Re: [WIRELESS-LAN] eduroam testing
Jerry,

Chad (from eduroam-US) must have asked you for a test account from your institution. We use those accounts to test the connectivity of your institution AND also monitor the service against your RADIUS server. I'll ask him to contact you... this is part of our standard procedure to enable the service with an institution.

Philippe Hanset
www.eduroam.us

On Jul 2, 2014, at 9:52 AM, Jerry Bucklaew j...@buffalo.edu wrote:

On 07/02/2014 09:47 AM, Matt Williams wrote: The folks over at eduroam-us set us up with a test account. Perhaps they can do the same for you?

Yes, we have a test account, but that tests our SSID proxy to them, not our users at another campus proxying authentication to us. I had them test to a test account we had, but that does not test end to end; it still only tests from the middle RADIUS server to a static account on our RADIUS server. I want to make sure the end to end works, as we have had issues with this server and the AD lookups in the past. Also I have this server doing other things, so I have special configs that I hope will not interfere with the authentication.

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stadium WiFi
May I ask you all some numbers... How many seats/AP did you plan for your NCAA stadium?

Philippe

Philippe Hanset
www.eduroam.us

On May 8, 2014, at 8:20 AM, Lee H Badman lhbad...@syr.edu wrote:

Mike makes great points. Having done our own domed stadium, I would also add: be realistic in your expectations at the university level. You'll never pull off NFL-grade WiFi without an NFL-grade budget, and the paradigm goes far beyond just WLAN design. The fan experience usually requires additional/dedicated staff, a team on site at every game (including nights and weekends), and only really becomes worth the effort if it generates big $$. Or, you could get decent Wi-Fi in the venue (still challenging) but not go all-in on apps and revenue generation, which makes things considerably simpler. But whatever you do, take a serious look at your internal partners: what does your Athletics department actually want? Are their ideas realistic (again, few of us have the deep pockets pro teams have), or is IT driving the notion while Athletics nods along because it seems interesting? If ever there was a place where the proverbial CAPEX + OPEX = TCO thing came into play, it's in stadium wireless. Knowing what comes after the installation and who/how it's funded, staffed, and operated needs to be factored in early.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of Mike Albano mike.alb...@unlv.edu
Sent: Wednesday, May 7, 2014 8:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Stadium WiFi

I've been looking at Stadium WiFi as well. There's a lot of moving parts to it. More than just good WiFi (apps, digital signage, kiosks etc.)... you need to identify what you're trying to accomplish, and go from there. For us, the stadium is used year-round, and hosts many events in addition to our campus events. It is a multi-purpose facility, so is dynamic in nature. If you're looking to enhance the fan experience, a DAS-only solution won't get you all the bells and whistles. The hotness/all the rage is surrounding location-based services (what's the closest bathroom, concession sales without leaving your seat, seat upsales, shortest bathroom line, etc.). You'll want/need an 'app' if you want to really engage the fans. The most successful stadiums (NFL, NBA etc.) seem to have both... a good DAS and an 802.11 WiFi system in place. You can find statistics online for 802.11 uptake at Super Bowls and major events. Not surprisingly, it's growing. You can also find articles referencing student attendance going down at campuses. Speculation is that lack of a connection (wifi or other), being 'disconnected', is driving them away. I'll refrain from vendor wars and who's better. I can comment off-list on specific parts of systems that I prefer in one over another, but as with most things, there is no clear winner.

Some links:
http://www.techrepublic.com/article/how-sports-teams-are-scrambling-to-keep-millennials-coming-to-games/#.
http://www.rcrwireless.com/article/20140205/networks/extreme-networks-boosted-by-enterasys-acquisition/ (stats by Extreme, WiFi by Cisco)
http://wlanbook.com/stadium-wifi-list/
http://wirednot.wordpress.com/2014/01/22/whats-the-big-deal-with-stadium-wi-fi-let-me-spell-it-out-for-you/
http://online.wsj.com/news/articles/SB10001424052702303369904579423792725267978 (hey, look who won worst!)
http://vimeo.com/89430966 (Chuck Lukaszewski talking Ultra-HD WiFi)

Mike Albano

On Wed, May 7, 2014 at 12:23 PM, Ball, Erik b...@xavier.edu wrote:

It's been about a year since Stadium WiFi has come up on this list, so I wanted to see if there has been any movement towards a large-scale stadium WiFi deployment by anyone? We looked into this a little less than a year ago, and it would be quite pricey given that it would really only be utilized one season of the year. However, the topic is coming up again (as part of envisioning the perfect fan experience), and it would be nice to see where other people stood on this. If so, can you share where you are at in the process, and the vendor that you selected? However, it sounds like working through cellular/DAS arrangements has been more popular/widespread than bothering with stadium WiFi. If you chose DAS, without bothering with 802.11 coverage, did that satisfy people?

Thanks,
Erik
Re: [WIRELESS-LAN] Stadium WiFi
Oops, never mind... This link has some good info about seats/AP: http://wlanbook.com/stadium-wifi-list/

Thanks to Mike Albano for providing this!
Re: [WIRELESS-LAN] Cisco Prime Infrastructure 2.1 available
I would go to Curaçao myself ;-) and Bonaire has great diving! (hint: ABC... Dutch Caribbean... though only Bonaire is a municipality of the Netherlands)

Philippe Hanset
www.eduroam.us

On Apr 25, 2014, at 9:02 AM, Osborne, Bruce W (Network Services) bosbo...@liberty.edu wrote:

tl;dr It means that it's time to move to Aruba :D

Bruce Osborne
Network Engineer - Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-----Original Message-----
From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Thursday, April 24, 2014 8:26 AM
Subject: Re: Cisco Prime Infrastructure 2.1 available

I'm a literate man, and for the life of me I can't make sense of: "Prime Infrastructure 2.1 does not support any features that are introduced in Cisco WLC Releases 7.5.102.0 and 7.6.100.0 except the new access point platforms and the new mobility feature."

-Lee Badman

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Francisco J. Medina Jimenez
Sent: Thursday, April 24, 2014 7:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Prime Infrastructure 2.1 available

Hi,

1) Features supported: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/release/notes/cpi_rn.html#pgfId-76626

Prime Infrastructure 2.1 enables you to manage Cisco WLC Releases 7.5.102.0 and 7.6.100.0 with the features of Cisco WLC 7.4.121.0 and earlier releases. Prime Infrastructure 2.1 does not support any features that are introduced in Cisco WLC Releases 7.5.102.0 and 7.6.100.0 except the new access point platforms and the new mobility feature.

Prime Infrastructure 2.1 supports the following access points: 3700I/E, 3700P, Cisco AP3600 with 802.11ac, 702I, 1530I/E, 3600P

2) Upgrade path: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/quickstart/guide/cpi_qsg.html#pgfId-56675

You can upgrade the following Cisco Prime Infrastructure (and predecessor) products to Cisco Prime Infrastructure 2.1: Cisco Prime Infrastructure 2.0.0.0.294, Cisco Prime Infrastructure 1.3.0.20. There is no upgrade path from version 1.4.x to version 2.1 at present.

Regards.
Fran.
--
Francisco J. Medina Jiménez
Universidad de Granada
Centro de Informática y Redes de Comunicaciones
Campus Fuentenueva. Edificio Mecenas
18071 - Granada - Spain
802.1X and Heartbleed...
All,

We have been informing eduroam-connected schools in the US that were vulnerable to Heartbleed (about 10 schools were vulnerable out of 180 connected to eduroam-US, less than 5%). The eduroam federation did testing for all eduroam-connected campuses to evaluate the level of vulnerability, and we have informed each RADIUS administrator independently.

This said, ANY campus that operates an 802.1X network and uses a RADIUS server using OpenSSL could potentially be at risk, since an attacker can access the RADIUS server via the local WPA/WPA2-Enterprise network. It does require the attacker to be physically on campus and join the SSID, but the risk still exists!

Please analyze your systems for the vulnerability (look into the version of OpenSSL that you are running) and take the appropriate measures.

Here are a few links about Heartbleed and RADIUS:
http://freeradius.org/security.html
http://www.open.com.au/pipermail/radiator-announce/2014-April/24.html
https://confluence.terena.org/display/H2eduroam/heartbleed-note

Thank you,
Philippe

Philippe Hanset
www.eduroam.us
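An added example, not part of Philippe's message or of any eduroam or FreeRADIUS tooling: a first-pass Python check of the OpenSSL that the RADIUS server actually links. Philippe's point holds because the TLS handshake of EAP-TLS/PEAP/TTLS is tunnelled inside EAP: the AP or controller only relays it and the RADIUS server terminates it, so that host's libssl is the one to check, whatever the NAS runs. The radiusd path, the sample `ldd` and `openssl version` output and every version string below are constructed for illustration; the build-date test for distribution backports is a heuristic, labelled as such in the code.

```python
"""Added example (not from the thread): first-pass Heartbleed (CVE-2014-0160)
exposure check for the RADIUS server behind an 802.1X network.

The TLS handshake of EAP-TLS/PEAP/TTLS is tunnelled inside EAP; the NAS only
relays it and the RADIUS server terminates it, so the libssl that radiusd
links is the one that matters. All sample inputs here are constructed.
"""
import re
import subprocess
from datetime import date

# Upstream advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected.
# 1.0.1g / 1.0.2-beta2 fixed it; 0.9.8 and 1.0.0 never had the heartbeat code.
FIX_RELEASE_DATE = date(2014, 4, 7)
# Assumed path; packages also install the daemon as /usr/sbin/freeradius.
RADIUSD_PATH = "/usr/sbin/radiusd"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([0-9A-Za-z.]+))?$")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> '1.0.1e'; None if not an OpenSSL banner."""
    m = re.match(r"^OpenSSL\s+(\S+)", banner.strip())
    return m.group(1) if m else None


def heartbleed_affected(version):
    """True when the upstream version string falls in the affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, patch, letter, pre = m.groups()
    triple = (int(major), int(minor), int(patch))
    if triple == (1, 0, 1):
        # 1.0.1 (and its betas) plus 1.0.1a..1.0.1f; 1.0.1g is the fix.
        return letter == "" or (len(letter) == 1 and letter <= "f")
    if triple == (1, 0, 2):
        return pre == "beta1"
    return False


def parse_build_date(build_line):
    """'built on: Mon Apr  7 20:33:29 UTC 2014' -> date(2014, 4, 7).

    None for anything else, e.g. 'built on: reproducible build, date unspecified'.
    """
    text = build_line.split(":", 1)[1] if ":" in build_line else build_line
    toks = text.split()
    try:
        return date(int(toks[-1]), _MONTHS[toks[1]], int(toks[2]))
    except (IndexError, KeyError, ValueError):
        return None


def libssl_from_ldd(ldd_output):
    """Path of the libssl a binary resolves to, or None when ldd lists none
    (statically linked builds, common on appliances, need a different check)."""
    for line in ldd_output.splitlines():
        m = re.search(r"libssl\S*\s*=>\s*(/\S+)", line)
        if m:
            return m.group(1)
    return None


def assess(version_banner, build_banner=None):
    """'not-affected', 'affected', 'check-backport' or 'unknown'.

    Heuristic: distributions shipped the fix without bumping the upstream
    version (Debian's 1.0.1e-2+deb7u5 still reports 1.0.1e), so an affected
    version built on or after the fix date is flagged for a changelog check
    rather than declared vulnerable. Only the package changelog or a live
    test settles it.
    """
    version = parse_openssl_version(version_banner)
    if version is None:
        return "unknown"
    if not heartbleed_affected(version):
        return "not-affected"
    built = parse_build_date(build_banner) if build_banner else None
    if built is not None and built >= FIX_RELEASE_DATE:
        return "check-backport"
    return "affected"


# Constructed sample output in the shape `ldd /usr/sbin/radiusd` prints.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 =>  (0x00007fff3b1fe000)\n"
    "\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2a1c3a0000)\n"
    "\tlibcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2a1bfc0000)\n"
)


def _run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


if __name__ == "__main__":
    # Stand-alone use on the RADIUS host itself.
    ver = _run(["openssl", "version"])
    print("openssl:", ver.strip() or "(not found)", "->",
          assess(ver, _run(["openssl", "version", "-b"])))
    print("radiusd libssl:", libssl_from_ldd(_run(["ldd", RADIUSD_PATH]))
          or "none listed (static build or binary not found)")
```

The `openssl` command reports the library it was itself built against, which is not necessarily the one radiusd loads, hence the `ldd` step: if the two paths differ, assess the file radiusd resolves to. A "check-backport" result means the upstream version string alone cannot tell you anything; read the package changelog or test the server live.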
Re: [WIRELESS-LAN] 802.1X and Heartbleed...
Bad math... 10 out of 180 is more than 5%! Sorry!
Re: [WIRELESS-LAN] 802.1X and Heartbleed...
Jason,

Since the RADIUS server terminates the EAP session, it will be vulnerable to the attack.

Philippe

On Apr 15, 2014, at 3:16 PM, Jason Watts jwa...@pratt.edu wrote:

I'm not sure it's common that clients speak directly to a RADIUS server. Usually there is a NAS in between, whether it be a VPN concentrator, switch, wireless controller/AP, etc. If your clients reside on subnets that have no visibility to the RADIUS server and NAS management subnets, then you'd only need to check your NAS devices for OpenSSL-related vulnerabilities, no?

--
Jason Watts
Pratt Institute, Academic Computing
Senior Network Administrator
p. 718-399-4219 f. 718-399-3416
Re: [WIRELESS-LAN] Aruba RAPs
Great for branch offices where you want your control traffic to be sent to the campus controllers but the user traffic to stay on the local network/broadband (especially important if people need to access a lot of digital resources local to the branch office). We used them for Agricultural Extensions.

We figured a cost per AP on a controller (includes cost of controller + licenses + Airwave + 5 years of support) + cost of the AP itself. Then we either have a local IT person or we use a remote contractor (but we also make sure to have someone that can reboot stuff locally... known remote hands... get a few phone numbers and reference them!!!). In the old days, I always made sure to have a FAX number... that way when we had an AP going down I would call the FAX machine to see if it was a power outage! But FAX machines are disappearing, so always have a few local numbers of people that can be called (and reference them in your on-call documentation).

Philippe

Philippe Hanset
www.eduroam.us

On Mar 28, 2014, at 10:57 AM, Turner, Ryan H rhtur...@email.unc.edu wrote:

Can those of you that use Remote Access Points give me the common use cases that you are seeing them used for, how you are charging for them, and the support issues you generally receive from them? We are considering starting to do some RAP deployment here, and I'm wondering how much of a can of worms I am opening. Thanks!

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150
Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile
Re: [WIRELESS-LAN] Question about the connection of iphone users (eduroam)
No problem Danny. I'm just breathing again ;-)

On Mar 10, 2014, at 2:43 PM, Danny Eaton dannyea...@rice.edu wrote:

You are correct, my apologies. @rice.edu goes to 'staff' or 'student', @*.* goes to visitor.

That setup is similar to what we're doing - if any of our @rice.edu users join eduroam, we then assign them to either the 'staff/faculty' or 'student' role/VLAN group, which maps to a specific MPLS/VPN. If someone from @*.edu joins, they get assigned to our 'visitor' role/VLAN group, which also maps to our visitor MPLS/VPN.

Danny,
@rice.edu gets assigned to specific VLANs
@*.edu gets assigned to visitor VLANs
What about @other-RE-domains (.ac.it, .nih.gov, nyser.net, ...)? Are you really selecting on @*.edu, or are you passing all others to the visitor VLAN?
Thanks,
Philippe
www.eduroam.us

We've been considering this problem as part of our eduroam deployment (we're still in the configuring and testing stage, no services offered yet), and we decided one of our goals would be that instead of trying to force students to pick the right one, we would instead configure the network side so that our users didn't have to care. Remember that the identity provided for eduroam has the university name as the realm. Our plan is to take any users that identify with our realm of wpi.edu to the eduroam SSID, and send back a RADIUS attribute that drops them on the same VLAN as our primary university SSID. (In our case we're also keying off of the client MAC address and correlating with our IPAM registration database, but that's an optional extra step.) That way any of our users can connect to either the university SSID or eduroam and get exactly the same connectivity, while any external eduroam guests get dropped onto our guest VLAN. Simple, clean, and completely transparent to our users.

Frank Sweetser fs at wpi.edu
Manager of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - HL Mencken

On 03/10/2014 11:51 AM, Linchuan Yang wrote:

Dear All,

Good morning. We noticed that most of our iPhone clients connect to the eduroam SSID automatically when they step onto the campus (not our normal SSID for students, faculty, and staff). And the encryption and security settings are the same between these two SSIDs. These clients have to manually change the wireless configuration on the iPhones, and then they can connect to our normal SSID. We are using Cisco WLCs, and other devices (e.g. laptops, Android, etc.) do not have this problem. Do you have a similar issue with your wireless network? Are there any connection strategies for iPhones? Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration, IITS-Concordia University
Tel: (514) 848-2424 ext. 7664
Re: [WIRELESS-LAN] Question about the connection of iphone users (eduroam)
Linchuan, Patrick,

If you use the solution from Frank Sweetser or Danny Eaton, you really don't care which SSID your own users latch onto on your campus. Regardless of the SSID, make sure that your own users are being assigned to the same VLANs that they would have been assigned had they joined the regular secure SSID from your University.

When we talk to institutions about eduroam we tell them that there is really no need to create additional subnets if there is already a secure network and a visitor network on campus (unless some specific designs require so). You can assign users with @local-school to the secure subnets/VLANs and assign users with @everything-else to your visitor subnets/VLANs. And if you have a privileged relationship with another neighboring campus, you can also assign the secure VLANs to the REALM of that campus (@theneighboringcampuswithwhomwehaveaprivilegedrelation). This method tends to make it easy on firewall rules and subnet/VLAN creation. You have to mess around with your Wi-Fi management system (e.g. controller etc.) and your RADIUS though!

This said... always make sure that you require the eduroam SSID to force the usage of the REALM (a condition that you can enforce in RADIUS), regardless of whether the user is local or not! (We forgot to do that initially at UTK, and we ended up with travelers not having a great eduroam experience.)

Philippe

Philippe Hanset
www.eduroam.us

On Mar 10, 2014, at 12:00 PM, Knee, Patrick pk...@mun.ca wrote:

We have the same issue, because our "main" SSID comes after eduroam (alphabetically, our main SSID begins with an "f"). From what we found, anyone that has both eduroam and the "main" SSID configured on an iPhone or iPad will latch to eduroam, and requires manual interaction to switch. From my understanding, the best way to "correct" the issue is to rename the SSID so that it comes before eduroam. There may be other methods, but from what I recall, none are 100% certain of working.

Patrick Knee
Network Administrator
Computing & Communications
Memorial University
www.mun.ca/cc
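An added example, not part of the thread or of any of the named products: the realm-to-VLAN policy Philippe describes, written out as plain Python so that each decision is explicit. In production the same logic lives in the RADIUS server's policy language (FreeRADIUS unlang, Radiator hooks, ...) and the result reaches the controller as the RFC 3580 dynamic-VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id). It encodes the two cautions from the thread: eduroam must carry user@realm even for local users, and "everything else" (not just @*.edu) goes to the visitor VLAN. The realm names, VLAN IDs and SSID names are assumptions, as is the choice to reject a foreign realm on the non-roaming campus SSID.

```python
"""Added example (not from the thread): the realm-to-VLAN policy for an eduroam
SSID, as plain Python. In production this lives in the RADIUS policy language
(FreeRADIUS unlang, Radiator hooks, ...) and the decision reaches the controller
as the RFC 3580 dynamic-VLAN attributes. Realms, VLAN IDs and SSID names are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# RFC 2868 / RFC 3580 values controllers expect for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# A realm must look like a DNS name with at least two labels.
_REALM_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def split_nai(user_name):
    """'user@Realm' -> ('user', 'realm'); ('user', None) when no '@' is present.

    The realm is taken after the last '@' (RFC 7542 NAI) and lower-cased,
    because supplicants send whatever case the user typed.
    """
    name = user_name.strip()
    if "@" not in name:
        return name, None
    user, _, realm = name.rpartition("@")
    return user, realm.lower()


def valid_realm(realm):
    return bool(realm) and _REALM_RE.match(realm) is not None


def accept(vlan):
    """Access-Accept carrying the VLAN the controller should place the user in."""
    return {
        "result": "Access-Accept",
        "vlan": vlan,
        "reply": {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-Id": str(vlan),
        },
    }


def reject(reason):
    return {"result": "Access-Reject", "reason": reason}


@dataclass
class RealmPolicy:
    local_realms: frozenset       # realms we are the home IdP for; subdomains count
    privileged_realms: frozenset  # neighbouring campuses that also get the secure VLAN
    secure_vlan: int              # the VLAN the campus SSID assigns to our own users
    visitor_vlan: int
    eduroam_ssid: str = "eduroam"

    def is_local(self, realm):
        return any(realm == r or realm.endswith("." + r) for r in self.local_realms)

    def authorize(self, user_name, ssid):
        """Decide VLAN (or rejection) for an authenticated inner identity.

        Run this on the inner identity after EAP succeeds; the outer identity
        may be anonymous ('@example.edu') and is only used for routing.
        """
        _user, realm = split_nai(user_name)
        on_eduroam = ssid == self.eduroam_ssid
        if realm is None:
            if on_eduroam:
                # eduroam must always carry user@realm, local users included;
                # a bare username cannot be routed when the device roams.
                return reject("eduroam requires user@realm")
            return accept(self.secure_vlan)   # bare name on the campus SSID is ours
        if not valid_realm(realm):
            return reject("malformed realm %r" % realm)
        if self.is_local(realm) or realm in self.privileged_realms:
            return accept(self.secure_vlan)   # same access on either SSID
        if not on_eduroam:
            # Assumption: the campus SSID is not proxied to the federation,
            # so a foreign realm there is a misconfigured client, not a guest.
            return reject("foreign realm on non-roaming SSID")
        # Everything else is a visitor: .ac.uk, .nih.gov, nyser.net, not just *.edu.
        return accept(self.visitor_vlan)


# Assumed deployment: home realm example.edu, one neighbouring campus with a
# privileged relationship, secure VLAN 100, visitor VLAN 200.
EXAMPLE_POLICY = RealmPolicy(
    local_realms=frozenset({"example.edu"}),
    privileged_realms=frozenset({"neighbor.edu"}),
    secure_vlan=100,
    visitor_vlan=200,
)

if __name__ == "__main__":
    for name, ssid in [("alice@example.edu", "eduroam"), ("alice", "eduroam"),
                       ("alice", "CampusSecure"), ("bob@Uni.AC.UK", "eduroam"),
                       ("bob@uni.ac.uk", "CampusSecure"), ("carol@neighbor.edu", "eduroam")]:
        print("%-20s %-12s -> %s" % (name, ssid, EXAMPLE_POLICY.authorize(name, ssid)))
```

With this in place the iPhone behaviour discussed in the thread stops mattering: a local user who lands on eduroam gets VLAN 100 exactly as on the campus SSID, and the only users who are turned away are those who left the realm off on eduroam, which is the case Philippe says bit UTK's travelers.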
Re: [WIRELESS-LAN] Wireless Guest Account Provision Type:
Eric,

The eduroam team (www.eduroam.us) is developing a system to help with visitors that do not have eduroam credentials, using the security and power of 802.1X, which can address your question... Why register everywhere you go?

We have tried to approach owners of hotspots (e.g. coffee shops etc.) to try to have them carry the eduroam SSID. Very few of them were interested because eduroam doesn't cover many of their users (read: the interest decreases exponentially as the distance from the campus increases). So, we came up with ANYROAM credentials (roaming credentials for visitors), and we are trying to convince hotspots to carry ANYROAM and eduroam at the same time (we are doing a pilot in Knoxville, TN).

The principle is simple: use your social credentials (or create your own) to load an EAP-TLS certificate that will be valid:
1) At every ANYROAM hotspot (no geographical limit)
2) At schools that have eduroam and decide to also accept ANYROAM credentials.

We plan to reinforce the social credentials with a micro-payment by credit card to link both identifiers (or a school can get a bag of ANYROAM tokens for visitors that they want to sponsor directly).

This system has many advantages:
- ANYROAM and eduroam are completely complementary
- It enables campuses to use ANYROAM credentials to welcome visitors (and that can be done on the existing eduroam SSID!!)
- One quick and secure provisioning of visitors (one EAP-TLS cert can work at thousands of locations)
- It could greatly increase the adoption of eduroam beyond the campus
- Handling visitors with 802.1X gives the campus (or the hotspot) a lot of controls (or contact us if it's out of control)
- Users join instantly without having to discover SSIDs or registration methods
- The eduroam generation will be able to enjoy a system they know after they graduate (or you can give ANYROAM credentials to alumni)
- Ready for Hotspot 2.0!

We will see how our first pilot develops in Knoxville... Our intention is to create roaming ecosystems around campuses to benefit both communities: non-edu and edu.

Philippe

p.s. CloudPath Networks is providing the Enrollment System for EAP-TLS certs

Philippe Hanset
www.eduroam.us

On Mar 3, 2014, at 12:30 PM, Eric Wohlford ewohlf...@bluefield.edu wrote:

Hello All,

First let me apologize if similar postings have been made; I could not find any with these questions in the archives. We have been asked to look into self-provisioning of guest accounts, and we are not all that sure where to start. Most of the solutions I have seen are tied to the wireless vendors. Currently we are using Ruckus Wireless and its built-in Guest Access for this, which is a sponsor-based system. It's actually a very simple system.

Our Questions:
1. If you use a self-provision system, who is your vendor, or is it homegrown?
2. What are your security concerns, and are you a sponsor-based system or a self-provisioning system?
3. What is your staff to user ratio?

Thank you,
My Pleasure to Serve,
Eric R. Wohlford, MBA
MCDST, MCP, A+, Network+
Manager of Network Services
Bluefield College
3000 College Drive
Bluefield, VA
Office – 276.326.4278
Fax – 276.326.4288
www.bluefield.edu
Re: [WIRELESS-LAN] DAS Wireless
University of Tennessee Knoxville entered into such an agreement. Their interest was to cover the Stadium. It's done, and it seems to work well. There are many providers of such service, and UTK used a competitive bidding. Two things that I can remember from that agreement:
- Once the initial contract is signed (revenue sharing, infrastructure, etc...), it also takes a long time to sign a contract with each carrier that will join the shared infrastructure.
- Also, the late Dewitt Latimer was always warning campuses: if carriers are interested in one particular location of your campus (because they can reach other interesting locations from there), make sure to negotiate complete coverage; don't allow a partial one that is only in the interest of the carrier!

Be ready for many back-and-forths between the two legal departments!

Philippe Hanset
www.eduroam.us

On Feb 10, 2014, at 11:22 AM, Ray DeJean r...@selu.edu wrote:

All,

We've been approached by a wireless company to install a DAS (distributed antenna system) throughout our campus. They would then market the system to local carriers, which would increase their coverage (we have pretty poor ATT service on campus). There would be revenue sharing, and they've offered to assist in expanding our 802.11 coverage as well. Just wondering if anyone else has entered into a similar agreement with a wireless company, and how it's working out for you.

thanks,
Ray

--
Ray DeJean
Systems Engineer
Southeastern Louisiana University
email: r...@selu.edu
http://r-a-y.org/
Re: [WIRELESS-LAN] DAS Wireless
Only a carrier neutral DAS in the stadium (~105,000 seats).

On Feb 10, 2014, at 5:38 PM, Watters, John john.watt...@ua.edu wrote:

Did they only do DAS in your stadium? Or, did they also do 802.11 there and/or other places? We have a DAS system in our stadium that ATT and Verizon jointly funded. It seems to be doing fairly well. They share a rather small room for their head-end stuff. It’s interesting to see the differences between the equipment used by these two carriers.

-jcw
John Watters
The University of Alabama
Office of Information Technology
205-348-3992

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Monday, February 10, 2014 4:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] DAS Wireless

University of Tennessee Knoxville entered into such an agreement. Their interest was to cover the Stadium. It's done, and it seems to work well. There are many providers of such service, and UTK used a competitive bidding. Two things that I can remember from that agreement:
- Once the initial contract is signed (revenue sharing, infrastructure, etc...), it also takes a long time to sign a contract with each carrier that will join the shared infrastructure.
- Also, the late Dewitt Latimer was always warning campuses: if carriers are interested in one particular location of your campus (because they can reach other interesting locations from there), make sure to negotiate complete coverage; don't allow a partial one that is only in the interest of the carrier!

Be ready for many back-and-forths between the two legal departments!

Philippe Hanset
www.eduroam.us

On Feb 10, 2014, at 11:22 AM, Ray DeJean r...@selu.edu wrote:

All,

We've been approached by a wireless company to install a DAS (distributed antenna system) throughout our campus. They would then market the system to local carriers, which would increase their coverage (we have pretty poor ATT service on campus). There would be revenue sharing, and they've offered to assist in expanding our 802.11 coverage as well. Just wondering if anyone else has entered into a similar agreement with a wireless company, and how it's working out for you.

thanks,
Ray

--
Ray DeJean
Systems Engineer
Southeastern Louisiana University
email: r...@selu.edu
http://r-a-y.org/
Re: [WIRELESS-LAN] How many drops 802.11ac phase 2
Is the main justification for two drops due to power/bandwidth/the two?

With many services and most killer apps going to the cloud, I would suspect that the bandwidth to the WAN is so limiting that this excess of capacity on Wireless is a complete overkill (vendor-driven nonsense). Yes, those 802.11ac Phase 2 APs can generate a lot more than 1 Gbps, but that is shared bandwidth (half-duplex), and your uplink is 1 Gbps full-duplex (2 Gbps in Cisco math, as we said in the old days). So, you really plan to also uplink your switches with 40 Gbps, and then a core at many times 100 Gbps, all connected to your ISP at a few Gbps... something doesn't add up here. Am I alone making bad accounting here?

Philippe Hanset
www.eduroam.us

On Feb 7, 2014, at 9:58 AM, James Robert Kennon jken...@gsu.edu wrote:

We just made a call on a new building and decided not to incur the cost of 2 cables per drop at this time. Hope we don't regret it later.

From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Fri, 7 Feb 2014 14:56:31
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How many drops 802.11ac phase 2

We'll be running two, until some sanity emerges.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of Brian David brian.da...@bc.edu
Sent: Friday, February 7, 2014 9:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] How many drops 802.11ac phase 2

All,

I wanted to see how many people were planning on running 2 drops to 802.11ac phase 2 access points? Currently we are just doing a one for one swap when replacing older a/b/g APs with 802.11ac phase 1 APs. When you have new construction, do you plan on running 2 drops so when phase 2 comes into play you will be all set for it?

Brian J David
Network Systems
Boston College
Re: [WIRELESS-LAN] Informal Report From a new eduroam Environment
Lee,

I have yet to encounter a WLAN admin that wasn't intrigued by the diversity of visitors when eduroam is enabled. And this is the low season for eduroam at the moment! Check the graph of the US top levels at https://www.eduroam.us/node/232

If I may ask, how many non-eduroam visitors do you encounter on your WLAN per day? You mentioned 40 from eduroam; I wonder if it is representative at all in terms of visitors.

Thank you for sharing those stats.

Philippe
www.eduroam.us

(This equals around 100 unique clients; most we’ve seen concurrent is just under 40.) Though just a spit in the bucket of our 20K concurrent daily WLAN client peak, the diversity of schools on the list is pretty thought-provoking.

-Lee Badman
Syracuse University
Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
And the WLAN industry also does strange math ;-)

A lot of services are going to the Cloud, mostly using your pipe to the Internet. It seems that, progressively or even rapidly, the limiting factor is not Wi-Fi anymore but rather the pipe to the Internet. 1 Gbps to each Wireless AP is a lot of bandwidth! And a lot of oversubscription all around (edge, distribution, core, WAN). Unless you plan to distribute UHDTV (8K TV) to your dorms, I wouldn't worry about getting more than 1 Gbps to each AP for a long time. Also, most 802.11ac APs are fine with 802.3af!

Philippe Hanset
www.eduroam.us

On Dec 18, 2013, at 12:56 PM, Lee H Badman lhbad...@syr.edu wrote:

The WLAN industry is doing an absolutely horrible, almost shameful job of managing the message on cabling for 11ac, says I.

Lee Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

-Original Message-
From: Turner, Ryan H [rhtur...@email.unc.edu]
Received: Wednesday, 18 Dec 2013, 12:52
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11AC Future Infrastructure

BTW… Before anyone jumps on me, I understand the purpose of the question. It’s great to know the best practices for the ‘what if’ situation.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, December 18, 2013 12:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11AC Future Infrastructure

Call me naïve, but I think 10 gig uplinks for ac WAPs is serious overkill. We have almost 4,500 switches across campus, most with 1 gig user uplinks, and the vast majority are perfectly fine with 1G (heck, we could swap a good number of those for 100 Meg, and they’d barely notice). These are switches with 48+ connected devices, all at 1 gig. So, for most access points that will be seeing far fewer users than a traditional edge switch with a one gig uplink, I don’t see the need to go crazy with the feed speed. I could see deploying 2 single gig links to the .ac access points, but not 10 gig. Exceptions to this ‘could’ be very dense classroom environments with a lot of access points (there are exceptions to everything).

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stewart, Joe
Sent: Wednesday, December 18, 2013 12:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11AC Future Infrastructure

As this technology begins to be deployed, is anyone out there planning ahead for wave two of this? I know it’s not going to happen for a while, but I’m curious if there are folks in the process of new construction where you have the option to add the infrastructure now to support the 10Gbps. If so, has there been any documentation on what cable type would be recommended for this? (ex. CAT6A or CAT7).

Thanks,
Joe Stewart
Network Specialist I
Information Systems and Network Services
Claremont McKenna College
325 E. 8th Street, Roberts South #12
Claremont, CA 91711
Re: [WIRELESS-LAN] 802.1x vs web-portal
Many places have problems with OCSP... they don't let users that join the portal check the OCSP validity of the portal's certificate (they forget to allow for this in the firewall). That will make some OSes that don't automatically switch to CRL fail. Or worse, certificate providers change the IP address of their OCSP servers, and portals and firewalls were configured with a static IP address of the OCSP servers... that can make portals fail as well. It would be nice to be able to check everything by name, but some firewalls are still finicky about that!

Philippe Hanset
www.eduroam.us

On Dec 2, 2013, at 1:02 PM, Osborne, Bruce W (Network Services) bosbo...@liberty.edu wrote:

Why do you say there are portal issues with https? Other than certificate error messages, http-to-https redirects work fine with Aruba wireless. I know I had issues with https portals a few years ago when I tried portals with Cisco LWAP APs.

Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
Liberty University | Training Champions for Christ since 1971

-Original Message-
From: Arran Cudbard-Bell [mailto:a.cudba...@freeradius.org]
Sent: Friday, November 29, 2013 2:25 PM
Subject: Re: 802.1x vs web-portal

On 19 Nov 2013, at 21:00, Ken LeCompte lecom...@oit.rutgers.edu wrote:

One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages.

A workaround for some devices would be to add a WISPr responder to the portal. It will work with all recent iOS and OSX devices, some Windows Phones, and Windows 8/8.1. http://msdn.microsoft.com/en-us/library/windows/hardware/dn408675.aspx

There is no perfect solution to portal redirection, but WISPr does seem a good way forward.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
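The failure Philippe describes above (a firewall allow-list written by IP address, while the CA has since moved its OCSP responder, so clients that do not fall back to CRL fail on the portal's own certificate) can be checked mechanically before it bites. The script below is an added example written for this archive, not code from the list or from eduroam-US. It takes a certificate in the shape of the dictionary Python's ssl.SSLSocket.getpeercert() returns (the OCSP, caIssuers and crlDistributionPoints keys carry the URLs from the certificate's AIA and CRL extensions), pulls out every revocation endpoint, and compares the pre-authentication allow-list with what each hostname resolves to now. The certificate, the allow-list, the example-ca.test hostnames and the DNS answers are all constructed sample data; in production the resolver would be socket.getaddrinfo().

```python
"""Added example, not code from the list thread or from eduroam-US: audit a
captive portal's pre-authentication allow-list against the revocation
endpoints named in the portal's own certificate. All data is constructed."""
from urllib.parse import urlparse

# Same shape as the dict returned by ssl.SSLSocket.getpeercert(): the OCSP,
# caIssuers and crlDistributionPoints keys hold the URLs from the certificate.
# Constructed sample; example-ca.test is not a real CA.
PORTAL_CERT = {
    "subject": ((("commonName", "portal.example.edu"),),),
    "OCSP": ("http://ocsp.example-ca.test/",),
    "caIssuers": ("http://crt.example-ca.test/intermediate.crt",),
    "crlDistributionPoints": ("http://crl.example-ca.test/intermediate.crl",),
}

# Pre-auth allow-list the way many portals/firewalls keep it: IP + port, with
# the hostname only in a comment. Constructed sample.
ALLOW_LIST = [
    {"ip": "203.0.113.10", "port": 80, "comment": "ocsp.example-ca.test"},
    {"ip": "203.0.113.11", "port": 80, "comment": "crl.example-ca.test and crt"},
]

# What DNS answers today. Constructed: the OCSP responder has moved since the
# allow-list was written. In production use socket.getaddrinfo().
CURRENT_DNS = {
    "ocsp.example-ca.test": {"198.51.100.25"},
    "crl.example-ca.test": {"203.0.113.11"},
    "crt.example-ca.test": {"203.0.113.11"},
}


def revocation_endpoints(cert):
    """Yield (kind, hostname, port) for every OCSP/CRL/AIA URL in the cert."""
    for kind in ("OCSP", "crlDistributionPoints", "caIssuers"):
        for url in cert.get(kind, ()):
            u = urlparse(url)
            if not u.hostname:
                continue
            port = u.port or (443 if u.scheme == "https" else 80)
            yield kind, u.hostname.lower(), port


def audit_allow_list(cert, allow_list, resolve):
    """Classify each endpoint: OK (a rule matches a current address),
    STALE_RULE (a rule names the host but its IP no longer matches),
    NOT_ALLOWED (no rule for that port at all) or UNRESOLVABLE."""
    findings = []
    for kind, host, port in revocation_endpoints(cert):
        addrs = set(resolve(host))
        same_port = [r for r in allow_list if r["port"] == port]
        if not addrs:
            status = "UNRESOLVABLE"
        elif any(r["ip"] in addrs for r in same_port):
            status = "OK"
        elif any(host in r["comment"] for r in same_port):
            status = "STALE_RULE"
        else:
            status = "NOT_ALLOWED"
        findings.append({"kind": kind, "host": host, "port": port,
                         "resolved": sorted(addrs), "status": status})
    return findings


def lookup(host):
    """Stand-in resolver over the constructed table."""
    return CURRENT_DNS.get(host, set())


if __name__ == "__main__":
    for f in audit_allow_list(PORTAL_CERT, ALLOW_LIST, lookup):
        print(f"{f['status']:12} {f['kind']:22} {f['host']}:{f['port']} -> "
              f"{', '.join(f['resolved']) or '-'}")
```

A STALE_RULE finding is exactly the case in the message: the rule's comment still names the responder, but the address moved out from under it. Where the firewall can match on a name, allow the responder hostnames instead and this drift cannot happen; where it cannot, run the audit on a schedule so the change is caught before the OSes that do not fall back to CRL start failing at the portal.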
Re: [WIRELESS-LAN] 802.1x vs web-portal
From the top of my head...

###What's bad for the user:
- Captive portal: no encryption over the air, pesky re-authentication and timeouts, no authentication of the infrastructure (yes, when you accept that SSL cert from RADIUS you actually authenticate the infrastructure)
- 802.1X: finicky supplicants, and, without a good installer, long config instructions. Strongly authenticated (can't escape the system ;-)

###What's bad for the network engineer (and user stuff as well...):
- Captive portal: CPU capacity of portal (802.11ac!!!), clients taking IP addresses and air time even if not authenticated, authentication can be defeated
- 802.1X: bugs from various vendors. A pain to troubleshoot when not working. Certificate expiration and help desk calls resulting from it

Add yours!

Philippe

Philippe Hanset
www.eduroam.us

On Nov 19, 2013, at 2:10 PM, Jeff Kell jeff-k...@utc.edu wrote:

On 11/19/2013 4:05 PM, Peter P Morrissey wrote:

Can anyone name an application that does not have strong encryption? I'm not arguing against 802.1x, because it works very well for us as users don't have to authenticate constantly on a portal, and we seem to do a very good job getting them on initially, but I am having a hard time understanding the encryption benefits lately.

Does FireSheep or Ettercap ring any bells?

Jeff
eduroam clarification...
(coming from a discussion a few minutes ago with a large University that is considering joining eduroam)

When we first started eduroam in the US, we had so few connectors that we required institutions to be Identity Providers (IdP, connect your backend authentication for your users) and Service Providers (SP, broadcast the eduroam SSID). Today, we still mention that there is a reciprocity requirement, but if you have problems broadcasting the SSID on your campus, don't let that prevent you from joining the eduroam federation as an IdP only.

Be aware that you should still have a few eduroam hot spots on your campus to at least let your own users test their configuration before traveling (even one hot spot in the vicinity of the help desk is enough!)

Best,
Philippe Hanset
www.eduroam.us
Re: [WIRELESS-LAN] Eduroam rollout- one more time
Matt,

To add to what people have already mentioned on the list:

If you already have a working 802.1X implementation, the work on the RADIUS server to become eduroam enabled is really basic. (Instructions are located on the website www.eduroam.us for various RADIUS flavors. Those instructions are community driven.) Some schools were eduroam enabled on the IdP (Identity Provider) side in less than 2 hours.

On the network side (enabling the SSID to become a SP, Service Provider) it's all about picking subnets, making firewall rules, and advertising the SSID.

One school did a really quick shortcut in network configurations (I forgot who it was) by routing all of the institution's eduroam users to its current secure SSID network, and all of its eduroam visitors to its current visitor SSID network (VLAN assignments in the controller). They had to bypass the need for the web portal on the visitor side and make sure that local clients joining eduroam use the full REALM (user@domain) to be ready when they travel (a RADIUS config change).

Best,
Philippe

Philippe Hanset
www.eduroam.us

On Nov 4, 2013, at 8:56 AM, Matt Williams mcw...@bucknell.edu wrote:

Thanks for all of the input. I appreciate it. From what I'm hearing it seems like it is no more time intensive than any other service. I'll be sure to pass all of this along.

Thanks, again.

Respectfully,
Matthew Will Williams
Assistant Director, Networking
Bucknell University
570.577.1491

On Mon, Nov 4, 2013 at 7:31 AM, Tim Cappalli cappa...@brandeis.edu wrote:

Same here at 'Deis. A Brandeis user connecting to eduroam is treated exactly the same as they would be if they were connecting to our legacy branded secure network. We are using a lot of role-based magic from AD and enterprise LDAP. Also, there are some tweaks you can do in RADIUS to allow non-user devices to connect to eduroam with an @fqdn account (as long as they aren't expected to leave campus: Cisco wireless phones, wireless printers, ticket readers, etc).

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Sunday, November 03, 2013 9:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time

On Nov 1, 2013, at 11:34, Lee H Badman lhbad...@syr.edu wrote:

Go the easy path, and push the Eduroam SSID everywhere, as an additional WLAN, and live with the fact that it won’t get a lot of use in most places and puts management traffic in the air that isn’t generally going to be used.

This is what we did at NU. We do some role-based stuff on the back end such that if an NU person connects to eduroam, they get the same IP addressing and setup as if they use our regular 802.1X SSID.

--
Julian Y. Koh
Acting Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
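The RADIUS-side points in this thread (a home user on eduroam lands on the same VLAN as on the branded secure SSID, a visitor lands on the existing visitor VLAN with the portal bypassed, device accounts of the form something@fqdn are treated as local, and local clients must present a full user@realm so they can be routed when they travel) all come down to one realm-routing decision per Access-Request. The Python below is an added illustration of that decision written for this archive, not eduroam's code nor any RADIUS server's configuration. example.edu, the VLAN ids and the top-level proxy name tlr.eduroam.example are placeholders, and the rule that a routable federation realm must look like a DNS domain (at least two labels) is my own simplification.

```python
"""Added example, not code from the list thread or from eduroam: the
realm-routing decision an eduroam-enabled RADIUS server makes for each
Access-Request. Realm names, VLAN ids and the proxy name are placeholders."""
from dataclasses import dataclass
from typing import Optional

HOME_REALMS = {"example.edu"}               # realms authenticated locally (placeholder)
FEDERATION_PROXY = "tlr.eduroam.example"    # top-level federation proxy (placeholder)
VLAN_HOME = "100"       # same VLAN the branded secure SSID already uses
VLAN_VISITOR = "200"    # the existing visitor VLAN, with the web portal bypassed


@dataclass
class Decision:
    action: str             # "local", "proxy" or "reject"
    target: Optional[str]   # realm handled locally, or the proxy to forward to
    vlan: Optional[str]     # VLAN to return as Tunnel-Private-Group-ID on Access-Accept
    reason: str


def split_realm(user_name: str):
    """Split an (outer) identity into (user, realm); realm is None without '@'.
    The last '@' is the separator, so a user part containing '@' is tolerated."""
    name = user_name.strip()
    if "@" not in name:
        return name, None
    user, _, realm = name.rpartition("@")
    return user, realm.lower()


def is_routable_realm(realm: str) -> bool:
    """Simplification (assumption): federation realms look like DNS domains,
    i.e. at least two non-empty labels of letters, digits and hyphens."""
    labels = realm.split(".")
    return len(labels) >= 2 and all(
        label and all(c.isalnum() or c == "-" for c in label) for label in labels
    )


def route(user_name: str) -> Decision:
    """Decide what the RADIUS server does with one Access-Request."""
    user, realm = split_realm(user_name)
    if not realm:
        # The thread's "full REALM" requirement: an unqualified name might work
        # at home but can never be routed once the user travels.
        return Decision("reject", None, None, "identity must be user@realm")
    if realm in HOME_REALMS:
        # Also covers device accounts such as printer-3@example.edu that never leave campus.
        return Decision("local", realm, VLAN_HOME, "home realm: authenticate against the local backend")
    if not is_routable_realm(realm):
        return Decision("reject", None, None, f"realm {realm!r} is not a routable federation realm")
    # Visitor: the credentials are checked by the home institution, never here.
    return Decision("proxy", FEDERATION_PROXY, VLAN_VISITOR, "foreign realm: proxy to the federation")


if __name__ == "__main__":
    for ident in ("alice@example.edu", "Bob@EXAMPLE.EDU", "carol@other.ac.uk",
                  "dave", "erin@", "printer-3@example.edu", "x@localhost"):
        d = route(ident)
        print(f"{ident:24} -> {d.action:6} target={d.target} vlan={d.vlan}  ({d.reason})")
```

The rejection of unqualified names is the "RADIUS config change" Philippe mentions: once the server refuses bare usernames on eduroam, clients get configured with user@realm at home, where the help desk can see the failure, rather than at a foreign campus where nothing can be routed. Visitors never get their password checked here; only the realm is inspected, and the reply from their home institution decides the Access-Accept.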
Re: [WIRELESS-LAN] Eduroam rollout- one more time
By the way... For schools that go with #1 (use eduroam as your own SSID), there is a free installer that can make the rollout of 802.1X quite easy! Not a bad saving! http://cat.eduroam.org

Best,
Philippe Hanset
www.eduroam.us

On Nov 1, 2013, at 12:47 PM, Ian McDonald i...@st-andrews.ac.uk wrote:

We did #1, but we didn’t have .1x before that. My understanding is that most places that did went for #3. Our biggest benefit of #1 is that eduroam “just works” for users who go away to other institutions, without them ever having to plan it, as it’s already set up.

-- ian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Scott Allen
Sent: 01 November 2013 16:44
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time

Happy with #3

-Scott

On Nov 1, 2013 12:34 PM, Lee H Badman lhbad...@syr.edu wrote:

I know this comes up frequently, so forgive me. We’re at a different place than we were at last inquiry… Syracuse University has become an Eduroam school, and as we speak we have happy Eduroamers around the world. Woo Woo! At the same time, we have yet to roll out Eduroam on our own campus and are getting ready to in accordance with the Eduroam agreement. We’re trying to figure out the best model:

1. Retire our own beloved 802.1x SSID, and use Eduroam in its place. This has no favor with any of us, including our senior IT managers, and so is not gonna happen. (Though I value the opinions of others, not wanting to get into a debate on this point :) )
2. Do a targeted rollout of Eduroam, in places where it is likely to be used by visitors: academic buildings, etc. (So far, I can’t find evidence of anyone coming to SU and asking for it). This model requires building a new WLAN group or two and pushing it out to probably 20ish buildings out of our 200+ buildings.
3. Go the easy path, and push the Eduroam SSID everywhere, as an additional WLAN, and live with the fact that it won’t get a lot of use in most places and puts management traffic in the air that isn’t generally going to be used.

I can’t be the only one who has stood at this juncture and looked at the situation the same way. Wondering what others have done between #2 and #3, and what your level of satisfaction has been for whatever path you took.

Regards,
Lee Badman
Syracuse University
Re: [WIRELESS-LAN] Eduroam rollout- one more time
Lee,

I hate to bust your identity pride ;-) but... In my experience the only people that care about the SSID names are the IT Crowd and some of the University administrators. (When will we have a TV series on University Administrators?) Users just want something that works... they don't even look at SSIDs these days. Now, if like Birthday Cards, we start having singing SSIDs... that might be a different story!

Philippe

Philippe Hanset
www.eduroam.us

On Nov 1, 2013, at 3:26 PM, Lee H Badman lhbad...@syr.edu wrote:

I hear you, and appreciate it to a point. At the same time, I don't buy into losing our identity to be part of something global, especially when measured in terms of 16K+ users on our branded campus WLAN at daily peaks, and a few dozen Eduroamers expected. In other words, why change something that statistically everybody is used to for the sake of statistically nobody? Not trying to quibble, just explaining where we come from. I actually think Eduroam should be more accommodating to individual SSIDs, but get why it can't work that way now. Hopefully Hotspot 2.0 lives up to its billing as the cure-all for this sort of thing.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Friday, November 01, 2013 3:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time

We originally adopted the #3 option, but we are planning to retire our 802.1X SSID soon and just have everyone use eduroam. It just makes sense. What we have seen is that when on campus, we push our users to use our main SSID, but then when they go to participating universities, they sometimes have issues connecting to eduroam because they are not familiar with it. We figured that we are part of a global effort and we will never be 100% involved in it unless we push our own users to use it as their main SSID when at home. That way, when they go to other participating institutions, it will be seamless! Just the way it is supposed to work.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, November 01, 2013 11:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Eduroam rollout- one more time

I know this comes up frequently, so forgive me. We’re at a different place than we were at last inquiry… Syracuse University has become an Eduroam school, and as we speak we have happy Eduroamers around the world. Woo Woo! At the same time, we have yet to roll out Eduroam on our own campus and are getting ready to in accordance with the Eduroam agreement. We’re trying to figure out the best model:

1. Retire our own beloved 802.1x SSID, and use Eduroam in its place. This has no favor with any of us, including our senior IT managers, and so is not gonna happen. (Though I value the opinions of others, not wanting to get into a debate on this point :) )
2. Do a targeted rollout of Eduroam, in places where it is likely to be used by visitors: academic buildings, etc. (So far, I can’t find evidence of anyone coming to SU and asking for it). This model requires building a new WLAN group or two and pushing it out to probably 20ish buildings out of our 200+ buildings.
3. Go the easy path, and push the Eduroam SSID everywhere, as an additional WLAN, and live with the fact that it won’t get a lot of use in most places and puts management traffic in the air that isn’t generally going to be used.

I can’t be the only one who has stood at this juncture and looked at the situation the same way. Wondering what others have done between #2 and #3, and what your level of satisfaction has been for whatever path you took.

Regards,
Lee Badman
Syracuse University
Re: [WIRELESS-LAN] Wireless authentication issue after certificate renew
About 802.1X installers... There is a free installer that comes with eduroam that can help automatic installations: http://cat.eduroam.org It works for most OSes except Android (and a client for Android is planned), and it works for most EAP methods, except EAP-TLS. It can only be used for the eduroam SSID, so if you want to use it for your campus you will have to use eduroam as a home SSID as well. Some consider this a challenge and those who are using eduroam as their native SSID do not regret the move. Long emails can be exchanged about this ;-) If you like EAP-TLS and you are an InCommon Certificate customer, InCert will be coming up... www.internet2.edu/incerthttp://www.internet2.edu/incert It's going to make EAP-TLS a lot easier! As of today, none of the solutions highlighted above are as good or as versatile as Xpressconnect, but if you can't afford Xpressconnect they can address some of your 802.1X issues! (also, Xpressconnect can do a lot more than just install 802.1X material. It can check for OS updates, install third party software etc...) Best, Philippe Philippe Hanset www.eduroam.ushttp://www.eduroam.us On Oct 24, 2013, at 10:25 AM, Turner, Ryan H rhtur...@email.unc.edumailto:rhtur...@email.unc.edu wrote: We are a Cloudpath customer. It is not going to help you prevent Apple issues with certificate changes. It will install all the necessary certificate chains, as well as provision all client settings. We use EAP-TLS, and it has made the distribution of certificates a trivial matter. Most important for network engineers that are using EAP methods that pass username and password is the ability to CORRECTLY configure systems to reduce their vulnerability to man in the middle attacks. Of course, this doesn't prevent a client from manually incorrectly configuring their wireless profile. There are really smart shops, like UVA, that designed their own onboarding software, but for those that want a quick turnkey option, Cloudpath will work. 
> Ryan
> Sent from Windows Mail
>
> From: Dennis Xu
> Sent: Thursday, October 24, 2013 10:02 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>
> Thanks Ryan for this information. I am interested to know how products like CloudPath XpressConnect can make this process seamless to users. If any XpressConnect customers can elaborate on this, that will be great! Thanks.
>
> ---
> Dennis Xu
> Analyst 3, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
> 519-824-4120 Ext 56217
> d...@uoguelph.ca
> www.uoguelph.ca/ccs
>
> ----- Original Message -----
> From: Ryan H Turner rhtur...@email.unc.edu
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Sent: Thursday, October 24, 2013 9:34:14 AM
> Subject: Re: [WIRELESS-LAN] Wireless authentication issue after certificate renew
>
> From our experience, this is normal. Apple does some caching with its certificate. If the certificate that is being offered from the server differs, they appear to complain. From my experience, there is a dialogue box that will come up on screen telling the users to accept a new certificate. I suspect this interferes with EAP authentication because the time it takes to accept a new certificate from the server will expire the EAP timer value, and after the cert is accepted, the machine will reauthenticate.
>
> I think if I were in your shoes, I would pick a few client mac addresses in the logs, and look at their sessions and make sure they are connected now. I will bet you'll see them connected just fine. In any event, when we do a certificate change on our authentication servers, we issue campus wide change notices as a result of some of the aggravation.
> Ryan H Turner
> Senior Network Engineer
> The University of North Carolina at Chapel Hill
> CB 1150 Chapel Hill, NC 27599
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
> Sent: Thursday, October 24, 2013 7:38 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wireless authentication issue after certificate renew
>
> I assumed you configured your client to explicitly trust the ACS server certificate. In our setup, only the root intermediate certificates are configured on the client. We can then update our server certificates without any issue as long as we continue to use the same certificate chain. Unfortunately, we are preparing to move to a new certificate chain :(
>
> Bruce Osborne
> Network Engineer
> IT Network Services
> (434) 592-4229
> Liberty University | Training Champions for Christ since 1971
>
> -----Original Message-----
> From: Dennis Xu [mailto:d...@uoguelph.ca]
> Sent:
Re: [WIRELESS-LAN] Revisiting vendors on wireless-lan list
Vendors can chime in on a purely technical aspect without promoting their solution or brand. That's where it gets tricky, especially when some vendors promote a patented technology under the cover of promoting a solution. It happens here and there, and in my 12 years on the list I have seen great posts from vendors but also horrible vendor battles. I would say that many of us receive very current information from our vendors and do a good job at sharing this with other members of this list.

Here is what Educause requests for the list etiquette:
http://www.educause.edu/discuss/constituent-and-discussion-group-participation-guidelines

and then comes your own interpretation ...

Philippe Hanset
www.eduroam.us

On Sep 25, 2013, at 8:12 AM, Scott Allen sc...@georgetown.edu wrote:

> I would prefer to see vendors remain on the list but not participate. They might feel obligated to defend their products and the discussion would shift more toward product comparisons. I don't have the funding or time to switch vendors as they leapfrog one another in new features. I need to find a way to support my users with the product set I have. If there is a general shift away from one technology or product set, I want to hear about it without spin. Vendor technical support contracts provide me with operations support. This list provides me with the information I can only get from Higher Ed customers.
>
> -Scott
>
> On Tue, Sep 24, 2013 at 8:48 PM, Brian Helman bhel...@salemstate.edu wrote:
>
>> Everyone: I don't think there is an official policy (or I've never noticed it), so as such I'm not sure where the line is .. but I was discussing the iOS update issue with my wireless vendor today. They happened to mention that they were monitoring the subject on here (wireless-lan list). I thought it odd that they didn't chime in...
>> If there is a stated policy against the following, then my question is moot, but I thought it would be helpful if vendors did chime in, letting their customers know how to address such issues. I know this could be a slippery slope, so my opinion is that such messages are limited to what can be done now, not future releases, and not contain pros/cons vs other vendor implementations. This vendor could have emailed me (and their customer base) directly, but as long as it isn't a marketing email, I think the info would be beneficial to this list (e.g. if you are using xxx wireless, you can do the following to address download storms...).
>>
>> I have been a proponent of vendors being allowed to join this and NETMAN, as long as they were here/there to join discussions or even understand what our collective issues are and weren't using the lists as a vehicle to market. I'm feeling we are missing that participation. I'm definitely one to go for the throat of a vendor who blatantly misuses this list too.
>>
>> thoughts?
>>
>> -Brian
>
> --
> Scott Allen
> Director, Network Services
> Georgetown University
> sc...@georgetown.edu
> mobile - 202-309-5739

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Anyone tried Ubiquiti UniFi campus wifi?
Steve,

From discussions that I have had with nsrc.org (the guys at University of Oregon known for building networks in Africa), they really enjoy Ubiquiti for small and mid size networks (they use point to point and campus APs). This said, you are managing a campus in the US and your population will most likely come with a diversity of devices and protocols that could rapidly overwhelm your network if you don't have the features to deal with it. If I were you I would definitely look into the features (traffic management more than AP management) that vendors offer for your price point. Aruba Networks has really been creative for some of those features and University of Tennessee uses quite a few of those for traffic management. It looks like traffic management is only going to get worse since all the Wi-Fi device vendors are coming up with all kinds of interesting protocols. It's not just about coverage and throughput anymore...

Philippe

Philippe Hanset
www.eduroam.us

On Sep 10, 2013, at 4:24 PM, Steve Bohrer skboh...@simons-rock.edu wrote:

> A few months ago there were some generally positive posts about Ubiquiti's Air Fiber links, but I'm wondering if anyone has tried out their UniFi controller-less campus wifi solution, particularly with their dual-band UniFi Pro AP and/or their UniFi AP AC access points.
>
> For background, we are a very small college, and currently have an older Cisco WLC/WPS system, mostly with their A/G APs; though we have N in one building. The hardware limit of our current pair of WLCs is 75 APs, and we've hit that, so are considering our next step: expand our Cisco system with newer gear; or else go to something else for our un-covered buildings, and have two systems running side-by-side for a while as we transition to the new system. I want to add about 25 APs right now to cover our four main dorms, and I think our eventual full-coverage, high-density (for small values of high!) deployment might be about 150 APs total.
> Staying with Cisco means upgrading from our WLC 4402s to 5508, which also means upgrading from WCS to PI, and it is feeling a bit like overkill for our size. I can't say that I've been heavily using all of the features and reporting of our current WCS.
>
> We are having presentations from other vendors, and my Sys Admin recommended Ubiquiti, and their price is _amazingly_ low. With their gear, we could add the new APs and also replace all of our existing Cisco APs for significantly less than the cost of adding 25 new Cisco N APs+WLC+PI. For our scale, that is really attractive.
>
> Part of the cost saving, of course, is that Ubiquiti doesn't have reps and a sales team and such, so we won't get nearly as whizzy a pitch from Ubiquiti as we have from the rest of the wifi vendors. Thus, first hand experiences from other schools that have actually deployed this stuff would be very useful.
>
> Thanks for any pros or cons you can share about UniFi. (Feel free to mention your favorite wifi system as well, if you think it reasonable for our small scale and budget. From the stuff we've seen so far, I like Ruckus, Aerohive, and Meru, but don't have much user feedback on any of them.)
>
> Steve Bohrer
> Network Admin, ITS
> Bard College at Simon's Rock
> 413-528-7645

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam
All,

I have contacted Cisco directly to try to accelerate the availability of the REALM stripping feature. Same with Microsoft and IAS (REALM stripping issue, and I'm also contacting them directly as well). Hope it will work!

Philippe

Philippe Hanset
www.eduroam.us

On Aug 14, 2013, at 12:44 PM, Curtis K. Larsen (UIT-Network) curtis.k.lar...@utah.edu wrote:

> The status of the enhancement request is open. In talking with TAC it appears it might take several months. We use MSCHAPv2, participate in eduroam, and rely on stripping the realm to put users in different vlans today so this is quite problematic for us. We are also running ISE 1.2.
>
> Thanks,
> Curtis
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Joe Roth [jr...@binghamton.edu]
> Sent: Wednesday, August 14, 2013 10:24 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam
>
> Correct, the SSID that we were using LDAP with did not use MSCHAPv2. Did they happen to mention what version that bug was fixed in? We upgraded to 1.2 and it has been stable for us so far.
>
> On Wed, Aug 14, 2013 at 11:17 AM, Curtis K. Larsen (UIT-Network) curtis.k.lar...@utah.edu wrote:
>
> Joe,
>
> Thanks for the reply. I am guessing you are not using PEAP-MSCHAPv2, is that correct? I have just come across the following from Cisco:
>
> CSCuc52361 Bug Details
> ISE should allow domain modification/stripping for AD external store
>
> Symptom: Currently ISE does not allow modifying the domain name before authentication when the external identity store used is AD. This is a problem in an environment like Eduroam where the specification enforces a particular username format (user@realm).
> Generally the username stored in the AD UPN field is not in the same format as the one supplied for authentication. It would be good to allow the modification of the AD username prior to authentication, or at least support suffix/prefix stripping, since this would be sufficient for local domain authentication (this would still break cross forest).
>
> Conditions: Trying to modify the domain name of the user before AD authentication.
>
> Workaround: Use LDAP for basic stripping (Does not currently work for MSCHAPv2)
>
> Thanks,
> Curtis
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Joe Roth [jr...@binghamton.edu]
> Sent: Tuesday, August 13, 2013 6:58 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam
>
> Curtis,
>
> We are not using eduroam but we are a Cisco ISE user. When you connect to AD via LDAP in ISE I believe that you can accomplish what you are looking to do. If you create a new LDAP identity source, look under the directory structure tab. You can strip the subject name based on a dividing character. You can leave your current AD identity source in place and add the LDAP one as well; they will run side by side.
>
> On Tue, Aug 13, 2013 at 7:05 PM, Curtis K. Larsen (UIT-Network) curtis.k.lar...@utah.edu wrote:
>
> Hello,
>
> I am just wondering if anyone on the list that participates in eduroam uses ISE for RADIUS. We are playing with ISE, and finding difficulty getting it to strip off the realm suffix before authenticating against AD. I can't imagine there isn't a way to do this since I assume that would prevent any eduroam customers from using ISE as their primary RADIUS server. Hopefully we are just missing something simple. Let me know.
> Thanks,
> Curtis Larsen
> University of Utah
> Network Engineer
>
> --
> Joe Roth
> Networking Group
> Binghamton University
> Ph. 607-777-7528
> Fax 607-777-4009

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Cisco VS. Aruba
Lou,

http://www.linkedin.com/pub/lou-vogel/10/a80/870

Here is the list etiquette:

Promotional Messages and Advertising
EDUCAUSE Constituent and Discussion Groups are educational in nature and not intended for promotional announcements, advertising, product-related press releases, or other commercial use. Please note that unsolicited commercial communications to constituent group participants as a result of postings to a Constituent or Discussion list violate the promotional messages and advertising provisions of these guidelines and may result in the loss of access to the listserv in question.

Philippe Hanset
Constituent Group Leader for wireless-lan@educause

On Aug 1, 2013, at 4:55 PM, Lou Vogel louvoge...@aol.com wrote:

> Ruckus is better than either of the 2 choices listed.
>
> -----Original Message-----
> From: Linchuan Yang linchuan.y...@concordia.ca
> To: WIRELESS-LAN WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Sent: Thu, Aug 1, 2013 11:53 am
> Subject: [WIRELESS-LAN] Cisco VS. Aruba
>
> Dear All
>
> We are planning to upgrade our whole wireless network. Could you please comment based on your experience which one is better:
> 1. Cisco Prime Infrastructure VS. Aruba Airwave
> 2. Cisco ISE VS. Aruba ClearPass
>
> Thank you, and have a nice day.
>
> Yours,
> Linchuan Yang (Antony)
> Wireless Networking Analyst
> Network Assessment and Integration, IITS-Concordia University
> Tel: (514)848-2424 ext. 7664

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Free online Webinar from Educause Jul 30-Aug 1…
Wishing you a great summer,

Philippe

Philippe Hanset
www.eduroam.us
wireless-lan@educause constituent group leader

Begin forwarded message:

> From: Catherine Yang cy...@educause.edu
> Subject: [CGLEADERS] Please Forward- EDUCAUSE Sprint 2013 - Beyond MOOCs: Is IT Creating a Connected Age?
> Date: June 27, 2013 9:03:32 PM EDT
> To: cglead...@listserv.educause.edu
> Reply-To: The EDUCAUSE Constituent Group Leaders Listserv cglead...@listserv.educause.edu
>
> Hi everyone! EDUCAUSE is hosting an online "sprint" in a few weeks, centered around topics that are of interest to many of the CGs. Could you forward to your groups if you think the subject matter would be relevant? And please consider joining us! Thanks!
>
> -Catherine Yang
> EDUCAUSE
>
> MOOCs are catalyzing institutions to rethink the rules of higher ed. Large-scale online learning is reshaping pedagogy, delivery systems, business models, and credentialing, challenging what it means to be a college or university. The transformation is connecting students, faculty, and institutions in new ways. Join us July 30–August 1 for a free, online program of webinars, activities, resources, and discussions focused on the transformative elements of MOOCs—connectedness, scale, data, and new models—and IT's role. Virtual seating is limited for the free webinars, scheduled from 1:00 to 2:30 p.m. (ET) each day.
>
> Register today! http://www.educause.edu/events/educause-sprint-2013
>
> Each day will be dedicated to a specific theme to immerse yourself in:
>
> Tuesday, July 30: IT as a Force of Change
> Learn about the forces that are catalyzing change in higher education, business, and technology.
>
> Wednesday, July 31: How Technology Can Change Pedagogy
> Explore how large-scale, data-supported, online learning can change the learning experience, the composition of a classroom, and the definition of quality education.
> Thursday, August 1: Creating the IT Architecture for the Connected Age
> Discuss the infrastructure needed to realize the full potential of connectedness in higher education.

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
The original creator of this list has left us...
It is with a lot of sorrow that I'm announcing to this list that our friend and colleague Dewitt Latimer has passed away.

http://www.kpax.com/news/msu-chief-information-officer-killed-in-motorcycle-crash/

Dewitt created the wireless-lan list out of University of Tennessee then transferred it to Educause. One could always count on Dewitt to share his passion for IT and Wireless in particular.

Please keep Dewitt's family in your thoughts and prayers,

Philippe

Philippe Hanset

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] multiple ssid's and campus access
Roger,

If I could, here is how I would do it. 3 SSIDs, and I will name them for your campus as an example:

# uthsc-open (open SSID controlled by a Web gateway)
# eduroam (802.1X only)
# uthsc-personal (hidden or not, you decide... great for medical instruments and various styles of scanners etc..., could be only present in specific buildings)

# uthsc-open
Would have an initial splash page with:
 - Option to get material to connect to the 802.1X SSID (using Xpressconnect, QuickConnect, SecureW2,... you name it)
 - Option to register campus devices that can't do 802.1X. A MAC based authentication using NetReg or other forms (with an option to sponsor long term visitors, e.g. a Faculty can register the MAC address of a long term visitor). If you don't want too many users to join this one and emphasize the secure SSID, you could remove the option and just have a comment directing users that have devices that can't do 802.1X to the Help Desk (or other forms of incentives).
 - Option to handle visitors that can't use 802.1X (an option for non-sponsored visitors and an option for sponsored visitors). Sponsored visitors is great for conferences (they can get credentials from their organizers, either common credentials, or dedicated ones if you are willing to deal with that).

# eduroam (or your own 802.1x SSID if you don't do eduroam)
Role Based authentication (with VLAN assignment based on the identifier or the REALM) (everything is possible here since you have a device AND a username AND a REALM). For your own users you can still direct them to the Network Registration page after they get connected to the 802.1X network to have their devices registered (easier if you have to track problems... also some schools use this as an inventory of devices).

# uthsc-personal
WPA2-PSK. I would keep that one as stealth as possible and restrict it to only School's owned devices (I don't mean Faculty laptops but projectors, scanners, Blood pumps, etc...)
Also, think about a remediation Web page when you assign a user to a remediation VLAN in case you disconnect them for security reasons (this doesn't have to involve a full blown NAC system... just another method to communicate with users and prevent costly Help Desk calls!)

Philippe

Philippe Hanset
www.eduroam.us

On May 2, 2013, at 10:03 AM, Schwartz, Roger J rschw...@uthsc.edu wrote:

> I am looking for ideas to reduce the number of ssid's we advertise on our campus: faculty/staff, student, mobile, eduroam and guest. I know some folks have gone to just eduroam; if you have, what security do you have on the vlan, do users vpn back to the campus network, etc.? We are looking at some form of Identity Service to push users into particular vlans, and that isn't working that great at this time. So what are you doing or going to be doing to resolve this type of issue? Any and all comments, suggestions are welcome.
>
> Roger
> Senior Wireless Network Technician
> University of Tennessee Health Science Center
> Memphis, Tennessee
> rschw...@uthsc.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
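The realm stripping that Curtis could not get ISE to do in front of AD (the "ISE as RADIUS server with eduroam" thread above) and the "VLAN assignment based on the identifier or the REALM" in the eduroam SSID sketch here are the same small decision, made per request on the home RADIUS server. This added example is not code from the list or from Cisco ISE; the realms, VLAN numbers and proxy name are constructed sample policy.

```python
# Added example (not from the list thread, not Cisco ISE): realm handling for
# an eduroam home RADIUS server that authenticates against AD. For each
# request: is user@realm ours (authenticate locally) or a visitor (proxy to
# the federation)? If ours, strip the realm before the AD lookup and pick a
# VLAN from the realm. All realms, VLAN ids and the proxy name are made up.
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALMS = {"example.edu", "med.example.edu"}            # realms we are home for (assumption)
VLAN_BY_REALM = {"example.edu": 100, "med.example.edu": 110}  # per-realm VLAN policy (assumption)
VISITOR_VLAN = 200                                            # eduroam visitors authenticated elsewhere
FEDERATION_PROXY = "eduroam-national-proxy"                   # upstream for foreign realms (placeholder)


@dataclass
class Decision:
    action: str                        # "local" | "proxy" | "reject"
    reason: str
    realm: Optional[str] = None
    ad_username: Optional[str] = None  # identity handed to AD after stripping
    vlan: Optional[int] = None
    proxy_to: Optional[str] = None


def split_nai(identity: str) -> Tuple[Optional[str], Optional[str]]:
    """Split user@realm into (user, realm); realm is lower-cased.

    Returns (None, None) when the identity cannot be routed safely: no '@',
    more than one '@' (ambiguous realm), or an empty user or realm part.
    Rejecting ambiguous forms is a policy choice made here, not a standard.
    """
    if identity.count("@") != 1:
        return None, None
    user, realm = identity.split("@")
    if not user or not realm:
        return None, None
    return user, realm.lower()


def decide(inner_identity: str, outer_identity: Optional[str] = None,
           from_federation: bool = False) -> Decision:
    """Route one authentication request.

    inner_identity: identity inside the PEAP/TTLS tunnel, the one that must be
        stripped before the AD lookup (MSCHAPv2 authenticates this name).
    outer_identity: cleartext EAP identity (e.g. anonymous@realm) that the
        federation routes on; its realm must agree with the inner realm.
    from_federation: request arrived via the federation proxy (roaming user of
        ours) rather than from our own access points.
    """
    user, realm = split_nai(inner_identity)
    if realm is None:
        return Decision("reject", "identity is not of the form user@realm")

    if outer_identity is not None:
        _, outer_realm = split_nai(outer_identity)
        if outer_realm != realm:
            return Decision("reject", "outer and inner realm differ", realm=realm)

    if realm not in LOCAL_REALMS:
        if from_federation:
            # The federation only sends us our own realms; anything else is a
            # misdirected request or a routing loop, never an AD lookup.
            return Decision("reject", "foreign realm received from federation", realm=realm)
        return Decision("proxy", "foreign realm, forwarded to federation", realm=realm,
                        vlan=VISITOR_VLAN, proxy_to=FEDERATION_PROXY)

    # Home realm: AD knows the account as 'user', not 'user@realm'. A VLAN is
    # only ours to assign when the session is on our own access points.
    vlan = None if from_federation else VLAN_BY_REALM[realm]
    return Decision("local", "home realm, realm stripped for AD lookup",
                    realm=realm, ad_username=user, vlan=vlan)


def reply_attributes(d: Decision) -> dict:
    """RFC 3580 tunnel attributes that put the session in the chosen VLAN.

    Empty when there is nothing to assign (reject, or a roaming user whose
    VLAN belongs to the visited site).
    """
    if d.vlan is None:
        return {}
    return {"Tunnel-Type": 13,              # VLAN
            "Tunnel-Medium-Type": 6,        # IEEE-802
            "Tunnel-Private-Group-ID": str(d.vlan)}


if __name__ == "__main__":
    for inner, outer, fed in [("curtis@Example.EDU", "anonymous@example.edu", False),
                              ("visitor@uni.ac.uk", "anonymous@uni.ac.uk", False),
                              ("curtis@med.example.edu", None, True),
                              ("a@b@example.edu", None, False)]:
        d = decide(inner, outer, fed)
        print(f"{inner:28} -> {d.action:6} {d.reason}; AD={d.ad_username}; {reply_attributes(d)}")
```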
Re: [WIRELESS-LAN] RFP/requirements for replacing campus wireless infrastructure
This seems like a good time to post Educause's list Etiquette:

Promotional Messages and Advertising
EDUCAUSE Constituent and Discussion Groups are educational in nature and not intended for promotional announcements, advertising, product-related press releases, or other commercial use. Please note that unsolicited commercial communications to constituent group participants as a result of postings to a Constituent or Discussion list violate the promotional messages and advertising provisions of these guidelines and may result in the loss of access to the listserv in question.

Thank you

Philippe Hanset
wireless-lan@educause Constituent Group Leader

On May 2, 2013, at 1:28 PM, Todd Plekavic tpleka...@gmail.com wrote:

> wag...@aerohive.com
>
> On May 2, 2013 12:16 PM, Harvard Townsend harvard.towns...@wheaton.edu wrote:
>
>> We are considering a forklift replacement of our Meru wireless infrastructure since a significant portion of it is approaching end-of-support life (all the controllers and over 2/3s of the APs) and we've had our share of problems with Meru. I was wondering if any of you who have recently re-bid your wireless have a set of requirements or an RFP you would be willing to share – either publicly to the list or privately to me directly – so I'm not starting from scratch.
>>
>> FWIW, we currently have six MC3000 controllers and 424 APs providing ubiquitous indoor coverage (admittedly with some weak spots). Bradford Network Sentry provides the NAC (wired and wireless). I do not intend to have a full site survey done as part of the bid, but will increase density in some known problem locations. I also lean toward continuing with the controller-based/thin-AP architecture. Some flavor of Apple Bonjour support will be a requirement (Meru and Apple TVs are not happy bedfellows).
>> As for positioning us for 802.11ac down the road, it seems that the best I can hope for (and afford) at this point is a controller that will support 11ac with a future software/firmware upgrade rather than wholesale replacement. I would phase ac in over time by replacing a portion of the APs each year, starting with high use/capacity areas, and beginning that project after the 11ac products have matured… and dropped in price. :)
>>
>> Anyway, any recent RFP or requirements documents would be much appreciated.
>>
>> Regards,
>> --
>> Harvard Townsend
>> Manager of Networking, Systems, and Storage
>> Wheaton College, IL
>> Email: harvard.towns...@wheaton.edu
>> Voice: (630)752-5528

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Distributed WiFi model - Thin vs Thick debate revisited
Jake,

It seems that distributed architectures charge a yearly support fee per AP. In the controller based world, we often skip AP support and self insure ourselves due to our large deployments. To keep in mind when the RFP comes back!!!

Also to consider:
 - IP mobility
 - Roaming: key exchange, re-auth to RADIUS (load?)
 - Openflow compatibility (ARISTA and Aruba are working on some Openflow pilots... how do various architectures adapt to switches and APs integrating with each other?)
 - PoE needs (If the AP is being asked to do more AND 802.11AC comes along... how will that work?)

Best,

Philippe Hanset
www.eduroam.us

On Apr 29, 2013, at 10:51 AM, Barros, Jacob jkbar...@grace.edu wrote:

> Hello all. We are seriously considering replacing our Aruba infrastructure in favor of a distributed model. We are having controller issues this academic year and the appeal of a controller-less model is strong. It feels like I am coming full circle to where I was six years ago. Though I know it's not exactly the same, I went back to the thin vs thick debates in the archives. A few things stood out to me as considerations: One concern was vendor longevity. Another was whether or not the thick AP model would be able to keep up with the controller based architecture. An advantage of the controller based architecture that stood out to me was central processing, specifically regarding key exchange. Are these points still valid concerns? If your administration asked you to consider a distributed architecture, what other (vendor-neutral) concerns would you have? Thanks, in advance, for your opinions!
>
> Jake Barros | Network Administrator | Office of Information Technology
> Grace College and Seminary | Winona Lake, IN | 574.372.5100 x6178

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Paying for eduroam (US)?
Jason,

When I first started eduroam in the US, I did that in my spare time while working at University of Tennessee and while supporting our growing Wi-Fi network. Mike (2004-2006), Dave (2007-2010), and Chad (2010-now) were my eduroam acolytes over the years. I couldn't have done it without them. When the success of eduroam started picking up, our group at University of Tennessee realized that it was not sustainable and Internet2 stepped in. With the help of the National Science Foundation, Internet2 is now representing the service and Chad and myself are doing operations and some R&D when time permits. With the current growth we will need a third person next month!

The NSF grant is now ending and Internet2 will subsidize its members. Non-members will be charged a fee to support the service in the US. We certainly hope that these costs will not slow the adoption of the service since it is having such a great momentum. We are also revisiting the cost model to consider small schools that are now joining the service.

Thank you,

Philippe

Philippe Hanset
www.eduroam.us

On Apr 26, 2013, at 11:14 AM, Schmidt, Jason W schm...@uww.edu wrote:

> After inquiring about joining eduroam (US), I was a little more than shocked to discover that this is now a paid service offered by Internet2. As we are not I2 members, the yearly costs would be about $1500/year for our institution. I am wondering what other people think about this, especially non-I2 members. Is this service worth that much per year? I am also concerned that these costs will slow or halt adoption of eduroam at smaller non-I2 schools, thereby limiting the benefits of the service.
>
> --
> Jason Schmidt
> Network Engineer
> UW-Whitewater

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Is it possible to crack a WPA2 Enterprise network
Jason,

There is an assumption in my answer that I forgot to mention: One can decrypt the traffic of another user with WPA2-PSK if one knows the passphrase of that particular WPA2-PSK network. This doesn't mean that WPA2-PSK is broken, but that in a large environment where everyone knows the passphrase, the encryption key of a user can be retrieved if the first 4 way handshake of that user can be captured (think roaming between APs!).

Also, if you do WPA2-PSK rather than WPA2-enterprise... you cannot do eduroam ;-)

Best,

Philippe

Philippe Hanset
www.eduroam.us

On Apr 18, 2013, at 10:29 PM, Becker, Jason jbec...@wustl.edu wrote:

> Thanks Philippe, we currently are using 802.1x and meant to just ask about the psk. Thanks!
>
> From: Hanset, Philippe C phan...@utk.edu
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Date: Thursday, April 18, 2013 4:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Is it possible to crack a WPA2 Enterprise network
>
> Jason,
>
> Your subject mentions WPA2-enterprise, and the body of your text mentions PSK. If you move your infrastructure to WPA2-PSK, yes, if someone watches the 4 way handshake they can get the key between AP and device for all people on the WPA2-PSK network. With WPA2-enterprise it is more complicated since each user has a key per session and you can also change the rekeying interval.
There are some papers out there showing that they can crack WPA2-enterprise but it seems like a lot of work Philippe Philippe Hanset www.eduroam.ushttp://www.eduroam.us/ On Apr 18, 2013, at 4:22 PM, Becker, Jason jbec...@wustl.edumailto:jbec...@wustl.edu wrote: We planned to move to a psk ssid but have heard that it is possible to decrypt this traffic if you have the key and watch the 4 way handshake to get the key between the ap and device. Has anyone run into this or been able to do this? ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Is it possible to crack a WPA2 Enterprise network
Jason,

Your subject mentions WPA2-Enterprise, and the body of your text mentions PSK. If you move your infrastructure to WPA2-PSK, yes, if someone watches the 4-way handshake they can get the key between AP and device for all people on the WPA2-PSK network. With WPA2-Enterprise it is more complicated since each user has a key per session and you can also change the rekeying interval. There are some papers out there showing that they can crack WPA2-Enterprise, but it seems like a lot of work.

Philippe

Philippe Hanset
www.eduroam.us

On Apr 18, 2013, at 4:22 PM, Becker, Jason jbec...@wustl.edu wrote:

We planned to move to a PSK SSID but have heard that it is possible to decrypt this traffic if you have the key and watch the 4-way handshake to get the key between the AP and device. Has anyone run into this or been able to do this?
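An added illustration of the distinction Philippe draws in this thread (my own example code, not from the thread or from eduroam-US): under WPA2-PSK the pairwise master key is derived from nothing but the passphrase and the SSID, so every station on the network holds the same PMK and so does anyone else who knows the passphrase; under WPA2-Enterprise the PMK is the first 256 bits of the EAP MSK that each authentication produces afresh. The MAC addresses and MSK bytes below are constructed stand-ins, not captured values.

```python
import hashlib
import secrets

# WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
# Nothing client-specific goes in, so every station on the SSID ends up with the
# same PMK. The per-session PTK is then derived from the PMK plus the two MAC
# addresses and the two nonces, all of which travel in the clear in the 4-way
# handshake; the PMK is the only secret input, which is Philippe's point above.
def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)

# WPA2-Enterprise: the tunneled EAP method (PEAP, EAP-TTLS, EAP-TLS, ...) yields a
# fresh 64-byte MSK per authentication and the PMK is its first 32 bytes. Only the
# client and its home RADIUS server compute the MSK; the AP is handed the PMK.
def pmk_from_msk(msk: bytes) -> bytes:
    if len(msk) < 64:
        raise ValueError("an EAP MSK is 64 bytes")
    return msk[:32]

def psk_pmks(passphrase: str, ssid: str, station_macs) -> dict:
    """PMK each station on a PSK network holds: the same value for every MAC."""
    return {mac: pmk_from_passphrase(passphrase, ssid) for mac in station_macs}

def enterprise_pmks(station_macs) -> dict:
    """PMK per station after an enterprise authentication. The MSK here is a
    constructed stand-in (random bytes) for what the EAP method would produce;
    real sessions differ from each other in exactly the same way."""
    return {mac: pmk_from_msk(secrets.token_bytes(64)) for mac in station_macs}

def distinct_pmk_count(pmks: dict) -> int:
    """How many different master keys an observer would have to know."""
    return len(set(pmks.values()))

if __name__ == "__main__":
    macs = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]  # constructed
    print("PSK network, distinct PMKs:",
          distinct_pmk_count(psk_pmks("correct horse", "campus-psk", macs)))
    print("Enterprise network, distinct PMKs:", distinct_pmk_count(enterprise_pmks(macs)))
```

Changing the rekeying interval Philippe mentions refreshes group/pairwise transient keys; it does not change the PMK, so it does not alter which of the two situations above you are in.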
Re: [WIRELESS-LAN] eduroam question(s)
Julian,

I can answer that for you. All universities connected to the eduroam-US server are only using domains that they own, and in the form *.domainowned.edu. Some use multiple domains (e.g. utk.edu and tennessee.edu), but all are owned by the university.

Best,
Philippe Hanset
www.eduroamus.org

On Nov 14, 2012, at 12:14 PM, Julian Y Koh kohs...@northwestern.edu wrote:

On Nov 13, 2012, at 09:11 , Hanset, Philippe C phan...@utk.edu wrote:

For sanity, we will only pass to you *.northwestern.edu or other domains that you own and would like to be resolved, e.g. northwestern-1.edu

Are there any stats available as to how many institutions are using a different eduroam domain than their regular top-level DNS domain? I'm thinking about tossing together a quick SurveyMonkey survey to collect some of this info if it's not available.

--
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
Re: [WIRELESS-LAN] Eduroam technical questions
Lee,

eduroam is EAP agnostic. All that the roaming does is pass the initial SSL/TLS tunnel to the home institution. Then, in the tunnel, exchanges occur between your device and your home institution. So, as long as your institution does a tunneled EAP, you are done. The visited institution has nothing to do with your EAP method. EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work.

Philippe

On Nov 13, 2012, at 9:52 AM, Lee H Badman lhbad...@syr.edu wrote:

I have read through the most recent docs, not quite grasping:
- If we use MS-CHAPv2 w/ PEAP on our campus, and that's all we want to use, does that exclude us from Eduroam?
- If not, what happens when I roam to another campus that uses TLS, or vice versa?

The goal is autoconnection, with no reconfig, but is everyone on Eduroam really and truly using the same EAP with no need to reconfigure as you roam campus to campus? Sorry to be thick, I realize a lot of time went in to the documents.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003
Re: [WIRELESS-LAN] eduroam question(s)
For sanity, we will only pass to you *.northwestern.edu or other domains that you own and would like to be resolved, e.g. northwestern-1.edu

On Nov 13, 2012, at 9:24 AM, Julian Y Koh kohs...@northwestern.edu wrote:

On Nov 12, 2012, at 18:34 , Hanset, Philippe C phan...@utk.edu wrote:

To answer the sub-domain question: we pass to your University everything in the form @*.university.edu. So you decide what to do.

But that's still not recommended as per the eduroam best practices? Is there a requirement that the university.edu match what we actually use? i.e., could we do something like nu-eduroam.edu instead of northwestern.edu? (note: I'm not saying that would be a good idea, just trying to understand what's possible :) )

--
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
Re: [WIRELESS-LAN] Eduroam technical questions
Lee,

Your campus only terminates EAP sessions for YOUR users. For visitors, you take the initial TLS negotiation (with the outer tunnel identity, e.g. lhbad...@syr.edu, or anonym...@syr.edu, or @syr.edu) and you pass it to the top level. You never deal with the EAP type for visitors. In your RADIUS server you basically have a switch: pass to top level OR terminate locally. Take a look at some config examples: http://www.eduroamus.org/radius_configuration

Philippe

On Nov 13, 2012, at 10:12 AM, Lee H Badman lhbad...@syr.edu wrote:

Thanks, Philippe. I'm talking more from the supplicant config side. So we use Xpressconnect to configure our supplicants to only use MS-CHAPv2/PEAP while disabling the other EAP types, and in RADIUS only have this single EAP type enabled. So if our Eduroam SSID required this EAP type, and someone showed up and hit our EDUROAM with their supplicant configured for EAP-TLS for EDUROAM, a reconfiguration would be required, no? Or am I really missing something important?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C [phan...@utk.edu]
Sent: Tuesday, November 13, 2012 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam technical questions

Lee,

eduroam is EAP agnostic. All that the roaming does is pass the initial SSL/TLS tunnel to the home institution. Then, in the tunnel, exchanges occur between your device and your home institution. So, as long as your institution does a tunneled EAP, you are done. The visited institution has nothing to do with your EAP method. EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work.

Philippe

On Nov 13, 2012, at 9:52 AM, Lee H Badman lhbad...@syr.edu wrote:

I have read through the most recent docs, not quite grasping:
- If we use MS-CHAPv2 w/ PEAP on our campus, and that's all we want to use, does that exclude us from Eduroam?
- If not, what happens when I roam to another campus that uses TLS, or vice versa?

The goal is autoconnection, with no reconfig, but is everyone on Eduroam really and truly using the same EAP with no need to reconfigure as you roam campus to campus? Sorry to be thick, I realize a lot of time went in to the documents.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003
Re: [WIRELESS-LAN] Eduroam technical questions
Robert,

You are, of course, allowed to deactivate users that are reported for abuse. This is your institution's network!

Philippe

On Nov 13, 2012, at 10:12 AM, Colantuoni, Robert r...@buffalo.edu wrote:

OK – one more question – We are currently handling security reports regarding abuse on our wireless network by looking up the IP/user and then pushing the user account into a “deact” group and filtering for that on the RADIUS server. This cuts off the user's network access without affecting their ability to check email, and it can be automated on the operational side. Has anyone instituted a filter on their Eduroam realm that could disable user accounts if they are reported for abuse? What is the policy on this – can we do that?

---
Robert G Colantuoni
Senior Programmer Analyst
CIT - Network and Classroom Services
SUNY Buffalo
r...@buffalo.edu
716.645.3552

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Tuesday, November 13, 2012 10:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam technical questions

Lee,

eduroam is EAP agnostic. All that the roaming does is pass the initial SSL/TLS tunnel to the home institution. Then, in the tunnel, exchanges occur between your device and your home institution. So, as long as your institution does a tunneled EAP, you are done. The visited institution has nothing to do with your EAP method. EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work.

Philippe

On Nov 13, 2012, at 9:52 AM, Lee H Badman lhbad...@syr.edu wrote:

I have read through the most recent docs, not quite grasping:
- If we use MS-CHAPv2 w/ PEAP on our campus, and that's all we want to use, does that exclude us from Eduroam?
- If not, what happens when I roam to another campus that uses TLS, or vice versa?

The goal is autoconnection, with no reconfig, but is everyone on Eduroam really and truly using the same EAP with no need to reconfigure as you roam campus to campus? Sorry to be thick, I realize a lot of time went in to the documents.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003
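The "switch" Philippe describes (pass to top level OR terminate locally), together with the owned-domain rule from the eduroam question(s) thread and Robert's deact-group filter, modelled as an added Python example (mine, not configuration from eduroam-US or from any RADIUS server; the real FreeRADIUS syntax is at the URL Philippe gives). My modelling assumptions: realms are matched by suffix against the domains an institution owns, a realm-less outer identity is rejected because there is nothing to route on, and the deact check runs only at the home institution, which is the only place the inner identity is ever visible.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# A DNS-style realm: two or more labels of [a-z0-9-], no leading/trailing hyphen.
REALM_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

@dataclass(frozen=True)
class Decision:
    action: str   # "terminate-locally" | "forward-to-eduroam-us" | "accept" | "reject"
    reason: str

def realm_of(user_name: str) -> Optional[str]:
    """Realm = text after the last '@' of the outer identity, lower-cased; None if absent.
    Anonymous outer identities such as 'anonymous@syr.edu' or '@syr.edu' still carry one."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None

def realm_is_ours(realm: str, owned_domains: Iterable[str]) -> bool:
    """True for an owned domain or any sub-domain of it (the *.domainowned.edu form)."""
    return any(realm == d or realm.endswith("." + d) for d in owned_domains)

def route_outer(user_name: str, owned_domains: Iterable[str]) -> Decision:
    """Stage 1, run by whichever RADIUS server sees the first EAP round: the only thing
    it may look at is the realm. It either terminates the TLS tunnel itself or proxies
    the whole EAP conversation upward untouched, never touching the EAP type."""
    realm = realm_of(user_name)
    if realm is None:
        # Assumption: with no realm the request cannot be proxied anywhere.
        return Decision("reject", "no realm in outer identity")
    if not REALM_RE.match(realm):
        return Decision("reject", "malformed realm")
    if realm_is_ours(realm, owned_domains):
        return Decision("terminate-locally", f"realm {realm} is ours")
    return Decision("forward-to-eduroam-us", f"realm {realm} is not ours")

def authorize_inner(inner_identity: str, deactivated: FrozenSet[str]) -> Decision:
    """Stage 2, home institution only: once the tunnel is terminated here the real
    (inner) identity is visible, so this is where the abuse 'deact' filter applies.
    A visited institution never sees the inner identity and cannot apply it."""
    if inner_identity.strip().lower() in deactivated:
        return Decision("reject", "account is in the deact group")
    return Decision("accept", "inner identity authenticated locally")

if __name__ == "__main__":
    owned = frozenset({"utk.edu", "tennessee.edu"})          # from the thread
    deact = frozenset({"abuser@utk.edu"})                     # constructed sample
    for outer in ("anonymous@utk.edu", "@utc.tennessee.edu", "lhbadman@syr.edu", "localuser"):
        print(outer, "->", route_outer(outer, owned))
    print(authorize_inner("abuser@utk.edu", deact))
```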
Report from Educause (the session was not streamed)
Educause-Denver-2012 was a success. Great topics, amazing weather, great audience, and even good food! The following topics were tackled by the Wireless-LAN group within the 50 minutes assigned. Here is the report from our meeting. Thank you to Jeffrey Ballentine from UPenn for taking notes during the meeting.

• 802.11AC: Why wait? Why jump?
AC is 5 GHz only, the first offering will not support multi-user MIMO (the ability to support multiple devices on different streams) and it might take one more year before multi-user MIMO is supported. The group was wondering if vendors were already offering AC devices. As usual with Wi-Fi, consumer APs are available first, then enterprise grade. So, no rush on AC as of today. And really, multi-user MIMO seems to be the greatest benefit.

• How to empower users with Bonjour needs (or more generally speaking: mDNS)?
Members of the audience are starting to experience demand for support of devices like AppleTV, including remote control and display mirroring. It seems that as time passes, we won't be able to ignore it ;-)
- mDNSext, the new IETF proposal, looks to be the only non-vendor-specific solution in the pipeline (check Neil Johnson's post on this list for more info).
- Otherwise vendor-specific solutions range from light control of the multicast traffic to total control, turning multicast into unicast and even doing identity-based mDNSing (all MAC addresses assigned to a specific user can see each other even in different VLANs, which can also address some security concerns if devices are poorly configured).

• IP depletion (NAT?, lease time?, DHCP server load)
It seems that everyone is using NAT with leases from 10 min to 30 min to answer the growth, and one institution is doing 1-day leases without issues. Most people do NAT on their firewall. The issue of logs was raised, but not many concerns there. One institution has a two-week retention policy which doesn't overload the log storage at all!

• As a side discussion we talked about RADIUS load... and that is definitely something to watch out for! Many members of the audience reported issues. One institution is considering putting RADIUS behind a load balancer.

• How to deal with devices that cannot do 802.1x
Don't get rid of the NetReg SSID yet; it can come to the rescue with non-1x devices. Only one institution was doing 802.1x only. And many are doing one dedicated SSID with WPA2-PSK for institution-owned devices (scanners, projectors, etc...).

• Location Based Services (e.g. IP printing)
No one in the audience is using LBS or has seen a solution that is satisfactory. Do you?

• Success stories with IPv6 on Wi-Fi?
Not much traction there. Someone mentioned one example of a faculty member that needed to reach an IPv6-only site in Asia, and v6 had to be enabled for that purpose. Some have v6 enabled, but no one has a strategy in place. Remember June 6th is IPv6 day... do something!

• Is wireless management slowly moving to the switch? What does it mean for us? (Will it all work with OpenFlow seamlessly?) Any fear of being locked in with one vendor?
The Gartner magic quadrant is now combining wired and wireless. Most vendors are offering wireless and wired. Controllers can only do so much. A natural evolution seems to push some of the intelligence of wireless back to the edge. We had to cover that topic really quickly due to lack of time. At Tennessee we see the integration of wireless and wired as a good thing, to have the traditional network engineer be involved in wireless. Finding network engineers with wireless expertise is hard; this might address this issue eventually. On the negative side, being locked in with one vendor on wired and wireless is a deterrent to the adoption of such an architecture. Time will tell!

• Outdoor heat maps
Someone in the audience needed the ability to plot outdoor heat maps. No one had an answer for a solution. Do you?

Voila! Comments welcome.

Best,
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
Re: [WIRELESS-LAN] eduroam question(s)
... We have the stats but are not publishing institution-specific ones for privacy reasons. http://www.eduroamus.org/node/232

I have testimonials from schools like UCSD and UChicago that immediately noticed hundreds of visitors on their campuses. Drexel University, for instance, had 40 eduroam users the first day they turned the SSID on. In general, large institutions are amazed at how many eduroam visitors they have on campus. This said, the largest benefit is to make your campus population compatible with locations that heavily use eduroam (e.g. if your study abroad students go to Europe or Australia). There are places in Europe that make it very difficult to use anything other than eduroam.

To answer the question about using eduroam as the main 1X network: we have seen schools doing that very successfully. (You are definitely ready to roam... just by using it at your school.) Here at UT Knoxville, we have opted to still keep the UTK-branded 1x network and the eduroam network together for a while, with the idea of getting rid of the UTK 1x (called ut-wpa2) in the future. In reality this is just a beaconing difference... in the back we resolve people that join eduroam with @utk.edu credentials to the exact same VLANs as the people joining ut-wpa2.

To answer the sub-domain question: we pass to your University everything in the form @*.university.edu. So you decide what to do. If you have alias issues, in some cases an installer like Xpressconnect can be very helpful.

Best,
Philippe Hanset
www.eduroamus.org
(eduroam is now an Internet2 NET+ Service)

On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote:

Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering.

Lee Badman

On Nov 12, 2012, at 18:27, Jeff Kell jeff-k...@utc.edu wrote:

Hey Julian,

We recently went through this after cranking up eduroam officially this past fall. We have similar points of confusion, plus a bonus. Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers; where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID.

And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one.

I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X).

Jeff

On 11/12/2012 6:11 PM, Julian Y Koh wrote:

So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since, at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this?

As an alternative, has anyone looked into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :)

Thanks!!
Re: [WIRELESS-LAN] eduroam question(s)
On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote:

Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering.

How can you beat instant authentication with encryption over the air? Even an open network doesn't give that! I walk on a campus and my phone automatically switches from 3G to Wi-Fi for data, not hitting my less than adequate quotas. You are the hardest man to convince, Lee ;-)

Philippe

Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers; where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID.

And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one.

I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X).

Jeff

On 11/12/2012 6:11 PM, Julian Y Koh wrote:

So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since, at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this?

As an alternative, has anyone looked into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :)

Thanks!!
Re: [WIRELESS-LAN] eduroam question(s)
Done. It's called 802.11u, which is now part of 802.11. The SSID will soon be irrelevant anyway. All you will do is a Roaming Operator challenge!

Philippe

On Nov 12, 2012, at 9:41 PM, Lee H Badman lhbad...@syr.edu wrote:

Also... Does anyone get a bit turned off about having yet another SSID in the air, or debranding your own in favor of pushing Eduroam as your SSID? Again, just wondering. Let's task Philippe with figuring out a way to make the Eduroam underpinnings work automagically with any SSID we choose. Can we get that by Friday?

On Nov 12, 2012, at 21:36, Lee H Badman lhbad...@syr.edu wrote:

Nah, just like to understand the benefit before making changes. Trying to gauge how many nomadic WLAN users are really roaming from school to school, as opposed to users connecting to it on their own campus. Seems like a fair exercise :)

Sent from an Etch-a-Sketch. Please excuse squiggly lines.

On Nov 12, 2012, at 19:44, Hanset, Philippe C phan...@utk.edu wrote:

On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote:

Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering.

How can you beat instant authentication with encryption over the air? Even an open network doesn't give that! I walk on a campus and my phone automatically switches from 3G to Wi-Fi for data, not hitting my less than adequate quotas. You are the hardest man to convince, Lee ;-)

Philippe

Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers; where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID.

And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one.

I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X).

Jeff

On 11/12/2012 6:11 PM, Julian Y Koh wrote:

So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since, at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this?

As an alternative, has anyone looked into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :)

Thanks!!
See you at Educause… (Denver, CO)
The Wireless-LAN session is on Wednesday Nov 7, from 10:30 till 11:20 Mountain Time, room 402.

Topics that come to mind:
- 802.11AC: Why wait? Why jump?
- How to empower users with Bonjour needs? (or consequences for not doing it)
- Is wireless management slowly moving to the switch? What does it mean for us? (Will it all work with OpenFlow seamlessly?)

Any other topic you want us to discuss?

Thanks,
Have a good weekend,
Philippe
Univ. of TN
Re: [WIRELESS-LAN] Favorite 802.3af injector for Cisco?
PowerDsine definitely! One reminder: if you have old wiring where the Cat5 is split into two circuits (2 pairs for each circuit... was popular in some places in the nineties), you cannot use a midspan (power injector), but you can use an endspan (powered switch).

Philippe
Univ. of TN

On Oct 29, 2012, at 12:45 PM, Watters, John john.watt...@ua.edu wrote:

We also use the PowerDsine injectors. They come in 6, 12, 24-port models.

-jcw
-
John Watters
UA: OIT
205-348-3992

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Nathan Hay
Sent: Monday, October 29, 2012 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Favorite 802.3af injector for Cisco?

Does anyone have a favorite non-Cisco PoE injector that they use with Cisco APs? Specifically for use with the 1042.

Thanks,
Nathan

Nathan Hay
Network Engineer | NOC
WinWholesale Inc.
sizing NAT and leases for the explosion
This is official, we have almost reached the capacity of our public IP addresses (20,000 just on Wireless). We love IPv6, but for the moment it's not going to solve our issue! So, NAT it is, and we have zero experience besides our visitor network that handles 1000+ users.
Our plan is to terminate NAT on our Fortinet firewalls, and assign 32 VLANs (in our Aruba VLAN pools) with a private /21 in each subnet. So ~64,000 IP addresses. We block mDNS etc... no worries there. We can now move away from the 30 minutes lease time and go to... I was thinking 12 or 14 hours. We plan to do NAT-PAT 1 public to 8 private IP ratio or 1 to 16.
People with similar size networks: Anything to worry about? DHCP capacity, NAT capacity, Logs, ...
Thank you in advance for your input,
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
communication from the Handheld and Mobile Computing Constituent Group
As you may have seen from recent posts on a few of the CG lists the Handheld and Mobile Computing CG is now Mobile Technologies. As the importance of mobile technologies has evolved since the inception of this constituent group and as the importance of mobile technologies continues to transform higher education the name of the CG has also transformed.
Steve diFilipo
Group Leader
Thank you,
Philippe Hanset
Univ. of TN
www.eduroamus.org
DHCP losing its mind….
All, (trying to help our systems group by asking this list)
Have any of you experienced DHCP issues due to too many machines requesting leases? We run two ISC DHCP servers (in Active-Active mode) with 30 minutes lease time, running on SUN V440, no unusual I/O load, no unusual CPU load and ethernet is fine. DHCP is literally not responding to lease requests, on wired and on wireless. We were fine during the summer (with 5000 concurrent users), but we are not now with 14,000 concurrent users.
Thanks,
Philippe
Philippe Hanset
University of Tennessee, Knoxville
www.eduroamus.org
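A constructed sizing calculator, added here and not posted by anyone on the list, that turns the figures in the NAT message and the DHCP message above (32 VLANs with a private /21 each, 1:8 or 1:16 PAT, 14,000 concurrent clients, 30-minute versus 12-hour leases) into the numbers a network team would check before committing. The ephemeral-port range used for PAT and the device-turnover rate are assumptions.

```python
"""Back-of-envelope capacity checks for a campus NAT/DHCP plan.

Constructed example for this thread; none of it is code or advice from
the list members. It answers three questions the plan raises: how big a
public pool the PAT ratio implies, how many ports each private client
gets, and what the lease time does to DHCP load and pool occupancy.
"""
import math

# Ports one public address can hand out for PAT translations.
# Assumption: the firewall uses the ephemeral range 1024-65535.
PAT_PORTS_PER_PUBLIC_IP = 65535 - 1024 + 1   # 64512


def nat_plan(vlans: int, prefix_len: int, pat_ratio: int) -> dict:
    """Size the private pool and the public PAT pool.

    pat_ratio is the number of private addresses sharing one public
    address (8 or 16 in the thread).
    """
    if not 8 <= prefix_len <= 30 or vlans < 1 or pat_ratio < 1:
        raise ValueError("unrealistic plan parameters")
    hosts_per_subnet = 2 ** (32 - prefix_len)
    usable_per_subnet = hosts_per_subnet - 3      # network, broadcast, gateway
    private_total = vlans * usable_per_subnet
    public_needed = math.ceil(private_total / pat_ratio)
    # Smallest CIDR block that holds the public pool.
    public_prefix = 32 - math.ceil(math.log2(public_needed))
    return {
        "private_addresses": private_total,
        "public_addresses": public_needed,
        "public_block": f"/{public_prefix}",
        # Fewer ports per client is the price of a tighter PAT ratio;
        # chatty clients (many parallel connections) hit this first.
        "ports_per_client": PAT_PORTS_PER_PUBLIC_IP // pat_ratio,
    }


def dhcp_renewals_per_second(concurrent_clients: int, lease_seconds: int) -> float:
    """Steady-state renewal rate: clients renew at T1, half the lease."""
    return concurrent_clients / (lease_seconds / 2)


def pool_needed(concurrent_clients: int, new_devices_per_hour: int,
                lease_hours: float) -> int:
    """Addresses the DHCP pool must hold with long leases.

    Simple model (assumption): a lease stays allocated for the full lease
    time after the device leaves, so the pool must cover every distinct
    device seen within one lease window, not just the concurrent peak.
    """
    return concurrent_clients + int(new_devices_per_hour * lease_hours)


if __name__ == "__main__":
    for ratio in (8, 16):
        print(f"1:{ratio} PAT ->", nat_plan(32, 21, ratio))
    for lease in (30 * 60, 12 * 3600):
        print(f"{lease}s lease: {dhcp_renewals_per_second(14000, lease):.2f} renewals/s")
    # Constructed turnover figure: 2,000 new devices per hour.
    print("pool needed at 12h lease:", pool_needed(14000, 2000, 12))
```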
Re: [WIRELESS-LAN] DHCP losing its mind..
Thank you all for the great suggestions. I have forwarded all to our system group.
Thank you again,
Philippe
On Aug 27, 2012, at 10:17 PM, Frank Bulk frnk...@iname.com wrote:
I assume you have ping-ahead turned off?
Frank
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Monday, August 27, 2012 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] DHCP losing its mind..
Re: [WIRELESS-LAN] Betr.: Re: [WIRELESS-LAN] Wireless Client Subnet sizing
Craig,
That's a very good point to remind us. It's easy to forget that with VLAN pooling each Access-Point does broadcast to all members based on VLANs represented on that Access-Point. With the scenario that you demonstrate (we have the same geographical behavior with class changes), eventually the advantage of VLAN pooling tends to disappear, especially in well travelled areas, the ones where we have so many people per AP that we really don't want any BC or MC traffic!
Here is what I would like to see in the future: One large VLAN for the entire WLAN (yes, you read that well, just like the good old days), with dynamic BC/MC filtering based on location. So basically your controllers will be geographically aware of groups of Access-Points that need to talk to each other but will not let the BroadCast and MultiCast traffic go beyond those boundaries. And then ARP proxy to limit the ARP traffic. This would address Mobility within the WLAN, and could even address Bonjour, while cleaning the air from distant BC/MC that you don't want to see. It might even provide a little more security since you have to be in the region to mess with the device ;-)
It is not uncommon to go back to initial conditions, but in the smarter way! Fish > Tetrapod > Mammal > Aquatic Mammal ;-)
Any vendor ready to implement this? Drawbacks? (Are there cases of people interested to remotely operate an AppleTV from one end of campus to another end of campus?)
Philippe
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
On Aug 2, 2012, at 1:06 PM, Craig Simons wrote:
This is what we've been doing for years (except we're using /22s). The issue that we see now is that with near 100% wireless coverage on our main campus, there are no dead spots or bad roaming areas. Users authenticate in one area and move to the next area. Take the following scenario: 100 students attend a lecture in building A. 25 of these students authenticated to wireless on the east side of campus on controller 1 (they received an IP in the range assigned to that controller). Another 25 of those students authenticated on the north side of campus on controller 2, 25 more on the south side on controller 3, etc. Now, as they all walk to their lecture, their wireless session roams until they sit down in the theatre. At this point the APs in the lecture theatre are servicing 4 separate networks (on the same SSID). To me, it's really a moot point to discuss the wasted airtime of management frames, broadcast, etc. Functionally speaking, all of the users are sharing the radio spectrum as if they were on the same IP subnet. Even though the students can only see the broadcast frames of their own network, they still have to wait for the air to be clear. This scenario is something we see all across the board in all areas of our campus. So, as we don't have any VLAN pooling features and have to balance our IPs manually so that none of the controllers run out of IPs, my thinking is why not just make it easier on ourselves and move to /21s and save the hassle of balancing?
Regards, Craig
SFU SIMON FRASER UNIVERSITY Network Services
Craig Simons, Network and Systems Administrator. Phone: 778-782-8036 Cell: 604-649-7977 Email: craigsim...@sfu.ca Twitter: simonscraig (http://www.twitter.com/simonscraig)
From: Kees Pronk cl.pr...@avans.nl
To: WIRELESS-LAN@listserv.educause.edu
Sent: Wednesday, 1 August, 2012 23:05:49
Subject: [WIRELESS-LAN] Betr.: Re: [WIRELESS-LAN] Wireless Client Subnet sizing
Aruba networks advises to keep the subnets /23 (for big campuses) because of wasted airtime due to increased management (beacons and mgt frames). I agree Cisco has excellent technical content, but imho for WLAN specifically, Aruba is better. http://www.arubanetworks.com/wp-content/uploads/DG_HighDensity_VRD.pdf
Regards, Kees Pronk
Network admin engineer, Avans University of Applied Sciences, Diensteenheid ICT en Facilitaire Dienst (DIF) - ICT-Beheer
Visiting address: Hogeschoollaan 1, Room HG204, 4818 CR Breda, The Netherlands
Postal address: Postbus 90116, 4800 RA Breda
E: cl.pr...@avans.nl T: @rovinguser
Tristan Rhodes tristanrho...@weber.edu 8/1/2012 11:12
Like it was mentioned by Anders, this excellent material is freely available after a registration. Funny though, it seems that you can access the file directly: Design and Deployment of Enterprise WLANs (BRKEWN-2010) http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKEWN-2010.pdf Cisco has the most technical content available, compared to any other network vendor that I am aware of.
Cheers! Tristan
-- Tristan Rhodes, Network Engineer, Weber State University, (801) 626-8549
On 7/31/2012 at 5:01 PM, Mark Duling mark.dul...@biola.edu wrote:
Luke, it looks like
Re: [WIRELESS-LAN] Apple Petition
Neil et al.,
About the petition, I would like to provide two comments: (sorry for the delay, I was enjoying a few days off in NYC... man what a city!)
1) I would propose not to ask to support in enterprise networks but in Academic Environments. Though many of our networks are run like enterprise networks, we are unique in three ways for this petition:
- We have one of the largest Apple Devices penetration one can imagine (as you mention already in the petition)
- The vast majority of the devices on our networks do not belong to the enterprise but to users (we were doing BYOD before Wi-Fi existed)
- Our users want to use every cool gadget that Apple can think of, the day of the release.
Apple persists in saying that they do not support enterprise deployments, but they do emphasize education. So, let's use the lingo to convince them to help us.
2) To introduce our demands, why not list our use cases first (I'll start by listing the two use cases that we have encountered so far, more can be listed) e.g.:
Use case #1
- Our faculty insists on bringing AppleTV in conference rooms, but we run WPA2-enterprise and cannot support large Multicast domains. This brings two problems:
- The Apple TV cannot join our existing networks without using ugly network detours (we can temporarily support a few exceptions but nothing campus wide)
- Those Apple TVs cannot be controlled by i-devices, only the infrared remote control (and the password can be seen being typed by all members of the audience)
Use case #2
- Students want to operate Apple TVs in dormitories. Unlike private houses, our dormitories are run as large networks. As in use case #1 this generates 2 problems: join the network and control the device using Bonjour.
This will make the petition a little longer, but can make the reader understand our challenges a little better.
Philippe
Philippe Hanset
University of Tennessee, Knoxville
www.eduroamus.org
The current text of the petition:
We the undersigned academic and research institutions request that Apple provide support for Bonjour/Airplay technology in enterprise networks. With an Apple client device penetration of 50% or more on the typical campus, this amounts to thousands of Apple client devices whose owners desire to use their Apple TV and other Bonjour/Airplay based devices in classrooms, conference rooms, and in other locations on standards-based, enterprise-secure networks.
Specifically, we request the following (in order of priority):
* That Apple establish a way for Apple TVs (and other Bonjour/Airplay enabled devices) to be accessible across multiple IPv4 and IPv6 sub-nets.
* That the Apple TV support Enterprise Wireless Encryption and Authentication (WPA2-Enterprise).
* That authentication to the Apple TV be able to utilize enterprise Authentication, Authorization, and Accounting (AAA) services.
Any enterprise Bonjour/Airplay solution needs to meet the following criteria:
* It must scale to 100's-1000's of Bonjour/Airplay enabled devices.
* It must work with wired and wireless networks from different vendors.
* It must not significantly negatively impact network traffic (wired and wireless).
* It must be easily manageable at scale.
* If it requires a separate hardware solution, that the solution must be enterprise grade (rack mountable, dual power supplies, etc.)
* It must be provided at a reasonable cost.
Providing support for Bonjour and Airplay Technologies on enterprise networks would benefit both our institutions and Apple by allowing Apple device owners the ability to use their devices as teaching and research aids, increasing the utility of and desirability of those devices. We would be happy to collaborate with Apple in the development of enterprise support for these devices. Thank you.
On Jul 10, 2012, at 8:17 PM, Johnson, Neil M wrote:
This is where I have been keeping the latest draft. https://www.facebook.com/groups/enterpriseairplay/files/
-Neil
-- Neil Johnson, Network Engineer, The University of Iowa. Phone: 319 384-0938 Fax: 319 335-2951 Mobile: 319 540-2081 E-Mail: neil-john...@uiowa.edu
From: Jesse Rink jesse-r...@wi.rr.com
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Tuesday, July 10, 2012 5:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition
All this chat about the Apple Petition yet I don't seem to find a link for it anywhere? Did I miss this in past messages? Can't seem to locate anything..
Thanks J
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Garry
Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)
Thank you Lee. I definitely believe that it is a great use of the list... A request made by Academia and for Academia.
Let me add: Even as an Apple shareholder (no conflict of interest, more of a vested interest in the matter ;-), I believe that it is way past our time to voice our opinion strongly. We cannot continue to create ugly hacks to support those enterprise non-friendly protocols. I love my Apple TV and can imagine that students and faculty feel the same. I would like to support these cool devices on campus, but how? (and without destroying my Wi-Fi!) The local Student Apple representative on our campus asked me if he could bring up an Apple Airport Extreme on campus to show the features of Airplay to students... (I almost lost it ;-).
In a sense, we don't need to be too detailed in our request; it could be: Apple! help us support AirPlay on our campus networks. Just to start a dialog (and add a few specifics).
Should we start with a petition, as you all suggested, and if we get no response, we try the FaceBook approach (create a group)? Or immediately go the FB way? I agree with the maturity process of a week.
Philippe
Univ. of TN
On Jul 5, 2012, at 5:12 PM, Lee H Badman wrote:
So... two thoughts. Perhaps give it another week for people to chime in with their gripes and let the list discuss them? Then perhaps digital signatures- DocuSign is free and elegant. I guess also, a courtesy inquiry to Philippe over whether he sees this as prudent use of the group is probably in order. Say, Philippe- do you see this as prudent use of the list?
Thanks, Lee
Lee H. Badman, Wireless/Network Engineer, ITS, Adjunct Instructor, iSchool, Syracuse University 315.443.3003
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Curtis K. Larsen [curtis.k.lar...@utah.edu]
Sent: Thursday, July 05, 2012 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)
You should add fast-roaming to the list. No Mac or iOS device supports fast roaming with Opportunistic Key Caching. They can do PMK Sticky, but it is not the same as OKC. With Sticky, it is only fast when you roam back to an AP you've been on, and the client can only cache up to 8 APs.
Curtis Larsen, Wireless Network Engineer, University of Utah 801-587-1313
On 07/05/2012 02:46 PM, Lee H Badman wrote:
Pretty much what I was thinking (ballpark) with all Educause schools individually signed on. May not amount to anything, but would in itself be media fodder.
Lee H. Badman, Wireless/Network Engineer, ITS, Adjunct Instructor, iSchool, Syracuse University 315.443.3003
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Johnson, Neil M [neil-john...@uiowa.edu]
Sent: Thursday, July 05, 2012 3:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)
I'm a little fuzzy on the specific things to request from Apple, but here is a first pass:
Whereas, we the undersigned academic and research institutions are receiving numerous requests from our faculty, staff, and students for the ability to utilize Airplay technology in classrooms, conference rooms, and other locations, hereby solemnly request that Apple provide support for Airplay technology in enterprise wireless networks.
Specifically, we request the following (in order of priority):
* That Apple establish a way for the Apple TV (and other Airplay enabled devices) to be discoverable across multiple IPv4 and IPv6 subnets, or lacking that:
* That Apple establish a way for the Apple TV (and other Airplay enabled devices) to be easily statically configured to be accessible across multiple IPv4 and IPv6 subnets
* That the Apple TV support Enterprise Wireless Encryption and Authentication (WPA2-Enterprise)
* That authentication to the Apple TV be able to utilize enterprise authentication services (LDAP and/or AD)
Failure to provide this support severely limits the usefulness (and desirability) of Apple products in our institutions. At your earliest convenience please provide us with a roadmap for support of Airplay and related technologies in enterprise wireless environments. Thank you.
-- Neil Johnson, Network Engineer, The University of Iowa. Phone: 319 384-0938 Fax: 319 335-2951 Mobile: 319 540-2081 E-Mail: neil-john...@uiowa.edu
From: Watters, John john.watt...@ua.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group
Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.
Mike,
For a one off and minimal investment, I would bring up an Open-WRT or DD-WRT AP (or any affordable AP that is capable of doing WPA2-enterprise) independent from your regular infrastructure and make people join a dedicated subnet for that room (use NAT, and WPA2-enterprise). Connect the Apple TV to the wired port of the AP and broadcast a dedicated SSID. With WPA2-enterprise joining your RADIUS server you can make it secure. It is a dirty solution, electromagnetically speaking, but quick.
If the conference room has too many users for one AP, create a dedicated SSID just for that conference room on your existing infrastructure and terminate the VLAN of that SSID on the same VLAN as the AppleTV.
Philippe Hanset
Univ. of TN
www.eduroamus.org
On Jul 3, 2012, at 9:06 AM, Mike King wrote:
So I have Cisco Wireless, and I've just been asked to make Airplay work in a conference room. We do not have multicast enabled (anywhere). Asking for details, I've been told it's only this one conference room. (I somewhat believe this, as it is the only one that has a projector that gets any use) Suggestions for this as a one off? I have ideas on what to do for a campus wide deployment, but that will take me significantly longer to deploy, and my boss is asking me to have this done this week. Right now, we have a single WPA2/enterprise SSID, and the apple TV will most likely be wired (not required)
Mike
Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.
Mike,
Why would you have to turn Multicast on? (I don't know how Cisco controllers operate by default, I have to admit) If the subnet is small enough leave it without multicast turned on (you don't need IGMP on your switches either). The multicast traffic will fall back to broadcast and Bonjour will work. If that subnet is not too big, it should work for that one off. Of course this will make the air a little dirty everywhere that SSID is present, but it's just for one location.
Am I missing something here?
Philippe
On Jul 3, 2012, at 10:35 AM, Mike King wrote:
I voiced that solution and was shot down. If I do a separate SSID, on the same VLAN as the Apple TV, I'd still have to turn Multicast on on the controller, but I wouldn't have to roll out a PIM-SM deployment.
Mike
Re: [WIRELESS-LAN] Aruba Point to Point (PTP)
Brian,
We haven't done a point to point with 802.11n yet but our considerations, before 802.11n, were the following:
- We usually prefer a complete embedded solution (AP+Antennas in one enclosure) rather than an outdoor AP with connected antennas (e.g. Proxim used to do that with their Tsunami products, we have a QuickBridge 60 that has been up for 8 years without a glitch). Connectors tend to corrode (you can put all the tar-tape you want around an N-Type connector, eventually it will take moisture ;-). Embedded solutions only have one Cat5 or Cat6 with rugged connectors (O-ring and screw-on adapter). Especially with 802.11n, I would imagine that an embedded would be easier to handle than an outdoor AP with at least 2 antennas, if not 3!
- Beware of the Fresnel Zone and position your AP high enough. Line of Sight is not enough in some cases.
- Consider Management... If you use one vendor, you might want to stick to their solution (assuming that they have a decent p-t-p offering). The QB60 that I'm mentioning above requires a dedicated Java client that only runs on a Windows PC... that didn't age too well and only one or two people in our group still remember how that thing works.
Best,
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
On Jun 13, 2012, at 8:13 AM, Brian David wrote:
All, I wanted to get people's perspective on their PTP wireless deployment. How reliable is it for you? How much does the weather affect it? How much throughput are you getting and in what frequency are you using? We are looking to have a temporary deployment for a particular building that is less than a mile away and has excellent line of sight. Any input would be great. Thank you in advance.
Brian J David, Network Systems Engineer, Boston College
Re: [WIRELESS-LAN] Location Based Printing
Mike,
For wireless, we use release based printing. No one knows where you are better than you ;-) You can send a print job from anywhere you want. It goes to a print queue (the print queue also has the advantage of doing accounting per person). To release the print job at the right location, you have to authenticate to the printer on site (small workstation attached to the printer). There are also commercial solutions for this like WEPA: https://www.wepanow.com/ This doesn't work for private printers of course, only for institution based printers.
Philippe
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
On May 31, 2012, at 7:58 AM, Osborne, Bruce W wrote:
Mike, I think Aruba's AirGroup will be interesting too when it is finally released. It is currently in alpha status, I believe. According to their tech brief http://www.arubanetworks.com/pdf/technology/TB_AirGroupWLANServices.pdf it appears Aruba is initially planning on using AP association for determining location. Perhaps they can incorporate their AP grouping feature so this would work better in dense environments. At Liberty University, we are an all-Cisco shop but we have found Aruba's wireless products to be more feature rich and less expensive than Cisco's offerings. We have also found Aruba's technical support to be exceptional, especially when compared to our Cisco support experiences with their fat APs. I know that if there is a feature we absolutely require, Aruba will work with us to develop it. They did that to enable us to offer our IPTV services on our wireless network. If you start with Aruba's AirWave product, you can manage Cisco as well as Aruba APs from one management server.
Bruce Osborne, Network Engineer, IT Network Services (434) 592-4229, LIBERTY UNIVERSITY, Training Champions for Christ since 1971
From: Mike King [mailto:m...@mpking.com]
Sent: Wednesday, May 30, 2012 3:21 PM
Subject: Location Based Printing
We're piloting a VDI deployment, and I just got blindsided by my server team. I'm looking for some ideas. The VDI deployment has been sold to management with location based printing. It slices, it dices, it knows where you are and will select the appropriate printer for you. This works all well and good in the labs and desktop replacements because it's all subnet based. If Endpoint X is in Subnet Y, map Printer Z. This falls over with a tremendous bang when you're using wireless. We're currently using Cisco Wireless, with a couple controllers, with all the access points tunneling the traffic back to the controllers. Means, without fail, almost everyone everywhere has the same address. Especially if you roam to another building, or a different part of a big building. The next big push with VDI is moving to BYOD (Bring Your Own Device) and the iPad users are lining up. So anyone using Cisco Wireless done any sort of location based printing on the wireless? We do own a location appliance. I know that new Aruba feature (AirGroup) is looking mighty tempting right now.
Mike
Re: [WIRELESS-LAN] Radius Load-balancing and Aruba
Michael,
Have you inquired about the built-in load balancing features of RADIATOR? You might not need an extra load balancer... Specifically one of these clauses: AuthBy ROUNDROBIN, AuthBy VOLUMEBALANCE, AuthBy LOADBALANCE, AuthBy HASHBALANCE, AuthBy EAPBALANCE.
Philippe
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
On May 15, 2012, at 2:05 PM, Michael Hulko wrote:
We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication. The foundation is: Citrix NetScaler 9000s, Aruba M3 controllers, Radiator radius server (currently 3) on a Windows platform. We have been unable to successfully get authentication to work. We are getting Aruba involved, but they do not seem to have an answer yet. Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.
Thanks
Michael Hulko, Network Analyst, Western University Canada, Network Operations Centre, Information Technology Services, 1393 Western Road, SSB 3300CC, London, Ontario N6G 1G9, tel: 519-661-2111 x81390, e-mail: mihu...@uwo.ca
Re: [WIRELESS-LAN] Sponsored SSID?
Lee,
In Knoxville, TN we have Buddy's Barbecue (AKA Buddy's BBQ), and we cannot resell an SSID as a state school. I believe there is an Educause AUP about not mentioning BBQ before 11 a.m. EST. Supposedly it creates various unwanted Pavlov conditionings within our community. Also, next thing you know, the Eastern North Carolina guys will argue how best their BBQ is compared to the Western North Carolina guys... and don't even throw Alabama in the mix, or for that matter, any Southern state ;-)
Philippe
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
p.s. Disclaimer: there is no Educause AUP about BBQ ;-)
On May 15, 2012, at 9:07 AM, Lee H Badman wrote:
For context, this is nothing more than a curious notion. Other than the likes of the ATT outsourced model, has anyone ever gone the path of selling an SSID for one of your own wireless networks? Something like WirelessByBubba'sBarbeque kinda thing? (Mmmm. Barbeque...)
Thanks- Lee Badman
Re: [WIRELESS-LAN] 4-channels in 2.4 GHz
Lee,
Univ. of TN Knoxville still runs 4 channels (1-4-8-11) and has been doing so since 2000! This said, we had a long discussion with Aruba Networks engineers about 3 vs 4 and they mentioned that their algorithms are better tuned for 3 channels (I suspect that it is the case for most vendors that provide managed APs). The reasoning is that an AP (or controller) can more easily detect and deal with co-channel interference than it can with adjacent channel interference (not as detectable). So, we have tested a dormitory with 3 channels, and are very pleased with the results. The throughput increased slightly, which is not a small thing. We plan to convert the whole campus to 3 channels.
In the world of human managed APs it made more sense to us to have 4 channels. Easier graph coloring and we also measured a true benefit in high density environments. But we didn't change channels all the time and didn't play with power! In the world of managed APs, and if you don't plan to tweak settings from the manufacturer, I would say, stick with standards, in this case 3 channels, just because most of those systems are designed to do so.
Sorry, no cool graphs with measured differences, just a discussion ;-)
Best,
Philippe
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
On May 8, 2012, at 10:34 AM, Lee H Badman wrote:
With no intent to open a conversational can 'o worms, I'm curious if anyone is running a 4-channel plan on their production WLANs, that is willing to share their opinions and experiences on the topic.
Thanks- Lee
Lee H. Badman, Wireless/Network Engineer, ITS, Adjunct Instructor, iSchool, Syracuse University 315.443.3003
Re: [WIRELESS-LAN] 4-channels in 2.4 GHz
On May 8, 2012, at 3:00 PM, Coehoorn, Joel wrote:

The short answer is no. It comes down to the skirts again. Most low-end tools to measure wireless coverage do a poor job of showing this, but my understanding is that wifi RF is such that the skirts flare out quickly, and you have nearly all of the signal overlap even at fairly low power levels. These wide skirts make it impractical to try for four channels... you're almost as bad off as if you tried to use all eleven.

Joel,

You forgot the black magic part of wireless ;-) We didn't go with theory back in 2000, but with measurements. In a large auditorium with 100+ users and 4 APs, we were getting better throughput with 1-4-8-11 than with 1-6-11-1. We didn't play with smaller cells.

Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
Re: [WIRELESS-LAN] Eduroam question
Brian,

With eduroam the relation is strictly between the client and its home institution. As long as you use a tunneled EAP method (PEAP, EAP-TTLS, EAP-TLS, EAP-FAST, ...) you will be able to join eduroam. The main national and international eduroam servers only help pass the TLS tunnel between a user and its home institution without interruption (and using the outer tunnel information for routing), which makes the whole process EAP agnostic (as long as it can negotiate a TLS tunnel).

In summary: Pick any tunneled EAP method that your institution feels comfortable using.

Best,
Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org

On Apr 12, 2012, at 1:33 PM, Brian David wrote:

Greeting all,

We are looking into Eduroam again… I know other schools have done this.. One of the questions that came up is… Does every school use the same EAP type on the eduroam SSID?

Brian J David
Network Systems Engineer
Boston College
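The routing step described above (a proxy looks only at the realm of the outer identity and either terminates the TLS tunnel locally or forwards upstream), as an added example that is not part of the thread and not eduroam's own code. The local realm list, the upstream proxy name and the malformed-realm policy are constructed for illustration.

```python
"""Realm-based routing of an eduroam-style 802.1X request.

Added example, not code from eduroam-US or from the message above. The
institutional realms and the proxy hostname are constructed placeholders.
Only the outer identity is inspected: the inner identity stays inside the
TLS tunnel and is never seen by a proxy.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: realms this (hypothetical) institutional RADIUS server is authoritative for.
LOCAL_REALMS = {"utk.edu", "tennessee.edu"}
# Constructed placeholder for the next hop toward the national top-level servers.
NATIONAL_PROXY = "tlr.federation.example"
# A routable realm looks like a DNS domain with at least one dot. Single-label
# or malformed realms cannot be delivered anywhere, so they are refused at the
# edge instead of being forwarded up the hierarchy.
REALM_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass(frozen=True)
class Decision:
    action: str            # "local", "proxy" or "reject"
    target: Optional[str]  # realm handled locally, or the proxy to forward to
    reason: str


def split_nai(outer_identity: str) -> tuple:
    """Split an RFC 4282 NAI into (username, realm); realm is None if there is no '@'."""
    if "@" not in outer_identity:
        return outer_identity, None
    # The realm is everything after the LAST '@' (usernames may contain '@').
    user, _, realm = outer_identity.rpartition("@")
    return user, realm.strip().lower()


def route(outer_identity: str) -> Decision:
    """Decide what to do with an Access-Request based only on the outer realm."""
    _, realm = split_nai(outer_identity)
    if not realm:
        return Decision("reject", None, "no realm in outer identity")
    if realm in LOCAL_REALMS:
        return Decision("local", realm, "home realm: terminate the TLS tunnel here")
    if not REALM_RE.match(realm):
        return Decision("reject", None, f"unroutable realm {realm!r}")
    return Decision("proxy", NATIONAL_PROXY, f"foreign realm {realm!r}: forward upstream")


if __name__ == "__main__":
    for ident in ("anonymous@utk.edu", "student@brown.edu", "anonymous", "bob@localhost"):
        print(f"{ident:20} -> {route(ident)}")
```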
Re: [WIRELESS-LAN] SSIDs, devices and guests
Give different IP addresses on the visitor network that cannot access local resources (e.g. Blackboard). We also use the allow unknown clients in DHCP. Once a device is registered on the regular network, it will not receive a lease on the visitor network.

Philippe
Univ. of TN

On Jan 30, 2012, at 3:55 PM, Lee H Badman wrote:

How do you regulate the suck so guests can use it, but campus folks can't?

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Monday, January 30, 2012 3:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

To keep the students and employees off it.

-Brian

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Friday, January 27, 2012 10:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

I've seen this come up a couple of times. So I hope you don't mind me asking, what would be the advantage of providing very low total bandwidth for your guests?

Pete M.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, January 27, 2012 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

We rate shape the guest network to a very low total bandwidth and block all applications except email, web traffic and software/os update facilities.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Caroline Owens [ow...@sju.edu]
Sent: Thursday, January 19, 2012 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

The first thought that pops into my mind is that you might need to manage violation messages from the RIAA or other copyright-concerned organizations and what will your recourse be if you do not have security. We use Audible Magic's solution to try to do our due diligence as far as government standards in a way that is mostly automatic, but there are always a few that slip through. When we get the notices, we need to be able to find the device that caused them and we can do this on the wireless through the user authentication. Somebody else might have a solution to this or another thought process (actually that would be great!). But, that is ONE of our reasons right now. The other is the cost of our Internet bandwidth. We're in an urban environment and try to conserve our resources for our students, faculty, and staff.

Caroline Owens
Networking and Telecommunications
Saint Joseph's University
(610) 660-1613

- Original Message -
From: Bob Williamson bob_william...@aw.org
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, January 19, 2012 1:27:43 PM GMT -05:00 US/Canada Eastern
Subject: [WIRELESS-LAN] SSIDs, devices and guests

We are a small(ish) boarding school (K-12) with around 100 boarders. We are located in a residential neighborhood with a lot of homes very close to the school. Management wants an SSID for guests which does not require a password. My corporate reaction is that is crazy. My secondary/new to academia reaction is why not. If the guest network is completely separated from the internal network, severely limited in bandwidth, web filtered, protocol/applications blocked etc. Who cares? The only potential issue I could see is web filtering can't stop everything.

Then there is the whole question of how to handle personal devices for staff and students. Any thought on that would be appreciated as well. Thinking of hidden SSID (simply to make it less confusing for users) with MAC address limiting and DPSK (via Ruckus).

Thank you for any suggestions. I am finding the transition from a corporate environment to academic, especially with boarding students, to be quite interesting to say the least,

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org
D: +1.253.284.5465 | F: +1.253.572.3616 | bob_william...@aw.org

Annie Wright's strong community cultivates individual learners to become well-educated, creative, and responsible citizens for a global society.
Re: [WIRELESS-LAN] Wireless Bandwidth Restrictions
We limit the upload for our dormitories to 3 Mbps and the download to 10 Mbps per user on our Aruba controllers. Mostly because we still have 802.11b/g and need to manage the WLAN capacity (we rarely reach the limit on the WAN side). Once we upgrade to 802.11n with high density we will definitely reconsider.

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org

On Dec 1, 2011, at 6:09 PM, Cappalli, Tim G @ LSC-ITS wrote:

Hi All –

Does anyone utilize role-based bandwidth restrictions in their wireless controller (other than guest networks) or do you just leave WLAN traffic like a wired port and traffic shape on the WAN edge? We are using an Aruba centralized wireless network.

Tim Cappalli, CCNA ACWA | IT Services | (802) 626-6456 » tim.cappa...@lyndonstate.edu | it.lyndonstate.edu
Re: [WIRELESS-LAN] College deals with wireless issues
Pay $40 to violate our AUP and have a chance to be disconnected and not recover $40. I guess you can never discard dumb people! We will handle them carefully and one by one ;-)

Philippe

On Nov 11, 2011, at 9:25 AM, Osborne, Bruce W wrote:

And what if somebody pays your $40 per semester to connect their personal AP to your network?

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

From: Hanset, Philippe C [mailto:phan...@utk.edu]
Sent: Thursday, November 10, 2011 8:44 PM
Subject: Re: College deals with wireless issues

If you provide a great wifi coverage and no wired access you shouldn't have to worry about rogues (since there is no port to connect to ;-)

Philippe, University of TN, Knoxville

On Nov 10, 2011, at 8:29 PM, Jeff Kell jeff-k...@utc.edu wrote:

On 11/10/2011 8:24 PM, Harry Rauch wrote:

We have in our internet docs for students that rogue wireless devices that interfere with the dorm's internet usage will be requested to shutdown or the student will lose internet rights for 30 days. Students seem to be more than willing to shut off their wireless router after they are made aware of the problem; they honestly don't have a clue about the effects of their personal wireless and the school's.

We have similar policies. If we detect a rogue (shows up in our NAC as a NATed client), we quarantine the MAC address of the router. If they connect to their rogue wireless, they get a captive portal telling them to disconnect it! If they then connect directly, they are fine again. Other than us having to mark the MACs, it is self-remediating (and if the MAC returns, it gets the same result, regardless of the jack/location).

Jeff
Re: [WIRELESS-LAN] College deals with wireless issues
If you provide a great wifi coverage and no wired access you shouldn't have to worry about rogues (since there is no port to connect to ;-)

Philippe, University of TN, Knoxville

On Nov 10, 2011, at 8:29 PM, Jeff Kell jeff-k...@utc.edu wrote:

On 11/10/2011 8:24 PM, Harry Rauch wrote:

We have in our internet docs for students that rogue wireless devices that interfere with the dorm's internet usage will be requested to shutdown or the student will lose internet rights for 30 days. Students seem to be more than willing to shut off their wireless router after they are made aware of the problem; they honestly don't have a clue about the effects of their personal wireless and the school's.

We have similar policies. If we detect a rogue (shows up in our NAC as a NATed client), we quarantine the MAC address of the router. If they connect to their rogue wireless, they get a captive portal telling them to disconnect it! If they then connect directly, they are fine again. Other than us having to mark the MACs, it is self-remediating (and if the MAC returns, it gets the same result, regardless of the jack/location).

Jeff
Re: [WIRELESS-LAN] College deals with wireless issues
We support everything as long as it matches our design (e.g. we won't reenable 1 and 2 Mbps rates because a few people cannot join). We have a MAC based SSID (netreg based) for devices that cannot do WPA2 Enterprise. If gamers want wired access they can order wired on demand.. but they will have to pay for this. With a design of 8 users per AP I certainly hope that we won't have to throttle anything. Why throttle video?

Philippe, typing on a tiny keyboard

On Nov 10, 2011, at 9:00 PM, Brian Helman bhel...@salemstate.edu wrote:

Philippe,

Do you guys support gaming consoles? Our Wii users can't use our wireless .. no wpa2/Enterprise. And we are throttling (or even blocking) video more on wireless than on wired. You'd be surprised how quickly students plug in when they realize that.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C [phan...@utk.edu]
Sent: Thursday, November 10, 2011 8:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] College deals with wireless issues

If you provide a great wifi coverage and no wired access you shouldn't have to worry about rogues (since there is no port to connect to ;-)

Philippe, University of TN, Knoxville

On Nov 10, 2011, at 8:29 PM, Jeff Kell jeff-k...@utc.edu wrote:

On 11/10/2011 8:24 PM, Harry Rauch wrote:

We have in our internet docs for students that rogue wireless devices that interfere with the dorm's internet usage will be requested to shutdown or the student will lose internet rights for 30 days. Students seem to be more than willing to shut off their wireless router after they are made aware of the problem; they honestly don't have a clue about the effects of their personal wireless and the school's.

We have similar policies. If we detect a rogue (shows up in our NAC as a NATed client), we quarantine the MAC address of the router. If they connect to their rogue wireless, they get a captive portal telling them to disconnect it! If they then connect directly, they are fine again. Other than us having to mark the MACs, it is self-remediating (and if the MAC returns, it gets the same result, regardless of the jack/location).

Jeff
EDUCAUSE Advanced Core Technologies Initiative Annual Meeting
Group,

If you are interested in attending the ACTI annual meeting, please read below:

Best,
Philippe

Subject Line: 2012 ACTI Annual Meeting: Held Jointly with CSG, Open to All Interested in Core Technologies

Copy:

To help facilitate collaboration on core technology challenges among colleges and universities, EDUCAUSE is planning to hold the 2012 Advanced Core Technologies Initiative (ACTI) Annual Meeting (http://www.educause.edu/ACTI12) in conjunction with the Common Solutions Group (CSG) Annual Meeting: January 10–13, 2012, Palo Alto, CA.

I am writing to encourage ACTI members to take advantage of this opportunity to share and learn about common core technology challenges. Non-ACTI members who are interested in the collaboration ACTI facilitates or whose contributions and leadership would better enable ACTI to achieve its mission are invited to attend.

The meeting will begin with an ACTI members meeting the afternoon of Tuesday, January 10, and continue on Wednesday and Thursday morning with shared ACTI/CSG workshop sessions focusing on IT metrics and dashboards; strategic planning and service portfolios; and cloud applications. CSG will host its members meeting Thursday afternoon through Friday morning (restricted to CSG members). A joint ACTI/CSG dinner will take place on Wednesday evening.

For more information or to register, visit the 2012 ACTI/CSG Joint Meeting website (http://www.educause.edu/ACTI12).

Thank you for your help.

Sincerely,
Ashlan Sarff
Marketing Coordinator
303-939-0333
EDUCAUSE
4772 Walnut St, Ste 206
Boulder, CO 80301
Uncommon Thinking for the Common Good
www.EDUCAUSE.edu
Re: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?
Lee,

I will speak as UTK and eduroam-US. We see a lot of satisfaction with the following three RADIUS flavors:

-RADIATOR (supported, very affordable, and PERL based... easy to customize, keeps up with innovations: RadSec, CUI, ...)
-FreeRADIUS (open source, FREE, C based, support community, keeps up with innovations: CUI, not RadSec yet)
-NPS (Microsoft, GUI, integrates with MS environments)

We have used RADIATOR at UTK for the last 6 years, and also use it for the top level RADIUS servers for the US. Be aware that RadSec and CUI bring a lot of security features for eduroam (CUI = Chargeable User Identity, RadSec brings TCP and SSL/TLS as a replacement to UDP and Shared Secrets).

Best,
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org

On Nov 1, 2011, at 2:25 PM, Lee H Badman wrote:

We’re feeling some frustration with our current RADIUS solution (ACS 5, virtual appliances) that are frequently attributed to the size of our client base. (At the same time, the logging and reporting on ACS is among the best I’ve ever seen.) For those of you with large (10,000 + users) RADIUS deployments, what servers are you using and what are your points of pain and/or appreciation? We currently only use the servers in question for wireless client support, doing MS-CHAPv2/PEAP.

Regards-
Lee Badman

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003
Re: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?
Lee,

If you want to see some configuration examples for six RADIUS flavors go there: https://www.eduroamus.org/radius_configuration

This will not give you examples of how to do PEAP, but you will have a good idea of how the various flavors are configured for proxying.

Philippe

On Nov 1, 2011, at 2:25 PM, Lee H Badman wrote:

We’re feeling some frustration with our current RADIUS solution (ACS 5, virtual appliances) that are frequently attributed to the size of our client base. (At the same time, the logging and reporting on ACS is among the best I’ve ever seen.) For those of you with large (10,000 + users) RADIUS deployments, what servers are you using and what are your points of pain and/or appreciation? We currently only use the servers in question for wireless client support, doing MS-CHAPv2/PEAP.

Regards-
Lee Badman

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003
Re: [WIRELESS-LAN] Certs for EAP-PEAP
Jason et al.,

One heads up: with 2048 bit certs make sure that you have the Framed-MTU flag in RADIUS set to something like 1400 bytes.

Reference: http://www.eduroamus.org/node/29 (read the last paragraph). It applies for regular campus 1x and eduroam.

Philippe
Univ. of TN

On Oct 19, 2011, at 9:27 PM, Jason Healy wrote:

On Oct 19, 2011, at 3:20 PM, John York wrote:

If that’s true, I’ve been adding extra complexity to my work for years. I guess “any valid cert” would also have to come from a CA the user’s computer accepts. Comments?

This year we changed our EAP cert from a real cert (GeoTrust) to a self-signed dot1x cert with a friendly CN (instead of a DNS-like one). We had to break away from our old method because our cert provider only did 2048-bit certs, and after we got one issued we found out that our old (5.x) Aruba gear only deals with 1024-bits. Whoops.

We're an all-mac shop, and there's been no change in the rest of the process for us. OS X requires that the cert be manually trusted for EAP (even if it's signed by a trusted root authority), so it's really no extra work to have a self-signed dot1x cert (we have a script that adds and trusts the cert that our users run).

We also baked the special sauce windows OIDs into our cert and have gotten Windows 7 to trust it, though we've only set this up manually (I've tested it on exactly two clients, as that's how many windows boxes we have around here). We don't have AD, so I'm not sure how cert trust is supposed to work with MS infrastructure. Given the number of windows clients we have, this is fine for now.

From what I understand, XpressConnect makes all of this much easier, but unfortunately I don't have the $$$ for that right now...

Jason

--
Jason Healy | jhe...@logn.net | http://www.logn.net/
Educause Conference this week: wireless-lan session. Any topic of interest?
All,

The wireless-lan@educause will have a session at the Educause conference (Philadelphia) this coming Wednesday from 4:50 p.m. till 5:40 p.m. I will also present a poster (Wed 1:30 pm) and a session (Thu 1:30 pm) about eduroam.

Here are some of the topics that I had in mind:

-iOS5: Can we say Au Revoir to Bonjour? EAP-TLS cert issues (md5). Could Apple please release a survey tool for iPhone (WiFiFoFum is now definitely not working unless you are willing to jailbreak)..should we ask as Wi-Fi network operators? (any interest?)
-Campus Wi-Fi and exponential growth of new devices (how to deal with it)
-The future dormitory room (How much Wi-Fi is enough? Do we still need a wire/pillow?)
-Your eternal visitor-access question: we need to provide it but what are our limits? (would we have different policies if we could strongly authenticate visitors?)
-802.11u (how will it change our SSID layout? and more...)

Do you have a topic that you would like to cover? I will write a summary and post it to the list after the conference, but nothing beats being there ;-)

Let me know,
Philippe Hanset
University of Tennessee, Knoxville
wireless-lan@educause Constituent Group Leader
www.eduroamus.org
Re: [WIRELESS-LAN] selectively disabling wireless in classrooms
This is the wireless-...@educause.edu, not the un-wireless-...@educause.edu ;-)

Seriously, we have seen teachers requesting devices to be turned off during class, or else... Also, the curriculums are increasingly requesting interaction with digital media. It's going to become harder and harder to justify a budget to remove access (we operate on a cost recovery basis). Make the teacher pay for the implementation of this specific policy. FIX IT costs money!

Philippe

On Sep 23, 2011, at 8:21 AM, Gogan, James P wrote:

Well, it's that time of year again …. the time when we get calls from a handful of faculty who want the ability to disable the wireless access point that covers their classroom during specific class periods (they also want cellular coverage disabled during those times -- yeah, right ……). When I point out that the AP that covers their classroom may also provide coverage for the one next door, or that with a controller-based architecture, shutting off one access point would likely just increase the signal coverage area of adjacent APs, the response I usually get back is well, I KNOW that other universities are doing it, so …. FIX IT.

So, let me ask my biennial question: what ARE other universities doing in this regard? I was specifically given U of Michigan as an example. Anyone know what they're doing? Any successful implementation details from anyone dealing with this issue are welcome. And yes, I am biting my tongue to not say teach more engagingly.

Thanks in advance!

-- Jim Gogan / Univ of North Carolina
Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
Nick,

Most RADIUS servers will let you do that (freeRADIUS, RADIATOR, ACS...). If you want to separate users you can also use the same SSID that you use currently and return an attribute item from AD that would set the VLAN per user or per group of users.

Philippe, eduroamus.org
University of Tennessee (using a tiny keyboard)

On Sep 19, 2011, at 9:33 AM, Urrea, Nick urr...@uchastings.edu wrote:

We at UC Hastings would like to create a new SSID that only allows certain users with WPA-Enterprise authentication to access. We currently have two SSIDs, one which uses WPA-Enterprise with RADIUS which checks against an Active Directory group and the other which uses Web-Auth which checks against the same Active Directory. We are using the Cisco Solution for enterprise wireless. I would like to use the same RADIUS server for both WPA-Enterprise SSIDs. Any ideas?

---
Nicholas Urrea
Information Technology
UC Hastings College of the Law
San Francisco, CA, 94102
urr...@uchastings.edu
help desk: 415-581-8802 helpd...@uchastings.edu
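The two options in the reply above (one RADIUS server gating a restricted SSID by AD group, or one SSID with a VLAN returned per user or group) as an added example; this is not code from any RADIUS server or from the thread. The group names, VLAN numbers, precedence order and the "AP-MAC:SSID" form of Called-Station-Id are constructed assumptions; the three reply attributes and their values are the ones RFC 3580 defines for 802.1X VLAN assignment.

```python
"""Authorization policy: SSID gating and per-group VLAN from AD membership.

Added example, not the code of any RADIUS server or of the message above.
Group DNs, VLAN numbers and the Called-Station-Id layout are constructed.
"""
from typing import Optional

# RFC 2868 tunnel attributes as RFC 3580 uses them for 802.1X VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed: AD group DN (lower-cased) -> VLAN. Tuple order is precedence when a
# user is in several mapped groups: the first match wins, so NetOps beats Students.
GROUP_VLANS = (
    ("cn=wireless-netops,ou=groups,dc=example,dc=edu", 10),
    ("cn=wireless-staff,ou=groups,dc=example,dc=edu", 120),
    ("cn=wireless-students,ou=groups,dc=example,dc=edu", 130),
)

# Constructed: SSIDs only members of the listed groups may authenticate to.
# SSIDs absent from this table are open to any authenticated user.
SSID_ALLOWED_GROUPS = {
    "restricted": {"cn=wireless-netops,ou=groups,dc=example,dc=edu"},
}


def normalise_groups(member_of: list) -> set:
    """Lower-case the memberOf DNs so comparisons are case-insensitive, as LDAP DNs are."""
    return {g.strip().lower() for g in member_of}


def ssid_from_called_station_id(called_station_id: str) -> str:
    """Assumed NAS format "AP-MAC:SSID"; returns "" when no SSID is present."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep else ""


def pick_vlan(groups: set) -> Optional[int]:
    """VLAN of the highest-precedence mapped group, or None if no group maps."""
    for dn, vlan in GROUP_VLANS:
        if dn in groups:
            return vlan
    return None


def vlan_reply_attributes(vlan: int) -> dict:
    """The three reply attributes that make a NAS place the session in a VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan}")
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),  # a string attribute, not an integer
    }


def authorize(member_of: list, called_station_id: str,
              ssid_default_vlan: Optional[int] = None) -> dict:
    """Decide the reply for an already-authenticated user on a given SSID.

    A user in no mapped group falls back to the SSID's default VLAN when one is
    given; otherwise the request is rejected rather than silently landing on
    whatever VLAN the NAS happens to default to.
    """
    groups = normalise_groups(member_of)
    ssid = ssid_from_called_station_id(called_station_id)
    allowed = SSID_ALLOWED_GROUPS.get(ssid)
    if allowed is not None and not (groups & allowed):
        return {"code": "Access-Reject", "attributes": {}}
    vlan = pick_vlan(groups)
    if vlan is None:
        if ssid_default_vlan is None:
            return {"code": "Access-Reject", "attributes": {}}
        vlan = ssid_default_vlan
    return {"code": "Access-Accept", "attributes": vlan_reply_attributes(vlan)}


if __name__ == "__main__":
    student = ["CN=Wireless-Students,OU=Groups,DC=example,DC=edu"]
    print(authorize(student, "00-11-22-33-44-55:campus"))
    print(authorize(student, "00-11-22-33-44-55:restricted"))
```

The controller must be set to honour returned VLAN attributes (on a Cisco WLC that is the WLAN's "Allow AAA Override" setting) or the attributes are ignored.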
Re: [WIRELESS-LAN] 1200 Series AP's on a newer 2960s Cisco switch using POE
Ken,

(just throwing a flashing experience of our own...)

Does it flash when you connect just one AP-1200 or if you connect many AP-1200? Switches or Midspan can only handle as much as the power supply can provide. So if you overload the system it will flash. We have had that problem when connecting more than 22 Aruba AP-125 to a PowerDsine 24 ports 6000 series Midspan.

Philippe
Univ. of TN

On Aug 15, 2011, at 3:18 PM, Watters, John wrote:

We had a similar problem years ago. We use PowerDsine midspan power inserters for our AP power (they come in 6, 12, 24-port versions so they are cheaper than buying power for a whole Cisco switch or blade when only a few ports need power; management is also easy via a Web interface). In order for them to power the old 1200 APs, we had to buy a special dongle from PowerDsine to make them work. You may have the same issue. Call or write offline if you have any questions about this.

-jcw

- John Watters
UA: OIT
205-348-3992

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Taillon II, Kendall
Sent: Monday, August 15, 2011 1:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 1200 Series AP's on a newer 2960s Cisco switch using POE

We are in the middle of adding new 2960s Cisco switches to our edge. When connecting our old 1200 series AP’s to the switch via POE, the switch interface just keeps flashing. Is this because the old AP’s use the old pre-standard POE? Our new 1142 series AP’s connect just fine. Is there any way to have the older AP’s use the newer POE through the switch port?

Ken Taillon
Network Administrator
Wesleyan University
Middletown, CT
860-685-5657
Re: [WIRELESS-LAN] MacOS Lion Wireless Password Resets
Ryan,

We have a 6 months password change policy for users with regular access and a 2 months password change policy for users with sensitive access. So far, it has been a nightmare for Macs (10.5, 10.6,...) on our 802.1x network. EAP-TLS or change the mind of the security office have been the options that I have considered... Xpressconnect could help if users are willing to switch back to another SSID, and run Xpressconnect every time they change their password.

Philippe
Univ. of TN

On Aug 4, 2011, at 5:01 PM, Holland, Ryan C. wrote:

I have finally got my hands on MacOS 10.7 (lion) and have started running it through wireless tests. One item I find very worrisome is this:

- Via WPA2-Enterprise (PEAP/MSCHAPv2), I connect to the SSID using username password1; these credentials are then stored in the keychain
- If I change my password to, say, password2, then the next time I connect, the Mac fails authentication

It seems that the Mac, if failing authentication, never prompts for the username password to be reentered. Our university is soon to roll-out and enforce a 90-day password policy, and I am concerned that users will be unable to authenticate and forced to remove the password from their keychain.

Have any of you run into this similar issue? If so, how do you handle this behavior? (I don't recall it being this way in MacOS 10.6 or 10.5)

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

Submit a Kudos to an OCIO employee! http://www.surveygizmo.com/s/514095/giveociokudos
Re: [WIRELESS-LAN] Eduroam questions
Don,

We have two separate SSIDs that do 802.1x, ut-wpa2 and eduroam, across campus. This separation is creating a lot of confusion in our community. Sometimes they wonder why to use one versus the other! We would like to redesign this and only have the eduroam SSID, but separate the traffic based on authentications (roles). If a user from utk joins the eduroam SSID, the user gets different privileges (e.g. a different role in the controller) than other users. We can do this differentiation in our Aruba controllers based on the REALM of users. (e.g. don...@brown.edu would reach a subnet that's routed as if the user was coming from the outside, with a different IP address, and phil...@utk.edu would get full access).

One problem that we have seen pertains to the MTU size in RADIUS. Since RADIUS uses UDP (RadSec uses TCP!!!), and if you use Certificates that are 2048 bytes, you may encounter problems if you don't enable the frame-fragmentation flag at 1500 or less in your RADIUS server. It won't affect people visiting your campus, but it will affect your users (especially if there is a piece of hardware between Brown's user and your RADIUS server that has a small MTU set). eduroam.org advises an MTU flag of 1400 to be cautious.

Also, if you don't mind the initial investment (it will save you money in the long run)... get Xpressconnect.

Best,
Philippe
Univ. of TN

On Jul 29, 2011, at 3:12 PM, Wright, Donald wrote:

We have a mandate to set up Eduroam for our campus for the upcoming fall semester and I was wondering how others have done this in the past. Did you use a separate SSID made available throughout your campus? Any issues or gotchas that I should be aware of as far as initial response time for users, credential caching and roaming, etc.? Thanks in advance.

Don Wright
Senior Network Engineer
CIS - Network Technologies Group
Brown University
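A worked illustration of the realm-based split Philippe describes above (one eduroam SSID, home-realm users get a full-access role, everyone else is proxied to the federation as a visitor). This is added example code, not part of the post or of any Aruba or RADIUS product; the home realm, role names, sample user names and the simplified NAI grammar are assumptions.

```python
"""Realm-based role and routing decision for a single eduroam SSID.

Added example (not from the mailing-list post or any vendor product).
The RADIUS User-Name on eduroam is an NAI (user@realm). The realm decides
two things: whether the request is authenticated locally or proxied to the
federation, and which controller role the user gets if it is local.
Malformed or realm-less names are rejected early, because the federation
cannot route them and they only generate noise at the proxy.
"""
import re

HOME_REALMS = {"utk.edu"}          # constructed: realms whose users are "ours"
ROLE_HOME = "utk-full-access"      # constructed role names
ROLE_VISITOR = "eduroam-visitor"

# Deliberately simplified NAI grammar: a non-empty username, exactly one "@",
# and a realm made of DNS labels (letters, digits, hyphens) joined by dots.
_NAI_RE = re.compile(
    r"^(?P<user>[^@\s]+)@(?P<realm>(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$"
)


def parse_nai(user_name):
    """Return (user, realm) with the realm lower-cased, or None if malformed."""
    m = _NAI_RE.match(user_name.strip())
    if not m:
        return None
    return m.group("user"), m.group("realm").lower()


def is_home_realm(realm):
    """True for a home realm or any of its sub-realms (e.g. dept.utk.edu)."""
    return any(realm == h or realm.endswith("." + h) for h in HOME_REALMS)


def route_decision(user_name):
    """Return ("reject", None), ("local", role) or ("proxy", realm).

    "local": authenticate against our own identity store and apply `role`.
    "proxy": forward to the federation for the given realm; the visitor role
             is applied only after the home institution accepts the user.
    """
    parsed = parse_nai(user_name)
    if parsed is None:
        return ("reject", None)
    _, realm = parsed
    if is_home_realm(realm):
        return ("local", ROLE_HOME)
    return ("proxy", realm)


def select_role(user_name):
    """Controller role to apply once authentication has succeeded."""
    action, detail = route_decision(user_name)
    if action == "reject":
        return None
    return ROLE_HOME if action == "local" else ROLE_VISITOR


if __name__ == "__main__":
    # constructed sample identities
    for name in ("phil@UTK.EDU", "don@brown.edu", "x@eecs.utk.edu", "noatsign"):
        print(name, "->", route_decision(name), select_role(name))
```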
Re: [WIRELESS-LAN] ATT WiFi
Overlaying ATT Wi-Fi over the wireless network to me seems like the same problem as a vendor-specific DAS. Only ATT customers can really use the infrastructure unless you are willing to pay a la carte for the service. What's next? Verizon Wi-Fi, Sprint Wi-Fi... or a web page where you have to pick the vendor of your choice in a long list (highly sensitive to MITM). With models like eduroam, at least all R&E people can join the network while traveling around. What we really need is eduroam for other users as well! (I'm working on it ;-)

Philippe
Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org

On Jul 21, 2011, at 12:28 PM, Dewitt Latimer wrote:

As a person who travels to many campuses, I can tell you that having my iPhone auto-associate with a campus WiFi is a whole lot nicer than having to bug my hosts to sponsor me for a guest wireless account. So I think the real way to look at this is (1) how many guests do you have to your campus, (2) do you care about them, (3) is your wireless guest registration system self-sponsored and simple, or a real PIA? You don't necessarily have to overlay the ATT SSID over your whole campus either. You can hit (say) the performing arts, campus hotel and conference, etc. But that's more of a political outcome than technical. If you go through the hassle of a couple of buildings, you might as well do them all. Also, ATT almost always brings their own commodity bandwidth to the bargaining table. So depending on how many guests you have anyway, you can offload some of their data to their pipe.

-d

On Thu, Jul 21, 2011 at 12:16 PM, Lee H Badman lhbad...@syr.edu wrote:

Ryan- Do you feel there has been any real value to OSU, or any downside?

Thanks-
Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Holland, Ryan C.
Sent: Wednesday, July 20, 2011 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ATT WiFi

We have it here at OSU, and it works adequately. Nothing special. Just a L2 handoff from our equipment to theirs.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu
Submit a Kudos to an OCIO employee! http://www.surveygizmo.com/s/514095/giveociokudos

On Jul 20, 2011, at 1:17 PM, Steve Hess wrote:

Anyone have experience with the ATT WiFi product? Upper management is looking into it here. My understanding is they will use our existing Aruba infrastructure to propagate the signal. Curious for input from others on direct experience and technical considerations (in general and as relates to Aruba specifically).

Thanks,
Steve
--
Steve Hess
Network Administrator
Wheaton College
Phone: 508-286-3404
Fax: 508-286-8270
Re: [WIRELESS-LAN] ATT WiFi
Shouldn't Universities foot the Wi-Fi bill and make ATT pay to carry the SSID? (ATT needs that capacity anyway if they want to service those thousands of people with smartphones.) That will give Universities the freedom to carry additional services when the time comes.

Another thing to remember: ATT has limits on their 3G data plan of 2 Gigs (or 4 Gigs if you have the hotspot plan) (with the exception of grandfathered customers that have unlimited plans). Verizon and Sprint provide unlimited data over 3G on smartphones. So, it is in the interest of ATT customers to join Wi-Fi if they don't want to exhaust their quotas and pay $10/extra Gig. Looking at these 2 cost models (Sprint/Verizon VS ATT), it looks like ATT needs the Wi-Fi capacity to sustain the demand. Or is it that they just want to provide a better experience on 3G and offload data as much as possible to Wi-Fi by providing incentives?

I experienced a few days ago an interesting problem: I was trying to download an iTunes album and received a message warning me that files larger than 20 Mbytes have to be downloaded over Wi-Fi. This was with an iPhone on ATT. Not being in proximity of a free Wi-Fi hotspot, I had to turn on the hotspot feature of my iPhone, and use iTunes on my laptop, over the same 3G network. No limit this time ;-) Why is ATT so afraid of data usage?

Philippe

On Jul 21, 2011, at 1:30 PM, Dewitt Latimer wrote:

The stadium DAS projects with WiFi where the lead integrator is covering the cost of the WiFi are usually locked down in one form or another. The lead integrator would have no way to recover their investment if it was left wide open. Most schools have not built out WiFi in stadiums except in limited ways (e.g. ticket scanners, POS, other locked-down infrastructure needs). You get the occasional club boxes that have WiFi that is locked with a common key (usually "give us more money"). So unless the school is going to foot the WiFi cost for 7 days a year (which they're not), I don't see what the big deal is for stadium WiFi being parceled out to the carriers. I also don't fault ATT for being out in the lead for having a pretty well branded WiFi hotspot service. I wish the others would catch up!

-d

On Thu, Jul 21, 2011 at 1:20 PM, Holland, Ryan C. holland@osu.edu wrote:

To answer Lee's question, yes, there has been value. The transient users that use the attwifi service are the responsibility of ATT and not the university. This is a value-add for us.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu
Submit a Kudos to an OCIO employee! http://www.surveygizmo.com/s/514095/giveociokudos

On Jul 21, 2011, at 1:08 PM, Lee H Badman wrote:

This is where I gotta plug our Bluesocket box for guest access. They worked with us to develop a simple "SMS you your password" mechanism, and I can't imagine a simpler guest portal for people to use. The ATT model does seem interesting, but to Philippe's point, I'm not digging the single carrier thing.
Re: [WIRELESS-LAN] Wireless design
Bruce,

We install our APs in the same subnet as our users (for reasons mentioned by others as well: it seems that rogue detection works better on the wire side that way), but with private IP addresses. The gateway has two subnets (one primary and one secondary). Primary is for users, secondary is for APs and switches. Since our APs do DHCP, we have a rule in our DHCP server that hands specific leases to our APs based on the OUI of our AP vendor. That way we don't consume publicly addressable IP addresses for 2500 APs!

This said, in the near future the concept of locating APs in the user subnet (when I mention subnet, I mean the layer two domain, not the strict IP subnet) will become difficult since we plan to have something like 3-5 user subnets per building (based on the user classification that we end up with).

When it comes to wireless user subnets, we completely rely on GRE tunnels that go back to the controllers and we do the Aruba VLAN pooling for each SSID. The MAC address based SSID doesn't let users access sensitive apps, the 802.1x SSID does. In the future, we plan to go to a more role-based networking approach, where user attributes decide what they can do more than IP addresses. (IP addresses will always be involved of course, but in a more dynamic way)

Best,
Philippe Hanset
Univ. of TN
www.eduroamus.org

On Jun 8, 2011, at 6:54 PM, Entwistle, Bruce wrote:

We will soon be migrating our wireless network from Cisco autonomous 1231 APs to a combination of Cisco 3502i along with some of the existing 1231 APs converted to lightweight. As we prepare for this we are looking at how to best architect the new network. The new network will cover the entire campus which consists of approx. 50 buildings, with each building having its own VLAN. The initial idea was to install the APs so the IP address of the AP would be a part of the local building VLAN. This is the IP the AP would use to talk back to the controller. For user connections there would be two VLANs created which would be accessed through a single SSID. The users would then be dynamically assigned to one of the two VLANs based on their logon credentials. Currently all users are placed on the same VLAN after authentication, as our current installation is not capable of dynamic VLAN assignment. There is currently only a single SSID in place. I would be interested to know what others have done and how successful it was.

Thank you
Bruce Entwistle
Network Manager
University of Redlands
Strange behavior: iMacs 2011
All,

(I checked the Archives and couldn't find anything on this)

One of our desktop support guys is losing his mind on a problem with three iMacs that have a very erratic behavior on wireless only.
- Those iMacs were purchased during the last month.
- They can join Wireless
- They can get a DHCP lease
- Ping, traceroute, etc. work
- Web (Safari or Firefox) doesn't work at all (either by name or by IP address)

This is on an Aruba infrastructure (AP-125 with M3 controllers). There is a discussion about this problem at: https://discussions.apple.com/message/15166297#15166297

Anyone else facing this problem? Any resolution (we have contacted Apple... but that might take a while)?

Thank you,
Philippe Hanset
Univ. of TN
Re: [WIRELESS-LAN] Strange behavior: iMacs 2011
This is on an open SSID with NetReg in the back end. No portal, no 802.1x.

Philippe

On Jun 1, 2011, at 6:51 PM, Jason Appah wrote:

We have had lots of problems with Firefox and our Aruba in general when used with the captive portal. You didn't mention if this is 802.1x or CP or WPA but Safari and Firefox seem to have problems with our CP on Aruba over wireless only.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Wednesday, June 01, 2011 3:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Strange behavior: iMacs 2011
Re: [WIRELESS-LAN] Policy towards self installed AP's in dorms
On Apr 5, 2011, at 11:34 AM, Johnson, Neil M wrote:

These questions are targeted at larger schools with large dorm populations that use EAP authentication (802.1x) on their wireless network.

1. What is your school's policy in regards to students installing their own access points in the dorms where you have wireless service already available?

The policy is: you will not interfere with the Wireless Network provided by the University. This gives us some leeway. Since we are in the process of revamping the Dorm Wireless: in places where our network is weak, we give students more wireless freedom. In places where our network is good, we give students less wireless freedom.

2. How do you inform students about your policy?

Policy is not advertised, only used/reminded when needed. We have noticed over the years that when the service is good, rogues don't appear as much!

3. Do you enforce your policy?

A dorm is not much different than a hotel (read: students are customers!). So, we try to be as understanding as possible, while maintaining the service. If our IDS detects rogues and we see a lot of interference, we explain the problem to students. If they don't listen, we turn the network port off, and in some cases we turn the IPS on (very rare). (BTW, most of the students enable encryption on their rogues!)

4. Do you proactively search for access points, or do you intervene only when they are impacting your service?

Our Aruba controllers constantly report rogues. If we see problems or problems are reported, we intervene.

Philippe Hanset
Univ. of TN

Thanks.
Neil Johnson
The University of Iowa
Re: [WIRELESS-LAN] Wireless to the Rescue...
I have been thinking about continuing the debate, but it is April 2nd in Australia... I did write "check the date" at the end of my email, though! Sorry all, I had more fun reading the responses than writing my silly April Fool's.

Have a great W-E,
Philippe

On Apr 1, 2011, at 1:20 PM, Jeffrey Sessler wrote:

That's just not right. These people are adults, and as such, should be able to decide on their own if they are going to attend class. The college is not their parents, and it's not a daycare. This is a behavior issue which needs addressing, and disabling the technology is not the answer. What's next, disable WiFi if they don't take out the trash from their dorm room, or decide not to shower, or protest some decision the campus made, etc.? Will you disable WiFi except in the stadium during a game, so as to force students to attend? Something wicked this way comes, and it's at UTK.

I'm curious, does your honor code, guide to student life, etc. state that attending class is mandatory? If not, how are you able to levy sanctions against a student for not attending (disable WiFi)?

I can see it now... Student doesn't show up for class. Said student is in trouble, but can't get the necessary help (send email, make a Skype call, etc.) because none of his/her devices can connect to the network. Student becomes seriously ill, or dies, etc. because of this new policy, and the college faces a huge lawsuit.

Don't get me wrong, it's an interesting technological solution, but it's still wrong in my book. If a student is not attending class, your dean of students needs to bring the student in for a discussion.

Jeff

Hanset, Philippe C phan...@utk.edu 4/1/2011 9:22 AM

All,

University of Tennessee has had some class attendance issues lately, especially with Sophomores. We came up with a location-based wireless solution that could fix this issue. We have built a database of rooms surrounding Access-Points that we correlate with a class roster. Basically if a student is supposed to be in room x at time y, our filtering only allows the student access to a set of access points surrounding that room during that time. No wireless elsewhere. Dormitories are included in the algorithm. If you are doing something similar, we would like to know some of the caveats.

Thanks,
Philippe Hanset
University of TN
(Constituent Group Leader of Wireless-LAN@educause)
(what's the date?)
Re: [WIRELESS-LAN] Wireless Site Survey cost
Having done a Dorm Installation last week, let me add another point: 5 GHz is great, but in some places you might want to skip the expense. We had no choice but to feed Dorm suites from the center hallway. After thorough testing we came to the conclusion that we would only provide 802.11n at 2.4 GHz since too much of the 5 GHz signal was wasted. So instead of using Aruba AP-105 ($695 list) everywhere in that building, we settled for Aruba AP-93 ($395 list). With the savings, we did smaller cells to somewhat compensate for the lesser capacity. Each bedroom still has an Ethernet drop (unfortunately unusable for APs for architectural reasons).

Philippe
Univ. of TN

On Mar 22, 2011, at 3:38 PM, heath.barnhart wrote:

If nothing else, you will have documentation showing what your coverage is and can uncover any gotchas. If someone says they are having issues in an area, you pull up the survey and have instant access to more information to help uncover the reason behind their issues.

Heath

On 3/22/2011 2:11 PM, John Kaftan wrote:

So I hate to dig this up again but nobody really responded to Jeff Sessler's post "Given the need for designs based on capacity rather than coverage, do those who've done site surveys previously feel they are still worth the trouble?"

Seems to me wireless surveys are for determining coverage which is something we can easily measure. We can require that an area will have no less than -68 dBm signal and do the survey to determine what it will take. However, if folks are saying that in a high density area like a ResHall just providing coverage is not enough and we must go much denser, what good is the survey? If coverage is not enough then how do we determine our density? Is it just by feel?

Up until now I figured I was not going to do a survey. I figured for the cost of the survey I could buy an additional 30-50 APs. When pulling wire I'd have facilities leave a 20' coil and pull double the wire I originally guessed based on past experience. Then we would just "Throw it up" and see what happens. If we move slowly and do a ResHall at a time we should be able to get a feel for it. Now I have a shot at doing a survey this summer after the fact by using students from a nearby University that has a MS in Networking as an internship. The cost is much less than a professional survey but I have to ask if it is still worth it if capacity is what we are going for? Perhaps I should be looking at a different internship. There is certainly plenty to do around here.

John Kaftan
Infrastructure Manager
Utica College
315.792.3102

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, March 16, 2011 8:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Site Survey cost

I have everyone held back to 2 Mbps on wireless. That seems to be a good number for now. Nobody is complaining and it helps to keep their experience consistent. They can watch a Netflix movie with that. I imagine Netflix would use more bandwidth if it could. I have not tested though.

On 3/16/2011 6:28 PM, Brian Helman wrote:

If people are building new dorms, I'd definitely run copper to any common rooms if you support any gaming consoles. Honestly though, we have a good density of wiring even in the dorms and I'm pretty close to shutting down or at least limiting the bandwidth available for video on the wireless network. Netflix, Flash and YouTube are killing it (not to mention our Internet connection).

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joel Coehoorn
Sent: Tuesday, March 15, 2011 10:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Site Survey cost

Agree I wouldn't run new port-per-pillow drops, but I wouldn't ditch existing drops (just update the switching) and anywhere you have apartment-style living I would put a wired port in the common space for game consoles/Blu-ray/smart TVs/etc. Those who actually use the ports will be the few who know enough to know why it's better, and they also tend to be your heaviest users. It's nice to get some of the gaming and Netflix traffic out of your airspace.

On Mar 15, 2011 7:50pm, John Kaftan jkaf...@utica.edu wrote:

Thanks, but I have purchased already. We will be doing this backwards. We are pulling extra drops and leaving 20' coils of cable above the ceilings and then throw up the APs and see what happens. Not perfect but we have been doing alright with that. We have a feel for it and the students report happiness. This summer we will do the survey to tighten things up a bit. I am considering dropping the wired ports as our LAN is past due for a refresh
Re: [WIRELESS-LAN] Wireless Site Survey cost
5 GHz was only usable in hallways (deserted) and the front part of suites (shower and restroom). Where users are present we were measuring -80 dBm or less at 5 GHz. That dorm doesn't have common areas. In common areas, it would make sense to use 5 GHz of course. The extra capacity is provided by providing smaller cells at 2.4 GHz.

The other problem with weak 5 GHz and stronger 2.4 GHz is that devices (e.g. Macs!) do not join 5 GHz, even if available. Tricks like Bandwidth Steering can help this behavior, but not if the difference is too large between the 2 spectrums.

BTW: If a large majority of users start watching Netflix in restrooms we will have to swap APs!

Philippe

On Mar 22, 2011, at 4:26 PM, David J Molta wrote:

Wasted in what sense, Philippe? Residence halls are obviously high-density environments so capacity is a big concern, especially during peak usage periods. Even if the 5 GHz 11n channel can't provide full coverage for the area under consideration, if it offloads even 25-30% of the 2.4 GHz 11n traffic, it seems like it would be worth the extra cost because it would result in better performance under heavy contention for both 2.4 GHz and 5 GHz users.

Dave Molta
Re: [WIRELESS-LAN] 802.1x and password change policy...
Curtis,

I'm a big advocate of EAP-TLS if you are willing to deal with the PKI. How do you deal with Certs? Do you have a PKI for other purposes as well?

Philippe

On Feb 25, 2011, at 3:35 PM, Curtis, Bruce wrote:

On Feb 14, 2011, at 12:28 PM, Hanset, Philippe C wrote:

All, I have asked this question in the past, but things change, someone out there might have a better answer! We run two 802.1x SSIDs with WPA2 (ut-wpa2 and eduroam). All goes well on these two SSIDs until users are asked to change their password (every 6 months) (would love to get rid of that password change but that's not an option)

We are using EAP-TLS here. EAP-TLS requires a client side certificate but our certificates are good for more than 6 months.

---
Bruce Curtis
bruce.cur...@ndsu.edu
Certified NetAnalyst II, 701-231-8527
North Dakota State University
Re: [WIRELESS-LAN] Wifi and spectrometers?
Air is so noisy in the microwave range these days (cellular, Wi-Fi, you name it...), I would think that people that use spectrometers that are sensitive to microwaves have to worry about a lot more things than just University-based Wi-Fi. Why not isolate the spectrometer instead of the Wi-Fi? How do they plan to deal with rogue Wi-Fi from the guy next door that wanted Wi-Fi but couldn't get it because of the Spectrometer ;-)

Philippe
Univ. of TN

On Feb 22, 2011, at 12:35 PM, Chanowski, John wrote:

Because APs are a heat source, we have been prohibited from installing them in some rooms that are temperature sensitive and also in some rooms that are vibration sensitive. No spectrometer issues have yet arisen, though.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Daniel Eklund
Sent: Tuesday, February 22, 2011 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wifi and spectrometers?

We have ubiquitous Wifi coverage in both 2.4 and 5 GHz spectrum in all our science buildings and have had no complaints of interference with equipment.

--
Daniel Eklund
Director, Networking
Wayne State University
313-577-5558

----- Original Message -----

We haven't heard of any complaints or design constraints, though we've occasionally asked -- I don't know whether there are those specific kinds of spectrometers, though, or the details. I'd be very interested in hearing about people's experiences in this area as well, as we have some large science buildings that we'll be putting more wireless in shortly.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, February 22, 2011 11:02
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wifi and spectrometers?

We're about to take the campus wireless into some new areas and are getting some concern voiced about possible negative impact on both noble gas and IR spectrometers. Before I start researching a defense, has anyone else already been down this road?

Lee Badman
802.1x and password change policy...
All,

I have asked this question in the past, but things change, someone out there might have a better answer!

We run two 802.1x SSIDs with WPA2 (ut-wpa2 and eduroam). All goes well on these two SSIDs until users are asked to change their password (every 6 months) (would love to get rid of that password change but that's not an option)

iPhone and iPad prompt users for new credentials, no problems there. OS X and Windows, not so seamless. Windows 7 seems to require you to join and fail twice, Mac won't even prompt (the user has to go in settings, network, 802.1x... by that time our helpdesk is involved!)

Has anyone found something smart to counter this problem? (using native clients, no SecureW2 or Odyssey) It doesn't seem that Xpressconnect (Cloudpath) can address this issue since it doesn't have a permanent agent.

Thank you in advance for your answers,

Best,

Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
Re: [WIRELESS-LAN] Site survey tools
Funny that you mention that. We did a comparison yesterday between a Fluke AirCheck and an iPhone 4 using WiFiFoFum. The AirCheck was consistently 15 dBm better than the iPhone. (consistent with your data)

Since iPhone-like devices are showing all over campus much more than Fluke AirCheck, we have decided to corroborate our predictive surveys done in Airwave with iPhone or iPod Touch running WiFiFoFum.

Rick,

I forgot to mention a detail in the corroboration step: We go on site with an iPhone and WiFiFoFum, but also the AP that we plan to install for the building powered by a battery. Aruba controller based AP will let you configure APs as stand alone. We plan the number of check points based on the size of the building, and also check anomalies reported by the predictive software. It is sometimes amazing how accurately those anomalies are reported. (not always!) I don't know how other survey tools work, but Airwave will let you pick in the predictive model the type of AP that you plan to use.

Philippe

Unfortunately, WiFiFoFum is not available at the AppStore anymore, but you can get it via Cydia. $2.99.

Best,

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org

On Jan 21, 2011, at 1:28 PM, Rick Brown wrote:

> We have been using Motion Computing Tablet PCs with Cisco's CB21 wireless adapter card and the Site Survey Utility for conducting manual site surveys. Originally we had found that due to the nature of the buildings on our campus that a manual survey was much faster than using any of the predictive software such as AirMagnet and Siteplanner.
>
> We are starting to see problems with the older tablets. Replacing them doesn't seem to be an option since most tablets aren't coming with PCMCIA slots anymore. We've looked at the Fluke AirCheck meters but they tend to show RSSI anywhere from 10 dBm to 20 dBm better signal than what it really is.
>
> Are any of you still doing manual surveys? And what equipment and app are you using to read signal levels, etc.?
>
> Thanks!
>
> Rick
Re: [WIRELESS-LAN] Aruba Mobility Design Options
Stan

> We do use VLAN pooling extensively and our pools are large - 16 to 20 /24 subnets. I don't think there is any issue going higher, but I don't know what the upper limit is.

Aruba supports a maximum of 32 pools. You assign the subnet that you want to each pool (we have 32*/23)

Philippe
Univ. of TN

> I'd be happy to discuss our architecture with you off list. You might also want to engage your Aruba Systems Engineer to advise you on the best way to integrate the Aruba hardware into your network architecture.
>
> - Stan Brooks - CWNA/CWSP
> Emory University
> University Technology Services
> 404.727.0226
> AIM/Y!/Twitter: WLANstan
> MSN: wlans...@hotmail.com
> GoogleTalk: wlans...@gmail.com
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of schilling [schilling2...@gmail.com]
> Sent: Tuesday, January 18, 2011 11:40 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Aruba Mobility Design Options
>
>> Hi All,
>>
>> I tried to join the list with my edu email, but still not received any confirmation email yet. Resubscribe got email of "Rejected - similar commands already pending". So I am posting this message with my gmail account.
>>
>> We are trying to implement mobility for students. In order to fit into our campus network virtualization with MPLS L3VPN, we would like to have WLANs default gateway at Core routers, so we could have the flexibility to selectively put certain WLANs to a MPLS L3VPN i.e facstaff or students. We would also like to put certain clients into certain WLAN pools according to their AD/LDAP attribute. I knew we could have dedicated controllers for each specific group of users. I wish Aruba could provide multi-vrf/vrf-lite capability. All security devices like Cisco ASA/Juniper ScreenOS/Fortigate Firewall all have the virtual router/context capability.
>>
>> There are two ways to do mobility, layer 2/VLAN mobility, layer 3/IP mobility. I am trying to explore both mobility options with the constraint of WLAN default gateway in the Core router. Attached please find two diagrams.
>>
>> student-alternatives-vlan-mobility.jpeg with the following notes/questions
>> Notes: Layer 2/VLAN mobility requires all user VLANs/WLANs to be present on all controllers in the same mobility domain.
>> Is it feasible/recommended to have 10 Aruba Controllers w/ 80%*512 AP termination in a layer 2/VLAN mobility group?
>> Is it feasible/recommended to have 4000 users/devices in a layer 2/VLAN mobility group w/ 16 /24 VLANs in a VLAN pool?
>>
>> student-alternatives-ip-mobility.jpeg with the following notes/questions
>> Notes: Layer 3/IP mobility requires ip address for user VLAN -WLAN to correctly forward layer-3 broadcast/multicast traffic to clients when they are away from home network
>> Could Core be the default gateway for user VLANs/WLANs while still have an IP address in Aruba Controllers for corresponding user VLANs/WLANs to provide layer 3/IP mobility?
>> Could VLAN pooling feature be used in this kind of design if feasible? Basically West WLANs and East WLANs will be in same VLAN pool, so upon association, clients will be evenly distributed among pool member VLANs. But they will be tunneled to their home agent once roam to foreign agent.
>>
>> Questions for both designs:
>> Could an IETF tunnel private Group ID in RADIUS server be set to VLAN pool name instead of VLAN?
>> Could server-derived rule be used to map certain RADIUS attribute to VLAN pool name?
>>
>> I would really appreciate your feedback on my design or what your institutions are doing for the mobility.
>>
>> Thanks,
>> Shiling
>>
>> Shiling Ding
>> Network Specialist
>> 850-645-6810
>> Information Technology Services
>> Florida State University
Re: [WIRELESS-LAN] Aruba Mobility Design Options
Shiling,

We have opted to leave Aruba controllers as layer 2 devices, and terminate all of our subnets on VRFs on one external router, except for our web based visitor network that is terminated on our Master Controller. Aruba will let you do everything (Rules, Roles, FW etc...) you want at layer 2 and 3 without having to terminate IP gateways on controllers.

For Mobility we have been very satisfied with VLAN Pooling, doing 32* /23 for assignments.. I wouldn't go beyond that... maybe /22 if you are desperate for IP addresses.

I cannot compare VLAN pooling to sliced bread since I'm a baguette eater, but I'm sure that I would agree with Stan if I did like sliced bread ;-)

Philippe
Univ. of TN
www.eduroamus.org

On Jan 18, 2011, at 11:40 AM, schilling wrote:

> Hi All,
>
> I tried to join the list with my edu email, but still not received any confirmation email yet. Resubscribe got email of "Rejected - similar commands already pending". So I am posting this message with my gmail account.
>
> We are trying to implement mobility for students. In order to fit into our campus network virtualization with MPLS L3VPN, we would like to have WLANs default gateway at Core routers, so we could have the flexibility to selectively put certain WLANs to a MPLS L3VPN i.e facstaff or students. We would also like to put certain clients into certain WLAN pools according to their AD/LDAP attribute. I knew we could have dedicated controllers for each specific group of users. I wish Aruba could provide multi-vrf/vrf-lite capability. All security devices like Cisco ASA/Juniper ScreenOS/Fortigate Firewall all have the virtual router/context capability.
>
> There are two ways to do mobility, layer 2/VLAN mobility, layer 3/IP mobility. I am trying to explore both mobility options with the constraint of WLAN default gateway in the Core router. Attached please find two diagrams.
>
> student-alternatives-vlan-mobility.jpeg with the following notes/questions
> Notes: Layer 2/VLAN mobility requires all user VLANs/WLANs to be present on all controllers in the same mobility domain.
> Is it feasible/recommended to have 10 Aruba Controllers w/ 80%*512 AP termination in a layer 2/VLAN mobility group?
> Is it feasible/recommended to have 4000 users/devices in a layer 2/VLAN mobility group w/ 16 /24 VLANs in a VLAN pool?
>
> student-alternatives-ip-mobility.jpeg with the following notes/questions
> Notes: Layer 3/IP mobility requires ip address for user VLAN -WLAN to correctly forward layer-3 broadcast/multicast traffic to clients when they are away from home network
> Could Core be the default gateway for user VLANs/WLANs while still have an IP address in Aruba Controllers for corresponding user VLANs/WLANs to provide layer 3/IP mobility?
> Could VLAN pooling feature be used in this kind of design if feasible? Basically West WLANs and East WLANs will be in same VLAN pool, so upon association, clients will be evenly distributed among pool member VLANs. But they will be tunneled to their home agent once roam to foreign agent.
>
> Questions for both designs:
> Could an IETF tunnel private Group ID in RADIUS server be set to VLAN pool name instead of VLAN?
> Could server-derived rule be used to map certain RADIUS attribute to VLAN pool name?
>
> I would really appreciate your feedback on my design or what your institutions are doing for the mobility.
>
> Thanks,
> Shiling
>
> Shiling Ding
> Network Specialist
> 850-645-6810
> Information Technology Services
> Florida State University
Re: [WIRELESS-LAN] Aruba Mobility Design Options
n+1 redundancy for controllers. We have 5 active controllers (going to more very soon), one Master that holds the +1 redundancy as well, and an additional controller as a master backup.

On layer 3 (on our routers), we do VRRP for all 32 subnets.

Philippe

On Jan 18, 2011, at 3:03 PM, schilling wrote:

> Philippe,
>
> 32*/23 is very impressive. Layer 2 is what we are trying to go. Are you doing any kind of controller redundancy as you mentioned all subnets terminated on one external router? Please answer offlist if you think it's too narrowing down to your implementation.
>
> Thanks,
> Shiling
>
> On Tue, Jan 18, 2011 at 2:47 PM, Hanset, Philippe C phan...@utk.edu wrote:
>
>> Shiling,
>>
>> We have opted to leave Aruba controllers as layer 2 devices, and terminate all of our subnets on VRFs on one external router, except for our web based visitor network that is terminated on our Master Controller. Aruba will let you do everything (Rules, Roles, FW etc...) you want at layer 2 and 3 without having to terminate IP gateways on controllers.
>>
>> For Mobility we have been very satisfied with VLAN Pooling, doing 32* /23 for assignments.. I wouldn't go beyond that... maybe /22 if you are desperate for IP addresses.
>>
>> I cannot compare VLAN pooling to sliced bread since I'm a baguette eater, but I'm sure that I would agree with Stan if I did like sliced bread ;-)
>>
>> Philippe
>> Univ. of TN
>> www.eduroamus.org
>>
>> On Jan 18, 2011, at 11:40 AM, schilling wrote:
>>
>>> Hi All,
>>>
>>> [...]
>>>
>>> Thanks,
>>> Shiling
>>>
>>> Shiling Ding
>>> Network Specialist
>>> 850-645-6810
>>> Information Technology Services
>>> Florida State University
Re: [WIRELESS-LAN] Blocking broadcast traffic ?
Zach,

I forwarded your question to our UTK resident faculty/service defender, and here is his answer:

> But to answer Zach's question about consequences..
>
> Blocking mDNS/Bonjour/Zeroconf (all the same proto) will immediately affect the users if they use the iLife tools (iTunes, iPhoto, etc). Moreover iChat uses mDNS to discover local folks to chat with which some people use for inter-office chat. Also lots of printers are discovered that way so you end up having to manually configure (by IP) network printers. How much of an issue the iLife and iChat family being blocked is depends on the density of Macs really, and how the users use them secondly. Preventing automatic printer discovery may add load to the IT staff so that's a consideration.
>
> Blocking CUPS affects printing of course and CUPS is pretty noisy. How many CUPS enabled machines with printers attached are there? Do people use them via CUPS or do they use another protocol?
>
> Dropbox is super popular with a number of folks I know who rely on it for realtime backups of their academic work. If people are using the protocol enough for you to notice and be worried you might impact those users very negatively.

On Dec 3, 2010, at 12:26 PM, Zachary McGibbon, Mr wrote:

> Hi, we are looking into blocking some broadcast traffic on our wireless network here at McGill and I wanted to get some feedback to see if anyone else has done this and if so what ports you blocked and what were the consequences?
>
> Here is a list of some ports we're thinking of blocking:
>
> * UDP 137 / Netbios
> * UDP 631 / CUPS
> * UDP 5353 / MDNS
> * UDP 5355 / LLMNR
> * UDP 17500 / Dropbox
>
> These ports take up a lot of traffic on our network and are causing our Aruba controllers to drop spanning tree and VRRP frames and then cause APs to switch back and forth between ports on our switches and between the active/standby controller.
>
> Zachary McGibbon
> McGill NCS / Burnside Hall
> Email: zachary.mcgib...@mcgill.ca
> Office: (514) 398-7388
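Before dropping any of the ports listed in Zach's message, a practitioner would want to measure how much of the wireless chatter each one really accounts for and which services the reply says would break. The script below is an added example, not code from the list, McGill or Aruba: it profiles constructed UDP flow records (the six-field record format and the 10.20.1.0/24 subnet are assumptions) and annotates each broadcast/multicast port with the impact notes from the thread.

```python
"""Profile broadcast/multicast chatter per UDP port from flow records.

Added example for the blocking-broadcast-traffic thread above; it is not
code from the list, from McGill or from Aruba. The flow-record format,
the sample subnet and the flow lines are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the thread proposed blocking, with the services the reply says
# would lose functionality if that port is dropped.
CANDIDATE_PORTS = {
    137: "NetBIOS name service (Windows name resolution)",
    631: "CUPS printer browsing (Mac/Linux printing)",
    5353: "mDNS/Bonjour (iTunes, iPhoto, iChat, printer discovery)",
    5355: "LLMNR (Windows name resolution)",
    17500: "Dropbox LAN sync discovery",
}

# Constructed flow records: "<src_ip> <dst_ip> <proto> <sport> <dport> <bytes>"
SAMPLE_FLOWS = """\
10.20.1.15 224.0.0.251 udp 5353 5353 420
10.20.1.16 224.0.0.251 udp 5353 5353 380
10.20.1.17 224.0.0.252 udp 51002 5355 66
10.20.1.18 10.20.1.255 udp 137 137 92
10.20.1.19 10.20.1.255 udp 17500 17500 180
10.20.1.20 10.20.1.255 udp 631 631 150
10.20.1.21 10.20.1.255 udp 137 137 92
10.20.1.15 10.20.1.16 udp 52000 5353 200
10.20.1.22 93.184.216.34 udp 49000 443 1200
10.20.1.23 255.255.255.255 udp 68 67 300
"""


def is_broadcast_or_multicast(dst, subnet):
    """True when dst is multicast, the subnet's directed broadcast, or
    the limited broadcast 255.255.255.255."""
    addr = ip_address(dst)
    net = ip_network(subnet, strict=False)
    return (addr.is_multicast
            or addr == net.broadcast_address
            or str(addr) == "255.255.255.255")


def parse_flow(line):
    """Parse one constructed flow record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return {"src": parts[0], "dst": parts[1], "proto": parts[2].lower(),
                "sport": int(parts[3]), "dport": int(parts[4]),
                "bytes": int(parts[5])}
    except ValueError:
        return None


def profile(text, subnet):
    """Aggregate broadcast/multicast UDP traffic per destination port.

    Returns (stats, total_udp_bytes) where stats maps dport to a dict with
    'bytes', 'flows' and the set of 'senders'. Unicast flows count toward
    the total only, so the report shows the share of chatter on the wire.
    """
    stats = defaultdict(lambda: {"bytes": 0, "flows": 0, "senders": set()})
    total = 0
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "udp":
            continue
        total += flow["bytes"]
        if not is_broadcast_or_multicast(flow["dst"], subnet):
            continue
        entry = stats[flow["dport"]]
        entry["bytes"] += flow["bytes"]
        entry["flows"] += 1
        entry["senders"].add(flow["src"])
    return dict(stats), total


def report(stats, total):
    """Rank ports by volume and attach the impact note for those on the
    proposed block list; everything else is marked so it is not blocked
    by accident (DHCP on 67/68, for instance)."""
    rows = []
    for dport, entry in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"]):
        pct = round(100.0 * entry["bytes"] / total, 1) if total else 0.0
        note = CANDIDATE_PORTS.get(dport, "not on the proposed block list")
        rows.append((dport, entry["bytes"], pct, len(entry["senders"]), note))
    return rows


if __name__ == "__main__":
    stats, total = profile(SAMPLE_FLOWS, "10.20.1.0/24")
    print(f"{'port':>6} {'bytes':>6} {'pct':>5} {'hosts':>5}  impact if blocked")
    for dport, nbytes, pct, hosts, note in report(stats, total):
        print(f"{dport:>6} {nbytes:>6} {pct:>5} {hosts:>5}  {note}")
```

Run against a real flow export, the same report shows whether the ports proposed for blocking carry enough of the broadcast load to explain the controller symptoms, and how many hosts would notice.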
Re: [WIRELESS-LAN] Outdoor N access
Bruce,

We face the same issue. So far we have solved it by deciding to continue to use b/g outdoor while waiting for an outdoor/enclosed 802.11n (antenna and AP embedded in one elegant metal box) :(

This said, the cost of enclosed outdoor APs is really high compared to indoor APs with outdoor antennas. Aruba has an outdoor MIMO antenna that doesn't look too bad (doesn't require two antennas and supports 2.4 and 5), but you still have to deal with 3 cables: AP-ANT-17 or AP-ANT-92.

http://www.arubanetworks.com/pdf/products/ap-ant-17_ss.pdf
http://www.arubanetworks.com/pdf/products/ap-ant-92_ss.pdf
(connector works with non-Aruba hardware!)

Though we would rather standardize our 802.11n offering, we have also noticed that outdoor wireless is more about coverage than bandwidth, and b/g seems to be fine.

Philippe Hanset
University of TN

On Dec 2, 2010, at 1:51 PM, Entwistle, Bruce wrote:

> We are currently looking at different ways to cover outdoor areas as we look to migrate to N wireless. In our existing B/G installation we have installed APs inside buildings and run coaxial cable to antennas located on strategic positions on the outside of the building. However as we look to installing N APs the idea of two antennas and six cables on the outside of the building does not seem aesthetically pleasing. I would appreciate anyone who is willing to share their experience with a similar situation.
>
> Thank you
>
> Bruce Entwistle
> Network Manager
> University of Redlands
Re: [WIRELESS-LAN] WiFi blockers in classrooms
Luis,

Cellular networks (usually licensed spectrum) are not under the same regulations as Wi-Fi (usually unlicensed spectrum). In the US, for instance, one cannot interfere with the licensed spectrum (jammers etc...), and when it comes to the unlicensed spectrum (e.g. Wi-Fi), you have to comply with Part 15 of the FCC. Can you interfere with cellular networks in Nicaragua or Costa Rica? (I would double check...otherwise students will remind you!)

The point I want to make with Cellular access (Macro towers, DAS, etc..), is that students that cannot join the Wi-Fi network in classrooms will find other wireless technologies to get access (Smartphones, tethering laptops, air-cards or just a book, but not the textbook!). So, students that can afford cellular-data access can still be distracted.

This could be an interesting research. The hypothesis would be "Is it about who you know or what you know" or "TextBook VS FaceBook" ;-)

Philippe
Univ. of TN

On Nov 19, 2010, at 9:45 AM, Luis Fernando Valverde wrote:

> Yes, we do. The idea is to block any source of wireless connection to the WiFi network.
>
> lf
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hanset, Philippe C
> Sent: Thursday, 18 November 2010 07:42 p.m.
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WiFi blockers in classrooms
>
>> And do you plan to block air-cards on cellular as well with that jammer?
>>
>> Philippe
>> Univ. of TN
>>
>> On Nov 18, 2010, at 4:06 PM, Luis Fernando Valverde wrote:
>>
>>> I understand your points of view and I agree with some of your comments. However, we use our classrooms for multiple academic activities (MBA programs, seminar and in-company events), and we need to find a simple device to block the signal in a 10-20 meters radius / classroom. So, the adjacent classrooms can work with the signal of their own access points (some professors require Internet signal to teach their sessions: internet dynamics, simulations over the internet, cloud computing services, etc.).
>>>
>>> I have heard that this is implemented in some universities in the USA, Europe and Asia (for instance, I was told that in the Indian School of Business' classrooms there are switches to enable/disable wireless signals. I emailed them, but I haven't received an answer yet).
>>>
>>> Luis Fernando
>>>
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Schaffer
>>> Sent: Thursday, 18 November 2010 03:00 p.m.
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] WiFi blockers in classrooms
>>>
>>>> They also use cloud document management such as Google docs and would need the connectivity if storing notes out there. Instructors need to manage the classroom, not take tools away, IMO.
>>>>
>>>> Greg
>>>>
>>>> On Thu, Nov 18, 2010 at 2:52 PM, Methven, Peter J p.j.meth...@hw.ac.uk wrote:
>>>>
>>>>> If you have some lead laying around, you could line the rooms and turn the APs off during lecture times... But as other respondents have said it's not really a technology issue, you design your WIFI for full coverage for a reason. Students use laptops to take notes like we all used to use notepads. Similar to using notepads to draw on when bored in a lecture or write notes, our current students use their laptops to use facebook etc. The issue lecturers should look at is why their students are so bored in their lectures that they are losing interest!
>>>>>
>>>>> Many Thanks
>>>>> Peter
>>>>>
>>>>> Peter Methven
>>>>> Network Specialist
>>>>> Heriot-Watt University
>>>>> Edinburgh Scotland EH14 4AS
>>>>> (+44)0 131 4513516
>>>>>
>>>>> This email has been sent from a mobile phone, please excuse any creative spelling or grammar that may have occurred!
>>>>>
>>>>> On 18 Nov 2010, at 20:35, Russ Leathe russ.lea...@gordon.edu wrote:
>>>>>
>>>>>> We can push out different SSIDs with ACLs that limit what an authenticated user can access. However, our AP heatmap shows leakage from APs above and below the floors where the classrooms are. So, in a nutshell, it wasn't worth it (blocking that is). Especially true once you incorporate emergency notification via 802.11x.
>>>>>>
>>>>>> I would agree with other colleagues' comments, it's an academic/classroom/Professor issue. Northeastern, I believe, did not roll out 802.11x in the classrooms, because the Professors did not want it. The idea behind this decision was "you don't need wifi to take notes".
>>>>>>
>>>>>> I hope this is helpful,
>>>>>> Russ
>>>>>>
>>>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Luis Fernando Valverde
>>>>>> Sent: Thursday, November 18, 2010 2:31 PM
>>>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>>>> Subject: [WIRELESS-LAN] WiFi blockers in classrooms
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Has anybody used jammer WiFi blockers to block
Re: [WIRELESS-LAN] WiFi blockers in classrooms
And do you plan to block air-cards on cellular as well with that jammer?

Philippe
Univ. of TN

On Nov 18, 2010, at 4:06 PM, Luis Fernando Valverde wrote:

> I understand your points of view and I agree with some of your comments. However, we use our classrooms for multiple academic activities (MBA programs, seminar and in-company events), and we need to find a simple device to block the signal in a 10-20 meters radius / classroom. So, the adjacent classrooms can work with the signal of their own access points (some professors require Internet signal to teach their sessions: internet dynamics, simulations over the internet, cloud computing services, etc.).
>
> I have heard that this is implemented in some universities in the USA, Europe and Asia (for instance, I was told that in the Indian School of Business' classrooms there are switches to enable/disable wireless signals. I emailed them, but I haven't received an answer yet).
>
> Luis Fernando
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Schaffer
> Sent: Thursday, 18 November 2010 03:00 p.m.
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WiFi blockers in classrooms
>
>> They also use cloud document management such as Google docs and would need the connectivity if storing notes out there. Instructors need to manage the classroom, not take tools away, IMO.
>>
>> Greg
>>
>> On Thu, Nov 18, 2010 at 2:52 PM, Methven, Peter J p.j.meth...@hw.ac.uk wrote:
>>
>>> If you have some lead laying around, you could line the rooms and turn the APs off during lecture times... But as other respondents have said it's not really a technology issue, you design your WIFI for full coverage for a reason. Students use laptops to take notes like we all used to use notepads. Similar to using notepads to draw on when bored in a lecture or write notes, our current students use their laptops to use facebook etc. The issue lecturers should look at is why their students are so bored in their lectures that they are losing interest!
>>>
>>> Many Thanks
>>> Peter
>>>
>>> Peter Methven
>>> Network Specialist
>>> Heriot-Watt University
>>> Edinburgh Scotland EH14 4AS
>>> (+44)0 131 4513516
>>>
>>> This email has been sent from a mobile phone, please excuse any creative spelling or grammar that may have occurred!
>>>
>>> On 18 Nov 2010, at 20:35, Russ Leathe russ.lea...@gordon.edu wrote:
>>>
>>>> We can push out different SSIDs with ACLs that limit what an authenticated user can access. However, our AP heatmap shows leakage from APs above and below the floors where the classrooms are. So, in a nutshell, it wasn't worth it (blocking that is). Especially true once you incorporate emergency notification via 802.11x.
>>>>
>>>> I would agree with other colleagues' comments, it's an academic/classroom/Professor issue. Northeastern, I believe, did not roll out 802.11x in the classrooms, because the Professors did not want it. The idea behind this decision was "you don't need wifi to take notes".
>>>>
>>>> I hope this is helpful,
>>>> Russ
>>>>
>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Luis Fernando Valverde
>>>> Sent: Thursday, November 18, 2010 2:31 PM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: [WIRELESS-LAN] WiFi blockers in classrooms
>>>>
>>>>> Hello,
>>>>>
>>>>> Has anybody used jammer WiFi blockers to block wireless network access in classrooms in order to help students to concentrate on course instruction? I would like to know which blockers are being used with success to do this? Can somebody tell me which is the best and cheapest solution (something as easy as turning a switch on/off)?
>>>>>
>>>>> Thanks,
>>>>> Luis Fernando
>>>>>
>>>>> ---
>>>>> Luis Fernando Valverde
>>>>> Director of Information Technology
>>>>> INCAE Business School
>>>>> Tel: +506 24 37 2338
>>>>> Fax: +506 24 33 9101
>>>>> fernando.valve...@incae.edu
>>>>> www.incae.edu
>>>>> ---
>>>>> The environment is everyone's concern. Let's avoid printing unnecessary e-mails.
Re: [WIRELESS-LAN] solar panel powered AP: pictures
DIY on the power side!

I didn't write details on the AP config:

- With the Proxim AP-4000 we use WDS or Mesh: the 5 GHz radio for uplink, the 2.4 GHz radio for Wi-Fi
- With Aruba our intention (we need to test this) is to interconnect with an ethernet cable an AP-60 with an AP-61. The AP-60 will do Mesh at 5 GHz (uplink), the AP-61 will serve Wi-Fi. Another solution with Aruba: AP-85 that can support 12V directly (no need for the 12V to 5V converter)

Both Proxim (AP-4000) and Aruba (AP-60, 61, 125, 124) have the same voltage requirements (5V) and same DC plug (very convenient)

Philippe
Univ. of TN

On Oct 6, 2010, at 9:59 PM, Peter P Morrissey wrote:

> Very cool! So it is a home-made, DIY solar powered AP kind of a thing then.
>
> Pete M.
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hanset, Philippe C
> Sent: Wednesday, October 06, 2010 7:31 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] solar panel powered AP: pictures
>
>> Some of you have asked to have details of our home-made solar panel powered AP. Since it is dismounted at the moment I was able to take clear pictures of the equipment's labels.
>>
>> http://www.flickr.com/photos/crangoncrangon/
>>
>> Best,
>>
>> Philippe
>> Univ. of TN
solar panel powered AP: pictures
Some of you have asked to have details of our home-made solar panel powered AP. Since it is dismounted at the moment I was able to take clear pictures of the equipment's labels.

http://www.flickr.com/photos/crangoncrangon/

Best,

Philippe
Univ. of TN
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
One more piece of info on the 00:11:22:33:44:55 weirdness:

We have a user registered in NetReg with MAC address 00:11:22:33:44:55. It is an iMac and was registered on our network in Parallels (browser reference is Windows NT 6.1).

I wonder how many of these strange MAC addresses are generated by virtual environments?

On Sep 28, 2010, at 11:11 AM, Jeff Wolfe wrote:

> We tracked one down yesterday and it turned out to be a Windows Mobile phone running Android. Decidedly not a MAC.. :)
>
> -Jeff
>
> On 9/28/10 10:44 AM, Andrew Clark wrote:
>
>> I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients.
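A registration system that keys device identity on the MAC address cannot distinguish several devices that all present 00:11:22:33:44:55, so one user's registration effectively admits every device with that placeholder. The script below is an added example, not code from NetReg or any registration product: it normalizes MACs from a constructed registration export (the user/MAC/browser-string layout and the sample rows are assumptions), flags placeholder, multicast-bit, locally-administered and sequential patterns, and reports any MAC registered by more than one user.

```python
"""Flag suspicious client MAC addresses in a device-registration export.

Added example for the odd-Airport-MAC thread above; it is not code from
NetReg or any registration system. The record layout (user, MAC, browser
string) and the sample rows are constructed, loosely after the thread.
"""
from collections import defaultdict

# Well-known placeholder addresses seen on generic or virtual adapters.
KNOWN_PLACEHOLDERS = {"001122334455", "123456789abc", "ffffffffffff"}


def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return digits


def classify(mac):
    """Return a list of reasons this MAC should not be trusted as a stable
    device identity; an empty list means it looks like an ordinary
    vendor-assigned unicast address."""
    digits = normalize(mac)
    if digits is None:
        return ["malformed"]
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    flags = []
    if all(o == 0 for o in octets):
        return ["null-address"]
    if digits in KNOWN_PLACEHOLDERS:
        flags.append("known-placeholder")
    # I/G bit: a set low bit in the first octet means group (multicast);
    # a client never legitimately sends from such an address.
    if octets[0] & 0x01:
        flags.append("multicast-bit-set")
    # U/L bit: locally administered, typical of VMs, bridges and
    # randomized adapters; not wrong, but not a hardware identity either.
    if octets[0] & 0x02:
        flags.append("locally-administered")
    # Octets that step by a constant (00:11:22:33:44:55) or never change
    # (aa:aa:aa:aa:aa:aa) are hand-typed or synthetic, not burned in.
    diffs = {(b - a) % 256 for a, b in zip(octets, octets[1:])}
    if len(diffs) == 1:
        step = diffs.pop()
        flags.append("repeated-octet" if step == 0 else "sequential-pattern")
    return flags


def audit(records):
    """records: iterable of (user, mac, browser_string) rows.

    Groups rows by normalized MAC and returns {mac: {"flags": [...],
    "owners": [...]}} for every MAC that raised at least one flag. A MAC
    registered by more than one user gets 'shared-by-multiple-users':
    MAC-based registration then cannot tell those devices apart.
    """
    by_mac = defaultdict(list)
    for user, mac, browser in records:
        key = normalize(mac) or mac
        by_mac[key].append((user, browser))
    result = {}
    for key, rows in by_mac.items():
        flags = classify(key)
        owners = sorted({user for user, _ in rows})
        if len(owners) > 1:
            flags.append("shared-by-multiple-users")
        if flags:
            result[key] = {"flags": flags, "owners": owners}
    return result


# Constructed registration rows (user, MAC as entered, browser string).
SAMPLE_RECORDS = [
    ("jdoe", "00:11:22:33:44:55", "Windows NT 6.1 (Parallels on iMac)"),
    ("asmith", "00-11-22-33-44-55", "Android on a Windows Mobile phone"),
    ("bkim", "3c:07:54:12:ab:cd", "Mac OS X"),
    ("clee", "02:42:ac:11:00:02", "Linux"),
    ("dlin", "00:00:00:00:00:00", "Windows NT 6.1"),
    ("elee", "01:00:5e:00:00:fb", "unknown"),
]

if __name__ == "__main__":
    for mac, info in audit(SAMPLE_RECORDS).items():
        print(mac, ", ".join(info["flags"]), "owners:", ", ".join(info["owners"]))
```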