Re: spurious cpi report of mass AP disassociation

2017-09-15 Thread Earl Barfield
> Date:Mon, 11 Sep 2017 17:48:58 -0700
> From:Mark Duling <mark.dul...@biola.edu>
> Subject: Re: spurious cpi report of mass AP disassociation
> 
> Thanks for all the replies everyone. Well I'm not used to looking at AP
> logs, but ...


After such an event, log into the controller and run 'show ap summary'.
The list of APs shows up in the order that the APs joined the controller
so the ones at the end of the list are the newest ones to join.   Pick
one at the bottom of the list and run 'show ap config general '
and look for the join info near the bottom, e.g.:

> AP Up Time. 1 days, 21 h 15 m 05 s
> AP LWAPP Up Time... 1 days, 21 h 13 m 10 s
> Join Date and Time. Wed Sep 13 16:03:59 2017
> Join Taken Time 0 days, 00 h 01 m 54 s


If the AP dropped and joined, then it will be evident from the Join
Time.   If the AP rebooted, then it will be evident from the AP Up Time.
If neither, then you had a false alarm from Prime.




-- 
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


Re: Radius Transaction Times

2017-05-08 Thread Earl Barfield



Date:Fri, 5 May 2017 14:19:47 +
From:"Watters, John" <john.watt...@ua.edu>
Subject: Re: Radius Transaction Times

We have been having RADIUS problems for a while. After a lot of cussing and 
gnashing of teeth I got the RADIUS folks to build three new servers (all virtual). 
These were put into the same IP address spaces as our Cisco 8510 controllers. We 
are running MPLS with our campus divided into three areas (soon to become four 
since we acquired 100+ acres of adjacent land that used to be the State mental 
health hospital complex). The WLCs, RADIUS servers, and APs are all in a global VRF 
in each area. In addition these new RADIUS servers (running FreeRadius) had code 
upgrades that provided caching which cut down dramatically on their calls to our 
LDAP servers (we do not use AD for this function). We have found that the new 
RADIUS servers perform well enough to drastically cut down our timeout & retry 
values. And, they are not failing over to the other listed RADIUS servers at all. I 
have been looking at the stats, adding the results into a spreadsheet for 
comparison, and resetting the stats on a daily basis for about a week now. Very 
impressive results compared to what they were in the past. (Zero failovers to the 
backup RADIUS servers.) Now, the slow RADIUS performers are the few where we allow 
areas to run their own RADIUS authentication (e.g., Athletics and a State funded 
traffic accident center).


The following are stats for the last 24 hours for the primary RADIUS servers in 
each MPLS area. Note that our last day of finals was yesterday. So overall 
usage is down somewhat from previous days.


All controllers are 8510s running Cisco 8.0.140.0 due to a few older APs that 
we are phasing out this summer.



We also run Cisco controllers and freeradius with Active Directory
back-end.

We had horrible horrible HORRIBLE radius performance problems back
around 8.0 code.   I forget the exact version but the version that
fixed it introduced the concept of what Cisco calls "radius queues" but
it's really just a range of UDP source ports to distribute the queries
across.


Run this command on your controller:  'show radius queue'
If you don't see multiple Source Ports, then upgrade WLC code **ASAFP**



 >show radius queue

Max Radius Queues Per Server. 8
 Source Port numbers used 32769 32770 32771 32772 32773 
32774 32775 32776

Max Radius Buffers Available. 4064
 Currently number of Buffers consumed 1

Radius Authentication Messages Stats
 Total Auth Req sent(allocated).. 71786156
 Total Auth Resp rcvd(freed). 71786155
 Total Auth Req Pkts Dropped(no buffer).. 0

Radius Accounting Messages Stats
 Total Acct Req sent(allocated).. 0
 Total Acct Resp rcvd(freed). 0
 Total Acct Req Pkts Dropped(no buffer).. 0




The problem that we had was, when classes changed and everyone moved
locations and then reconnected to Wifi, more than 256 login
conversations were going on at once.   This overflowed the radius_id
8-bit counter and confused the controller and radius server about which
user was being authed.

Since radius is UDP and does not have a TCP session to keep track, the
only unique identifiers are the source IP, source mac, dest ip, dest
mac and radius_id 8-bit counter.   Since the source and dest are always
the same, the 8-bit counter is all you've got.

The controller would flush both conversations and force them to restart
auth which cascaded out of control.   Then it would failover to another
radius server and start spewing all the half-completed auth
conversations at the new radius server which, of course, had no
knowledge of the partially completed conversations.  Thus, this radius
server would fail out and the WLC would go on to the next.
Wifi was unusable for upwards of five or ten minutes at the top of each
hour.  Natives were gathering at the door with pitchforks and knives.
We were scared.




--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu




Aruba controller loading

2017-03-10 Thread Earl Barfield

I know that the Aruba / Hewlett Packard literature says that you can
support 2000 APs on their biggest controller (7240XM).

Is anyone actually running that many APs per controller in real
production?  If not, then how many APs per controller do you run?

For relative size info, we're a diverse higher-ed installation with
about 5000 APs and peak simultaneous user counts right about 30,000.

Thanks.


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: Helpdesk Troubleshooting of Wireless Issues

2017-03-02 Thread Earl Barfield

Date:Wed, 1 Mar 2017 17:41:45 +
From:Bryan Sherwood <bryan.sherw...@nau.edu>
Subject: Re: Helpdesk Troubleshooting of Wireless Issues

We take a slightly different approach to what has already been shared when it 
comes to students. When students in either a residence hall or other campus 
building call in, our student employees on the phone collect the following:

· Drivers (check for updates, ensure that correct drivers are installed)

· Power Settings (ensure that maximum performance is chosen for battery 
and plugged in)

· Delete/Re-Add Saved Wireless Networks

· Disable Link-Layers

· Disable Printer/File Sharing




One of our clever engineers went a step further and wrote a little web
page that gathers much of this information automatically and creates a
helpdesk ticket.

The user who is having problems, assuming he can get connected at all,
can browse to the debug web page.  The script then reaches out to the
XML API in Airwave Management Platform and gathers information such as
which AP they are associated to, which neighbors that AP can see (rogue
and managed, etc).  We do not gather driver version of the client or
anything like that, just concentrating on the infrastructure pieces.

This way we at least get a helpdesk ticket with the user's correct IP
address, mac address, etc. from which to start an investigation.


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: Cisco 8540s, and 8.3.102 Code

2016-09-21 Thread Earl Barfield

On 09/21/16 00:00, WIRELESS-LAN automatic digest system wrote:

Date:Tue, 20 Sep 2016 10:25:06 -0600
From:Luke Jenkins <ljenk...@weber.edu>
Subject: Re: Cisco 8540s, and 8.3.102 Code

Have you gotten bug IDs for the FRA and 11k issues?



No, not yet.   I'm not convinced that it's related to 11k and maybe not
even related to FRA.   It's possible that we're suffering from Bug
CSCus83638 and the act of disabling FRA just reset everything enough
to start working for a while and it will slowly taper off again.  I need
to get a copy of the 8.2.124.x to try.

Each change we make at TAC's request seems to fix things for a while but
then it slowly shows the symptoms again, namely a dearth of 5GHz assoc
clients in high density areas where there should be many.

This seems to only be happening on our AP3800s and we have an important
academic building that is recently upgraded to all AP3802Is.   TAC
keeps wanting us to try different things but we're trying to be
considerate of the folks in that building trying to get instruction
done.

Our other buildings with AP3802s are not heavily dense so we don't see
this same problem.   For example, in the low density buildings, our
AP3802s never switch into FRA mode with both radios on 5GHz band.
We're not sure if dual-5GHZ is a requisite for this bug but it's seemed
to coincide on the ones that we checked.

I'm trying to pull some of that trend data out of the Airwave
Management Platform database and see if we have a correlation.



--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: Cisco 8540s, and 8.3.102 Code

2016-09-20 Thread Earl Barfield

Date:Mon, 19 Sep 2016 10:03:18 -0400
From:Garret Peirce <pei...@maine.edu>
Subject: Re: Cisco 8540s, and 8.3.102 Code

We run 8.3 on some new 8540s.

We moved to 8.3 to resolve a DFS issue in 8.2 (CSCuy45955 - AP stops
xmitting beacons after some # of DFS events). This is fairly silent btw,
look for a dearth of 5G clients and/or cleanair being down.



We're seeing similar symptoms and user complaints with 5G clients being
unable to connect on the AP3802 Access Points.   We saw this on
8.2.121.0 code and now also on 8.2.121.11.  I'll have to go
double-check but I'm sure that we were seeing beacons from both radios.

Cisco had us disable FRA and now they've asked us to disable 11k
Assisted Roaming Prediction Optimization.

In your environment, do you have  11k and Assisted Roaming Prediction
Optimization enabled when you observed this problem?





--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

2016-04-11 Thread Earl Barfield

On 04/07/2016 09:24 AM, Hector J Rios wrote:


I guess this brings up another good question, and that is, what is the
percentage of 5GHz vs 2.4GHz you all see in your institutions? For us
it is still 50-50. And it’s been like that for a while. I still see new
laptops that only come with 2.4GHz adapters.




While it can be useful to track what percentage of connections use 5GHz
radios, we've found that a better question to ask is "What percentage
of 5GHz-capable clients are actually connecting at 5GHz".

In our environment, it varies wildly by building: some as high as 95%
of sessions and others, such as our outdoor spaces, down close to zero.

We focus our resources on improving the 5GHz coverage in the buildings
with the lower percentages.

All this data is in the Airwave Management Platform database.   It just
takes a little gentle coaxing to get it out.

In our high density spaces, we have many many APs on 5GHz with
directional antennas, along with turning off lower data rates and
raising RxSOP to limit the cell size.   We turn off 2.4GHz
radios on all but a few APs in the room.   From the user side, this
should look about like APs with multiple 5GHz radios.

We're using Cisco AP3702Es right now but we're anxious to take a look
at the upcoming AP3802Es that should allow us to use fewer APs to
but the same number of 5GHz antennas serving a room.



--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: Recent Radius Meltdowns

2016-03-10 Thread Earl Barfield

Date:Wed, 9 Mar 2016 14:05:07 -0700
From:Jake Snyder <jsnyde...@gmail.com>
Subject: Recent Radius Meltdowns

Just wanted to throw this out to the educause community to see if others
are seeing this.  Although this is not ultimately a problem with Higher Ed,
the large scale RADIUS deployments in higher ed resulting in more impact

Several weeks ago we had a higher ed customer whose Radius environment
started periodically melting down.  The customer was running Cisco
Infrastructure and ACS 5.x on the back end.



I'm curious whether this customer was running WLC 8.1 code or something
older?

Although slightly different environment, we had horrible horrible
radius problems under WLC 8.0 code that were improved tremendously when
we upgraded to 8.1 and enabled the multiple radius queues (Cisco speak
for multiple UDP source ports).


If anything (radius server, users, Active Directory, etc) slows down
the auth process, then you're going to have more auth sessions in
progress simultaneously.

There is an 8-bit field in the radius auth packet called radius_id that
the controller and radius server use to keep straight which auth
session is which.  If you exceed 255 radius auth sessions in progress
per queue, then meltdown is inevitable.  More queues allows more auth
sessions.



(Hotel-WLC) >show radius queue summary

Max Radius Queues Per Server. 8
 Source Port numbers used 32769 32770 32771 32772 32773 
32774 32775 32776

Max Radius Buffers Available. 4064
 Currently number of Buffers consumed 11

Radius Authentication Messages Stats
 Total Auth Req sent(allocated).. 13588897
 Total Auth Resp rcvd(freed). 13588897
 Total Auth Req Pkts Dropped(no buffer).. 0

Radius Accounting Messages Stats
 Total Acct Req sent(allocated).. 0
 Total Acct Resp rcvd(freed). 0
 Total Acct Req Pkts Dropped(no buffer).. 0




--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu
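
Added example (not part of the original message): a small model of the radius_id limit described in this message and in the other RADIUS posts on this page, comparing one source port with the eight ports shown in the 'show radius queue' output. The SHA-256 port hash, the constructed client MACs, the fixed per-request latency and the function names are assumptions made for the illustration.

```python
import hashlib

ID_SPACE = 256                            # radius_id is an 8-bit field
PORTS_SINGLE = [32769]                    # one source port (pre-fix behaviour)
PORTS_FIXED = list(range(32769, 32777))   # the eight ports listed in the output above


def client_mac(i):
    """Constructed, locally administered MAC for simulated client i."""
    return "02:00:00:00:%02x:%02x" % ((i >> 8) & 0xFF, i & 0xFF)


def source_port(mac, ports):
    """Pick the source port ("queue") for a client.

    Assumption: SHA-256 stands in for the controller's hash, which the
    posts only describe as "hashed on client mac".
    """
    return ports[hashlib.sha256(mac.encode()).digest()[0] % len(ports)]


def simulate(n_requests, interval_us, latency_us, ports):
    """Count requests that reuse a (source port, radius_id) still in flight.

    One request is sent every interval_us microseconds and stays outstanding
    for latency_us (time until the server's reply frees the ID).  Each port
    has its own wrapping 8-bit counter that is NOT checked against the IDs
    still in use, which is the behaviour the bug description reports.
    """
    next_id = dict.fromkeys(ports, 0)
    busy_until = {}            # (port, radius_id) -> time the ID is freed
    conflicts = 0
    for i in range(n_requests):
        now = i * interval_us
        port = source_port(client_mac(i), ports)
        rid = next_id[port]
        next_id[port] = (rid + 1) % ID_SPACE
        key = (port, rid)
        if busy_until.get(key, 0) > now:
            conflicts += 1     # server would see two live packets with one ID
        else:
            busy_until[key] = now + latency_us
    return conflicts


if __name__ == "__main__":
    # 1000 requests at 1000 req/s; in-flight count is roughly rate x latency.
    for label, latency_us, ports in [
        ("1 port, 200 ms server latency", 200_000, PORTS_SINGLE),
        ("1 port, 400 ms server latency", 400_000, PORTS_SINGLE),
        ("8 ports, 400 ms server latency", 400_000, PORTS_FIXED),
    ]:
        print(label, "->", simulate(1000, 1000, latency_us, ports), "conflicts")
```

At 1000 requests per second a single port stays clean while replies return within 256 ms; once the server slows past that, IDs are reused while still in flight, and spreading the same load over eight ports removes the conflicts.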



Re: Naming conventions for WLAN devices

2016-02-03 Thread Earl Barfield

We use  -  (eg 100-170)
or   -  - 
for rooms that have more than one AP in them (eg 166-144-1).

We got away from using building names many years ago because they keep
renaming the damned buildings every time a new donor wanted his name
associated with a building ( or an old donor went bankrupt and  stopped
donating :-) ).

We have official and static building numbers that have proven reliable
and non-changing.



--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: Measuring RADIUS Auths

2015-10-19 Thread Earl Barfield

Date:Fri, 16 Oct 2015 18:21:19 +
From:"Mattson III, Ken V." <kenmatt...@creighton.edu>
Subject: Re: Measuring RADIUS Auths

I am pretty sure it is raw ("The number of RADIUS Access-Request packets sent to 
this server. This does not include retransmissions.").

1.3.6.1.4.1.14179.2.5.3.1.8.3 is the retransmissions.
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en=Translate=bsnRadiusAuthClientAccessRetransmissions#oidContent


Output from a snmpbulkwalk on one of our controllers:
.1.3.6.1.4.1.14179.2.5.3.1.7.3 = Counter32: 93421076
.1.3.6.1.4.1.14179.2.5.3.1.7.4 = Counter32: 0
.1.3.6.1.4.1.14179.2.5.3.1.8.3 = Counter32: 31652
.1.3.6.1.4.1.14179.2.5.3.1.8.4 = Counter32: 0


If you are doing EAP-PEAPv0/MS-CHAPv2 then there will be many (a dozen
or so) Access-Request packets sent per user authorization occurrence.

The WiSM sends Access-Request (type 1) and the radius server answers
with Auth-Challenge (type 11).   This repeats back and forth many times
until the radius server finally answers the final Auth-Request with
either an Auth-Accept (type 2) or Auth-Reject (type 3).


Just be clear what you're counting when comparing with other
institutions or you will be off by quite a bit.   Apples-to-apples, etc.







--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: Cisco WLC RADIUS Packet ID Bug

2015-09-27 Thread Earl Barfield

Date:Fri, 25 Sep 2015 16:46:34 +
From:"Curtis K. Larsen" <curtis.k.lar...@utah.edu>
Subject: Re: Cisco WLC RADIUS Packet ID Bug


Well, thanks for your persistence which it sounds like we will now
benefit from. I am glad that there is a fix in 8.1 code, however it is
unfortunate that the bug notes do not currently indicate a fix in any
code version whatsoever.

Thanks,



The BugID we were given was  CSCuj88508 which is a duplicate of
CSCus51456 which says fixed in 8.1.110.149 and 8.1.102.0. We're now
running 8.1.102.0 and the fix is definitely in there.  We've also
loaded up 8.1.111.0 and confirmed that the fix is there as well.

Any fixed version will show multiple Source Port numbers used in the
output of 'show radius queue'.   This is on by default in the fixed
versions but can be toggled back and forth with
'config radius ext-source-ports [enable/disable]'



(Rich-core-WiSM-B) >show radius queue

Max Radius Queues Per Server. 8
 Source Port numbers used 32770 32771 32772 32773 32774 
32775 32776 32777

Max Radius Buffers Available. 4064
 Num buffers used by Auth msgs... 0
 Num buffers used by Acct msgs... 0

Radius Authentication Messages Stats
 Total Auth Req  (allocated) sent 72680808
 Total Auth Resp (freed) rcvd 72680808
 Total Auth Req Pkts Dropped (no buffer). 0

Radius Accounting Messages Stats
 Total Acct Req (allocated) sent. 0
 Total Acct Resp (Freed) rcvd 0
 Total Acct Req Pkts Dropped (no buffer)..... 0





--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: Cisco WLC RADIUS Packet ID Bug

2015-09-25 Thread Earl Barfield

Date:Thu, 24 Sep 2015 15:30:59 +
From:"Curtis K. Larsen" <curtis.k.lar...@utah.edu>
Subject: Cisco WLC RADIUS Packet ID Bug

Hi Guys,

I have a TAC case open on this but it looks like once a week or so when the 
perfect storm arises we are hitting this one for a couple of minutes:  
CSCuo96366

---
WLC sends Radius packets with same ID without doing Radius ID check
CSCuo96366
Description
Symptom:
Clients are not able to Authenticate at Peak loads when using FreeRadius.

Conditions:
Using Freed radius (most susceptible), we observe at high auth rate and if 
Radius server is not responding to all Radius packets in seq order or if the 
server is slow, WLC when wraps around 0-255 Radius ID's, it does not do a check 
when posting new packet.

So essentially you have 2 packets with same ID being presented to AAA server.
---

The funny thing is that 9 of 10 WLC's are working fine against the same servers 
at the same time - the problem only happens on one WLC.  When it occurs we see 
this in the logs (Notice the same ID number 253 below)

servername radiusd[23964]: Discarding conflicting packet from client (IP of 
WLC) port 32770 - ID: 253 due to recent request 57345605.
servername radiusd[23964]: Discarding conflicting packet from client (IP of 
WLC) port 32770 - ID: 253 due to recent request 57347264

Wondering if other Cisco WLC customers see this since I know a lot of you are 
using FreeRADIUS, or FreeRADIUS-based authentication servers.  If so, let me 
know of any solutions and/or work-arounds.




Oh, Man!   I spent 18 months waiting for Cisco to fix this, sending
packet trace after packet trace and talking to anyone who would listen.

They finally fixed this in 8.1 by using eight different UDP source
ports (hashed on client mac) to send radius requests to the freeradius
server.   This has been an absolutely HUGE improvement to our users!!!

Previously, we would have a cascade chain reaction at almost every class
change when thousands of students would relocate and then all
authenticate to Wifi within a minute or two.

The first conflicting packet would get discarded, causing a timeout.
The second discarded conflicting packet would again cause a timeout.
The third would cause the WiSM to failover to the other radius server
and stupidly spew all the half-completed EAP conversations to the newly
active radius server, which would ignore them.   The WiSM interpreted
this as more timeouts and failed to the tertiary radius server.

All this re-auth and failover caused utter havoc and it went on for
five minutes or so at every class change.

We added radius servers, dedicated AD servers to serve the radius
servers.   The only workaround that really helped before the fix in 8.1
code was to add controllers in order to keep the number of clients per
controller down.

I could talk about this forever after spending a year swimming in
radius packet decodes.   Suffice it to say: Get to 8.1 code ASAP!!!

I don't care what other bugs it may or may not have, this outweighs
them all for us.





--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu
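
Added example (not from the original thread): a detector for the FreeRADIUS "Discarding conflicting packet" lines quoted in this message, reporting bursts per WLC address and source port. The sample log lines, their syslog timestamps, the 192.0.2.x addresses, the window, the threshold and the function name are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Message text as quoted in the post; the leading syslog timestamp is assumed.
CONFLICT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ radiusd\[\d+\]: "
    r"Discarding conflicting packet from client (?P<client>\S+) "
    r"port (?P<port>\d+) - ID: (?P<id>\d+) due to recent request (?P<req>\d+)"
)

# Constructed sample log (documentation addresses stand in for the WLC IPs).
SAMPLE_LOG = """\
Sep 24 09:55:01 servername radiusd[23964]: Discarding conflicting packet from client 192.0.2.10 port 32770 - ID: 253 due to recent request 57345605.
Sep 24 09:55:03 servername radiusd[23964]: Login OK: [user1] (from client wlc1 port 13)
Sep 24 09:55:04 servername radiusd[23964]: Discarding conflicting packet from client 192.0.2.10 port 32770 - ID: 253 due to recent request 57347264.
Sep 24 09:55:09 servername radiusd[23964]: Discarding conflicting packet from client 192.0.2.10 port 32770 - ID: 7 due to recent request 57347301.
Sep 24 09:55:20 servername radiusd[23964]: Discarding conflicting packet from client 192.0.2.10 port 32770 - ID: 8 due to recent request 57347355.
Sep 24 10:40:00 servername radiusd[23964]: Discarding conflicting packet from client 192.0.2.11 port 32770 - ID: 12 due to recent request 57390001.
""".splitlines()


def conflict_bursts(lines, window_s=60, threshold=3, year=2015):
    """Return (client, port) pairs with >= threshold conflicts inside window_s.

    A lone conflict can be a retransmission race; a burst from one WLC and
    one source port is the ID-wraparound pattern described in the thread.
    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    events = defaultdict(list)
    for line in lines:
        m = CONFLICT_RE.match(line)
        if not m:
            continue                      # unrelated radiusd message
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[(m["client"], int(m["port"]))].append((when, int(m["id"])))

    bursts = []
    for (client, port), evs in sorted(events.items()):
        evs.sort()
        window = deque()                  # timestamps inside the sliding window
        peak = 0
        for when, _rid in evs:
            window.append(when)
            while (when - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            bursts.append({
                "client": client,
                "port": port,
                "peak_in_window": peak,
                "total": len(evs),
                "ids": sorted({rid for _when, rid in evs}),
            })
    return bursts


if __name__ == "__main__":
    for burst in conflict_bursts(SAMPLE_LOG):
        print(burst)
```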



Re: WIRELESS-LAN Digest - 24 Apr 2014 to 25 Apr 2014 (#2014-88)

2014-04-28 Thread Earl Barfield

On 04/26/14 00:00, WIRELESS-LAN automatic digest system wrote:

Date:Fri, 25 Apr 2014 17:49:42 -0700
From:Mike Albano <mike.alb...@unlv.edu>
Subject: Disabled 2.4 Radios not staying disabled

Anyone else seeing this?
Cisco Wism2's ver. 7.6.100.10 (though I believe it affects all 7.6)
When I disable radios config 802.11b disable ap_name the radios turn
themselves back on after a config ap reset or power outage, changing AP
Group's etc. Basically, when the AP reboots, the radio re-enables itself.

TAC case pending.

Mike Albano




Yes, we saw this back with 7.4.103.6.   It only did this if the AP had
a non-default RF profile.   We opened a tac case (in Jun 2013) but
I don't see that a bugid was ever assigned.

As a workaround, I wrote a simple script that periodically queries our
Airwave Management Platform server and alerts me if any radios are not
in the desired state.





--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: Horizontal AP mounting options

2013-10-25 Thread Earl Barfield

We are deploying a bunch of 1602's and 2602's and they recommend mounting
them horizontally. There are areas where they need to be wall mounted and
none of the ceiling mounts or brackets are an option. They recommend the
Oberon P/N 1029-00, . It looks a bit overpriced for what it is and ugly IMO.

http://www.oberonwireless.com/hard-lid_wall-mounted-access-point-enclosures.php

http://www.provantage.com/oberon-1029-00~7OBER009.htm
http://www.provantage.com/oberon-1029-00%7E7OBER009.htm

Does anyone know of any other options?




We've used shelf brackets like these.


http://www.homedepot.com/p/Richelieu-Hardware-White-Heavy-Duty-Shelf-Bracket-12-In-494W12B/202205509


Mount them upside-down and attach the AP mounting bracket to the shelf
bracket with self-drilling screws.   They're pretty unobtrusive,
especially in places with high ceilings.  The white color blends in
with the access points and all the other junk mounted up there: smoke
detectors, security cameras, motion detectors, fire alarms, etc., etc.



--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: WIRELESS-LAN - Cisco APs losing CAPWAP session

2012-02-01 Thread Earl Barfield

Date:Tue, 31 Jan 2012 08:29:57 -0500
From:Dan Brisson <dbris...@uvm.edu>
Subject: Cisco APs losing CAPWAP session

I'm curious if any Cisco users out there are experiencing or have
experienced what we're seeing on our campus.  This past summer we
installed 3502i's in all of our residence halls - approximately 500
total.  Ever since the students have moved in, we will get messages from
WCS stating that AP XYZ is down and disassociated from the
controller.  When I check out the AP, the uptime is fine, but the
CAPWAP join time is for like 30 seconds, or however long it took me to
check.

We've tracked this and it is totally random as to what AP will drop,
which makes troubleshooting this very tough.  The log on the AP isn't
helpful.  I'm working with TAC who suggests that keepalives are getting
missed.  I'm not sure why that would be the case since we have another
500 or so APs on the admin side that very rarely drop.  Adding to that,
when the students left for break, the AP drops stopped.  They came back,
and sure enough, the drops start up again.

I will say that the AP always joins back immediately, but for the time
that it does drop A) I'm sure connectivity is affected in that area and
B) we get an email.

Anyone experiencing this?




Wow, Deja vu!  I had almost exactly the same problem a few years ago
and it nearly drove me nuts.

It turned out to be unrelated to the wireless.  The wired network
switches in the dorms were configured for dynamic vlan steering based
upon a response from a radius server.  The radius server would randomly
glitch and return the wrong vlan for one or more of the ports that
the wireless access points were plugged into, which would sever the
connection between the AP and controller.

I pulled most of my hair out before finally figuring it out by sniffing
the radius queries and responses and meticulously matching them up and
Aha!!.

You really remember the problems that leave skid marks across your
backside!  :-)


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Size of LWAPP management subnet

2010-08-30 Thread Earl Barfield

I'm curious about how many LWAPP access points and controllers my peers
are running in a single vlan/broadcast domain?

Cisco engineers keep telling me that they recommend a maximum of 100
APs in a subnet and to keep the WLCs on a different subnet/vlan from
the LWAPP APs.  That would be a lot of router interfaces to setup in my
environment.  Maybe that's their goal, eh?  :-)

We've still got the one big vlan model leftover from the thick AP
days.  We've split up the user space into several smaller vlans/subnets
depending on SSID, WPA vlan override, etc., but the management
interfaces and WLCs are still in the big ole' vlan that spans all
over campus.

This configuration has worked well for us.  The simplicity of it makes
troubleshooting and switch management much easier.  The LWAPP network is 
back-end and has no router interface, only the APs, WiSMs, Airwave 
Management Platform have interfaces on it.


We're still running 5.2.193.0 code and starting to consider a migration
path to the newer 7.0 WLC code.  My nightmare scenario is that the 7.0
code introduces some additional latency sensitivity or multicast
traffic or broadcast traffic that overwhelms our network and it all
grinds to a halt.

I can't really get any usable advice from Cisco because their engineers
tend to fall over when I tell them how many APs I'm running in a single
broadcast domain.  :-)

Am I the only one still out here on this limb?


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: [WIRELESS-LAN] Aruba vs HP vs Meraki

2010-04-12 Thread Earl Barfield

From:Mike King <m...@mpking.com>
Subject: Re: Aruba vs HP vs Meraki



Based on that line, I had two images pop in my mind:

The first one was Lee Swinging two 1142n (one in each hand) like a ninja.


1142?  Come on, now, think big!  The AP1252 weighs over six pounds and
has six antennas sticking out like some sort of medieval flail!



--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: [WIRELESS-LAN] Self-assigned IP on Macs

2009-08-28 Thread Earl Barfield

Date:Thu, 27 Aug 2009 15:58:39 -0500
From:Hector J Rios <hr...@lsu.edu>
Subject: Self-assigned IP on Macs...

Have you guys run into this issue? We run Cisco's lightweight APs on
WiSMs running code 5.2.193. Mac will associate to our APs but just won't
obtain an IP address. In the end it assigns itself a self-assigned IP.
We are seeing this on a lot of new MacBooks and MacBookPros running
10.5.8. If we associate the computer to an autonomous AP it works fine.
If we boot it in safe mode it works fine too. Everything else it just
fails. 


I had the same problem after upgrading from 4.2.something to 5.2.193.0.

Uncheck Enable DHCP Proxy under controller-advanced-DHCP and see if
that fixes it.  It worked for me.


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu  e...@gatech.edu



Re: [WIRELESS-LAN] Cisco Aironet 1140 vs 1250

2009-02-17 Thread Earl Barfield

Date: Mon, 16 Feb 2009 22:09:59 -0600
From: Rob Crockett <crocke...@obu.edu>
Subject: Cisco Aironet 1140 vs 1250

I'm interested in knowing experiences others have had in deploying
the new Cisco Aironet 1140s.



I've got an AP1140 for eval and the biggest reason that I haven't done
more with it is because it requires version 5.2 software on the Wireless
Lan Controllers.  Look back a month or so in the list archives for the
religious wars about 4.2 vs 5.x, etc.

The AP1142 is more aesthetically pleasing and a bit cheaper than the
AP1252 so I'm sure we'll end up using them eventually just like we
switched from AP1200 to AP1130s when the AP1130s came out.  It's just a
matter of getting to the 5.2 code, which has some significant changes in
how you select which APs carry which SSIDs.  WLAN override is either
gone or different in 5.2.  I think you're supposed to use WLAN AP Groups
instead.

The Cisco PWRINJ3 power injectors that we use for the AP1200 and AP1130
do not work with the AP1140 so you have to buy the more expensive
PWRINJ4 unless you have 802.1af capable POE switches or some other power
injector (mid-span) solution.

Also, there is no IOS (thick) version of code for the AP1140 which makes
site-surveying with it considerably more difficult.  I guess you have to
lug a controller around with you or otherwise arrange for connectivity
from a survey AP back to a controller.  Alternatives there include
predictive site surveys, surveying with an AP1250 and hoping that they
are similar, or just guessing at AP placement.

BTW, there is a pricing promotion on the ten-pack of AP1142s through the
end of April.  I think it's 10% off on the APs but the power injectors
are not discounted so it's a little less than 10% off overall.

--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu



Re: [WIRELESS-LAN] Cisco Aironet 1140 vs 1250

2009-02-17 Thread Earl Barfield

Johnson, Bruce T wrote:

> Hi Everyone,
>
> The following Cisco wireless LAN software was recently published:
>
> IOS
>
> c1140-rcvk9w8-tar.124-18a.JA1.tar
>
> http://ftp-sj.cisco.com/swc/esd/02/crypto/3DES/282439881/contract/c1140-rcvk9w8-tar.124-18a.JA1.tar
> https://phsexchweb.partners.org/exchweb/bin/redir.asp?URL=http://ftp-sj.cisco.com/swc/esd/02/crypto/3DES/282439881/contract/c1140-rcvk9w8-tar.124-18a.JA1.tar


That is LWAPP Upgrade and Recovery Image, not autonomous IOS.  You still
need LWAPP controller to use AP1140.  I hope they come out with
autonomous IOS or at least some sort of basic autonomous beacon-only
mode in order to do site surveys.


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu



Re: [WIRELESS-LAN] Cisco Aironet 1140 vs 1250

2009-02-17 Thread Earl Barfield

My Cisco sales guy just told me that Autonomous IOS firmware for the
AP1140 should be out sometime in April.


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu



Re: [WIRELESS-LAN] Question on layer 3 size

2008-04-25 Thread Earl Barfield

> Date: Thu, 24 Apr 2008 09:57:47 -0400
> From: Jim Glassford [EMAIL PROTECTED]
> Subject: Question on layer 3 size
>
> Greetings,
>
> Cisco 4402 and 4404 Wireless Lan Controllers with a mixer of Cisco light
> weight access points. Currently running a 22 bit mask for the 1022 hosts on
> one SSID/VLAN. Would welcome any real world experience about increasing to a
> 21 bit mask for the 2046 hosts or larger on one SSID/VLAN with Cisco WLCs
> and lwaps.



We've got two /20 address ranges for client addresses and we've seen no
problems.

Just FYI, we've also got a /16 10.x.y.z address space for the LWAPP
access points and we have seen problems with that.  We've got 2200+ APs
on a single vlan that is spanned all over campus.  All was fine until
some version of code between 4.1 and 4.2.61.0, I'm not sure of the exact
rev.

The problem was that the WiSMs would sporadically be overwhelmed
by all the broadcast traffic and would fail to answer arp requests in a
timely manner, sometimes up to 90 seconds.  As you can imagine, this
caused all sorts of problems.  I've got the Cisco bugid here somewhere
if anyone needs it.  This was fixed in rev 4.2.112.0.  No problems
since.




--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: [WIRELESS-LAN] Upgrade 1200 to lwapp

2007-03-01 Thread Earl Barfield

> From: Simon Kissler [EMAIL PROTECTED]
>
> Okay, so I've been trying to figure this out and figured I may as well
> ask. Where is the cost benefit of the using the controllers and LWAPPs.
> The controllers aren't cheap and the APs don't get cheaper even though
> they are light ?   I assume there are some management benefits in this
> kind of solution, but have you found them to be worth the money ?  Are
> there other benefits that aren't as obvious to me that are ?
>
> I like the idea of making management easier and just like any
> technologist like shiny new toys, but in the context of overall funding
> priorities with aging network equipment in places and other challenges
> find it hard to justify since our APs mostly just work and require
> little touching beyond initial config and occasional firmware upgrades.
> What about this am I missing ?
>
> -Simon



Management is much easier, especially if you have multiple SSIDs on 
multiple VLANS.


With thick APs, you have to trunk each VLAN to each AP which can be a 
daunting and error-prone task.  If one of the VLANs is discontiguous 
between your core and a single AP, there's no easy way to tell unless a 
user complains and can tell you which AP he was associated to when he 
lost connectivity.


With the Wireless Lan Controllers, you only have to trunk the multiple 
client-traffic VLANs to the controllers.


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: [WIRELESS-LAN] Resetting LWAPP Device to Defaults

2007-02-20 Thread Earl Barfield

> Date: Mon, 19 Feb 2007 15:57:10 -0500
> From: Christopher M. Bomba [EMAIL PROTECTED]
> Subject: Resetting LWAPP Device to Defaults
>
> Has anyone had experience with resetting LWAPP access points to factory defaults.  We have a problem of when you add multiple controllers to a mobility group and the access points learn about those other controllers that they sometimes jump over to the other controllers.  We are going to remove the controllers from the mobility group, and reset the access points to factory defaults so they forget about the controllers they once knew about.
>
> When we reset the access points they came back up and didn't have a name (which should be right).  They didn't have any configuration as well.  I pushed a template to the access point that told them what the primary controller they should use and the WLAN override information.  When I rebooted the access point once more and it came back up.  It seemed to know its location string already?  It must have not wiped that clean with the factory reset.
>
> Does anyone know for sure what we can do to reset the access points to factory
> defaults and make sure the access points is as dumb as the day it came out of
> the box?



What kind of AP?  I've had to do this with Cisco AP1200 and AP1130 APs 
that ran IOS and were converted to LWAPP firmware.


There is a file, the name of which escapes me, that resides in the flash 
on the AP.  If you have an AP that's capable of running IOS firmware, 
you can convert it back to IOS and remove the file(s) from flash:


You can also remove the Manufacturer Installed Cert (MIC), which then 
requires you to generate self-signed cert and then configure the WLC to 
accept that self-signed cert.  Been there, done that.  :-)



--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: [WIRELESS-LAN] Guest access

2006-04-03 Thread Earl Barfield
> Bill,
>
> Very interesting.  I would like to research your comment a commercial
> carrier that rides our same access points with a little more detail.
> You can contact me offline if you wish.


I'm sure they do the same thing that we do here at Georgia Tech:  

We have a guest SSID configured on our Cisco APs with no security and
broadcast SSID.  This traffic is bridged at layer two to a local WISP
that provides DHCP, DNS, AUTHn, AUTHz, etc.  The guest users end up in
the ISP's address space, not ours.

I think GSU is even using the same WISP that we do.

-- 
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: WIRELESS-LAN Digest [Another RADIUS Question (802.1x)]

2006-03-24 Thread Earl Barfield
> Date: Thu, 23 Mar 2006 15:33:20 -0500
> From: Keith Moores [EMAIL PROTECTED]
> Subject: Re: WIRELESS-LAN [Another RADIUS Question (802.1x)]
>
> We are running 12.3(4)JA...  but we also run 12.2(15)XR2 on our older
> 350 APs, we haven't had a problem with Apple clients before.
>
> The problem we are having only occurs with the MacBook Pro's AirPort
> Extreme card (its probably an intel wireless chipset), not the
> original AirPort Extreme card (broadcom chipset) that the PowerPC
> Macs use.  The problem only appears for networks using 802.1X WEP
> encryption, no encryption or WPA (802.1X TKIP) work fine for the
> MacBook Pro.
>
> Our APs encrypted VLAN accepts the following Authentication methods:
> -Open Authentication + EAP
> -Network EAP


This sounds suspiciously similar to our Apple problems with 12.3(4)JA.
I dug up the email from our Cisco engineer that put us on the right
path.  I'd suggest that you try IOS 12.3(7)JA2 and see if the problem
persists.

Email from Cisco (8-15-05):
 
> I found that you have run into bug CSCei12722 in version 12.3.4(JA)
>
> That bug has been resolved in version 12.3.7(JA).  Please upgrade the
> IOS on the AP and you should be fine.  Also, I have  verified 3 other
> TAC SRs that have the exact same issue with the exact same wireless
> adapters.  So my confidence level is high for this fix.




-- 
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: WIRELESS-LAN [Another RADIUS Question (802.1x)]

2006-03-23 Thread Earl Barfield
> From: Keith Moores [EMAIL PROTECTED]
> Subject: Re: Another RADIUS Question (802.1x)
>
> 802.1X WEP appears to be the problem with the MacBook Pro rather than
> a specific flavor of EAP.  We just tested a yet to be released
> (hopefully soon) software update from Apple that fixes the problem.
>
> -Keith

What version of IOS are you running on your APs?  We had problems with
some variant of 12.3(4) that would not play nice with Apple's Airport
Extreme card.  There was a bug in Cisco's firmware with regards to
open vs shared authentications.  The PC clients seemed to overlook it,
but Apple's refused to associate.  If you turned off WEP, it worked,
which made it appear to be a WEP problem.

Anyway, IOS 12.3(7) fixed the problem.  We're happily running
12.3(7)JA2 now.

-- 
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: [WIRELESS-LAN] AirWave inquiry

2005-12-12 Thread Earl Barfield
.

Anyway, back to security:

We definitely don't allow anyone to log into the box that doesn't need
to.  A simple 'ps' will show you passwords to the database, etc.
Only admins and the noc can get a shell on the box.

We review the nightly incremental backups to see which files have
changed to detect any mischief.

We run the iptables firewall that comes with RHEL and keep the machine
locked down tight.  ssh only from my workstation and the noc.  https
access only from on-campus.  A few ports open for ntp and our backup
software and everything else is closed off.


> Inquiring minds want to know (and want to get the statistics we need to
> manage the network).

I'd love to get tuning info on the Postgres database.  It's bound to
need some different settings running in 16GB of RAM than what it has
at 6GB.  Database profiling and optimizing could surely improve
performance.


All that said, I really love the product.  This is like the product
that we would write in-house if we had to do it.  Add to it the fact
that Airwave engineers are so responsive to our requests and needs and
that's why we dropped the big bucks for a monster server and another
license to run the package.

Ask me in a few weeks if the new server is noticeably faster.  Crossing 
my fingers :-)


-- 
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]
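
The remark above that a simple 'ps' shows the database passwords can be checked on a host with the audit below, which reads each process's command line from Linux /proc and reports, with the values masked, every process that carries a credential. This is an added example, not part of the original post and not AirWave's code; the flag names, patterns and helper names are assumptions chosen for illustration.

```python
import os
import re

# Constructed patterns for credentials passed as process arguments;
# extend them for the tools actually run on the host.
SECRET_PATTERNS = [
    # --password=x, --passwd:x, -pwd=x, or a bare --password (value is next arg)
    re.compile(r"(?i)^--?(?:pass(?:word|wd)?|pwd|secret|token)(?:[=:](?P<val>.+))?$"),
    # NAME=value assignments such as PGPASSWORD=x given to env(1)
    re.compile(r"(?i)^(?:\w*PASS(?:WORD)?|\w*SECRET|\w*TOKEN)=(?P<val>.+)$"),
    # scheme://user:secret@host connection URLs, anywhere in the argument
    re.compile(r"[a-z][a-z0-9+.-]*://[^/:@\s]+:(?P<val>[^@\s]+)@"),
]


def find_exposed(argv):
    """Return the indexes of arguments in argv that carry a secret value."""
    hits = []
    expect_value = False
    for i, arg in enumerate(argv):
        if expect_value:
            # The previous argument was a bare flag such as "--password".
            expect_value = False
            if not arg.startswith("-"):
                hits.append(i)
                continue
        for pat in SECRET_PATTERNS:
            m = pat.search(arg)
            if m is None:
                continue
            if m.group("val"):
                hits.append(i)
            else:
                expect_value = True
            break
    return hits


def redact(argv):
    """Join argv into one line with every exposed value masked."""
    out = list(argv)
    for i in find_exposed(argv):
        key, sep, _ = out[i].partition("=")
        # Keep "--flag=" or "NAME=" for context; mask bare values and URLs whole.
        out[i] = f"{key}{sep}****" if sep and "://" not in key else "****"
    return " ".join(out)


def scan_proc(proc_root="/proc"):
    """Map pid -> masked command line for each process exposing a secret."""
    findings = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return findings  # no procfs on this platform
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited, or /proc is mounted with hidepid
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if find_exposed(argv):
            findings[int(entry)] = redact(argv)
    return findings


if __name__ == "__main__":
    for pid, line in sorted(scan_proc().items()):
        print(f"{pid}\t{line}")
```

Run it from an unprivileged account: whatever it lists is readable by every user with a shell on the box, which is why shell access is restricted as described above.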



Outdoor wireless coverage on campus?

2005-06-29 Thread Earl Barfield
I'm interested in any outdoor wireless deployments on campuses. 

Here at Georgia Tech, we have a dozen or so outdoor access points covering
some key locations and a bus route.  Our APs are YDI WiPOP in a Box
that is a Proxim AP2000 in a weatherproof enclosure with amplifier and
power supply, connected to antennas mounted on non-penetrating sleds
on rooftops.  We've got wired ethernet connected to each outdoor
access point and all APs are on the same subnet so that roaming is
as seamless as possible.

We're about to embark on a project to cover much more of our outdoor
campus areas and I'm curious if anyone else on this list has already
done this.  I'd love to swap info and lessons learned, either on the
list or via private email if you prefer.

Questions for which we need to come up with answers:


Which users are targeted?
   - Buses?
   - Police cars?
   - Students?
   - Faculty/Staff?
   - Visitors?

Which areas do we want to cover?  Build it and they will come
   - Additional bus routes?
   - Green spaces?

What kinds of access points should we use?
   - 802.11b or 802.11g
   - YDI WiPOPs  (What we have now, but no longer available YDI is now Terabeam)
   - Cobble together our own enclosures for Cisco AP-1200s
   - Cisco 1300 Outdoor  
   - BelAir?
   - Anything else?

Large cell versus small cell
   - We're currently doing the largest cells possible with amps and
     gain antennas
   - We could get better coverage with lots and lots of lower powered
     APs but it would cost more and installation could be troublesome in
     some areas.

Where will access points be mounted?
   - Do we continue with mounting them on rooftop sleds and running
     conduit to nearest data closet for connectivity?
   - What about using 802.11a uplinks to the APs in places where it
     will be difficult to run conduit?
   - What are the odds that Facilities would allow us to mount to
     light poles?

Who will do site surveys?
   - Definitely want to get these done before leaves fall 


-- 
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: [WIRELESS-LAN] Wireless Open Access- not sponsored guest access

2005-06-06 Thread Earl Barfield
> Guest access-
>
> - How do you sponsor visiting guest?
> - Any self-service mechanisms for staff and faculty to quickly get a
> visitor on the wireless network without having to contact someone in
> IT?
> - Any guest access horror stories?


We support [at least] two wireless SSIDs on our equipment.  

The private one goes to our captive portal which issues IP addresses 
within Ga Tech address space and requires users to authenticate against 
our kerberos realm before passing packets to our networks or the
internet.

The public SSID is broadcast and has no security.  It is bridged at
layer two to a VLAN that is handed off to a local wireless ISP who
handles the traffic.  The ISP issues DHCP addresses in their address
space and sells access to public users.  Users can purchase access
online with a credit card or purchase discounted passes through the
ISP.  Conference and event organizers on campus can choose to purchase
access passes in bulk and include them as one of the amenities to
conference attendees, etc.

I believe Georgia State University, also here in Atlanta, has a
similar arrangement with the same ISP.


-- 
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: WIRELESS-LAN Digest - Physical network security on ethernet cable

2004-10-15 Thread Earl Barfield
> From: Scott Ritter [EMAIL PROTECTED]
> Subject: Physical network security on ethernet cable
>
> I need help solving a problem.
>
> I am hoping to tap in to the experience of someone else on this list.
>
> We have several APs (1 problem child in particular) that used exposed wire
> plans for their ethernet connection. The problem is they keep getting
> unplugged! So far we have tried tagging cables with Do Not Unplug labels,
> changing color of cables to something bright and important looking. Still
> no improvement.
>
> I was hoping to find a solution to physically secure the jack so that it
> can not be removed except by approved staff members. The wire plan jacks
> are in a public area, so I also need to keep the aesthetics reasonably
> tasteful and clean.


Hubbell makes a tamper resistant ethernet wall jack.  Check out
http://www.hubbell-premise.com/PressRoom/PressReleaseDetail.asp?ID=71

That might help on one end of the cable.  If they're unplugging the patch
cable from the AP, then I'm not sure what to do about that.  I guess you
could glue it in, but that would cause problems if you ever had to
troubleshoot or replace the unit.  There are locking enclosures that
you can put the AP in.

How about a (fake or real) security camera that watches the AP?


--
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]



Re: [WIRELESS-LAN] Find Dead Access-Points

2004-08-25 Thread Earl Barfield
> > Does anyone know of an ethernet circuit finder.
> > Not a toner, since this requires to know both ends.
> > (and I only know the end in my equipment room)
> >
> > The idea is to be able to locate a dead Access-Point with wrong maps
> > by following the path of its ethernet cable.
>
> The only tool that I can think of that would be even remotely helpful
> is a TDR (time domain reflectometer?). A TDR would tell you how long
> the cable is. You would then at least know approximately how far away
> the unit is. Any cable tester has that capability, as does Fluke's
> NetTool. Outside plant people use metal detectors to trace the path of
> conduit but that is essentially unusable inside a building. I'm afraid
> someone is going to have to tug a cable and watch for movement
> somewhere down the line and repeat until you find the dead box.
>
> Accurate maps are a good thing. Maybe we should lobby the vendors to
> include a GPS locator in each unit?


We find that accurate labels on the patch panels (and appropriate corporal
punishment for anyone who doesn't label the ports) go a long way.

What kind of APs do you have?  If you have Cisco APs, you can blink
the lights on the AP with the command 'led flash' and turn it back off
with 'led flash disable'.  This would let you verify your maps.  Even
if your AP is dead, you could eliminate all the ones that are in the
correct location and narrow down your search for the missing one.

Do you have APs hidden above the ceiling or something where you can't
just walk around and look for them?

If the AP is up and working, you might try using Airmagnet or
Netstumbler to search for the wireless MAC address and go to where the
signal is strongest.

--
Earl Barfield  --  Academic & Research Technologies / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/cg/.