Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

[David Morton]

Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton @uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@ uw.edu<http://uw.edu>

On Jan 9, 2020, at 8:15 AM, Turner, Ryan H 
mailto:rhtur...@email.unc.edu>> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors have their ups and downs, my 
frustration with the Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go ahead 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that due to issues we’ve seen in ResNet on 
the 8.3X train that we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I’m not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices….  
Something from Cisco (we had Cisco long ago and dumped them for bugs), 
something from Extreme (we are a huge Extreme shop so this makes sense), 
something from Juniper (Mist).

Thanks,
Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu<mailto:r...@unc.edu>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription in

Re: [WIRELESS-LAN] Offline/Spare Gear Inventory Size

[David Morton]

We are on Aruba and keep very little in planned, offline inventory. Most APs 
have a lifetime warranty and we don’t seem many storm related failures. Much 
like Chuck, our normal deployment stocks can provide spares when needed. We 
will then send any defective units back to Aruba for warranty replacement.

David




On Feb 26, 2018, at 10:20 AM, Trinklein, Jason R 
> wrote:

Hi All,

I’m curious to know the size of your spare gear inventories. Do you keep a 
percentage of each model of AP in inventory, and what is your reasoning? 
Storms? Last minute/emergency wireless coverage needs?

What percentage of your live gear do you keep as offline inventory? (100 live 
APs with 1 inventory AP = 1% offline inventory).

With Xirrus, we had an offline inventory of more than 10% of live inventory. We 
kept that inventory to cover the high failure rate of the equipment, the 
incidence of hurricanes and lightning strikes in our area, the broad range of 
AP models on campus, and last minute large events in low coverage areas.

We are evaluating the minimum offline inventory for our new Aruba gear as we 
finish up the vendor switch. I have been thinking 1-2%, but I want to see what 
you guys do first, and why.

Thank you,
--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

DID YOU KNOW? The Princeton Review selected the College of Charleston as one of 
50 schools focused on providing students with practical experiences that take 
their academics to the next level.

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] PEAP vs TLS

[David Morton]

Thanks Bruce.

David



On Feb 26, 2018, at 8:31 AM, Curtis, Bruce 
<bruce.cur...@ndsu.edu<mailto:bruce.cur...@ndsu.edu>> wrote:



On Feb 23, 2018, at 10:58 AM, David Morton 
<dmor...@uw.edu<mailto:dmor...@uw.edu>> wrote:

We currently use EAP-PEAP for our eduroam/802.1x, but are now considering 
adding EAP-TLS to the mix. We have several potential PKIs that we could use, 
but all of them will take some work to get them ready for a production launch. 
Given that resources are limited, I’m looking for some data points about others 
who have moved, are thinking of moving or have decided not to adopt EAP-TLS.

To help gather some data can you please answer this short survey?

Do you:

- Support 802.1x? -

Yes.


If yes, do you:

- use EAP-PEAP on campus? -

Yes.


- use EAP-TLS on campus? -

Yes.

- What PKI/CA do you use: -

- If both, why and is one preferred? -

We were mainly using EAP-TLS with some devices using EAP-TTLS.

We will be turning off EAP-TTLS soon.

We enabled EAP-PEAP recently because our help desk reported a significant 
percentage of Android devices had issues with EAP-TLS.

Also a smaller percentage of Windows machines had problems with EAP-TLS but it 
was decided to use EAP-PEAP for Windows devices.

We continue to use EAP-TLS for Apple devices, both iOS and Mac OS.

EAP-TLS has the advantage that a man in the middle attack can not steal a 
password, even if a user turns off the “check server certificate” verification.
Also with EAP-TLS devices do not have to be reconfigured if a password is 
changed.

So EAP-PEAP is installed on Android and Windows devices by default with 
CloudPath and EAP-TLS is installed by default on Apple devices with CloudPath.
People still have the option of configuring EAP-TLS for Android and Windows 
devices and EAP-PEAL for Apple devices but that requires that they configure 
that manually rather than with the installer.

- If only PEAP, are you planning EAP-TLS? -

Brief description of why you’re doing what you’re doing and anything else that 
might be helpful:



Thank you in advance


David




David Morton
Director, Networks & Telecommunications
Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu<mailto:dmor...@uw.edu>
tel 206.221.7814

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


---
Bruce Curtis 
bruce.cur...@ndsu.edu<mailto:bruce.cur...@ndsu.edu>
Certified NetAnalyst II701-231-8527
North Dakota State University


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

PEAP vs TLS

[David Morton]

We currently use EAP-PEAP for our eduroam/802.1x, but are now considering 
adding EAP-TLS to the mix. We have several potential PKIs that we could use, 
but all of them will take some work to get them ready for a production launch. 
Given that resources are limited, I’m looking for some data points about others 
who have moved, are thinking of moving or have decided not to adopt EAP-TLS.

To help gather some data can you please answer this short survey?

Do you:

- Support 802.1x? -

If yes, do you:

- use EAP-PEAP on campus? -

- use EAP-TLS on campus? -
- What PKI/CA do you use: -

- If both, why and is one preferred? -

- If only PEAP, are you planning EAP-TLS? -

Brief description of why you’re doing what you’re doing and anything else that 
might be helpful:



Thank you in advance


David




David Morton
Director, Networks & Telecommunications
Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu<mailto:dmor...@uw.edu>
tel 206.221.7814


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Nyansa vs 7Signal vs ?

[David Morton]

I'm a fan of Netinsight (aka Rasa) from Aruba. We get some very useful and 
actionable data that we haven't seen before. I think they are very close to 
official launch.

Recommend looking at them.

David Morton
Director, Networks & Telecommunications
Services: wired, mobile, telecom, HuskyTV, Wi-Fi
University of Washington, UWIT
dmor...@uw.edu<mailto:dmor...@uw.edu>

On Jul 25, 2017, at 9:33 AM, James Andrewartha 
<jandrewar...@ccgs.wa.edu.au<mailto:jandrewar...@ccgs.wa.edu.au>> wrote:

Hi Jason,

No comments, but Nyansa and Cape (another hardware-based wifi monitoring 
company, but perhaps US-only since they use T-Mobile uplinks?) are at Mobility 
Field Day 2 this week. You’ve reminded me to take another look at 7Signal 
though; per Caston’s post, we already have a solution that overlaps with Nyansa 
so I won’t be investigating that. Also because my budget is capital-focused 
currently which means I need physical items to stick asset tags on, and 11ac 
Wave 2 APs don’t excite me at all (the only MU-MIMO capable device on campus is 
my personal phone).

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jason Cook 
<jason.c...@adelaide.edu.au<mailto:jason.c...@adelaide.edu.au>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, 25 July 2017 at 3:02 pm
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] Nyansa vs 7Signal vs ?

Hi All,

There’s been plenty of positives mentioned about Nyansa in recent discussions. 
I’m wondering if anyone out there has experience at both 7signal and Nyansa or 
any other systems that do wireless monitoring/alerting in a more detailed way 
than vendor provided gear. The approach for these 2 are obviously quite 
different with I guess varying advantages. Don’t need much detail, just general 
thoughts is good.

Regards

Jason

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
e-mail: 
jason.c...@adelaide.edu.au<mailto:jason.c...@adelaide.edu.au<mailto:jason.c...@adelaide.edu.au%3cmailto:jason.c...@adelaide.edu.au>>

CRICOS Provider Number 00123M
---
This email message is intended only for the addressee(s) and contains 
information which may be confidential and/or copyright.  If you are not the 
intended recipient please do not read, save, forward, disclose, or copy the 
contents of this email. If this email has been sent to you in error, please 
notify the sender by reply email and delete this email and any copies or links 
to this email completely and immediately from your system.  No representation 
is made that this email is free of viruses.  Virus scanning is recommended and 
is the responsibility of the recipient.

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Nyansa

[David Morton]

I’d like to join as well.

David




David Morton
Director, Network & Telecom Design/Architecture
Service Owner: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu<mailto:dmor...@uw.edu>
tel 206.221.7814

On Feb 10, 2017, at 12:10 PM, Chuck Enfield 
<chu...@psu.edu<mailto:chu...@psu.edu>> wrote:

Please reply if you’d like to join the call.  Doug and Lee are the guests of 
honor, but I’ll do my best to accommodate as many other schedules as possible.

From: Sullivan, Don [mailto:dsulli...@samford.edu]
Sent: Friday, February 10, 2017 3:08 PM
To: Chuck Enfield <chu...@psu.edu<mailto:chu...@psu.edu>>; 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: RE: [WIRELESS-LAN] Nyansa

I’m game.

Don Sullivan
Network Administrator
205-726-2111
dsulli...@samford.edu<mailto:dsulli...@samford.edu>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Friday, February 10, 2017 2:06 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Nyansa

Any chance we could make it a conference call?  I’ll set up a bridge.

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sullivan, Don
Sent: Friday, February 10, 2017 3:03 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Nyansa

Lee,

I would be happy to have a chat with you about it. Probably better off list for 
me.

Don Sullivan
Network Administrator
205-726-2111
dsulli...@samford.edu<mailto:dsulli...@samford.edu>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, February 10, 2017 1:58 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Nyansa

Looking to talk with other schools that have objectively evaluated Nyansa with 
an installed appliance. Curious how what criteria you used to decide whether it 
was bringing you value, and if you bit on it, did it continue to bring value 
after the purchase.

I have it in test and am aware of the feature set and what it promises to do, 
but am looking for testimonials on what it has really exposed that you could 
take action on, how it fits with other tools that you have, and whether you 
have found it to be worth the cost.

On or off list is fine.

Thanks!

Lee Badman

Lee Badman | Network Architect

Adjunct Instructor | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu<http://its.syr.edu>
SYRACUSE UNIVERSITY
syr.edu<http://syr.edu>



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_discuss=DwMFAg=GTxgfYI6i4KYikqC6GK_Jzn2mYGEh-v4HEPYCyQcJzU=gESFfxkz83JEIAAPJ78hwRDbYXa0egqYOhaeRMDNKZQ=qsyU3o10Cz6rvcuJmP6iOgTUc5LXLn7vL89B3UnNKL0=L0lwB9QE1L_CiE0-RRb2MBFIPutBT5uWGn2BMCd0Y9c=>.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_discuss=DwMFAg=GTxgfYI6i4KYikqC6GK_Jzn2mYGEh-v4HEPYCyQcJzU=gESFfxkz83JEIAAPJ78hwRDbYXa0egqYOhaeRMDNKZQ=vyHlJgM5ChtmMXhqIWBMZrL-Plak8Gn69iU7dTZFW0I=UdTpl0ouKE1m9fC3CVLiD7LZlBjsFAtMkcloEnMXFrs=>.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_discuss=DwMFAg=GTxgfYI6i4KYikqC6GK_Jzn2mYGEh-v4HEPYCyQcJzU=gESFfxkz83JEIAAPJ78hwRDbYXa0egqYOhaeRMDNKZQ=vyHlJgM5ChtmMXhqIWBMZrL-Plak8Gn69iU7dTZFW0I=UdTpl0ouKE1m9fC3CVLiD7LZlBjsFAtMkcloEnMXFrs=>.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] FreeRADIUS server scaling for 802.1x

[David Morton]

Thank you Eriks and Curtis, this information is very helpful.

We aren’t using Packetfence, but rather a mix of ClearPass and a customized 
FreeRADIUS. As we move from a relatively small numbers of eduroam users on 
campus to actively promoting it for on-campus use we have been running various 
models to predict load and we don’t have a good way to determine the load 
capacity of the FreeRADIUS portion of the architecture.

Anyone else who has thoughts or suggestions, please feel free to chime in.

David


David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu<mailto:dmor...@u.washington.edu>


On Jul 19, 2016, at 8:42 AM, Eriks Rugelis 
<er...@yorku.ca<mailto:er...@yorku.ca>> wrote:

Curtis K. Larsen wrote:
Nice slides.  This is pretty similar to what we do.  We're also using 
PacketFence/FreeRADIUS.  The
graphing of the authentications is key to understanding/scaling things in my 
opinion.

Actually, with respect to our current deployment architecture, we are standing 
on your shoulders.   I want to thank you for that and also for driving Inverse 
to implementing the activity and performance graphs in Packetfence.

I cannot overstate how valuable we find the ability to track and correlate 
authentication workload, authentication server performance and back-end (Active 
Directory) server performance!
---
Eriks Rugelis
Manager, Network Development, University Information Technology
York University, Toronto

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

FreeRADIUS server scaling for 802.1x

[David Morton]

I am curious how folks are calculating peak load and number of RADIUS servers 
needed to support your eduroam & other 802.1x usage. We currently have a peak 
of around 65k of concurrent users across our network. Most of those users are 
using a MAC based auth captive portal.

As we begin to steering users to eduroam for on campus use, we are trying to 
model load and the number of FreeRADIUS needed to support that load. I know 
that there are a lot of variables in answering this question, but I’d really 
like to get input and better understand what others are doing.

Feel free to reply either on or off list depending on what you are willing to 
share publicly.

Thank you

David



David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu<mailto:dmor...@u.washington.edu>



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Wireless Printers/Wi-Fi Direct, couple of other devices

[David Morton]

FYI, we have roughly:

12,977 iPhones
8,783 iPod touches
3,880 Androids
1,852 iPads
338 Win Mobile
804 Blackberry
330 Symbian
19 Palm OS

You can see more stats at www.freshlymobile.com

We gather these stats from our wifi registration system. It looks at the 
browser user agent when they register.

David





David Morton
Director, Mobile Communications
University of Washington
dmor...@u.washington.edu
tel 206.221.7814


--
www.freshlymobile.com
 a fresh look at mobility
--
On Feb 16, 2011, at 1:39 PM, Marcelo Lew wrote:

 At the moment, I have two Nintendos, 44 XBoxen, 373 iPods, 787 iPhones,
 144 iPads, 14 Palms, 183 Androids, 37 Playstations, 9 Windows Mobile devices, 
 11 Nokias, and 34 Blackberries on my network, that I know of...
 
 How are you getting these specific stats?
 
 Marcelo Lew
 Wireless Enterprise Administrator
 University Technology Services
 University of Denver
 Desk: (303) 871-6523
 Cell: (303) 669-4217
 Fax:  (303) 871-5900
 Email: m...@du.edu
 
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cal Frye
 Sent: Wednesday, February 16, 2011 8:13 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Wireless Printers/Wi-Fi Direct, couple of other 
 devices
 
 On 2/16/11 7:45 AM, Brian Helman wrote:
 We are trying to avoid adding non-workstation systems to the wireless
 network.  My philosophy is, if the system isn't mobile, it should be
 wired.  That's why my XBox and Wii have ethernet cables at home too!
 
 Of course, that's a large exception ;-)
 
 At the moment, I have two Nintendos, 44 XBoxen, 373 iPods, 787 iPhones,
 144 iPads, 14 Palms, 183 Androids, 37 Playstations, 9 Windows Mobile
 devices, 11 Nokias, and 34 Blackberries on my network, that I know of...
 
 -- 
 Best regards
 -- Cal Frye, Network Administrator, Oberlin College
   Mudd Library, x.56930 -- CIT will NEVER ask you for your password!
 
   www.calfrye.com,  www.oberlin.edu/cit/
 
 Life is a long lesson in humility. -- James M. Barrie.
 
 **
 Participation and subscription information for this EDUCAUSE Constituent 
 Group discussion list can be found at http://www.educause.edu/groups/.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 .

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Wireless Bakeoff

[David Morton]

Did they solve a high density problem that the others couldn't? My impression 
with Xirrus is that might be a solution to consider to in a larger open space 
with higher density, but that a solution with multiple APs with decent auto 
radio management capabilities would solve the issue as well (and perhaps 
better).

David




_
David Morton
Director, Mobile Communications
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

 
 
 On Oct 4, 2010, at 11:00 AM, heath.barnhart wrote:
 
 Same here.
 
 Heath
 
 On 10/4/2010 12:50 PM, Ammar Abdulahad wrote:
 
 We are using Xirrus in our entire campus including residential halls. 
 Xirrus really solved the issues we were having in high density areas.
  
  
 Ammar Abdulahad
 IT Service Delivery
 Lawrence Technological University
 
 
  
 On Mon, Oct 4, 2010 at 12:35 PM, Huels, Chris cjhu...@wustl.edu wrote:
 All,
 
 Currently Washington University uses Meru for wireless. In order to migrate 
 to 802.11n, we will have to replace all of the access points and look at 
 replacing the controllers to accommodate the throughput. This has given us 
 the opportunity to go back and assess other vendors that offer enterprise 
 wireless solutions. The vendors that we are looking into are Meru, Aruba, 
 and Cisco. I would like to get input from this group on some pros and cons 
 of each, or are there other vendors that have been working well? Any input 
 would be helpful.
 
 Thanks
 Chris
 ** Participation and subscription information for this EDUCAUSE 
 Constituent Group discussion list can be found at 
 http://www.educause.edu/groups/.
 
 ** Participation and subscription information for this EDUCAUSE 
 Constituent Group discussion list can be found at 
 http://www.educause.edu/groups/.
 
 
 
 -- 
 Heath Barnhart, CCNA
 Network Administrator
 Information Systems and Services
 Washburn University
 Topeka, KS 66621
 ** Participation and subscription information for this EDUCAUSE 
 Constituent Group discussion list can be found at 
 http://www.educause.edu/groups/.
 
 


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Sr. Network Engineer - Wifi focused

[David Morton]

We are looking for a Sr. Network Engineer in our Technology Management group at the University of Washington. The UW is a dynamic environment with the opportunity to work on many interesting projects.I've posted the text of the job description below or you can view it and apply via the following link:https://uwhires.admin.washington.edu/eng/candidates/default.cfm?szCategory=JobProfileszOrderID=67444szlocationID=88If you have any questions, please let me know.David_David MortonDirector, Mobile CommunicationsUniversity of Washingtondmor...@u.washington.edutel 206.221.7814www.freshlymobile.com a fresh look at mobilityNETWORK ENGINEER-WirelessReq #:67444Department:UW INFORMATION TECHNOLOGYAppointing Department Web Address:https://www.washington.edu/uwit/index.htmlJob Location:Seattle CampusPosting Date:08/26/2010Closing Info:Open Until FilledSalary:Salary is commensurate with experience and education.The University of Washington (UW) is proud to be one of the nation’s premier educational and research institutions. Our people are the most important asset in our pursuit of achieving excellence in education, research, and community service. Our staff not only enjoys outstanding benefits and professional growth opportunities, but also an environment noted for diversity, community involvement, intellectual excitement, artistic pursuits, and natural beauty.UW Information Technology has an outstanding opportunity for a Network Engineer.Responsibilities:A Network Engineer is expected to be a network professional with experience in complex data and telecommunications systems design, development, management, and evaluation. Domain expertise ranges from Radio Frequency, WLAN, Layer 2/3, WLAN controller design, implementation, protocols and architecture.Position Complexities:Must have in depth knowledge to architect, design, implement and maintain 802.11a/b/g/n wireless networks and supporting hardware, security mechanisms, wireless data technologies, RF analysis equipment, network sniffers, and protocols. Experience with wireless site surveys, RF design and behaviors, access points, networking setup and troubleshooting skills are essential. Experience working with RF analysis equipment, power meters, spectrum analyzers, and/or signal generators is required.In addition to wireless technologies, the applicant must have complete understanding of layer 2/3 networking, from network design and implementation to troubleshooting complex wired ethernet networks, as support of campus wired networks is required.A Network Engineer is expected to have expertise in contemporary network technologies and protocols including TCP/IP, OSPF, IPv4, QoS, and VoIP.Duties:Network Engineers are responsible for data communication system planning, design, development, installation and operations, as well as escalated technical support for the Network Operations Center staff. They provide consultation to the University on data and telecommunications network services and systems, participate in requirements definition process, design and implement appropriate solutions, and identify and solve operational problems relating to networks and distributed communication systems and servers. Other characteristic responsibilities include: identify existing and emerging technologies and evaluate their applicability to UW's needs, and participate in projects to deploy state-of-the-art networks.As a UW employee, you will enjoy generous benefits and work/life programs. For detailed information on Benefits for this position,click here.Requirements:Bachelor's degree, or equivalent experience, in communication engineering, computer science or related field.Required Minimum Work Experience:Four years experience in network engineering, implementation, or operations.Additional Minimums:A highly disciplined troubleshooting methodology, paying close attention to detail, maintaining detailed configuration and testing documentation, with good verbal and written communication skills.Experience must include design, deployment, and support of a large WLAN infrastructure, testing wireless products including access points and client devices for evaluation, documentation, integration, customer support documentation, and product development.Experience with AAA, IP mobility (Moble IP), SNMP, IP network security, VLAN, and IP utilization management.Excellent understanding of interconnection and troubleshooting techniques for WAN/LAN hardware to include routers, LAN switches, wireless access points. Equivalent education/experience will substitute for all minimum qualifications except when there are legal requirements, such as a license/certification/registration.Desired:Experience with ArubaOS software and associated Aruba WLAN infrastructure.Working within a hospital or healthcare environment.Condition of Employment:Must be able to respond to network outages, scheduled installations, and maintenance 

Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity

[David Morton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Unfortunately it is the design of PEAP (and TTLS) to offer separate  
inner and outer identities. There has been a lot of discussion in the  
IEEE about how to better support service provider billing in these  
instances, but I don't know what came of those discussions. Perhaps  
someone else on the list knows.


David


David Morton
Director, Security Solutions
Technology Engineering, CC
University of Washington
[EMAIL PROTECTED]
http://staff.washington.edu/dmorton/blog
tel 206.221.7814



On Jun 1, 2006, at 3:27 PM, Julian Y. Koh wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

How are people handling accounting records for your 802.1X wireless  
networks?
 We're in the process of rolling out EAP-PEAP, and everything is  
fine in
terms of our RADIUS accounting records from the APs as long as the  
users
leave the Outer Identity field blank - we end up with their real  
usernames
in the accounting records.  However, as soon as they fill in  
anything for
Outer Identity (Mac OS X) or Roaming Identity (Intel Wireless  
utility),
that text is what ends up in our accounting records.  Obviously  
this is
suboptimal in terms of relying on our accounting records for true  
accounting

of who was where on our network.  Is there any way around this?

FWIW, we're using Cisco 1200 APs with a WLSM/WLSE combo, Steel  
Belted RADIUS

talking to an Active Directory back end.

Thanks in advance!


-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.6 (Build 6060)
Comment: http://bt.ittns.northwestern.edu/julian/pgppubkey.html

iQA/AwUBRH9ptA5UB5zJHgFjEQKANgCcDrXkDHD7v+CDJmulrxHcTtVWSdsAn0sj
GgvPA4nr9fM5cY5s0cNVuNly
=TiAV
-END PGP SIGNATURE-

--
Julian Y. Koh  
mailto:[EMAIL PROTECTED]
Network Engineer   phone: 
847-467-5780
Telecommunications and Network Services Northwestern  
University
PGP Public Key:http://bt.ittns.northwestern.edu/julian/ 
pgppubkey.html


**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEf2tdv56EHSc/epsRArhhAJ9XU4+IWMvAt8YUdGpzXncVY7HLSwCff9cb
baU9+fqnNrGzb8KUk7LK3o0=
=0EIY
-END PGP SIGNATURE-

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity

[David Morton]

You and Julian are, of course, right about both Radiator and SBR. I  
was thinking about the problem from a different angle, where the PEAP/ 
TTLS session was terminating on a foreign system (as is the case with  
roaming, commercial service providers or a distributed education  
environment).


Thanks setting the record straight. This topic also reminds me of  
Benard Aboba's excellent site on related subjects at http:// 
www.drizzle.com/~aboba/IEEE?


David


On Jun 1, 2006, at 4:18 PM, Michael Griego wrote:

If, in the RADIUS Access-Accept, a User-Name attribute is included,  
then, according to the spec, the NAS *must* use that value in any  
accounting records.  So, if you can get your RADIUS server to  
return the User-Name used in the inner exchange as the User-Name in  
the final Access-Accept, then the NAS should use that in the  
accounting records.


FreeRADIUS does this by way of a use-tunneled-reply option in the  
PEAP module setup.


--Mike


On Jun 1, 2006, at 5:27 PM, Julian Y. Koh wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

How are people handling accounting records for your 802.1X  
wireless networks?
 We're in the process of rolling out EAP-PEAP, and everything is  
fine in
terms of our RADIUS accounting records from the APs as long as the  
users
leave the Outer Identity field blank - we end up with their real  
usernames
in the accounting records.  However, as soon as they fill in  
anything for
Outer Identity (Mac OS X) or Roaming Identity (Intel Wireless  
utility),
that text is what ends up in our accounting records.  Obviously  
this is
suboptimal in terms of relying on our accounting records for true  
accounting

of who was where on our network.  Is there any way around this?

FWIW, we're using Cisco 1200 APs with a WLSM/WLSE combo, Steel  
Belted RADIUS

talking to an Active Directory back end.

Thanks in advance!


-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.6 (Build 6060)
Comment: http://bt.ittns.northwestern.edu/julian/pgppubkey.html

iQA/AwUBRH9ptA5UB5zJHgFjEQKANgCcDrXkDHD7v+CDJmulrxHcTtVWSdsAn0sj
GgvPA4nr9fM5cY5s0cNVuNly
=TiAV
-END PGP SIGNATURE-

--
Julian Y. Koh  
mailto:[EMAIL PROTECTED]
Network Engineer   phone: 
847-467-5780
Telecommunications and Network Services Northwestern  
University
PGP Public Key:http://bt.ittns.northwestern.edu/julian/ 
pgppubkey.html


**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.



**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Paint that attenuates Radio Signals

[David Morton]

While I haven't tried that particular product, I have use other types  
of paint to attenuate RF (don't recall the commercial names).  They  
worked fairly well, but since they blocked a pretty wide range of  
frequencies you might have unintended consequences. For example, cell  
phones signals were also attenuated.


David




On Feb 9, 2006, at 1:17 PM, Stephen Holland wrote:


Has anybody heard of a product from Force Field Wireless that can be
painted on walls to attenuate Radio Signals like WiFI?.

I happened to find a link to it by accident and I'm curious as to how
effective it is.

Thanks

Steve Holland
Network Engineer
Northeastern University

**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Vivato

[David Morton]

At a previous employer, we look to products from Ottawa based Belair networks (http://www.belairnetworks.com/) among others. They don't currently make use of smart antenna technology, but build a good, solid product that provided a fairly large coverage area.David David MortonDirector, ITI Security SolutionsUniversity of Washington[EMAIL PROTECTED]tel 206.221.7814 On Dec 19, 2005, at 7:47 AM, Ryan Lininger wrote:I'm surprised by this news.  I thought that Vivato had a pretty good product.  We are looking for a solution to implement wireless campus wide and Vivato looked pretty good until this news hit the stands Friday.  Are there any other companies out there that can compete with Vivato's product?  We have been looking at another company called 5G wireless (http://www.5gwireless.com) but I've read mixed reviews and my interactions with the company have been mixed.What other companies do people recommend for indoor and outdoor wireless deployments?Ryan LiningerNetwork Systems EngineerDenison University[EMAIL PROTECTED]King, Michael wrote: I just got an email from a contact at Vivato.  He forwarded this to me,with the note that his doors close tommorrowLast Call for Vivato? 12.15.05Everyone is talking about rumors of the imminent demise of Vivato Inc.,one of the startups that originally kick-started the wireless LAN switchmovement.Multiple sources [ed. note: It's even on the message-board!] have toldUnstrung that the company is expected to close down by the end of theyear, with December 20 looking like the most likely date.We spoke to Vivato last week when these rumors first got too loud toignore, and a spokesman denied them then. No one has yet replied tocalls today.The firm is said to be looking for a buyer, but it is not clear whatprospects are out there.Of course, Vivato has been pronounced dead in the water before and comeback. But the wireless whisperers we've spoken to insist that theinvestor community is now saying that Vivato will close its doors soon.Vivato's closure could be seen as something of an end of an era for theWLAN market. The firm was one of the first to promote the idea of acentrally-managed "wireless LAN switch" network for enterprise users.(See Vivato Plans Ambitious WLAN.)But unlike successful startups, such as Airespace and Aruba WirelessNetworks that followed in its wake, Vivato proposed to "light up"offices with one powerful box that used "beam-steering" technology toprovide radio coverage over hundreds of square feet. (See WLAN Switches:The Brains Behind 802.11?.) The other players in this space preferred touse a central switch to manage a network of "dumb" access points. (SeeVivato's Switch Bitch and Switch Tiff Heats Up .)But in practice, providing coverage in an office-space filled with cubesand other radio-dampening obstacles proved to be a tricky task for theVivato. So the firm repositioned itself as a company that could providecoverage for stadiums, conference centers, and outdoor areas. (SeeVivato's New Broom and Vivato Goes Wide.)But despite winning some contracts, the company has remained troubled.In April, the firm hired a new "crisis CEO" to restructure the company.(See Vivato Hires Crisis CEO.)Since its foundation in December 2000, Vivato has scored around $67million in funding from investors like Intel Capital and U.S. VenturePartners.- Dan Jones, Site Editor, UnstrungCopyright (c) 2000-2005 Light Reading, Inc. - All rights reserved.www.unstrung.com**Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.  **Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. **
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] [SCFN] offtopic VoIP eavesdropping (fwd)

[David Morton]

I want to echo John's comments about the need for better VoIP  
security and 802.11r is still at least 18 months away. It is worth  
noting that there are some proprietary solutions from Cisco and  
others if you need something in the mean time.  The standard  
disclaimers about proprietary solutions apply, but they are available  
if they fit your environment.


David


David Morton
Director, ITI Security Solutions
University of Washington

On Nov 29, 2005, at 2:02 PM, Jonn Martell wrote:


Agreed. There are a couple of important components.
The first is 802.1x but as important is fast roaming (secure  
handoffs between APs).  IEEE 802.11r is still a work in progress.  
PMK-caching  is the way to facilitate secure fast roaming in  
current generation products but it's likely not going to appear for  
WPA devices (not sure exactly why?)


It appears the handset vendors will have to support WPA2. We're  
seeing a number of interesting handsets which are starting to just  
now support WPA but not WPA2. In many cases WPA2 will require brand  
new handsets which have yet to see the light of day.  Needless to  
say, we aren't buying a lot of expensive VOIP wireless handsets  
right now but we are testing several... :-)


Our VOIP over Wireless pilot uses WPA-PSK and we won't release  
devices that exposes the PSK. I think that's the best way to deploy  
secure VOIP over wireless in the short term. Not ideal, as Frank  
says, vendors aren't very far along.


My prediction is that secure VOIP (at the application layer) will  
open the floodgates on all VOIP (including VOIP over wireless)...   
We're already starting to see this with Skype... The days for  
insecure VOIP are numbered IMHO.


... Jonn Martell, Manager UBC Wireless (Wireless and VOIP Project  
Manager)


on 11/29/2005 1:41 PM Frank Bulk said the following:

Hear-hear, but the Wi-Fi handset vendors are by far and large not  
that far

long in the thought process

Frank
-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] Sent: Tuesday,  
November 29, 2005 2:33 PM

To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [SCFN] offtopic VoIP eavesdropping  
(fwd)


This highlights the exact reasons that VoFi systems *should* use  
802.1x
authentication with per-station keys.  That way, each handset has  
its own
key to encrypt its traffic over the air with, stopping the easy  
sniffing of

traffic passing through the air.  This, of course, does nothing for
beyond-the-AP sniffing, but it is presumed that is handled by  
other security

measures in the environment.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Lee Barken wrote:


Any comments?  (Originally sent to socalfreenet.org)

-- Forwarded message --
Date: Tue, 29 Nov 2005 09:20:11 -0800 (PST)
From: Lee Barken [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [SCFN] offtopic VoIP eavesdropping

This is somewhat offtopic for a wireless list-- but kinda  
relevent considering our plans to implement VoIP in our wireless  
clouds


VoIP, in essence, uses CLEARTEXT protocols... making passive  
capture trivial in a wireless environment. (?)  What is the  
risk that somebody will capture unauthorized recordings of voice  
communication?  Is there a legal precendent for prohibiting  
wiretapping in a digital



environment?


http://oreka.sourceforge.net/

The open source, cross-platform audio stream recording and  
retrieval system Oreka is a modular and cross-platform system for  
recording and retrieval of audio streams. The project currently  
supports VoIP and sound device based capture. Recordings metadata  
can be stored in any mainstream database.  Retrieval of captured  
sessions is web based.


Record VoIP RTP sessions by passively listening to network  
packets. Both sides of a conversation are mixed together and each  
call is logged as a separate audio file. When SIP or Cisco Skinny  
(SCCP) signalling is detected, the associated metadata is also  
extracted.


Take it easy,
  -Lee


___
SoCalFreeNet.org General Discussion List To unsubscribe, please  
visit: http://socalfreenet.org/mailman/listinfo/ 
discuss_socalfreenet.org


**
Participation and subscription information for this EDUCAUSE  
Constituent


Group discussion list can be found at http://www.educause.edu/ 
groups/.


**
Participation and subscription information for this EDUCAUSE  
Constituent
Group discussion list can be found at http://www.educause.edu/ 
groups/.


**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.




**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.


**
Participation and subscription

Re: [WIRELESS-LAN] 802.1x authentication on wired network

[David Morton]

If you're not using ACS, there are three Radius attributes that can  
be used to put a user in a particular VLAN. I don't recall the  
attribute numbers off the top of my head, but I am sure you can find  
them on Cisco's web site.  I know that they are also in the Microsoft  
Wireless Provisioning Server documentation (which you can find on  
Microsoft's web site.)


David


David Morton
Director, Security Solution
University of Washington


On Nov 28, 2005, at 5:14 AM, David Warner wrote:


Matt,

Inside the Cisco ACS server(and other radius servers I assume) you  
can specify which vlan a group should be associated with.  The  
dot1x configuration on the switch will then use that information to  
set the vlan when a user successfully authenticates.


dave warner


At 09:50 AM 11/25/2005, Matt Ashfield wrote:
Just out of curiosity, what is the mechanism that places the user  
in the
specified vlan? Namely, which component sets the switch port to be  
part that

a specified vlan?

Thanks

Matt
[EMAIL PROTECTED]

-Original Message-
From: David Warner [mailto:[EMAIL PROTECTED]
Sent: November 21, 2005 4:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x authentication on wired network

I've been testing the 802.1x authentication on Cisco catalyst  
switches with
the ACS radius server with an Active Directory authentication  
database and
a Microsoft windows XP client machine.  I would like to  
authenticate users

based on AD info and place the computer in the authorized vlan.

I have found that I am unable to use the windows credentials for  
dot1x
authentication when a new user is using a machine.  The process of  
logging
into the machine and changing the user's vlan often causes the  
machine to
be unable to obtain an IP address through DHCP.  Cisco has  
recommended to
not use the Windows credentials and use the separate dot1x  
authentication

but we were hoping to avoid multiple logins.

Another issue is that the current windows xp implementation stores  
the
dot1x credentials in the registry.  The username, password and  
domain are
all cached in  current_user\software\microsoft\eapol\UserEapInfo.   
Unless

this entry is deleted it is always used to determine the user
credentials.  This is also a problem when a different person tries  
to use

the same machine in a lab or classroom shared machine.

Has anyone encountered these problems on the wired side of the  
network and

found a workaround.

TIA

**
Participation and subscription information for this EDUCAUSE  
Constituent
Group discussion list can be found at http://www.educause.edu/ 
groups/.


**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE  
Constituent Group discussion list can be found at http:// 
www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.