RE: [WIRELESS-LAN] Cisco WiSM2 Association issues

2013-10-04 Thread Foerst, Daniel P.
Hi Everyone,

Thanks for all the interesting insight and troubleshooting attempts.

My colleague is still struggling with this issue and the only benefit thus far 
is that his Android is affected. So thankfully we have a good test candidate. 
He has been working with TAC and I don't know what debug information he has 
seen, but I do know that TAC believes everything is okay and it should work! 
Clearly it is not. He cannot associate on an Open SSID, or a Secured SSID with 
WPA2 AES/PSK.

We are not running IPv6, so this was globally disabled already. And the most 
recent attempt was that we had Allow AAA Override changed to become 
unchecked. This did not resolve the issue either.

While I can tolerate a person or two having issues, it is the unknown of how 
many more are out there who will have issues. We had plans to begin moving 
buildings using WiSM1 controllers over to the new WiSM2 controllers and I am 
very reluctant to do that now.

I suspect/hope this case will be escalated soon and if we find a solution I 
will share it with everyone here. In the meantime if you have other ideas, 
please let me know!

Thanks!

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jithin Kesavan 
[j.kesa...@unsw.edu.au]
Sent: Tuesday, October 01, 2013 11:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WiSM2 Association issues

Hi Daniel,

We here at UNSW have been experiencing similar issues for the past few weeks, 
ever since we upgraded WLC code from 7.2 to 7.5.

Basically, what we have found is that this is affecting only Android version 
4.1.2 e.g.: Samsung S3 or Galaxy Note 2 etc.
Samsung S4 or Galaxy Note 3 running Android 4.2.2 is not affected in our case.

We have a mix of different SSIDs. The main one runs 802.1x/WPA2 authenticating 
against a bunch of radius servers. We have other SSIDs using Web authentication 
and Pre-shared keys.
We even tried on our test SSIDs with open access.
Irrespective of the security setting on the WLAN, the device attempts to 
connect, fails and eventually comes up with Authentication error occurred.

We have a test WiSM2 running 7.2 code. As soon as we move the AP to the test 
WiSM2, the device can connect without any issues.

Last week we raised a TAC request and ran some debug outputs which showed the 
following:


IPv6_Msg_Task: Sep 24 12:01:38.564: 90:18:7c:a8:6b:de Link Local address 
fe80::9218:7cff:fea8:6bde updated to mscb. Not Advancing pem state.Current 
state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A

*SNMPTask: Sep 24 12:08:04.220: 90:18:7c:a8:6b:de Central Switch = TRUE

*SNMPTask: Sep 24 12:08:04.220: 90:18:7c:a8:6b:de Central Switch = TRUE

TAC engineer suggested disabling IPv6 globally on the controllers which at the 
time fixed the issue; only for the issue to resurface after a few days.

The only thing is I don't see anything in particular from the debug client MAC 
addr command on the controller.

I have re-opened the TAC case, and am waiting for their response.

One thing to note is that Android 4.2.2 devices were experiencing similar 
issues when it was first reported to us, but there was a software update for 
4.2 which came sometime in the last month or so, after which the problem seems 
to have disappeared.

Cheers
Jithin


Jithin Kesavan
Senior Network Engineer
UNSW IT

THE UNIVERSITY OF NEW SOUTH WALES
UNSW SYDNEY NSW 2052 AUSTRALIA
Phone: +61 2 9385 1154
Mobile: 040 171 3334
Email: j.kesa...@unsw.edu.au
Website: http://www.it.unsw.edu.au/





On 1/10/13 7:05 AM, Foerst, Daniel P. foe...@cua.edu wrote:

Hi all,

We are experiencing an odd issue as of late. A client with an Android device 
(HTC One) is able to associate to a wireless access point joined to a Cisco 
WiSM1 controller that is running 7.0.235.3 code, but when the AP is joined to a 
WiSM2 with 7.5.0 code it is unable to join. The most I have heard is that it 
attempts to connect until ultimately it gives up. If the AP is migrated back to 
a WiSM1 the issue clears and the client is able to associate, receive an IP 
address, and use the network.  The WLAN is an open SSID currently operating 
without any security so we know that isn't interfering.

A TAC case has been opened to investigate this issue, however I wanted to see 
if anyone else has experienced this yet.

Typically I wouldn't give it much thought, but we have also seen some of our 
student base experience this same issue with a Windows 8 tablet (not sure if it 
was RT or not). Where my colleague and his HTC One is able to move the AP back 
to a WiSM1 and work around the issue, the student doesn't have that luxury as 
all APs in his/her residence hall are 2602e APs and require a WiSM2

Cisco WiSM2 Association issues

2013-09-30 Thread Foerst, Daniel P.
Hi all,

We are experiencing an odd issue as of late. A client with an Android device 
(HTC One) is able to associate to a wireless access point joined to a Cisco 
WiSM1 controller that is running 7.0.235.3 code, but when the AP is joined to a 
WiSM2 with 7.5.0 code it is unable to join. The most I have heard is that it 
attempts to connect until ultimately it gives up. If the AP is migrated back to 
a WiSM1 the issue clears and the client is able to associate, receive an IP 
address, and use the network.  The WLAN is an open SSID currently operating 
without any security so we know that isn't interfering.

A TAC case has been opened to investigate this issue, however I wanted to see 
if anyone else has experienced this yet.

Typically I wouldn't give it much thought, but we have also seen some of our 
student base experience this same issue with a Windows 8 tablet (not sure if it 
was RT or not). Where my colleague and his HTC One is able to move the AP back 
to a WiSM1 and work around the issue, the student doesn't have that luxury as 
all APs in his/her residence hall are 2602e APs and require a WiSM2 controller. 
After experiencing this issue we are hesitant to move other residence halls 
currently operating on WiSM1s to the new WiSM2 controllers.

Thanks much!

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Cisco WiSM2 Association issues

2013-09-30 Thread Foerst, Daniel P.
I do not see the AP being in a different RF Group. At least this isn't jumping 
out at me when I look at the individual AP details.
The RF Group name is the same between the WiSM1 and the WiSM2 controllers.
On WiSM1 we have disabled the lower speeds 1Mbps to 11Mbps.
On the WiSM2 we are currently running with defaults. So one would think that if 
there were issues, it would be seen on the WiSM1.

I will need to check the debug client macaddr tomorrow when I am in the 
office.

Thanks!

-dan


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Tristan Gulyas 
[tristan.gul...@monash.edu]
Sent: Monday, September 30, 2013 7:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WiSM2 Association issues

Hi,

Is the AP in an RF group with different settings to the global configuration?

What does your debug client macaddr tell you?

Tristan
---
Tristan Gulyas              tristan.gul...@monash.edu
Wireless Network Engineer   M:  +61 403224484
eSolutions division         P:  +61 3 9902 9092
Building 205  Monash University   3800   Australia


On 01/10/2013, at 7:05 AM, Foerst, Daniel P. foe...@cua.edu wrote:

Hi all,

We are experiencing an odd issue as of late. A client with an Android device 
(HTC One) is able to associate to a wireless access point joined to a Cisco 
WiSM1 controller that is running 7.0.235.3 code, but when the AP is joined to a 
WiSM2 with 7.5.0 code it is unable to join. The most I have heard is that it 
attempts to connect until ultimately it gives up. If the AP is migrated back to 
a WiSM1 the issue clears and the client is able to associate, receive an IP 
address, and use the network.  The WLAN is an open SSID currently operating 
without any security so we know that isn't interfering.

A TAC case has been opened to investigate this issue, however I wanted to see 
if anyone else has experienced this yet.

Typically I wouldn't give it much thought, but we have also seen some of our 
student base experience this same issue with a Windows 8 tablet (not sure if it 
was RT or not). Where my colleague and his HTC One is able to move the AP back 
to a WiSM1 and work around the issue, the student doesn't have that luxury as 
all APs in his/her residence hall are 2602e APs and require a WiSM2 controller. 
After experiencing this issue we are hesitant to move other residence halls 
currently operating on WiSM1s to the new WiSM2 controllers.

Thanks much!

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064



RE: [WIRELESS-LAN] WiSM2 HA issues

2013-08-17 Thread Foerst, Daniel P.
We just implemented WiSM2s in our Residential network this week running 
7.5.102.0 with SSO HA enabled on Wednesday afternoon.

So far the only issue I have seen, and I don't have any hard evidence on it, 
has been Apple devices having difficulties obtaining IP addresses. This issue was 
reported over different types of devices from MacBook Pros to iPhones and I 
think an iPad or two.

Not certain what the issue was at the time, I modified the WLAN from providing 
IP address from an Interface Group consisting of two VLANs - one VLAN was a 
/21, the other was two /22s using Microsoft DHCP as a superscope. I changed the 
interface on the WLAN to the /22s (no real reason, just selected it) and I 
haven't heard of any other issues.

In fact I saw the client count jump from 12 clients to 27 at the time and all 
received IPs. Prior to the modification, only 8 or 9 of the 12 clients had IPs, 
the remaining clients were reported as having IPs of 0.0.0.0 even after several 
refreshes. At this time these are totally open networks, so security should be 
causing this issue and our NAC appliance will be activated in the next week or 
two.

I am obviously worried that Interface Groups are going to be a bigger issue in 
7.5.x as we use them in 7.0.x on our old WiSM1 modules which will be replaced 
in the coming weeks.

-dan

Daniel Foerst
The Catholic University of America

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joe Roth
Sent: Friday, August 16, 2013 3:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM2 HA issues

One of our analysts is working with TAC and was told today that we may be 
hitting a known bug, though she hasn't provided the ID yet. She is going to 
review our logs and sh tech, she said that the recommendation could be going 
to 7.5.

On Fri, Aug 16, 2013 at 12:44 PM, Joe Rogers j...@usf.edu wrote:

FWIW, I know you specifically mentioned 7.3 and 7.4, but we ran 7.5 for several 
weeks in a SSO HA configuration between a pair of WiSM2's in a 6500 with 
Sup720's and had no issues.  It was handling ~600 AP's and a couple thousand 
concurrent users.

Joe Rogers
University of South Florida


On 08/16/2013 11:13 AM, Joe Roth wrote:
I was wondering if anyone was running WiSM2's that are paired with an HA SKU 
model doing AP-SSO.

We have had issues with our WiSM2's failing over to the HA peer randomly. This 
has happened in both 7.3 and 7.4 versions. We have seen a couple of different 
error messages in prime when this happens. One was regarding the WiSM2 not 
being able to reach the gateway, the other said that the WiSM2 could not reach 
its peer. This happens during off peak times as well.

We have three different pairs, and we have seen this issue with all of them, 
they are all in separate 6500 chassis, so I don't think that it is a chassis 
specific issue, or specific to one WiSM2 in particular. Two of the WiSMs have 
900+ APs, the third has about 300, so it doesn't seem to be load related.

Has anyone had a similar experience and found a fix, or is anyone running this 
successfully without any issues? I dug up a couple of posts on the Cisco 
forums, but they don't outline a fix.

We do have a TAC case open and we are trying to get it escalated to level 2, 
this hasn't turned up much yet.

Thanks.

--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009




--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009



Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND computer?

2013-02-07 Thread Foerst, Daniel P.
Actually,

This is something I too am trying to setup. Craig, would you mind sharing
your IAS setup with me as well?
I have been tasked with doing this setup, however I am not even sure where
to begin. E.g. Do I need a CA or can this just be performed through
straight radius using PEAP. Perhaps it is something else? I am in the very
early stages of looking at this, but we have a 2003 & 2008 IAS setup.

Thanks!

-dan

Daniel Foerst
Network & Security
The Catholic University of America
Washington, DC 20064

On 2/7/13 9:06 AM, Ashfield, Matt (NBCC) matt.ashfi...@nbcc.ca wrote:

What Craig is saying is what we *thought* we had working. We must be
missing something in our setup. Craig, would it be possible to contact
you or someone in your shop offline of this list to discuss?

Thanks

Matt

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Pluchinsky
Sent: Thursday, February 07, 2013 8:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user
AND computer?

We do something like this with laptops.  The machines are a member of a
domain and have a group policy set that Authentication Mode is User or
Computer authentication.  Then on the radius server (Microsoft IAS) we
have a rule for computers and a rule for domain users.  When the laptop
is first turned on it auth's as the computer account.  When the user logs
in it re-auths as the user account.


---
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327


On Thu, 7 Feb 2013, Ashfield, Matt (NBCC) wrote:

 
 Well ideally, the scenario we'd like is:
 
 Computer boots up to login screen. User logs in, and is at that point
 (or earlier) connected/authenticated to wifi by way of having
 authenticated the computer and the user credentials. At that point,
login scripts and whatnot are able to run as the windows OS loads.
 
 I'm sure this is not a unique situation. Is anyone else doing something
similar?
 
  
 
 Thanks
 
 Matt
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Heath
 Barnhart
 Sent: Wednesday, February 06, 2013 5:32 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user
AND computer?
 
  
 
 Reading this technet page it looks like you can specify a condition of
 the computer being in a Machine Group and User being in User Group.
 I'm not an AD guy, so I don't understand the difference between the
 two groups, but as I recall different condition types are evaluated
with an AND, so in theory you could do it that way. I'm interested in
this as well, but haven't had time to play with it.
 
 
 Heath Barnhart, CCNA
 
 ITS Network Administrator
 
 Washburn University
 
 Topeka, KS
 
 
 On 02/06/2013 02:25 PM, Ashfield, Matt (NBCC) wrote:
 
 Hello
 
 
 We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end.
 What we'd like to do is authenticate the device (make sure it is a
 domain PC) as well as the user (make sure they are a domain user).
 From what I can tell, it seems like we can do 1 or the other, but not
both. It may be possible with a different Radius server from what I've
read (Cisco ACS seems to have a wizard for this), but I'm wondering if
anyone is doing this today using MSoft's radius server?
 
  
 
 Any info you can provide is appreciated.
 
  
 
 Thanks
 
  
 
  
 
 Matt
 
  
 


Re: [WIRELESS-LAN] Problems in the Dorms

2011-10-22 Thread Foerst, Daniel P.
Hi Shayne,

That sounds like quite the pickle you are in and I'm sorry I don't have much of 
a technical resolution.

However let me ask this:

You do not have a policy disallowing them bringing their own devices, but do 
you have a policy disallowing anyone using your network from connecting 
equipment that will interfere with the University network?
If so, you have the ability to invoke the clause by completely disconnecting 
(if it needs to go that far) the residential space and mandate that all 
equipment be shut down, after which you can bring one building up at a time 
and search for rogue devices, note their MAC addresses and disallow those 
devices to the network. Then, perhaps through NAC, allow each student only one 
device on the network until the situation is better resolved.

Second question: Have you tried going back a code version or more to see if the 
issue resolves?

Obviously you will want to rewrite your policies after the trouble is resolved 
and I know what I suggest is difficult to do, but if you are essentially 
offering little to no service, then my draconian steps are not much worse to 
help resolve the situation. Sadly you sometimes need to amputate if normal 
methods of treatment are not bringing results, but only if it is absolutely 
necessary.

-dan



From: Ghere, Shayne sgh...@bumail.bradley.edu
Reply-To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Sat, 22 Oct 2011 17:52:40 -0500
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Problems in the Dorms

Hello,

We currently provide wireless for all our Dorms using Cisco 1142N AP’s, 1 WCS 
and 3 WLC5508’s.  We have roughly 375 AP’s in the dorms but more than 450 rogue 
AP’s that the students brought with them.   Since we have no policy to disallow 
them bringing their own devices, we now have a mess.

What we’re seeing are the AP’s either completely rebooting, radios shutting 
down then coming back up, or if the students are able to connect they get 
dropped after a few minutes.

On the Academic side of the University we don’t see this problem, however all 
the AP’s are disassociating with the controllers every hour, then reassociating 
again.

The WLC’s are running 7.0.116.0 and the WCS is running 7.0.172.0.   It appears 
that since upgrading the controllers to 7.0.116.0 the problems started with the 
disassociating/reassociating with no explanation.

We are using WS-C2960S-PoE switches fibered to the core (6509) and have spent 
almost 28 hours on the phone with Cisco TAC looking at logs/packet captures and 
configuration review.   Nothing is misconfigured and the packet captures show 
the following from one of the AP’s:

Oct 19 20:55:54.918: %CAPWAP-3-EVENTLOG: Retransmission Count= 3 Max 
Re-Transmission Value=3

*Oct 19 20:55:54.918: %CAPWAP-3-EVENTLOG: Max retransmission count exceeded 
going back to DISCOVER mode.
*Oct 19 20:55:54.918: %CAPWAP-3-EVENTLOG: The function which Posted the message 
to send out of the box is wtpSendEchoReques and of Type=1

*Oct 19 20:55:54.918: %CAPWAP-3-EVENTLOG: Retransmission count for packet 
exceeded max(CAPWAP_ECHO_REQUEST., 1)
*Oct 19 20:55:54.918: %CAPWAP-3-EVENTLOG: GOING BACK TO DISCOVER MODE
*Oct 19 20:55:54.962: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 
136.176.x.x:5246
*Oct 19 20:55:54.962: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Teardown.
*Oct 19 20:55:54.963: %CAPWAP-3-EVENTLOG: DTLS session cleanup completed. 
Restarting capwap state machine.
*Oct 19 20:55:55.006: %WIDS-5-DISABLED: IDS Signature is removed and disabled.
*Oct 19 20:55:55.008: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 19 20:55:55.008: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 19 20:55:55.063: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to 
administratively down
*Oct 19 20:55:55.063: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to 
administratively down
*Oct 19 20:55:55.065: %CAPWAP-3-EVENTLOG: CAPWAP state not up.  Abort sending 
channel and power levels info.136:176:x.x

*Oct 19 20:55:55.074: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to 
reset
*Oct 19 20:55:55.075: %CAPWAP-3-EVENTLOG: CAPWAP state not up.  Abort sending 
channel and power levels info.136:176:x.x


We’re completely at a loss since none of the switch ports, trunk ports or the 
WLC’s are showing dropped packets.

Has anyone run into this problem and found a work around?

I would greatly appreciate any help in this matter!

Thanks
Shayne

-
Bradley University
T. Shayne Ghere, CCNA
Network Engineer
1501 W. Bradley Ave.
Morgan Hall, Suite 205
Peoria, IL  61625
sgh...@bradley.edumailto:sgh...@bradley.edu
(309) 677-3094  ofc.
(309) 677-3460 fax

Class 2011 FBI CA Graduate
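
The sequence in the AP log quoted above (echo-request retransmissions exhausted, DTLS close-notify, return to DISCOVERY, radios taken down) can be pulled out of a longer console capture and checked for the hourly pattern described. This is an added example, not part of the original post and not Cisco tooling; the sample log is constructed in the same format, and the function names, the 5-second grouping window and the 30-second tolerance are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample in the format of the AP console log quoted above
# (unwrapped, one message per line). 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
*Oct 19 19:55:54.918: %CAPWAP-3-EVENTLOG: Max retransmission count exceeded going back to DISCOVER mode.
*Oct 19 19:55:54.962: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.0.2.10:5246
*Oct 19 19:55:55.008: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 19 19:55:55.008: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 19 19:55:55.063: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Oct 19 19:55:55.063: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
console noise that is not a syslog line
*Oct 19 20:55:54.918: %CAPWAP-3-EVENTLOG: Max retransmission count exceeded going back to DISCOVER mode.
*Oct 19 20:55:55.008: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 19 20:55:55.063: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Oct 19 21:55:56.102: %CAPWAP-3-EVENTLOG: Max retransmission count exceeded going back to DISCOVER mode.
*Oct 19 21:55:56.190: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<fac>[A-Z0-9_]+)-\d-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)
RADIO_RE = re.compile(r"Interface (\S+), changed state to administratively down")


@dataclass
class Drop:
    """One loss of the AP-to-controller CAPWAP session."""
    when: datetime
    cause: str = "unknown"
    dtls_alert_sent: bool = False
    radios_down: set = field(default_factory=set)


def parse_line(line, year):
    """Return (timestamp, facility, mnemonic, message) or None.

    The log carries no year, so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    return ts, m["fac"], m["mnem"], m["msg"]


def find_drops(lines, year, window=timedelta(seconds=5)):
    """Group chronologically ordered log lines into CAPWAP drop episodes."""
    drops = []
    for event in (parse_line(line, year) for line in lines):
        if event is None:
            continue
        ts, fac, mnem, msg = event
        # Lines within `window` of the episode start belong to that episode.
        cur = drops[-1] if drops and ts - drops[-1].when <= window else None
        if fac == "CAPWAP" and "Max retransmission count exceeded" in msg:
            if cur is None:
                cur = Drop(when=ts)
                drops.append(cur)
            cur.cause = "echo-timeout"  # keepalives to the controller went unanswered
        elif fac == "CAPWAP" and "changed state to DISCOVERY" in msg:
            if cur is None:  # the AP left the joined state for some other reason
                drops.append(Drop(when=ts))
        elif cur is not None:
            if fac == "DTLS" and mnem == "SEND_ALERT":
                cur.dtls_alert_sent = True
            elif fac == "LINK":
                radio = RADIO_RE.match(msg)
                if radio:
                    cur.radios_down.add(radio.group(1))
    return drops


def drop_intervals(drops):
    """Seconds between consecutive drops."""
    return [(b.when - a.when).total_seconds() for a, b in zip(drops, drops[1:])]


def looks_periodic(drops, tolerance=30.0):
    """True when at least three drops are evenly spaced within `tolerance` seconds."""
    gaps = drop_intervals(drops)
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance


if __name__ == "__main__":
    found = find_drops(SAMPLE_LOG.splitlines(), 2011)
    for d in found:
        print(d.when, d.cause, sorted(d.radios_down))
    print("intervals:", drop_intervals(found), "periodic:", looks_periodic(found))
```

Evenly spaced drops across many APs suggest a timer or scheduled event rather than RF interference, which would produce irregular gaps.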


RE: Cisco wireless web authentication portal

2011-08-26 Thread Foerst, Daniel P.
We piloted it last academic year in one building on campus and have since 
expanded coverage to all areas on campus. I do not have numbers for the total 
number of concurrent users, but I know that it is certainly not above 100 
users. We operated it on two WISM modules using 7.0.98.0 code all last year and 
just upgraded to 7.0.116.0 code across all our controllers (10) campus wide.

The only issue I have consistently griped about, yet I have not spent much time 
at all to resolve, has been that if your browser has a default website (home 
page) defined, it does not open and certainly does not redirect to the Cisco 
Controller Web authentication page. One must manually enter a new website for 
the captive authentication to redirect/take effect.

-dan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian D.
Sent: Monday, August 22, 2011 9:36 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco wireless web authentication portal

We use it for ~2000 users and it has worked well.  We use a 24 hour timeout as 
well.  Running version 6.0.202 code on our version one WISM.


Fyi,
Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: Monday, August 22, 2011 9:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Cisco wireless web authentication portal

We are using it on our 5508, but in a much smaller installation (1 controller, 
50 AP's, ~150 users peak.)  I've complained about problems with it in the past, 
but since we went to 7.0.116.0 it's done very well for us.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joe Roth
Sent: Monday, August 22, 2011 9:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco wireless web authentication portal

Has anyone on the list used the built in web authentication in the Cisco WLAN 
infrastructure? At peak time we see 5000+ authenticated MAC addresses across 12 
wireless controllers (6 WiSM blades).

We were thinking of implementing the web authentication using LDAP as a backup 
in the event that our NAC system fails. We would maybe do something like a 24 
hour time-out. The idea is just to make sure that only campus affiliated users 
were connecting to our SSID.

Thanks,

--Joe

--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009



RE: [WIRELESS-LAN] off-topic: does anyone do voip ?

2011-04-06 Thread Foerst, Daniel P.
Bruce, I too would like to attend if you do a WebEx.

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kay Sandacz
Sent: Wednesday, April 06, 2011 3:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] off-topic: does anyone do voip ?

I'd also like to attend such a Webex.

Thanks
-kay-



On Apr 6, 2011, at 12:18 PM, John Kaftan jkaf...@utica.edu wrote:
Bruce:  If your engineer does a Webex I’m in.


John Kaftan
Infrastructure Manager
Utica College
315.792.3102

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trevor Wallis
Sent: Wednesday, April 06, 2011 9:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] off-topic: does anyone do voip ?

We deployed Cisco VoIP (Cisco Unified Communications Manager and Unity 
Voicemail) two years ago and are very satisfied with the results.  It sounds 
like Bruce from Liberty (see below) uses a broader range of products than we 
do, so his offer of a WebEx for interested parties is great… Thanks, Bruce.  
I’m also available for off-list contact if anyone has further questions.

Regards,

Trevor
Trevor A. Wallis
Vice President of Campus Technology
Chief Information Officer
Southern Seminary
2825 Lexington Road
Louisville, KY 40280
Phone: 502.897.4193
Fax: 502.897.4125
twal...@sbts.edu

Don't be a phishing victim – Southern Seminary and other reputable 
organizations will never use email to ask for your password, social security 
number or confidential personal information.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
Sent: Wednesday, April 06, 2011 7:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] off-topic: does anyone do voip ?

At Liberty University, we completed our Cisco VoIP deployment a few years ago. 
We have call centers, WebEx, and integration with Microsoft Outlook and IP 
Communicator (instant messaging).

One of our VoIP engineers would be happy to do a WebEx session to discuss some 
of the challenges and opportunities.

Please email me off list and I will pass your information to one of our VoIP 
engineers.

Bruce Osborne
Wireless Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011


From: Matt Ashfield [m...@unb.ca]
Sent: Tuesday, April 05, 2011 12:55 PM
Subject: off-topic: does anyone do voip ?
Hi

We’re looking into doing VOIP on our campus, and are trying to gather some 
information. Given this list is a Higher Ed list, I thought I’d try here. I am 
wondering if anyone on this list has already implemented VOIP on their campus 
and are willing to talk briefly off-line from this list about it.   If so, 
please let me know.

Thanks!

Matt Ashfield
Network Analyst
ITS - Communications and Network Services
University of New Brunswick
m...@unb.ca



RE: [WIRELESS-LAN] Cisco WISM and Dorm wireless

2011-03-28 Thread Foerst, Daniel P.
Hi Randy,

We finished our wireless deployment into the residential space this past 
summer. We deployed a Cisco WiSM solution in our residential router and 
manually divided up the APs to specific controllers with appropriate failovers. 
We haven’t seen much trouble with our solution, but I am certain there is a 
dead spot here or there.

Before deployment we had a site survey done of the buildings that would be 
covered to determine the best AP location and for coverage. We were 100% 
determined to have APs installed in the hall space above ceiling tiles and 
connected to external antennas. This solution has worked well as we have yet to 
see an AP/Antenna disturbed and due to the coloring of the antennas (white/off 
white) it is quite difficult to actually see where the antenna is unless you 
are practically standing below it.

We have ~285 access points throughout our residential space split between two 
WiSM modules. When we began deployment we were installing Cisco 1131 and 1242 
access points. We used the 1131s very sparingly, but the 1242 are our main AP 
deployment; these APs also utilize the Cisco AIR-ANT5959 antenna. In the last 
two buildings we moved up to the Cisco 1142 APs and these are ceiling mounted 
in the center of a hard ceiling. At the time Cisco did not offer an external 
antenna option as we would have preferred, but the students have left the APs 
alone. I think they are more than aware that if they were to tinker with an AP 
they are essentially hurting themselves. Another thing with the 1142 has been 
no need to change our PoE switches as the 1142 uses the same amount of power as 
the 1131s and 1242s which was a major win for us as we hate power injectors and 
stay away from them if we can.

As for density, we planned to more or less light the building. Our APs are 
installed so that if one AP were to go down there would be little to no 
noticeable change. Management can be performed using the controller purchasing 
the Cisco Wireless Control System. I find that this is really only good for 
identifying AP locations on a map should an AP go down or for making mass 
changes for AP configurations. There are other features, but I have never had 
enough time to play with the system. The built in site survey tool is a neat 
idea, but I do not believe it is robust enough and I continue to rely on 
AirMagnet or a commissioned site survey. Many times the latter choice.

Anyhow, I hope this helps!

-dan

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Randy Ethridge
Sent: Monday, March 28, 2011 3:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WISM and Dorm wireless


We are adding wireless to our dorm space and I would like to know how other 
schools are running their wireless infrastructure in the dorms. Our dorms are 
the typical cinder block rooms stacked on top of each other. We are a Cisco shop 
and will be using the WISM and lightweight APs.

Are you running your system manually or is the controller doing a good job?

How dense is your AP deployment and what is the location of the AP (in the 
rooms or in the hallways)?

What feedback do you get from the users (good or bad)?



Thanks.


Randy Ethridge
Network Engineer V
Information Services
Eastern Illinois University
rlethri...@eiu.edu

Proud to say I am EIU

EIU THINKS GREEN: Before printing this e-mail think if it is necessary



RE: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

2008-11-18 Thread Foerst, Daniel P.
Hi Toivo,

A couple of years ago we too were setting this up and actually ended up
with the Verisign Wireless LAN Server Certificate. I didn't see any
particular difference between this and a web certificate, but perhaps I
don't know what to look for. What I did encounter was that the CA
VeriSign used to sign the cert changed / was no longer valid and their
response / the only work around at the time was to configure clients to
not validate the certificate. I am uncertain if this was ever resolved,
but we abandoned this method of secure communications as the demand for
accessing network resources was determined to be non-existent and
instructing use of the wired network to those users that wanted network
resource access.

What is to come in the future who knows, but we are planning that this
may become necessary again.

Sorry I don't have any advice on the documentation.  


Daniel Foerst
Manager, Networks & Security
The Catholic University of America
Washington, DC 20064

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Toivo Voll
Sent: Tuesday, November 18, 2008 2:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

Until now we've been using our regular web / SSL certificate for WPA /
PEAP/MSCHAP purposes, and predictably have run into the usability issues
with certificate trust prompts on the client end. (We use Cisco LWAPP /
Freeradius). It appears VeriSign has a specific Wireless LAN Server
Certificate, and apparently there is work done in IETF regarding WLAN
specific extensions in certificates.

After a fair bit of googling I've been unable to find out just what the
difference between a vanilla SSL certificate and a Wireless LAN Server
Certificate is. Presumably the WLAN certificates won't prompt for the
certificate trust, but what other difference, if any, is there? Are
there providers other than VeriSign for these certificates?
(Thawte, for example, seems to refer back to VeriSign for such certs.)

Here's the uninformative product page:
http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/wireless-lan-security/

Any advice or links to documentation on the matter would be greatly
appreciated.

--
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida



RE: [WIRELESS-LAN] Cisco Wireless Controller

2008-10-08 Thread Foerst, Daniel P.
Hi Mike,
 
We run 4.2.130 on our WISM blades.
Our 4404 stand alone controllers are running 4.2.60 where we have at
least one WLAN using WPA2-PSK AES and TKIP without any issues.
Other WLANs are Open and no issues are experienced there.
Our APs are 1010s (very few), 1242s and 1131s.

Daniel Foerst
Manager, Networks & Security
The Catholic University of America
Washington, DC 20064 

 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Manoj
Abeysekera
Sent: Wednesday, October 08, 2008 2:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Wireless Controller



Mike, 

We run 4.2.130. I was told by Cisco Engineer to downgrade to this
version as we had a nightmare with 5.x. However we still get Clients
disconnected at random intervals (Radio seems to reset somehow forcing
clients to roam to nearby LAP's). Cisco has no clue and I wonder why not
many people have called them yet. 

WLC's 4404 
AP's 1230 
Open Network 

Let me know if you find a cure.. 
Good Luck! 

Manoj 
American U. 





From: Mike King [EMAIL PROTECTED]
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: 10/08/2008 02:44 PM
Please respond to: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Wireless Controller






So Cisco LWAPP people, 

Currently we're on 4.1.185.0. It's a 4402
controller, with 1131AG access points. 

Anyone made the leap to one of the 4.2, 5.0, or 5.1 trains without
seriously regretting it? 

We've had some random disconnects with clients.  It's pretty common,
happening to most all users.  We're running WPA-PSK, so it's not an
802.1x issue.  Before we involve TAC, we figured we should upgrade to a
new code train. 

Mike 