RE: Wi-Fi expectations/service levels and validation

[Enfield, Chuck]

The jury is still out on whether there is such a thing as good WI-Fi..

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of LaPorte, David
Sent: Thursday, September 23, 2021 4:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wi-Fi expectations/service levels and validation

Hi All,

Coming out of a very rough fall semester start that left many of our users 
suffering with "bad" Wi-Fi, we've since (understandably) been asked what 
constitutes "good" Wi-Fi.  We have not previously published information to our 
community on what they should expect or on how they can validate those 
expectations.  Does anyone have any knowledge articles or links they could 
share?

Thanks!
Dave


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

Wireless Network Architect
Network Operations

(434) 592-6552

[http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg]

Liberty University  |  Training Champions for Christ since



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Turner, Ryan H 
mailto:rhtur...@email.unc.edu>>
Sent: Wednesday, September 1, 2021 12:27 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)


All,



Aruba believes this is the cause of the new iOS operating system.  Our 
environment is extremely heavy iOS.  We are talking to them now and will assess 
the change.



Ryan



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Norton, Thomas (Network Operations)
Sent: Wednesday, September 1, 2021 12:17 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)



ha right!



Chuck beat me to it, but our limits are similar, we do allow quite a bit more 
before committing the action the arp rate.



T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552



Liberty University  |  Training Champions for Christ since







From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Enfield, Chuck mailto:cae...@psu.edu>>
Sent: Wednesday, September 1, 2021 12:13 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)



Thanks to firewalls, ARP is the new ping.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Norton, Thomas (Network Operations)
Sent: Wednesday, September 1, 2021 12:13 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)



Thats what we have seen as well, and the larger the subnet, the worst it gets. 
We were seeing upwards of 10k request a minuet at one point.



T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552



Liberty University  |  Training Champions for Christ since







From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Laramie Combs mailto:comb...@appstate.edu>>
Sent: Wednesday, September 1, 2021 12:09 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)



Thanks TJ - it looks like the client is just walking their vlan, with excessive 
arp traffic, and thats having a bad effect.






On Wed, Sep 1, 2021 at 12:07 PM Norton, Thomas (Network Operations) 
mailto:tnort...@liberty.edu>> wrote:

Hey Laramine/Chuck,



The ARP issue most likely the Lenovo Vantage software or IOS 14. Another option 
outside of filtering is to enable prohibit ip spoofing and arp spoofing.



T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552



Liberty University  |  Training Champions for Christ since







From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Laramie Combs mailto:comb...@appstate.edu>>
Sent: Wednesday, September 1, 2021 11:57 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)



HEy Chuck - would you mind sharing that arp limiting client filter with me?



We are seeing some new traffic patterns where it looks like user devices are 
just walking their subnets, and arping for everything



-Laramie



On Wed, Sep 1, 2021 at 11

Re: [WIRELESS-LAN] Wireless Scanning Apps

[Enfield, Chuck]

Wi-Fi Analyzer Pro, Network Signal Info Pro, Aruba Utilities, & nperf. Wi-Fi 
Analyzer is my go to scanner, and nperf my performance tester, but the other 
two have features I use sometimes. Between them they meet all my needs.


From: Olivier Gervais-Harreman 
Sent: Friday, September 3, 2021 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Scanning Apps


Check out Aruba Utilities.


Olivier Gervais-Harreman, P.Eng.
Wireless Administrator | Network Operations
Simon Fraser University | Water Tower Building 224
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.3715 | M: 778.689.2358 | 
www.sfu.ca/information-systems
Twitter: 
@sfu_it


[1599766161030]


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hales, David 

Sent: September 3, 2021 11:51:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Scanning Apps

I was wondering if anyone had any free wireless scanning apps for Android that 
they currently like?  Just something free and simple you can use to check 
signal strength, SSIDs and BSSIDs around you when out in the field?  I always 
end up with a different one each time I replace my phone and was about to poke 
around the Play store again.

David Hales
Network Systems Administrator

Information Technology Services
Tennessee Tech University
1010 N. Peachtree Av., CLEM117
Cookeville, TN 38505
P: 931-372-3983
E: dha...@tntech.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

I’d like to suggest sending them home, but if we learned anything last year 
it’s that home wi-fi isn’t so great either.  How many times have you heard, “It 
works when I’m at home?”  Well now we know, not always.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Floyd, Brad
Sent: Thursday, September 2, 2021 1:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

JD,
If we wrap each of them along with their devices in an aluminum foil bubble, 
each user would have their own collision domain. The MIMO reflections would be 
awesome, we wouldn’t need more than a single channel architecture, and any 
channel contention would be self-imposed. Here’s hoping we get to catch up 
again at the next post-COVID WLPC.
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Davis, Jonathan Alan
Sent: Thursday, September 2, 2021 11:42 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)


[EXTERNAL SENDER]
“That's been my experience for years.  The network works great when there are 
no students around.  My working theory is that students emit RF interference, 
but research ethics won’t let me run the tests, so we'll never know for sure.”

It’s worse than that! They are walking bags of water which absorb the good RF, 
and their devices transmit the bad RF! It’s a conspiracy I tell ya!

We’re going to work with TAC on capturing traffic during a class that is known 
to have issues. After that, we plan to change the rebalancing threshold as well.

Thanks everyone for the feedback!

JD


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Enfield, Chuck mailto:cae...@psu.edu>>
Date: Thursday, September 2, 2021 at 12:15 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)
I will also add that our problems did not increase linearly with client count 
on a controller.  Below 5K there was no user impact.  Around 5K problems 
started and the severity increased quickly.  I doubt there’s anything magic 
about 5K, and the threshold will be different on every network based on a 
variety of implementation details, but I’d expect that pattern to be common.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Enfield, Chuck
Sent: Thursday, September 2, 2021 11:21 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

Between 5k and 6k clients on a 7240xm is where we started seeing problems. 
Lighter loaded controllers were OK.

From: "Street, Chad A" mailto:cstr...@emory.edu>>
Sent: Thursday, September 2, 2021 11:03 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

We are a balanced cluster, notes about load below:


"I’m also noticing that there are much fewer clients on this controller, and 
that ratio doesn’t seem to be improving."

To this point, the action we took that seemed to help the most was adjusting 
our active client load balancing threshold.  We dropped it significantly to 
force clients to balance across controllers.  Once we got below ~5000 active 
clients per controller, we stopped seeing the mass client connection issues.

We still have a controller that hasn't taken significant load, but now that 
we've been running without major issues for the past few days, we're reluctant 
to touch the setting again.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Rob Harris 
mailto:robert.har...@culinary.edu>>
Sent: Thursday, September 2, 2021 10:59 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

I will also add that our problems did not increase linearly with client count 
on a controller.  Below 5K there was no user impact.  Around 5K problems 
started and the severity increased quickly.  I doubt there’s anything magic 
about 5K, and the threshold will be different on every network based on a 
variety of implementation details, but I’d expect that pattern to be common.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Thursday, September 2, 2021 11:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

Between 5k and 6k clients on a 7240xm is where we started seeing problems. 
Lighter loaded controllers were OK.

From: "Street, Chad A" mailto:cstr...@emory.edu>>
Sent: Thursday, September 2, 2021 11:03 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

We are a balanced cluster, notes about load below:


"I’m also noticing that there are much fewer clients on this controller, and 
that ratio doesn’t seem to be improving."

To this point, the action we took that seemed to help the most was adjusting 
our active client load balancing threshold.  We dropped it significantly to 
force clients to balance across controllers.  Once we got below ~5000 active 
clients per controller, we stopped seeing the mass client connection issues.

We still have a controller that hasn't taken significant load, but now that 
we've been running without major issues for the past few days, we're reluctant 
to touch the setting again.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Rob Harris 
mailto:robert.har...@culinary.edu>>
Sent: Thursday, September 2, 2021 10:59 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)


For those of you who have experienced this, what was your user load and how 
were your clusters operating (balancing, active/standby) ?



I wonder if there’s a threshold..



Thx!



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Smith, Nayef
Sent: Thursday, September 2, 2021 10:20 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)







"I’m also noticing that there are much fewer clients on this controller, and 
that ratio doesn’t seem to be improving."



To this point, the action we took that seemed to help the most was adjusting 
our active client load balancing threshold.  We dropped it significantly to 
force clients to balance across controllers.  Once we got below ~5000 active 
clients per controller, we stopped seeing the mass client connection issues.



We still have a controller that hasn't taken significant load, but now that 
we've been running without major issues for the past few days, we're reluctant 
to touch the setting again.





Nayef Z. Smith | Network Services | Voice: 404-727-6019



[cid:image001.png@01D79FF4.0F7F8150]



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Davis, Jonathan Alan mailto:jonath...@unc.edu>>
Sent: Thursday, September 2, 2021 9:27 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)



Lee, don’t you bring your bad Cisco-juju to this conversation! :-)



Now that Lee has been properly handled, this is probably a great opportunity to 
say ‘hello’ to the greater list.



Hello!



Last night, we (UNC) restarted the controller used to test the firewall policy. 
Despite Aruba’s advisory, we’ve been led to believe that restarting STM may not 
be enough, and restarting the whole controller may be required to resolve high 
STM CPU utilization.



This morning we are keeping a close eye on that controller. While STM is 
surging well past 100%, it seems

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

ssrooms and delayed connection times 
(Aruba 8.5.0.13)



But you tested in your lab, right? I love that one… put new code on a couple of 
APs, or even a few dozen. That’s supposed to somehow indicate what will happen 
at bigger load… and also maybe implies the vendor didn’t do their own “similar 
lab testing”…

“You should have tested before upgrading the whole environment…” how do you 
REALLY do that? And should you really have to? Just pondering the general state 
of things.

> On Sep 2, 2021, at 08:59, Enfield, Chuck 
> mailto:cae...@psu.edu>> wrote:
>
> That's been my experience for years.  The network works great when there are 
> no students around.  My working theory is that students emit RF interference, 
> but research ethics won’t let me run the tests, so we'll never know for sure.
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  On Behalf Of Patrick McEvilly
> Sent: Thursday, September 2, 2021 8:56 AM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
> any issues in the fall with large classrooms and delayed connection times 
> (Aruba 8.5.0.13)
>
> Speaking from experience, I would be very concerned.  We had no issues until 
> students returned and we went downhill from there.
>
>
> On 9/2/21, 8:50 AM, "The EDUCAUSE Wireless Issues Community Group Listserv 
> on behalf of Rob Harris"  robert.har...@culinary.edu<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU%20on%20behalf%20of%20robert.har...@culinary.edu>>
>  wrote:
>
>Has anyone seen any details regarding what they consider "Large" 
> environments? We upgraded during the break, but both before and after 
> versions are affected. We didn't notice this happening before, should we be 
> concerned now?
>
>The "dropped" is 0 and the stm cpu usage is in single digits, but client 
> count is really low (they come back this weekend as well), could we be in the 
> clear?
>
>(asked the SE team and opened a tac call, same questions to them)
>
>thx
>
>-Original Message-
>From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  On Behalf Of Jason Healy
>Sent: Thursday, September 2, 2021 8:45 AM
>To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else 
> seeing any issues in the fall with large classrooms and delayed connection 
> times (Aruba 8.5.0.13)
>
>CAUTION: This email originated from outside The Culinary Institute of 
> America. Do not click links or open attachments unless you recognize the 
> sender and know the content is safe.
>
>FWIW, Aruba just posted an advisory regarding this issue:
>
>Aruba Support Advisory ARUBA-SA-20210901-PLVL04, "Wi-Fi Client 
> Connectivity Failures in Large Client Environments"
>
>Good luck to those of you hit by this. My students start coming back this 
> weekend so I'll be watching this closely!
>
>Jason
>**
>Replies to EDUCAUSE Community Group emails are sent to the entire 
> community list. If you want to reply only to the person who sent the message, 
> copy and paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Ccae104%40PSU.EDU%7C8d074518e4d44dbded4f08d96e110298%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661841597428557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=ZlqC3lzdMWgYnKcohDgtGE4EVj%2BBAPD063ThuTr8sNU%3Dreserved=0<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7C5730b733e395489d433508d96e22d1b2%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661918102643346%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=ntInlVV8la08%2BM%2BiI%2BhqKulYAmLpxonwDFKRMWLm2t8%3D=0>
>
>**
>Replies to EDUCAUSE Community Group emails are sent to the entire 
> community list. If you want to reply only to the person who sent the message, 
> copy and paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Cca

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

When we had the problem last year, we couldn't see the high CPU usage much of 
the time.  The best way to tell if it's crashing is to look at the service 
uptime.  If it's been up for days or weeks you probably don't have the problem. 
 Hours, then you probably do.

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rob Harris
Sent: Thursday, September 2, 2021 8:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

Has anyone seen any details regarding what they consider "Large" environments? 
We upgraded during the break, but both before and after versions are affected. 
We didn't notice this happening before, should we be concerned now?

The "dropped" is 0 and the stm cpu usage is in single digits, but client count 
is really low (they come back this weekend as well), could we be in the clear?

(asked the SE team and opened a tac call, same questions to them)

thx

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jason Healy
Sent: Thursday, September 2, 2021 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

CAUTION: This email originated from outside The Culinary Institute of America. 
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

FWIW, Aruba just posted an advisory regarding this issue:

Aruba Support Advisory ARUBA-SA-20210901-PLVL04, "Wi-Fi Client Connectivity 
Failures in Large Client Environments"

Good luck to those of you hit by this. My students start coming back this 
weekend so I'll be watching this closely!

Jason
**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Ccae104%40PSU.EDU%7Ce4da0822a6a143b7424d08d96e104391%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661838403488619%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=L8kDlM2Vy7try2q1QdRgBCpOJKQiKGDTkUyY8%2FevgLU%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Ccae104%40PSU.EDU%7Ce4da0822a6a143b7424d08d96e104391%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661838403488619%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=L8kDlM2Vy7try2q1QdRgBCpOJKQiKGDTkUyY8%2FevgLU%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

That's been my experience for years.  The network works great when there are no 
students around.  My working theory is that students emit RF interference, but 
research ethics won’t let me run the tests, so we'll never know for sure.

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Patrick McEvilly
Sent: Thursday, September 2, 2021 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

Speaking from experience, I would be very concerned.  We had no issues until 
students returned and we went downhill from there.


On 9/2/21, 8:50 AM, "The EDUCAUSE Wireless Issues Community Group Listserv on 
behalf of Rob Harris"  wrote:

Has anyone seen any details regarding what they consider "Large" 
environments? We upgraded during the break, but both before and after versions 
are affected. We didn't notice this happening before, should we be concerned 
now?

The "dropped" is 0 and the stm cpu usage is in single digits, but client 
count is really low (they come back this weekend as well), could we be in the 
clear?

(asked the SE team and opened a tac call, same questions to them)

thx

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jason Healy
Sent: Thursday, September 2, 2021 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else 
seeing any issues in the fall with large classrooms and delayed connection 
times (Aruba 8.5.0.13)

CAUTION: This email originated from outside The Culinary Institute of 
America. Do not click links or open attachments unless you recognize the sender 
and know the content is safe.

FWIW, Aruba just posted an advisory regarding this issue:

Aruba Support Advisory ARUBA-SA-20210901-PLVL04, "Wi-Fi Client Connectivity 
Failures in Large Client Environments"

Good luck to those of you hit by this. My students start coming back this 
weekend so I'll be watching this closely!

Jason
**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Ccae104%40PSU.EDU%7C8d074518e4d44dbded4f08d96e110298%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661841597428557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=ZlqC3lzdMWgYnKcohDgtGE4EVj%2BBAPD063ThuTr8sNU%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Ccae104%40PSU.EDU%7C8d074518e4d44dbded4f08d96e110298%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661841597428557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=ZlqC3lzdMWgYnKcohDgtGE4EVj%2BBAPD063ThuTr8sNU%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Ccae104%40PSU.EDU%7C8d074518e4d44dbded4f08d96e110298%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661841597428557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=ZlqC3lzdMWgYnKcohDgtGE4EVj%2BBAPD063ThuTr8sNU%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

We feel your pain, Patrick!  Keep up the good fight.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Patrick McEvilly
Sent: Wednesday, September 1, 2021 5:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

I will hold off on providing details for now but when you have to push a code 
upgrade in the middle of the day on the first day class it's been a rough day.  
We hit some major issues related to STM and then other fall out after doing the 
required code upgrade.  We pushed the changes below at 2am this morning.  It 
did help a bit, but issues resurfaced again at 10am.  We are still on a call 
with Aruba TAC and don't have anything at this time to share that would help 
others.

Patrick



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Cody Ensanian mailto:censa...@uccs.edu>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Wednesday, September 1, 2021 at 5:13 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

To all chiming in regarding the Aruba issues - thank you! I love seeing the 
collaboration and detail sharing.

Chad - will be curious to hear if you push the band-aids to production and 
re-enable airwaves, if this helps your situation.

-Cody


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Street, Chad A
Sent: Wednesday, September 1, 2021 3:01 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)


Cody and all...

We are also seeing STM spikes that are impacting associations.

We have also disabled all our polling ( Airwave, Orion, etc ) and reduced the 
client load balancing thresholds so that we have around 4K clients per 
controller.  This seemed to help a great deal.  After working with Aruba today, 
my understanding of the primary cause of the STM spikes is due to the MM 
polling the MCs.  With large client loads on the MCs ( combined with all the 
other SNMP polling going on ), this seems to take longer and sometimes does not 
work.  When it does not work, it bootstraps which spikes the STM process.

The suggested band-aid is to block the GUI polling traffic between the MM and 
MC.  You will lose the GUI information from your MM, but all the MC information 
is still present.  We have applied this to our lab and we are going to push to 
production tonight to see if it helps.  If it does help, we plan on turning 
back up our monitoring tools ( Airwave ).

fingers crossed

here is how to block the traffic:
cd /md/yourrootlocation
firewall-cp
 ipv4 deny any proto 6 ports 15260 15261 position 1
!

Chad
chad.str...@emory.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Cody Ensanian mailto:censa...@uccs.edu>>
Sent: Wednesday, September 1, 2021 11:41 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the 
fall with large classrooms and delayed connection times (Aruba 8.5.0.13)


I'm hearing issues of high cpu utilization for STM on the controllers causing 
issues. Maybe check your controllers and see if you are seeing the high cpu use 
for STM. Heard earlier today from our SE that Aruba has "identified the issue 
and is working on a fix." I suggest opening the TAC case so they can track it 
better, and help them hone in on a fix better. We're seeing the high cpu use on 
one of our controllers (but this controller also has higher client load). 
However, we have not had a flood of calls to our help desk for wireless issues 
(not saying they aren't happening). Our SE also said if you're experiencing the 
issue, disabling any system or process level debugging as helped, as well as 
disabling any SNMP polling.

[cid:image001.png@01D79F56.E9F8F5D0]



-Cody

UCCS





From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 9:27 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone else seeing any issues 

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

I'm speculating a bit, but Aruba does a lot of stuff with ARP if features like 
bcast ARP suppression, convert bacst to unicast, and BC/MC optimization are 
enabled.  I assume Cisco has some similar features, but perhaps not all of 
them?  Or maybe one key feature is causing most of the trouble for Aruba.

I also know that some of the ARP processing Aruba does on the controllers helps 
reduce the amount of ARP that reaches the underpinning network.  I'm sure many 
of us have ARP policers kicking in right now.  I hate to think about what our 
switches and routers would be struggling with if the controllers didn't manage 
this stuff like they do.  We may have to pick our poison.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 5:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

Glad I brought this up.  Is it possible that Cisco environments have evaded 
this?  Seems as though the ARP flooding via iOS 14 would be something that 
would menace all the manufacturers.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Street, Chad A
Sent: Wednesday, September 1, 2021 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)


Cody and all...

We are also seeing STM spikes that are impacting associations.

We have also disabled all our polling ( Airwave, Orion, etc ) and reduced the 
client load balancing thresholds so that we have around 4K clients per 
controller.  This seemed to help a great deal.  After working with Aruba today, 
my understanding of the primary cause of the STM spikes is due to the MM 
polling the MCs.  With large client loads on the MCs ( combined with all the 
other SNMP polling going on ), this seems to take longer and sometimes does not 
work.  When it does not work, it bootstraps which spikes the STM process.

The suggested band-aid is to block the GUI polling traffic between the MM and 
MC.  You will lose the GUI information from your MM, but all the MC information 
is still present.  We have applied this to our lab and we are going to push to 
production tonight to see if it helps.  If it does help, we plan on turning 
back up our monitoring tools ( Airwave ).

fingers crossed

here is how to block the traffic:
cd /md/yourrootlocation
firewall-cp
 ipv4 deny any proto 6 ports 15260 15261 position 1
!

Chad
chad.str...@emory.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Cody Ensanian mailto:censa...@uccs.edu>>
Sent: Wednesday, September 1, 2021 11:41 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the 
fall with large classrooms and delayed connection times (Aruba 8.5.0.13)


I'm hearing issues of high cpu utilization for STM on the controllers causing 
issues. Maybe check your controllers and see if you are seeing the high cpu use 
for STM. Heard earlier today from our SE that Aruba has "identified the issue 
and is working on a fix." I suggest opening the TAC case so they can track it 
better, and help them hone in on a fix better. We're seeing the high cpu use on 
one of our controllers (but this controller also has higher client load). 
However, we have not had a flood of calls to our help desk for wireless issues 
(not saying they aren't happening). Our SE also said if you're experiencing the 
issue, disabling any system or process level debugging as helped, as well as 
disabling any SNMP polling.

[cid:image001.png@01D79F55.B5EE9F70]



-Cody

UCCS





From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 9:27 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large 
classrooms and delayed connection times (Aruba 8.5.0.13)



This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

Please see my 12:05 response if you missed it.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Steve Smith
Sent: Wednesday, September 1, 2021 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

I wouldn't mind seeing the arp limiting client filter as well.

Thank you,
Steve

Steve Smith
Network Administrator II
Network and Telecommunications Services
Aims Community College
970.339.6565

On Wed, Sep 1, 2021 at 9:57 AM Laramie Combs 
mailto:comb...@appstate.edu>> wrote:
HEy Chuck - would you mind sharing that arp limiting client filter with me?

We are seeing some new traffic patterns where it looks like user devices are 
just walking their subnets, and arping for everything

-Laramie

On Wed, Sep 1, 2021 at 11:47 AM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
We've seen the CPU problem, but I don't think it resulted in Auth problems 
here.  It may have and we just missed it because the more severe problems it 
caused masked them.

BTW, in our case reducing the amount of ARP calmed the CPU.  We applied a 
filter (Thank you Colin Joseph.) to limit the amount of ARP our wireless 
clients could send and it smoothed out the spikes.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Cody Ensanian
Sent: Wednesday, September 1, 2021 11:41 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with 
large classrooms and delayed connection times (Aruba 8.5.0.13)

I'm hearing issues of high cpu utilization for STM on the controllers causing 
issues. Maybe check your controllers and see if you are seeing the high cpu use 
for STM. Heard earlier today from our SE that Aruba has "identified the issue 
and is working on a fix." I suggest opening the TAC case so they can track it 
better, and help them hone in on a fix better. We're seeing the high cpu use on 
one of our controllers (but this controller also has higher client load). 
However, we have not had a flood of calls to our help desk for wireless issues 
(not saying they aren't happening). Our SE also said if you're experiencing the 
issue, disabling any system or process level debugging as helped, as well as 
disabling any SNMP polling.

[cid:image001.png@01D79F2A.AE293D20]

-Cody
UCCS


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 9:27 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large 
classrooms and delayed connection times (Aruba 8.5.0.13)

This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know if no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu<mailto:r...@unc.edu>
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam10.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.educause.edu-252Fcommunity-26data-3D04-257C01-257Ccae104-2540PSU.EDU-257C23c7b4692be5427984b208d96d5eeb66-257C7cf48d453ddb4389a9c1c115

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

Here's what we did.  We had a pcap that suggested only about 1% of clients 
would be affected by this filter, but it cut our ARP almost in half.  We made 
the change last spring in our res halls which were almost fully occupied, and 
we've not traced user complaints back to this yet.

[cid:image001.png@01D79F29.7E132B60]

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Laramie Combs
Sent: Wednesday, September 1, 2021 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

HEy Chuck - would you mind sharing that arp limiting client filter with me?

We are seeing some new traffic patterns where it looks like user devices are 
just walking their subnets, and arping for everything

-Laramie

On Wed, Sep 1, 2021 at 11:47 AM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
We've seen the CPU problem, but I don't think it resulted in Auth problems 
here.  It may have and we just missed it because the more severe problems it 
caused masked them.

BTW, in our case reducing the amount of ARP calmed the CPU.  We applied a 
filter (Thank you Colin Joseph.) to limit the amount of ARP our wireless 
clients could send and it smoothed out the spikes.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Cody Ensanian
Sent: Wednesday, September 1, 2021 11:41 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with 
large classrooms and delayed connection times (Aruba 8.5.0.13)

I'm hearing issues of high cpu utilization for STM on the controllers causing 
issues. Maybe check your controllers and see if you are seeing the high cpu use 
for STM. Heard earlier today from our SE that Aruba has "identified the issue 
and is working on a fix." I suggest opening the TAC case so they can track it 
better, and help them hone in on a fix better. We're seeing the high cpu use on 
one of our controllers (but this controller also has higher client load). 
However, we have not had a flood of calls to our help desk for wireless issues 
(not saying they aren't happening). Our SE also said if you're experiencing the 
issue, disabling any system or process level debugging as helped, as well as 
disabling any SNMP polling.

[cid:image002.png@01D79F29.7E132B60]

-Cody
UCCS


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 9:27 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large 
classrooms and delayed connection times (Aruba 8.5.0.13)

This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know if no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu<mailto:r...@unc.edu>
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7Cbdf812520057426b3d3f08d96d614254%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637661086771803279%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=CMis8

RE: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

We've seen the CPU problem, but I don't think it resulted in Auth problems 
here.  It may have and we just missed it because the more severe problems it 
caused masked them.

BTW, in our case reducing the amount of ARP calmed the CPU.  We applied a 
filter (Thank you Colin Joseph.) to limit the amount of ARP our wireless 
clients could send and it smoothed out the spikes.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Cody Ensanian
Sent: Wednesday, September 1, 2021 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with 
large classrooms and delayed connection times (Aruba 8.5.0.13)

I'm hearing issues of high cpu utilization for STM on the controllers causing 
issues. Maybe check your controllers and see if you are seeing the high cpu use 
for STM. Heard earlier today from our SE that Aruba has "identified the issue 
and is working on a fix." I suggest opening the TAC case so they can track it 
better, and help them hone in on a fix better. We're seeing the high cpu use on 
one of our controllers (but this controller also has higher client load). 
However, we have not had a flood of calls to our help desk for wireless issues 
(not saying they aren't happening). Our SE also said if you're experiencing the 
issue, disabling any system or process level debugging as helped, as well as 
disabling any SNMP polling.

[cid:image001.png@01D79F27.2E913C50]

-Cody
UCCS


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large 
classrooms and delayed connection times (Aruba 8.5.0.13)

This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know if no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

[Enfield, Chuck]

We're not having any unusual problems now, but we have in the past.  Two 
suggestions I can offer are:


  *   Search your controller syslog for "Authentication server request 
timeout".  This will tell you if the controllers are sending auth requests and 
not getting replies back.  We've had this happen when RDAIUS servers report 
being fat and happy.  Best explanation I can offer is that VMs sometimes lie.
  *   Check the controller 802.1X counters to make sure they're not throttling 
authentications.  
https://community.arubanetworks.com/blogs/ssasi1/2020/10/28/how-does-auth-throttling-feature-work-and-what-are-the-associated-cli-commands.
  If this does occur, it tends to happen at times of high user mobility.
Good luck.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large 
classrooms and delayed connection times (Aruba 8.5.0.13)

This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know if no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Wi-Fi Calling - Promoting - Manual E911 Address required

[Enfield, Chuck]

I don't think we have any responsibility for E911 when Wi-Fi calling is used as 
an alternative to cellular coverage.  The telephony service provider 
responsible for meeting E911 obligations in that case is the cellular service 
provider.  They issue the phone number, not us.  The only info we provide about 
Wi-Fi calling is that it may be an option where cell services is poor, and we 
link to the Wi-Fi calling pages at the major cellular providers.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Johnson, Christopher
Sent: Tuesday, August 17, 2021 4:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wi-Fi Calling - Promoting - Manual E911 Address required

I was curious how others have handled Wi-Fi Calling in their environments for 
BYOD/personal devices? Such as whether they promote, advertise, or just make a 
KB Article available on their public repositories. This has come up a couple 
times in the past (one just this past week) about "dead zone" locations for 
Cellular. My biggest concern is the fact the Wi-Fi Calling requires manually 
entering the E911 Address information - and the expectation that this address 
must be updated constantly via manual methods (which won't happen) - such as 
going home and to work every day (not even taking into account moving about 
campus).
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook
 and 
Twitter


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: ArubaOS 8.5.0.9 Clients not getting an address

[Enfield, Chuck]

Sorry, we had the issue on 8.6 code.  We skipped 8.5 code.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Thursday, July 8, 2021 1:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ArubaOS 8.5.0.9 Clients not getting an address

We have not experienced this exact problem, but we've seen weird forwarding 
behaviors from AP-205's after power events.  Not all of our APs are on UPS yet, 
twice after severe thunderstorms some AP-205's stopped forwarding user traffic 
(DHCP still works, but once the client is in the user table the AP won't 
forward its traffic.)  Rebooting the AP fixes the problem.  We suspect that 
power instability is putting the APs in a weird state.  We haven't been on 
8.5.0.9 that long and have not seen the issue on that code yet, but we had it 
on two previous 8.5 releases.

This probably isn't what you have, but I figured I'd mention it in case any of 
the details line up.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jerry Bucklaew
Sent: Thursday, July 8, 2021 1:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ArubaOS 8.5.0.9 Clients not getting an address

To ALL:


  We are experiencing and issue on our aruba os 8.5.0.9 code and I am 
wondering if anyone else has seen it.  Starting this week we have had 
complaints of users not getting an ip address.   It seems to be isolated to two 
buildings for the most part.On the dhcp server we see the discover and 
offer, but never a request.   On the controller packet capture we see the same 
thing, discover and offer but no request.  On a client side packet capture we 
see discover but no offer.  It seems to be ap related and a reboot of the ap 
seems to fix it, sometimes we have to reboot many ap's as a bunch in the same 
area have the issue.   For those with netinsight the insight, "no dhcp request 
after offer" seems to catch it.
For now it is only affect about 50 people out of 5k so a small number.  But 
it also seems to be affecting about 50 Ap's out of 6k, so again a small number. 
 But we really have not confirmed that it is the ap.   We have confirmed that a 
client on the same ap will continually have the problem no matter how many 
times we reboot him or de-auth him.  We have confirmed that many times if we 
get him to go to a different ap/location it does seem to clear up.


So again, just wondering if we are the only ones or if someone else has seen 
this.

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7Cab56b234a1dd4a3eb95308d94234c990%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637613616769191457%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=2h69ldzS1VjDlQMlGE6pjF%2B6rl5GSGgJEgAZonugRik%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7Cab56b234a1dd4a3eb95308d94234c990%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637613616769201448%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=VKkWXhbfJBxvZXMPlDg%2FoCKBVGsBXAjFCqWWevtJiHo%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: ArubaOS 8.5.0.9 Clients not getting an address

[Enfield, Chuck]

We have not experienced this exact problem, but we've seen weird forwarding 
behaviors from AP-205's after power events.  Not all of our APs are on UPS yet, 
twice after severe thunderstorms some AP-205's stopped forwarding user traffic 
(DHCP still works, but once the client is in the user table the AP won't 
forward its traffic.)  Rebooting the AP fixes the problem.  We suspect that 
power instability is putting the APs in a weird state.  We haven't been on 
8.5.0.9 that long and have not seen the issue on that code yet, but we had it 
on two previous 8.5 releases.

This probably isn't what you have, but I figured I'd mention it in case any of 
the details line up.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jerry Bucklaew
Sent: Thursday, July 8, 2021 1:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ArubaOS 8.5.0.9 Clients not getting an address

To ALL:


  We are experiencing and issue on our aruba os 8.5.0.9 code and I am 
wondering if anyone else has seen it.  Starting this week we have had 
complaints of users not getting an ip address.   It seems to be isolated to two 
buildings for the most part.On the dhcp server we see the discover and 
offer, but never a request.   On the controller packet capture we see the same 
thing, discover and offer but no request.  On a client side packet capture we 
see discover but no offer.  It seems to be ap related and a reboot of the ap 
seems to fix it, sometimes we have to reboot many ap's as a bunch in the same 
area have the issue.   For those with netinsight the insight, "no dhcp request 
after offer" seems to catch it.
For now it is only affect about 50 people out of 5k so a small number.  But 
it also seems to be affecting about 50 Ap's out of 6k, so again a small number. 
 But we really have not confirmed that it is the ap.   We have confirmed that a 
client on the same ap will continually have the problem no matter how many 
times we reboot him or de-auth him.  We have confirmed that many times if we 
get him to go to a different ap/location it does seem to clear up.


So again, just wondering if we are the only ones or if someone else has seen 
this.

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Xirrus and ClearPass

[Enfield, Chuck]

I don't have the Xirrus experience you're asking about, but I may be able to 
help get you started.  When you say guest integration, are you trying to do a 
captive portal or just authenticate guests that are registered in some other 
way?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Brian Helman
Sent: Tuesday, June 29, 2021 11:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Xirrus and ClearPass

Hey folks,

So we're in the process of moving from Xirrus to Aruba, but I have a good 
amount of legacy Xirrus wireless that will be around for another year.  Has 
anyone integrated Xirrus with ClearPass to allow basic Guest Access?  It looks 
like the Xirrus units need to pass a MAC back to ClearPass, and that isn't 
happening.

-Brian



Brian Helman, M.Ed |  Director, ITS/Networking & InfrastructureServices
Association for Professional Administrators Chapter Secretary
Salem State University, 352 Lafayette St.,
Salem Massachusetts 01970
GPS: 42.502129, -70.894779



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Oberon 1044 Recessed Suspended Ceiling mount experiences

[Enfield, Chuck]

We have not used that Oberon model, but I've been an Oberon customer since 2004 
and know how they do business.  They will have accounted for the back box.  If 
you install the AP according to the manufacturer's instructions, the AP's 
antenna elements will be coplanar with or below the bottom of the metal 
enclosure.  Given typical ceiling heights and the down tilt built into the 
integrated antennas of most APs, the enclosure shouldn't affect the usable 
coverage very much.  The metal back box also reduces co-channel interference 
between floors.

One caveat is that I recommend testing if you have wireless client devices 
mounted at or near ceiling height.  I don't have any experience with that, but 
the enclosure might be a factor in that circumstance.  Otherwise, you should be 
safe.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Smith, Nayef
Sent: Monday, June 14, 2021 9:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Oberon 1044 Recessed Suspended Ceiling mount experiences

I'm curious if anyone has tested or deployed any access points using the Oberon 
1044 Recessed Suspended Ceiling mounts and noticed any impact to signal?  I've 
been searching for information on signal impact but am not finding much.  The 
recessed box for this mount is metal and designed for plenum installations so 
i'm expecting some impact to signal.

Thanks in advance,
Nayef


Nayef Z. Smith | Network Services | Voice: 404-727-6019


[cid:image001.png@01D7612B.DEBFAAB0]




This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Apple product antenna strength vs other?

[Enfield, Chuck]

I guess I should have answered your original question too.  I'm not aware of 
any trend where Apple devices see a much weaker signal than comparable Windows 
or Android devices.  An intuitive impression based on my experience is that 
MacBooks tend to have a couple dB weaker signal than Windows laptops.  The 
difference in reported signal quality could be based on whether a statistic is 
measured or calculated and have nothing to do with the hardware.  (For example, 
a device measures the RSSI and noise floor and calculate the SNR, or it may 
measure the SNR, estimate the noise floor, and calculate the RSSI.  You can 
expect these methods to produce slightly different results in good 
circumstances, and wildly different results when the noise floor is very high.) 
 Regardless of the measurements, when I've done side-by-side comparisons of 
Windows and MacBooks, they're usually connected at the same data rate, but 
sometimes the MacBook is one rate lower, which is why I suspect a couple dB 
difference.

I'd like to reiterate; this is just my impression based on multiple 
measurements with a small number of devices in the course of routine 
troubleshooting.  If anybody's experience differs, please share.  You won't get 
an argument from me.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Friday, June 4, 2021 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple product antenna strength vs other?

Along the same lines as what Lee said, you need to make sure all the client 
devices are connecting to the same AP and radio.  I also don't recommend 
relying on bars for anything.  Perhaps there's a standard for them now, but if 
there is I'm not aware of it.  To see the connection details:


  *   On Mac, Hold the option key while clicking the wireless icon.
  *   On Android, download any of the myriad apps which provide network 
connection details.  You can also enable developer options (Google the steps), 
then enable Wi-Fi verbose logging to see more connection details right in the 
wi-fi menu on your device.
  *   On Windows, the OS reports Wi-Fi strength in % instead of dB, so I 
recommend an app.  If you haven't purchased any Wi-Fi diagnostic apps for 
Windows, then there's a free one in the app store called Wi-Fi Analyzer that 
will give you the basic info.  I wouldn't trust everything in the app (it seems 
to think all channels are 20Mhz) but I've found the other basic info (channel, 
rssi, protocol, bssid) reliable.
  *   Sadly, I'm not aware of how to get any useful network information from 
iOS devices.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Tyler
Sent: Friday, June 4, 2021 10:43 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Apple product antenna strength vs other?

Chuck,
We checked bar strength.  Macs were in the 2nd out of 3 bars.  PC's were 
getting 4 out of 5.  I didn't check the phones.  We did bandwidth testing and 
Macs were below 10Mb while PC's were averaging around 150Mb.  I did check 
Airwave for possible issues.  It suggested a poor SNR value for at least one of 
the Macs.  I didn't know what to make of that since the PC's were not having 
that issue.  Health was not good.
  Also, the Macs would drop connections and sometimes have random difficulty in 
connecting.  No issues with the PC's or droids.
  It was basic testing at this point, but there was no doubt that Macs 
struggled performance wise while PC's didn't.  I do need to go back and make 
sure they are all using the same AP.  I did check on one Mac, but I didn't 
verify it for all of them.
  Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>]
 On Behalf Of Enfield, Chuck
Sent: Friday, June 4, 2021 9:28 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Apple product antenna strength vs other?

Tim,

If you don't mind my asking, how are you assessing the performance?

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Tyler
Sent: Friday, June 4, 2021 10:18 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Apple product antenna strength vs other?

Wifi experts,

We are running Aruba MM with two controllers on 8.7.3.  Our AP's are mostly 
AP-225's.
I have had complaints from one of our tech rooms that they were getting a poor 
signal.  I finally got around to testing that room out.  The location of the AP 
to this room is in an adjacent room.  When I test with Windows PC's and Droid 
phones, the signal and p

RE: [WIRELESS-LAN] Apple product antenna strength vs other?

[Enfield, Chuck]

Along the same lines as what Lee said, you need to make sure all the client 
devices are connecting to the same AP and radio.  I also don't recommend 
relying on bars for anything.  Perhaps there's a standard for them now, but if 
there is I'm not aware of it.  To see the connection details:


  *   On Mac, Hold the option key while clicking the wireless icon.
  *   On Android, download any of the myriad apps which provide network 
connection details.  You can also enable developer options (Google the steps), 
then enable Wi-Fi verbose logging to see more connection details right in the 
wi-fi menu on your device.
  *   On Windows, the OS reports Wi-Fi strength in % instead of dB, so I 
recommend an app.  If you haven't purchased any Wi-Fi diagnostic apps for 
Windows, then there's a free one in the app store called Wi-Fi Analyzer that 
will give you the basic info.  I wouldn't trust everything in the app (it seems 
to think all channels are 20Mhz) but I've found the other basic info (channel, 
rssi, protocol, bssid) reliable.
  *   Sadly, I'm not aware of how to get any useful network information from 
iOS devices.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Tyler
Sent: Friday, June 4, 2021 10:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple product antenna strength vs other?

Chuck,
We checked bar strength.  Macs were in the 2nd out of 3 bars.  PC's were 
getting 4 out of 5.  I didn't check the phones.  We did bandwidth testing and 
Macs were below 10Mb while PC's were averaging around 150Mb.  I did check 
Airwave for possible issues.  It suggested a poor SNR value for at least one of 
the Macs.  I didn't know what to make of that since the PC's were not having 
that issue.  Health was not good.
  Also, the Macs would drop connections and sometimes have random difficulty in 
connecting.  No issues with the PC's or droids.
  It was basic testing at this point, but there was no doubt that Macs 
struggled performance wise while PC's didn't.  I do need to go back and make 
sure they are all using the same AP.  I did check on one Mac, but I didn't 
verify it for all of them.
  Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>]
 On Behalf Of Enfield, Chuck
Sent: Friday, June 4, 2021 9:28 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Apple product antenna strength vs other?

Tim,

If you don't mind my asking, how are you assessing the performance?

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Tyler
Sent: Friday, June 4, 2021 10:18 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Apple product antenna strength vs other?

Wifi experts,

We are running Aruba MM with two controllers on 8.7.3.  Our AP's are mostly 
AP-225's.
I have had complaints from one of our tech rooms that they were getting a poor 
signal.  I finally got around to testing that room out.  The location of the AP 
to this room is in an adjacent room.  When I test with Windows PC's and Droid 
phones, the signal and performance is just fine.  When we tested with Macs and 
iphones, the signal strength was amazingly weak for all of them.  We tested 
with two Macs and two iphones as well as multiple PC's and Android phones.  
Only the Apple devices had weak signals.  Have any of you experienced a weaker 
antenna performance with your Apple devices on your campuses?

If I put an AP in the room, the Apple devices are fine.  But I am surprised I 
would have to do this.  I would not have expected Apple devices to have weaker 
antennas.

I did check in Airwave to make sure at least one of the Macs was still 
connecting to the same AP.  Any thoughts from anyone?


Tim Tyler
Network Engineer
Beloit College


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7C3e0ceaafd3a44dab4e0f08d9276759eb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C1%7C637584147106887200%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=%2Fm3KHvhkjqTizxwbYG57dhh4sPANhP2g4r3pQbVbKTc%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email a

RE: [WIRELESS-LAN] Apple product antenna strength vs other?

[Enfield, Chuck]

Tim,

If you don't mind my asking, how are you assessing the performance?

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Tyler
Sent: Friday, June 4, 2021 10:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple product antenna strength vs other?

Wifi experts,

We are running Aruba MM with two controllers on 8.7.3.  Our AP's are mostly 
AP-225's.
I have had complaints from one of our tech rooms that they were getting a poor 
signal.  I finally got around to testing that room out.  The location of the AP 
to this room is in an adjacent room.  When I test with Windows PC's and Droid 
phones, the signal and performance is just fine.  When we tested with Macs and 
iphones, the signal strength was amazingly weak for all of them.  We tested 
with two Macs and two iphones as well as multiple PC's and Android phones.  
Only the Apple devices had weak signals.  Have any of you experienced a weaker 
antenna performance with your Apple devices on your campuses?

If I put an AP in the room, the Apple devices are fine.  But I am surprised I 
would have to do this.  I would not have expected Apple devices to have weaker 
antennas.

I did check in Airwave to make sure at least one of the Macs was still 
connecting to the same AP.  Any thoughts from anyone?


Tim Tyler
Network Engineer
Beloit College


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Lead time for Wi-Fi gear?

[Enfield, Chuck]

Most of the time we receive APs in two weeks or less.  There is a supply chain 
problem right now for some AP models, but six months is much longer than any 
delays I've heard about.  You may want to contact your VAR or Aruba yet to see 
the best way to go.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mike Atkins
Sent: Thursday, May 20, 2021 10:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Lead time for Wi-Fi gear?

What's the word on lead time for your Wi-Fi gear?  We are primarily Cisco but 
have some Aruba and see ship times six months out.  Is that what everyone else 
is seeing?  I know some Meraki gear can be shipped within a week or so.  I just 
wanted to get a feel from the group as to what they hear on the street.








--




Mike Atkins
Infrastructure Architect
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Aruba User Experience Insight (UXI)

[Enfield, Chuck]

Hi Martin,

We've found them helpful at Penn State.  They are a nice compliment to more 
sophisticated monitoring systems.   As Rob said, they do rather basic tests, 
but I think they're appropriately priced for what they do.  They're also very 
easy to deploy and understand.  I won't besmirch any specific competing 
products, but if you've tried some of them you know there can be a long 
learning curve.  That's definitely not the case with Aruba UXI.  Their testing 
documentation is pretty good too.  I suspect most of us would benefit from 
having some of these sensors, regardless of your wireless hardware 
manufacturer.  I believe you can link them to Central, but there's no need to.  
They work fine as a stand-alone product.

They periodically test a variety of underpinnings, like auth, dns, dhcp.  It 
will also do iperf2 & 3, but you need to provide the server.  When it tests 
services, you can see things like latency, loss,  jitter, response times and 
throughput, and you can adjust the pass/fail thresholds.  I found the default 
thresholds to be too tolerant of performance issues, but was able to adjust 
them for what I expected from our network.  If a test fails it runs that test 
on an increased frequency until the problem is resolved, and it automatically 
does packet captures for the subsequent test so you can see exactly what's 
failing.  If I had one wish list item it would be the ability to increase the 
test frequency for one specific test.  The minimum interval is 20 minutes, and 
if you have an intermittent problem affecting one of the services that interval 
can make spotting it a hit and miss proposition.  Test results will be 
representative in the long run, but we all aspire to identify and fix problems 
in the near term rather than the long run.

The product seems meant to test the network to key services, not necessarily 
the services themselves.  To your question about 0365, you can test to ensure a 
response from Microsoft's login page on ports 80 and 443, but you can't 
actually log in.  You'll know your users can get to the site with reasonable 
response times, but you won't know if things like email, calendar, SharePoint, 
etc. are responding and performing well.

Hope this helps.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rob Harris
Sent: Friday, April 23, 2021 8:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba User Experience Insight (UXI)

We have remote sites that don't have full, dedicated IT staff, so these are 
very useful for basic "it's up and running" and "these sites / services are 
reachable" verification.

The tests are flexible and the support team is very responsive.


[The Culinary Institute of America]
Robert Harris
Manager - Telecom, Networks, & AV Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu
Food is Life
Create and Savor Yours.(tm)

Please consider the environment before printing this e-mail.




From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Martin MacLeod-Brown
Sent: Friday, April 23, 2021 3:50 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba User Experience Insight (UXI)

Hi Everyone

Im reaching out to the wider community to see if anyone is using any Aruba UXI 
sensors to monitor their users Wi-Fi experience?
If you are running them...

How useful are you finding them

What are you testing?

How flexible are their tests, I could test the availability of core teaching 
sites, but can I test our sites that require authentication? Im thinking 
particularly O365 services

Any other opinions would be very useful if you have any

Thanks

Martin




**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply 

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

[Enfield, Chuck]

I agree.  I've been involved with decisions where we ask lawyers what we should 
do, and we get the easiest, low-risk answer.  We should decide what we'd like 
to do, then ask lawyers how best to do it and what the remaining risks are.  
All business decisions should be based on risk and reward.  We tend to act like 
the law defines what we must do.  That's rarely the case.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Floyd, Brad
Sent: Thursday, April 22, 2021 3:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

We as IT people can discuss the merits of captive portal / no captive portal, 
authentication / reasonably knowing if a device is doing something bad, etc. We 
are asked all of the time what our recommendations are in these circumstances 
and we should weigh in with our opinions. However, it seems like this 
discussion comes down to two questions that we should be asking our 
organization's legal team / advisors:


  1.  If I make this "XYZ decision in providing / maintaining our 
infrastructure", am I considered to have legally exercised "due diligence"?
  2.  If I implement the decision in #1, are you (as the legal team) able to 
reasonably defend the organization against likely legal challenges?

Every organization has different pain levels and will likely make a decision 
based on those factors. Just my 2 cents.
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jeffrey D. Sessler
Sent: Thursday, April 22, 2021 2:04 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


[EXTERNAL SENDER]
For sure, my lens is based on California law, however, the federal Fair Labor 
Standards Act and state overtime and wage payment laws also come into play 
here.  Since nonexempt (hourly) workers have ready access to the technology, 
they will be in a position to respond to e-mails and text messages or to 
otherwise engage in work activities outside their scheduled work hours. Even if 
you don't reimburse for the use of the personal device, there is the wage 
exposure of having to compensate those nonexempt employees because checking 
their work email is - well - working.   When we rolled out DUO, we had to offer 
all employees a token, and they signed a waiver if they wanted to use the DUO 
app on their personal phone for their convenience.

On the eDiscovery/litigation front, it can be difficult/impossible to ensure 
that business records stored on an employee's personal device are retained long 
enough to satisfy discovery requests.  There are also risks should that data 
not be available, and presents a whole other quagmire in the BYOD movement that 
is beyond this conversation.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Enfield, Chuck
Sent: Thursday, April 22, 2021 10:54 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Jeff,

It makes sense that you think this is settled law, because in California it is 
settled law.  I don't recall all the details, but I was on a team involved with 
considering mobile device policies for Penn State, and we discussed a case in 
California around 2014/2015 that clarified California labor law.  The law 
required that employers reimburse employees for expenses, but said nothing 
about how those expenses should be calculated.  Some employers decided they 
only needed to reimburse marginal expenses, but the court decision said that's 
not the case.  So if you're required to use your device for work in California 
you're entitled to reimbursement of some kind.  As I recall, no specific 
reimbursement formula was recommended by the court in that case.  I assume 
there's been some standardization since, even if only de facto.

That, however, was a California court interpreting California law.  Our 
institution considered that ruling and concluded that Pennsylvania law was 
different and that we could discontinue our stipend and require certain 
employees to provide and use their own phones for work communications.  In the 
end, we stopped the stipend, but never implemented the mandate.  I was never 
informed precisely why we stopped short of the mandate.  That decision was made 
out of committee.

I'm confident there was no clear Federal requirement when we were discussing 
this in 2016, but if there's been case law or US Department of Labor guidance 
since then I wouldn't necessarily expect to know about it.  I'm am curious if 
anybody knows more about it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jeffrey D. Sessler
Se

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

[Enfield, Chuck]

We discussed all those issues, and no doubt it opens a smelly can of worms.  
Most of these issues come into play simply by allowing employees to use 
personal devices.  If you allow for personal device use, requiring their use 
didn't create many additional legal issues.

I feel like I need to make a disclaimer here.  I'm not a lawyer, you may recall 
me getting things very wrong regarding CALEA a couple years back.  I researched 
your comments and concluded you were right and the university attorney that 
gave me contradictory information was incorrect.  It took me long enough to be 
sure of that that I never replied to the thread to say so.  I could be wrong 
about this as well, but unlike our guest network access, which was evaluated by 
one attorney and probably didn't get very much attention from her, this issue 
was taken very seriously by the controller, HR, Risk, and General Counsel.  
Outside counsel with expertise in this area was also consulted.  I'm confident 
that whatever our legal team concluded on this issue was defensible.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Thursday, April 22, 2021 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

For sure, my lens is based on California law, however, the federal Fair Labor 
Standards Act and state overtime and wage payment laws also come into play 
here.  Since nonexempt (hourly) workers have ready access to the technology, 
they will be in a position to respond to e-mails and text messages or to 
otherwise engage in work activities outside their scheduled work hours. Even if 
you don't reimburse for the use of the personal device, there is the wage 
exposure of having to compensate those nonexempt employees because checking 
their work email is - well - working.   When we rolled out DUO, we had to offer 
all employees a token, and they signed a waiver if they wanted to use the DUO 
app on their personal phone for their convenience.

On the eDiscovery/litigation front, it can be difficult/impossible to ensure 
that business records stored on an employee's personal device are retained long 
enough to satisfy discovery requests.  There are also risks should that data 
not be available, and presents a whole other quagmire in the BYOD movement that 
is beyond this conversation.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Enfield, Chuck
Sent: Thursday, April 22, 2021 10:54 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Jeff,

It makes sense that you think this is settled law, because in California it is 
settled law.  I don't recall all the details, but I was on a team involved with 
considering mobile device policies for Penn State, and we discussed a case in 
California around 2014/2015 that clarified California labor law.  The law 
required that employers reimburse employees for expenses, but said nothing 
about how those expenses should be calculated.  Some employers decided they 
only needed to reimburse marginal expenses, but the court decision said that's 
not the case.  So if you're required to use your device for work in California 
you're entitled to reimbursement of some kind.  As I recall, no specific 
reimbursement formula was recommended by the court in that case.  I assume 
there's been some standardization since, even if only de facto.

That, however, was a California court interpreting California law.  Our 
institution considered that ruling and concluded that Pennsylvania law was 
different and that we could discontinue our stipend and require certain 
employees to provide and use their own phones for work communications.  In the 
end, we stopped the stipend, but never implemented the mandate.  I was never 
informed precisely why we stopped short of the mandate.  That decision was made 
out of committee.

I'm confident there was no clear Federal requirement when we were discussing 
this in 2016, but if there's been case law or US Department of Labor guidance 
since then I wouldn't necessarily expect to know about it.  I'm am curious if 
anybody knows more about it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jeffrey D. Sessler
Sent: Thursday, April 22, 2021 1:06 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Tim,

I would take a look at case law, where it was determined that an employer can 
not expect an employee to use their own device without compensation.  This has 
resulted in two scenarios now.  The first being that the employer provides the 
employee with a stipend to compensate them for use of their personal device.  
The second being th

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

[Enfield, Chuck]

Jeff,

It makes sense that you think this is settled law, because in California it is 
settled law.  I don't recall all the details, but I was on a team involved with 
considering mobile device policies for Penn State, and we discussed a case in 
California around 2014/2015 that clarified California labor law.  The law 
required that employers reimburse employees for expenses, but said nothing 
about how those expenses should be calculated.  Some employers decided they 
only needed to reimburse marginal expenses, but the court decision said that's 
not the case.  So if you're required to use your device for work in California 
you're entitled to reimbursement of some kind.  As I recall, no specific 
reimbursement formula was recommended by the court in that case.  I assume 
there's been some standardization since, even if only de facto.

That, however, was a California court interpreting California law.  Our 
institution considered that ruling and concluded that Pennsylvania law was 
different and that we could discontinue our stipend and require certain 
employees to provide and use their own phones for work communications.  In the 
end, we stopped the stipend, but never implemented the mandate.  I was never 
informed precisely why we stopped short of the mandate.  That decision was made 
out of committee.

I'm confident there was no clear Federal requirement when we were discussing 
this in 2016, but if there's been case law or US Department of Labor guidance 
since then I wouldn't necessarily expect to know about it.  I'm am curious if 
anybody knows more about it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Thursday, April 22, 2021 1:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Tim,

I would take a look at case law, where it was determined that an employer can 
not expect an employee to use their own device without compensation.  This has 
resulted in two scenarios now.  The first being that the employer provides the 
employee with a stipend to compensate them for use of their personal device.  
The second being that employers now provide the necessary devices (tools) to 
the employee in order to carry out their duties.

For example, with COVID, many employers are providing temporary stipends to 
employees to cover Internet consumption and personal cell use.

In no way shape or fashion can an employer compel the user to install or enroll 
their personal device into their employer's end-point management.  The employer 
could say it's an optional condition of the employee's desire, in a voluntary 
decision, to use that device for company business. Can't be forced.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Thursday, April 22, 2021 9:14 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Well, I can tell you that is just not the reality. Sorry!


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jeffrey D. Sessler 
mailto:j...@scrippscollege.edu>>
Sent: Thursday, April 22, 2021 12:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

On 2021-04-21 21:30:53+, Tim Cappalli wrote:
>  I'd also like to address the comment about post-college experience.
>
>  Most organizations these students are going to work at are going to
> require MDM or MAM on their personal devices. So I fundamentally
> disagree with the comment that they won't deal with "enrollment" post
> campus life.

On the above specifically.  In every business scenario I've encountered, and 
it's at EDU level now too, unless you are going to compensate the user for 
access/control of their device, the business has no right to require MDM.  This 
is in the same territory as requiring an employee to check business email from 
a personal device - it must be only as an employee opt-in convenience, and not 
a substitute for the business providing that person the tools they need to do 
their job.

That's a long trip version of saying that a business is going to hand their 
employee a pre-enrolled/managed company-owned device(s) where it is the 
business' responsibility to handle whatever onboarding they've established for 
their company assets.  The individual will never encounter this activity (nor 
should they) with a personal device they own.

Jeff

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jonathan Waldrep
Sent: Wednesday, April 21, 2021 7:27 PM
To: 

RE: ISE CERT Renewal

[Enfield, Chuck]

I can't speak to ISE specifically.  But as for the future activation date, my 
guess is you'll have no problem installing the cert.  Just make sure you don't 
try to use it before the activation date because it's probably not going to 
work.  Regarding the CSR/private key issue, that's just how certs work.  The 
servers use their devices current private key to create the request, so if you 
use a CSR from the server the cert will use the same private key.  If you 
generate a CSR in openSSL, you'll be using a different private key, so you'll 
have to tell the server what that Private key is.  It's no problem.  Your cert 
authority will offer you a package that includes the private cert.  Just 
install that on your server.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Bruce Boardman
Sent: Tuesday, April 20, 2021 8:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ISE CERT Renewal

We are going through Sectigo to renew RADIUS CERT for our 802.1x auth. 
environment. Cisco is a little bit nebulous regarding the activation and 
acceptance of the CERT with a future CERT valid date. The are  not clear if the 
renewal will take without a CSR (why is a  question to Cisco), but they 
indicate that in that case the private key may need to be uploaded. I don't 
want to get to the expiration day to find out that the CERT needs to be 
reissued, which would be a lengthy outage for machine auth clients needing a 
push of the new CERT.

Anybody renewed on ISE prior to the expiration of the existing CERT using a 
future CERT valid date?  Talk me off the ledge.
Thanks


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: WPA3/OWE as campus solution?

[Enfield, Chuck]

I've been floating this idea to IT leadership for years, with no interest on 
their part.  We implemented an open guest network with no rate limiting about 
18 months ago, so now any student who doesn't want to onboard doesn't have to.  
I figured that would get the bosses asking why we bother to authenticate on the 
other SSID, but still no.  It's ironic that the people who constantly stress 
the importance of customer experience and regularly complain to me about the 
onboarding experience can't be bothered to consider obvious alternatives.  I 
wouldn't be so disappointed if we discussed the pros and cons and they came to 
a different conclusion than I have, but it sounds so radical to them that they 
don't even care to discuss it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and "business" clients) and simplifying with 
OWE/WPA3? Like... the open network that's actually moderately secure leveraging 
the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Microsoft Windows 10 CRL Check on 802.1x Authentication

[Enfield, Chuck]

OSCP stapling for RADIUS could open a big can of worms.  I know support is 
growing rapidly on web servers and web browsers, but I'm much less sure about 
RADIUS servers.  As for the client devices, I don't even know if OSCP would 
need to be supported by the OS, the supplicant, or both.  If anybody knows I'd 
be interested in learning more about how OSCP may relate to 802.1X.  If 
operating systems start to expect OSCP it could affect the way many of us use 
organizationally issued certs for auth.  It seems to me that one of the 
perceived virtues of that approach is not worrying about revocation.

I'm somewhat reassured by the fact that MS says this is a bug and not a 
feature, but things change - and quickly too.

Thanks,

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Wednesday, April 14, 2021 10:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft Windows 10 CRL Check on 802.1x 
Authentication

On 2021-04-13 21:20:32+, Pratik Mehta wrote:
> [...]
> The problem is that Windows attempts to perform a CRL check on the 
> RADIUS server certificate during the TLS handshake and before 802.1x 
> authentication is complete. This causes the EAP session to timeout and 
> wireless connectivity to take a long time to be established (more than
> 25 seconds). It does not make sense for the supplicant to perform a 
> CRL check before wireless connectivity is established.
> [...]

 I can't speak to the specifics of the situation, but in general, the solution 
is to use OCSP stapling instead of a CRL check.

 The gist of OCSP stapling is the server contacts the CA/OCSP server to get a 
token that asserts the cert has not been revoked, and sends that with the cert 
to the client. This allows the client to verify the server's cert hasn't been 
revoked without having to connect another network resource. I've probably got 
the details there wrong, but that is the _idea_ of what is happening.

 Implementing OCSP stapling on your authentication servers may bypass the bug.

 Full disclosure: we haven't gotten around to implementing this ourselves yet, 
so there may well be dragons ahead that I am completely unaware of.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Museum WiFi Stealthing

[Enfield, Chuck]

We are mounting them in the walls.  Mostly above doorways where things like 
exit signs also live.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Floyd, Brad
Sent: Monday, April 12, 2021 5:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Museum WiFi Stealthing

Chuck,
How high is the ceiling? If I go all the way to the ~25' ceiling, I would need 
to mount an external antenna (maybe 60-degree) to the face of the box to keep 
the beamwidth from spreading into adjacent exhibit rooms by the time it gets to 
the floor. What's the cover of the box made of (are you concerned about the AP 
baking in the box)?
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Monday, April 12, 2021 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Museum WiFi Stealthing


[EXTERNAL SENDER]
The Architects for a new museum currently in design here approved this 
enclosure.

[1018-00-Wi-Fi Access Point non-metallic, low-profile, recessed, or in-wall 
mount 
enclosure]<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Foberoninc.com%2Fproducts%2F1018-00%2F=04%7C01%7Ccae104%40PSU.EDU%7C2a9b08e9b19f4028905c08d8fdfce9bf%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637538609998559035%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=ZLVMtUX1PyVhyda%2FvB3LMyIIR3xN9plrCTjndhdmwvw%3D=0>

It's not invisible, but it's relatively discrete installed in a white wall or 
ceiling.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Floyd, Brad
Sent: Monday, April 12, 2021 4:58 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Museum WiFi Stealthing

I would be interested in hearing from fellow Higher-Ed WiFi Wizards about any 
stealthing wizardry you might have employed for a museum deployment on your 
campus. Think about warehouse height ceilings of ~25', but a much prettier 
environment. Any links to photos would be highly appreciated.

As Lee always says, "This is not an invitation for vendors to contact me".

Thanks,
Brad


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7C2a9b08e9b19f4028905c08d8fdfce9bf%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637538609998569028%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=rKVsgC3RvhoR0qbzGRBOXmU0a1WdkAp206EwK9v5VQ4%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7C2a9b08e9b19f4028905c08d8fdfce9bf%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637538609998569028%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=rKVsgC3RvhoR0qbzGRBOXmU0a1WdkAp206EwK9v5VQ4%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7C2a9b08e9b19f4028905c08d8fdfce9bf%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637538609998579023%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=YNA0K4%2BGnCUMSnndTzYLh4XBCSxp88fw6hWP09kj%2BkM%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Museum WiFi Stealthing

[Enfield, Chuck]

The Architects for a new museum currently in design here approved this 
enclosure.

[1018-00-Wi-Fi Access Point non-metallic, low-profile, recessed, or in-wall 
mount enclosure]

It's not invisible, but it's relatively discrete installed in a white wall or 
ceiling.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Floyd, Brad
Sent: Monday, April 12, 2021 4:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Museum WiFi Stealthing

I would be interested in hearing from fellow Higher-Ed WiFi Wizards about any 
stealthing wizardry you might have employed for a museum deployment on your 
campus. Think about warehouse height ceilings of ~25', but a much prettier 
environment. Any links to photos would be highly appreciated.

As Lee always says, "This is not an invitation for vendors to contact me".

Thanks,
Brad


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Wi-Fi and Covid

[Enfield, Chuck]

Darn you Philippe.  I was determined to get through the day without being had.  
Better luck next year I guess.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Philippe Hanset
Sent: Thursday, April 1, 2021 5:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid

Ok, Full Disclosure ... I was in shortage of April 1st fun :)


AFO, April's Fools Officer :)




On Apr 1, 2021, at 4:47 PM, Spurgeon, Charles E 
mailto:c.spurg...@austin.utexas.edu>> wrote:

IMHO, Exposure Notification Express is the droid to look for.
https://screenrant.com/apple-google-coronavirus-exposure-notifications-explained/

It has been adopted by a number state heath depts in the US, but there needs to 
be more.
https://9to5mac.com/2021/01/16/covid-19-exposure-notification-api-states/

This kind of contact tracing appears to be an important component when it comes 
to long term management of COVID, its variants, and the follow-on viruses that 
are inevitable.
https://www.wired.com/story/larry-brilliant-herd-immunity-end-of-pandemic/

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jerry Bucklaew
Sent: Thursday, April 1, 2021 3:09 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid

We had the same discussions and the same conclusion, wifi is not good for this. 
  One reason is  you can't trust the result.  You can't say a person was in a 
certain building because they may have forgot their phone, not registered yet.  
 You can't say a person was not in a building because many devices registered 
to a person are stationary and connect even when the person is not there.  So 
any data you pull is inconclusive at best.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Dan Lauing
Sent: Thursday, April 1, 2021 3:53 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid

I don't believe Wi-Fi is a good technology for this. It's nice when you can 
reuse existing overhead, but I don't think 2.4/5/6 radio is the answer. You're 
just begging for false positives.

On Thu, Apr 1, 2021 at 2:47 PM Seth Bean 
mailto:seth.b...@mcla.edu>> wrote:
We ducked this by explaining our wireless design was created for coverage, not 
security/triangulation, which is true.  Many of our buildings do not have the 
capability to do triagulation because of AP positions.  We didn't even get into 
the privacy item, which was honestly a relief.

Seth Bean
Administrator of Networks and Telecommunications
APA Union Chapter President
Massachusetts College of Liberal Arts
413.662.5022
413.663.1276
375 Church Street
North Adams,
MA 01247
"National Top Ten
Public Liberal Arts College"
2020-2021 US News & World Report

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Thursday, April 1, 2021 3:33 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid

CAUTION: This email originated from outside of MCLA. Do not click links or open 
attachments unless you recognize the sender and know the content is safe.

Several vendors are trying to monetize COVID... the Wi-Fi part (in my opinion) 
falls apart fairly quickly in spots when you start talking it through 

RE: [WIRELESS-LAN] Outdoor WLANs?

[Enfield, Chuck]

That's definitely true, but unless you have pervasive outdoor coverage you have 
to account for that on your indoor APs anyway.  Careful AP placement and 
trimming the low data rates on the indoor APs cuts way down on that problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Julian Y Koh
Sent: Thursday, March 4, 2021 2:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Outdoor WLANs?

I can't remember all the technical nitty-gritty details, and things may have 
changed in the past few years since, but when we were using NetInsight to help 
us plan out where our highest priority areas were for outdoor Wi-Fi, someone 
from Aruba told us that adding outdoor APs and making sure that your regular 
indoor SSIDs were set up on those APs would in many cases lead to better 
performance for people indoors.  This was (IIRC) because people walking by the 
outside of a building would try to associate to the indoor APs on your regular 
SSIDs and because the signal is marginal, overall AP performance suffers.  By 
giving the outdoor transient folks a better connection pathway, the indoor APs 
benefit.

-Julian


On Mar 4, 2021, at 12:02, Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:

Hi Mike,

The problem you describe comes up regularly with requests for outdoor coverage. 
 Indoor capacity is not limitless, but, in general, it's much easier to add 
indoor capacity than outdoor.  If coverage is for casual use and best effort is 
acceptable (In other words, some coverage is better than no coverage) then no 
problem.  If, as is true in your case, there's a critical application that must 
be supported, then I take one of two positions:


  1.  If the expectation is that we must support both the critical app and 
provide wireless for general use, we don't do it.  We have network improvements 
we'd like to make but can't because of insufficient time and money, so we 
should not undertake a project if we can't be reasonably confident of success.
  2.  We'll support the critical app but won't provide SSID's for general use.

Our preference is to support all our SSID's anywhere it's reasonable to do so, 
and there are very few places we don't do that.  Unfortunately, sometimes it's 
not reasonable to do everything.  In all but the most mission-critical cases, 
that means we don't do anything.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Michael Dickson
Sent: Thursday, March 4, 2021 12:12 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Outdoor WLANs?

I'm wondering what folks think about adding eduroam (.1x) and guest SSIDs to 
outdoor deployments where AP device capacity would be severely undersubscribed. 
Would support for only a fraction of user devices during an event be more of a 
problem or a solution from a user experience perspective?

We're looking at expanding outdoor coverage near our athletic arenas. Design is 
primarily for vending and ticket scanners, etc. Special SSIDs will be used. 
Density coverage for all attendees is not in the spec. These areas are located 
beyond roaming distance from the main campus. I can think of both pros and cons 
for including these campus SSIDs but wonder what others think.

Thanks,
Mike



Michael Dickson

Network Engineer

Information Technology

University of Massachusetts Amherst

413-545-9639

michael.dick...@umass.edu<mailto:michael.dick...@umass.edu>

PGP: 0x16777D39
On 2/19/21 9:17 PM, Rios, Hector J wrote:
Similar to others, we also broadcast our main SSIDs outdoors. I think it is the 
best design. It keeps things consistent. To Lawson's point, seamless mobility 
could be a challenge. Depending on the size of your campus and your network, 
you might be able to have a large subnet. But for those that are unable to do 
that, then your outdoor Wi-Fi design becomes even more important. You have to 
find ways to break your campus into zones that make sense, from a roaming 
perspective. Also, some outdoor Wi-Fi deployments tend to be focused on 
coverage only, but with COVID a lot of us are finding out that we also need to 
focus on density. An outdoor AP can cover large areas, but that also means more 
clients can connect to it. And the more you try to cover the higher the 
potential for your Wi-Fi performance to suffer.

Hector Rios, Wireless Network Architect
The University of Texas at Austin | ITS

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fu

RE: [WIRELESS-LAN] Outdoor WLANs?

[Enfield, Chuck]

Hi Mike,

The problem you describe comes up regularly with requests for outdoor coverage. 
 Indoor capacity is not limitless, but, in general, it's much easier to add 
indoor capacity than outdoor.  If coverage is for casual use and best effort is 
acceptable (In other words, some coverage is better than no coverage) then no 
problem.  If, as is true in your case, there's a critical application that must 
be supported, then I take one of two positions:


  1.  If the expectation is that we must support both the critical app and 
provide wireless for general use, we don't do it.  We have network improvements 
we'd like to make but can't because of insufficient time and money, so we 
should not undertake a project if we can't be reasonably confident of success.
  2.  We'll support the critical app but won't provide SSID's for general use.

Our preference is to support all our SSID's anywhere it's reasonable to do so, 
and there are very few places we don't do that.  Unfortunately, sometimes it's 
not reasonable to do everything.  In all but the most mission-critical cases, 
that means we don't do anything.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Dickson
Sent: Thursday, March 4, 2021 12:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Outdoor WLANs?

I'm wondering what folks think about adding eduroam (.1x) and guest SSIDs to 
outdoor deployments where AP device capacity would be severely undersubscribed. 
Would support for only a fraction of user devices during an event be more of a 
problem or a solution from a user experience perspective?

We're looking at expanding outdoor coverage near our athletic arenas. Design is 
primarily for vending and ticket scanners, etc. Special SSIDs will be used. 
Density coverage for all attendees is not in the spec. These areas are located 
beyond roaming distance from the main campus. I can think of both pros and cons 
for including these campus SSIDs but wonder what others think.

Thanks,
Mike


Michael Dickson

Network Engineer

Information Technology

University of Massachusetts Amherst

413-545-9639

michael.dick...@umass.edu

PGP: 0x16777D39
On 2/19/21 9:17 PM, Rios, Hector J wrote:
Similar to others, we also broadcast our main SSIDs outdoors. I think it is the 
best design. It keeps things consistent. To Lawson's point, seamless mobility 
could be a challenge. Depending on the size of your campus and your network, 
you might be able to have a large subnet. But for those that are unable to do 
that, then your outdoor Wi-Fi design becomes even more important. You have to 
find ways to break your campus into zones that make sense, from a roaming 
perspective. Also, some outdoor Wi-Fi deployments tend to be focused on 
coverage only, but with COVID a lot of us are finding out that we also need to 
focus on density. An outdoor AP can cover large areas, but that also means more 
clients can connect to it. And the more you try to cover the higher the 
potential for your Wi-Fi performance to suffer.

Hector Rios, Wireless Network Architect
The University of Texas at Austin | ITS


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: android 11 upcoming changes Feb 15th 2021

[Enfield, Chuck]

I know I’m singing to the choir when responding to you two, but it’s worth 
reminding readers that the main risk here isn’t to the network.  It’s to the 
user’s account credentials.  I’m pretty sure we think that’s important in 
higher ed too.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Wednesday, February 3, 2021 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

For higher ed, you're absolutely right. For all other enterprise use cases, 
credential security is super important.

Unfortunately a network supplicant is not aware of the deployment type and 
can't adapt.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jennifer Minella 

Sent: Wednesday, February 3, 2021 16:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


There’s a fine, grey line between optimal security and usability 



___

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

j...@cadinc.com

919.460.1313 Main Office

919.539.2726 Mobile/text

[CAD LOGO EMAIL SIG]



From: Tim Cappalli 
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021



Jennifer, this has been extensively discussed on this list for the past few 
months which I why I said that nothing has changed since those conversations. 
This current thread makes it seem like more changes are coming in Android on 
February 15th which is NOT the case. There have been no changes since the 
December update and I'm not aware of any other changes in the Android 11 code 
train.



RE: Apple already does this: Android is the only operating system that requires 
a properly configured supplicant. Apple's TOFU model does not result in a 
proper configuration.



RE: wildcard, from the bottom of the message:



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com



They're recommending wildcard subject name matching if the environment uses a 
non-standard configuration. This is poor guidance and will result in credential 
compromise via MitM.



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jennifer Minella mailto:j...@cadinc.com>>
Sent: Monday, February 1, 2021 17:25
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If you’re organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

•A reddit article I hope is accurate 

RE: [WIRELESS-LAN] protecting AP's in a gym?

[Enfield, Chuck]

C0%7C0%7C637475438169883412%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000=haeZ2KrqockzOytEww295gcwhQFDaMfKGva1ODVzf4E%3D=0>

They're NEMA4 rated and we're hoping they'll handle any abuse.

--
Regards,

Bryan Shoebottom
Network & Systems Specialist

Network Services & Computer Operations
1001 Fanshawe College Blvd. London, ON N5Y 5R6
T 519.452.4430 x4904 | F 519.453.3231
bshoebot...@fanshawec.ca<mailto:bshoebot...@fanshawec.ca>

[cid:image004.png@01D6F648.486D2900]

From: Enfield, Chuck mailto:cae...@psu.edu>>
Sent: January 28, 2021 12:17 PM
Subject: Re: [EXTERNAL] [WIRELESS-LAN] protecting AP's in a gym?

We use an appropriately sized polyethylene or ABS NEMA box.  No need for fiber 
reinforcement.  I don't have sensitive enough equipment to detect any RF 
performance difference (signal strength, data rate, retry rate, etc.) between 
cover on vs. off tests.  Some of them have been painted with latex wall paint 
and that hasn't hurt performance either.  We've been using them sealed for 
years and haven't had a problem with AP reliability or service life due to 
heat, but it's also cheap and easy to drill a few ½" vent holes in the top and 
bottom if heat is a concern. (I recommend venting if it's in an unconditioned 
space.)  We've purchased them a little larger than required and haven't had to 
replace them when we life-cycled APs, but the switch to AX models is probably 
going to finally require new boxes for us.  They're cheap, flexible, and 
available off-the-shelf.

That said, I have nothing bad to say about the Oberon products others have 
suggested.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Mallon, Jason
Sent: Thursday, January 28, 2021 11:26 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] protecting AP's in a gym?

Hey Tim,
We are using something similar to what is in the link, and from what I can tell 
it does a fairly good job.  We have an AP right behind one of the goals, so I 
know it has been hit a few times.

https://oberoninc.com/products/1026-20168-c/<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Foberoninc.com%2Fproducts%2F1026-20168-c%2F=04%7C01%7Ccae104%40PSU.EDU%7C27b30a0befcc4f528cab08d8c48892ec%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637475438169893406%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000=u9EWDwyxp%2BGyWsQqrGElahzEBQ5NBNLj3ML%2BdbwtnHo%3D=0>

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ua.edu%2F=04%7C01%7Ccae104%40PSU.EDU%7C27b30a0befcc4f528cab08d8c48892ec%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637475438169893406%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000=KuAlSjrZzXUB3KljAGGS4w2H0pUo8ghIt77YaOQMv1E%3D=0>jemal...@ua.edu<mailto:jemal...@ua.edu>
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Tim Tyler mailto:ty...@beloit.edu>>
Date: Thursday, January 28, 2021 at 10:21 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [EXTERNAL] [WIRELESS-LAN] protecting AP's in a gym?
Wireless managers,
  We have some Aruba 325 AP's in a gym and I am wondering what some of you use 
to protect them from physical damage such as a softball ball, etc?  Do you use 
some sort of a cage?  If so what?  If it uses metal, does it interfere with 
your signal strength?



Tim Tyler
Network Engineer
Beloit College


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ccae104%40PSU.EDU%7C27b30a0befcc4f528cab08d8c48892ec%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637475438169903401%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000=07vFheYImj9nptUKmVOp%2FrBPcYsA26wqsaTeYudAlN0%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to t

RE: [EXTERNAL] [WIRELESS-LAN] protecting AP's in a gym?

[Enfield, Chuck]

We use an appropriately sized polyethylene or ABS NEMA box.  No need for fiber 
reinforcement.  I don't have sensitive enough equipment to detect any RF 
performance difference (signal strength, data rate, retry rate, etc.) between 
cover on vs. off tests.  Some of them have been painted with latex wall paint 
and that hasn't hurt performance either.  We've been using them sealed for 
years and haven't had a problem with AP reliability or service life due to 
heat, but it's also cheap and easy to drill a few ½" vent holes in the top and 
bottom if heat is a concern. (I recommend venting if it's in an unconditioned 
space.)  We've purchased them a little larger than required and haven't had to 
replace them when we life-cycled APs, but the switch to AX models is probably 
going to finally require new boxes for us.  They're cheap, flexible, and 
available off-the-shelf.

That said, I have nothing bad to say about the Oberon products others have 
suggested.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mallon, Jason
Sent: Thursday, January 28, 2021 11:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] protecting AP's in a gym?

Hey Tim,
We are using something similar to what is in the link, and from what I can tell 
it does a fairly good job.  We have an AP right behind one of the goals, so I 
know it has been hit a few times.

https://oberoninc.com/products/1026-20168-c/

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
jemal...@ua.edu
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Tyler 
Date: Thursday, January 28, 2021 at 10:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [EXTERNAL] [WIRELESS-LAN] protecting AP's in a gym?
Wireless managers,
  We have some Aruba 325 AP's in a gym and I am wondering what some of you use 
to protect them from physical damage such as a softball ball, etc?  Do you use 
some sort of a cage?  If so what?  If it uses metal, does it interfere with 
your signal strength?



Tim Tyler
Network Engineer
Beloit College


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] Issues with Zoom in Res Halls

[Enfield, Chuck]

We struggled with packet loss and many complaints of unexplained connectivity 
issues in the fall. Gaming elicited the most complaints, but Zoom was second.  
We don't know if these applications are having more problems than others, or if 
everything is working similarly and these apps are just more sensitive.  
There's evidence to suggest the latter.

We're pretty sure the loss is occurring on the controllers, but we haven't 
identified the root cause. The loss is also insufficient to explain all the 
connectivity complaints. While the symptoms are clearly distinct, it's still 
possible they share a cause, so we're focusing our attention on the loss. 
Students haven't returned yet, but I expect the problems to pick up right where 
they left off.

From: Charles Rumford 
Sent: Friday, January 22, 2021 10:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Issues with Zoom in Res Halls

Hey -

We have started getting reports of issues with Zoom calls in our Res Halls. Most
of the complaints have been around multiple drops during calls or lagging calls.
Our res halls are currently only at 40-50% capacity if that.

I was curious if anyone else has been seeing any issues with an increase of Zoom
calls from on campus students.


--
Charles Rumford (he/his/him)
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=04%7C01%7Ccae104%40PSU.EDU%7C9cc8d56d19ec4986c29c08d8bf4e2004%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637469689557575220%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=LFFFsNB5u6n87qTWzX2k8VbfaisjOwn8zwaZqA8DIKs%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Wireless Segmentation and NAC

[Enfield, Chuck]

Just curious, but for the respondents recommending Aruba, would that be the 
controller-based flavor or the Instant/Central flavor?  We have over 80K 
simultaneous clients in the normal times (I think.  The normal times seem so 
very long ago.) so we still need controllers for traffic aggregation, but if my 
school was the size of Moody I wouldn't want to manage controllers.  Is Instant 
a good option for a network that size?

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Sneed, Billy (Staff)
Sent: Friday, January 22, 2021 11:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Segmentation and NAC

Sounds like a fun project!
Agreed that Aruba and ClearPass are solid. They're both working well for us and 
have for a long time.

If I were to investigate a new system for wireless service and network access 
control, I'd take a very thorough look at Mist.
https://www.juniper.net/us/en/solutions/wired-wireless-access/

Regards,
Billy

--
Billy Sneed
Enterprise Architect
Information Technology Services
Middlebury College
wsn...@middlebury.edu
802.443.5769

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Rob Harris 
mailto:robert.har...@culinary.edu>>
Sent: Friday, January 22, 2021 10:12
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Wireless Segmentation and NAC

This isn't a very deep answer, but aruba with clearpass should do everything 
you're asking about.


Robert Harris
Manager - Telecom, Networks, & AV Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ciachef.edu%2Fdata=04%7C01%7Cwsneed%40MIDDLEBURY.EDU%7Cfae82d67e4c2447ae16708d8bee82f58%7Ca1bb0a191576421dbe93b3a7d4b6dcaa%7C1%7C0%7C637469251726447721%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=DdlBMNqSVNLYRgiE2Wi9ba%2FS0N5tEDj4zrjIRoGr1YU%3Dreserved=0
Food is Life
Create and Savor Yours.(tm)

Please consider the environment before printing this e-mail.

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Joseph Runkles
Sent: Friday, January 22, 2021 9:36 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Segmentation and NAC

Hi,

We are in the middle of conversations with vendors for a wireless overhaul as a 
relatively small school (we will end up with 1000-1200 AP's).  We are moving 
away from Cisco Aironet and currently talking with Ruckus, Extreme(aerohive), 
Juniper(Mist) and Aruba.  To further complicate things we are also going to 
replace our NAC at the same time (currently using FortiNAC/Bradford) and have 
been looking at XMC, A3, ClearPass, Cloudpath.

As we consider a re-design of the network I would love to ask some questions 
and maybe even pick some peoples brains offline.

*   What are you currently doing for network segmentation for wireless?
o   Separate vlans for staff/faculty/students/iot/gaming/guest?  Flat 
networks for each or divided up by buildings?
o   Do you terminate these vlans on the your core or distribution routers 
with ACLs in between or back on your firewalls with more granular rulesets?
o   Do you allow Byod devices by either staff or students on your 
admin/production network?
o   Do you do any posture checks (Antivirus, OS, Patches) on devices (byod 
or domain joined) before dropping them on the network.

*   AAA (pardon my ignorance)
o   What are you doing for IoT/gaming devices?  PPSK? Mac auth?
o   Are you using RADIUS?  Your own server or the vendors controller/cloud? 
Is your RADIUS providing more than Authentication?  Do you pass vlan info or 
other attributes from RADIUS?
o   Are you using AD groups or attributes to delineate 
Students/staff/faculty/Part time student employee/ect...?  Passing that 

RE: [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

[Enfield, Chuck]

James,

So far this has been a largely technical discussion.  I think that misses the 
point a bit.  Before you can agree on the best technical implementation you 
must first establish what you’re trying to accomplish.  So before we can decide 
how best to implement 802.1X, we must consider why we use 802.1X in the first 
place.

I can think of three reasons to provide authenticated Wi-Fi common to most 
institutions who provide it:


  1.  To limit access to institutional resources to those who require them.
  2.  To manage the risk and liability of being a network provider by being 
able to identify potential abusers on our networks.
  3.  To help protect the data privacy of our users.

This list isn’t comprehensive and a few of us may take issue with item 2, but I 
think these reasons are common and compelling.

Misconfigured 802.1X supplicants put the authentication credentials at risk.  
Insecure credentials undermine the main reasons for doing 802.1X in the first 
place.  In some ways it’s even worse than not doing 802.1X at all.  It not only 
leads to a false sense of security, but compromised credentials undermine the 
security of other authenticated systems in a way that open wi-fi does not.  I 
cringe every time some tech writer or IT leader at my institution refers to our 
802.1X SSID as “Secure Wi-Fi”, and manual configuration of Android and Windows 
devices are my main objection.  If you’re not going to ensure your 1X 
supplicants are properly configured, why use it at all?  Even if you conclude 
that there are marginal benefits of 1X despite potentially insecure 
credentials, I think you must admit that item 3 provides sufficient reason for 
Google to act.  Furthermore, while I agree that Google’s move makes the job 
harder for some of us, it finally ensures that manually configured 802.1X 
networks on Android can be trusted.

My preference would be for Google to make it easier to configure a secure 
network connection on their devices, but let’s not condemn them for requiring 
us to follow best practice.  Any institution who finds this too big a burden to 
provide 802.1X Wi-Fi may want to reconsider their network security paradigms.  
There are other viable approaches.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of James Andrewartha
Sent: Saturday, January 16, 2021 9:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert 
Verification

I’m arguing on behalf of the many poorly-resourced environments where NPS has a 
marginal cost of zero, and that enabling TOFU would be a simple thing to 
improve their security. Most of these places don’t have the budget or expertise 
for something like CPPM (I have it and even I’m intimidated by it). Microsoft 
isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported 
in Azure). It’s the responsibility of vendors to provide accessible tools for 
security.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turpin, Max
Sent: Sunday, 17 January 2021 7:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert 
Verification

You do have to maintain a pki or have someone else do it but CRLs are hardly 
necessary if you do identity checking as part of your radius service. If you 
want to do posture checking you will need to use some sort of agent (as far as 
I know) so that could certainly be part of your on boarding solution.

The fact that the majority of environments fail to deploy 802.1x correctly 
doesn’t take away the responsibility of institutions to fix it and provide a 
secure solution to users even if it means educating the administration and 
users on what must be done now to access the network. And as we almost all 
know, the problem is not a technical one now, but one of communication.

Max

On Jan 16, 2021, at 10:56 AM, James Andrewartha 
mailto:jandrewar...@ccgs.wa.edu.au>> wrote:

Certificate enrolment sucks for BYOD though, there’s no ongoing posture 
checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a 
limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no 
others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: 

RE: Weak Security

[Enfield, Chuck]

We stopped supporting TKIP years ago.  No issues that I’m aware of.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
814-863-8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Entwistle, Bruce
Sent: Tuesday, December 1, 2020 7:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Weak Security

Apple devices that are updating to IOS 14 are now reporting that wireless 
security is weak.   We are currently using a combination of WPA/TKIP and 
WPA2/AES for security, but are considering the move to WPA2/AES only.  I was 
looking to see what others have done and what challenges you faced in making 
these changes.

https://discussions.apple.com/thread/251805737

Thank you
Bruce Entwistle
Network Manager
University of Redlands


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

FW: [WIRELESS-LAN] Client roaming

[Enfield, Chuck]

0>
 - How To Modernize Your Captive Network


Maybe it is just us, but we have lots of places where a 12dB delta is hard to 
achieve when designing for dual 5G radio coverage at -65 dB.  Clients end up 
skipping an AP (or two) before actually roaming.  Not to mention use case and 
behavior differences between laptops and mobile devices like phones and 
tablets.  You might notice on a laptop Zoom session, maybe not with an iPhone 
VoWi-Fi session.  Our focus was on VoWi-Fi, thinking it was the more 
challenging thing to tackle.   Remote learning is challenging those assumptions.







Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jake Snyder
Sent: Friday, October 9, 2020 3:33 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Client roaming

On thing to keep in mind is that iOS devices start behavior poorly when they 
have no good option above -65.  That’s the threshold they prefer 5GHz and when 
you combine that with “hallway design” and “band select” you are asking for a 
bad time.

Scenario:
Client doesn’t see 5GHz above -65.  2.4Ghz looks better, client tries to 
associate and bandselect tries to send them back.  Client doesn’t think 5GHz 
meets its requirements, tries to associate on 2.4Ghz.  Round and round they go.

If you need band select for devices like iOS that prefer 5GHz, you likely don’t 
have enough 5GHz coverage, and trying to force them to 5GHz only results in 
issues.

A better approach is to have at least 6db of transmit power more on 5GHz than 
2.4.  This makes 5GHz generally look more attractive so clients naturally pick 
it, band select not needed.  You can easily do this with TPC min/max settings.

Also keep in mind when looking at your survey reports.  -65 is as measured by 
the device, not your fancy sidekick or aircheck.  Figure you need an extra 
7-10db delta to overcome the limitations of some mobiles devices.  That puts 
you -58 to -55 as measured.



Sent from my iPhone

On Oct 9, 2020, at 1:08 PM, James Helzerman 
mailto:jarh...@umich.edu>> wrote:

Best thing you can do for clients is have a 5GHz only SSID.  We moved over the 
summer to this with our main 802.1x network and it has fixed a ton of these 
roaming issues and complaints of performance.  Basically take the decision 
making out of the hands of the client, give them only one band to choose from.  
Band Select / steering may work but can lead to a lot of users issues as 
roaming can break if the client doesnt take the hint to use 5GHz.  Transitions 
with real time applications like voice can be negatively affected.

For those on our campus that have 2.4GHz only devices, we offer eduroam in both 
bands and have them use that then use AAA override to place them in the same 
network as our branded ssid giving them all the same access to resources.  Our 
branded 802.1x, MWireless, has 95% of our user devices.

-Jimmy


--
James Helzerman
Wireless Network Engineer
University of Michigan - ITS

On Fri, Oct 9, 2020 at 12:03 PM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
FWIW, I’ve been reluctant to assume this is a new problem.  Usage patterns have 
changed in the dorms and people are spending much more time using real-time 
protocols than ever before.  Those protocols make brief connectivity issues 
very noticeable.  It’s quite possible we’ve always had these problems, but they 
rarely bothered users enough to make them open trouble tickets.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Michael Davis
Sent: Friday, October 09, 2020 10:49 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Client roaming

We're an Aruba shop and only seeing it on iOS and MacOS devices.
On 10/9/20 10:44 AM, Mallon, Jason wrote:
I have not been able to pinpoint a device type as of yet.  It seems to be 
happening across all platforms including game systems.

Thanks,
Jason Mallon | Network Engineer III


OIT
The University of Alabama
<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ua.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7C2944732e79c4423356dc08d870754aa0%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637382996397530686=u6l2BWxBfAAd8vdjmNft0jQhrT3ocDJWEeSjRTUqH4s%3D=0>jemal...@ua.edu<mailto:jemal...@ua.edu>



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, October 9, 2020 at 9:40 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [EXTERNAL] Re: [WIRELESS-LAN] Client roaming
We’re an Aruba shop and have noticed similar behavior.  We’re having more 
i

RE: [WIRELESS-LAN] Client roaming

[Enfield, Chuck]

/2SgyQXb<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly%2F2SgyQXb=02%7C01%7Ccae104%40PSU.EDU%7Cdd27c38f3145433fb37e08d86c927800%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C1%7C637378723632764398=MajZqPXiOwsSSxdMWXzgNlF4SZ0NyWStZkcEEzGeJ%2Fo%3D=0>
 - You Should Care About DHCP Option 51
https://apple.co/3jnEDWR<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapple.co%2F3jnEDWR=02%7C01%7Ccae104%40PSU.EDU%7Cdd27c38f3145433fb37e08d86c927800%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C1%7C637378723632764398=MkMhssneMNyFd2EUDV10yFEE29LSUIS32Jx7%2B19LT%2Bk%3D=0>
 - How To Modernize Your Captive Network


Maybe it is just us, but we have lots of places where a 12dB delta is hard to 
achieve when designing for dual 5G radio coverage at -65 dB.  Clients end up 
skipping an AP (or two) before actually roaming.  Not to mention use case and 
behavior differences between laptops and mobile devices like phones and 
tablets.  You might notice on a laptop Zoom session, maybe not with an iPhone 
VoWi-Fi session.  Our focus was on VoWi-Fi, thinking it was the more 
challenging thing to tackle.   Remote learning is challenging those assumptions.







Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jake Snyder
Sent: Friday, October 9, 2020 3:33 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Client roaming

On thing to keep in mind is that iOS devices start behavior poorly when they 
have no good option above -65.  That’s the threshold they prefer 5GHz and when 
you combine that with “hallway design” and “band select” you are asking for a 
bad time.

Scenario:
Client doesn’t see 5GHz above -65.  2.4Ghz looks better, client tries to 
associate and bandselect tries to send them back.  Client doesn’t think 5GHz 
meets its requirements, tries to associate on 2.4Ghz.  Round and round they go.

If you need band select for devices like iOS that prefer 5GHz, you likely don’t 
have enough 5GHz coverage, and trying to force them to 5GHz only results in 
issues.

A better approach is to have at least 6db of transmit power more on 5GHz than 
2.4.  This makes 5GHz generally look more attractive so clients naturally pick 
it, band select not needed.  You can easily do this with TPC min/max settings.

Also keep in mind when looking at your survey reports.  -65 is as measured by 
the device, not your fancy sidekick or aircheck.  Figure you need an extra 
7-10db delta to overcome the limitations of some mobiles devices.  That puts 
you -58 to -55 as measured.



Sent from my iPhone

On Oct 9, 2020, at 1:08 PM, James Helzerman 
mailto:jarh...@umich.edu>> wrote:

Best thing you can do for clients is have a 5GHz only SSID.  We moved over the 
summer to this with our main 802.1x network and it has fixed a ton of these 
roaming issues and complaints of performance.  Basically take the decision 
making out of the hands of the client, give them only one band to choose from.  
Band Select / steering may work but can lead to a lot of users issues as 
roaming can break if the client doesnt take the hint to use 5GHz.  Transitions 
with real time applications like voice can be negatively affected.

For those on our campus that have 2.4GHz only devices, we offer eduroam in both 
bands and have them use that then use AAA override to place them in the same 
network as our branded ssid giving them all the same access to resources.  Our 
branded 802.1x, MWireless, has 95% of our user devices.

-Jimmy


--
James Helzerman
Wireless Network Engineer
University of Michigan - ITS

On Fri, Oct 9, 2020 at 12:03 PM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
FWIW, I’ve been reluctant to assume this is a new problem.  Usage patterns have 
changed in the dorms and people are spending much more time using real-time 
protocols than ever before.  Those protocols make brief connectivity issues 
very noticeable.  It’s quite possible we’ve always had these problems, but they 
rarely bothered users enough to make them open trouble tickets.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Michael Davis
Sent: Friday, October 09, 2020 10:49 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Client roaming

We're an Aruba shop and only seeing it on iOS and MacOS devices.
On 10/9/20 10:44 AM, Mallon, Jason wrote:
I have not been able to pinpoint a device type as of yet.  It seems to be 
happening across all platforms including game systems.

Thanks,
Jason Mallon | Network Engineer III


OIT
The University of Alabama
<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ua.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7Cdd27c38f3145

RE: [EXTERNAL] Re: [WIRELESS-LAN] Client roaming

[Enfield, Chuck]

We design to -60dBm as measured by a Fluke Aircheck,  That usually works out to 
around -63 to -65 on a MacBook and -65 to -68 on a tablet or phone.  I’m sure 
there are a few outlier devices that measure it as weaker than -70, but until 
recently it was clear that those were outliers.  If you did a packet capture 
where the coverage was up to our spec you would hardly see any probes.

We were already planning to up our standard to -55 as we deploy 11ax, but 
getting to that in our res halls means an AP in every room.  We have every 
third room right now (each AP is expected to cover through one wall).  We can’t 
afford to triple the number of APs right now, so it’s important that we find 
another solution.  Jimmy’s suggestion of a 5GHz only SSID may help, but based 
on what I know about our coverage I think we’d still have significant issues 
with roaming between different 5GHz radios.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mallon, Jason
Sent: Friday, October 9, 2020 4:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Client roaming

Agreed, an iOS device at -65 starts roaming and acts wonky from time to time.  
The issue we run into a lot is, which iOS device do you design for?  Do you 
design with the iphone 11 or 10, or do you design for the frst SE, 6, or 7 that 
are four or five years old now?  With iOS devices able to get code updates for 
4 years do you still consider them a relevant device on the network, when you 
might see only a handful of them.  I went back through my tickets earlier 
today, and did notice that most complaints are from macOS and iOS devices.  As 
the wireless cards get better at what point  do you start eliminating the older 
equipment off of your network when you are BYOD?

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ua.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7C1314807c18f149dfbacf08d86c9461a7%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637378731861182412=S3RyWoyACCHV8j%2Fumld2sqOvZzD%2FgqvOoTPSLUEG6T4%3D=0>jemal...@ua.edu<mailto:jemal...@ua.edu>
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, October 9, 2020 at 2:32 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [EXTERNAL] Re: [WIRELESS-LAN] Client roaming
On thing to keep in mind is that iOS devices start behavior poorly when they 
have no good option above -65.  That’s the threshold they prefer 5GHz and when 
you combine that with “hallway design” and “band select” you are asking for a 
bad time.

Scenario:
Client doesn’t see 5GHz above -65.  2.4Ghz looks better, client tries to 
associate and bandselect tries to send them back.  Client doesn’t think 5GHz 
meets its requirements, tries to associate on 2.4Ghz.  Round and round they go.

If you need band select for devices like iOS that prefer 5GHz, you likely don’t 
have enough 5GHz coverage, and trying to force them to 5GHz only results in 
issues.

A better approach is to have at least 6db of transmit power more on 5GHz than 
2.4.  This makes 5GHz generally look more attractive so clients naturally pick 
it, band select not needed.  You can easily do this with TPC min/max settings.

Also keep in mind when looking at your survey reports.  -65 is as measured by 
the device, not your fancy sidekick or aircheck.  Figure you need an extra 
7-10db delta to overcome the limitations of some mobiles devices.  That puts 
you -58 to -55 as measured.



Sent from my iPhone

On Oct 9, 2020, at 1:08 PM, James Helzerman 
mailto:jarh...@umich.edu>> wrote:

Best thing you can do for clients is have a 5GHz only SSID.  We moved over the 
summer to this with our main 802.1x network and it has fixed a ton of these 
roaming issues and complaints of performance.  Basically take the decision 
making out of the hands of the client, give them only one band to choose from.  
Band Select / steering may work but can lead to a lot of users issues as 
roaming can break if the client doesnt take the hint to use 5GHz.  Transitions 
with real time applications like voice can be negatively affected.

For those on our campus that have 2.4GHz only devices, we offer eduroam in both 
bands and have them use that then use AAA override to place them in the same 
network as our branded ssid giving them all the same access to resources.  Our 
branded 802.1x, MWireless, has 95% of our user devices.

-Jimmy


--
James Helzerman
Wireless Network Engineer
University of Michigan - ITS

On Fri, Oct 9, 2020 at 12:03 PM Enfield, Chuck 
mailto:cae

RE: [WIRELESS-LAN] Client roaming

[Enfield, Chuck]

A lot of devices roam aggressively once RSSI falls below some threshold level.  
It was -70dBm for a few years.  It started on Apple products and was soon 
copied by Samsung, Microsoft, and many others.  I’ve long treated roaming 
issues where the 5GHz signal is around or weaker than -70 as coverage problems, 
and when we improved the coverage the roaming problem went away.  This year 
we’re seeing the problem where the 5GHz signal is clearly better than -70.  Not 
sure if the threshold changed on the client devices or if something else is at 
work here, but something seems different this year.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cantin
Sent: Friday, October 09, 2020 2:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Client roaming

We're getting hit with this too, and have a case open with Cisco on it. Next 
step is to set up some live debugging...
We have two 8510's paired for failover, upwards of 3,000 client wi-fi devices 
connected, and we've had maybe 20-30 reports that might be related to this.
We may have clients who are feeling it and putting up with it, we're hearing a 
few say "everyone on my floor" etc.
I agree there are certainly some new practices going on, with students holed up 
in their rooms on Zoom meetings all day!
Specifically on the reports we're getting, we're seeing multiple platforms 
(everything from MacOS, iOS, Windows, Androids) roaming around to the nearest 
2-5 ap's on a regular basis.
It's usually from a student who doesn't have an ap in their room - we have 
Cisco 1810W's approx every other room.
Not hearing any reports of this in NON-residential areas, which are all 
2700-series mostly out in hallways etc
Less roaming options, makes sense... hmm, maybe shut off half our 1810W's in 
the dorms? :D

T


On Fri, Oct 9, 2020 at 10:55 AM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
FWIW, I’ve been reluctant to assume this is a new problem.  Usage patterns have 
changed in the dorms and people are spending much more time using real-time 
protocols than ever before.  Those protocols make brief connectivity issues 
very noticeable.  It’s quite possible we’ve always had these problems, but they 
rarely bothered users enough to make them open trouble tickets.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Michael Davis
Sent: Friday, October 09, 2020 10:49 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Client roaming

We're an Aruba shop and only seeing it on iOS and MacOS devices.
On 10/9/20 10:44 AM, Mallon, Jason wrote:
I have not been able to pinpoint a device type as of yet.  It seems to be 
happening across all platforms including game systems.

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ua.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7C11705879c1c145f965c308d86c7ee80e%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637378639612775231=2osDwEcKGtKlX8lKD5YpLe91emdu1aQHlnUj91TjOG8%3D=0>jemal...@ua.edu<mailto:jemal...@ua.edu>
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, October 9, 2020 at 9:40 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [EXTERNAL] Re: [WIRELESS-LAN] Client roaming
We’re an Aruba shop and have noticed similar behavior.  We’re having more 
incidents of intermittent connectivity issues this year than in previous years, 
and most of those clients are making questionable roaming decisions.  It’s been 
really prevalent with iOS and MacOS.  Much less on Windows and Android.  
There’s always been problems with picking a good radio when those devices first 
connect, but, historically, once they were steered to a good 5GHz radio they 
stayed there.  They’re not staying there this year.  We haven’t figured out why.

Chuck Enfield
Manager, Wireless and Cellular
Penn State IT
814.863.8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Mallon, Jason
Sent: Friday, October 09, 2020 10:30 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Client roaming

Wondering if anybody else is seeing this.  We currently have devices doing a 
lot of roaming between 5 and 2.4 radios, especially in the dorms.  I would not 
think anything of it normally, but they are moving from a -52 to -58 on the 5 
radio to a -75 or worse on the 2.4 radio

RE: [WIRELESS-LAN] Client roaming

[Enfield, Chuck]

FWIW, I've been reluctant to assume this is a new problem.  Usage patterns have 
changed in the dorms and people are spending much more time using real-time 
protocols than ever before.  Those protocols make brief connectivity issues 
very noticeable.  It's quite possible we've always had these problems, but they 
rarely bothered users enough to make them open trouble tickets.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Davis
Sent: Friday, October 09, 2020 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Client roaming

We're an Aruba shop and only seeing it on iOS and MacOS devices.

On 10/9/20 10:44 AM, Mallon, Jason wrote:
I have not been able to pinpoint a device type as of yet.  It seems to be 
happening across all platforms including game systems.

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
jemal...@ua.edu
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, October 9, 2020 at 9:40 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 

Subject: [EXTERNAL] Re: [WIRELESS-LAN] Client roaming
We're an Aruba shop and have noticed similar behavior.  We're having more 
incidents of intermittent connectivity issues this year than in previous years, 
and most of those clients are making questionable roaming decisions.  It's been 
really prevalent with iOS and MacOS.  Much less on Windows and Android.  
There's always been problems with picking a good radio when those devices first 
connect, but, historically, once they were steered to a good 5GHz radio they 
stayed there.  They're not staying there this year.  We haven't figured out why.

Chuck Enfield
Manager, Wireless and Cellular
Penn State IT
814.863.8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 
On Behalf Of Mallon, Jason
Sent: Friday, October 09, 2020 10:30 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Client roaming

Wondering if anybody else is seeing this.  We currently have devices doing a 
lot of roaming between 5 and 2.4 radios, especially in the dorms.  I would not 
think anything of it normally, but they are moving from a -52 to -58 on the 5 
radio to a -75 or worse on the 2.4 radio.  This doesn't seem to matter what 
SSID they are connected to.  Band select is enabled on all SSIDs.  We are 
running Cisco 8540 WLCs on 8.10.130.  Most of the complaints are coming from 
the dorms, so I am not sure if it is happening on our other controllers with an 
older code level.

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
jemal...@ua.edu
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**

RE: Client roaming

[Enfield, Chuck]

We're an Aruba shop and have noticed similar behavior.  We're having more 
incidents of intermittent connectivity issues this year than in previous years, 
and most of those clients are making questionable roaming decisions.  It's been 
really prevalent with iOS and MacOS.  Much less on Windows and Android.  
There's always been problems with picking a good radio when those devices first 
connect, but, historically, once they were steered to a good 5GHz radio they 
stayed there.  They're not staying there this year.  We haven't figured out why.

Chuck Enfield
Manager, Wireless and Cellular
Penn State IT
814.863.8715

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mallon, Jason
Sent: Friday, October 09, 2020 10:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Client roaming

Wondering if anybody else is seeing this.  We currently have devices doing a 
lot of roaming between 5 and 2.4 radios, especially in the dorms.  I would not 
think anything of it normally, but they are moving from a -52 to -58 on the 5 
radio to a -75 or worse on the 2.4 radio.  This doesn't seem to matter what 
SSID they are connected to.  Band select is enabled on all SSIDs.  We are 
running Cisco 8540 WLCs on 8.10.130.  Most of the complaints are coming from 
the dorms, so I am not sure if it is happening on our other controllers with an 
older code level.

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
jemal...@ua.edu
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?

[Enfield, Chuck]

I don’t think waiting to enable ax features will provide much relief for the 
intel driver problem.  People don’t update their wireless drivers without a 
reason, so most of the drivers that are incompatible today will still be 
incompatible next fall.  IMHO, we're just going to have to suffer through that 
problem.

My  bigger concern is IoT stuff, which is far less likely to have a fix 
available.  Anybody have ax enabled in their dorms?  How's it working there?

Thanks,

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Norman Elton
Sent: Wednesday, September 23, 2020 9:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?

We uncovered the same driver issue shortly after deploying 802.11ax.
We mitigated by leaving 802.11ax enabled on the 5GHz radios, but disabling on 
the 2.4 radios. This way, compliant devices can connect and take advantage of 
5Ghz connectivity. Those devices with faulty Intel drivers can still connect, 
albeit at substantially reduced data rates. There may be some inner workings of 
802.11ax that I don't recall, but this worked for us!

This was on our Mist AP43s, limited to a single building. The rest of campus is 
running 802.11ac access points from Aerohive.

Norman Elton
William & Mary

On Wed, Sep 23, 2020 at 5:38 PM Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
> What is truly frustrating is that all vendors involved are likely members of 
> the Wi-Fi Alliance, whose "interoperability" testing obviously isn't getting 
> it done.
>
> One man's opinion. 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Ethan Grinnell 
> 
> Sent: Wednesday, September 23, 2020 5:31:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?
>
> I recently wanted to do testing with an affected driver and was able 
> to obtain them on OEM websites instead of directly from Intel. This 
> build has the issue with WiFi6 SSID visibility: 
> https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupp
> ort.lenovo.com%2Fus%2Fen%2Fdownloads%2FDS103594data=02%7C01%7Ccae
> 104%40PSU.EDU%7C5f85db20ad6a480d24b008d8602b46f9%7C7cf48d453ddb4389a9c
> 1c115526eb52e%7C0%7C0%7C637365086281023045sdata=45PRv3hF8%2FwfgFb
> uci2U1gIqrlC17XAGILCWUBy%2F4Qo%3Dreserved=0
>
> Also, I noticed that the Windows 10 built-in driver for many Intel 
> WiFi chips is version 17.x (It was on my test client) which didn't 
> seem to have the issue. So that's fun, it's not just versions lower 
> than some baseline build number being affected. I didn't test many 
> different builds, but it looked like 17.x was good, 18.x, 19.x, and 
> 20.x had some affected builds. More information here: 
> https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> intel.com%2Fcontent%2Fwww%2Fus%2Fen%2Fsupport%2Farticles%2F54799%2
> Fnetwork-and-i-o%2Fwireless.htmldata=02%7C01%7Ccae104%40PSU.EDU%7
> C5f85db20ad6a480d24b008d8602b46f9%7C7cf48d453ddb4389a9c1c115526eb52e%7
> C0%7C0%7C637365086281023045sdata=lD4k2P%2BlL0%2Ba6GKJKfOCpo7OClpi
> GeJ2pLYAfUHR%2F6U%3Dreserved=0
>
> The issue is still around. Many BYOD types require users to update their own 
> drivers, which few seem to do. Windows doesn't always update the drivers 
> either, so there could potentially be lingering issues from outdated drivers 
> for a long time.
>
> Ethan Grinnell
> CCIE R #39723, BS CmpE
> Network Engineer
> Office of Information Technology, Technology Infrastructure, 
> Networking Portland State University
>
>
> On Wed, Sep 23, 2020 at 2:01 PM Mike Atkins  wrote:
>>
>> We deployed our ax capable APs without ax enabled for the same Intel driver 
>> issues.  I wanted to test something with a flawed driver recently and 
>> noticed it is no longer available from Intel.  I think Intel revamped their 
>> downloads page at the end of last year to remove all but the newest 
>> revisions of drivers.   We use SecureW2 for eduroam onboarding so we can get 
>> a sense of drivers used by Windows devices.  We will probably enable Wi-Fi 6 
>> next year if the numbers continue to look good.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Mike Atkins
>>
>> Infrastructure Architect
>>
>> Office of Information Technology
>>
>> University of Notre Dame
>>
>> Phone: 574-631-7210
>>
>>
>>
>>
>>
>>    .__o
>>
>>- _-\_<,
>>
>>---  (*)/'(*)
>>
>>
>>
>>
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Nadim El-Khoury
>> Sent: Wednesday, September 23, 2020 4:41 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?
>>
>>
>>
>> Hi Eric,
>>
>>
>>
>> One more thing that I forgot to answer. We elected to keep Wi-Fi 6 enabled 
>> and just disabled it in the vicinity of our Technical Support Center (User 
>> Support) in the Library 

RE: Mounting outdoor AP's on Lightpoles

[Enfield, Chuck]

PS - It's also possible to put the electrical wiring inside a conduit between 
the base and the fixture, in which case the comm wiring doesn't need a conduit. 
 I think this makes a neater installation, but you have to get whoever it is 
that maintains the lighting to buy into it.

PPS - The ground wires can be exposed to each other.  This is often necessary 
to bond both systems to the grounding electrode at the base of each light pole.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Tuesday, September 08, 2020 12:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mounting outdoor AP's on Lightpoles

The pole is a conduit, but it's an electrical conduit.  Just like indoors you 
can't put power and comm in the same conduit.

We run a separate conduit inside the light poles.  A small, flexible conduit 
can be fished in after the fact if necessary.  Our poles are almost all square, 
so we can just use a weathertight SG box where we enter and exit the pole to 
keep water out of the pole.  A typical installation would involve a schedule 40 
or schedule 80 PVC conduit front the ground and up the base to a SG box near 
the bottom of the pole, another SG box high on the pole just above the desired 
AP mounting height, and a small NM conduit inside the pole connecting the two 
boxes.  The conduit work inside the pole should be performed by electricians, 
but once in place your telecom installers can do the rest.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Blake Brown
Sent: Tuesday, September 08, 2020 11:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mounting outdoor AP's on Lightpoles

We would be interested in hearing about this one as well.

Thanks,
Blake

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Brian Helman 
mailto:bhel...@salemstate.edu>>
Sent: Tuesday, September 8, 2020 8:48 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] Mounting outdoor AP's on Lightpoles

External Email

The folks who have gone done the path of putting AP's on lightpoles using 
something like this mount:



https://i.ebayimg.com/images/g/nZoAAOSwo4pYJkON/s-l500.jpg<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fi.ebayimg.com%2Fimages%2Fg%2FnZoAAOSwo4pYJkON%2Fs-l500.jpg=02%7C01%7Ccae104%40PSU.EDU%7Cdf85660e9c314e6e0d7f08d85412b8cd%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637351786671578203=O5CdEPsneIarzdk5RY3cRaIr3x9wURwrzyQyCqM0nKE%3D=0>



Did any of you put the AP's on existing light posts?

How did you run low voltage copper along with the wires that support the light; 
did you go internal - is the pole consider a conduit so you can't mix or did 
you "stretch" that code a bit - or external (buddying some EMT)?  If you ran 
the low-voltage cable internally, how did you coordinate drilling the poles 
with your Facilities people to pass the low-voltage cable?



Feel free to hit me off-list.



Vendors:  Please do not call or respond with sales.  If you have a suggestion 
on how to do the installs, please provide to the group.



Thank you,

Brian



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Ccae104%40PSU.EDU%7Cdf85660e9c314e6e0d7f08d85412b8cd%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637351786671588196=JqeVmpakkIaq6aukT1hFgyRJhMZC50LS%2BFldWisJvbo%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Ccae104%40PSU.EDU%7Cdf85660e9c314e6e0d7f08d85412b8cd%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637351786671588196=JqeVmpakkIaq6aukT1hFgyRJhMZC50LS%2BFldWisJvbo%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2F

RE: Mounting outdoor AP's on Lightpoles

[Enfield, Chuck]

The pole is a conduit, but it's an electrical conduit.  Just like indoors you 
can't put power and comm in the same conduit.

We run a separate conduit inside the light poles.  A small, flexible conduit 
can be fished in after the fact if necessary.  Our poles are almost all square, 
so we can just use a weathertight SG box where we enter and exit the pole to 
keep water out of the pole.  A typical installation would involve a schedule 40 
or schedule 80 PVC conduit front the ground and up the base to a SG box near 
the bottom of the pole, another SG box high on the pole just above the desired 
AP mounting height, and a small NM conduit inside the pole connecting the two 
boxes.  The conduit work inside the pole should be performed by electricians, 
but once in place your telecom installers can do the rest.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Blake Brown
Sent: Tuesday, September 08, 2020 11:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mounting outdoor AP's on Lightpoles

We would be interested in hearing about this one as well.

Thanks,
Blake

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Brian Helman 
mailto:bhel...@salemstate.edu>>
Sent: Tuesday, September 8, 2020 8:48 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] Mounting outdoor AP's on Lightpoles

External Email

The folks who have gone done the path of putting AP's on lightpoles using 
something like this mount:



https://i.ebayimg.com/images/g/nZoAAOSwo4pYJkON/s-l500.jpg



Did any of you put the AP's on existing light posts?

How did you run low voltage copper along with the wires that support the light; 
did you go internal - is the pole consider a conduit so you can't mix or did 
you "stretch" that code a bit - or external (buddying some EMT)?  If you ran 
the low-voltage cable internally, how did you coordinate drilling the poles 
with your Facilities people to pass the low-voltage cable?



Feel free to hit me off-list.



Vendors:  Please do not call or respond with sales.  If you have a suggestion 
on how to do the installs, please provide to the group.



Thank you,

Brian



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Antenna mounting suggestions

[Enfield, Chuck]

PS - I also recommend bonding the AP and mount to the main conductor for the 
lightening protection system (LPS).  Without equalizing the potential a strike 
may arc from the grounding conductor of the LPS to your wireless gear which (if 
you're doing it right) will have its own ground.  Without bonding you can 
expect very different potentials during a strike, and when that close together 
arcing is likely.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Friday, August 28, 2020 5:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Antenna mounting suggestions

The library is an excellent candidate for a non-penetrating roof mount.  If you 
google it you'll find many options.  Don't get crazy with the size or you'll 
have to have a structure engineer make sure the roof can handle the spot 
loading.  I did the wind load calculations and I think a 100MPH wind could 
result in 23lb of lateral load on an AP-375, so there's no need for tons of 
ballast.  Also, put a pad of some sort (usually available where you order your 
mount) between the mount and the antenna to project the roof membrane.

For Building 2, if you're trying to cover that smallish space between the 
buildings I'd definitely recommend wall-mounted panel antennas.  Put the AP 
above the ceiling inside, drill a ¾" hole in the wall, and mount an ant-35 (or 
something similar) flat to the wall outside.  If you paint it to blend in with 
the brick it will almost disappear.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Brian Helman
Sent: Friday, August 28, 2020 3:50 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Antenna mounting suggestions

Hey everyone:

I hope you're coping with the chaos and enrollment challenges.

So we're rolling out a major wireless upgrade using Aruba gear.  A part of this 
rollout is to provide wireless coverage to a few outdoor spaces.  One of these 
spaces is a quad flanked by 2 relatively tall buildings (about 6 stories).  One 
of those buildings has a flat roof with no knee wall or parapet.  The other has 
a parapet that has glass on the outside.  Both are rubber-membrane roofs, so 
mechanical attachment isn't going to fly.  The building with the parapet only 
has about a 6' clearance between the wall and solar panels, so I only have 
about 2' to work with.

Building 1:
Flat roof
Rubber membrane
Roof has a minimal lip before you drop 6 stories
Has a penthouse that is recessed from the side of the building that I can put 
electronics on/in

Building 2:
Library
Flat roof
Rubber membrane
~40" knee wall/parapet
Rubber membrane goes almost to top of knee wall, then is capped with lead and a 
lightning ground
Outside of wall is glass

Our basic philosophy here is to separate the access points and antennas (ie use 
external antennas).  We can't attach anything to the face of the Library 
(Building 2) because of the glass and I don't really want to have to maintain 
electronics over the edge of a building anyway.  So, how are people installing 
antennas on roofs pointed down to cover quads 60+' below?  I'll figure out 
where to  put the AP's and dress in the cables.

Mounting at ground-level isn't going to work.  There is too much sidewalk and 
landscaping that would have to be disrupted.  It'd be a budget-buster.

Again, physically attaching anything isn't going to be acceptable and in 
Building 2's (Library) case, a large weighted sled will encroach on the service 
area for the solar panels.  There will be several antennae on each roof.

Here are photos.  The photo of Building 1 is a few years old.  The angle with 
the rocks isn't the side of the building I'm putting the antennae.  You can see 
that in the 2nd photo.  I just included the 1st photo because it's a better 
view of the roof:



VENDORS:  I'm already working with Aruba and an integrator.  If you have 
mounting suggestions, please let me know, but there is no sales opportunity 
here.

Thanks,
Brian


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Ccae104%40PSU.EDU%7C653717cdba154447344708d84b9954c6%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637342469211427998=L30bq2stDURJ%2FoJrzVcYq2%2BhF91gdwWXAsQeo6SYsIw%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional par

RE: Antenna mounting suggestions

[Enfield, Chuck]

The library is an excellent candidate for a non-penetrating roof mount.  If you 
google it you'll find many options.  Don't get crazy with the size or you'll 
have to have a structure engineer make sure the roof can handle the spot 
loading.  I did the wind load calculations and I think a 100MPH wind could 
result in 23lb of lateral load on an AP-375, so there's no need for tons of 
ballast.  Also, put a pad of some sort (usually available where you order your 
mount) between the mount and the antenna to project the roof membrane.

For Building 2, if you're trying to cover that smallish space between the 
buildings I'd definitely recommend wall-mounted panel antennas.  Put the AP 
above the ceiling inside, drill a ¾" hole in the wall, and mount an ant-35 (or 
something similar) flat to the wall outside.  If you paint it to blend in with 
the brick it will almost disappear.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Brian Helman
Sent: Friday, August 28, 2020 3:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Antenna mounting suggestions

Hey everyone:

I hope you're coping with the chaos and enrollment challenges.

So we're rolling out a major wireless upgrade using Aruba gear.  A part of this 
rollout is to provide wireless coverage to a few outdoor spaces.  One of these 
spaces is a quad flanked by 2 relatively tall buildings (about 6 stories).  One 
of those buildings has a flat roof with no knee wall or parapet.  The other has 
a parapet that has glass on the outside.  Both are rubber-membrane roofs, so 
mechanical attachment isn't going to fly.  The building with the parapet only 
has about a 6' clearance between the wall and solar panels, so I only have 
about 2' to work with.

Building 1:
Flat roof
Rubber membrane
Roof has a minimal lip before you drop 6 stories
Has a penthouse that is recessed from the side of the building that I can put 
electronics on/in

Building 2:
Library
Flat roof
Rubber membrane
~40" knee wall/parapet
Rubber membrane goes almost to top of knee wall, then is capped with lead and a 
lightning ground
Outside of wall is glass

Our basic philosophy here is to separate the access points and antennas (ie use 
external antennas).  We can't attach anything to the face of the Library 
(Building 2) because of the glass and I don't really want to have to maintain 
electronics over the edge of a building anyway.  So, how are people installing 
antennas on roofs pointed down to cover quads 60+' below?  I'll figure out 
where to  put the AP's and dress in the cables.

Mounting at ground-level isn't going to work.  There is too much sidewalk and 
landscaping that would have to be disrupted.  It'd be a budget-buster.

Again, physically attaching anything isn't going to be acceptable and in 
Building 2's (Library) case, a large weighted sled will encroach on the service 
area for the solar panels.  There will be several antennae on each roof.

Here are photos.  The photo of Building 1 is a few years old.  The angle with 
the rocks isn't the side of the building I'm putting the antennae.  You can see 
that in the 2nd photo.  I just included the 1st photo because it's a better 
view of the roof:



VENDORS:  I'm already working with Aruba and an integrator.  If you have 
mounting suggestions, please let me know, but there is no sales opportunity 
here.

Thanks,
Brian


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] 2.4Ghz channel designations

[Enfield, Chuck]

Rather than just making fun of the stupid suggestion, it’s probably worth 
explaining what makes it stupid.

Back in the days of the 4-channel model all we cared about was throughput.  
Bandwidth was hard to come by, and maximizing it was beneficial.  Figuring out 
which was better was easy.  4 channels gave you 33% more air time.  If adding 
the fourth channel to your plan increased retries by less than 33%, you gained 
bandwidth.  You could test it in your production network and easily measure the 
difference.  I’ve tested it and it worked sometimes and didn’t work others.  
What determined the success was the AP layout and how they were channelized.  
If the AP density wasn’t too high (APs 80” to 100’ apart were common back then) 
and you carefully set your channels then 4 channels increased bandwidth.

Switch to today.  Is anybody manually choosing their channel plan?  If not, is 
your automated radio management systems designed for this?  I’m pretty sure the 
answer to both is “No.”

Furthermore, we now have lots of real-time voice and video traffic on Wi-F that 
we didn’t have in the 11b days. (Yes there were wi-fi phones back then, but 
they sucked and you better not have many of them.)  Today, retries affect 
service quality beyond just the airtime they use.  Doing anything that’s likely 
to increase retries, even a little, is going to have a disproportionate impact 
on real-time service quality.  Increasing bandwidth isn’t sufficient to make 
better Wi-Fi anymore.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Dan Lauing
Sent: Wednesday, August 26, 2020 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] 2.4Ghz channel designations


I believe the basis for his idea is that, because 802.11 clients are far more 
sensitive to other 802.11 clients as opposed to noise, it's better to have 
those extra channels, whose overlapping channels would sound like noise to 
clients not on that specific channel. I am not saying I agree with this, haha.

On Wed, Aug 26, 2020 at 11:44 AM Matt Wierzgac 
mailto:mwierz...@wzcnetworking.net>> wrote:
I echo Seth’s statement.  Utilize the 5GHz radio for dense deployments, and 
shut down the 2.4GHz radios on AP’s where needed, and utilize the 3 channel 
plan.

Thanks,

Matt Wierzgac
Engineering Manager
phone: 248-378-1125
mobile: 248-504-8096
[facebook 
icon][twitter
 
icon][linkedin
 
icon]
[logo]
24371 Catherine Industrial Dr. Suite 225
Novi, MI 48375
www.wzcnetworking.net


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Seth Bean
Sent: Wednesday, August 26, 2020 12:25 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] 2.4Ghz channel designations

I briefly tried the 4 channel (1,4,7,11) plan and it was awful. I have found 
shutting off the 2.4 radio in dense environments works in a 3 channel plan.

Seth Bean
Administrator of Networks and Telecommunications
MCLA APA Chapter President
Massachusetts College of Liberal Arts
413.662.5022
413.663.1276
375 Church Street
North Adams,
MA 01247


“National Top Ten
Public Liberal Arts College”
2019 US News & World Report

MCLA

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of SWARTZ, POLA 
mailto:pola_swa...@dpsk12.org>>
Sent: Wednesday, August 26, 2020 12:18:24 PM
To: 

RE: [EXT] Re: [WIRELESS-LAN] 2.4Ghz channel designations

[Enfield, Chuck]

The four-channel plan made sense when AP density was lower and before OFDM 
(back when spectral density graphs had long tails.)  I'm not sure if it was 
every really better than a 3-channel plan, but there was a case for it.  Even 
if it was better for 802.11b, 802.11g and the iPhone made it obsolete.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Seth Bean
Sent: Wednesday, August 26, 2020 12:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] 2.4Ghz channel designations

I briefly tried the 4 channel (1,4,7,11) plan and it was awful. I have found 
shutting off the 2.4 radio in dense environments works in a 3 channel plan.

Seth Bean
Administrator of Networks and Telecommunications
MCLA APA Chapter President
Massachusetts College of Liberal Arts
413.662.5022
413.663.1276
375 Church Street
North Adams,
MA 01247


"National Top Ten
Public Liberal Arts College"
2019 US News & World Report

MCLA

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of SWARTZ, POLA 
mailto:pola_swa...@dpsk12.org>>
Sent: Wednesday, August 26, 2020 12:18:24 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] 2.4Ghz channel designations

CAUTION: This email originated from outside of MCLA. Do not click links or open 
attachments unless you recognize the sender and know the content is safe.


Amen


Smile,
Pola Swartz
WAN/Wireless Infrastructure Manager
Department of Technology Services
780 Grant St., Denver, CO 80203
#p 720-423-3603 | c 303-905-9520 | 
dpsk12.org
[http://thecommons.dpsk12.org/cms/lib/CO01900837/Centricity/Domain/42/DPS-Logo.jpg]
[http://thecommons.dpsk12.org/cms/lib/CO01900837/Centricity/Domain/42/Facebook.jpg]
 
[http://thecommons.dpsk12.org/cms/lib/CO01900837/Centricity/Domain/42/Twitter.jpg]
 

 
[http://thecommons.dpsk12.org/cms/lib/CO01900837/Centricity/Domain/42/Instagram.jpg]
 

  
[http://thecommons.dpsk12.org/cms/lib/CO01900837/Centricity/Domain/42/Youtube.jpg]
 

Students First . Integrity . Equity.  Collaboration. Accountability . Fun
Never out smart your common sense...



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Brady J. Ballstadt mailto:bjbal...@uark.edu>>
Sent: Wednesday, August 26, 2020 10:15 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] Re: [WIRELESS-LAN] 2.4Ghz channel designations


Find a new consultant.



Brady Ballstadt



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of John Rodkey mailto:rod...@westmont.edu>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Wednesday, August 26, 2020 at 11:13 AM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] 2.4Ghz channel designations



For many years I have consistently used channels 1, 6, and 11 as 
non-overlapping channels wherever 2.4Ghz is 

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Enfield, Chuck]

I’ll also add that identity is what makes a private network private.  Yes, you 
can check identity at connection time then throw it away and still remain 
private, but that’s never been an option for us when designing services with 
our risk, legal and info security departments.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Julian Y Koh
Sent: Thursday, August 06, 2020 10:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

On Aug 6, 2020, at 09:51, Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:

How can we fulfill DMCA requirements when we can’t even identify a device, let 
alone the user?  If you want to remain anonymous, use a different network.

IANAL, and I don’t even play one on TV, but my admittedly old understanding of 
the DMCA is that it’s not necessarily mandating that you have to be able to 
identify every single device on your network.  Indeed, some institutions’ 
responses to DMCA notices has been that they don’t have the necessary 
information to be able to take action.  So IMO, assuming (which is dangerous) 
that I’m correct, that if MAC randomization puts an undue burden and/or large 
obstacles on your ability to track down a device/user and cut it off from the 
network, the DMCA alone shouldn’t be seen as a mandate to try to disable MAC 
randomization.

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
<http://www.it.northwestern.edu/<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.it.northwestern.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705623251=TnloADAw118uF8UF0WBRnfqL0fOJNgfjLMjQMtrTFKw%3D=0>>
PGP Public Key: 
<https://bt.ittns.northwestern.edu/julian/pgppubkey.html<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbt.ittns.northwestern.edu%2Fjulian%2Fpgppubkey.html=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705623251=YGp3QvGhzeuy4IA3ZXzhXNJlUJnQ%2FN%2Fl1Nk5tIQSakg%3D=0>>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705633208=jm59TBi7zaabxgoDYBcnnb6P5feRwtGIEIMnZOaDazM%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Enfield, Chuck]

There are identity requests, and take downs.  Identity requests are frequent 
and come with little to know liability.  Take downs are less frequent, but 
failing to take down protected content makes the service provider liable.  Or 
plan for take downs when we can’t identify a user is to block the device.  If 
we can’t identify either we’ve got a liability problem.  It may not be a large 
risk, but I don’t think our lawyers will like it.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Julian Y Koh
Sent: Thursday, August 06, 2020 10:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

On Aug 6, 2020, at 09:51, Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:

How can we fulfill DMCA requirements when we can’t even identify a device, let 
alone the user?  If you want to remain anonymous, use a different network.

IANAL, and I don’t even play one on TV, but my admittedly old understanding of 
the DMCA is that it’s not necessarily mandating that you have to be able to 
identify every single device on your network.  Indeed, some institutions’ 
responses to DMCA notices has been that they don’t have the necessary 
information to be able to take action.  So IMO, assuming (which is dangerous) 
that I’m correct, that if MAC randomization puts an undue burden and/or large 
obstacles on your ability to track down a device/user and cut it off from the 
network, the DMCA alone shouldn’t be seen as a mandate to try to disable MAC 
randomization.

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
<http://www.it.northwestern.edu/<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.it.northwestern.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705623251=TnloADAw118uF8UF0WBRnfqL0fOJNgfjLMjQMtrTFKw%3D=0>>
PGP Public Key: 
<https://bt.ittns.northwestern.edu/julian/pgppubkey.html<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbt.ittns.northwestern.edu%2Fjulian%2Fpgppubkey.html=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705623251=YGp3QvGhzeuy4IA3ZXzhXNJlUJnQ%2FN%2Fl1Nk5tIQSakg%3D=0>>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705633208=jm59TBi7zaabxgoDYBcnnb6P5feRwtGIEIMnZOaDazM%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Enfield, Chuck]

True, but default behavior matters.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rios, Hector J
Sent: Tuesday, July 14, 2020 1:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Please note that MAC randomization is not just a feature of Android and iOS. It 
is supported across other operating systems.

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Miller
Sent: Tuesday, July 14, 2020 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

For those of us using ClearPass to authenticate users to eduroam, does this 
mean that every iOS device will get registered as a new endpoint every day?  
For others, does your NAC store a client's MAC persistently?  I'm assuming that 
the answer to both is yes.

How can we plan for the impact of that on our databases?  Should we delete all 
iOS and Android devices after 48 hours?  Am I missing something obvious?

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College


On Fri, Jul 10, 2020 at 4:37 PM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
PS – My plan for supporting our guest network will be to tell any user who 
contacts us with an Apple device that the network is fine and they should 
contact Apple for device support.  I can’t get away with that for our 
enterprise network, but Apple is going to own the guest problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 4:34 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

My point wasn’t to debate Passpoint either.  I’m wondering if Apple actually 
has a plan, and if so, if they’ve bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Passpoint is not just about mobile network operators. Any identity provider can 
provision a Passpoint profile. That is the whole drive behind OpenRoaming. The 
industry goal is that every user has at least 2 Passpoint profiles on their 
devices: one tied to their enterprise/school identity and the other tied to a 
personal identity. The traditional enterprise/school onboarding process stays 
largely the same, except some additional Passpoint logic is added.

Mobile network operators / cell providers are only one (optional) piece of the 
puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond 
it being a solution for network access. Don’t want to take away from the OG 
conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:17
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Understood, but few Wi-Fi operators actually support Passpoint on their 
networks.  Since Apple is eliminating the alternatives, they either must be 
idiots (my bet) or have a proposal for what we should all being doing instead.

I still get really confused looks when I try to discuss Passpoint with my 
contacts at the major cellular providers, so it can’t possibly be a realistic 
option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi 
roaming. Passpoint has been supported on iOS and macOS (along with Windows and 
Android) for a number of years.

I definitely don’t follow this comment: “you can’t onboard your Apple to enable 
identity-based auth.”

tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
So you can’t use an Apple MAC address for guest auth, and you can’t onboard 
your Apple to enable identity-based auth.  Apple must be thinking that they ca

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Enfield, Chuck]

Ahh.  I glossed right over the 24-hour part.  That’s much less distressing, but 
I’m going to have a beer anyway.

Thanks Tim.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 5:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

But why would that change anything? A user on campus for a football game is 
there for less than 24 hours. The MAC address changes per ESSID, every 24 
hours. I don’t understand what changes here for that use case?

It really only impacts mid to long term guests. So I guess in your example, 
parents weekend may be the one that is affected. But even then, dropping the 
lease times would solve the problem. I believe many wireless vendors recommend 
a visitor lease time of 1-8 hours.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 17:01
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Tim,
With Covid, any lease time would not be an issue. But how big were your home 
football events / tailgate parties / parent weekends at Brandeis? I’m focusing 
more on the impact of those events on the guest side of things.
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 3:53 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...

Agreed on IPv6, but even for IPv4, I imagine most folks are running short 
leases on a visitor network, so I don’t really think much changes here. If your 
leases are 12 hours or less, there should be no impact.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:51
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Maybe a good use case for IPv6

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 3:49 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...

Uhg.  Didn’t even think about that.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Eric LaCroix
Sent: Friday, July 10, 2020 4:48 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

We’re all going to need to check the TTL on DHCP leases… some of our scopes 
will get eaten alive otherwise.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Floyd, Brad" mailto:bfl...@mail.smu.edu>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 3:42 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Thanks Tim. I just started a conversation with my SE.
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 2:07 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...

For extended visitor use cases (over 1 day), Passpoint is really the only 
feasible solution moving forward. Aruba has a Passpoint offering/service called 
Air Pass and WBA’s OpenRoaming initiative is gaining a lot of support.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 15:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Tim,
Anything in the works from Aruba about how best to deal with ClearPass Guest 
MAC Auth?
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 2:01 PM
To: 

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Enfield, Chuck]

Uhg.  Didn’t even think about that.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Eric LaCroix
Sent: Friday, July 10, 2020 4:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

We’re all going to need to check the TTL on DHCP leases… some of our scopes 
will get eaten alive otherwise.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Floyd, Brad" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, July 10, 2020 at 3:42 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Thanks Tim. I just started a conversation with my SE.
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 2:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...

For extended visitor use cases (over 1 day), Passpoint is really the only 
feasible solution moving forward. Aruba has a Passpoint offering/service called 
Air Pass and WBA’s OpenRoaming initiative is gaining a lot of support.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 15:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Tim,
Anything in the works from Aruba about how best to deal with ClearPass Guest 
MAC Auth?
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 2:01 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...

Connected MAC randomization on iOS will be enabled by default, just like on 
Android (starting in 10).

Two major differences:

  1.  iOS does not expose the randomization knob (to disable it) to end users 
during initial connection. It is available after connection in the saved 
network list
  2.  On Android (version 10 and 11), the MAC is set once per ESSID for the 
lifetime of the OS instance (aka until a factory reset). On iOS 14, the MAC is 
set per ESSID and is changed once every 24 hours.

Note that Android 11 has a developer option to enable a per-connection MAC 
which likely indicates this will enabled by default or exposed to users in 
Android 12.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 14:57
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] MAC Randomization, a step further...
Apple is moving forward with their privacy efforts. The next step is to 
randomize MAC addresses when connecting to an AP, not just when probing. This 
is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/

This is from Apple. Luckily, there is a way to disable private addresses. I 
just don’t know if it will be ON by default.
https://support.apple.com/en-qa/HT211227

Happy Friday!

Hector Rios, Wireless Network Architect
The University of Texas at Austin


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Enfield, Chuck]

That’s not what our guest network is for.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Friskney, Doyle N.
Sent: Friday, July 10, 2020 4:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

This approach will satisfy many IT staff but not many faculty, staff, students.

doyle

Doyle Friskney Ed.D.
Senior Fellow
Kentucky Council on Post Secondary Education
Frankfort, Kentucky&
Adjunct Faculty @ University of Kentucky
College of Communication & Information
859-576-4000


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Enfield, Chuck" mailto:cae...@psu.edu>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 4:37 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

CAUTION: External Sender

PS – My plan for supporting our guest network will be to tell any user who 
contacts us with an Apple device that the network is fine and they should 
contact Apple for device support.  I can’t get away with that for our 
enterprise network, but Apple is going to own the guest problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 4:34 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

My point wasn’t to debate Passpoint either.  I’m wondering if Apple actually 
has a plan, and if so, if they’ve bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Passpoint is not just about mobile network operators. Any identity provider can 
provision a Passpoint profile. That is the whole drive behind OpenRoaming. The 
industry goal is that every user has at least 2 Passpoint profiles on their 
devices: one tied to their enterprise/school identity and the other tied to a 
personal identity. The traditional enterprise/school onboarding process stays 
largely the same, except some additional Passpoint logic is added.

Mobile network operators / cell providers are only one (optional) piece of the 
puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond 
it being a solution for network access. Don’t want to take away from the OG 
conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:17
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Understood, but few Wi-Fi operators actually support Passpoint on their 
networks.  Since Apple is eliminating the alternatives, they either must be 
idiots (my bet) or have a proposal for what we should all being doing instead.

I still get really confused looks when I try to discuss Passpoint with my 
contacts at the major cellular providers, so it can’t possibly be a realistic 
option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi 
roaming. Passpoint has been supported on iOS and macOS (along with Windows and 
Android) for a number of years.

I definitely don’t follow this comment: “you can’t onboard your Apple to enable 
identity-based auth.”

tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
So you can’t use an Apple MAC address for guest auth, and you can’t onboard 
your Apple to enable identity-based auth.  Apple must be thinking that they can 
drag the entire world, kicking and screaming, into federated authentication 
that Apple products ship knowing how to do (Pa

RE: MAC Randomization, a step further...

[Enfield, Chuck]

PS - My plan for supporting our guest network will be to tell any user who 
contacts us with an Apple device that the network is fine and they should 
contact Apple for device support.  I can't get away with that for our 
enterprise network, but Apple is going to own the guest problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

My point wasn't to debate Passpoint either.  I'm wondering if Apple actually 
has a plan, and if so, if they've bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Passpoint is not just about mobile network operators. Any identity provider can 
provision a Passpoint profile. That is the whole drive behind OpenRoaming. The 
industry goal is that every user has at least 2 Passpoint profiles on their 
devices: one tied to their enterprise/school identity and the other tied to a 
personal identity. The traditional enterprise/school onboarding process stays 
largely the same, except some additional Passpoint logic is added.

Mobile network operators / cell providers are only one (optional) piece of the 
puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond 
it being a solution for network access. Don't want to take away from the OG 
conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:17
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Understood, but few Wi-Fi operators actually support Passpoint on their 
networks.  Since Apple is eliminating the alternatives, they either must be 
idiots (my bet) or have a proposal for what we should all being doing instead.

I still get really confused looks when I try to discuss Passpoint with my 
contacts at the major cellular providers, so it can't possibly be a realistic 
option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi 
roaming. Passpoint has been supported on iOS and macOS (along with Windows and 
Android) for a number of years.

I definitely don't follow this comment: "you can't onboard your Apple to enable 
identity-based auth."

tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
So you can't use an Apple MAC address for guest auth, and you can't onboard 
your Apple to enable identity-based auth.  Apple must be thinking that they can 
drag the entire world, kicking and screaming, into federated authentication 
that Apple products ship knowing how to do (Passpoint, openroaming, etc.).  Do 
they have a proposal for this that I missed?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Rios, Hector J
Sent: Friday, July 10, 2020 2:56 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] MAC Randomization, a step further...

Apple is moving forward with their privacy efforts. The next step is to 
randomize MAC addresses when connecting to an AP, not just when probing. This 
is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fglobalreachtech.com%2Fblog-mac-randomisation-apple%2F=02%7C01%7Ccae104%40PSU.EDU%7Ca9284e2c0a794995ac5908d82510a1cc%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637300100654162898=YYg3ta4HdGGQEMjoKx2%2BtnO64a0xadqJDr26LWHwJ7w%3D=0>

This is from Apple. Luckily, there is a way to disable private addresses. I 
just don't know if it will be ON by default.
https://support.apple.com/en-qa/HT211227<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.apple.com%2Fen-qa%2FHT211227=02%7C01%7Ccae104%40PSU.EDU%7Ca9284

RE: MAC Randomization, a step further...

[Enfield, Chuck]

My point wasn't to debate Passpoint either.  I'm wondering if Apple actually 
has a plan, and if so, if they've bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Passpoint is not just about mobile network operators. Any identity provider can 
provision a Passpoint profile. That is the whole drive behind OpenRoaming. The 
industry goal is that every user has at least 2 Passpoint profiles on their 
devices: one tied to their enterprise/school identity and the other tied to a 
personal identity. The traditional enterprise/school onboarding process stays 
largely the same, except some additional Passpoint logic is added.

Mobile network operators / cell providers are only one (optional) piece of the 
puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond 
it being a solution for network access. Don't want to take away from the OG 
conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:17
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Understood, but few Wi-Fi operators actually support Passpoint on their 
networks.  Since Apple is eliminating the alternatives, they either must be 
idiots (my bet) or have a proposal for what we should all being doing instead.

I still get really confused looks when I try to discuss Passpoint with my 
contacts at the major cellular providers, so it can't possibly be a realistic 
option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi 
roaming. Passpoint has been supported on iOS and macOS (along with Windows and 
Android) for a number of years.

I definitely don't follow this comment: "you can't onboard your Apple to enable 
identity-based auth."

tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
So you can't use an Apple MAC address for guest auth, and you can't onboard 
your Apple to enable identity-based auth.  Apple must be thinking that they can 
drag the entire world, kicking and screaming, into federated authentication 
that Apple products ship knowing how to do (Passpoint, openroaming, etc.).  Do 
they have a proposal for this that I missed?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Rios, Hector J
Sent: Friday, July 10, 2020 2:56 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MAC Randomization, a step further...

Apple is moving forward with their privacy efforts. The next step is to 
randomize MAC addresses when connecting to an AP, not just when probing. This 
is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/

This is from Apple. Luckily, there is a way to disable private addresses. I 
just don't know if it will be ON by default.
https://support.apple.com/en-qa/HT211227

Happy Friday!

Hector Rios, Wireless Network Architect
The University of Texas at Austin


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 

RE: MAC Randomization, a step further...

[Enfield, Chuck]

Understood, but few Wi-Fi operators actually support Passpoint on their 
networks.  Since Apple is eliminating the alternatives, they either must be 
idiots (my bet) or have a proposal for what we should all being doing instead.

I still get really confused looks when I try to discuss Passpoint with my 
contacts at the major cellular providers, so it can't possibly be a realistic 
option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi 
roaming. Passpoint has been supported on iOS and macOS (along with Windows and 
Android) for a number of years.

I definitely don't follow this comment: "you can't onboard your Apple to enable 
identity-based auth."

tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:04
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
So you can't use an Apple MAC address for guest auth, and you can't onboard 
your Apple to enable identity-based auth.  Apple must be thinking that they can 
drag the entire world, kicking and screaming, into federated authentication 
that Apple products ship knowing how to do (Passpoint, openroaming, etc.).  Do 
they have a proposal for this that I missed?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Rios, Hector J
Sent: Friday, July 10, 2020 2:56 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MAC Randomization, a step further...

Apple is moving forward with their privacy efforts. The next step is to 
randomize MAC addresses when connecting to an AP, not just when probing. This 
is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/

This is from Apple. Luckily, there is a way to disable private addresses. I 
just don't know if it will be ON by default.
https://support.apple.com/en-qa/HT211227

Happy Friday!

Hector Rios, Wireless Network Architect
The University of Texas at Austin


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste 

RE: MAC Randomization, a step further...

[Enfield, Chuck]

So you can't use an Apple MAC address for guest auth, and you can't onboard 
your Apple to enable identity-based auth.  Apple must be thinking that they can 
drag the entire world, kicking and screaming, into federated authentication 
that Apple products ship knowing how to do (Passpoint, openroaming, etc.).  Do 
they have a proposal for this that I missed?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rios, Hector J
Sent: Friday, July 10, 2020 2:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MAC Randomization, a step further...

Apple is moving forward with their privacy efforts. The next step is to 
randomize MAC addresses when connecting to an AP, not just when probing. This 
is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/

This is from Apple. Luckily, there is a way to disable private addresses. I 
just don't know if it will be ON by default.
https://support.apple.com/en-qa/HT211227

Happy Friday!

Hector Rios, Wireless Network Architect
The University of Texas at Austin


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] ArubaOS 8.5.0.7

[Enfield, Chuck]

I hear 10.2.0.4 should be stable. 

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Adam Forsyth
Sent: Tuesday, March 31, 2020 4:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ArubaOS 8.5.0.7

All I wish for is that one day they'll have a version that they think is stable 
enough to call a conservative release and which supports the AP515 (which they 
started selling more than a year ago.

They have an 8.6.0.3 out as well.  Does anyone know the logic of who should 
want to be using 8.6 code vs 8.5 code.  I guess I didn't know that logic for 
8.4 code either.  We switched to that when we bought some AP515's, and then I 
switched from the 8.4 branch to the 8.5 branch when it seemed like the 
consensus on this list was that lots of people were having trouble with 8.4 and 
were having better luck with 8.5

On Tue, Mar 31, 2020 at 2:17 PM Cesar Fernandez 
mailto:cfernan...@sandiego.edu>> wrote:
Antonio,

Thank you for feedback.  I really hope this version is stable.  The 8.5 code 
has been quite challenging.  Please let us know if you experience any major 
issues.


Cesar Fernandez
Sr. Network Engineer
University of San Diego



On Mon, Mar 30, 2020 at 2:19 PM Antonio Garcia 
mailto:aagar...@scu.edu>> wrote:
We just upgraded to 8.5.0.7 this past Friday so far so good. We also 
experienced two of our MDs crash and we had to take one MD out of the cluster 
due to it being unstable. We had been running 8.5.0.5 without issues, no new MD 
crashes. Aruba stated the crash was due to a corrupt AMON packet. I 
reintroduced the MD that was offline without issues and then upgrade the 
cluster to 8.5.0.7.

On Mon, Mar 30, 2020 at 1:28 PM Steve Fletty 
mailto:fle...@umn.edu>> wrote:
At the University of Minnesota, we're running 8.5.0.5 in production. We have 
8.5.0.7 in our lab. No issues with 8.5.0.7 so far. Been running close to a 
week, but not a lot of users on campus.

On Mon, Mar 30, 2020 at 2:24 PM Cesar Fernandez 
mailto:cfernan...@sandiego.edu>> wrote:

Hi Everyone,

We are an Aruba wireless shop currently running ArubaOS 8.5.0.1 on an 
Active/Standby MM pair with 4 MD controllers.  Ever since we upgraded to the 
8.5 code we've encountered several critical issues requiring upgrades, and 
subsequent downgrades, between various 8.5.0.X versions. We have been on 
8.5.0.1 for the better part of the school year as it has been the most stable 
for our environment.  A couple weeks before the COVID-19 crisis, 3 of our 4 MD 
controllers randomly crashed.  TAC is now recommending that we upgrade to 
8.5.0.7, which was released last week.

Are there any universities on this list that have recently upgraded to 8.5.0.7? 
If so, what has been your experience?

I understand most campuses are only seeing a fraction of the normal wireless 
traffic load as most students are currently not on campus - so any feedback 
would be greatly appreciated.


Cesar Fernandez
Sr. Network Engineer
University of San Diego


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


--
Steve Fletty
Network Engineer
Office of Information Technology (OIT)
University of Minnesota
Phone: 612-625-1048
Email: fle...@umn.edu

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


--
Error! Filename not 

RE: [WIRELESS-LAN] How does your enterprise do your wireless door locks?

[Enfield, Chuck]

I’m not a lock guy, but I was in a meeting where our ASSA reseller said that 
the power-only cabling for the PoE locks is much more reliable than the old 
stuff.  I can’t validate the accuracy of that statement, but our lock guys have 
seen and evaluated it and they seem to have more confidence in it.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Gregory
Sent: Tuesday, March 31, 2020 3:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How does your enterprise do your wireless door 
locks?




For our new residence buildings we are using the PoE version for power and 
communications.

The WiFi service for the residence buildings is provided by a 3rd party so we 
can't control or manage the

RF space or have a secure SSID/Vlan.



The door hinges for PoE are expensive, unreliable and can't be repaired, just 
replaced. A better solution is a

Concealed Electrical Power Transfere (CEPT) that can also house a data cable. 
Lower cost and easier to repair.



The next challenge is the integration of the locks with Lenel (Access Control) 
and StaRez (Residences Management).



Michael Gregory

Network Architect | Infrastructure Services

Simon Fraser University


On 2020-03-31 12:05 p.m., Jim Pampinella wrote:
Have they talked about how they are going to power the Wi-Fi locks? There are 
several options, battery, external low voltage power and PoE. At Syracuse we 
have a mixture of all three with the external low voltage power being the most 
common. PoE has been discussed and in a few places installed, but no one 
(including me) wants to own the cable going through the door and door frame.  
While they have PoE rated hinges they are triple the cost and the support from 
the vendors has been less than desirable.

Jim Pampinella
IT Manager
Network and Wiring Services
T 315.443.5768   M 315.420.2246
japam...@syr.edu
004 Machinery Hall, Syracuse, NY 13244
syracuse.edu
 | 
its.syr.edu/
Syracuse University

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 
On Behalf Of Lee H Badman
Sent: Tuesday, March 31, 2020 2:54 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How does your enterprise do your wireless door 
locks?

Same locks. We started on dedicated 802.1X SSID, then moved them to main SSID 
(is not eduroam here) using VLAN steering to get them into their own private IP 
space. They seem to handle PEAP with MS-CHAPv2 quite nicely. No idea on TLS.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jess Walczak
Sent: Tuesday, March 31, 2020 2:47 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] How does your enterprise do your wireless door locks?

Sending out a question as to how you do your wifi that serves your wireless 
door locks.  Do you have them on your branded wifi/eduroam, their own SSID, or 
a shared IoT or infrastructure SSID?  Is it a hidden SSID?  Do you have them 
using a simple PSK or do you onboard it with a tool like ISE or Clearpass.  Do 
you install a cert?

Our institution has purchased Assa Abloy model IN120 door locks.  We are a 
Cisco shop and we have ISE, so we could easily onboard using their Mac Address 
Bypass device profiling, but that would consume an expensive license, so 
perhaps other folks have done something simpler and found it to work well and 
to be enough security/segmentation.

Thanks!--JW

Jess Walczak
Network Engineer
Innovation & Technology Services
University of St. Thomas | 
stthomas.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and 

RE: [WIRELESS-LAN] How does your enterprise do your wireless door locks?

[Enfield, Chuck]

Was use a separate hidden 1x SSID.  Auth is the same as for our main SSID and 
the username is used to put the client in either the lock role or the deny all 
role. We could do something similar on our MAIN SSID, but I try to avoid 
multiple VLANs on an SSID in anticipations of maybe someday dual-stacking.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jess Walczak
Sent: Tuesday, March 31, 2020 2:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] How does your enterprise do your wireless door locks?

Sending out a question as to how you do your wifi that serves your wireless 
door locks.  Do you have them on your branded wifi/eduroam, their own SSID, or 
a shared IoT or infrastructure SSID?  Is it a hidden SSID?  Do you have them 
using a simple PSK or do you onboard it with a tool like ISE or Clearpass.  Do 
you install a cert?

Our institution has purchased Assa Abloy model IN120 door locks.  We are a 
Cisco shop and we have ISE, so we could easily onboard using their Mac Address 
Bypass device profiling, but that would consume an expensive license, so 
perhaps other folks have done something simpler and found it to work well and 
to be enough security/segmentation.

Thanks!--JW

Jess Walczak
Network Engineer
Innovation & Technology Services
University of St. Thomas | 
stthomas.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] ArubaOS 8.5.0.7

[Enfield, Chuck]

We’re considering 8.5.0.7 for some minor bug fixes, but we’ve been on 8.5.0.6 
for about 6 weeks and have no major problems.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Cesar Fernandez
Sent: Monday, March 30, 2020 3:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ArubaOS 8.5.0.7


Hi Everyone,

We are an Aruba wireless shop currently running ArubaOS 8.5.0.1 on an 
Active/Standby MM pair with 4 MD controllers.  Ever since we upgraded to the 
8.5 code we've encountered several critical issues requiring upgrades, and 
subsequent downgrades, between various 8.5.0.X versions. We have been on 
8.5.0.1 for the better part of the school year as it has been the most stable 
for our environment.  A couple weeks before the COVID-19 crisis, 3 of our 4 MD 
controllers randomly crashed.  TAC is now recommending that we upgrade to 
8.5.0.7, which was released last week.

Are there any universities on this list that have recently upgraded to 8.5.0.7? 
If so, what has been your experience?

I understand most campuses are only seeing a fraction of the normal wireless 
traffic load as most students are currently not on campus - so any feedback 
would be greatly appreciated.


Cesar Fernandez
Sr. Network Engineer
University of San Diego


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Requesting arena Wi-Fi feedback

[Enfield, Chuck]

File this under every cloud has a silver lining, but our basketball team is 
doing well for the first time since 2011 and there's been many more events than 
usual over 5K attendance.  I haven't be involved in any conversations about 
this, but I suspect the decision to cut corners is getting second guessed by 
somebody.

From: Allen Toms 
Sent: Thursday, March 5, 2020 8:39 AM
To: Enfield, Chuck ; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Requesting arena Wi-Fi feedback

Good morning, Chuck
   I find it very interesting that the installation was optimized for much less 
than full capacity. With your scenario, that's smart! Good guidance on the AP 
placement. We have a full bowl catwalk, so likely mounting points for the bowl 
APs. Nobody likes the monthly charge, but I can certainly see the wisdom of 
off-loading the labor and liability for managing the separate network. I had 
never considered the network implications of pre-determined contracts with 
entertainers.

Thank you so much for sharing the details of your installation.


[LSU]<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.lsu.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7C475987f3d0324ef8cfb508d7c10aa226%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637190123725485816=PKyz165vLcY4RzPcQyEXEZkfH%2FrcNuICYgmGdhxEkvg%3D=0>

Allen Toms
Wireless Network Manager
Information Technology Services
Louisiana State University
200 Frey Computing Services , Baton Rouge, LA  70803
office 225-578-3763
alt...@lsu.edu<mailto:alt...@lsu.edu> | 
lsu.edu<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.lsu.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7C475987f3d0324ef8cfb508d7c10aa226%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637190123725495815=iuadg4Yo7crwr7F1eWa2cWlhdUaEaZ02a8N%2BsrIgA4Y%3D=0>


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Enfield, Chuck mailto:cae...@psu.edu>>
Sent: Thursday, March 5, 2020 6:14 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Requesting arena Wi-Fi feedback


The people who run our 16,000 seat arena contract with AT for the Wi-Fi 
there.  I was engaged in the requirements development, contract negotiations, 
and some of the implementation planning.  I've also been involved periodically 
with troubleshooting.  I have a decent idea what's going on there, but I'm not 
necessarily privy to daily operational challenges.  Here's my brain dump, but 
I'm warning you - it's not much of a brain.



--Rough cost of installation?  Is there an ongoing cost to the arena Wi-Fi 
provider? How much/month/year?

Our Arena seat up to 16,000, but only one or two events a year get close to 
that attendance.  80% of the vents are 5000 or less, so we save some money by 
designing for that capacity with the understanding that Wi-Fi would perform 
poorly for larger events.  AT actually overdesigned slightly, so the network 
is acceptable for events up to 6000-7000, depending on the floorplan.  Three 
years ago the proposal for the full monte was about $1.3M OT and $5K monthly.



--Description of the implementation (number and type of AP's, controllers, 
cabling, mounting points, etc.)

Unfortunately, I didn't retain a copy of the proposal, but the current 
implementation and full preproposal was mostly overhead APs in "the bowl"  If 
your arena is similar to ours, there will also be a of APs at the gates (both 
inside and out), in the concourses, and back of house, so don't overlook those 
areas.



--How do customers connect to the arena Wi-Fi?

Captive Portal



--Do customers have to download an app on their device?

We declined a custom app, but when considering it we never discussed making it 
required - it would have been an option for an improved fan experience.



--Is there a service fee to the customer for any of the services provided? For 
season ticket holders?

No.



--What degree of security (no authentication, splash page requesting what info, 
etc.)?

By connecting users agree to T's.  Liability for network use is AT's rather 
than ours.



--Separate network or integrated into campus network?

Separate



--How is the arena Wi-Fi traffic drained to the internet?

We have a dedicated ISP circuit from AT  We could have used our internet 
access to reduce the operating cost, but there were reasons not to at the time. 
 A separate ISP connection from AT costs significantly more than most of us 
pay for our internet bandwidth.  AT's solution only uses the ISP to get 
traffic from the arena to an AT POP where it gets NAT'd onto AT addresses, 
so there's almost no risk in using your IPs for this network.



--What value-added services are being utilized from the arena Wi-Fi solution?

None



--Did extra personnel need to be hir

RE: Requesting arena Wi-Fi feedback

[Enfield, Chuck]

The people who run our 16,000 seat arena contract with AT for the Wi-Fi 
there.  I was engaged in the requirements development, contract negotiations, 
and some of the implementation planning.  I've also been involved periodically 
with troubleshooting.  I have a decent idea what's going on there, but I'm not 
necessarily privy to daily operational challenges.  Here's my brain dump, but 
I'm warning you - it's not much of a brain.


--Rough cost of installation?  Is there an ongoing cost to the arena Wi-Fi 
provider? How much/month/year?

Our Arena seat up to 16,000, but only one or two events a year get close to 
that attendance.  80% of the vents are 5000 or less, so we save some money by 
designing for that capacity with the understanding that Wi-Fi would perform 
poorly for larger events.  AT actually overdesigned slightly, so the network 
is acceptable for events up to 6000-7000, depending on the floorplan.  Three 
years ago the proposal for the full monte was about $1.3M OT and $5K monthly.



--Description of the implementation (number and type of AP's, controllers, 
cabling, mounting points, etc.)

Unfortunately, I didn't retain a copy of the proposal, but the current 
implementation and full preproposal was mostly overhead APs in "the bowl"  If 
your arena is similar to ours, there will also be a of APs at the gates (both 
inside and out), in the concourses, and back of house, so don't overlook those 
areas.



--How do customers connect to the arena Wi-Fi?

Captive Portal



--Do customers have to download an app on their device?

We declined a custom app, but when considering it we never discussed making it 
required - it would have been an option for an improved fan experience.



--Is there a service fee to the customer for any of the services provided? For 
season ticket holders?

No.



--What degree of security (no authentication, splash page requesting what info, 
etc.)?

By connecting users agree to T's.  Liability for network use is AT's rather 
than ours.



--Separate network or integrated into campus network?

Separate



--How is the arena Wi-Fi traffic drained to the internet?

We have a dedicated ISP circuit from AT  We could have used our internet 
access to reduce the operating cost, but there were reasons not to at the time. 
 A separate ISP connection from AT costs significantly more than most of us 
pay for our internet bandwidth.  AT's solution only uses the ISP to get 
traffic from the arena to an AT POP where it gets NAT'd onto AT addresses, 
so there's almost no risk in using your IPs for this network.



--What value-added services are being utilized from the arena Wi-Fi solution?

None



--Did extra personnel need to be hired on to manage the solution?

Because we outsourced, No.  There is a significant effort involved with 
managing this network.  Testing an tuning the RF, changing AP settings for 
different sized event and floorplans in the bowl, customizing settings 
back-of-house to meet the contractual requirements of the talent, coordinating 
RF with wireless controls in the arena and event-specific wireless equipment 
brought in by the talent, etc.  Almost every event gets an adjustment of some 
mind.  Most of them are the same type of thing over and over again, but it will 
take some time to do right.  Keep in mind that the talent will sometimes have 
riders in the contract that include network requirements.  You won't be 
consulted about these.  The contracts will get signed and you'll have to 
fulfill the requirements.



--Have you seen a notable change in customer feedback after the implementation?

Yes.  Except for the events we know are too large for the network we deployed, 
feedback has been positive.



--What elements of the installation went well, what did not?

Our arena is heavily used year-round, so finding time to do the installation 
was challenging.  They scheduled a two-week shut-down for a variety of work in 
the venue, during which most of the Wi-Fi installation work was completed.  
Unfortunately, it couldn't be entirely finished that quickly, so the remain 
work dragged out month with intermittent activity as the venue's schedule 
allowed.

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Xbox One and WPA3

[Enfield, Chuck]

I’m not saying this is what you have, but around October we started getting 
XboxOne issues.  If you run the network test on the console you get an error 
forming the Teredo tunnel.  Neither a soft nor hard reset of the console fixes 
it, but switching networks seems to.  In our case we have the user connect to 
guest, then move back to the IoT SSID, and that seems to fix it.

FWIW, this seems to correlate with an update of Call of Duty Modern Warfare and 
there’s chat in the forums about that update having the same effect on home 
networks.

I can’t provide much more precise detail because I didn’t work on it myself.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mallon, Jason
Sent: Wednesday, March 4, 2020 10:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Xbox One and WPA3

Hey everybody,
We are currently testing WPA3 in a couple of our dorms and academic buildings 
using 8.10.112 on the Cisco 8540 controller.  We started hitting bugs with the 
1815w on 8.5.140 and were encouraged to upgrade to 8.8 or 8.10 per TAC.  
Through discussions with our SE we found that 8.10 is going to be the long live 
release and decided to go that path.  We tested what we could in the office, 
and there were no issues with this.  We have been running this code since last 
year without any issues.  At some point after the semester started we started 
getting tickets for Xbox One that are on the 8.10 code level.  I know the SSID 
is functioning properly because of all the other devices that are connected 
including PS4s.  All of the Xbox owners that have complained have given the 
same error message.  Just curious if anybody else is seeing this issue.

“your security protocol will not work xbox one "Your console supports WPA/WPA2 
(personal), WPA2 (personal), and WEP network security protocols, but your 
router is using something else. You'll need to change your routers 
configuration.""

Thanks,
Jason Mallon | Network Engineer III
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/90F25235.tmp]
OIT
The University of Alabama
jemal...@ua.edu
[/var/folders/h2/r448cc4j4_v70yns10brx6r0gq/T/com.microsoft.Outlook/Content.MSO/8434B70B.tmp]

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz spectrum

[Enfield, Chuck]

I'm inclined to agree with you, Hunter - so you're probably wrong. :-)

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hunter Fuller
Sent: Wednesday, January 29, 2020 2:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
spectrum

Chuck, that all makes sense, but I don't think the earlier quote would
bother the FCC. I'm talking about this one that David provided:

"Personal wireless access points, network switches, and routers are
not permitted on campus as they can interfere with the functioning of
the campus network."

This seems pretty enforceable, and it clearly doesn't have to do with
unlicensed spectrum, because network switches and wired routers are
prohibited by this quote, even though they don't have anything to do
with Wi-Fi.

It seems Draconian to me, but it also seems safe to enforce, for
Universities that have passed such a policy. But as some have
mentioned, this is the WIRELESS-LAN list, rather than the LAWYER list,
so of course I'm just speculating.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Jan 29, 2020 at 12:53 PM Enfield, Chuck  wrote:
>
> The difference between Mi-Fi and sandwiches is that there's no Federal 
> Sandwich Commission claiming exclusive authority to regulate sandwiches.  Our 
> institutions are free to pass policies consistent with the law, but it's 
> clear from this thread that we don’t know precisely what the law allows in 
> this case.
>
>
>
> Here's the relevant excerpt from Penn State’s policy manual:
>
>
>
> The University also reserves the right to control and/or manage use of the 
> frequency spectrum within the boundaries of all University locations. 
> Individuals of the University are required to report transmitting devices and 
> their characteristics to University officials, if so requested. The 
> University reserves the right to require those units or individuals found to 
> have such devices that interfere or are suspected to interfere with operation 
> of centrally managed University systems, to discontinue use of such devices, 
> and, if necessary, to remove them from University property.
>
>
>
> I have concerns about this policy that would keep me from trying to enforce 
> it:
>
>
>
> The University must manage the spectrum assigned to it, but I'm pretty sure 
> the FCC controls the spectrum and that the unlicensed spectrum isn’t ours to 
> manage.
> Who are these university officials that can request reporting?  I have no 
> reason to think I or my staff are among them, but perhaps we are.
> I suspect the University can ban categories of devices from campus as it sees 
> fit, including RF transmitters.  If instead of making this about spectrum we 
> just banned RF transmitters of any kind, or even specific kinds, we could 
> probably get away with it.  But we’re on much shakier ground if we allow such 
> devices and choose to selectively prohibit them based on what we deem to be 
> adverse effects on the spectrum associated with their legal use.  That’s a 
> backhanded way of controlling the unlicensed spectrum and I don’t think the 
> FCC will like it.
>
>
>
> Nevertheless, if concern #2 was addressed I’d be willing to attempt 
> enforcement.  Our Office of General Counsel is responsible for making sure 
> our policies are legal – not me.
>
>
>
> Chuck Enfield
>
> Manager, Wireless & Cellular
>
> Penn State IT
>
> 119L USB2, UP, PA 16802
>
> Office: 814.863.8715
>
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Hunter Fuller
> Sent: Wednesday, January 29, 2020 12:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
> spectrum
>
>
>
> I'm not sure everyone is really speaking the same language here.
>
>
>
> If my University passed a policy that said students can't have sandwiches on 
> campus, that would be enforceable and they could even be subject to 
> disciplinary committee if they brought a sandwich to campus.
>
>
>
> If you replace a sandwich with a Mi-Fi device, I'm not sure how that's any 
> different.
>
>
>
> That being said, we do not have such a policy - just one forbidding them from 
> connecting their routers and such to our network. That's fine for us, and we 
> just try to educate people - 90% of the time it works every time.
>
>
>
> --
>
> Hunter Fuller
>
> Router Jockey
>
> VBH Annex B-5
>
> +1 256 824 5331
>
>
>
> Offi

RE: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz spectrum

[Enfield, Chuck]

The difference between Mi-Fi and sandwiches is that there's no Federal Sandwich 
Commission claiming exclusive authority to regulate sandwiches.  Our 
institutions are free to pass policies consistent with the law, but it's clear 
from this thread that we don’t know precisely what the law allows in this case.



Here's the relevant excerpt from Penn State’s policy manual:



The University also reserves the right to control and/or manage use of the 
frequency spectrum within the boundaries of all University locations. 
Individuals of the University are required to report transmitting devices and 
their characteristics to University officials, if so requested. The University 
reserves the right to require those units or individuals found to have such 
devices that interfere or are suspected to interfere with operation of 
centrally managed University systems, to discontinue use of such devices, and, 
if necessary, to remove them from University property.



I have concerns about this policy that would keep me from trying to enforce it:



  1.  The University must manage the spectrum assigned to it, but I'm pretty 
sure the FCC controls the spectrum and that the unlicensed spectrum isn’t ours 
to manage.
  2.  Who are these university officials that can request reporting?  I have no 
reason to think I or my staff are among them, but perhaps we are.
  3.  I suspect the University can ban categories of devices from campus as it 
sees fit, including RF transmitters.  If instead of making this about spectrum 
we just banned RF transmitters of any kind, or even specific kinds, we could 
probably get away with it.  But we’re on much shakier ground if we allow such 
devices and choose to selectively prohibit them based on what we deem to be 
adverse effects on the spectrum associated with their legal use.  That’s a 
backhanded way of controlling the unlicensed spectrum and I don’t think the FCC 
will like it.



Nevertheless, if concern #2 was addressed I’d be willing to attempt 
enforcement.  Our Office of General Counsel is responsible for making sure our 
policies are legal – not me.

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
119L USB2, UP, PA 16802
Office: 814.863.8715


-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hunter Fuller
Sent: Wednesday, January 29, 2020 12:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
spectrum



I'm not sure everyone is really speaking the same language here.



If my University passed a policy that said students can't have sandwiches on 
campus, that would be enforceable and they could even be subject to 
disciplinary committee if they brought a sandwich to campus.



If you replace a sandwich with a Mi-Fi device, I'm not sure how that's any 
different.



That being said, we do not have such a policy - just one forbidding them from 
connecting their routers and such to our network. That's fine for us, and we 
just try to educate people - 90% of the time it works every time.



--

Hunter Fuller

Router Jockey

VBH Annex B-5

+1 256 824 5331



Office of Information Technology

The University of Alabama in Huntsville

Network Engineering



On Wed, Jan 29, 2020 at 9:52 AM Jake Snyder 
mailto:jsnyde...@gmail.com>> wrote:

>

> Unfortunately, aside from talking to the person there isn’t much you can do.  
> The person in question isn’t “jamming,” they are using spectrum and 
> completely entitled to do so.

>

> Simplistically, you can prevent devices the university owns from connecting 
> to it. Beyond that, you venture into the grey area.

>

> Best course is to go talk to the person, educate them, and hope they are 
> reasonable. realistically, you cause as much impact to them as they do to you.

>

> Sent from my iPhone

>

> On Jan 29, 2020, at 8:22 AM, Dom Colangelo 
> mailto:dcolang...@omadatechnologies.com>> 
> wrote:

>

> 

>

> I came across this 2015 article on the Marriot penalty and subsequent FCC 
> public notice – there’s a lot of grey area as it relates with higher 
> education, and it seems many are forming their own interpretations.

>

>

>

> --

> ---

>

> 

> Dom Colangelo

>

> Systems Engineer

>

> Omada Technologies

>

> Cell: (617)-446-3945

>

> dcolang...@omadatechnologies.com

>

>

>

>

>

> From: The EDUCAUSE Wireless Issues Community Group Listserv

> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  On Behalf Of Michael Holden

> Sent: Wednesday, January 29, 2020 10:07 AM

> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming'

> 2.4GHz spectrum

>

>

>

> Aruba gives the following warning when doing containment / deauth

>

>

>

> The Federal Communications 

RE: rules for mis-behaving wireless clients

[Enfield, Chuck]

We're an Aruba shop.  We "blacklist" client devices that fail three consecutive 
auths for a period of 15 seconds.  The thinking is that if you fail three times 
you need to do "something" to fix it and that something will take longer than 
15 seconds.  We think this approach is transparent to the user.  It doesn't 
eliminate all the bad traffic, but when you consider that a client with a saved 
bad credential can fail authentication between three and ten times a second you 
can see that it significantly reduces it.

We used to blacklist for 60 seconds.  Our reasoning was the same, but what we 
figured out was that some users fixed their problem in less than 60 seconds and 
were still blacklisted when they tried again.  This led them to believe, 
falsely, that their fix didn't work.  We've seen no adverse consequences to the 
15 second blacklist since making that change.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hales, David
Sent: Wednesday, November 20, 2019 12:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] rules for mis-behaving wireless clients

Our wireless authentication system came with a default that would lock out 
clients that failed 10 authentication attempts in a row for an hour.  It caused 
some pretty heavy helpdesk hate.  If the lockout doesn't come with some way of 
notifying the user that they're locked out and how long the lockout lasts, I'd 
recommend keeping the lockout time fairly short.  We moved ours to 10 minutes 
and it doesn't cause very much trouble for us now.  Making sure the 1st line of 
support (helpdesk) knows how it works is critical to easing aggravation levels 
from customers.

David Hales
Network Systems Administrator
Information Technology Services
1010 N. Peachtree
Clement Hall 117
Cookeville, TN 38505
P 931-372-3983
F 931-372-6130
E dha...@tntech.edu
www.tntech.edu/its
[Tennessee Tech 
Logo]
[TTU Facebook] 

 [TTU Twitter]  

 [TTU Instagram]  

 [TTU Youtube]  

 [TTU Pintrest] 


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Joseph M. Karam
Sent: Wednesday, November 20, 2019 11:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] rules for mis-behaving wireless clients


External Email Warning

This email originated from outside the university. Please use caution when 
opening attachments, clicking links, or responding to requests.


Hello Everyone,

Are there any general recommendations/best practices on rules for misconfigured 
wireless devices for connecting to your wireless infrastructure?  For example, 
we have many mis-configured eduroam clients that are just continually sending 
authentication requests.We would like to define a rule in our wireless 
infrastructure that says something like, "if the device failed authentication 
20 times in 1 minute, do not allow it to authenticate again for 10 minutes".
 Has anyone had good or bad experiences with defining these types of policies?

Thank you,

Joe

RE: Wi-Fi in the Elevator Car

[Enfield, Chuck]

I don't have any experience with it, but cat-6 traveling cables are available 
so it's possible to put an AP in the car.  I wouldn't anticipate anything but 
the usual Wi-Fi problems if you put the AP in the car.

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Curtis K. Larsen
Sent: Tuesday, November 5, 2019 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wi-Fi in the Elevator Car

Hello,

Has anyone designed Wi-Fi specifically to work in the elevator car itself?  
Willing to share your experience?

Thanks,

--
Curtis K. Larsen
Senior Wi-Fi Network Engineer
University of Utah Network Services
CWNA, CWDP, CWSP, CWAP
Office 801-587-1313


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=02%7C01%7Ccae104%40PSU.EDU%7Ca06607d7f25a40a4d34808d762201bed%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C1%7C637085762367187214sdata=7kadPi1X2naPIRv%2FeUUzc8UXU3%2F5AmzDwcf8i5dn91M%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

[Enfield, Chuck]

My main reason for worrying about people broadcasting our SSIDs is usability.

The $64 question for security is whether or not the Aruba IDS would detect a 
well-executed evil twin attack.  If the twin uses not just your ESSID but a 
valid BSSID from one of your APs in an area where the “spoofed” AP can’t detect 
it, would the IDS figure it out?  If so, then there may be some value in 
enabling automatic mitigation.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 12:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

Thank you for the response.

Thomas,
I'm definitely going to share the FCC announcement with my management and 
security officer to ensure that they are aware of this. That being said, we are 
not trying to prevent anyone from using a hotspot, but like Chuck mentioned are 
trying to protect our users from connecting to counterfeit "well-known" campus 
SSIDs. My thought is to only add "well-known" SSIDs in our list of protected 
networks.

Chuck,
Airwave can be an option for alerting, but as you said, it needs manual 
intervention. If our security officer decides to go against implementing this, 
my next suggestion would be using Airwave for manual intervention. Something 
else I can think of is the polling intervals duration and immediacy of action. 
If there is a malicious individual trying to broadcast a known-network, 
wouldn't we want to have immediate action to be taken, rather than having to 
wait for the airwave polling interval, receive an email notification, turn 
around and maybe have some kind of text alert to immediately alert us to take 
action? Thoughts?

Regards,
Sid

On Mon, Oct 28, 2019 at 12:08 PM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
Most of the time if somebody is using one of your well-known SSID’s on campus 
it’s either out of ignorance or benign experimentation.  Rouge mitigation of 
those devices is unlikely to attract the attention of the FCC, and even if it 
does, I doubt you’ll get in any trouble for it.  The FCC has cracked down on 
property owners acting like they own the spectrum within their facilities.  I 
suspect an effort to protect users from what may reasonably be characterized as 
“counterfeit” networks would be viewed in a different light.  They may still 
tell you to knock it off, but penalties seem really unlikely.

On the other hand, have you considered an Airwave alert to bring these device 
to your attention and mitigating by manual intervention?  If your institution 
is anything like ours you’ll see very few of these.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Thomas Carter
Sent: Monday, October 28, 2019 11:53 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

The short answer is don’t do this. The longer answer is the FCC frowns on rogue 
mitigation:
https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-75-for-disabling-conference-hotspots/<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnakedsecurity.sophos.com%2F2015%2F08%2F19%2Ffcc-fines-company-75-for-disabling-conference-hotspots%2F=02%7C01%7Ccae104%40PSU.EDU%7C4b37afea33a44d07033308d75bc7b030%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637078785539367454=YsBhtcqVWA9GD6aFnYun6U3xXmLKXiKv6FcNeW2cxjU%3D=0>
Look at the notice from the FCC down about ½ the page.


Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.austincollege.edu%2F=02%7C01%7Ccae104%40PSU.EDU%7C4b37afea33a44d07033308d75bc7b030%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637078785539377449=cHC14Zo%2BU96LwtnPeQ576WtRUGOIDPx7yawwtNOd8ro%3D=0>

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 10:34 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

All,

We have been asked to look into rogue WAP detection and mitigation. We are an 
Aruba shop for wireless and are running v6.5.4.12. After doing some research 
and looking at Airheads posts, it lead to me a configuration called "Protect 
SSID" in the IDS profile. Though I have successfully tested this in a lab 
environment and it seems to be "protecting" valid SSID's (ones that I have 
configured), I am a little apprehensive about simply turning this on due to the 
ramifications that it might cause.

I am wondering if anyone here has used this setting to help with mitigating 
rogu

RE: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

[Enfield, Chuck]

Most of the time if somebody is using one of your well-known SSID’s on campus 
it’s either out of ignorance or benign experimentation.  Rouge mitigation of 
those devices is unlikely to attract the attention of the FCC, and even if it 
does, I doubt you’ll get in any trouble for it.  The FCC has cracked down on 
property owners acting like they own the spectrum within their facilities.  I 
suspect an effort to protect users from what may reasonably be characterized as 
“counterfeit” networks would be viewed in a different light.  They may still 
tell you to knock it off, but penalties seem really unlikely.

On the other hand, have you considered an Airwave alert to bring these device 
to your attention and mitigating by manual intervention?  If your institution 
is anything like ours you’ll see very few of these.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Thomas Carter
Sent: Monday, October 28, 2019 11:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

The short answer is don’t do this. The longer answer is the FCC frowns on rogue 
mitigation:
https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-75-for-disabling-conference-hotspots/
Look at the notice from the FCC down about ½ the page.


Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

All,

We have been asked to look into rogue WAP detection and mitigation. We are an 
Aruba shop for wireless and are running v6.5.4.12. After doing some research 
and looking at Airheads posts, it lead to me a configuration called "Protect 
SSID" in the IDS profile. Though I have successfully tested this in a lab 
environment and it seems to be "protecting" valid SSID's (ones that I have 
configured), I am a little apprehensive about simply turning this on due to the 
ramifications that it might cause.

I am wondering if anyone here has used this setting to help with mitigating 
rogue SSID broadcasts and protecting your clients connecting to these rogue 
WAPs. I would also love to hear about any pitfalls with turning this on, and 
any other gotchas that I might need to keep in mind other suggestions about 
rogue WAP detection and mitigation, I would love to hear them. Please feel free 
to reach me off this list if you wish.

Please let me know if any additional information is needed on my end. Thank you 
for your time.

Regards,
Sid

--
[Image removed by sender. Denison University 
Logo]

Sidharth S. Nandury
Network Engineer
Information Technology Services

100 West College Street, Granville, OH 
43023
 | Fellows 
003C
Office: 740-587-5533 | Mobile: 516-314-4413

RE: Wi-Fi Design Consulting

[Enfield, Chuck]

Yes. 

Routine demand is pretty low, but we have 5000+ at a few events each year.  The 
aesthetic concerns are relaxed for temporary APs, so the best solution may be a 
mix of permanent APs for coverage and temporary APs for capacity.  We’re 
keeping an open mind.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Bryan Ward
Sent: Wednesday, October 9, 2019 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Design Consulting

Permanent or Temporary?

--
Bryan Ward
Network Engineer
Dartmouth College Network Services
603-646-2245
bryan.w...@dartmouth.edu<mailto:bryan.w...@dartmouth.edu>

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Wednesday, October 9, 2019 2:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wi-Fi Design Consulting

Hi Folks,

We’re interested in providing Wi-Fi coverage for large events on the mall in 
front of our main administrative building.  The campus architects are concerned 
about aesthetics and are looking to hire design firms who can address the total 
system design, including Wi-Fi coverage, radio stealthing, power distribution, 
and network backhaul.  Can anybody recommend any firms that can handle that 
full scope of work?

Any vendors who can provide references from similar jobs should feel free to 
contact me off-list.

Thanks,

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
119L USB2, UP, PA 16802
Office: 814.863.8715

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Ccae104%40PSU.EDU%7Ca5abf2a322f449714dd708d74ceb7af0%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637062446585125127=OPpJ4IjvT2D%2FV5iN1112X6w1q3I08vXJyTNfCX6qmbg%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Ccae104%40PSU.EDU%7Ca5abf2a322f449714dd708d74ceb7af0%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637062446585135114=%2BeOKN9jFcP6cy%2F1yUwqkUxmHFh%2BK%2BtymuryVmQBIg04%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Wi-Fi Design Consulting

[Enfield, Chuck]

Hi Folks,

We’re interested in providing Wi-Fi coverage for large events on the mall in 
front of our main administrative building.  The campus architects are concerned 
about aesthetics and are looking to hire design firms who can address the total 
system design, including Wi-Fi coverage, radio stealthing, power distribution, 
and network backhaul.  Can anybody recommend any firms that can handle that 
full scope of work?

Any vendors who can provide references from similar jobs should feel free to 
contact me off-list.

Thanks,

Chuck Enfield
Manager, Wireless & Cellular
Penn State IT
119L USB2, UP, PA 16802
Office: 814.863.8715

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Feasibility of an open SSID for student use

[Enfield, Chuck]

The problem with out of band notifications is that you don’t know who is on an 
unauthenticated network.  Certainly it’s more than just students.

I’m not suggesting you should change to captive portal.  While the statute is 
reasonably clear on how to qualify for the protections, it’s unclear how much 
risk is assumed by operating without those protections.  As long as you made an 
informed choice, I won’t argue with you.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Coehoorn, Joel
Sent: Friday, September 13, 2019 9:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

We also run a completely open SSID. There is a captive portal, but it's at the 
gateway rather than the wireless controller, so the same mechanism can also 
handle wired connections, and it's only used for enforcement. New visitors can 
get on the network without seeing the captive page.

>  to get the protections afforded to ISP’s under DMCA we need to inform users 
> that they’re not allowed to share copyrighted materials and that their 
> connection will be blocked if they do.

We handle the notification out-of-band for our students.  We have to notify 
them; we don't necessarily have to use a captive portal to do it right at 
connection time. The information is included with the account activation for 
new students, repeated during orientation, repeated again via e-mail near the 
start of each term, repeated again on the gateway capture page for early 
offenses, and included in the student handbook.

If it were to come to the point of a block, we can give specific devices a 
capture page with no way to click through. But our policy also includes this 
text:

Internet access today is more than a simple privilege, but is now necessary for 
continued successful progress in academic pursuits. Student actions which 
require the Department of Information Technology and the Office of Student 
Development to conclude it is no longer appropriate to allow a student to 
continue using the campus network may therefore result in dismissal of the 
student

[Image removed by sender.]

Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu<mailto:jcoeho...@york.edu>
Please contact helpd...@york.edu<mailto:helpd...@york.edu> for technical 
assistance.

The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society


On Fri, Sep 13, 2019 at 7:42 AM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
“We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed.”

I’m jealous Felix.  I made a strong push for this approach, but General Counsel 
stopped it.  FWIW, I think they got it right, but life would be easier and 
users would be happier your way.

Their rationale is that to get the protections afforded to ISP’s under DMCA we 
need to inform users that they’re not allowed to share copyrighted materials 
and that their connection will be blocked if they do.  For account holders we 
make them agree to these terms and more when they activate their account.  But 
if the network doesn’t require an account this notification seems to demand a 
captive portal.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Felix Windt
Sent: Friday, September 13, 2019 8:26 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’d pay a fair price for an easily administered solution that lets us roll out 
PPSK in the dorms and deploy broadcast/multicast domains scoped to specific 
users.

We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed. That SSID bridges through to VLANs in a DMZ, and 
its only real restriction is that it can only reach proper public IP addresses 
on campus, plus 2-3 applications on private IPs that are specifically 
permitted. That’s enforced on the firewalls between campus and the DMZ.
We do see quite a lot of students on that SSID permanently. As a huge amount of 
our student applications are either cloud hosted or available on the public 
Internet, that works just fine for them. We’d prefer them on eduroam, but user 
experience trumps our preferences. The only real problem are devices such as 
Sonos sound bars, Google appliances, and other devices that will only support 
PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll 
care about where devices are. At that point it seems not just more u

RE: Feasibility of an open SSID for student use

[Enfield, Chuck]

Hi William.

“Most need no instructions and figure it out on their own,” may not be the 
virtue you think it is.  How many of these users figuring it out on their own 
are validating your RADIUS server certs?  Self-configuration invites MiM 
attacks that can harvest account credentials.  It’s precisely the security 
weakness of 1x I cautioned about earlier.

Furthermore, providing an onboarding option that configures the devices 
correctly doesn’t prevent users from self-configuring.  A good on-boarding 
solution will be widely used and will reduce the overall risk, but it doesn’t 
eliminate the problem.  TLS is the only EAP type that doesn’t have this 
weakness.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Green, William C
Sent: Thursday, September 12, 2019 7:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

We’ve found its easier for our community to onboard to our 802.1x SSID with the 
native supplicant of the device, rather than download and run an installer (are 
dropping the installer).  Most need no instructions and figure it out on their 
own.

While we offer an iPSK SSID, it is not as easy— person must go to web site to 
enroll a MAC address and get a key.  Predominantly in the residence halls so 
far (TVs, speakers, printers, game consoles, etc).  Also a smattering of 
devices that don’t support 802.1x (making our researchers happy).  I’m waiting 
to hear how iPSK has improved battery life for IOT projects.


William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu
 | 
gr...@austin.utexas.edu

[https://bowtie.mailbutler.io/tracking/hit/86e1e4b1-b7df-4ccf-a04b-7e44956f1dac/00a68dc9-0807-49d1-8b76-8f1103242cae/t.gif]

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Feasibility of an open SSID for student use

[Enfield, Chuck]

Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Thursday, September 12, 2019 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike 
any other wireless experience an individual will encounter in their life i.e. 
any other wifi-enabled location/venue.
With the growing trend of EDUs moving to SaaS and other Cloud solutions, 
wireless will be nothing but a gateway to those external services. When it’s 
easier to consume those services via one’s own unlimited-data cellular 
connection, or go to Starbucks, it may be time for us (EDU’s) to reevaluate our 
approach.

Besides a purely open network, the next-best (same?) experience to home would 
be something like PPSK or for the Cisco folks IPSK. You get something slightly 
better than an open network, but it’s PSK and all of those wonderful IoT 
devices just work. My crystal ball wish is to have that PPSK/IPSK solution then 
group that user’s devices into a private virtual home network, providing 
something that approaches their home experience.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Kurtis Olsen 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, September 12, 2019 at 9:27 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding 
process and have been asked to look at providing an Open SSID that has little 
to no onboarding.  I see an advantage being the ease of connecting but I have 
some concerns, mainly about providing a secure environment.
Our current onboarding process works like this.  Users connect to our 
Wolverine-WIFI SSID.  They then authenticate through our NAC solution which 
forces laptops to download a client.  This client scans their device for 
Antivirus and OS updates.  If it fails the scan they have access to get these 
updates.  Once it passes they are moved to our wireless production vLan.  There 
are no clients or scans for cellular devices at this time.  Users then of the 
option to join our Wolverine-Secure which authenticates by cert using 
SecureW2’s services.

I am curious if anyone else is using a completely open network for their 
general population or any other suggestions of how this can be simplified.

Kurtis Olsen
Director – Network & Telecom
Utah Valley University
800 W University Prkway
Orem, UT 84058
801-863-8000



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Temperature Sensor with PAP Support

[Enfield, Chuck]

Hi Folks,

Does anybody know of a temperature sensor that supports EAP-TTLS-PAP?

Thanks,

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
119L, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: Wireless Only in Student Housing?

[Enfield, Chuck]

Q. - If someone brings in a later gen PS4 and has connectivity issues, will 
your staff lay hands on the device to resolve the connectivity concern? Or is 
the approach just to say that the devices has been known to be compatible in 
the past and verify that the network is working properly?

A. – At Penn State, the answer is yes.  We’ll lay hands on it and do our best 
to get it working, but, ultimately, we can’t be responsible for the end users’ 
devices.  If the network is working correctly, we’ve met our obligations.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Chris Adams (IT)
Sent: Monday, August 27, 2018 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

This raises an interesting point, somewhat tangential to the original 
conversation.

How do you determine & maintain a list of “supported” residential network 
devices? If someone brings in a later gen PS4 and has connectivity issues, will 
your staff lay hands on the device to resolve the connectivity concern? Or is 
the approach just to say that the devices has been known to be compatible in 
the past and verify that the network is working properly?

We’ve had more tickets about ROKU TVs this fall than any other quantity of 
incidents, and trying to find a happy medium of providing connectivity VS 
supporting every device under the sun has been a point of controversy.


Thanks,

Chris Adams, M.S., CISSP

Associate CIO, Network & Telecom
Division of Information Technology
University of North Georgia

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Osborne, Bruce W (Network Operations)
Sent: Monday, August 27, 2018 9:46 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

When we initially went from wired/wireless to wireless + port request, we 
initially pulled out $1million worth of switches to be reused in other projects.

We have since moved to wireless only. In some cases of clients with poor NICs 
we provide temporary USB based loaner NICs. We have a list of supported 
wireless solutions for desktop systems. For gaming systems these days almost 
all can use wireless if the system if properly designed. This year we have 
dropped official support for the 1st Gen 2.4 only PS4 due to misbehaving 
wireless.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield, Chuck [mailto:cae...@psu.edu]
Sent: Friday, August 24, 2018 2:52 PM
Subject: Re: Wireless Only in Student Housing?

I don’t want to hijack Dan’s thread, but I wouldn’t mind adding to it if he 
doesn’t mind.

I know from previous threads that lots of schools have gone Wi-Fi-only, and 
issues are minimal.  But, as an institution that has both wired and wireless 
enabled throughout the residence halls, about 15% of our residents still plug 
in.  It was easy for us to do both because we were really late to provide 
Wi-Fi, so our legacy wired network is still serviceable.  At some point in the 
next couple years we’ll have to decide whether or not to replace it.  That 
requires an assessment of the value proposition.  15% use seems to suggest that 
there’s still significant value in providing wired connectivity, but I’m not 
sure it satisfactorily answers the question.  It’s safe to assume that some 
users really want that wired connection for good reasons, and other users who 
prefer a wired connection if it’s available, but really wouldn’t miss it if it 
wasn’t.  It’s to determine how many each make up that 15%.

I’m curious to hear from institutions that provide wired connections upon 
request.  If you do that, how many get requested?  Is it free, or is there a 
charge?  If a charge, how much?  …and anything else illuminating you can 
no-doubt contribute.

Thanks,

Chuck


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Entwistle, Bruce
Sent: Friday, August 24, 2018 2:16 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

Last year we converted our first residence hall to wireless only and there were 
minimal challenges.   You could consider installing the small hospitality APs 
in the rooms and then there would be wired ports available if necessary.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Daniel Wurst
Sent: Friday, August 24, 2018 11:12 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Wireless Only in Student Housing?

RE: [WIRELESS-LAN] Wireless Only in Student Housing?

[Enfield, Chuck]

Thanks Jacob.  That’s exactly the kind of info I was hoping for.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Barros, Jacob
Sent: Monday, August 27, 2018 8:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

We are still providing wired connections as desired.  I believe 8% is our trend 
through the years but my impression from the first two weeks of school is that 
number is climbing.  Physical connections are free and we offer an ethernet 
cable for free as well.   The beginning of our on ground undergrad semester is 
busy with connections, but very little maintenance afterward.  Gamers consider 
it a value and it costs us very little.  We've built two new dorms in the last 
five years and did pull cables to rooms in anticipation of having a full 
hospitality to room deployment in the future.




Jacob Barros

Associate Director of IT, Network and Operations

Email: jkbar...@grace.edu<mailto:jkbar...@grace.edu>

Phone: 574.372.5100 ext. 6178

[https://lh4.googleusercontent.com/UL13vM331_cldE--6pe0tmF8xi10XejwQWh_iIo3_WnKqa3GNTj7qfC8zMm-AathAnMQoUG1LNv5GzD35OyxQ_x_V2RG30D4r5ucKFdYJkE1-Z-d98UW1NPWapbWxgOAi68e0c7q]



On Fri, Aug 24, 2018 at 2:51 PM, Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
I don’t want to hijack Dan’s thread, but I wouldn’t mind adding to it if he 
doesn’t mind.

I know from previous threads that lots of schools have gone Wi-Fi-only, and 
issues are minimal.  But, as an institution that has both wired and wireless 
enabled throughout the residence halls, about 15% of our residents still plug 
in.  It was easy for us to do both because we were really late to provide 
Wi-Fi, so our legacy wired network is still serviceable.  At some point in the 
next couple years we’ll have to decide whether or not to replace it.  That 
requires an assessment of the value proposition.  15% use seems to suggest that 
there’s still significant value in providing wired connectivity, but I’m not 
sure it satisfactorily answers the question.  It’s safe to assume that some 
users really want that wired connection for good reasons, and other users who 
prefer a wired connection if it’s available, but really wouldn’t miss it if it 
wasn’t.  It’s to determine how many each make up that 15%.

I’m curious to hear from institutions that provide wired connections upon 
request.  If you do that, how many get requested?  Is it free, or is there a 
charge?  If a charge, how much?  …and anything else illuminating you can 
no-doubt contribute.

Thanks,

Chuck


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Entwistle, Bruce
Sent: Friday, August 24, 2018 2:16 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

Last year we converted our first residence hall to wireless only and there were 
minimal challenges.   You could consider installing the small hospitality APs 
in the rooms and then there would be wired ports available if necessary.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Daniel Wurst
Sent: Friday, August 24, 2018 11:12 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Wireless Only in Student Housing?

Hi All,

We are looking into building a new student housing building and are considering 
going Wifi only for network connectivity. We were wondering if anyone else has 
gone the route of only allowing network connectivity via wireless. If so, can 
you share your experience, lessons learned, and advice.

Thank you,

Dan
--
Daniel Wurst
Network Engineer
Denison University
wur...@denison.edu<mailto:wur...@denison.edu>
740-587-6229

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.educause.edu%2Fdiscuss=02%7C01%7Ccae104%40psu.edu%7C60e4da34373f40f79d5208d60c19c81e%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C636709702215955666=8%2FVSAKazmkyseMuSUV1NTv4vdYuvqEq3vEVoZZucgXQ%3D=0>.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.educause.edu%2Fdiscuss=02%7C01%7Ccae104%40psu.edu%7C60e4da34373f40f79d5208d60c19c81e%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C636709702215955666=8%2FVSAKazmkyseMuSUV1NTv4vdYuvqEq3vEVoZZucgXQ%3D=0>.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu

RE: [WIRELESS-LAN] Wireless Only in Student Housing?

[Enfield, Chuck]

I don’t want to hijack Dan’s thread, but I wouldn’t mind adding to it if he 
doesn’t mind.

I know from previous threads that lots of schools have gone Wi-Fi-only, and 
issues are minimal.  But, as an institution that has both wired and wireless 
enabled throughout the residence halls, about 15% of our residents still plug 
in.  It was easy for us to do both because we were really late to provide 
Wi-Fi, so our legacy wired network is still serviceable.  At some point in the 
next couple years we’ll have to decide whether or not to replace it.  That 
requires an assessment of the value proposition.  15% use seems to suggest that 
there’s still significant value in providing wired connectivity, but I’m not 
sure it satisfactorily answers the question.  It’s safe to assume that some 
users really want that wired connection for good reasons, and other users who 
prefer a wired connection if it’s available, but really wouldn’t miss it if it 
wasn’t.  It’s to determine how many each make up that 15%.

I’m curious to hear from institutions that provide wired connections upon 
request.  If you do that, how many get requested?  Is it free, or is there a 
charge?  If a charge, how much?  …and anything else illuminating you can 
no-doubt contribute.

Thanks,

Chuck


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Entwistle, Bruce
Sent: Friday, August 24, 2018 2:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

Last year we converted our first residence hall to wireless only and there were 
minimal challenges.   You could consider installing the small hospitality APs 
in the rooms and then there would be wired ports available if necessary.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Daniel Wurst
Sent: Friday, August 24, 2018 11:12 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Only in Student Housing?

Hi All,

We are looking into building a new student housing building and are considering 
going Wifi only for network connectivity. We were wondering if anyone else has 
gone the route of only allowing network connectivity via wireless. If so, can 
you share your experience, lessons learned, and advice.

Thank you,

Dan
--
Daniel Wurst
Network Engineer
Denison University
wur...@denison.edu
740-587-6229

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] Issues with Windows 10

[Enfield, Chuck]

We had a cert issue a few years back.  Our intermediate cert authority got a 
root cert of their own and it started getting deployed with major operating 
systems.  Devices that had the new root cert wouldn't use the old root cert, so 
server validation failed.  I don’t see how reinstalling the wireless driver 
would correct that problem, so I'm not saying you have the same issue.  It's 
just something to check for.

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Charles Rumford
Sent: Monday, July 30, 2018 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Issues with Windows 10

On 07/30/2018 11:22 AM, Turner, Ryan H wrote:
> We aren't running your method, but we also haven't heard of any mass 
> scale issues (doesn't mean there isn't).  What did SecureW2 say?


They are telling us that it's an issue with our cert stack, which I'm having a 
hard time believing.

We have a call with them this afternoon to try and figure it out before we 
deploy in the morning.


--
Charles Rumford
Senior Network Engineer
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0x173F5F3A (2018/07/05)


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] The strategic importance of 5GHz

[Enfield, Chuck]

I doubt it has anything to do with power over signaling conductors.  If that
can work on endspan, it should work just fine on midspan.  If the
transmission performance of the midspan is good enough, there's no reason a
midspan couldn't use the detection methods specified for endspan to provide
power with GigE.  If otherwise 3af compatible, such a device would simply
exceed the requirements of the standard.  Apparently the PowerDsine 6000G
and 3001G do that.  Maybe others will too.

I don't know the reason that midspan power for GigE was excluded from the
standard, but I'm happy to venture a guess.  I assume the required data
transmission performance made it too difficult for some manufacturers to do
it.  From a transmission perspective, the minimum requirements for 3af
devices seem to be aimed at maintaining cat-5 performance.  Since a
continuous 90m cat-5 link is barely up to the task of 1000BASE-T, the
requirement that a midspan device would support GigE on that same cat-5 link
was probably a dealbreaker.  At the risk of looking foolish by
prognosticating, I see 802.3at including midspans for 1000BASE-T, but only
on cat-5e or higher cable.  

Chuck

-Original Message-
From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 27, 2007 8:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

Chuck:

If I understand what you're saying, midspan can only inject power on unused
powers, and since GigE uses all four pairs, PoE for GigE needs to be driven
from endspans using what Wikipedia calls 'phantom power'
(http://en.wikipedia.org/wiki/Power_over_Ethernet).  Is that right?

Frank


-Original Message-
From: Enfield, Chuck [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2007 2:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

Sorry, I've been using midspan power so long I sometimes forget there are
other options.  I don't have time to look it up, but I'm reasonably sure
that 802.3af doesn't include midspan power for 1000BASE-T.  Much has been
made of the fact that 802.3at will.

That's not to say there are no midspan devices out there that comply with
3af AND do power for GigE.  If they can get adequate transmission
performance through the interconnect, there's no reason it shouldn't work.
I'll have to look into the PowerDsine PSE.

Chuck

-Original Message-
From: Philippe Hanset [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2007 11:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

If you look for instance at a PowerDsine 6000 serie Midspan power injector,
it is 802.3af compliant, and supports GigE. That's what we buy today in
preparation for 802.11n. (and crossing our fingers ;-) I have a secret hope
that 802.11b/g will be for coverage, (the Iphone will decide!) 802.11n at 5
Ghz for performance and who knowns what will happened to 802.11a (cheap
point-to-point?) Hopefully the 15 watts of 802.3af will suffice for b/g and
n at 5Ghz on one AP!

Philippe Hanset
University of Tennessee


On Wed, 27 Jun 2007, Enfield, Chuck wrote:

 Since we can't do 3af power with GigE, that one connection would have 
 to be 100Mb.  If we're going to use two cables for power let's hope 
 we'll be given the chance to use two data channels as well.

 Chuck

 -Original Message-
 From: Tomo [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 27, 2007 4:14 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

 The Airwave webinar (for which a link was sent round last week) 
 mentioned that some vendors are looking at providing two Ethernet 
 sockets on MIMO / 802.11n Access Points, so they could draw 2 x 
 802.3af power connections and one live Ethernet connection.

 _

 Tomo | Senior Network  Telecommunications Infrastructure Engineer 
 Direct
 line: +44 (0)20 7000  | Email: [EMAIL PROTECTED]

 www.london.edu


  -Original Message-
  From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED]
  Sent: 27 June 2007 02:32
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz
 
  Dale:
 
  I've heard from at least one vendor that a b/g radio with and 
  802.11n radio may operate within 802.3af power limits.  But I've 
  heard nothing absolutely definite so far and I anticipate that we'll 
  know more by the end of
 the
  summer as these products move from short-run samples to production.
 
  The whole 802.11n PoE and GigE port thing really puts most
 organizations
  into a pickle...they can cheat with using 100BaseT at the edge but 
  if
 you
  really want to do full 802.11n on two radios it's going to 
  necessitate
 a
  midspan, PoE injectors, or a new switch (and that will be at least a
 year
  away).  If vendors can make an AP with an 802.11b/g radio and an
 802.11n
  radio operate

RE: [WIRELESS-LAN] The strategic importance of 5GHz

[Enfield, Chuck]

Since we can't do 3af power with GigE, that one connection would have to be
100Mb.  If we're going to use two cables for power let's hope we'll be given
the chance to use two data channels as well.

Chuck

-Original Message-
From: Tomo [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 27, 2007 4:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

The Airwave webinar (for which a link was sent round last week) mentioned
that some vendors are looking at providing two Ethernet sockets on MIMO /
802.11n Access Points, so they could draw 2 x 802.3af power connections and
one live Ethernet connection.

_
 
Tomo | Senior Network  Telecommunications Infrastructure Engineer Direct
line: +44 (0)20 7000  | Email: [EMAIL PROTECTED]
 
www.london.edu
 

 -Original Message-
 From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED]
 Sent: 27 June 2007 02:32
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz
 
 Dale:
 
 I've heard from at least one vendor that a b/g radio with and 802.11n 
 radio may operate within 802.3af power limits.  But I've heard nothing 
 absolutely definite so far and I anticipate that we'll know more by 
 the end of
the
 summer as these products move from short-run samples to production.
 
 The whole 802.11n PoE and GigE port thing really puts most
organizations
 into a pickle...they can cheat with using 100BaseT at the edge but if
you
 really want to do full 802.11n on two radios it's going to necessitate
a
 midspan, PoE injectors, or a new switch (and that will be at least a
year
 away).  If vendors can make an AP with an 802.11b/g radio and an
802.11n
 radio operate within 802.3af power limits that should give
organizations
 the
 breathing room they need to upgrade their edge switching
infrastructure
 over
 the next 3-5 years.
 
 Frank
 
 -Original Message-
 From: Dale W. Carder [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, June 26, 2007 3:55 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz
 
 On Jun 25, 2007, at 11:57 AM, Enfield, Chuck wrote:
  We currently only have one UTP cable to an AP location.
 
  The alternative is one GigE drop with either local power or 
  proprietary UTP based power (including possible pre-standard 
  802.3at).
 
 One thing we did for the last 3 years is to pull siamese cable to each 
 AP location, setting up the infrastructure in advance for a technology 
 change.
 
 What will probably screw us as you mention is not enough PoE via
802.3af.
 Having an AP with bg on 2.4 and MIMO on 5 will probably require
802.3at.
 So in addition to replacing your AP's, you are now also forklifting
your
 PoE switches...
 
 Dale
 
 **
 Participation and subscription information for this EDUCAUSE
Constituent
 Group discussion list can be found at http://www.educause.edu/groups/.
 
 **
 Participation and subscription information for this EDUCAUSE
Constituent
 Group discussion list can be found at http://www.educause.edu/groups/.
 
 __
 
 This email has been scanned by the MessageLabs Email Security System 
 on behalf of the London Business School community.
 For more information please visit http://www.messagelabs.com/email 
 __

__

This email has been scanned by the MessageLabs Email Security System on
behalf of the London Business School community.
For more information please visit http://www.messagelabs.com/email
__

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] The strategic importance of 5GHz

[Enfield, Chuck]

Sorry, I've been using midspan power so long I sometimes forget there are
other options.  I don't have time to look it up, but I'm reasonably sure
that 802.3af doesn't include midspan power for 1000BASE-T.  Much has been
made of the fact that 802.3at will.

That's not to say there are no midspan devices out there that comply with
3af AND do power for GigE.  If they can get adequate transmission
performance through the interconnect, there's no reason it shouldn't work.
I'll have to look into the PowerDsine PSE.

Chuck

-Original Message-
From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 27, 2007 11:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

If you look for instance at a PowerDsine 6000 serie Midspan power injector,
it is 802.3af compliant, and supports GigE. That's what we buy today in
preparation for 802.11n. (and crossing our fingers ;-) I have a secret hope
that 802.11b/g will be for coverage, (the Iphone will decide!) 802.11n at 5
Ghz for performance and who knowns what will happened to 802.11a (cheap
point-to-point?) Hopefully the 15 watts of 802.3af will suffice for b/g and
n at 5Ghz on one AP!

Philippe Hanset
University of Tennessee


On Wed, 27 Jun 2007, Enfield, Chuck wrote:

 Since we can't do 3af power with GigE, that one connection would have 
 to be 100Mb.  If we're going to use two cables for power let's hope 
 we'll be given the chance to use two data channels as well.

 Chuck

 -Original Message-
 From: Tomo [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 27, 2007 4:14 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

 The Airwave webinar (for which a link was sent round last week) 
 mentioned that some vendors are looking at providing two Ethernet 
 sockets on MIMO / 802.11n Access Points, so they could draw 2 x 
 802.3af power connections and one live Ethernet connection.

 _

 Tomo | Senior Network  Telecommunications Infrastructure Engineer 
 Direct
 line: +44 (0)20 7000  | Email: [EMAIL PROTECTED]

 www.london.edu


  -Original Message-
  From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED]
  Sent: 27 June 2007 02:32
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz
 
  Dale:
 
  I've heard from at least one vendor that a b/g radio with and 
  802.11n radio may operate within 802.3af power limits.  But I've 
  heard nothing absolutely definite so far and I anticipate that we'll 
  know more by the end of
 the
  summer as these products move from short-run samples to production.
 
  The whole 802.11n PoE and GigE port thing really puts most
 organizations
  into a pickle...they can cheat with using 100BaseT at the edge but 
  if
 you
  really want to do full 802.11n on two radios it's going to 
  necessitate
 a
  midspan, PoE injectors, or a new switch (and that will be at least a
 year
  away).  If vendors can make an AP with an 802.11b/g radio and an
 802.11n
  radio operate within 802.3af power limits that should give
 organizations
  the
  breathing room they need to upgrade their edge switching
 infrastructure
  over
  the next 3-5 years.
 
  Frank
 
  -Original Message-
  From: Dale W. Carder [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, June 26, 2007 3:55 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz
 
  On Jun 25, 2007, at 11:57 AM, Enfield, Chuck wrote:
   We currently only have one UTP cable to an AP location.
  
   The alternative is one GigE drop with either local power or 
   proprietary UTP based power (including possible pre-standard 
   802.3at).
 
  One thing we did for the last 3 years is to pull siamese cable to 
  each AP location, setting up the infrastructure in advance for a 
  technology change.
 
  What will probably screw us as you mention is not enough PoE via
 802.3af.
  Having an AP with bg on 2.4 and MIMO on 5 will probably require
 802.3at.
  So in addition to replacing your AP's, you are now also forklifting
 your
  PoE switches...
 
  Dale
 
  **
  Participation and subscription information for this EDUCAUSE
 Constituent
  Group discussion list can be found at http://www.educause.edu/groups/.
 
  **
  Participation and subscription information for this EDUCAUSE
 Constituent
  Group discussion list can be found at http://www.educause.edu/groups/.
 
  
  __
 
  This email has been scanned by the MessageLabs Email Security System 
  on behalf of the London Business School community.
  For more information please visit http://www.messagelabs.com/email 
  
  __

 __

 This email has been scanned by the MessageLabs Email Security

RE: [WIRELESS-LAN] The strategic importance of 5GHz

[Enfield, Chuck]

Hi Frank,

Thanks for bringing up cabling.  I've been operating under the assumption
that there would be some new cabling involved with the transition to
802.11n.  It's not clear to me yet if it will make sense to locate n APs
in the same places as our current a/g, but I'm guessing an optimal (you're
free to pick what you're optimizing for) 802.11n-only layout will demand
different locations.

Assuming we do go with the same locations, bandwidth and/or power demands
may still require additional cables.  We currently only have one UTP cable
to an AP location.  If we don't want a potential bottleneck where the AP
meets the wired LAN, we'll need either two 100Mb connections (though in a
dual-band, 4-spatial stream environment, that still may be a bottleneck) or
a single GigE.  I don't know what the common vendor options will be, but two
cat-5's with 100Tx and 802.3af power should adequately meet both demands.
The alternative is one GigE drop with either local power or proprietary UTP
based power (including possible pre-standard 802.3at).  I'm not sure which
will solution will have the highest TCO, but pulling new cable doesn't
strike me as a bad solution.

Chuck

-Original Message-
From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 21, 2007 1:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

Thanks for sharing your thoughts.  You're right, the initial price points
I'm hearing suggest a 50% to 75% premium over dual-radio, dual-band APs
today.  There's been a lot of Meru love on this listserv, so let me bring
the romance down a notch by suggesting that their opening price of $1500 for
a pre-802.11n AP is an absolutely astonishing example of value pricing.
Cisco and Aruba shared some possible price ranges with me and upon hearing
them I felt only more sure than ever that most enterprises will not delay
their summer purchases for pre-802.11n capable APs and that the majority of
pre-802.11n APs sold this fall will be to enterprises trialing a few units.


That said, I do think the most likely long-term solution is to replace
existing APs with a dual-radio AP, one radio using a 2.4 GHz 802.11b/g and
the other using 2.4 GHz and 5 GHz 802.11n.  Some might be tempted to overlay
their existing wireless infrastructure with a separate single radio,
dual-band 802.11n AP, but that will require separate Ethernet cables runs
and legacy clients running against the 2.4 GHz or 5 GHz bands will
substantially reduce the performance advantage.  Of course, if you wait 3
years then most of the legacy clients in a Higher Ed organization will have
naturally aged out with 802.11n clients and it's not as much of a concern.
Then the question is how much capacity you want, and the more radios you
have the more channels that can be used.

Regards,

Frank

-Original Message-
From: Enfield, Chuck [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 20, 2007 3:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] The strategic importance of 5GHz

I started responding to the thread titled The strategic importance of
802.11a an quickly got off topic.  Frank covered that topic quite well, so
I'd like to change the subject from g vs. a to 2.4GHz vs. 5GHz.

I'd like to discourage the use of 2.4GHz, 802.11n APs.  Since we all have to
buy new hardware for 802.11n anyway, this is probably our best opportunity
to get away from all the limitations of the 2.4GHz band.  I believe the best
way to avoid migration path issues from a/g to n will be to roll out
802.11n at 5GHz and retain 802.11g for legacy clients.  I'm concerned that
because MIMO APs cost more and dual-band APs cost more, dual-band MIMO APs
will cost much more.  A substantial premium for dual-band, 802.11n APs will
lead people to buy single-band devices.  If we're counting on n to support
legacy clients, that band will have to be 2.4GHz.  If we get any significant
distance down that path, we may be stuck at 2.4GHz until the next technology
comes out.  I know the standard is being developed around backward
compatibility, but that doesn't mean we have to use it.  If we can convince
vendors that we don't need 802.11n to support legacy clients there's hope
for affordable 5GHz 802.11n.

I can envision two ways to support legacy clients without using 802.11n.
One is to leave our existing 802.11b/g infrastructures in place for legacy
clients.  I know none of us want to support two infrastructures, but until
we replace everything we'll be doing that anyway.  We can hope that the
advantages of 802.11n will be so great that everybody will upgrade their
clients before the roll-out is even completed (yes, I'm being
uncharacteristically optimistic).  The other is ask manufacturers to provide
a relatively cheap 802.11g radio in a 5GHz, 802.11n AP.  The obvious
drawback to that is paying extra for a radio we hope not to use, but it
shouldn't be a tremendous premium.

I hope to get lots of feedback

The strategic importance of 5GHz

[Enfield, Chuck]

I started responding to the thread titled The strategic importance of
802.11a an quickly got off topic.  Frank covered that topic quite well, so
I'd like to change the subject from g vs. a to 2.4GHz vs. 5GHz.

I'd like to discourage the use of 2.4GHz, 802.11n APs.  Since we all have to
buy new hardware for 802.11n anyway, this is probably our best opportunity
to get away from all the limitations of the 2.4GHz band.  I believe the best
way to avoid migration path issues from a/g to n will be to roll out
802.11n at 5GHz and retain 802.11g for legacy clients.  I'm concerned that
because MIMO APs cost more and dual-band APs cost more, dual-band MIMO APs
will cost much more.  A substantial premium for dual-band, 802.11n APs will
lead people to buy single-band devices.  If we're counting on n to support
legacy clients, that band will have to be 2.4GHz.  If we get any significant
distance down that path, we may be stuck at 2.4GHz until the next technology
comes out.  I know the standard is being developed around backward
compatibility, but that doesn't mean we have to use it.  If we can convince
vendors that we don't need 802.11n to support legacy clients there's hope
for affordable 5GHz 802.11n.

I can envision two ways to support legacy clients without using 802.11n.
One is to leave our existing 802.11b/g infrastructures in place for legacy
clients.  I know none of us want to support two infrastructures, but until
we replace everything we'll be doing that anyway.  We can hope that the
advantages of 802.11n will be so great that everybody will upgrade their
clients before the roll-out is even completed (yes, I'm being
uncharacteristically optimistic).  The other is ask manufacturers to provide
a relatively cheap 802.11g radio in a 5GHz, 802.11n AP.  The obvious
drawback to that is paying extra for a radio we hope not to use, but it
shouldn't be a tremendous premium.

I hope to get lots of feedback on this, even if it's just to tell me I'm
nuts.  I've been saying for years that the future is at 5GHz, but I fear
we're in danger of missing another opportunity to exploit that potential.

Chuck Enfield
Sr. Communications Engineer
Penn State University
Telecommunications  Networking Services
110 USB2, UP, PA 16802
Ph. (814) 863-8715
Fx. (814) 865-3988

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] wireless 'clickers'

[Enfield, Chuck]

Title: Message



I 
can't claim any experience with the system you mention, but I can make some 
suggestions you may find useful in doing an theoretical analysis. If 
you're mistrustful of suchanalyses, exhaustive testing is probably your 
only option.

The 
real issue is notif thesystems will interfere, but if that 
interference will be detrimental. Whether or not you can find a way to 
channelize your response system such that interference with your WLAN will be 
insignificant may depend on the density of the response system deployment. 
I'm assuming that the 82 channels are from 2.401GHz to 2.482GHz. If the 
response system transmittershave a reasonably low output power (100mw) 
and good out-of-band power roll-off, you should be able to use any channel above 
2.474GHzwithno harm to channel 11 transmissions. If you can't 
get the out-of-band info from the manufacturer, it can probably be inferred from 
their recommendations on channel separation for adjacent systems and the 
system's receiver sensitivity. If the response system's Rx sensitivity is 
similar to that of an 802.11 radio (~-90dB) and you can use adjacent or nearly 
adjacent channels in adjacent rooms, I wouldn't worry too much about it. 
If theyrecommend skipping more thana fewchannels between 
adjacent systems, it mayindicate that there is significant power well 
outside the 1Mhzbandwidth and I would be concerned about the effect on my 
WLAN unless you can get separation comparable to what they suggest for the 
response system. If the response system can use nearby channels, there may 
be room for several systems in the space above channel 11 
alone.

Even 
assuming a narrow channel for the response system it may be impossible to select 
enough non-detrimental channels if you have a high density of both APs and 
response systems. It is not clear to me what effect the response system 
may have on 802.11 if the selected channel falls near the center of an 802.11 
channel. Evena very well behaved 1Mhz-wide signal has the potential 
to foul up as many as 5 OFDM subcarriers. I don't know enough about the 
technologypredict how often convolution codingwill 
besufficient to overcome this, so I can'tsay what effect it may have 
on BER.However, if you canchannelize the response system such 
thatall channels fall at least 10Mhz from the center frequencyof any 
nearby APs you would be interfering primarily with the pilot carriers of the 
OFDM signal, which should have minimal effect on the WLAN's performance. 
This seems very possible in an 802.11 environment that uses only channels 1, 6, 
 11, so long as there aren't too many separate response systems you need to 
find channels for. I would expect a greater effect from such a channel 
plan in a DSSS environment at the higher data rates, but unless the response 
system is very active I wouldn't expect the BER to increase by more than 
1-2%. You'll have to decide if that effect on a diminshing user group 
concerns you or not. I would expect enough redundancy to overcome this 
interference at the low DSSS data rates used when the AP is in DSSS-OFDM 
mode.

Inany case, I would be equally concerned about 
the effect of the WLAN on the response system, but is seems like that should be 
relatively easy to test. If you can arrange a product demo, you could 
bring an AP and a couple laptops to generate a good quantity of 802.11 traffic 
and see if it fouls up the response system. It may be possible to do 
aquick and easytest of the effect of the response system on the WLAN 
too if you can get enough users on the rsponse system at the same time to 
satisfy your concerns. I've found it difficult to arrange for that kind of 
help.

I'm sure this isn't the clear recommendation you had 
inmind, but I hope it helps anyway.

Chuck 
Enfield
Sr. 
Communications Engineer
PSU, 
Information Technology Services
Suite 
110, University Support Bldg. 2
University Park, PA 
16802
ph. (814) 
863-8715
fx. (814) 
865-3988

  
  -Original Message-From: Jamie Savage 
  [mailto:[EMAIL PROTECTED] Sent: Monday, January 16, 2006 4:04 
  PMTo: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUSubject: 
  [WIRELESS-LAN] wireless 'clickers'We're currently investigating a Group Response System 
  where a class of students would be given wireless response keypads where they 
  would enter various thingsanswers to questions etc. This particular 
  system runs in the 2.4ghz range (of course) and although the company claims 
  minimal interference.I'm wondering. They claim, that because their 
  units use fixed frequency (as opposed to spread spectrum) and can be 
  configured to use 1 of 82 channels of 1 MHz in width, they can work on 
  channels 'in-between or above the non-overlapping WLAN hotspots' channels. 
   In the non-overlapping WLAN scenario they say they can be configured to 
  avoid interference which I read to mean..they can't completely eliminate 
  interference. Has anyone had experience with these types of 
  devices? 

RE: [WIRELESS-LAN] Issue with RF collision Domains

[Enfield, Chuck]

Title: Message



It's 
correct that some of the Cisco APs can do this, but the client card must 
supportCisco's Aeronet Extensions. There are quite a few cards that 
do this, but many of Cisco's major competitors in theWLAN 
industryaren't interested in becoming "Cisco Compatible"for obvious 
reasons. I'm not aware of any standards based means of client power 
control, but would love to find one. I've thought aboutsetting the 
access point to a regulatory domain thatoperates within FCC rules but at a 
lower maximum power, thereby using 802.11d features to reduce client transmit 
levels.I haven't looked fora such a regulatory domain 
yet and there's a good chance that no suitable one exists.

It's 
not quite fair to say you won't gain a thing by turning down your AP 
power. Typically, the AP does more talking than the clients. The 
extent to which that's true varies by the type of use, but I'm not aware of any 
cases where clients transmit more than the AP. Also, clients typically 
have smaller collision domains than do APs even when the output power is the 
same due to being only 2 or 3 feet above the floor. If your analysis leads 
you to believe you would benefit considerably from a little more aggregate 
bandwidth, a microcell type of design strategy may be in order. It's good 
to be aware, however, that a modest performance increase can require a large 
cost increase and there's a finite bandwidth limit regardless how much cash 
you're willing to spend. My opinion is microcells rarely provide good bang 
for the buck.

Chuck Enfield
Sr. Communications 
Engineer
PSU, Information Technology 
Services
Suite 110, University Support Bldg. 
2
University Park, PA 
16802
ph. (814) 
863-8715
fx. (814) 865-3988


  
  -Original Message-From: M. Sjulstad 
  [mailto:[EMAIL PROTECTED] Sent: Thursday, November 17, 2005 
  12:59 PMTo: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUSubject: 
  Re: [WIRELESS-LAN] Issue with RF collision Domains
  I believe you can limit the client's transmit power with AP's... at least 
  with cisco 1220 g radios. I do this in at least one situation where I have 
  secure administrative wireless network within an environment where most of the 
  building is an academic and open wireless network. 
  MS 
  _ 
  M. Sjulstad 
  Network/Electronics Engineer - IIT Dept. 
  St. Olaf College 
  Northfield, MN 55057 
  _ 
  1-507-646-3835 
  [EMAIL PROTECTED] 
  www.stolaf.edu/people/sjulstad 
  On Nov 17, 2005, at 11:28 AM, Stephen Holland wrote: 
  Hello my Name is Stephen Holland and I am from Northeastern University. 

  Glad to be part of the list. 
  I am struggling with the whole concept of the microcell. 
  For example I have three classrooms side by side end to end distance of 100 
  
  feet. Each classroom has 40 users. I have been asked to size at 20 users 
  
  per AP. 
  --100 feet- 
  | | | | | 
  | 1 | 2 | 3 | 50 Feet 
  | (1) | (6) | (11) | | 
  I could cover the three classrooms with AP's set to channels 1,6,11 but 

  that would give me a density of 40 users per AP. I could add more AP's to 
  
  bring up the density but I question whether I will gain anything by doing 
  
  so. Well you can adjust the transmit power to limit the cell size you 
  can't adjust the client power level. If you have a transmit level of 0dBM 
  
  on the AP and a client power level of 15dBM the client is going to be heard 
  
  a lot further. Assuming I could knock down the transmit power enough to 

  cover a single classroom(unlikely!) I still have client issues. If a client 
  
  transmits on channel 6 in classroom 3 it will be heard in classroom 2 and 
  
  classroom 1.If this is the case than I am sharing bandwidth on 
  channel 6 and I have not gained a thing by adding more AP's. 
  
  --100 feet- 
  | | | | | 
  | 1 | 2 | 3 | 50 Feet 
  | (1)(11) | (6)  (1) | (11) (6)| | 
  I bring this up because I get more and more requests for densities of 20 
  
  users per AP in locations like the one above. I am of the opinion that 
  adding more AP's won't help increase bandwidth. If this is the case why 

  would I spend the money to add more AP's?. How have others dealt with the 
  
  above situation?. 
  Thanks 
  Steveh 
  ** 
  Participation and subscription information for this EDUCAUSE Constituent 
  Group discussion list can be found at http://www.educause.edu/groups/. 

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] Wireless enclosures

[Enfield, Chuck]

-Original Message-
From: Timothy J. Fairlie [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Wireless enclosures


We just used 12x12x4 PVC junction boxes that we got from a local electrical
supplier (8x8 versions are available too)

We got the larger ones because we mounted a wall jack (and even power
outlets in some cases) right inside each box with the AP.

Nothing fancy about em, they were inexpensive. we replaced the standard
cover screws with tamper-proof screws we got from Home Depot, painted 'em to
match the wall and nobody even notices they are there.


T..

Timothy J. Fairlie
Director, Network and Communication Services
Rider University[EMAIL PROTECTED]

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/cg/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/cg/.

RE: [WIRELESS-LAN] 802.11g question

[Enfield, Chuck]

-Original Message-
From: Daniel Medina [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 10:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] 802.11g question


 An article from O'Reilly claims that the AP just doesn't become a b AP,
though performance is significantly degraded.

When Is 54 Not Equal to 54? A Look at 802.11a, b, and g Throughput
http://www.oreillynet.com/pub/a/wireless/2003/08/08/wireless_throughput.html

On Wed, Dec 03, 2003 at 10:41:00AM -0400, Matt Ashfield (UNB) wrote:
 Hi All,

 I was hoping someone could clear something up. When an 802.11g Access
 Point (for example, Avaya) has an 802.11b client talking to it, does
 that effectively revert the access point from g to a b because of
 the b client?

 Thanks

 Matt
 [EMAIL PROTECTED]

--
Dan Medina

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/cg/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/cg/.

RE: [WIRELESS-LAN] AP radio interference

[Enfield, Chuck]

You are right to be concerned about interference between AP's because of the
effect it can have on throughput.  Two AP's that interfere with each other
will have the roughly the same total throughput capacity as a single AP, and
who wants one for the price of two.  You are also partially correct that the
extent of the interference is related to the distance between AP's, but not
for the reason most people think.  In an AP only environment (let's forget
clients for a minute), two AP's on the same channel will either interfere or
not based on the receiver sensitivity and the received signal strength.
Once two AP's are close enough to interfere, the interference will not be
made worse by moving them closer together.  For example, lets assume we have
two identical AP's on the same channel (AP-1  AP-2) with a received signal
strength (RSSI) from AP-2 at AP-1 of -80dB.  If the receiver sensitivity of
AP-1 is less than -80dB, say -90dB, AP-2 will interfere with AP-1.  If the
receiver sensitivity is greater than -80dB, say -70dB, AP-2 will not
interfere with AP-1. If the RSSI is greater than the receiver sensitivity,
it doesn't really matter by how much.  Be aware that this is a simplified
account of what actually happens.  Most late-model enterprise type radios
employ some manner of DSP to eliminate some of this interference, but that
doesn't change the yes/no nature of interference, only the signal level at
which interference is a factor.

Unfortunately, our networks don't consist solely of AP's, and network
clients complicate the issue tremendously.  For a given radio, the factors
that will determine the achievable throughput are the transmission rate and
the size of the collision domain.  Unlike the wired networks of old, where
the collision domain was the same for every node on the network segment,
WLAN collision domains are determined by RF signal propagation and are
different for each radio.  Consider again our AP's from above.  If the AP's
are far enough apart so that the coverage areas (region within which a
client can associate with the AP) don't overlap, AP-1's collision domain is
not affected by the presence of AP-2 or it's clients.  If however the
coverage areas do overlap, the clients in the overlapping region are in the
collision domain for both AP's.  So, if there are 30 clients associated to
each AP and coverage areas don't overlap, the collision domain for each AP
is 31 nodes.  If, with the same number of clients, the coverage areas
overlap by 1/3, each collision domain is 41 nodes.  In the latter case,
network performance will be worse than the number of users associated to
each AP would suggest.  This is why moving AP's closer together can
negatively affect throughput.  It's not so much the magnitude of the
interfering signal, but the size of the collision domain.

Finally, you must also consider the size of each client's collision domain.
This is especially true if high-gain directional antennas are employed.
These narrow beam antennas are capable of producing non-overlapping cells
with large amounts of area in close proximity to each other.  Picture the
coverage area of our two AP's as adjacent oversized lanes on a bowling
alley.  It's quite possible to have 15 clients (30mW radios with omni
antennas) in each lane that can only see one AP, but can see every other
client.  In that case the collision domain for each AP is 16 nodes, but for
each client it's 31.  Again, performance will be worse than the number of
users associated to each AP would suggest.

The good news is that for low client densities using applications with
modest bandwidth  QOS requirements, throughput may not be as important as
everyone makes it out to be.  However, may need to consider all of the
factors in a high client density environment, especially if 802.11 phones or
other streaming apps are being used.  My advice is to keep your AP's from
interfering with each other, since that's easily controllable, and the
extent to which you worry about clients is up to you.  I know I didn't
exactly answer your question, but I strongly believe that only you can.
Every design in the WLAN business is a one-off, where performance, expense,
ease of use, ease of administration, etc. are traded off against one
another.  You should be suspect of anyone who says they have THE answer.

Chuck Enfield
Sr. Communications Engineer
PSU, Information Technology Services
110 USB 2
UP, PA 16802
Ph. 814.863-8715
Fx. 814.863-9851

-Original Message-
From: James Savage [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 4:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] AP radio interference


I'd love to use 5g radios but that's not going to happen.  I've considered
preaching the 11a gospel to the other institution on the chance they might
convert  ;+)

...thanks for the responseJ

On Thu, 13 Nov 2003, John J. Brassil wrote:

 It works OK - our engineering school recently completed a new wing
 that has a large central