireless love fests. ;-)
> >> 
> >> Dale
> >> 
> >> Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 
> >> 05:45:18PM +:
> >> > So... you open up a big wireless free love ranch, and let everything 
> >> > and everything on. How to keep 10K users off of each others devices? I'm 
> >> > not poo-pooing, just asking!
> >> > 
> >> > 
> >> > -Lee
> >> > 
> >> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> >> > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler 
> >> > <j...@scripps

Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Dale W. Carder
There are of course lots of vendors selling lots of products to solve 
lots of "problems".  

I will also echo everything that Jeff has said below.  We read what our
requirements were and the educause community at the time was quite
active on this front, leading to the excellent summary on their site.

So, yes, we operate one of these big open wireless love fests. ;-)

Dale

Thus spake Lee H Badman (lhbad...@syr.edu) on Tue, Mar 01, 2016 at 05:45:18PM 
+:
> So... you open up a big wireless free love ranch, and let everything and 
> everything on. How to keep 10K users off of each others devices? I'm not 
> poo-pooing, just asking!
> 
> 
> -Lee
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of Jeffrey D. Sessler 
> 
> Sent: Tuesday, March 1, 2016 12:37 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> I think your legal needs to revisit their position. There are a number of 
> great articles about the EDU requirements of DMCA. A university is every bit 
> the ISP, and in fact, there is no legal obligation under the DMCA for student 
> enforcement as you are but the transit for their data. Most all campuses use 
> it as a teaching moment, but it’s not a requirement. You also have no 
> obligation to identify someone – If you rotate logs every 15 days and the 
> request comes in on the 16th day, you can respond that you have no data. There 
> is also no obligation to match an IP with a person.
> 
> Jeff
> 
> From: "wireless-lan@listserv.educause.edu" on behalf of Mike Cunningham
> Reply-To: "wireless-lan@listserv.educause.edu"
> Date: Tuesday, March 1, 2016 at 9:31 AM
> To: "wireless-lan@listserv.educause.edu"
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> Talk to your campus legal office before opening your wifi to the world. We 
> asked ours about this and were strongly advised against it. Contracting with 
> a local telecom company to provide free wifi would be better. A college or 
> university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
> abusing the campus network you’re responsible for their action. If law 
> enforcement comes knocking on your door asking about network traffic 
> originating from your campus you need to be able to point to a person or at 
> least a room and say “there”. If it was a guest on campus for a short period 
> of time you still need to be able to identify who that guest was. At least 
> that is the interpretation of current law according to our legal office.
> 
> Mike Cunningham
> Pennsylvania College of Technology
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Tuesday, March 01, 2016 12:21 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
> 
> Joel, thanks for the detailed reply. I agree that Personal PSK is an 
> interesting idea, but it may fall apart at scale (we see 200k+ devices per 
> week), security, implementation or other burdens. My thoughts about 
> onboarding, user name as part of the credential/password have been along the 
> same lines as yours. While we wouldn’t put all of their devices on the same 
> VLAN, I would see them being able to access their printers, chrome cast, 
> AppleTV, etc. The latter is already possible using something like ClearPass 
> and AirGroup.
> 
> We’ve been engaged in some conversations with our vendor about how to solve 
> this problem, but so far there isn’t anything to report.
> 
> As an aside, we are also keeping an eye on MAC randomization and how this 
> might impact systems based on MAC for authentication and other headaches.
> 
> David
> 
> 
> 
> 
> 
> David Morton
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
> 
> On Mar 1, 2016, at 9:02 AM, Coehoorn, Joel wrote:
> 
> Ruckus supports a PPSK variant, as well.
> 
> I'm just gonna put this out there. I have this idea in my head for an ideal 
> wifi service. It starts with personal pre-shared key (PPSK), but it's 
> something I don't 

Re: [WIRELESS-LAN] IPv6 on wireless experiences?

2014-09-11 Thread Dale W. Carder
 From: Frank Bulk frnk...@iname.com
 
 How do I find out what the limit on the ND table size is?

for cat6k:
 show mls cef maximum-routes

Also, you may want to tweak some other parameters, for example we set

  ipv6 verify unicast source reachable-via rx (ONLY on 2T, n7k, asr9k)
  ipv6 link-local fe80::1 (nx-os)
  ipv6 address FE80::1 link-local (ios / ios-xr)
  ipv6 nd ns-interval 5000
  ipv6 nd reachable-time 90
  ipv6 pim dr-priority 4294967294

...among others

Dale

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] guest wireless

2014-09-10 Thread Dale W. Carder
Thus spake Mark Reboli (mreb...@misericordia.edu) on Tue, Sep 09, 2014 at 
03:40:33PM +:
 I am looking for information on what people do with guest wireless.  Do you 
 have open wireless on your campus?  Do you have a password that everyone 
 knows?  Do you create special passwords for groups?  Any assistance would be 
 helpful.

For our guests they can use eduroam, otherwise there is an open ssid and 
a click-through aup captive portal where they submit their name, email 
address and reason for requesting network access.

Guests get the same network access as everyone else, and we do not filter 
nor rate limit their traffic.  

Dale



Re: [WIRELESS-LAN] guest wireless

2014-09-10 Thread Dale W. Carder
Thus spake Peter P Morrissey (ppmor...@syr.edu) on Wed, Sep 10, 2014 at 
04:55:59PM +:
 So you actually act like you like your guests! :) What a concept.

Our director once made the comment that after spending however many
millions on the last upgrade that it better darn well work better 
than the coffee shop across the street. ;-)

Dale

 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
 Sent: Wednesday, September 10, 2014 11:58 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] guest wireless
 
 Thus spake Mark Reboli (mreb...@misericordia.edu) on Tue, Sep 09, 2014 at 
 03:40:33PM +:
  I am looking for information on what people do with guest wireless.  Do you 
  have open wireless on your campus?  Do you have a password that everyone 
  knows?  Do you create special passwords for groups?  Any assistance would 
  be helpful.
 
 For our guests they can use eduroam, otherwise there is an open ssid and a 
 click-through aup captive portal where they submit their name, email address 
 and reason for requesting network access.
 
 Guests get the same network access as everyone else, and we do not filter nor 
 rate limit their traffic.  
 
 Dale
 


Re: [WIRELESS-LAN] RFC6598

2014-03-28 Thread Dale W. Carder
Thus spake Mike King (m...@mpking.com) on Fri, Mar 28, 2014 at 10:09:42AM -0400:
 My interpretation of that RFC (Thanks hadn't seen that one before) is that
 it is essentially reserved for Server Providers (Carriers).  This would
 exclude most of the users of this list from using it.  Also, it seems that
 if Customers would adopt this address space, they would be causing
 themselves significant routing issues if their carrier implemented it
 later.  This is even called out in the RFC.
 
 I think if anyone used it, they'd be causing themselves problems they don't
 need.

I also believe that to be correct.

Dale



Re: [WIRELESS-LAN] Guest Network Access Policy

2014-01-16 Thread Dale W. Carder
Thus spake Alexander, David (alexa...@ohio.edu) on Thu, Jan 16, 2014 at 
04:55:41PM -0500:
 
 1)  Do you allow guests on your wireless network?

yes
 
 a.   If you allow guests, what steps do they need to take to gain access 
 to the network (eg. sponsorship, MAC registration, open network)?

eduroam (preferred), otherwise mac registration via captive portal
 
 b.  If you require sponsorship or device registration, can you explain 
 the process or give me a pointer to your policy?

Here's some screen shots from the captive portal:
https://kb.wisc.edu/page.php?id=22915
 
 2)  Is your wireless network completely open in any part of your campus 
 (eg. Library, student center, event spaces, athletic fields, etc.)?

We use the above process everywhere.

Dale



Re: [WIRELESS-LAN] 802.11AC Future Infrastructure

2013-12-18 Thread Dale W. Carder
We had thousands of those, wired for usoc on the wallplate side, a splitter 
to send 2 pairs to two station cables with usoc on one and 568b on the 
station end.  We had this for our entire cat-3 plant, and some of the
early cat-5 (non-e) terminated on 110 blocks.  I don't miss that any more 
than I miss faculty putting 10base2 on rg-59.

Dale

Thus spake John York (yo...@brcc.edu) on Wed, Dec 18, 2013 at 09:42:27PM +:
 Years ago I “got creative” and made some patch cables that allowed me to put 
 two 10M hosts on a single jack instead of pulling new cables.  The boss said 
 unkind things and shoved a notebook of the TIA-568 spec in my face.  Ah, the 
 bad old days…;-)
 John
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler
 Sent: Wednesday, December 18, 2013 4:07 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
 
 There is also the option, if you're a vendor that owns both ends (AP and 
 Switch) to do something creative with only a single Cat5/6.
 
 Jeff
 
 



Re: [WIRELESS-LAN] 802.1x vs web-portal

2013-12-02 Thread Dale W. Carder
On our captive portal we just run a cron job once a day to pull the
latest OCSP IP addresses to be whitelisted, and never have had a problem
with SSL.

Dale


Thus spake Hanset, Philippe C (phan...@utk.edu) on Mon, Dec 02, 2013 at 
06:58:24PM +:
 Many places have problems with OCSP... they don't let users that join the 
 portal check for the OCSP validity (forget to allow for this in firewall) of 
 the portal's certificate. That will make some OSes that don't automatically 
 switch to CRL fail.
 Or worse, certificate providers change the IP address of their OCSP servers, 
 and portals and firewall were configured with a static IP address of the OCSP 
 servers... that can make portals fail as well.
 It would be nice to allow to check everything by name, but some firewalls are 
 still finicky about that!
 
 Philippe Hanset
 www.eduroam.us
 
 
 
 On Dec 2, 2013, at 1:02 PM, Osborne, Bruce W (Network Services) 
 bosbo...@liberty.edu
  wrote:
 
  Why do you say there are portal issues with https? Other than certificate 
  error messages, http  https redirects work fine with Aruba wireless. I 
  know I had issues with https  portals a few years ago when I tried portals 
  with Cisco LWAP APs.
  
  
  Bruce Osborne
  Network Engineer
  IT Network Services
   (434) 592-4229
   
  Liberty University  |  Training Champions for Christ since 1971
  
  -Original Message-
  From: Arran Cudbard-Bell [mailto:a.cudba...@freeradius.org] 
  Sent: Friday, November 29, 2013 2:25 PM
  Subject: Re: 802.1x vs web-portal
  
  On 19 Nov 2013, at 21:00, Ken LeCompte lecom...@oit.rutgers.edu wrote:
  
  One major consideration is that the use of https for more and more 
  webpages is resulting in more confused users not getting redirected to 
  captive portal login pages.
  
  A workaround for some devices would be to add a WISPr responder to the 
  portal. It will work with all recent iOS and OSX devices, some Windows 
  Phones, and Windows 8/8.1.
  
  http://msdn.microsoft.com/en-us/library/windows/hardware/dn408675.aspx
  
  There is no perfect solution to portal redirection, but WISPr does seem a 
  good way forward.
  
  -Arran
  
  Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team
  

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
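
The daily refresh described in this thread (resolve the OCSP responders, update the portal's pre-authentication allowlist), sketched as an added example; it is not code from the posters or from any vendor. The responder URLs, the documentation-range addresses and the `ADD`/`DEL` output format are constructed for illustration, and a lookup failure deliberately leaves the previous allowlist in place.

```python
"""Refresh a captive-portal pre-auth allowlist for OCSP responders (daily cron job)."""
import socket
from urllib.parse import urlparse

# Constructed sample input: OCSP responder URLs as they would be read from the
# Authority Information Access extension of the portal's certificate chain.
OCSP_URLS = [
    "http://ocsp.ca.example/",
    "http://ocsp2.ca.example:8080/status",
    "http://OCSP.ca.example/",  # same responder, different case
]


def responder_endpoints(urls):
    """Return the sorted, de-duplicated (hostname, port) pairs behind the URLs."""
    endpoints = set()
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # not a usable responder URL
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        endpoints.add((parsed.hostname, port))  # .hostname is already lowercased
    return sorted(endpoints)


def system_resolver(host, port):
    """Look up every IPv4 and IPv6 address the name currently resolves to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def build_allowlist(urls, resolve=system_resolver):
    """Resolve every responder and return the set of (ip, port) pairs to permit.

    Any lookup failure aborts the whole run, so a DNS outage cannot silently
    shrink the allowlist and break certificate checks for portal users.
    """
    allow = set()
    for host, port in responder_endpoints(urls):
        try:
            addresses = resolve(host, port)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            raise RuntimeError(f"lookup failed for {host}: {exc}") from exc
        if not addresses:
            raise RuntimeError(f"no addresses returned for {host}")
        allow.update((address, port) for address in addresses)
    return allow


def plan_changes(current, wanted):
    """Return (to_add, to_remove) as sorted lists of (ip, port) pairs."""
    return sorted(wanted - current), sorted(current - wanted)


def refresh(current, urls, resolve=system_resolver):
    """One cron run: (allowlist, to_add, to_remove, error_message_or_None)."""
    try:
        wanted = build_allowlist(urls, resolve)
    except RuntimeError as exc:
        return current, [], [], str(exc)  # keep the previous rules untouched
    to_add, to_remove = plan_changes(current, wanted)
    return wanted, to_add, to_remove, None


if __name__ == "__main__":
    # Constructed resolver data so the demo runs offline; a real cron job
    # would call refresh() with the default system_resolver.
    table = {
        "ocsp.ca.example": {"192.0.2.10", "2001:db8::10"},
        "ocsp2.ca.example": {"192.0.2.20"},
    }

    def demo_resolver(host, port):
        if host not in table:
            raise socket.gaierror(f"unknown host {host}")
        return table[host]

    # Yesterday's allowlist: one address still valid, one the CA has retired.
    yesterday = {("192.0.2.10", 80), ("198.51.100.5", 80)}
    _, to_add, to_remove, error = refresh(yesterday, OCSP_URLS, demo_resolver)
    if error:
        print(f"allowlist unchanged: {error}")
    # Hypothetical output format; feed it to whatever manages the portal's ACL.
    for ip, port in to_add:
        print(f"ADD {ip} {port}")
    for ip, port in to_remove:
        print(f"DEL {ip} {port}")
```
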


Re: [WIRELESS-LAN] Sickness for rf (802.11)

2013-09-03 Thread Dale W. Carder
Do they request the same from Starbucks/McDonalds/Grocery store/ etc.?

Dale

Thus spake Hurt,Trenton W. (trent.h...@louisville.edu) on Sat, Aug 31, 2013 at 
02:40:26PM +:
 So I had to turn off aps for a person on my campus for areas they were 
 visiting due to rf sickness.  They provided a dr note too.  Has anyone ever 
 had a request for something like this?  
 
 Sent from my iPhone


Wireless Research Position at the University of Wisconsin

2012-10-12 Thread Dale W. Carder
Hey Folks,

I'd like to share this unique job opportunity to support wireless 
research in our Computer Science Dept.  Please feel free to pass it
along.

http://www.ohr.wisc.edu/pvl/pv_074882.html

best,
 Dale


--
Dale W. Carder - Sr. Network Engineer
University of Wisconsin  /  WiscNet
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] PacketFence

2012-04-12 Thread Dale W. Carder
The last time I looked at it (years and years ago), it used dns spoofing to 
capture/redirect clients?  My first thought was that it would not work w/
dnssec, so I haven't looked at it since and would be curious if that
changed.

Dale


Thus spake Johnson, Neil M (neil-john...@uiowa.edu) on Thu, Apr 12, 2012 at 
02:16:12PM +:
 I would be interested in talking to anyone about their experiences using
 packetfence (http://www.packetfence.org) to register guest users on their
 wireless network.
 
 Thanks.
 -Neil
 
 -- 
 Neil Johnson
 Network Engineer
 The University of Iowa
 Phone: 319 384-0938
 Fax: 319 335-2951
 Mobile: 319 540-2081
 E-Mail: neil-john...@uiowa.edu
 


Re: [WIRELESS-LAN] Blocking Chatty protocols

2012-03-13 Thread Dale W. Carder
We filter mdns, slp, upnp, ssdp, etc.  Many of these are ttl=1 multicasts 
that chew up cpu time on our routers.  

On the aruba system we have broadcast-filter arp and all configured since 
we have approx an ipv4 /18's worth of clients chattering away.

Dale

Thus spake Johnson, Neil M (neil-john...@uiowa.edu) on Tue, Mar 13, 2012 at 
02:05:22PM +:
 We don't filter it yet, but Princeton has some pretty good pages with good 
 justifications for blocking (or getting users to disable these protocols).
 
 For example:
 
 http://www.net.princeton.edu/filters/ssdp.html
 
 The following link lays out the other protocols they filter.
 
 http://www.net.princeton.edu/filters
 
 -Neil
 
 On Mar 13, 2012, at 7:47 AM, Kellogg, Brian D. wrote:
 
 I've blocked SSDP on my LANs and WLAN for a couple years without any issues.
 
 -Brian
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian David
 Sent: Tuesday, March 13, 2012 8:31 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Blocking Chatty protocols
 
 We were wondering what other schools are doing with these protocol?(SSDP, 
 NetBIOS, mDNS, etc.)
 I need to make the case for blocking some of these for Faculty/Staff and 
 Students?I was wondering about SSDP for example..
 What does it break when blocked? Any feedback would be appreciated.
 
 Brian J David
 Network Systems Engineer
 Boston College
 


Re: [WIRELESS-LAN] SSIDs, devices and guests

2012-01-19 Thread Dale W. Carder
Hi Bob,

On Jan 19, 2012, at 12:27 PM, Bob Williamson wrote:
 Management wants an SSID for guests which does not require a password.  My 
 corporate reaction is “that is crazy”.  My secondary/new to academia reaction 
 is “why not”.

Welcome aboard!

 If the guests network is completely separated from the internal network, 
 severely limited in bandwidth, web filtered, protocol/applications blocked 
 etc.  Who cares?  The only potential issue I could see is web filtering can’t 
 stop everything.

If you're looking for another point of reference, we take a different 
stance.  Our guests are on the same IP space as everyone else, have full 
bandwidth available, no web filtering, no url blocking, only rudimentary 
firewalling (plus port 22 is still open to the world), and access for up 
to 7 days based on an email address self-registration, up to 30 days 
with a temporary account available from most clerical staff, or 
indefinitely longer with faculty sponsorship or more formal appointment.

Our director of network services has a great quote on the order of
We didn't spend $'n' million for this network to perform worse than 
what you find across the street at Starbucks.

I encourage my competitors to continue making their networks unusable.

Dale



Re: [WIRELESS-LAN] selectively disabling wireless in classrooms

2011-09-23 Thread Dale W. Carder
Thus spake Gogan, James P (go...@email.unc.edu) on Fri, Sep 23, 2011 at 
12:21:32PM +:
 Well, it's that time of year again 
 
 the time when we get calls from a handful of faculty who want the ability to 
 disable the wireless access point that covers their classroom during specific 
 class periods (they also want cellular coverage disabled during those times 
 -- yeah, right ..).  When I point out that the AP that covers their 
 classroom may also provide coverage for the one next door, or that with a 
 controller-based architecture, shutting off one access point would likely 
 just increase the signal coverage area of adjacent APs, the response I 
 usually get back is well, I KNOW that other universities are doing it, so 
  FIX IT.
 
 So, let me ask my biennial question: what ARE other universities doing in 
 this regard?  I was specifically given U of Michigan as an example.
 Anyone know what they're doing? Any successful implementation details 
 from anyone dealing with this issue are welcome.

We deny all requests and send them a link to this page (which we also
have linked off our captive portal page):
http://www.doit.wisc.edu/network/wireless/classroom-advice-for-faculty.aspx

--
Dale W. Carder - Sr. Network Engineer
University of Wisconsin  /  WiscNet
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] ATT WiFi

2011-07-21 Thread Dale W. Carder
For the price of tuition you'd think that would apply to the classroom
too!  ;-)

Dale


Thus spake Lee H Badman (lhbad...@syr.edu) on Thu, Jul 21, 2011 at 02:20:47PM 
-0400:
 For the matter, for the price of tickets and beer, why not actually watch the 
 game when you're at the stadium instead of doing Facebook on your iPhone?
 
 :)
 
 -Lee
 
 
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
 Sent: Thursday, July 21, 2011 2:11 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] ATT WiFi
 
 Shouldn't Universities foot the Wi-Fi bill and make ATT pay to carry the 
 SSID?
 (ATT needs that capacity anyway if they want to service those thousands of 
 people
 with smartphones)
 That will give Universities the freedom to carry additional services when the 
 time comes.
 
 Another thing to remember: ATT has limits on their 3G data plan of 2 Gigs 
 (or 4 Gigs if you have the hotspot plan)
 (with the exception of grandfathered customers that have unlimited plans)
 
 Verizon and Sprint provide unlimited data over 3G on smartphones.
 
 So, it is in the interest of ATT customers to join Wi-Fi if they don't want 
 to exhaust their quotas and pay $10/extra Gig.
 Looking at these 2 cost models (Sprint/Verizon VS ATT),  it looks like ATT 
 needs the Wi-Fi capacity to sustain the demand.
 Or is it that they just want to provide a better experience on 3G and offload 
 data as much as possible to Wi-Fi
 by providing incentives?
 
 I experienced a few days ago an interesting problem: I was trying to download 
 an iTunes album
 and received a message warning me that files larger than 20 Mbytes have to be 
 downloaded over Wi-Fi.
 This was with an iPhone on ATT.
 Not being in proximity of a free Wi-Fi hotspot, I had to turn on the hotspot 
 feature of my iphone, and use iTunes
 on my laptop, over the same 3G network. No limit this time ;-)
 
 Why is ATT so afraid of data usage?
 
 Philippe
 
 
 
 
 On Jul 21, 2011, at 1:30 PM, Dewitt Latimer wrote:
 
 
 The stadium DAS projects with WiFi where the lead integrator is covering the 
 cost of the WiFi are usually locked down in one form or another.  The lead 
 integrator would have no way to recover their investment if it was left wide 
 open. Most schools have not built out WiFi in stadiums except in limited ways 
 (eg ticket scanners, POS, other locked-down infrastructure needs). You get 
 the occasional club boxes that have WiFi that is locked with a common key 
 (usually give us more money). So unless the school is going to foot the 
 WiFi cost for 7 days a year (which they're not), I don't see what the big 
 deal is for stadium WiFi being parceled out to the carriers.
 
 I also don't fault ATT for being out in the lead for having a pretty well 
 branded WiFi hotspot service. I wish the others would catch up!
 
 -d
 
 On Thu, Jul 21, 2011 at 1:20 PM, Holland, Ryan C. 
 holland@osu.edu wrote:
 To answer Lee's question, yes, there has been value. The transient users that 
 use the attwifi service are the responsibility of ATT and not the 
 university. This is a value-add for us.
 
 
 ==
 Ryan Holland
 Network Engineer, Wireless
 Office of the Chief Information Officer
 The Ohio State University
 614-292-9906
 holland@osu.edu
 
 Submit a Kudos to an OCIO employee! http://www.surveygizmo.com/s/514095/giveociokudos
 
 On Jul 21, 2011, at 1:08 PM, Lee H Badman wrote:
 
 
 This is where I gotta plug our Bluesocket box for guest access. They worked 
 with us to develop a simple SMS you your password mechanism, and I can't 
 imagine a simpler guest portal for people to use. The ATT model does seem 
 interesting, but to Phillipe's point, I'm not digging the single carrier 
 thing.
 
 
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
 Sent: Thursday, July 21, 2011 1:01 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] ATT WiFi
 
 Overlaying ATT Wi-Fi over the wireless network to me seems like the same 
 problem as
 a vendor specific DAS.
 Only ATT customers can really use the infrastructure unless you are willing 
 to pay a la carte for the service.
 What's next? Verizon Wi-Fi, Sprint Wi-Fi... or a web page where you have to 
 pick the vendor of your choice
 in a long list (highly sensitive to MITM).
 With models like eduroam, at least all R&E people can join the network while 
 traveling around.
 
 What we really need is eduroam for other users as well! (I'm working on it ;-)
 
 Philippe
 
 Philippe Hanset
 Univ. of TN, Knoxville
 www.eduroamus.org
 
 
 
 On Jul 21, 2011, at 12:28 PM, Dewitt Latimer wrote:
 
 As a person who travels to many campuses, I can tell 

Re: [WIRELESS-LAN] Wifi and spectrometers?

2011-02-22 Thread Dale W. Carder
Thus spake Daniel Eklund (daniel.ekl...@wayne.edu) on Tue, Feb 22, 2011 at 
11:56:00AM -0500:
 We have ubiquitous Wifi coverage in both 2.4 and 5Ghz spectrum in all our 
 science buildings and have had no complaints of interference with equipment.

Ditto.  And since the chemistry buildings in particular are built so the labs 
inside them can explode with only minor consequence, we have an absurdly 
high amount of power and coverage.

The only thing I remember encountering as alleged wifi interference was the 
neutron detector on the nuclear reactor reading very high false values, which 
turned out to be a subtle, intermittent ground loop.

Dale



Re: [WIRELESS-LAN] Client tracking and privacy concerns

2010-05-05 Thread Dale W. Carder
Thus spake Lee H Badman (lhbad...@syr.edu) on Wed, May 05, 2010 at 09:53:21AM 
-0400:
> So... regardless of whether you use WCS, AirWave or something else, if 802.1x
> clients come up by user name or ID in the system and can be located on
> floorplans, etc, is anyone hearing privacy concerns regarding who is allowed
> to see the management system.

Absolutely.  We limit who has access to airwave such as only the
helpdesk's full-time staff.  Even without floor plan integration there
are still privacy concerns at coarse resolution.  Was a person in
class today, or still in the dorms?  etc...

We have policies in place regarding IT's access to sensitive data.
Employees have to sign this when hired as well.

Dale



Re: [WIRELESS-LAN] wireless DHCP lease time

2009-09-30 Thread Dale W. Carder

We have quite a few wireless networks set to 15 minutes
with no adverse effects.

Dale


On Sep 30, 2009, at 3:43 PM, Ryan Holland wrote:


Philippe,

We saw improvement moving from 1 hour to 30 minutes with no foreseen
adverse effects. We are testing a few subnets on 15 minute leases,
as it would be more practical to avoid any waste of leases for the
5 minute email/facebook check on an iPhone/iPod-Touch. I'll let you
know if we run into problems.


Our setup is similar, with an external DHCP server running ISC, and  
we're of course using Aruba as well. Our aaa timers are 15 minutes  
(900 seconds).


--
Ryan Holland
Network Engineer, Wireless
CIO - Infrastructure
614-292-9906   holland@osu.edu

On Sep 30, 2009, at 4:33 PM, Philippe Hanset wrote:


What a timely discussion!

This morning we noticed that our pools (Aruba VLAN pools, 32* /24)  
were being filled from 70 to 90%.
Our lease time is 3 hours. As most of you, we have been hammered by  
Iphone/Ipod-touch (~4000 registered at the moment)

For a campus population of 30,000 (25,000 students 5000 fac/staff).

Has anyone seen issues with 30 or 40 minutes DHCP leases on an  
Aruba infrastructure ?

(we don't run DHCP on Aruba, but on ISC DHCP)
What AAA timeout have you implemented? (show AAA timers... in our  
case we have 1800 sec)
(we had to shorten the AAA timeout as well because our User  
licenses were being exhausted

... Iphone again ;-)

Thank you

Philippe Hanset
Univ. of TN


On Sep 30, 2009, at 2:52 PM, Steve Hess wrote:

We run 4 /23's (one per class) with 4 day lease times.  It's very
tight right now for freshmen and sophomores but lots of room for
juniors and seniors.  Each class is about 350-450 students.  I'm
looking to add another /23 per class to provide some head room.
We run 4 day lease times for the forensic aspect of it.

Definitely seeing more wireless devices this year.  Upperclassmen
are registering computers.  Underclassmen are registering a
computer (or two), an iPhone/iPod, and a gaming device.  For those
of you running the /22's and /20's, you don't see performance
issues with broadcast domains that large?  Our wireless vendor
(Alcatel/Aruba) highly suggested shrinking the broadcast domain
(we had been running one /22 for all students).



Steve


heath.barnhart wrote:
We run 30 minute leases for most of SSIDs, no problems. We saw an  
unexpected boost in wireless usage this semester though, and had  
to go from /22 networks to /20 to accommodate the new users and  
leave room for expansion.


Heath

Garrett Harmon wrote:
We're running into some issues at the ramp up of a quarter with  
our DHCP lease time attempting to utilize the /24's we currently  
pool for our main essid. We moved from 1hr. to 30 minutes, but  
are still running out of leases occasionally. For instance, we  
have 160 users in a /24, but due to the transient nature of  
wireless/classes leases that are used for a brief moment the  
cycle isn't quite efficient enough.


What is everyone else using for wireless DHCP lease times? I  
know I can just add another /24 to the pool, but the networks  
are not being utilized enough. We want to try 15 minutes but are  
wondering if we will start to run into issues related with that?  
Your input is greatly appreciated!!



*Garrett Harmon*
Network Engineer
Office of Information Technology
The Ohio State University
614.292.2122 (o)
614.747.5539 (c)


--
---
Steve Hess
Network Administrator
Wheaton College
Phone: 508-286-3404
Fax: 508-286-8270
---



Re: [WIRELESS-LAN] NAT/PAT

2009-07-14 Thread Dale W. Carder

On Jul 13, 2009, at 1:47 PM, Bentley, Douglas wrote:
> What is everyone doing around IP space?  We are currently using
> public IP space (close to 5000).  We were using Nat but that didn’t
> work because of all the identification and tracking issue.  We are
> using Cisco as our wireless solution here.


We have a bit over a /17 of public ip space currently
assigned to wireless.  I still don't see a compelling
reason to run nat.

Dale



Re: [WIRELESS-LAN] wired/wireless business model question

2009-01-27 Thread Dale W. Carder

On Jan 27, 2009, at 3:47 PM, Philippe Hanset wrote:
> Our current business model relies on charged for wired ports to
> fund wireless.
>
> Obviously this current business model is outdated, and needs a major
> revision.
>
> What are other schools doing?
>
> -IT fee per employee


This is what we do for our main campus network, and is
extremely simple in operation.  What makes it work is
a continual collaborative dialogue with campus entities
on setting priorities for this central pool of funding.

With this we provide/include a wide range of stuff
- 90,000+ access ports
- ~95% wireless coverage
- gig-e connections wherever needed
- 10g, where appropriately justified
- fiber, where appropriately justified
- additional horizontal cable installed where justified
- server room / cluster switches
- we provide all needed cables
- dns/dhcp, etc
- firewalls (virtualized) everywhere
- 24x7 noc, 24x7 engineers & field techs on-call
- a pile of hot-spare equipment ready to go
- seemingly limitless consulting
- all-you-can-eat bandwidth, zero traffic shaping anywhere
  -- this includes the dorms!

The only things I can think of that are not included is:
- UPS hardware & battery replacement costs, but we'll take
  care of monitoring & performing any maintenance
- getting a lambda on our optical transport system, in which case
  we work on splitting the capital costs.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin / WiscNet
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] Detecting Stolen Laptops...

2008-12-09 Thread Dale W. Carder

On Dec 9, 2008, at 11:05 PM, Hector J Rios wrote:
> We’ve never been successful in recovering a stolen laptop. So far
> the thieves have been smart enough not to ever bring those laptops
> back into our campus. I’m curious to know if any of you have come
> up with a way to automate the detection of a wireless device.
> Something like waiting for a laptop’s MAC to come on the wireless
> network and immediately sending an email to an operator.


I wrote a program that listens to mac address learned traps
from our edge switches.  After years of it running, I think
we found a misplaced (not stolen) laptop only once.

I figure the stolen ones all go to ebay.

Dale
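
A watchlist check over MAC-learned traps, along the lines of the program described in the reply above. This is an added example, not the poster's program: the post does not say which trap or vendor was used, so the payload layout assumed here is the `cmnHistMacChangedMsg` object from CISCO-MAC-NOTIFICATION-MIB (11-octet tuples of operation, VLAN, MAC, dot1dBasePort, ended by a zero octet), and the switch name, case labels and MAC addresses are constructed.

```python
import re

LEARNT, REMOVED = 1, 2  # operation codes used in cmnHistMacChangedMsg tuples
TUPLE_LEN = 11          # 1 (operation) + 2 (VLAN) + 6 (MAC) + 2 (dot1dBasePort)


def normalize_mac(text):
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC or 0011.22aa.bbcc forms."""
    digits = re.sub(r"[:\-.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_changed_msg(blob):
    """Decode the packed tuples of one trap payload into a list of events."""
    events, pos = [], 0
    while pos < len(blob) and blob[pos] != 0:   # a zero octet ends the object
        chunk = blob[pos:pos + TUPLE_LEN]
        if len(chunk) < TUPLE_LEN:
            raise ValueError("truncated tuple at offset %d" % pos)
        if chunk[0] not in (LEARNT, REMOVED):
            raise ValueError("unknown operation %d at offset %d" % (chunk[0], pos))
        events.append({
            "op": "learnt" if chunk[0] == LEARNT else "removed",
            "vlan": int.from_bytes(chunk[1:3], "big"),
            "mac": ":".join("%02x" % b for b in chunk[3:9]),
            "port": int.from_bytes(chunk[9:11], "big"),
        })
        pos += TUPLE_LEN
    return events


def watchlist_hits(switch, blob, watchlist):
    """Return one alert per watched MAC that a switch reports as newly learnt."""
    wanted = {normalize_mac(mac): case for mac, case in watchlist.items()}
    hits = []
    for event in parse_mac_changed_msg(blob):
        # "removed" events mean the device left the port, so they do not alert.
        if event["op"] == "learnt" and event["mac"] in wanted:
            hits.append(dict(event, switch=switch, case=wanted[event["mac"]]))
    return hits


# Constructed watchlist, written the way reports tend to arrive (mixed formats).
WATCHLIST = {
    "0011.22AA.BBCC": "case-0001 (constructed)",
    "00-11-22-DD-EE-FF": "case-0002 (constructed)",
}

# Constructed trap payload: learnt/VLAN 120/port 14, removed/VLAN 120/port 3,
# learnt/VLAN 200/port 7, then the terminating zero octet.
SAMPLE_TRAP = bytes.fromhex(
    "01" + "0078" + "001122aabbcc" + "000e"
    + "02" + "0078" + "001122ddeeff" + "0003"
    + "01" + "00c8" + "020000000001" + "0007"
    + "00"
)

if __name__ == "__main__":
    for hit in watchlist_hits("sw-lib-2", SAMPLE_TRAP, WATCHLIST):
        print("ALERT %(case)s: %(mac)s learnt on %(switch)s "
              "port %(port)d vlan %(vlan)d" % hit)
```
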


Re: [WIRELESS-LAN] Windows Wireless Clients- strange behavior after recent Windows Updates?

2008-11-05 Thread Dale W. Carder

On Nov 5, 2008, at 2:31 AM, Jeroen van Ingen wrote:


> But that's quite easy to solve: put all your AP's in a database and make
> scripted config changes using SNMP... we manage over 800 fat AP's that
> way, but the method would scale to thousands :-)

This is basically what we're doing to manage 2,300 fat AP's.

> We'll probably move to centralized within a year, but only because of
> the L3 mobility it offers

ditto here, too.

Dale



Re: [WIRELESS-LAN] Wireless authentication for guests/visitors - something along the lines of hotel gatekeeper?

2008-06-05 Thread Dale W. Carder

On Jun 5, 2008, at 12:45 PM, Chuck Braden wrote:
> They generally bring their own resources which might have various
> peer-to-peer clients and the associated content.

Welcome to the internet ;-)

> These customers are not required to 'register' or authenticate.

You will want to double check that how you authorize your users
fits with your response to CALEA.

> The more rapid response of the copyright enforcement organizations
> to identify content has necessitated the need...

Are you talking about RIAA's cease and desist, or pre-settlement
letters?  For the former, we have on average about (2) weeks of data
before logs rotate out.  For the latter, we require a subpoena.

> If that involves purchasing a specific wireless router to direct the
> session to at the time of the IP being issued please indicate which
> vendors or models those are.


It kind of sounds like you are looking for records of traffic,
as in flows?  Could you use netflow export from your routers
to provide this data?  There are many open-source tools to
collect and process netflow data.

Dale



Re: [WIRELESS-LAN] Wireless authentication for guests/visitors - something along the lines of hotel gatekeeper?

2008-06-05 Thread Dale W. Carder

On Jun 5, 2008, at 1:15 PM, Scholz, Greg wrote:


> So...in your case, even if you can't or won't block carte blanche like
> this I suggest somehow setting up a ssid/vlan/security profile or
> whatever for these types of users and do not let them do anything except
> minimal connectivity to the web. (e.g. http, https, dns, IPSec)



It sounds disappointing to me that a user could do more
on the internet at a coffee shop than on your network.
Is there really a business case for blocking all of this?

But maybe this is just my land-grant academic freedom bias.

Dale



Re: [WIRELESS-LAN] Wireless authentication for guests/visitors - something along the lines of hotel gatekeeper?

2008-06-05 Thread Dale W. Carder

On Jun 5, 2008, at 2:22 PM, Chuck Braden wrote:


>> You will want to double check that how you authorize your users
>> fits with your response to CALEA.
>
> I am at a loss to understand the relevance. We don't have this
> traffic routed through a digital phone exchange.  Does CALEA
> specifically concern that?

Here's some links to relevant material:
http://www.educause.edu/FederalPolicyProgram/CALEAFrequentlyAskedQuestions/9354
http://connect.educause.edu/term_view/CALEA?time=1212702107

>> Could you use netflow export from your routers
>> to provide this data?
>
> Response from our wide area network staff...
>
> I am pretty sure MAC is not exported in the Netflow V5 records, just
> IP source and destination information.
>
> Can someone provide me something that Netflow 5 DOES provide that
> would identify these connections? Or, is there a version that does
> provide MAC addresses, and which version would that be?


A common approach is to record the arp tables from your edge
routers every 'n' minutes via SNMP (netToMedia table).  Then
you can link that data with netflow using the ip address and
timestamp.  Depending on how often you need to look at the
data, you can do this correlation by hand or use SQL.

Dale
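
The ARP-to-NetFlow correlation described in the reply above, done in SQL as the post suggests. This is an added example, not code from the thread: the table layout, the 300-second poll interval, the staleness window and all addresses are assumptions or constructed sample data. It also covers the case that short DHCP leases make common, where an IP address changes hands between two ARP polls and the flow cannot be pinned to one MAC.

```python
import sqlite3

BASE = 1212700000  # constructed epoch base for the sample data
MAX_AGE = 600      # assumed: accept an ARP entry within two 300 s polls of a flow

# Constructed ARP snapshots as a poller reading the netToMedia table would
# store them: (poll_ts, router, ip, mac). 10.0.0.5 changes owner after +300.
ARP_ROWS = [
    (BASE + 0,   "edge-r1", "10.0.0.5", "00:11:22:aa:aa:aa"),
    (BASE + 300, "edge-r1", "10.0.0.5", "00:11:22:aa:aa:aa"),
    (BASE + 600, "edge-r1", "10.0.0.5", "00:11:22:bb:bb:bb"),
    (BASE + 900, "edge-r1", "10.0.0.5", "00:11:22:bb:bb:bb"),
    (BASE + 0,   "edge-r1", "10.0.0.9", "00:11:22:cc:cc:cc"),
]

# Constructed flow records with the fields NetFlow v5 carries (no MAC):
# (id, start_ts, src_ip, dst_ip, dst_port, octets)
FLOW_ROWS = [
    (1, BASE + 120,  "10.0.0.5", "192.0.2.10",   443,  48211),
    (2, BASE + 450,  "10.0.0.5", "198.51.100.7", 6881, 9912345),
    (3, BASE + 700,  "10.0.0.5", "198.51.100.7", 6881, 7712001),
    (4, BASE + 100,  "10.0.0.9", "192.0.2.10",   80,   1500),
    (5, BASE + 5000, "10.0.0.9", "192.0.2.10",   80,   900),
]

# For every flow, fetch the closest ARP entry before and after its start time,
# ignoring entries further away than :max_age seconds.
CORRELATE_SQL = """
SELECT f.id, f.src_ip,
       (SELECT a.mac FROM arp a
         WHERE a.ip = f.src_ip AND a.poll_ts <= f.start_ts
           AND f.start_ts - a.poll_ts <= :max_age
         ORDER BY a.poll_ts DESC LIMIT 1) AS mac_before,
       (SELECT a.mac FROM arp a
         WHERE a.ip = f.src_ip AND a.poll_ts > f.start_ts
           AND a.poll_ts - f.start_ts <= :max_age
         ORDER BY a.poll_ts ASC LIMIT 1) AS mac_after
FROM flows f
ORDER BY f.id
"""


def build_db():
    """Load the constructed sample rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE arp (poll_ts INTEGER, router TEXT, ip TEXT, mac TEXT);
        CREATE INDEX arp_ip_ts ON arp (ip, poll_ts);
        CREATE TABLE flows (id INTEGER PRIMARY KEY, start_ts INTEGER,
                            src_ip TEXT, dst_ip TEXT, dst_port INTEGER,
                            octets INTEGER);
    """)
    conn.executemany("INSERT INTO arp VALUES (?, ?, ?, ?)", ARP_ROWS)
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?)", FLOW_ROWS)
    return conn


def attribute_flows(conn, max_age=MAX_AGE):
    """Label each flow with the MAC(s) that held its source IP at the time."""
    results = []
    rows = conn.execute(CORRELATE_SQL, {"max_age": max_age})
    for flow_id, src_ip, before, after in rows:
        macs = sorted({m for m in (before, after) if m})
        if not macs:
            verdict = "unattributed"      # no ARP entry close enough in time
        elif len(macs) == 2:
            verdict = "ambiguous"         # IP changed hands between two polls
        elif before and after:
            verdict = "confirmed"         # same MAC on both sides of the flow
        else:
            verdict = "single-snapshot"   # only one poll saw this IP
        results.append({"flow": flow_id, "ip": src_ip,
                        "macs": macs, "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in attribute_flows(build_db()):
        print(row)
```

An "ambiguous" flow needs a second source, such as the DHCP lease log, before it is attributed to a device.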



Re: [WIRELESS-LAN] many clients, one room

2008-04-25 Thread Dale W. Carder

On Apr 23, 2008, at 10:41 AM, Lee, Steven wrote:


> We also held a bake-off with the big 3 LWAPP vendors.  The results
> showed that these solutions were no better and sometimes worse than what
> we could achieve with manual tinkering of our IOS AP's.
>
> snip
>
> We came to a decision that the cost of moving to LWAPP outweighed the
> benefits at this time, even with the added burden of manually
> fine-tuning each AP.  I'd rather not be in this position, but I haven't
> found a controller system that meets our needs.


Same story here, more or less.

In addition, we found that the controllers don't yet scale
to the point where it's not a kludge to support a good
number of SSID's or copious roaming.

Dale



Re: [WIRELESS-LAN] Using 4 channels rather then 3 for the 2.4ghz wifi

2008-02-21 Thread Dale W. Carder

On Feb 21, 2008, at 2:03 PM, Urrea, Nick wrote:
> We have a large study room at UC Hastings which accommodates up to
> 150 students.
> On average I see about 80-100 users using the wifi in the room.
> To load balance the wifi in the room I have setup 4 APs.
> Right now we use the 3 non-overlapping 2.4ghz channels, 1, 6, and 11.
> The 4 APs are line of sight with each.
> Do you think it would be a good idea to go to 4 channels instead of 3
> Ex: (1, 4, 8, 11)


No, if you're using 802.11g.

If there's searchable archives for this list, you might
be able to find a previous discussion we had on it here.

Dale



Re: [WIRELESS-LAN] The Aesthetics of 11n?

2008-01-17 Thread Dale W. Carder

On Jan 17, 2008, at 8:04 AM, Lee H Badman wrote:

> At risk of sounding silly- is anyone wrestling with the appearance
> of early 11n products? Contrast any of the current offerings with
> the MIMO antennas versus the likes of the Cisco 1130 (integrated
> antennas) from an aesthetics perspective, and the 11n stuff seems
> ugly and utilitarian.


Lucky for us most of our buildings are ugly and utilitarian!

Seriously though, most of our installs are into a ceiling-tile box
and the antennas just hang down.  Where we do wall mount, those are
into an enclosure (sometimes painted) as well.

We haven't worked on getting new box styles to facilitate 'n' AP's,
since we're waiting on IEEE standardization and 2nd-gen products.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin - Madison / WiscNet
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] The Aesthetics of 11n?

2008-01-17 Thread Dale W. Carder

On Jan 17, 2008, at 6:06 PM, Frank Bulk wrote:

> I think what the vendors are offering now will work
> with the final standard with minimal or no compatibility issues.


If it's anything like the pre-g crap that was on the market
before that was standardized, then this is a fallacy.  The
hardware might have been close enough, but it took months
for some client vendors to get it right *after* it was
standardized.

We have standards for a reason, folks.

Dale



Re: [WIRELESS-LAN] 802.11n

2008-01-11 Thread Dale W. Carder

On Jan 11, 2008, at 9:48 AM, Lee H Badman wrote:

> Actually, we did get a verbal commitment to that very notion
> yesterday from one of the more visible 11n vendors, but would have
> to see if that would be put in writing if we ever did proceed down
> that road.


For hardware or software replacement?

Rumors of hardware that can do (3) spatial streams
is only now hitting the trade rags.

Dale



Re: [WIRELESS-LAN] 802.11n tied to 802.3at

2007-11-18 Thread Dale W. Carder

On Nov 18, 2007, at 7:06 PM, Kevin Miller wrote:

> One thing to note is that 300Mbps as a symbol rate is only possible
> with 40MHz channels (versus the 20MHz standard width for 802.11a/b/g)
> .. which in 2.4GHz takes you from 3 non-overlapping to 1
> non-overlapping. In 5GHz you have at least 8 40MHz non-overlapping
> channels.


Likewise, does anyone have a feel for which bands within
5GHz will be commonly used indoors?

Dale



Re: [WIRELESS-LAN] The strategic importance of 5GHz

2007-06-27 Thread Dale W. Carder

On Jun 27, 2007, at 10:15 AM, Philippe Hanset wrote:


> Hopefully the 15 watts of 802.3af will suffice for b/g and n at 5Ghz
> on one AP!


This is my worry, too.  I guess we wait and see!

Dale



Re: [WIRELESS-LAN] The strategic importance of 5GHz

2007-06-26 Thread Dale W. Carder

On Jun 25, 2007, at 11:57 AM, Enfield, Chuck wrote:

> We currently only have one UTP cable to an AP location.
>
> The alternative is one GigE drop with either local power or proprietary UTP
> based power (including possible pre-standard 802.3at).


One thing we did for the last 3 years is to pull siamese cable to each
AP location, setting up the infrastructure in advance for a technology
change.

What will probably screw us as you mention is not enough PoE via 802.3af.

Having an AP with bg on 2.4 and MIMO on 5 will probably require 802.3at.
So in addition to replacing your AP's, you are now also forklifting your
PoE switches...

Dale



Re: [WIRELESS-LAN] The strategic importance of 802.11a

2007-06-18 Thread Dale W. Carder

I think Frank is spot-on.  Wait for 'n', and don't bother
with 'a' unless you need to.

On Jun 18, 2007, at 5:27 PM, Frank Bulk wrote:
> From two sources of anecdotal evidence it appears that those educational
> institutions that have deployed 802.11a for a year or two are getting
> between 30 to 50% of their Wi-Fi client population to use it

We saw approx 25% in public spaces like libraries during peak
times.  This is a big advantage for critical user-density areas.
One or two of our libraries get packed at finals time.  Having
one quarter of your users not on 2.4 makes the investment
worthwhile in these areas.

We also did some consultations with groups that were doing
bulk laptop purchases to include 'a' support, and we put
the 'a' radio in the ap's in those areas.  Same issue,
coordinate the offloading 2.4 where you can/need to, and
everybody wins.

Dale



Re: [WIRELESS-LAN] Advantages of Controller-based Wireless

2007-06-18 Thread Dale W. Carder

(Catching up on email, sorry for the delayed post)

On Jun 14, 2007, at 11:17 PM, Tom Zeller wrote:
> Different vendor products offer different extra gravy.  But in general, I
> see CBW as providing only a few benefits.

Ditto.  From the demos I have witnessed, the controllers are in my
mind VERY immature (some are simply sh*t) at least for large-scale
deployments.

> 1) True mobility - If your wireless LAN is small enough to have all users on
> a single subnet, you have that anyway.

Some of the controllers offer mobility with varying caveats you
have to weigh.

> 2) The ability to pop different groups of users onto different vlans without
> plumbing all those vlans to every access point.

Be careful, as there are limits to how many vlans are supported in
these systems.

> I'm not sure I agree these are must have for smaller deployments.  We did
> just fine with per-AP management until we were approaching 100 or so.  For
> the most part, we didn't have to log into them all that often.

Maybe just the opposite?  The smaller enterprise might want the controller
because they don't have the ability to build the appropriate management
infrastructure themselves.  Point and click can be of value.

> However, realizing we were going to have 100s and eventually 1000s of APs we
> bought Airwave's AMP product, which provides an excellent central management
> platform for stand-alone APs (if you buy brands they support, which is most,
> maybe all, of the major brands).

We also bought Airwave's AMP.  It is very, very slick.  We bought it
because it could generate the reports we were looking for without
having to do it ourselves.  But I would NOT say that we are using it
for more than as an MRTG replacement plus troubleshooting users and
load.

> I don't see the centralized management aspect of CBW to be the driving force
> for us.


Ditto.  We chose fat AP's because we could ping/snmp/login to them
like anything else.  The same scripts (custom stuff on top of rancid,
and a few monitoring apps) that we have managing hundreds of
routers and thousands of switches can also manage our 1,715 AP's
on campus with little additional effort.

What a controller does not buy you is easy integration into other
enterprise management systems.  It's yet another console for the NOC
(if you can expose the interface to them at all) and that sucks. Or
you're going to waste time on this integration that will in the end
cost you double.

The carrot for us to move to controllers is when they are of telco-ish
quality, support about 1,000 vlans arbitrarily placed throughout, allow
thousands of users to roam everywhere, and provide magical load balancing.

Some controllers are close, but not quite.

Dale



Re: [WIRELESS-LAN] Cisco vs. Meru article

2007-06-14 Thread Dale W. Carder

On Jun 14, 2007, at 1:34 PM, Kevin Whitney wrote:


> Any thoughts or advice on implementing/selecting a wireless system for
> use in a High School environment ?


Hi Kevin,

In talking to IT staff from K-12's at our (WiscNet's) last conference,
one interesting thing I found was that technology has to work
on the first try.  For example, a demo or document sharing done
via wireless when it's not working or too slow can severely interrupt
a lesson plan, and most teachers will only tolerate their lesson plans
being burnt once or twice.

The point that was hammered over and over was professionally done design
(usually outsourced for K-12's) site surveys done before and after
installation.  A large part of that design process, as others
have mentioned is planning upfront for user density.  A few classrooms
back to back covered by only a few AP's may not work under load.

For pros & cons on central controller vs fat AP's, you should hands
down go with a central controller unless you are a programmer willing to
write tools to monitor and automate tasks and your labor doesn't figure
into the real cost of the wireless install.  You will still probably
want to use a controller later anyway, as that's the only place where
new feature development is really occurring.

Dale
University of Wisconsin  WiscNet



Re: [WIRELESS-LAN] Playing Well With Others

2007-04-26 Thread Dale W. Carder

Hey Steve,

On Apr 23, 2007, at 10:55 AM, Steve Fletty wrote:
> Do any of you face issues with dealing with municipal wireless
> initiatives impinging on your air space?
> The University of Minnesota has a large footprint in Minneapolis
> and St. Paul. The city of Minneapolis is deploying a mesh solution
> which will eventually be bumping up against our borders.

Similar story here in Madison WI, except it's been about a year.

> Is anyone else dealing with a situation like this? I'm just
> wondering what issues people may have run into and what cooperative
> initiatives or problems you may have run into.


The first thing we did was to arrange a meeting with the vendor
that was hired.  From them we got their basic architecture and
deployment plans.  We were quite concerned about overlapping
interference (like you probably are), and we were especially
concerned about near the stadium where we do wireless handheld
ticket taking.

They had no real interest in cooperating except if we were to
partner (read: pay).  They didn't understand peering.  We
didn't understand how they were going to compete with the free
networks that permeate our downtown (ours, coffee shops, etc).

Anyway, now they are probably on the road to bankruptcy, and we
never saw any substantial interference because they have so few
customers and such bad coverage.  It's hard to run a business
in 2.4GHz.

http://www.thedailypage.com/isthmus/article.php?article=6346

Dale



Re: [WIRELESS-LAN] wireless guest access

2007-02-26 Thread Dale W. Carder
Thus spake Kevin Lanning ([EMAIL PROTECTED]) on Mon, Feb 26, 2007 at 12:46:48PM 
-0500:
> Wondering what academic institutions are doing these days regarding
> wireless access for guests?

In general, a person not affiliated with the institution may not 
use our network.

However, anyone on payroll (including students) can authorize 
individual guest access by generating a temporary ID that will
only allow access through a captive portal.

http://www.doit.wisc.edu/security/policies/guest_NetID.asp
http://www.doit.wisc.edu/services/guestid/index.asp

The id can last from 1-31 days.  If they need access for longer,
there is a more formal affiliation procedure used (that can also
optionally allow access to other systems).

One nice thing I like about our system is that it can generate many
id's at once which is crucial for conferences.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] EOL of WiLAN controllers (a month or two after purchasing - what do you do?)

2007-02-19 Thread Dale W. Carder
Thus spake Lelio Fulgenzi ([EMAIL PROTECTED]) on Mon, Feb 19, 2007 at 
01:07:25PM -0500:
> This is for those who buy Cisco products.
>
> We bought a Cisco 2006 controller last year, say late November, early
> December. It's not been EOL'ed.
>
> Just wondering what experience others have had

Sign an NDA and get product roadmaps before buying anything from 
anyone.  

Cisco, in particular, tends NOT to announce an EOL of a product until
months/years after removing all the developers from a project.  I've
seen this for a couple of product lines where new features just suddenly
stop, and then magically in 6 months something takes that product's place.
Only then is an EOL announced because there is something new to sell
you as an upgrade path.

Dale


Dale W. Carder - Network Engineer   | DoIT Network Services
University of Wisconsin at Madison  | [EMAIL PROTECTED] 
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] EOL of WiLAN controllers (a month or two after purchasing - what do you do?)

2007-02-19 Thread Dale W. Carder
Wow, that sinks.

I would call your SE's boss.  In our region at least, they actually 
tend to listen.

Dale



Thus spake Lelio Fulgenzi ([EMAIL PROTECTED]) on Mon, Feb 19, 2007 at 
03:33:11PM -0500:
> we had an NDA product update in december. they neglected to tell us anything.
> :(
>
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^
> ...there's no such thing as a bad timbit...
>
>   - Original Message -
>   From: Dale W. Carder
>   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>   Sent: Monday, February 19, 2007 3:27 PM
>   Subject: Re: [WIRELESS-LAN] EOL of WiLAN controllers (a month or two after
>   purchasing - what do you do?)
>
>   Thus spake Lelio Fulgenzi ([EMAIL PROTECTED]) on Mon, Feb 19, 2007 at
>   01:07:25PM -0500:
>   > This is for those who buy Cisco products.
>   >
>   > We bought a Cisco 2006 controller last year, say late November, early
>   > December. It's not been EOL'ed.
>   >
>   > Just wondering what experience others have had
>
>   Sign an NDA and get product roadmaps before buying anything from
>   anyone.
>
>   Cisco, in particular, tends NOT to announce an EOL of a product until
>   months/years after removing all the developers from a project.  I've
>   seen this for a couple of product lines where new features just suddenly
>   stop, and then magically in 6 months something takes that product's place.
>   Only then is an EOL announced because there is something new to sell
>   you as an upgrade path.
>
>   Dale
>
>   Dale W. Carder - Network Engineer   | DoIT Network Services
>   University of Wisconsin at Madison  | [EMAIL PROTECTED]
>   (608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] using four channels instead of three

2007-01-02 Thread Dale W. Carder

It was written:

> 4 Simultaneous Channels Okay For 802.11b


It's important to understand the differences of 3 channel vs
4 channel spacing for 802.11b vs 802.11g.

Take a look at the transmit spectral mask shown in Figure 96
of IEEE 802.11 1999.  At 11 MHz away from the frequency center you
have to be down -30 dB, and at 22 MHz away from center you have
to be down -50 dB.

Here's a good document describing this for 802.11b and shows
the differences in the xmit mask for 802.11g.  Note that it
is easier to get away with 4 channel spacing with b's CCK
compared to g's OFDM.

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00802846a2.html


In a nutshell, 4 channel spacing is not really a problem for 'b',
provided you're starting out with a low noise floor.  If you're
concerned about throughput on 802.11g, you may not want to use 4
channel spacing.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder
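
The spacing argument in the message above, worked through as an added example (not part of the original post). It models the 802.11b transmit mask as a step function using only the two figures quoted in the post, and compares a 3-channel plan with a 4-channel plan; the 1/4/8/11 plan and all function names are assumptions.

```python
# Mask figures as quoted in the post (IEEE 802.11 1999, Figure 96).
MAIN_LOBE_MHZ = 11    # inside +/-11 MHz of centre the limit is 0 dBr
FAR_OFFSET_MHZ = 22   # from 22 MHz outward the limit is -50 dBr


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel (channel 1 = 2412 MHz, 5 MHz steps)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel out of range: {channel}")
    return 2407 + 5 * channel


def mask_limit_dbr(offset_mhz):
    """Upper bound on transmitted power, relative to peak, at an offset from centre."""
    offset = abs(offset_mhz)
    if offset < MAIN_LOBE_MHZ:
        return 0
    if offset < FAR_OFFSET_MHZ:
        return -30
    return -50


def analyse_plan(channels):
    """Describe each pair of neighbouring channels in a channel plan."""
    chans = sorted(channels)
    rows = []
    for a, b in zip(chans, chans[1:]):
        spacing = centre_mhz(b) - centre_mhz(a)
        rows.append({
            "pair": (a, b),
            "spacing_mhz": spacing,
            # how far the two 22 MHz wide main lobes overlap
            "main_lobe_overlap_mhz": max(0, 2 * MAIN_LOBE_MHZ - spacing),
            # mask limit of one transmitter at the nearest edge of the
            # neighbour's main lobe, and at the neighbour's centre
            "limit_at_neighbour_edge_dbr": mask_limit_dbr(spacing - MAIN_LOBE_MHZ),
            "limit_at_neighbour_centre_dbr": mask_limit_dbr(spacing),
        })
    return rows


if __name__ == "__main__":
    for plan in ((1, 6, 11), (1, 4, 8, 11)):   # second plan is an assumed example
        print(plan)
        for row in analyse_plan(plan):
            print("  ", row)
```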



Re: [WIRELESS-LAN] Linksys APs as enterprise solution

2006-09-11 Thread Dale W. Carder

On Sep 11, 2006, at 12:18 PM, Philippe Hanset wrote:

> It has been mentioned that devices with less potent CPUs
> have a harder time to deal with big broadcast traffic.
> (our Cisco SE likes to remind me about that. Is it to
> sell a LWAPP system, or is it a fact?)


Um, I seem to recall huge subnets on thinnet with what would
now be considered ancient cpu's working fine in yesteryear.


> If you have other measures that one can use to reduce Broadcast,
> please share with the list.


Private vlans + proxy arp.  You could make each building a
private vlan knowing that traffic between those vlans would
be very small.  You could proxy-arp at the router to enable
those hosts to talk to each other.

Some AP's can let you disable multicast support, but some edge
switches support ACL's where you could prune multicast or
broadcast packets to your liking.

I don't have enough time to debate multicast over wireless ;-)

Dale



Re: [WIRELESS-LAN] Wireless Usage Report

2006-08-03 Thread Dale W. Carder

On Aug 2, 2006, at 5:43 PM, William Green wrote:

> I'd be interested in knowing other institution's wireless usage.


I took a brief look at our usage for the last schoolyear here:
http://net.doit.wisc.edu/~dwcarder/uwnet0506.txt
http://net.doit.wisc.edu/~dwcarder/05-06.png

Dale


--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] portal authentication?

2006-05-09 Thread Dale W. Carder
Thus spake Matt Ashfield ([EMAIL PROTECTED]) on Tue, May 09, 2006 at 01:42:44PM -0300:
> 
> If so, what portal software are you using? Is there a reliable open-source
> package available? Does it handle guest access?

We're using a package we developed called Captivator.  More info
can be found here:

http://net.doit.wisc.edu/~dwcarder/captivator/

It does not have an integrated guest access feature (we add guests
via ldap), but anyone with a moderate level of perl clue could 
easily put that in.

Dale


Dale W. Carder - Network Engineer   | DoIT Network Services
University of Wisconsin at Madison  | [EMAIL PROTECTED] 
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] WiFi Client Tracking software/hardware

2006-04-10 Thread Dale W. Carder

On Apr 7, 2006, at 1:42 PM, Scott Smith wrote:
> I was wondering what software/hardware anyone uses to track
> Wireless Clients?  Specifically say if the device was stolen and
> was needing to be tracked?


Do your switches support mac address learn traps?

Dale


Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] Guest access

2006-03-31 Thread Dale W. Carder
> From: Entwistle, Bruce [mailto:[EMAIL PROTECTED]
> Subject: [WIRELESS-LAN] Guest access
> 
> We have some ideas how we would like to handle this issue but are curious as
> to what others have done to accommodate these guest connections.  Please
> let me know.

We hand out guest accounts to authorized users of the network.

Currently, anyone on payroll (including students) can authorize guest
id's.  As soon as the web interface is updated, anyone can generate
guest id's.  This gets around a key issue we see which is that students
are giving out their login credentials to their friends so they can
access the network.  So we still handle all authentication, but
authorization will work more /realistically/.

All users have the option of using our VPN service (vendor c's vpn 3k)
to encrypt their traffic or they can authenticate to our login gateway.
The login gateway is used both for the wireless networks plus more and 
more datajacks in public areas.

We do not differentiate the level of service we provide on our network.  
Faculty, staff, researchers, students, guests, and whoever is otherwise
authorized are all valid users of our network and we do not DEGRADE our 
service to any of these user groups.  I challenge peer public institutions 
to stop this practice.  

Dale


Dale W. Carder - Network Engineer   | DoIT Network Services
University of Wisconsin at Madison  | [EMAIL PROTECTED] 
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] Theories on a massive problem on our WLAN?

2006-03-13 Thread Dale W. Carder
Thus spake Lee Badman ([EMAIL PROTECTED]) on Mon, Mar 13, 2006 at 12:47:51PM -0500:
> Wondering if anyone in the group cares to hazard a theory.

Sure, as long as you don't hold me to it!

Sounds like IAPP is freaking out.  I've heard rumors of this.
I think for example, you can get an IAPP storm by putting a
loopback interface on an IOS ap in heavyweight mode.

In general, cisco ap's aren't known for scaling to high numbers
of AP's on the same subnet due to this sort of chatter between
them and the amount of state info they all think they need to
carry.  So, I would look hard at splitting up into a lot more
layer 3.

See if sh iapp statistics has any clues.

Did you get a sniffer trace?  I think ethereal can decode IAPP.

Make sure you filter IAPP with ACL's where needed, too.  

Can you enable multicast storm control on the 3500 platform?

I wouldn't exactly expect this to get fixed either since Cisco
is basically throwing away everything and trying again with the
company they bought to replace aironet.  IMHO, of course.

Dale


Dale W. Carder - Network Engineer   | DoIT Network Services
University of Wisconsin at Madison  | [EMAIL PROTECTED] 
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] Paint that attenuates Radio Signals

2006-02-15 Thread Dale W. Carder

I've always wondered how well marine anti-fouling paints would work.
They typically have copper or tin mixed in them.

Dale

On Feb 15, 2006, at 11:10 AM, Enfield, Chuck wrote:
> I haven't used the product, but a glance at the product info indicates to me
> that it has limited efficacy.



--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] Cisco Self-Healing- does it work?

2005-12-06 Thread Dale W. Carder

On Dec 6, 2005, at 8:55 AM, Lee Badman wrote:
> I am contemplating piloting a rather large new building to use
> Cisco's WLSE/AP self healing features- have had some success with
> it in small test areas. Wondering if anyone is using it on a larger
> scale and has either gotten comfortable with it or has experienced
> pain as a result.


I'll be blunt.

Our opinion of the WLSE and WLSM stuff is that it is largely a solution
looking for a problem in this arena.  We tried a WLSE for a while a year
ago and it was nothing but worthless pain and overall a half-baked piece
of junk.

For how often you actually expect the RF footprint to change, an AP go down,
for all of the effort to set up and deal with all of the WLSE/WLSM crap,
importing map graphics, I can have a 24x7 tech log into and set power levels,
reboot an AP remotely via a POE switch, or even do a truck roll to replace
an AP for a lot less cost and all using monitoring infrastructure already
in place.

Select your channels and coverage maps with good pre and post deployment
site surveys.  Have those maps available to the NOC.  You can set client
power levels (for clients that obey) via the IOS cli.  We have large
buildings (libraries in particular) with 100% coverage, lots of AP's,
lots of clients (A,B and G), some 24x7, and nothing that has ever required
self healing mumbo-jumbo.  Save your money on marketing buzzwords, and
spend it on quality RF design and tools.

Note that for all of the Aironet engineers' effort, more or less all of
the CCX/WDS/WLSE/WLSM architecture is or will be junk now with the
Airospace equipment and the lightweight AP model which all of the
vendors are at or are moving towards.  Cisco has always lagged behind
other vendors in wireless technology (which is fine by them, as it lets
the others take the risks in a fast moving market).

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] Cisco Self-Healing- does it work?

2005-12-06 Thread Dale W. Carder

Maybe I just wasn't clear enough not to start a debate!

I guess I'm just coming from the crusty old engineer approach of:
1) Identify problem
2) Identify solution

What problem are you looking to solve with Self-healing?  Is it
worth it?

I would be very interested in what you find about how it reports
what it detects plus what it's doing about it so that the operational
staff knows exactly what is going on.  Does it push information
via syslog, snmp trap, etc, or do you have to query it?  Is it
actually doing the right thing?  How do you manage and maintain it?
How can it be integrated with your other systems?

I also hope to steer away any .edu from WLSE/WLSM who hasn't already
deployed it.  As others have noted, it is doomed.

When Rusty, myself, and others from our group went about our wireless
redesign, we really did take a pessimistic approach.  We are holding
off to a large extent on wireless infrastructure features until the
market shakes out a bit more.

This is also why we chose the heavyweight IOS AP's.  We already have
tools to manage a few thousand IOS devices.  Throw in a thousand+
IOS AP's into that system and we can utilize the same backend tools
we already have developed for configuration management, code upgrades,
monitoring, etc.  We did get Airwave for better user reporting.  Then
after the depreciation cycle in two years or so from now, begin to take
a look at what the various thin AP controllers can do at that time.

Effectively dealing with voice, qos, crypto, fast roaming, client side
supplicants, scalability and resiliency of controllers, integration
with cell phones, etc., all needs to come a long way.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder



PC's bridging wired to wireless

2005-10-05 Thread Dale W. Carder
Much related to the question about PC's set up for ad-hoc mode,
has anyone experienced PC's bridging a wireless connection to
the wired network?  This is probably because the user has
internet sharing setup for home or is otherwise misconfigured.

This seems to be a problem in 1 or 2 of our buildings, where
there must be an abundance of wired ports available.  As we
have bpdu-guard enabled on the switchports, the network doesn't
get into a loop state, but this has the side effect of taking 
the AP down.  

We can to some degree figure out what machine it is by watching
roams from the reports via Airwave AMP and also from mac address
learn/remove traps from the switches.

When we have seen this, the user must usually only use the
wired connection because their mac address is not in our
database, so we basically can't figure out who it is.

Has anyone else had this sort of problem?  And besides user
education, etc, what can you do in the network to protect 
from this?

Dale


Dale W. Carder - Network Engineer   | DoIT Network Services
University of Wisconsin at Madison  | [EMAIL PROTECTED] 
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder
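
One way to do the correlation described in the message above, as an added example (not code from the post, from the switches or from Airwave AMP): it joins MAC learn traps with a list of currently associated wireless clients and flags any wired port, other than an AP uplink, that learns a wireless client's MAC. The record layout, switch and port names, and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: (epoch seconds, switch, port, action, MAC)
TRAPS = [
    (1000, "sw-bldg1", "Fa0/12", "learn", "00:11:22:33:44:55"),
    (1005, "sw-bldg1", "Fa0/12", "learn", "00:0d:93:aa:bb:01"),
    (1006, "sw-bldg1", "Fa0/12", "learn", "000d.93aa.bb02"),
    (1010, "sw-bldg1", "Fa0/20", "learn", "00:30:65:10:20:30"),
    (1020, "sw-bldg1", "Fa0/12", "remove", "000d.93aa.bb02"),
    (1030, "sw-bldg2", "Fa0/3", "learn", "00:0d:93:aa:bb:03"),
]
# MACs the wireless reporting system shows as associated (constructed).
WIRELESS_CLIENTS = ["00-0D-93-AA-BB-01", "00:0d:93:aa:bb:02", "00:0d:93:aa:bb:03"]
# Ports where APs are attached; wireless MACs are expected there.
AP_UPLINKS = {("sw-bldg2", "Fa0/3")}


def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_bridging_ports(traps, wireless_macs, ap_uplinks):
    """Return {(switch, port): details} for ports that learned wireless MACs."""
    wireless = {norm_mac(m) for m in wireless_macs}
    learned = defaultdict(dict)            # (switch, port) -> {mac: first learn time}
    for ts, switch, port, action, mac in sorted(traps):
        if action != "learn" or (switch, port) in ap_uplinks:
            continue
        learned[(switch, port)].setdefault(norm_mac(mac), ts)

    findings = {}
    for key, macs in learned.items():
        leaked = sorted(m for m in macs if m in wireless)
        if leaked:
            findings[key] = {
                "first_seen": min(macs[m] for m in leaked),
                "wireless_macs": leaked,
                # remaining MACs on the port: candidates for the bridging PC's wired NIC
                "wired_candidates": sorted(m for m in macs if m not in wireless),
            }
    return findings


if __name__ == "__main__":
    for port, info in find_bridging_ports(TRAPS, WIRELESS_CLIENTS, AP_UPLINKS).items():
        print(port, info)
```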



Re: [WIRELESS-LAN] Dectecting ad-hoc networks in dorms

2005-10-05 Thread Dale W. Carder
Thus spake Dave Molta ([EMAIL PROTECTED]) on Wed, Oct 05, 2005 at 10:20:22AM -0400:
> 
> We've also got a sneak-preview review of Airwave Management Platform (AMP)
> version 4.0 scheduled. If anyone out there would be willing to talk to me
> about their experiences with earlier versions of this system and provide
> some impressions about the value of the new features, please let me know and
> I will get in touch.

Hi Dave,

We've worked quite a bit with AMP version 3, and we have worked with
Airwave's engineers quite a bit to get things on the backend working
better like filesystem partitions, and supporting RHEL 4.

From what I have heard, it sounds like one of the big things AMP 4
offers is more advanced report generation and searching through the
data.

Feel free to give me a ring or get in touch via email.

Dale


Dale W. Carder - Network Engineer   | DoIT Network Services
University of Wisconsin at Madison  | [EMAIL PROTECTED] 
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder



Re: [WIRELESS-LAN] Wireless Open Access- not sponsored guest access

2005-06-03 Thread Dale W. Carder
UW Madison's wireless network is closed.  The motivation for this
is for accountability.  Guest ID's can be created by any employee,
which at least tracks who is accountable for their guest's actions.
Here's the policy:
http://www.doit.wisc.edu/security/policies/guest_NetID.asp

To get a guest ID, all one has to do is go to a webpage and fill
out a form.  Within a few minutes, the new ID is live.  There is
also a form to generate a bulk set of ID's fast, especially for
conferences.

Like I said, our motivation for this guest approach was for
accountability.  We have had to go through the data to track 
down problems (like dealing with virii) and problem people doing
naughty things.

I think there is a downside to the Guest ID approach, which is
that I know students tend to give out their id's to their friends
so they can get access too.  Our approach to guest ID's doesn't
seem to address this motivation.  There has been some informal
talk about allowing anyone to sponsor a guest.

This fall, VPN will be heavily promoted for wireless access, but
still not required <sigh>.  We hear about how hard VPN is, and it's 
frankly because the clients suck.  I think 802.1x is just as bad 
at this point too.  

So, users that don't have a VPN client, as well as guests (especially
from corporate America) who can't otherwise install a VPN client
can go through a captive portal for net access, although it is
heavily filtered.  We found all of the existing captive portal
solutions lacking (we really wanted a layer 2 solution) and built 
our own.  It will also be used for all public access datajacks
such as those in classrooms and conference rooms.

http://net.doit.wisc.edu/~dwcarder/captivator/

Dale



Dale W. Carder - Network Engineer   | DoIT Network Services
University of Wisconsin at Madison  | [EMAIL PROTECTED] 
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder


