Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-27 Thread Jake Snyder
I would check your RADIUS timeout.  The RADIUS session times out waiting for 
the MFA and it retries, resulting in multiple confirmations.

Sent from my iPhone
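Jake's diagnosis above (a RADIUS timeout shorter than the time the user takes to approve the push, so the client retransmits and each retransmit turns into another Microsoft Authenticator prompt) modelled in Python; this is an added example, not code from the thread, Cisco or Microsoft. RFC 2865 sec. 2 requires a NAS that retransmits an unchanged Access-Request to reuse the same Identifier and Request Authenticator, and RFC 5080 sec. 2.2.2 lets the server use that tuple to recognise the retransmit instead of treating it as a new request, which is the mitigation modelled by `dedupe=True`; whether a given RADIUS client complies is something to confirm in a capture. All timeouts, retry counts, latencies and addresses are constructed, not ISE or NPS defaults.

```python
"""Added example: why a RADIUS timeout shorter than the user's MFA approval time
multiplies Authenticator pushes, and how the server side can absorb retransmits
with RFC 5080 duplicate detection. All timings and addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Nas:
    """The RADIUS client in the thread's chain (ISE forwarding to NPS)."""
    timeout_s: float
    retries: int

    def transmissions(self):
        """(send_time, Identifier, Request Authenticator) for the first send and
        each retransmit. RFC 2865 sec. 2: an unchanged retransmit reuses both."""
        identifier, authenticator = 0x2A, b"\x11" * 16     # constructed values
        return [(i * self.timeout_s, identifier, authenticator)
                for i in range(self.retries + 1)]


@dataclass
class MfaRadiusServer:
    """Server in the NPS + MFA-extension position: it cannot send Access-Accept
    until the user approves the push."""
    approval_latency_s: float          # how long the user takes to tap Approve
    dedupe: bool                       # RFC 5080 sec. 2.2.2 duplicate detection on/off
    cache_ttl_s: float = 30.0          # how long a (src, id, authenticator) is remembered
    pushes_sent: int = 0
    _seen: dict = field(default_factory=dict)   # (src, id, authenticator) -> first seen

    def receive(self, src, identifier, authenticator, now):
        key = (src, identifier, authenticator)
        first = self._seen.get(key)
        if self.dedupe and first is not None and now - first < self.cache_ttl_s:
            return "duplicate"         # original push still outstanding: no new prompt
        self._seen[key] = now
        self.pushes_sent += 1
        return "push-sent"


def run(nas, server, src=("10.0.0.5", 49152)):
    """One login attempt. Returns (outcome, number of pushes the user saw)."""
    for sent_at, identifier, authenticator in nas.transmissions():
        if sent_at >= server.approval_latency_s:
            break                      # Access-Accept already arrived; no retransmit
        server.receive(src, identifier, authenticator, sent_at)
    client_gives_up_at = (nas.retries + 1) * nas.timeout_s
    outcome = "accept" if server.approval_latency_s <= client_gives_up_at else "give-up"
    return outcome, server.pushes_sent


if __name__ == "__main__":
    cases = {
        "5 s timeout, 3 retries, 12 s approval":        (Nas(5, 3), MfaRadiusServer(12, dedupe=False)),
        "60 s timeout, 1 retry, 12 s approval":         (Nas(60, 1), MfaRadiusServer(12, dedupe=False)),
        "5 s timeout, 3 retries, server deduplicates":  (Nas(5, 3), MfaRadiusServer(12, dedupe=True)),
        "5 s timeout, 2 retries, user takes 40 s":      (Nas(5, 2), MfaRadiusServer(40, dedupe=False)),
    }
    for label, (nas, server) in cases.items():
        print("%-46s -> %s, %d push(es)" % ((label,) + run(nas, server)))
```

The first case reproduces the "2 to 3 prompts" from the original question; the second is Jake's fix (raise the timeout past the approval time) and the third is the server-side fix.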

> On Aug 26, 2021, at 11:50 AM, Heavrin, Lynn  wrote:
> 
> 
> Anyconnect has a SAML built-in browser (which doesn’t seem to share SSO 
> sessions unfortunately) and I believe you can also have it open up your 
> preferred browser at least on windows anyway.  I have it running in my lab 
> right now and seems to work fine, though it’s been finicky at best until 
> recently.  Here’s a screenshot of what it looks like on Mac OS.  It pops up 
> automatically then connects like normal after creds are confirmed.
>  
> 
>  
> I’ll tell you it’s a much better experience for your users if they’re used to 
> logging in via SAML to other university resources because it’s familiar and 
> not the ugly anyconnect login client page.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Matthew Craig 
> 
> Date: Thursday, August 26, 2021 at 12:35 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
> 
>  
> Isn’t SAML entirely a web-based thing?  Sure, you can tie it into the actual 
> website URL of your ASA, but what about logging in directly from the 
> AnyConnect client itself?  This is not referenced in any documents I’ve seen 
> so far.  Is this possible?
>  
> website login for AnyConnect would be unfriendly to many users who are 
> already hostile to having to use VPN in the first place.
>  
> My research on the topic is that many people are going to ISE 3.0 and using 
> PAP to go to Azure AD for RA AnyConnect.  Additionally Azure AD doesn’t seem 
> to support PEAP-MSCHAPv2 right now, which does directly concern wireless.  
> (and yes I know EAP-TLS is the way that it “should” be done, but the 
> “should" doesn’t materialize into reality for many people.  Many simply are 
> not in a position to roll out EAP-TLS)
>  
> Azure AD seems to be designed with Cloud web-apps in mind only, and this 
> apparently is creating a lot of gaps on the Networking end, and Microsoft is 
> not in the Networking business to care.
>  
>  
> Please correct me on any point, I do have a lot of knowledge gaps on this 
> subject.
>  
>  
> -
> Matt
> 
> On Aug 26, 2021, at 9:14 AM, Jeffrey D. Sessler  
> wrote:
>  
> I 2nd Tim’s suggestion.  If the VPN is Cisco-based, they support using SAML 
> against AzureAD including MFA.
>  
> https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html
>  
> Jeff
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Manon Lessard 
> 
> Date: Thursday, August 26, 2021 at 7:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
> 
> We are talking VPN here and for the entire campus…
>  
> Manon Lessard
> Programming and Analysis Officer
> CCNP, CWNE #275, AWA 10, ESCE Design
> Information Technology Directorate
> Pavillon Louis-Jacques-Casault
> 1055, avenue du Séminaire
> Office 0403
> Université Laval, Québec (Québec)
> G1V 0A6, Canada
> 418 656-2131, ext. 412853
> Fax: 418 656-7305
> manon.less...@dti.ulaval.ca
> www.dti.ulaval.ca
> Notice of Confidentiality
>  
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of James Andrewartha 
> 
> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
> 
> Date: Thursday, August 26, 2021 at 10:50 AM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
>  
> Microsoft note this behaviour and have some sort of workaround in their NPS 
> MFA extension: 
> https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension
>  
> Really though, doing MFA for RADIUS is a square peg in a round hole, use MFA 
> to provision a client cert and do EAP-TLS instead.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Manon Lessard 
> 
> Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 
> 
> Date: Thursday, 26 August 2021 at 10:20 pm
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA
>  
> A question not directly related to Wi-Fi, but related to ISE which seems to 
> be something some of you use.
>  
> We are currently authenticating a VPN test group via ISE through NPS servers 
> (defined as a token server).
> The goal is to do MFA with Azure through the Authenticator app on people’s 
> phones.
> Everything works, but Authenticator pops up for confirmation, sometimes 2 to 
> 3 times, even if one has accepted the first 

Re: [WIRELESS-LAN] Multi sim 4G routers

2021-07-21 Thread Jake Snyder
Peplink is another I’ve seen used for load-balancing cellular connections.  But 
I’m a big cradlepoint fan as well.

Sent from my iPhone

> On Jul 21, 2021, at 9:07 AM, McClintic, Thomas  
> wrote:
> 
> 
> +1 for cradlepoint.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Travis Geske
> Sent: Wednesday, July 21, 2021 9:15 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Multi sim 4G routers
>  
> 
> We use CradlePoint and have been very happy with their products.  
>  
>  
> Travis Geske
> Director of Network Infrastructure
> MCP,MDAA,NCP-MCI,ECSE #2597,HYCU Admin
> Information Technology
> John A. Logan College
> 700 Logan College Road
> Carterville, IL  62918
> O:618-985-2828 x.8670
> www.jalc.edu
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Hales, David
> Sent: Wednesday, July 21, 2021 9:12 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Multi sim 4G routers
>  
> 
> While I didn’t end up using the multi-sim support, I’ve used these cellular 
> routers for remote locations in the past.  They’re pretty good products, 
> support dual SIM, battery backup or PoE, and external antennae.
>  
> https://www.digi.com/products/networking/cellular-routers/enterprise/digi-6310-dx
>  
> David Hales
> Network Systems Administrator
>  
> Information Technology Services
> Tennessee Tech University
> 1010 N. Peachtree Av., CLEM117
> Cookeville, TN 38505
> P: 931-372-3983
> E: dha...@tntech.edu
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Luke Whitworth
> Sent: Wednesday, July 21, 2021 8:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Multi sim 4G routers
>  
> Hi all,
>  
> We’ve got a requirement to support some learning spaces in remote locations.  
> We use Aruba wireless so if we can have some remote APs there, we just need 
> to work out how to backhaul them.  In the past I’ve resorted to a Raspberry 
> Pi and a 4G USB dongle (as although some Aruba access points have USB modem 
> support it was a nightmare that I gave up on).  However, for this people are 
> wanting more bandwidth and resiliency, and a plug in and go solution.  I’ve 
> found https://teltonika-networks.com/product/rutx09/, which seemingly ticks 
> lots of boxes but I was wondering if anyone has any experience with products 
> / vendors in this area that they’d be happy to share?  Ideally we’d like 
> multiple SIMs that we can load balance over, so we just plug in a few APs and 
> live in hope that all users don’t associate with just one AP!
>  
> Cheers,
>  
> Luke
>  
> Luke Whitworth
> Network Specialist
> Information Services
> Building 63 (IT) G46, Cranfield University, Cranfield, Bedfordshire MK43 0AL
> E: luke.whitwo...@cranfield.ac.uk
> T: +44 (0) 1234 75 4007
> W: www.cranfield.ac.uk
>  
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community

Re: [WIRELESS-LAN] Placement mapping of APs

2021-06-16 Thread Jake Snyder
Is there any kind of Prime > Ekahau > DNAC workflow you can leverage?

Sent from my iPhone

> On Jun 16, 2021, at 4:40 PM, Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
> 
> 
> They're a software company now.
> 
> 
> Lee Badman | Network Architect | CWNE #200
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Michael Usher 
> <010ef28e43bf-dmarc-requ...@listserv.educause.edu>
> Sent: Wednesday, June 16, 2021 6:10 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] Placement mapping of APs
>  
> And the floor ordering is inverted!  At least CPI let you define the sequence 
> correctly.
> 
> Cisco DNAC — “up is down and down is up!"
> —
> Michael Usher
> Network Operations Manager
> University of California, Santa Cruz
> mus...@ucsc.edu | 831-459-3697
> 
>> On Jun 16, 2021, at 2:37 PM, William Green  wrote:
>> 
>> One of my hot buttons...
>> 
>> We've brought this up with Cisco Product Managers over the years, and they 
>> don't seem to get it.  Perhaps a critical mass on this group could get it 
>> raised in priority.  We've suggested Geographic Information Systems numerous 
>> times.  You would not necessarily need GPS reception inside the building.  
>> Just geo-reference a few exterior corners of a floor plan, and any GIS 
>> system projects specific coordinates as you drop an AP.  I had some grad 
>> students do this with a percentage of our floorplans a decade ago and it all 
>> worked.  Then you should be able to export those and re-import into any 
>> floor plan that is geo-referenced.
>> 
>> Related, Cisco's mapping (DNAC and DNASpaces) is pretty two dimensional, and 
>> doesn't have the concept of a campus with many buildings and many floors to 
>> those buildings.  
>> 


Re: [WIRELESS-LAN] Client roaming

2020-10-09 Thread Jake Snyder
One thing to keep in mind is that iOS devices start behaving poorly when they 
have no good option above -65.  That’s the threshold above which they prefer 5GHz, and when 
you combine that with “hallway design” and “band select” you are asking for a 
bad time.

Scenario:
Client doesn’t see 5GHz above -65.  2.4GHz looks better, client tries to 
associate and band select tries to send them back.  Client doesn’t think 5GHz 
meets its requirements, tries to associate on 2.4GHz.  Round and round they go.

If you need band select for devices like iOS that prefer 5GHz, you likely don’t 
have enough 5GHz coverage, and trying to force them to 5GHz only results in 
issues.

A better approach is to have at least 6 dB more transmit power on 5GHz than on 
2.4.  This makes 5GHz generally look more attractive so clients naturally pick 
it; band select is not needed.  You can easily do this with TPC min/max settings. 

Also keep this in mind when looking at your survey reports: -65 is as measured by 
the device, not your fancy Sidekick or AirCheck.  Figure you need an extra 
7-10 dB delta to overcome the limitations of some mobile devices.  That puts 
you at -58 to -55 as measured.



Sent from my iPhone
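Jake's survey check and band-select scenario turned into a small Python audit over constructed survey points; this is an added example, not code from the thread or from any vendor. The -65 dBm iOS preference threshold, the 6 dB 5 GHz power advantage and the 7-10 dB tool-to-phone offset are the thread's numbers; the -80 dBm band-select hold-off, the client decision rule and the survey readings are modelling assumptions.

```python
"""Added example: audit survey points the way Jake's post suggests, for an
iOS-style client that prefers 5 GHz only above -65 dBm and sits behind band select.
Thresholds come from the thread; readings and the client/AP rules are constructed."""
from dataclasses import dataclass

IOS_5GHZ_PREFERENCE_DBM = -65      # thread: below this iOS stops favouring 5 GHz
DEVICE_OFFSET_RANGE_DB = (7, 10)   # thread: survey tool hears 7-10 dB better than a phone
BAND_SELECT_HOLDOFF_DBM = -80      # assumption: AP keeps steering while it hears the
                                   # client on 5 GHz above this level


@dataclass(frozen=True)
class SurveyPoint:
    name: str
    rssi_24_dbm: int    # as measured by the survey tool
    rssi_5_dbm: int


def survey_target_dbm(threshold=IOS_5GHZ_PREFERENCE_DBM, offsets=DEVICE_OFFSET_RANGE_DB):
    """What the survey tool must show for the phone to see `threshold`: (-58, -55) for -65."""
    lo, hi = offsets
    return threshold + lo, threshold + hi


def as_seen_by_phone(measured_dbm, offset_db=DEVICE_OFFSET_RANGE_DB[0]):
    """Translate a survey-tool reading into what a weaker mobile radio sees."""
    return measured_dbm - offset_db


def client_verdict(point, tpc_delta_5g_db=0, offset_db=DEVICE_OFFSET_RANGE_DB[0]):
    """Modelled outcome for one location. tpc_delta_5g_db is the extra 5 GHz
    transmit power relative to 2.4 GHz (the TPC min/max lever in the post)."""
    r24 = as_seen_by_phone(point.rssi_24_dbm, offset_db)
    r5 = as_seen_by_phone(point.rssi_5_dbm, offset_db) + tpc_delta_5g_db
    if r5 >= IOS_5GHZ_PREFERENCE_DBM or r5 > r24:
        return "settles-5GHz"      # client picks 5 GHz without being pushed
    if r5 >= BAND_SELECT_HOLDOFF_DBM:
        return "ping-pong"         # client wants 2.4, AP keeps steering it back: the loop
    return "settles-2.4GHz"        # AP cannot hear it on 5 GHz, so no steering; 2.4 wins


def audit(points, tpc_delta_5g_db=0):
    """Map each survey point to its verdict; compare 0 against +6 dB."""
    return {p.name: client_verdict(p, tpc_delta_5g_db) for p in points}


SAMPLE_POINTS = [                      # constructed readings on the survey-tool scale
    SurveyPoint("dorm-hallway", rssi_24_dbm=-55, rssi_5_dbm=-60),
    SurveyPoint("dorm-room-end", rssi_24_dbm=-70, rssi_5_dbm=-85),
    SurveyPoint("lounge", rssi_24_dbm=-60, rssi_5_dbm=-52),
]

if __name__ == "__main__":
    print("survey target for -65 at the phone:", survey_target_dbm())
    for delta in (0, 6):
        print("5 GHz TPC +%d dB:" % delta, audit(SAMPLE_POINTS, delta))
```

The hallway point is the instructive one: a 5 GHz reading of -60 on the tool becomes -67 at the phone, so the client prefers 2.4 GHz and band select fights it, while a 6 dB 5 GHz advantage lifts it over the -65 line and the fight disappears.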

> On Oct 9, 2020, at 1:08 PM, James Helzerman  wrote:
> 
> 
> Best thing you can do for clients is have a 5GHz only SSID.  We moved over 
> the summer to this with our main 802.1x network and it has fixed a ton of 
> these roaming issues and complaints of performance.  Basically take the 
> decision making out of the hands of the client, give them only one band to 
> choose from.  Band Select / steering may work but can lead to a lot of user 
> issues as roaming can break if the client doesn't take the hint to use 5GHz.  
> Transitions with real time applications like voice can be negatively affected.
> 
> For those on our campus that have 2.4GHz only devices, we offer eduroam in 
> both bands and have them use that then use AAA override to place them in the 
> same network as our branded ssid giving them all the same access to 
> resources.  Our branded 802.1x, MWireless, has 95% of our user devices.
> 
> -Jimmy
> 
> 
> -- 
> James Helzerman
> Wireless Network Engineer
> University of Michigan - ITS
> 
>> On Fri, Oct 9, 2020 at 12:03 PM Enfield, Chuck  wrote:
>> FWIW, I’ve been reluctant to assume this is a new problem.  Usage patterns 
>> have changed in the dorms and people are spending much more time using 
>> real-time protocols than ever before.  Those protocols make brief 
>> connectivity issues very noticeable.  It’s quite possible we’ve always had 
>> these problems, but they rarely bothered users enough to make them open 
>> trouble tickets.
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Michael Davis
>> Sent: Friday, October 09, 2020 10:49 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Client roaming
>> 
>>  
>> 
>> We're an Aruba shop and only seeing it on iOS and MacOS devices.  
>> 
>> 
>> On 10/9/20 10:44 AM, Mallon, Jason wrote:
>> 
>> I have not been able to pinpoint a device type as of yet.  It seems to be 
>> happening across all platforms including game systems.
>> 
>>  
>> 
>> Thanks,
>> 
>> Jason Mallon | Network Engineer III  
>> 
>> 
>>  
>> 
>> OIT  
>> The University of Alabama 
>> jemal...@ua.edu  
>> 
>> 
>>  
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> 
>> Date: Friday, October 9, 2020 at 9:40 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> Subject: [EXTERNAL] Re: [WIRELESS-LAN] Client roaming
>> 
>> We’re an Aruba shop and have noticed similar behavior.  We’re having more 
>> incidents of intermittent connectivity issues this year than in previous 
>> years, and most of those clients are making questionable roaming decisions.  
>> It’s been really prevalent with iOS and MacOS.  Much less on Windows and 
>> Android.  There’s always been problems with picking a good radio when those 
>> devices first connect, but, historically, once they were steered to a good 
>> 5GHz radio they stayed there.  They’re not staying there this year.  We 
>> haven’t figured out why.
>> 
>>  
>> 
>> Chuck Enfield
>> 
>> Manager, Wireless and Cellular
>> 
>> Penn State IT
>> 
>> 814.863.8715
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Mallon, Jason
>> Sent: Friday, October 09, 2020 10:30 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Client roaming
>> 
>>  
>> 
>> Wondering if anybody else is seeing this.  We currently have devices doing a 
>> lot of roaming between 5 and 2.4 radios, especially in the dorms.  I would 
>> not think anything of it normally, but they are moving from a -52 to -58 on 
>> the 5 radio to a -75 or worse on the 2.4 radio.  This doesn’t seem to matter 
>> what SSID they are connected to.  Band select is enabled on all SSIDs.  We 
>> are running Cisco 8540 WLCs on 8.10.130.  Most of the complaints are coming 
>> from the dorms, 

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-31 Thread Jake Snyder
It should change the next time it associates.

Sent from my iPhone

> On Jul 30, 2020, at 1:02 PM, GT Hill  wrote:
> 
> 
> From what I understand it will keep the same MAC longer if it is passing traffic 
> at that 24 hour mark. 
> 
> GT Hill
> 
>> On Thu, Jul 30, 2020 at 1:44 PM Rios, Hector J 
>>  wrote:
>> I’ve done several tests on an iPhone 7 and there have been instances where 
>> the phone retains the same private MAC addr longer than 24 hours. Has anyone 
>> else done more testing?
>> 
>>  
>> 
>> Hector Rios, Wireless Network Architect
>> 
>> The University of Texas at Austin
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Enfield, Chuck
>> Sent: Friday, July 10, 2020 4:14 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>>  
>> 
>> Ahh.  I glossed right over the 24-hour part.  That’s much less distressing, 
>> but I’m going to have a beer anyway.
>> 
>>  
>> 
>> Thanks Tim.
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Tim Cappalli
>> Sent: Friday, July 10, 2020 5:04 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>>  
>> 
>> But why would that change anything? A user on campus for a football game is 
>> there for less than 24 hours. The MAC address changes per ESSID, every 24 
>> hours. I don’t understand what changes here for that use case?
>> 
>>  
>> 
>> It really only impacts mid to long term guests. So I guess in your example, 
>> parents weekend may be the one that is affected. But even then, dropping the 
>> lease times would solve the problem. I believe many wireless vendors 
>> recommend a visitor lease time of 1-8 hours.
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> 
>> Date: Friday, July 10, 2020 at 17:01
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>> Tim,
>> 
>> With Covid, any lease time would not be an issue. But how big were your home 
>> football events / tailgate parties / parent weekends at Brandeis? I’m 
>> focusing more on the impact of those events on the guest side of things.
>> 
>> Brad
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
>> Sent: Friday, July 10, 2020 3:53 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>>  
>> 
>> Agreed on IPv6, but even for IPv4, I imagine most folks are running short 
>> leases on a visitor network, so I don’t really think much changes here. If 
>> your leases are 12 hours or less, there should be no impact.
>> 
>>  
>> 
>> tim
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> 
>> Date: Friday, July 10, 2020 at 16:51
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>> Maybe a good use case for IPv6
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Enfield, Chuck
>> Sent: Friday, July 10, 2020 3:49 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>>  
>> 
>> Uhg.  Didn’t even think about that.
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Eric LaCroix
>> Sent: Friday, July 10, 2020 4:48 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>>  
>> 
>> We’re all going to need to check the TTL on DHCP leases… some of our scopes 
>> will get eaten alive otherwise.
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  on behalf of "Floyd, Brad" 
>> 
>> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
>> 
>> Date: Friday, July 10, 2020 at 3:42 PM
>> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
>> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>>  
>> 
>> Thanks Tim. I just started a conversation with my SE.
>> 
>> Brad
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
>> Sent: Friday, July 10, 2020 2:07 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [EXTERNAL]Re: [WIRELESS-LAN] MAC Randomization, a step further...
>> 
>>  
>> 
>> For extended visitor use cases (over 1 day), Passpoint is really the only 
>> feasible solution moving forward. Aruba has a Passpoint offering/service 
>> called Air Pass and WBA’s OpenRoaming initiative is gaining a lot of support.
>> 
>>  
>> 
>> tim
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> 
>> Date: Friday, July 10, 

Re: [WIRELESS-LAN] Icing ISE 2.1 but where to jump

2020-07-16 Thread Jake Snyder
Typically I've monitored the release cycle on patches to determine how "bad" 
things were.

In the olden days, Cisco would release a patch when a fixed number of serious 
issues were resolved.  You could then track how many serious bugs were being 
fixed by the interval between patches.  Quicker patches mean more issues with 
a higher severity.  If the intervals between patches went down, things were 
starting to stabilize.  So if you saw a patch two months in a row, it might be 
a "let's wait for the next one."  

Not sure that will hold true, now that Cisco is saying that "all" releases will 
be stable-train moving forward for ISE.  I see it's been a while from 2.7 to 
2.7p1.  That could be a good sign.  Typically I would wait 2 months before 
upgrading to make sure there weren't repeated patches.  You see this even with 
some long-lived trains that have patches 8,9,10,11 all very close together.


> On Jul 16, 2020, at 2:02 PM, Ciesinski, Nick  wrote:
> 
> ISE 2.7 is a stable release. Cisco released very few new features and instead 
> focused a lot of bug fixes in 2.6 and 2.7. 




Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
I uploaded the failed Reauth from CPPM along with the debug from the controller 
to that folder if you want to see what the output was.  The WLC tells you what 
it likes/disliked.
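The packet-level side of the Event-Timestamp (type 55) NAK this thread debugs, as an added Python example (not code from the thread, Cisco, ClearPass or ISE): it builds RFC 5176 Disconnect-Request and CoA-Request packets with the Request Authenticator computed as that RFC specifies (RFC 5176 is the current revision of the RFC 3576 CoA specification), and a constructed NAS model with an attribute allow-list answers with Error-Cause 401 (Unsupported Attribute) when 55 is present, which is the NAK Ryan reports. The shared secret, session values and the allow-list are made up; the two UDP port constants are the ones the thread compares (3799 from RFC 5176, 1700 as the Cisco default).

```python
"""Added example: RFC 5176 Disconnect/CoA requests, their authenticators, and the
NAK a NAS returns for an attribute it rejects. The NAS is a constructed stand-in."""
import hashlib
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types (RFC 2865, RFC 2866, RFC 5176)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
EVENT_TIMESTAMP, ERROR_CAUSE = 55, 101
ERROR_CAUSE_UNSUPPORTED_ATTRIBUTE = 401
RFC_5176_PORT, CISCO_DEFAULT_COA_PORT = 3799, 1700   # the two ports compared in the thread
HEADER = struct.Struct("!BBH")                        # Code, Identifier, Length
ALLOWED_BY_NAS = frozenset({USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID})  # constructed

def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> concatenated Type(1) Length(1) Value AVPs."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(blob):
    """Inverse of encode_attrs; raises on a truncated or zero-length AVP."""
    attrs, i = [], 0
    while i < len(blob):
        t, ln = struct.unpack_from("!BB", blob, i)
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs

def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_response(response, request, secret):
    """Client side: the reply must carry our Identifier and a valid Response Authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected

def strict_nas(request, secret, allowed=ALLOWED_BY_NAS):
    """Constructed NAS: silently discards a bad length or Request Authenticator,
    NAKs with Error-Cause 401 if any attribute is outside its allow-list, else ACKs."""
    if len(request) < 20:
        return None
    code, _ident, length = HEADER.unpack_from(request)
    if length != len(request):
        return None
    body = request[20:]
    if request[4:20] != hashlib.md5(request[:4] + bytes(16) + body + secret).digest():
        return None                       # wrong shared secret looks like no reply at all
    ack, nak = ((DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST
                else (COA_ACK, COA_NAK))
    if any(t not in allowed for t, _ in decode_attrs(body)):
        cause = struct.pack("!I", ERROR_CAUSE_UNSUPPORTED_ATTRIBUTE)
        return build_response(nak, request, [(ERROR_CAUSE, cause)], secret)
    return build_response(ack, request, [], secret)

def error_cause(response):
    """Error-Cause value carried by a NAK, or None."""
    for t, v in decode_attrs(response[20:]):
        if t == ERROR_CAUSE:
            return struct.unpack("!I", v)[0]
    return None

def coa_outcome(request, secret):
    """Run one request against the constructed NAS and classify what the client sees."""
    response = strict_nas(request, secret)
    if response is None:
        return "no-response"
    if not verify_response(response, request, secret):
        return "bad-authenticator"
    if response[0] in (DISCONNECT_ACK, COA_ACK):
        return "ack"
    return "nak:%s" % error_cause(response)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    session = [(USER_NAME, b"student1"), (ACCT_SESSION_ID, b"5e9a00010000001f")]
    plain = build_request(DISCONNECT_REQUEST, 7, session, secret)
    stamped = build_request(DISCONNECT_REQUEST, 8, session + [(EVENT_TIMESTAMP, struct.pack("!I", 1587139200))], secret)
    print("without Event-Timestamp:", coa_outcome(plain, secret))    # ack
    print("with Event-Timestamp:   ", coa_outcome(stamped, secret))  # nak:401
    print("wrong shared secret:    ", coa_outcome(plain, b"other"))  # no-response
```

A real capture can be checked the same way: decode the attributes of the NAK with `decode_attrs` and read Error-Cause, which is the value the WLC debug output paraphrases as an unsupported attribute.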



> On Apr 17, 2020, at 11:49 AM, Jake Snyder  wrote:
> 
> Both of those worked.  Both received ACKs from the WLC.
> 
> 
> 
>> On Apr 17, 2020, at 11:38 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>> 
>> Thank you!  You are getting ACKs on both, and the ‘Disconnect’ that matches 
>> what we are doing omits the Time Stamp AVP.  The CoA-Reauth has the time 
>> stamp.  I am a little confused.  Did the first or second fail?
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jake Snyder
>> Sent: Friday, April 17, 2020 1:28 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> Here are some PCAPs for you folks.
>> https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0
>>  
>> One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My 
>> Reauth from CPPM failed).
>>  
>> Also, if you run *debug aaa events enable* on the Cisco WLC it will likely 
>> tell you which attribute it hates/needs.
>>  
>> Thanks
>> Jake
>>  
>> 
>> 
>> On Apr 17, 2020, at 11:06 AM, Jake Snyder <jsnyde...@gmail.com> wrote:
>>  
>> Care to share a link to the doc?
>>  
>> 
>> 
>> On Apr 17, 2020, at 10:13 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>>  
>> I really think Felix hit the nail on the head.  I found the documentation 
>> with the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) 
>> is NOT a supported option.  We are getting NAKs back stating that we are 
>> sending an ‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out 
>> of the CoA.  In the meantime, I have also asked the other institution to 
>> look at their configs and validate 3799.
>>  
>> Ryan
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis K. Larsen
>> Sent: Friday, April 17, 2020 12:03 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> We use 1700 as well for our CoA stuff against the Cisco 8540 with 
>> PacketFence.
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H <rhtur...@email.unc.edu>
>> Sent: Friday, April 17, 2020 10:01 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
>> But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.
>>  
>> From: Turner, Ryan H 
>> Sent: Friday, April 17, 2020 12:00 PM
>> To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> So apparently that changed.  If you search on Cisco, you will note that they 
>> seemed to go away from the default port.  I do not think we would be getting 
>> a properly formatted NAK if we were sending to the wrong port.  But I am 
>> going to ask the other institution to validate that.
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Abhiramms
>> Sent: Friday, April 17, 2020 11:25 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> Ryan,
>>  
>> Have you tried UDP port 1700?
>> A

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
Both of those worked.  Both received ACKs from the WLC.



> On Apr 17, 2020, at 11:38 AM, Turner, Ryan H  wrote:
> 
> Thank you!  You are getting ACKs on both, and the ‘Disconnect’ that matches 
> what we are doing omits the Time Stamp AVP.  The CoA-Reauth has the time 
> stamp.  I am a little confused.  Did the first or second fail?
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Jake Snyder
> Sent: Friday, April 17, 2020 1:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> Here are some PCAPs for you folks.
> https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0
>  
> One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My 
> Reauth from CPPM failed).
>  
> Also, if you run *debug aaa events enable* on the Cisco WLC it will likely 
> tell you which attribute it hates/needs.
>  
> Thanks
> Jake
>  
> 
> 
> On Apr 17, 2020, at 11:06 AM, Jake Snyder <jsnyde...@gmail.com> wrote:
>  
> Care to share a link to the doc?
>  
> 
> 
> On Apr 17, 2020, at 10:13 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>  
> I really think Felix hit the nail on the head.  I found the documentation 
> with the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) 
> is NOT a supported option.  We are getting NAKs back stating that we are 
> sending an ‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out 
> of the CoA.  In the meantime, I have also asked the other institution to look 
> at their configs and validate 3799.
>  
> Ryan
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis K. Larsen
> Sent: Friday, April 17, 2020 12:03 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H <rhtur...@email.unc.edu>
> Sent: Friday, April 17, 2020 10:01 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
> But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.
>  
> From: Turner, Ryan H 
> Sent: Friday, April 17, 2020 12:00 PM
> To: The EDUCAUSE Wireless Issues Community Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> So apparently that changed.  If you search on Cisco, you will note that they 
> seemed to go away from the default port.  I do not think we would be getting 
> a properly formatted NAK if we were sending to the wrong port.  But I am 
> going to ask the other institution to validate that.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Abhiramms
> Sent: Friday, April 17, 2020 11:25 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> Ryan,
>  
> Have you tried UDP port 1700. 
> As far as I can remember, the default port when adding a radius client for a 
> cisco device was 1700. 
>  
> Also - I usually refer to this link that has the different CoA pcaps captured 
> from a cisco perspective:
>  
> https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing
>  
> <https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing>
>  
> Source - 
> https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/ 
> <https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/>
>  
> Thanks 
> Abhi 
> 
>  
> 
> On Apr 17, 2020, at 8:07 AM, Turner, Ryan H  <mailto:rhtur...@email.unc.edu>> wrote:
> 
>  
> Thank you Felix.  We

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth 
from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell 
you which attribute it hates/needs.

Thanks
Jake


> On Apr 17, 2020, at 11:06 AM, Jake Snyder  wrote:
> 
> Care to share a link to the doc?
> 
> 
>> On Apr 17, 2020, at 10:13 AM, Turner, Ryan H wrote:
>> 
>> I really think Felix hit the nail on the head.  I found the documentation 
>> with the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) 
>> is NOT a supported option.  We are getting NAKs back stating that we are 
>> sending an ‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out 
>> of the CoA.  In the meantime, I have also asked the other institution to 
>> look at their configs and validate 3799.
>>  
>> Ryan
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Curtis K. Larsen
>> Sent: Friday, April 17, 2020 12:03 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> We use 1700 as well for our CoA stuff against the Cisco 8540 with 
>> PacketFence.
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H
>> Sent: Friday, April 17, 2020 10:01 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
>> But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.
>>  
>> From: Turner, Ryan H 
>> Sent: Friday, April 17, 2020 12:00 PM
>> To: The EDUCAUSE Wireless Issues Community Group Listserv
>> Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> So apparently that changed.  If you search on Cisco, you will note that they 
>> seemed to go away from the default port.  I do not think we would be getting 
>> a properly formatted NAK if we were sending to the wrong port.  But I am 
>> going to ask the other institution to validate that.
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Abhiramms
>> Sent: Friday, April 17, 2020 11:25 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
>> of Authorization)
>>  
>> Ryan,
>>  
>> Have you tried UDP port 1700. 
>> As far as I can remember, the default port when adding a radius client for a 
>> cisco device was 1700. 
>>  
>> Also - I usually refer to this link that has the different CoA pcaps 
>> captured from a cisco perspective:
>>  
>> https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing
>>  
>> Source - 
>> https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/
>>  
>> Thanks 
>> Abhi 
>> 
>>  
>> 
>> On Apr 17, 2020, at 8:07 AM, Turner, Ryan H wrote:
>> 
>>  
>> Thank you Felix.  We do have this attribute present.  Let me see if I can 
>> get it removed.
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
>> Sent: Friday, April 17, 2020 9:52 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
Care to share a link to the doc?


> On Apr 17, 2020, at 10:13 AM, Turner, Ryan H  wrote:
> 
> I really think Felix hit the nail on the head.  I found the documentation 
> with the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) 
> is NOT a supported option.  We are getting NAKs back stating that we are 
> sending an ‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out 
> of the CoA.  In the meantime, I have also asked the other institution to look 
> at their configs and validate 3799.
>  
> Ryan
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Curtis K. Larsen
> Sent: Friday, April 17, 2020 12:03 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Turner, Ryan H 
> 
> Sent: Friday, April 17, 2020 10:01 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
> But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.
>  
> From: Turner, Ryan H 
> Sent: Friday, April 17, 2020 12:00 PM
> To: The EDUCAUSE Wireless Issues Community Group Listserv 
> 
> Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> So apparently that changed.  If you search on Cisco, you will note that they 
> seemed to go away from the default port.  I do not think we would be getting 
> a properly formatted NAK if we were sending to the wrong port.  But I am 
> going to ask the other institution to validate that.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Abhiramms
> Sent: Friday, April 17, 2020 11:25 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> 
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> Ryan,
>  
> Have you tried UDP port 1700. 
> As far as I can remember, the default port when adding a radius client for a 
> cisco device was 1700. 
>  
> Also - I usually refer to this link that has the different CoA pcaps captured 
> from a cisco perspective:
>  
> https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing
>  
> 
>  
> Source - 
> https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/ 
> 
>  
> Thanks 
> Abhi 
> 
>  
> 
> On Apr 17, 2020, at 8:07 AM, Turner, Ryan H wrote:
> 
>  
> Thank you Felix.  We do have this attribute present.  Let me see if I can get 
> it removed.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
> Sent: Friday, April 17, 2020 9:52 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> 
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking 
> CoAs when the Event-Timestamp attribute was present.
>  
> thx,
> felix
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H"
> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
> Date: Friday, April 17, 2020 at 9:26 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
> Authorization)
>  
> We currently use Extreme Network Access Control.  We have had this for 14 
> years and it works very well.  We integrated it with Aruba wireless years 
> ago, and we are able to send back filter IDs on the initial authentication to 
> change roles, as well as issue disconnects to the user, forcing them to 
> reauthenticate to their new policy (for example, a user is online and doing 
> something bad, we send a disconnect message to the controllers and the user 
> reconnects and authenticates with the new role).
>  
> We are now having to integrate with another institution's Cisco wireless 
> controllers.  We have the authentication stuff working great.  But we are 
> unable to get the disconnect/CoA to work.  We believe we have the correct 
> format (xx-xx-xx-xx-xx-xx) and we are utilizing 
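The exchange the thread is debugging, as an added example that is not code from the list, from Extreme NAC, ISE, ClearPass or Cisco. One correction to the subject line first: the RADIUS Dynamic Authorization Extensions (CoA and Disconnect) are RFC 3576, obsoleted by RFC 5176; RFC 3587 is the IPv6 unicast address format. RFC 5176 registers UDP 3799 for the NAS side; Cisco WLCs commonly default to 1700, as the thread says. The Python below builds a Disconnect-Request with Calling-Station-Id (attribute 31, xx-xx-xx-xx-xx-xx form) and Event-Timestamp (attribute 55), computes the Request Authenticator per RFC 5176 section 2.3, and checks the Response Authenticator on the reply. `picky_nas` is a constructed stand-in for a NAS that answers any request carrying attribute 55 with a NAK and Error-Cause (101) value 401, "Unsupported Attribute", which is the behaviour Ryan reports; `strip_attribute` re-signs the request without it, which is what he is asking Extreme to do. The shared secret and MAC address are made up; nothing is sent on the wire.

```python
"""RFC 5176 Disconnect/CoA packets: build, sign, verify, and strip an attribute.

Added example for the thread, not vendor code. Packet codes and attribute numbers
come from RFC 5176 (codes 40-45, Error-Cause 101), RFC 2865 (Calling-Station-Id 31)
and RFC 2869 (Event-Timestamp 55). picky_nas is a constructed NAS, not a real WLC.
"""
import hashlib
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31       # RFC 2865
ATTR_EVENT_TIMESTAMP = 55          # RFC 2869
ATTR_ERROR_CAUSE = 101             # RFC 5176
ERROR_UNSUPPORTED_ATTRIBUTE = 401  # RFC 5176 section 3.5
DEFAULT_PORT_RFC = 3799            # RFC 5176; Cisco WLCs commonly listen on 1700


def encode_attrs(attrs):
    """TLV-encode [(type, value_bytes), ...]; a value is at most 253 bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse the attribute area back into [(type, value_bytes), ...]."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Reject spoofed or mismatched ACK/NAKs: ID must match, authenticator must check."""
    if response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request[4:20] + body + secret).digest() == auth


def strip_attribute(packet, atype, secret):
    """Rebuild and re-sign a request without one attribute type (e.g. 55)."""
    attrs = [(t, v) for t, v in decode_attrs(packet[20:]) if t != atype]
    return build_request(packet[0], packet[1], attrs, secret)


def error_cause(response):
    for t, v in decode_attrs(response[20:]):
        if t == ATTR_ERROR_CAUSE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def picky_nas(packet, secret):
    """Constructed NAS: bad authenticator -> silent discard (None, as RFC 5176 requires);
    Event-Timestamp present -> NAK with Error-Cause 401; otherwise ACK."""
    if len(packet) < 20 or not verify_request(packet, secret):
        return None
    is_disc = packet[0] == DISCONNECT_REQUEST
    ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if is_disc else (COA_ACK, COA_NAK)
    if any(t == ATTR_EVENT_TIMESTAMP for t, _ in decode_attrs(packet[20:])):
        cause = struct.pack("!I", ERROR_UNSUPPORTED_ATTRIBUTE)
        return build_response(nak, packet, [(ATTR_ERROR_CAUSE, cause)], secret)
    return build_response(ack, packet, [], secret)


def demo(secret=b"constructed-shared-secret", mac=b"00-11-22-33-44-55"):
    """Disconnect with attribute 55, then retry without it; return (code1, cause, code2)."""
    attrs = [(ATTR_CALLING_STATION_ID, mac),
             (ATTR_EVENT_TIMESTAMP, struct.pack("!I", int(time.time())))]
    req = build_request(DISCONNECT_REQUEST, 7, attrs, secret)
    first = picky_nas(req, secret)
    assert verify_response(first, req, secret)
    retry = strip_attribute(req, ATTR_EVENT_TIMESTAMP, secret)
    second = picky_nas(retry, secret)
    assert verify_response(second, retry, secret)
    return first[0], error_cause(first), second[0]


if __name__ == "__main__":
    print(demo())  # (42, 401, 41): Disconnect-NAK/Unsupported Attribute, then Disconnect-ACK
```

Two practitioner checks fall out of this. A NAS that cannot validate the Request Authenticator (wrong shared secret, or a request that never reached the listening port) is required to discard it silently, so a timeout means port or secret, while a properly formed NAK with Error-Cause 401 means the NAS understood the packet and rejected an attribute, which matches Ryan's reasoning in the thread. And because the authenticator covers the attribute list, dropping Event-Timestamp is not a matter of deleting bytes from a captured packet; the request has to be rebuilt and re-signed, as `strip_attribute` does.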

Re: [WIRELESS-LAN] New and separate SSID for 2.4Ghz?

2020-01-31 Thread Jake Snyder
A fun story that happened to me at a university:

They did as you propose: 2.4GHz-only and 5GHz-only separate SSIDs.  The first 
week of school they had ~80% of clients on 5GHz.

About three weeks before the end of the semester, Wi-Fi complaints had gone 
up, and the percentage of clients on 2.4GHz had grown to 50%.  This is when I 
got a call to come look at it.

Over the course of the semester, a DHCP outage and internet circuit outage led 
folks to try “to see if the other network was working.”  But, when students 
arrived on campus every morning, they picked up the 2.4GHz-only network first.  
Then they spent all day on it, because the client won’t leave the 2.4GHz SSID 
while it’s present.

I asked for a 2-minute outage for the 2.4GHz network.  I disabled it for 2 
minutes and then re-enabled it.  10 minutes later it was back to 80% 5GHz and 
20% 2.4GHz.

The moral of the story: you can’t out-engineer people’s behavior.  When things 
break, when they experience issues, they will try to work around it.  As much 
as some folks might imagine their networks are perfect, I’ve yet to find one 
that is.

The best way to overcome this is to have a 5GHz-only SSID and a dual-band SSID.  
That way if students do choose to connect to the other SSID, they have a way 
for their device to make a better choice most of the time.  This also ensures 
that you can do the Apple Watch with a 2.4GHz radio without dramatically 
hurting their iPhone’s connectivity.

In summary:
Use dual band instead of a 2.4GHz-only network.
Make sure 5GHz is 6 dB greater than 2.4GHz in transmit power.

I would also add, make sure you don’t use band steering on either network.

Jake Snyder



Sent from my iPad

>> On Jan 31, 2020, at 4:13 PM, Seddon, James 
>> <0159faeb9fd9-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Happy Friday, everyone!
>  
> In high density areas of our campus (library, center of 
> campus food courts, large lecture halls, etc), we often turn off some 2.4Ghz 
> radios to help avoid co-channel interference issues.
>  
> We think we’re seeing behavior where client devices in motion attach to an AP 
> in 2.4, then stubbornly hang on to that frequency (and sometimes AP), even if 
> they end up in a location with a much stronger 5 Ghz signal from a closer AP. 
>   And of course, with the messy nature of the 2.4 band, they’re even more 
> susceptible to interference using a weak signal from a distant AP.
>  
> We do have Cisco’s band steering already in play, but we think it might be of 
> limited benefit in situations like this.  Our general advice is for clients 
> to prefer 5.0GHz when they can.  But we think most users are just letting 
> their devices do what they want, and we really have no control over that.
>  
> We’re considering converting our main SSIDs to offer 5 GHz only.   And then 
> creating a new SSID that offers 2.4 service (MainSSID2-4, or Legacy2-4, or 
> something).
>  
> Because we believe we have good 5.0GHz coverage, we think this change would 
> be invisible to most users who have 5 GHz capable devices.   Their devices 
> are already configured to connect to our main SSID, and they would just do so 
> in 5Ghz from then on.  They’d see the 2.4 SSID offered if they looked, of 
> course.
>  
> Clients that are 2.4 only would see our SSID disappear, and need 
> reconfiguration/reattachment, accept the cert…all the usual onboarding stuff. 
>   Because of this, we’d only make this change after an extensive 
> communication period to include our support teams, campus partners, and 
> customers.
>  
> Most of our campuses IOT-kinda-stuff (which tend both to be 2.4 and need more 
> attention/configuration) are already on a separate SSID that we wouldn’t be 
> touching.  So nothing would change for them.
>  
> Questions:
>  
> 1.   Have other large campuses done this?  We have ~400 buildings and 
> ~7,300 access points.  We have upwards of 60,000 peak concurrent WiFi 
> connections, with maybe 14,000 of those in 2.4.  We don’t know how to tell 
> how many of those can ONLY do 2.4, and how many are 5Ghz capable, but just 
> aren’t for some reason.
> 2.   How did it work?
> 3.   What were the lessons learned/gotchas, either from a technical or 
> non-technical/communication perspective?
>  
> Other advice?
>  
> Best Regards,
>  
> James Seddon
> Enterprise Network Operations - Voice and Data
> Information Technology Services (ITS)
> UC San Diego
> 858-822-4040
> jsed...@ucsd.edu
>  
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found 

Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz spectrum

2020-01-29 Thread Jake Snyder
>> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 
>> 2.4GHz spectrum
>> 
>> I'm not sure everyone is really speaking the same language here.
>> 
>> If my University passed a policy that said students can't have sandwiches on 
>> campus, that would be enforceable and they could even be subject to 
>> disciplinary committee if they brought a sandwich to campus.
>> 
>> If you replace a sandwich with a Mi-Fi device, I'm not sure how that's any 
>> different.
>> 
>> That being said, we do not have such a policy - just one forbidding them 
>> from connecting their routers and such to our network. That's fine for us, 
>> and we just try to educate people - 90% of the time it works every time.
>> 
>> --
>> Hunter Fuller
>> Router Jockey
>> VBH Annex B-5
>> +1 256 824 5331
>> 
>> Office of Information Technology
>> The University of Alabama in Huntsville
>> Network Engineering
>> 
>>> On Wed, Jan 29, 2020 at 9:52 AM Jake Snyder wrote:
>>> 
>>> Unfortunately, aside from talking to the person there isn’t much you can 
>>> do.  The person in question isn’t “jamming,” they are using spectrum and 
>>> completely entitled to do so.
>>> 
>>> Simplistically, you can prevent devices the university owns from connecting 
>>> to it. Beyond that, you venture into the grey area.
>>> 
>>> Best course is to go talk to the person, educate them, and hope they are 
>>> reasonable. Realistically, you cause as much impact to them as they do to 
>>> you.
>>> 
>>> Sent from my iPhone
>>> 
>>>> On Jan 29, 2020, at 8:22 AM, Dom Colangelo wrote:
>>>> 
>>>> I came across this 2015 article on the Marriot penalty and subsequent FCC 
>>>> public notice – there’s a lot of grey area as it relates with higher 
>>>> education, and it seems many are forming their own interpretations.
>>>> 
>>>> --
>>>> Dom Colangelo
>>>> Systems Engineer
>>>> Omada Technologies
>>>> Cell: (617)-446-3945
>>>> dcolang...@omadatechnologies.com
>>>> 
>>>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Michael Holden
>>>> Sent: Wednesday, January 29, 2020 10:07 AM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 
>>>> 2.4GHz spectrum
>>>> 
>>>> Aruba gives the following warning when doing containment / deauth
>>>> 
>>>> The Federal Communications Commission ("FCC") and some third parties have 
>>>> alleged that, under certain circumstances, use of containment functionality 
>>>> violates 47 U.S.C. Section 333 and/or other FCC rules, regulations or 
>>>> policies. Before using any containment functionality, you should determine 
>>>> whether your intended use is allowed under the applicable rules, 
>>>> regulations and policies. Aruba shall not be liable for any claims, 
>>>> sanctions, or other direct, indirect, special, consequential or incidental 
>>>> damages related to your use of containment functionality.
>>>> 
>>>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Julian Y Koh
>>>> Sent: Wednesday, January 29, 2020 9:50 AM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: Re: [WIRELESS-LAN] Ex: Re: [

Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz spectrum

2020-01-29 Thread Jake Snyder
Unfortunately, aside from talking to the person there isn’t much you can do.  
The person in question isn’t “jamming,” they are using spectrum and completely 
entitled to do so.

Simplistically, you can prevent devices the university owns from connecting to 
it. Beyond that, you venture into the grey area.

Best course is to go talk to the person, educate them, and hope they are 
reasonable. Realistically, you cause as much impact to them as they do to you.

Sent from my iPhone

> On Jan 29, 2020, at 8:22 AM, Dom Colangelo  
> wrote:
> 
> 
> I came across this 2015 article on the Marriot penalty and subsequent FCC 
> public notice – there’s a lot of grey area as it relates with higher 
> education, and it seems many are forming their own interpretations.
>  
> -
> 
> Dom Colangelo
> Systems Engineer
> Omada Technologies
> Cell: (617)-446-3945
> dcolang...@omadatechnologies.com
>  
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Michael Holden
> Sent: Wednesday, January 29, 2020 10:07 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
> spectrum
>  
> Aruba gives the following warning when doing containment / deauth
>  
> The Federal Communications Commission ("FCC") and some third parties have 
> alleged that, under certain circumstances, use of containment functionality 
> violates 47 U.S.C. Section 333 and/or other FCC rules, regulations or 
> policies. Before using any containment functionality, you should determine 
> whether your intended use is allowed under the applicable rules, regulations 
> and policies. Aruba shall not be liable for any claims, sanctions, or other 
> direct, indirect, special, consequential or incidental damages related to 
> your use of containment functionality.
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Julian Y Koh
> Sent: Wednesday, January 29, 2020 9:50 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
> spectrum
>  
> On Jan 29, 2020, at 08:38, Coehoorn, Joel  wrote:
>  
> I don't know about that. The enforcement example that stands out to me is 
> Marriott was not allowed to use the fine print when you get a room to 
> prohibit hot spots, interfering or not, and they paid a hefty fine because of 
> it.
>  
> The details are a little hazy with the passage of time, but IIRC the Marriott 
> case was special because they were using the active rogue disassociation 
> features of their wireless network to intentionally knock people off of any 
> SSIDs other than the ones that they were operating.  So that goes beyond 
> simply radiating on a channel.
>  
> Corrections/clarifications welcome as always! :)
> 
> -- 
> Julian Y. Koh
> Associate Director, Telecommunications and Network Services
> Northwestern Information Technology
>  
> 2020 Ridge Avenue #331
> Evanston, IL 60208
> +1-847-467-5780
> Northwestern IT Web Site: 
> PGP Public Key: 
>  


Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Jake Snyder
Generally speaking there are 3 scenarios where you can safely use containment.

On wire rogue:  I own the network it's plugged in to.
If you can prove that the AP is plugged into your network against policy you 
can contain it, since the network they are connecting to is yours.  However, 
this is not a good use of airtime, and a wired-side containment method is much 
more effective.

Owned devices: I own the device connecting to another network.
If you own a device, and you see it connected to something that is not yours, 
you can contain it since you are interacting with a device your organization 
owns.  However, if it's a BYOD or employee/student device you are containing 
then that's likely not ok.

Pentesting: I have legal authorization from the device/network owner to contain.
You are a wireless pentester and have permissions to contain any device that is 
owned by and authorized by your customer.


I recorded my thoughts on the matter here:

https://www.youtube.com/watch?v=7e--Y-KjsEQ 



Monitor and report, but action needs to be deliberate and targeted.  Otherwise, 
you are asking for a fine from the FCC.

Jake





> On Oct 28, 2019, at 11:55 AM, Enfield, Chuck  wrote:
> 
> My main reason for worrying about people broadcasting our SSIDs is usability.
>  
> The $64 question for security is whether or not the Aruba IDS would detect a 
> well-executed evil twin attack.  If the twin uses not just your ESSID but a 
> valid BSSID from one of your APs in an area where the “spoofed” AP can’t 
> detect it, would the IDS figure it out?  If so, then there may be some value 
> in enabling automatic mitigation.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Sidharth Nandury
> Sent: Monday, October 28, 2019 12:56 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> 
> Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID
>  
> Thank you for the response. 
>  
> Thomas,
> I'm definitely going to share the FCC announcement with my management and 
> security officer to ensure that they are aware of this. That being said, we 
> are not trying to prevent anyone from using a hotspot, but like Chuck 
> mentioned are trying to protect our users from connecting to counterfeit 
> "well-known" campus SSIDs. My thought is to only add "well-known" SSIDs in 
> our list of protected networks.
>  
> Chuck,
> Airwave can be an option for alerting, but as you said, it needs manual 
> intervention. If our security officer decides to go against implementing 
> this, my next suggestion would be using Airwave for manual intervention. 
> Something else I can think of is the polling intervals duration and immediacy 
> of action. If there is a malicious individual trying to broadcast a 
> known-network, wouldn't we want to have immediate action to be taken, rather 
> than having to wait for the airwave polling interval, receive an email 
> notification, turn around and maybe have some kind of text alert to 
> immediately alert us to take action? Thoughts?
>  
> Regards,
> Sid
>  
> On Mon, Oct 28, 2019 at 12:08 PM Enfield, Chuck wrote:
> Most of the time if somebody is using one of your well-known SSID’s on campus 
> it’s either out of ignorance or benign experimentation.  Rogue mitigation of 
> those devices is unlikely to attract the attention of the FCC, and even if it 
> does, I doubt you’ll get in any trouble for it.  The FCC has cracked down on 
> property owners acting like they own the spectrum within their facilities.  I 
> suspect an effort to protect users from what may reasonably be characterized 
> as “counterfeit” networks would be viewed in a different light.  They may 
> still tell you to knock it off, but penalties seem really unlikely.
>  
> On the other hand, have you considered an Airwave alert to bring these device 
> to your attention and mitigating by manual intervention?  If your institution 
> is anything like ours you’ll see very few of these.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Thomas Carter
> Sent: Monday, October 28, 2019 11:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> 
> Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID
>  
> The short answer is don’t do this. The longer answer is the FCC frowns on 
> rogue mitigation:
> https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-75-for-disabling-conference-hotspots/
>  
> 

Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Jake Snyder
I am not an expert in RADIUS or AzureAD.  But my understanding is that you 
cannot have a machine “joined” to AzureAD.  This prevents most of the common 
deployment models like AD-integrated ISE or ClearPass where you rely on 
Kerberos and NTLM by joining the node to the domain.

The solution has been to move to a Hybrid deployment and have a local AD box 
you can integrate to.  Or just running a regular DC in Azure and integrating 
radius there.

In a perfect world, you would move to EAP-TLS to remove the need for NTLM and 
Kerberos, which need an AD-joined machine.  I believe you can do LDAP for 
attribute lookup against AzureAD.  Alas, I don’t think they have the equivalent 
of AD Certificate Services in AzureAD to get certs for all your devices.

I would love to hear if anyone is doing something that works well.


Sent from my iPhone

>> On Sep 25, 2019, at 12:43 PM, Turner, Ryan H  wrote:
> 
> I know that most times RTT between campus and cloud is low, but I just think 
> its something to be fearful of when authentication times matter.  You really 
> are going to have no data center footprint to host local services?
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Jeffrey D. Sessler
> Sent: Wednesday, September 25, 2019 2:10 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?
>  
> Curious if anyone has moved their RADIUS to authenticating against Azure AD, 
> and if so, what path did you take? There doesn’t seem to be a clear MS 
> solution other than standing up domain services for azure AD and running a 
> NPS VM, and I’ve also found a couple of RaaS (radius as a service) offering 
> such as Jumpcloud.
>  
> Would welcome feedback. We’re just about out of our datacenter for most 
> operations, and RADIUS has been one of those important but low-hanging items 
> that I’m now focused on.
>  
> Jeff
>  
> -- 
> Jeff Sessler
> Executive Director, Information Technology
> Scripps College


Re: [WIRELESS-LAN] WLC interface groups?

2019-08-28 Thread Jake Snyder
I’m a consultant and I HATE interface groups.

It’s more complexity and more things to go wrong. Not a big enough address 
block?  Re-subnet.  If the switch can’t handle the ARP entries, it can’t handle 
the ARP entries.  Rarely does it matter how many VLANs you spread them across.  
And yes, I do get the amount of effort required to re-subnet.  I wouldn't 
suggest it if I didn’t feel it was worth the effort.

Remember the android bug where they would spam dhcp requests until the 
controller marked all the interfaces dirty?  I still have nightmares.  I 
continue to see interfaces in groups marked dirty at several universities and 
causing issues.

Also, option 3:
If you have broadcast from 32k clients, you have broadcast from 32k clients.  
Doing things like interface groups moves them from VLAN to VLAN, but does 
little to reduce the overall number or OTA, which is where it is the bigger 
problem.

It also complicates things like IPv6 where due to a shared group encryption 
key, clients can hear RA from the other subnets.  This leads you down the 
“multicast to unicast conversion” solution to address, piling more complexity 
on to deal with the existing complexity.

However, I have one use case where interface groups make sense: public IP space 
where you don’t have a big enough single block.  I would prefer to keep them 
all in the same block, but this is a case where some orgs really can’t and with 
the shortage of IPv4, odds are you won’t be able to fix this without some huge 
cash outlays.

If you are going to use interface groups:
1. Keep them all the same subnet size or the small ones will fill up first and 
cause issues.
2. Keep them in 2^n sizes: 1, 2, 4, 8. It keeps the hashing easy and ends 
up with more evenly distributed usage.

Jake Snyder

Sent from my iPhone

> On Aug 28, 2019, at 3:11 PM, Mark Duling  wrote:
> 
> As James said, we use interface groups to select which set of networks to put 
> users into based on their ldap membership within the same SSID. I also 
> assumed at the time having small nets was better than larger ones as on wired 
> networks, but I know it's different on wireless controllers so maybe thinking 
> can be very different on that. But I'm not aware of a real argument against 
> using interface groups.
> 
> We don't use public ip addresses, so running out of them isn't an issue for 
> us. But there is the DHCP option in newer servers "one-lease-per-client" that 
> allows a "single lease per client on a per member basis". I've never used it 
> so I have no idea how well it works, but theoretically I guess that option 
> might solve exhaustion issues when clients move between networks. But again, 
> no experience with it but maybe others have  and can comment. 
> 
> Mark
> 
> 
>> On Wed, Aug 28, 2019 at 1:16 PM James Helzerman  wrote:
>> Hi.  On our main SSID we use Interface Groups so we can return an interface 
>> variable back via RADIUS that can be the same in each of our data nodes that 
>> has controllers.  This way VLAN numbers don't need to be the same, and in the 
>> case you mentioned, if we ever need to add IP space for a quick short term it's 
>> easy to add to the group.  We rely on the WLC to control the broadcasts and 
>> don't see any issues from it.  We don't do DHCP proxy on the controllers.  For 
>> our main SSID we currently have two /18s running at each of our three data 
>> nodes (different routers).  The biggest thing we have had to watch out and 
>> plan for was the routers' resources in terms of ARP cache and timeout values.
>> 
>> We use Interface Groups on almost all our SSIDs by design.
>> 
>> -Jimmy
>> 
>> -- 
>> James Helzerman
>> Wireless Network Engineer
>> University of Michigan - ITS
>> Phone: 734-615-9541
>> 
>> 
>>> On Wed, Aug 28, 2019 at 3:56 PM Glinsky, Eric  wrote:
>>> This question is for large universities with WLCs that tunnel traffic 
>>> through a controller. Do you use a single interface (VLAN) for, say, 30k 
>>> clients, or do you use two or more interfaces in an interface group, and 
>>> why? Do you use DHCP proxy? Is there any documentation or 
>>> generally-accepted rules of thumb on this?
>>> 
>>>  
>>> 
>>> Historically, on all three Cisco 8540 pairs, we had a core interface and an 
>>> interface for res halls, and depending on the AP’s location (6k APs) our 
>>> branded SSID would map clients to one interface or the other.
>>> 
>>>  
>>> 
>>> All our wireless clients have public IPs, and we’ve faced issues running 
>>> out. Throughout the day, we’d see the majority of clients move from the res 
>>> hall network to the core network, and vice versa at night. At on

Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Jake Snyder
I’m curious about the requirement that controllers be “cloud based” and what 
business requirement that maps to.

Trying to understand what a cloud based controller gives your business that an 
on-premises controller does not, and how that translates to better experience, 
happier students or faster connectivity. 

Sent from my iPhone

> On May 17, 2018, at 12:13 PM, Norton, Thomas (Network Operations) 
>  wrote:
> 
> I  highly recommend looking at Aruba as well.
>  
> T.J. Norton
> Wireless Network Architect
> Network Operations 
> 
> Office: (434) 592-6552 
>  
> 
> 
> Liberty University  |  Training Champions for Christ since 1971
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trenton Hurt
> Sent: Thursday, May 17, 2018 2:11 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wireless Options
>  
> https://www.mist.com/
>  
> On Thu, May 17, 2018 at 2:10 PM John Rodkey  wrote:
> Our college - about 40 buildings, 1200 students, 3500 wireless clients per 
> day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing a 
> number that are 9 years old and no longer supported.
>  
> We could replace with the latest model of our existing vendor, but want to 
> consider all the feasible alternatives.  We have a hard requirement that the 
> controller be cloud-based, the system deal well with Mac clients, understand 
> VLANs and an enterprise quality network, and have a rich set of 
> configuration, logging, monitoring, and troubleshooting tools for dealing 
> both with clients and access points. Responsive support is also required, and 
> unsurprisingly  total system cost is a significant issue.
>  
> 3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.
>  
> Questions:
>  1) do other vendors come to mind that play well in this space?
>  2) what are your positive experiences with any of the above?
>  3) what are your negative experiences?
>  4) have you recently gone through this analysis, and if so, what were your 
> conclusions?
>  5) what issues have you experienced with PoE capacity requirements with 
> these devices?
>  
> John Rodkey
> Director of Servers and Networks
> Westmont College
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] More client weirdness

2018-04-11 Thread Jake Snyder
Just saw a customer having issues with 702w and Mac clients.  Hard to 
reproduce.  Curious if there are active tickets open or if there is a bug ID in 
progress.

Sent from my iPhone

> On Apr 11, 2018, at 10:06 AM, Gray, Sean  wrote:
> 
> I think I would go down that path if it impacted more clients. The fact that 
> we are only hearing of this occurring on a very, very small number of clients 
> and only when they connect to a 702w AP on an 802.1x WLAN makes me unsure if 
> this is a code or client problem.
>  
>  
>  
> Sean Gray | B.Sc (Hons)
> Voice, Collaboration & Wireless Network Analyst
> ITS, University of Lethbridge
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: April-11-18 6:25 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] More client weirdness
>  
> Any thoughts of rolling back to older code, rather than living with the issue?
>  
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  On Behalf Of Tristan Gulyas
> Sent: Wednesday, April 11, 2018 12:38 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] More client weirdness
>  
> Hi all,
>  
> We have two TAC cases, one for the Dell 1535 and the other for the general 
> poor connectivity issues.
>  
> We rebooted one AP yesterday and the customer tells us that their 
> connectivity improved.  In another instance, we rebooted an AP and the 
> situation did not improve (in fact, we replaced it - still to no avail).
>  
> We have over 1800 of these deployed so the impact is widespread.  All in 
> local mode.
>  
> I would be very keen to hear if anyone else would be willing to share TAC 
> case details for any tickets logged to Cisco for this issue.
>  
> Cheers,
> Tristan
> -- 
> TRISTAN GULYAS
> Senior Network Engineer
>  
> Technology Services, eSolutions
> Monash University
> 738 Blackburn Road
> Clayton 3168
> Australia
>  
> T: +61 3 9902 9092  
> M: +61 (0)403 224 484
> E: tristan.gul...@monash.edu
> monash.edu
>  
> 
> On 11 Apr 2018, at 9:57 am, Jason Cook  wrote:
>  
> Ours are also local mode.
>  
> Replication could be challenging, we have 27x 702w’s  currently but I’ve only 
> come across 1 confirmed repeat offender. Though some of those are in student 
> accommodation, so I suspect a few of the complaints there could be related. 
> However getting details to troubleshoot are somewhat more challenging there.
>  
> Anyone worked with TAC or had a bug outside of what Stephen mentioned? I 
> don’t recall seeing those logs when looking at this one. Haven’t been in 
> contact with TAC due to low use/impact vs other work.  
>  
> --
> Jason Cook
> Information Technology and Digital Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>  
> CRICOS Provider Number 00123M
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  On Behalf Of Mike Atkins
> Sent: Wednesday, 11 April 2018 1:09 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] More client weirdness
>  
> I see thanks. I do not think I’ll have time but if I can I’ll setup a 702W 
> and see if I can repeat.  If I can I’ll try to do an over the air capture.
>  
>  
>  
>  
>  
> Mike Atkins
> Network Engineer
> Office of Information Technology
> University of Notre Dame
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gray, Sean
> Sent: Tuesday, April 10, 2018 11:20 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] More client weirdness
>  
> Nope, all of our 702w are in local mode.
>  
>  
> Sean Gray | B.Sc (Hons)
> Voice, Collaboration & Wireless Network Analyst
> ITS, University of Lethbridge
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> 

Re: [WIRELESS-LAN] Measuring RADIUS Performance

2018-03-15 Thread Jake Snyder
I would find 2+ seconds to authenticate as horribly unacceptable.

The fact that Mac auth is so much lower begs the question if there is something 
that is not keeping up (Like the AD environment).  Might be worth checking the 
MaxConcurrentAPI settings on the domain, if doing certificates, make sure the 
OCSP or CRL server is responding quickly.

2 seconds will have impacts on association, roaming, etc.



Sent from my iPhone

> On Mar 15, 2018, at 9:44 AM, Adam Forsyth  wrote:
> 
> How do you measure the performance of your RADIUS server? How fast is fast 
> enough? How slow is unacceptable?
> 
> We have Aruba Airwave, and its Clarity module provides me a way to measure 
> the amount of time that RADIUS Authentication takes.  For our RADIUS MAC 
> SSIDs it says it takes 63ms, and for our 802.1x SSID it says 2392ms.  The 
> settings Airwave comes with by default are that <500ms is marked green 
> meaning good, 500 -- 1000ms is marked yellow meaning warning and >1000ms is 
> marked red meaning poor.
> 
> Of course faster is always better, but I wondered if others have opinions on 
> whether Airwave's ranges are reasonable, or whether they have unrealistic 
> expectations.  If they're reasonable, then I probably need to figure out how 
> to speed up our 802.1x RADIUS performance.
> 
> -- 
> Adam Forsyth
> Director of Network and Systems
> Luther College Information Technology Services
> 700 College Drive
> Decorah, IA 52101
> 563-387-1402
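An added example (not from the thread) of measuring what Adam asks about: a Python probe that times PAP Access-Request/Access-Accept round trips, verifies each reply's Response Authenticator before counting it, and grades the p95 against the Airwave thresholds quoted above. The in-process responder, the shared secret and the user names are constructed stand-ins, not any real server or credential.

```python
import hashlib
import hmac
import os
import socket
import struct
import threading
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2, 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    size = max(16, ((len(password) + 15) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, password, secret, request_auth):
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, ident, request_auth, secret):
    """Code of a reply that matches our Identifier and whose Response Authenticator
    verifies under the shared secret; None for anything stale, forged or truncated."""
    if len(packet) < 20:
        return None
    code, pkt_ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or pkt_ident != ident:
        return None
    expected = build_response(code, ident, request_auth, secret, packet[20:])[4:20]
    return code if hmac.compare_digest(expected, packet[4:20]) else None

def classify_ms(ms):
    return "green" if ms < 500 else "yellow" if ms <= 1000 else "red"  # Airwave defaults from the thread

def probe(server, secret, username, password, samples=10, timeout=3.0):
    """Time `samples` PAP authentications against server=(host, port); stats are in ms."""
    latencies, failures = [], 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i in range(samples):
            ident, request_auth = i & 0xFF, os.urandom(16)
            pkt = build_access_request(ident, username, password, secret, request_auth)
            started = time.perf_counter()
            sock.sendto(pkt, server)
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                failures += 1
                continue
            if verify_response(reply, ident, request_auth, secret) is None:
                failures += 1  # a stale, forged or corrupt reply is not a data point
            else:
                latencies.append((time.perf_counter() - started) * 1000)
    ordered = sorted(latencies)
    p95 = ordered[round(0.95 * (len(ordered) - 1))] if ordered else None
    return {"samples": len(ordered), "failures": failures,
            "median_ms": ordered[len(ordered) // 2] if ordered else None,
            "p95_ms": p95, "status": classify_ms(p95) if ordered else "red"}

def start_local_responder(secret, delay_s=0.0):
    """Constructed stand-in for a RADIUS server (no real authentication) so the probe runs offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.1)
    stop = threading.Event()
    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if len(data) >= 20 and data[0] == ACCESS_REQUEST:
                time.sleep(delay_s)  # stands in for a slow backend (DC, OCSP/CRL responder)
                sock.sendto(build_response(ACCESS_ACCEPT, data[1], data[4:20], secret), peer)
        sock.close()
    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname(), stop

def run_local_demo(samples=10, delay_s=0.0):
    """Probe the in-process responder; delay_s stands in for a backend that is not keeping up."""
    secret = b"constructed-shared-secret"  # constructed value, not a real secret
    address, stop = start_local_responder(secret, delay_s)
    result = probe(address, secret, "probe-user", "probe-pass", samples)
    stop.set()
    return result
```

A PAP probe measures the RADIUS server plus whatever backend it consults for a plain password check; it does not reproduce the extra EAP round trips of an 802.1X exchange, so read it as a floor under a figure like the 2392 ms above rather than a replica of it.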



Re: [WIRELESS-LAN] devices not connecting to open network

2018-01-16 Thread Jake Snyder
I would say data rates are one hurdle, wireless security methodology another.  
Gaming devices have notoriously poor support for WPA2 Enterprise, and 
consequently there usually has to be either a PSK or open network strategy.

Vendors that support per-WLAN data rates can be of help here, mitigating *some* 
of the downfalls of enabling lower rates across the board.

Sent from my iPhone

> On Jan 16, 2018, at 10:49 AM, Rob Harris  wrote:
> 
> Yes, these types of devices tend to be more sensitive to any networks that 
> aren't your standard out of the box, home router config.
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Tuesday, January 16, 2018 12:21 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] devices not connecting to open network
> 
> Do you all- regardless of vendor affinity- generally feel that game console 
> success is a matter of supported data rates (where network design and 
> coverage are sound)?
> 
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200) Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu SYRACUSE 
> UNIVERSITY syr.edu
> 
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Richard Nedwich
> Sent: Tuesday, January 16, 2018 12:06 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] devices not connecting to open network
> 
> Hi Bruce,
> 
> I am glad to hear your reshall network is working well.  Note: Aruba's 
> residence hall VRD also recommends using an AP with integrated four-port, 
> managed Ethernet switch to connect wired devices, such as an Ethernet-enabled 
> HDTV, gaming device, VoIP phone, or any wired device.  I do believe most 
> enterprise WLAN vendors will agree on this.  But to answer your question, we 
> have many happy Ruckus customers using ceiling or wall mounted APs, rather 
> than wall-plate AP in the residence halls, too.  I guess in my view, it's an 
> option which some use and others choose not to use based on their particular 
> design preference or the specific set of needs.
> 
> Hopefully having another tool in the tool belt is a good thing :)
> 
> Best,
> Rich
> 


Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-19 Thread Jake Snyder
You have more faith in the WFA than I.  I’m sure our next houses will be Wi-Fi 
certified Krack-Free.

Sent from my iPhone

> On Oct 19, 2017, at 5:13 AM, Osborne, Bruce W (Network Operations) 
>  wrote:
> 
> The specification, like many, was vague in implementation details and 
> practically all vendors chose a poor, insecure design.  The only flaw in WPA2 
> was vagueness in the specification. I understand the Wi-Fi Alliance is 
> working on remedying that as well as specifically testing for KRACK in its 
> certification testing.
>  
> Since many implementations were likely based off the chipmakers reference 
> designs, this is not very surprising.
>  
>  
> 
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  (434) 592-4229
> 
> LIBERTY UNIVERSITY
> 
> Training Champions for Christ since 1971
> 
>  
> From: Marcelo Maraboli [mailto:marcelo.marab...@uc.cl] 
> Sent: Wednesday, October 18, 2017 11:56 AM
> Subject: Re: Big flaw in WPA2
>  
> If it were a Design Flaw, no patch could fix it; we would need to upgrade to 
> WPA3 or something.
> 
> The fact that there is a patch going on means that either every implementation 
> is wrong (not likely) or the specification (how to code the Design) did not 
> address boundaries or restrictions that should/must be cared for.
> 
> or am I wrong ?
> 
> 
> regards,
> 
> On 10/16/17 4:32 PM, Hector J Rios wrote:
> The short answer is Yes.
>  
> Hector Rios
> Louisiana State University
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
> Sent: Monday, October 16, 2017 1:58 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>  
> If this is a flaw in the design of the WPA2 protocol isn’t the fix going to 
> need to be made on both sides of the communication link?  Access points will 
> all need to be updated but also all client wifi drivers are going to need to 
> be updated on all wifi enabled devices that support WPA2, right?
>  
> Mike Cunningham
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
> Sent: Monday, October 16, 2017 10:40 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>  
> From Cisco:
> 
>  
> 
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
> 
>  
> 
>  
> 
> / Stephen Belcher
> Assistant Director of Network Operations 
> WVU Information Technology Services
> One Waterfront Place / PO Box 6500
> Morgantown, WV  26506
>  
> (304) 293-8440 office 
> (681) 214-3389 mobile 
> steve.belc...@mail.wvu.edu
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of Richard Nedwich 
> 
> Sent: Monday, October 16, 2017 10:34:43 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>  
> Ruckus is providing a response today.
> 
>  
> -- 
> Marcelo Maraboli Rosselott
> Subdirector de Redes y Seguridad
> Dirección de Informática
> Pontificia Universidad Católica de Chile
> http://informatica.uc.cl/
> --
> Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
> Santiago, Chile
> Teléfono: (56) 22354 1341

Re: [WIRELESS-LAN] Portable Power for Mesh APs

2017-10-08 Thread Jake Snyder
I’ve been doing a lot of APoaS surveys with the Revolt G2. 
http://www.portableuniversalpower.com/revolt-g2/

I have another engineer using the RavPower:
https://www.ravpower.com/ravpower-23000mah-portable-charger-external-battery-charger.html

We use these with a 12V PoE+ injector from Tycon.  If your AP takes 12V 
directly, it may not be needed.

With the Revolt G2 I’m good for a full day with an 802.3at powered AP.  Higher 
powered APs may give you less.

Sent from my iPhone

> On Oct 8, 2017, at 10:52 AM, Chris Adams (IT)  wrote:
> 
> It looks like this is for temporary use, but what kind of runtimes are you 
> getting from this unit with a WAP attached?
>  
>  
> Thanks,
>  
> Chris Adams
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James Helzerman
> Sent: Saturday, October 7, 2017 10:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Portable Power for Mesh APs
>  
> Either or.  Looking to see if anyone else has done this type of thing.  I was 
> trying to find alternatives that are either cheaper or have a multi-purpose 
> ability so it's not a one time use.
>  
> We use this for site surveys but is about $250 each and is only useful for 
> PoE.  It works very well and is nice to have the ethernet port pass through, 
> unfortunately surveys or temp installations are its only useful purpose for 
> me.  For the temp event I would need 10-15 units.
>  
> https://www.bhphotovideo.com/c/product/1220949-REG/veracity_vad_psp_pointsource_plus_battery_powered.html
>  
> -Jimmy
>  
> On Sat, Oct 7, 2017 at 9:59 PM, GT Hill  wrote:
> Are you looking for a complete solution or a less expensive DIY? 
>  
> GT
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of James Helzerman 
> 
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> 
> Date: Saturday, October 7, 2017 at 8:20 PM
> To: 
> Subject: [WIRELESS-LAN] Portable Power for Mesh APs
>  
> Hi.  Is anyone using portable power for temporary Mesh APs?  If so what model 
> device are you using?  I.e. portable jump starter with AC outlets, portable 
> battery pack with 802.3at power, etc.
>  
> We have an event coming up and are looking at different ways to provide power 
> to access points for 6 hours that will connect via Mesh.  Some locations will 
> have multiple access points so a single power source that has multiple 
> outlets / connections would be ideal.
>  
> Thanks,
>  
> -Jimmy
>  
> --
> James Helzerman
> Wireless Network Engineer
> University of Michigan - ITS
> Phone: 734-615-9541
> 
> 
>  
> --
> James Helzerman
> Wireless Network Engineer
> University of Michigan - ITS
> Phone: 734-615-9541



Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

2017-09-27 Thread Jake Snyder
For CWA, you need to put the MAC address into a guest endpoint group.

Then, if the endpoint is in guest endpoint group, just put them on instead of 
the portal.

Way easier than LWA + sleeping client.

Sent from my iPhone

> On Sep 27, 2017, at 6:50 AM, Yahya M. Jaber  wrote:
> 
> Hi,
> 
> Thanks for that.
> 
> I do use CWA with ISE.
> The issue is not with the ISE, it's with the WLC that by nature has the idle 
> timeout for 5 minutes. Then the client would have to re-auth as it's no longer 
> on the WLC client list.
> 
> For idle timeout...I am trying to find a sane value that would at least give 
> me good reports when needed...but I think I'll go with LWA+AUP and sleeping 
> client.
> 
> Yahya Jaber.
> Sr. Wireless Engineer
> IT Network & Communications – Engineering
> Building 14, Level 3, Rm 308-WS07
> KAUST 23955-6900 Thuwal, KSA
> 
> Email yahya.ja...@kaust.edu.sa
> Office +966 (0) 12 8081237
> Mobile +966 (0) 558697555
> On Call Rotation Mobile: +966 54 470 1177
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joachim Tingvold
> Sent: Wednesday, September 27, 2017 3:44 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event
> 
>> On 27 Sep 2017, at 14:17, Yahya M. Jaber wrote:
>> - Would give up my guest SSID through ISE. As still there is no
>> feature to increase the idle timeout on the WLC “like the sleeping
>> client” which will stop users from complaining about the constant
>> login once they go idle “”especially iPhone that turns off WiFi after
>> sometime when its on the lock screen!!””…I know that I can increase
>> the idle timeout, but that would prevent getting real client count
>> from the WLC and PI and might affect the client WLC DB.
>> - Would use simple AUP guest SSID with sleeping client timer of 1-4
>> days.
> 
> Hi,
> 
> You should look into CWA (Central Web Authentication), if that’s not already 
> what you’re looking into. Then you can use MAC-caching, where you can set the 
> time for how long they should be allowed into the network before needing to 
> re-enter the username/password. Hence, you can set the idle-timeout to a more 
> sane value. CWA works with most RADIUS servers (i.e. you don’t specifically 
> need ISE).
> 
> --
> Joachim
> 


Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jake Snyder
Jeff,
Take in context that GT works for a company that builds a tool to quantify 
wireless problems based on in-depth packet analysis.  So when he says he sees 
35% improvement, there’s a lot of data that goes into it.

Sent from my iPhone

> On Sep 26, 2017, at 12:41 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> “After a switch to 20 MHz only, there was a 35% improvement in end-user Wi-Fi 
> experience.”
>  
> I would argue that this is a meaningless statement without context, and 
> probably a bad question to ask a user in the first place. What does the user 
> think “experience” means i.e. the ability to connect or how well their 
> speedtest performs? It’s not specific enough to draw a conclusion.
>  
> For example:
> If 1/3 of my users had a device that could not associate because of how the 
> primary channel was selected in a 40 or 80 MHz wide deployment, then those 
> people would not be happy. If I then change to 20 MHz only, allowing those 
> users with the problematic device to connect, there will obviously be a 
> significant improvement in those users’ WiFi experience. The other users may 
> still be happy because they can still connect.
> If my buildings are open-concept (no walls/doors), and I have 24 APs on a 
> 1000 sq/ft floor plan, and statically set to 80 MHz channels, then the 
> end-user WiFi experience is going to be really poor. If I then switch all 
> those APs to 20 MHz only, of course it’s going to be a huge improvement. 
> Clearly, it was a poor design, and less about the channel width and more 
> about the person who thought they knew better.
>  
> Of course, if the survey questions were more specific, and had questions 
> like, “Do you consistently receive the highest 4K stream rate from NetFlix”, 
> the satisfaction for this question may trend down.
>  
> Jeff
>  
>  
>  
> From: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of GT Hill <g...@gthill.com>
> Reply-To: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Tuesday, September 26, 2017 at 8:47 AM
> To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Two RF Questions
>  
> I know that this is just one example, but I was at a large university site 
> (Cisco Wi-Fi) that was running 20/40 channelization. After a switch to 20 MHz 
> only, there was a 35% improvement in end-user Wi-Fi experience. 
>  
> Jake – One feature that I think many people agree is missing in FRA is the 
> ability to dynamically turn off a radio. In some cases an extra radio in 
> either band hurts more than it helps. 
>  
> And to just stir the pot a bit, I wish there were SMALLER than 20 MHz 
> channelization. In many high density environments 20 MHz is just too big. 
> Give me some more radios at smaller channel sizes and I’ll show you a 
> spectacular Wi-Fi network. :-) 
>  
> GT
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jake Snyder 
> <jsnyde...@gmail.com>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Tuesday, September 26, 2017 at 9:39 AM
> To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Two RF Questions
>  
> My challenge, as I’ve stated on this list before, is that Mac OS X 
> prefers width in its AP selection criteria.  So while you may get more 
> capacity, in a large Mac environment you lose most of that with Macs hanging 
> onto APs longer and having to rate-shift down to slower PHY speeds due to 
> that AP having a wider channel than its neighbors. Yes, it’s dumb.  But he’s 
> the driver of that lambo.
>  
> Also, couple that with increasing the noise floor by 3 dB every time you 
> double the channel width and there are many cases where your lambo just spins 
> its tires.  All that power and you can’t hook it up.
>  
> Remember that spectrum is our constraining resource.
>  
> Figure out what width of channel you can run in a building, and run that.  
> That’s the best use of spectrum and sure to give you the most smiles/hour on 
> your lambo.
>  
> I really like what Cisco did with FRA.  Give me the ability to see what it 
> thinks the overlap is.  I would LOVE to see the same with DBS, and give me 
> what width it thinks all the APs in the building can pull off.
>  
> Sent from my iPhone
> 
> On Sep 26, 2017, at 8:19 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> It’s surprising to me that anyone would purchase a Lamborghini, then 
> disc

Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jake Snyder
My challenge, as I’ve stated on this list before, is that Mac OS X prefers 
width in its AP selection criteria.  So while you may get more capacity, in a 
large Mac environment you lose most of that with Macs hanging onto APs longer 
and having to rate-shift down to slower PHY speeds due to that AP having a 
wider channel than its neighbors. Yes, it’s dumb.  But he’s the driver of that 
lambo.

Also, couple that with increasing the noise floor by 3 dB every time you double 
the channel width and there are many cases where your lambo just spins its 
tires.  All that power and you can’t hook it up.

Remember that spectrum is our constraining resource.

Figure out what width of channel you can run in a building, and run that.  
That’s the best use of spectrum and sure to give you the most smiles/hour on 
your lambo.

I really like what Cisco did with FRA.  Give me the ability to see what it 
thinks the overlap is.  I would LOVE to see the same with DBS, and give me what 
width it thinks all the APs in the building can pull off.

Sent from my iPhone

> On Sep 26, 2017, at 8:19 AM, Jeffrey D. Sessler  
> wrote:
> 
> It’s surprising to me that anyone would purchase a Lamborghini, then 
> disconnect ten of the twelve cylinders and drive it at 25 mph on the autobahn.
>  
> When I see static 20 MHz channels, or using 40 MHz in only limited areas, I 
> wonder what’s behind the purposeful neutering of the system. If you are a 
> Cisco customer running 8.1 or above, and not using DBS (Dynamic Bandwidth 
> Selection), then it’s the equivalent of the Lamborghini above running on only 
> two cylinders.
>  
> Don’t miss out on the significant advancements in bandwidth management. Free 
> those resources spent doing point-in-time simulation and surveys for 
> something the software doesn’t already do far better at. I promise, DBS won’t 
> hurt a bit and your users will thank you a hundred times over.
>  
> Jeff
>  
>  
> From: "wireless-lan@listserv.educause.edu" 
>  on behalf of "Street, Chad A" 
> 
> Reply-To: "wireless-lan@listserv.educause.edu" 
> 
> Date: Tuesday, September 26, 2017 at 6:59 AM
> To: "wireless-lan@listserv.educause.edu" 
> Subject: Re: [WIRELESS-LAN] Two RF Questions
>  
> What is your reasoning behind not wanting 40 megahertz channels if you have 
> plenty of overhead with your channel utilization?  People saying you should 
> or should not do something without gathering any type of metric worry me.
>  
> On Sep 25, 2017 3:28 PM, Chuck Enfield  wrote:
> 1.  Enable it in places to check for radar events.  If you get few, then 
> yes.  Client devices are almost fully capable now.  Hidden SSIDs are the 
> only issue.  Some clients don’t probe on DFS channels, and will only respond 
> to beacons.  Make sure 2.4 is usable for the small number of incompatible 
> devices.
> 
> 2.  No.  Don’t even consider 40MHz unless you’re using almost all the DFS 
> channels, but even then you’ll probably have to disable it in some high 
> density areas.
> 
>  
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Blahut
> Sent: Monday, September 25, 2017 3:17 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Two RF Questions
> 
>  
> 
> Greetings,
> 
> I have two hopefully simple RF related questions:
> 
> 1.  Should I enable the extended UNII-2 channels campus wide?
> 
> 2.  Should I enable 40 MHz channel width campus wide?
> 
> In other words, what are you doing on your campus and what is the "best 
> practice"?
> 
>  
> 
> Our wireless infrastructure:
> 
>  
> 
> 3 Cisco 5508s running 8.2.141.0
> 
>  
> 
> 20 - 3800 APs
> 
> 368 - 3700 APs
> 
> 414 - 3600 APs
> 
> 8 - 3500 APs
> 
> 7 - 1810 APs
> 
> 32 - 1142 APs
> 
>  
> 
> Prime 3.1.0
> 
>  
> 
> Thanks for your input.
> 
> David
> 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
> 

Re: [WIRELESS-LAN] Aruba OS 6.5.X

2017-09-23 Thread Jake Snyder
We had some issues with the controllers crashing on 6.5.2.1. 6.5.3.2 has been 
solid for the same client.  

Sent from my iPhone

> On Sep 22, 2017, at 1:55 PM, Brian L. Cox  wrote:
> 
> For whatever it is worth, we are going to go from 6.5.2.0 to 6.5.3.2 
> conservative release per TAC recommendation
>  
> Brian
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
> Sent: Friday, September 22, 2017 2:06 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba OS 6.5.X
>  
> I stand corrected… we are experiencing - Reboot Cause: Datapath timeout (SOS 
> Assert) (Intent:cause:register 54:86:50:2)  associated with bug ID: 168710
>  
> Cause:  “contents in datapath is not freed. New streams are not allocated 
> with resources to categorize. Due to this duplicate session deletes were not 
> happening and hence the controller was crashing.”
>  
>  
> This appears to happen when the controllers reach over 9k users.
>  
> We have been experiencing AP103H reboots since 6.4.4.x code base as well as 
> increased number of radar events.  These were supposed to be fixed moving to 
> 6.5.4x code.
>  
> We have over 4600 APs on Campus (105, 215, 225, 315, 103H, 205H)
>  
> M
>  
>  
>  
> On Sep 22, 2017, at 12:21 PM, Colin Randall  wrote:
>  
> We’re running 6.5.2.1 as well, without any issues.  That said, we’re running 
> mostly AP-225’s and a few AP-335’s, and not running the DFS frequencies at 
> all.
> -Colin
> 
> Colin Randall
> Network Manager
> Colorado School of Mines
> 303-384-2208
>  
> On Sep 22, 2017, at 9:18 AM, Amel Caldwell  wrote:
> 
> 
> Did they say what the release will be?  Will it be 6.5.2.1 or are they going 
> to expect you to jump to 6.5.3 or 6.5.4?  We often request fixes to be put in 
> older versions to minimize risk of going to a whole other train of code.
>  
> I am curious because I was told 6.5.2 had been “parked”.
>  
> Amel Caldwell
> University of Washington UW-IT
> Wi-Fi Network Engineer
> Wi-Fi Service Manager
>  
> am...@uw.edu
> 206-543-2915
>  
> Ask me about open Network Engineer positions on the wireless team.
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of "Bucklaew, Jerry" 
> 
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> 
> Date: Friday, September 22, 2017 at 5:46 AM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: Re: [WIRELESS-LAN] Aruba OS 6.5.X
>  
>  
> We have been on 6.5.2.1 for a couple months now with no “major issues”. We 
> have the 3xx DFS bug and we do see a ton of radar hits.
>  
> Waiting for the fix release that is due out in another week or two.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Amel Caldwell
> Sent: Thursday, September 21, 2017 5:15 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Aruba OS 6.5.X
>  
> Hi y’all—
>  
> We have depleted our supply of AP 215s and are wanting to begin installing AP 
> 315s on our campus and have been having a hard time finding stable 6.5.X 
> code.  Our school starts next week, and we just had a failed attempt at 
> rolling out 6.5.1.8 because we saw dozens of radar detected events right 
> after upgrading.  This was the fourth version of 6.5.1.x we have tried to put 
> on this particular set of controllers and each has brought a new set of 
> issues: STM crashes causing APs to lose contact with the controller; AMON not 
> sending firewall session data; radar detection events; LACP and VRRP problems, 
> to name a few.
>  
> Since most of you have been back in session for a month or so, I thought I 
> would ask to see what code version you have, issues you may have experienced, 
> and any war stories you might want to share.  It would also be interesting to 
> know what types of APs and controllers, and a brief description of your 
> environment.
>  
> Thanks
>  
> Amel Caldwell

Re: [WIRELESS-LAN] Cisco Code Version

2017-08-02 Thread Jake Snyder
One of the things as a partner I try to educate customers on is “who is 
recommending what, and why.”

My experience has been that the BU is trying to drive feature adoption, sell 
APs and controllers.  That’s why they exist, so don’t fault them for it.  They 
tend to recommend new APs, new versions of code and new features.  Why?  
Because they are in the business of selling.

TAC is all about which code’s defects are going to generate the fewest 
tickets, and hopefully that means more stability.

As a partner I try to ride the line.  I tend to determine a customer’s appetite 
for risk, longevity, their market and their staff capability. This puts them 
into 3 buckets: proven technology only, moderate, and bleeding edge.  I’m 
accountable if I recommend something and it doesn’t work well, so I tend to be 
more conservative.  Bleeding edge gets you further in a lifecycle of equipment, 
but you better be prepared to deal with some bugs in the short term.

And I sit down and talk with them about why I feel they should be buying and 
operating in the bucket that makes sense for them.  Ultimately they make the 
buying decision.  Sometimes things bite me, it happens.  But it happens less 
and less over time.

For those of you who are feeling the pain, somehow you are listening to the 
wrong folks, buying outside the bucket that fits your org, or the person 
helping you with that decision is looking at things in a way that doesn’t align 
with your business.

Having the relationship with the BU is important.  Knowing how to work with TAC 
and having a trusted partner are also important.  And ultimately you, the 
customer, get to make that decision on where and how you go.

Sent from my iPhone

> On Aug 2, 2017, at 8:54 AM, Jeffrey D. Sessler  
> wrote:
> 
> Lee,
>  
> I can only speak to my experience, and in the case of the x800 series, we 
> were a first-customer-ship and had them in production in Aug 2016. I ran into 
> a few bugs, mostly stuck radios, but with direct engagement with the BU, I 
> was getting code fixes (or viable workarounds) within hours. I was also 
> having weekly meetings with the BU engineering team, and my local SE and SE 
> manager were on top of it. I have a similar relationship with the PI team, 
> although PI has been solid for me for a long time, and I use the channel 
> mostly for enhancement requests.
>  
> For the size of your deployment, I’d pursue the same direct relationship with 
> the BU. As customers, we can either say to Cisco, “Hey, you have mind reading 
> skills so figure it out” or, we can engage directly in an attempt to make the 
> product better. I choose the latter since I know how complex these systems are 
> and I’d rather do my part to improve the product.
>  
> On the feature side, I divide items into “essentials” and “fluff”, and I put 
> AVC in the “fluff” category. Yes, it’s nice to have, but I can get this 
> information from other sources and it’s not necessary to provide the base 
> service i.e. I leave the controllers dedicated to the essentials. I suspect a 
> lot of customers do the same, so there isn’t the same amount of 
> testing/feedback on that feature – thanks for the 400 hours dedicated to 
> fixing it. Additionally, on the development bug-resolution front, if I was 
> Cisco, I’d prioritize fixing the essentials over the fluff. On the positive 
> side, with the AVC off-load features in the new WAPs, controllers should do 
> much better with AVC moving forward.
>  
> Someday I’d love to compare notes. Somehow, we seem to be dating the same 
> girl, yet she’s totally different when she’s with me vs when she’s with you. 
> Maybe a nice box of chocolates is in order? LOL ;-)
>  
> Jeff
>  
>  
>  
> From: "wireless-lan@listserv.educause.edu" 
>  on behalf of "lhbad...@syr.edu" 
> 
> Reply-To: "wireless-lan@listserv.educause.edu" 
> 
> Date: Wednesday, August 2, 2017 at 6:04 AM
> To: "wireless-lan@listserv.educause.edu" 
> Subject: Re: [WIRELESS-LAN] Cisco Code Version
>  
> I value what Jeff is doing with Beta, but also have to agree with James. 
> Universities might be different, but we’re not THAT different that 
> controllers and APs should crumble after all these years and generations of 
> vendor offerings. I find code updates can be problematic, too many APs dump 
> back to factory defaults, etc. And we’ve been particularly burned by:
>  
> 8510s did not live up to spec when running AVC
> 8540s gave great results with AVC, to a certain code version, then it failed 
> hard. 400+ TAC/engineering hours (and at least three “now try THIS code” go 
> rounds) later, we stopped using AVC.  Couldn’t go back to the code that used 
> to work because it didn’t support the APs we were now using.
> Too many TAC cases drag on far too long for both PI and WLC
> The assumption is that you will 

Re: [WIRELESS-LAN] Cisco FRA APs

2017-07-31 Thread Jake Snyder
Nope, that’s expected. However, some clients handle it better than others.  
With modern Intel NICs, the user will likely not notice. Apple Macs are notoriously 
slower on rolling with it.  Mac users will likely drop 2-4 pings on any DCA 
event on the AP they are connected to.

I’m gearing up to test 10.3 Beta to see if this still holds true.

Sent from my iPhone

> On Jul 28, 2017, at 12:28 PM, Legge, Jeffry <jgle...@radford.edu> wrote:
> 
> I used to use BEST but found that many users were getting kicked when it 
> changed width. Am I doing something wrong?
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Thursday, July 27, 2017 8:24 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Cisco FRA APs
>  
> If you’re not using best you are leaving bandwidth in the air (so to speak). 
> The code will auto determine best width based on the clients it sees in the 
> surrounding areas (the white paper covers this), so if they are all AC (and 
> depending on other factors), the WAPs will run at 80. Not AC or a mix, there 
> is a decision algorithm used to decide width all the way down to 20.
>  
> My new residential hall is about 120 beds and 110 WAPs – very dense. Nearly 
> all of them are 80-wide when running in best. The propagation of 5GHz is 
> poor, so it doesn’t take a lot of distance to allow reuse of channels.
>  
> Jeff
>  
> From: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jake Snyder 
> <jsnyde...@gmail.com>
> Reply-To: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Thursday, July 27, 2017 at 2:26 PM
> To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Cisco FRA APs
>  
> I’m not a DCA BEST guy.  You should be using the channel width that the 
> building can support.  With FRA, it’s easy to quickly overshoot the amount of 
> channels available.
>  
> That said, if you want to take the advice to use BEST, you should set the max 
> width to 40MHz.
>  
> Also, 
>  
>  
> On Jul 21, 2017, at 11:28 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
>  
> Lee, there is a Cisco white paper on the subject (applies to 8.2 and above). 
> It has a lot of fantastic information on RRM in general including FRA, 
> including how it makes decisions. It should all be there, and what’s not I 
> got directly from the RRM/FRA engineers in the BU.
>  
> http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper.html
>  
> Jeff
>  
>  
>  
> From: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "lhbad...@syr.edu" 
> <lhbad...@syr.edu>
> Reply-To: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Friday, July 21, 2017 at 8:23 AM
> To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Cisco FRA APs
>  
> Jeff-
>  
> Any reference links on the timers/sensitivity/channel width recommendations?
>  
> -Lee
>  
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Thursday, July 20, 2017 4:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Cisco FRA APs
>  
> In general, here are the important items.
> Make sure your 802.11a/n/ac and b/g/n DCA timers are at the default 10 mins. 
> This is critical since FRA uses the data from DCA runs to decide changes for 
> the radio. If this runs only once every six hours, FRA will not be able to 
> make an informed (correct) decision about the radio role.
> 802.11a/n/ac and b/g/n must have the same RF group leaders, and those leaders 
> must be controllers running the latest code.
> 802.11a/n/ac DCA Channel Width should be set to “Best” – it helps maximize 
> spectrum use. Even in our dense deployments, most WAPs run in 80 MHz.
> FRA – set sensitivity to LOW; this sets the bar very high for determining a 
> role switch for the radio.
> FRA – Interval of 1 Hour. This allows the fastest reaction to need.
>  
> Last but not least, pro

Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Cisco 3800 Series APs

2017-07-08 Thread Jake Snyder
The mGig consideration is a switching one for sure, because switches you buy 
today will likely see another evolution of wifi AP at some point.

For the 3800 as an AP.  It takes just more than 100 MHz of spectrum to break 
the 1Gbps barrier.  For most of us, that just isn't practical in most modern 
density deployments.  Sure you can do it in a lab setting, I've done it myself. 
 But I haven't seen a production environment that could necessitate more than 
1Gbps to the AP today.

The real question is the module.  Especially with AP extensions (APEx) being 
published on devnet. The DC power connector and enhanced cellular coexistence 
are reasons to look at 3800 IMHO.

For new construction, run the extra cable.  The cost of the cable pull is 
dramatically smaller during construction.  Maybe you use it for a digital 
projector, IP clock, IP speaker, or something we haven't dreamed up yet.  I've 
never had someone say "I wish I had pulled fewer cables."

As far as LAG on the 2800 goes, supposedly you have to load-balance on src-dst-port, 
otherwise you don't get above 1Gbps.  Plus the config is a PITA unless you have 
a switch that supports the auto-lag feature.  I worry that you are getting into 
additional operational overhead when you won't be above 1Gbps anyway.



Sent from my iPhone

> On Jul 8, 2017, at 9:54 PM, Jeffrey D. Sessler  
> wrote:
> 
> On the 3800-series decision point (and multi-gig):
>  
> New construction – Don’t need to run a 2nd Ethernet cable to the WAP (spend 
> that money to uplift to the 3800). You also won’t need a 2nd Ethernet port, 
> and a single multi-gig port is less than the cost of two 1Gb ports.
> New WAPs with new Switches – this is also common given the push for UPoE. 
> Again, like new construction, if you think running a 2nd Ethernet is within 
> the life-cycle of these switches e.g. 7-10 years, go multi-gig and the 3800’s.
>  
> Last but not least. If you use Cisco switches, there are some wonderful 
> bundle deals with Cisco WAPs and switches that make it hard not to go 
> 3800/multi-gig.
>  
> Jeff
>  
>  
> From: "wireless-lan@listserv.educause.edu" 
>  on behalf of Charles Francis 
> 
> Reply-To: "wireless-lan@listserv.educause.edu" 
> 
> Date: Saturday, July 8, 2017 at 1:37 PM
> To: "wireless-lan@listserv.educause.edu" 
> Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Cisco 3800 Series 
> APs
>  
> Hi Bryan,
> A few notes from our experience and our deployments recently.
>  
> 8.2MR5 is a necessity if you are running X800 series APs.   We had a slew of 
> issues with 1810, 2800, 3800 APs when they first came out, but they are 
> pretty solid now.
>  
> We ended up going with 1810’s in our dorms to provide higher density, but 
> also provide wired ports.  The 1810’s are AC wave2, no CleanAir and only 2x2 
> but at the price point, it was worthwhile to get the coverage.  We also 
> started to put them into smaller team and study rooms.
>  
> We weighed the 3800 and 2800 and settled on 2802i’s as our standard going 
> forward.  Although they didn’t support mGig, we can use both ports and push 
> 2gig if needed.  We do have a few 3800’s deployed but no mGig switches at 
> this.  From what we can see, we are bursting to around 200mb today at the 
> switchport and that’s in dense areas.  The 3800’s seemed interesting, but the 
> only difference we could see was the mGig. 
>  
> We peaked out around 80 clients on a 3800 in the library during finals with 
> no reported performance issues.
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of Bryan Ward 
> 
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> 
> Date: Friday, July 7, 2017 at 8:45 AM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: [EXTERNAL] Re: [WIRELESS-LAN] Cisco 3800 Series APs
>  
> Thanks everyone for the good quick feedback.
> I think we’ll be making the switch to the 3800s – most likely the 3802E model 
> as our existing APs are mainly wall-mounted.  The E model has the 
> advantage(?) over the I model in that only the I model supports macro/micro 
> cell, which seems to be the cause of FRA issues in non-dense deployments.  We 
> certainly don’t have very many dense deployments.
>  
> The 2800s also do sound like they could work for us, however our eventual 
> goal is to support mGig on our APs.  We have the wiring for it already.  
> There’s also been some renewed talk about adding cellular radio modules (but 
> I don’t want to get into that discussion here).
>  
> The issues mentioned all seem to have 

Re: [WIRELESS-LAN] Major issues with Cisco 1810w deployment

2017-07-08 Thread Jake Snyder
There have been some bugs with regard to PoE.  Not sure about the 
IE4ks, but I saw this in a customer environment on 3850 not too long ago.

CSCux65429

Might be why the midspans aren't having the issue.

It may be that the 1810W PDs are specifically triggering the bug.

Sent from my iPhone

> On Jul 8, 2017, at 3:39 PM, Dourty, Brian  wrote:
> 
> We recently deployed over 2000 Cisco 1850w WAPs at the UT Dallas campus and 
> have experienced an extremely high failure rate. At this point we have lost 
> over 25% of them. We have had Cisco on site to review the install and are 
> waiting on their report and EFA on 6 of the initial WAPs that died. The issue 
> appears to be power related as the failures have mostly occurred during 
> thunderstorms.
>  
> Approximately 1500 of the 1810w WAPs are deployed in older apartment 
> buildings with the switch gear in NEMA 3 boxes outside the apartments. These 
> buildings (45 total) were built as commercial apartments in the late 80’s 
> early 90’s with no facilities to house gear. In these locations we have 24 
> port Cisco IE4010 switches connected to the WAPs. Due to a limited POE budget 
> with the dual 150W power supplies in the IE4010 only the first 12 WAPs are 
> powered by the switch. The other 12 are powered by a 12 port POE injector. We 
> have only seen failures on WAPs plugged directly into the switch. The POE 
> injector appears to be acting as some type of shield for the WAPs and is 
> protecting them. They still go down but by unplugging them from the injector 
> and plugging them back in they will recover. The WAPs plugged into the switch 
> are completely dead and will not power on. A replacement WAP in that same 
> switch port will function. The failures are randomly distributed across the 
> buildings. Usually only a few per switch. We see the following error at the 
> switch when this occurs.
>  
> Jul  7 15:57:33 CDT: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, 
> Interface Gi1/14: Power Controller reports power Imax error detected
> Jul  7 15:57:35 CDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
> GigabitEthernet1/14, changed state to down
> Jul  7 15:57:36 CDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/14, changed 
> state to down
> Jul  7 16:01:08 CDT: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, 
> Interface Gi1/16: Power Controller reports power Imax error detected
> Jul  7 16:01:09 CDT: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, 
> Interface Gi1/1: Power Controller reports power Imax error detected
>  
> We have also had failures in building where we are using Cisco 3850s and the 
> equipment is located in a typical wiring closet inside the building.
>  
> We had 200 go down Friday at around 4:00pm during a severe storm. It is the 
> first time we have had a failure in our newer residential halls too. This 
> particular building was built a few years ago and is setup like the rest of 
> the academic buildings on campus. We haven’t had any issues with the 1000+ 
> Cisco WAPs we have deployed across the rest of campus.
>  
> If anyone has encountered this or has any ideas we are all ears.
>  
> Thanks,
>  
> Brian Dourty
> Associate Vice President and Chief Technology Officer
> University of Texas at Dallas
> 573-268-6871 - Cell
> 972-883-6600 - Office
>  
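As an added example (not code from the list, from UT Dallas or from Cisco), a small Python triage script over the IOS syslog lines quoted in Brian's message: it normalizes the two interface spellings (Gi1/14 vs GigabitEthernet1/14), counts Imax errors per port, checks whether each error was followed by a link-down on the same port within a short window, and groups the errors into time bursts so that a storm-correlated wave across many ports can be told apart from one bad port or PD. The sample log is constructed from the lines in the message plus one unrelated link-down line (Gi1/20); the window and burst-gap values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the IOS syslog lines quoted in the thread, plus one
# unrelated link-down line (Gi1/20) to show that it is not counted as an Imax event.
SAMPLE_LOG = """\
Jul  7 15:57:33 CDT: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/14: Power Controller reports power Imax error detected
Jul  7 15:57:35 CDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/14, changed state to down
Jul  7 15:57:36 CDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/14, changed state to down
Jul  7 16:01:08 CDT: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/16: Power Controller reports power Imax error detected
Jul  7 16:01:09 CDT: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/1: Power Controller reports power Imax error detected
Jul  7 16:03:00 CDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/20, changed state to down
"""

# "Mon  d HH:MM:SS TZ: %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+: "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
IFACE_RE = re.compile(r"Interface (?P<iface>[A-Za-z]+\d+(?:/\d+)*)")
IMAX_MNEMONIC = "ILPOWER-3-CONTROLLER_PORT_ERR"
LINK_DOWN_MNEMONIC = "LINK-3-UPDOWN"


def normalize_iface(name):
    """Map 'GigabitEthernet1/14' and 'Gi1/14' to the same key."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    kind, num = m.group(1), m.group(2)
    if kind.lower().startswith("gi"):
        kind = "Gi"
    return kind + num


def parse_log(text):
    """Return (timestamp, mnemonic, interface, text) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip banners, prompts and other non-syslog lines
        # IOS timestamps carry no year; strptime fills in 1900 as a placeholder.
        ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
        im = IFACE_RE.search(m["text"])
        iface = normalize_iface(im["iface"]) if im else None
        events.append((ts, m["mnemonic"], iface, m["text"]))
    return events


def imax_errors(events):
    """Only the PoE controller errors that report an Imax (over-current) condition."""
    return [e for e in events if e[1] == IMAX_MNEMONIC and "Imax error" in e[3]]


def per_interface_summary(events, window_s=60):
    """Per port: number of Imax errors and how many were followed by a LINK down
    on the same port within window_s seconds (assumed 60 s)."""
    window = timedelta(seconds=window_s)
    summary = defaultdict(lambda: {"imax": 0, "link_down_after": 0})
    for ts, _, iface, _ in imax_errors(events):
        summary[iface]["imax"] += 1
        followed = any(
            mn == LINK_DOWN_MNEMONIC and i == iface and "to down" in txt
            and ts <= t2 <= ts + window
            for t2, mn, i, txt in events
        )
        if followed:
            summary[iface]["link_down_after"] += 1
    return dict(summary)


def bursts(events, gap_s=300):
    """Group Imax errors into bursts; a new burst starts when the gap since the
    previous error exceeds gap_s (assumed 5 min). Many ports in one burst points
    at a site-wide event (e.g. a storm) rather than a single faulty port or PD."""
    times = sorted(e[0] for e in imax_errors(events))
    groups = []
    for t in times:
        if groups and (t - groups[-1][-1]).total_seconds() <= gap_s:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for iface, s in sorted(per_interface_summary(evs).items()):
        print(f"{iface}: {s['imax']} Imax error(s), {s['link_down_after']} followed by link down")
    print("bursts:", [[t.strftime("%H:%M:%S") for t in b] for b in bursts(evs)])
```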



Re: [WIRELESS-LAN] Aruba AP Models - 315 vs 325

2017-05-02 Thread Jake Snyder
Bruce,
The 310 series is 4x4 with 4 MU streams.  But it is only 2SS on 2.4GHz.

325 has 2nd Ethernet port, full spatial streams in 2.4GHz, 3MU streams, and 
does 80MHz only.

315 is single Ethernet, 2SS in 2.4GHz, 4MU streams and does 160, but drops to 
2SS in 5GHz @160.

The 330 and 310 are the 2nd gen W2 chips from QCA which is why they get the 4th 
MU stream.

I can't comment on CPU.



Sent from my iPhone

> On May 2, 2017, at 5:49 AM, Osborne, Bruce W (Network Operations) 
>  wrote:
> 
>  
> http://www.arubanetworks.com/products/networking/access-points/
>  
> Checking quickly, the 330 series is 4x4 MU-MIMO and has HP SmartRate, their 
> multi-gigabit solution. You can get 5Gbps on Cat 5e or 10Gbps on Cat6A, 
> according to their data sheet.
>  
> http://www.arubanetworks.com/assets/so/SO_SmartRate.pdf
>  
> 320 Series is 4x4 MU-MIMO
>  
> 310 Series is 2x2 MU-MIMO
>  
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  (434) 592-4229
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Chuck Enfield [mailto:chu...@psu.edu] 
> Sent: Monday, May 1, 2017 12:46 PM
> Subject: Re: Aruba AP Models - 315 vs 325
>  
> The differences that I know of are:
>  
> -330 series supports VHT160.  I can’t see using it, but if you can then this 
> is the AP for you.
> -330 has switchable antenna polarization, which should allow better H-plane 
> coverage when wall-mounting the AP. I haven’t tested this to see how well it 
> works, but a bracket to wall-mount an AP while maintaining its horizontal 
> orientation is pretty inexpensive.
>  
> Traditionally, each higher Aruba AP series also has more memory, and often a 
> better processor, to ensure adequate performance in the densest user 
> environment.  I recently asked my VAR about how the 320’s and 330’s compare 
> in this way, but haven’t heard back from them yet.  Anybody know?
>  
> Chuck Enfield
> Manager, Wireless Engineering
> Enterprise Networking & Communication Services
> The Pennsylvania State University
> 110H, USB2, UP, PA 16802
> ph: 814.863.8715
> fx: 814.865.3988
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Hess
> Sent: Monday, May 01, 2017 12:07 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Aruba AP Models - 315 vs 325
>  
> Aruba folks,
> Looking for opinions on whether the price premium of the 325 over the 315 is 
> worth it. 
>  
>  
> Thanks,
>  
> Steve
>  
>  
> 
> 
> Steve Hess
> Manager of Networking and Telecommunications 
> 26 E. Main St Norton, MA 02766
> t. 508-286-3413
> f. 508-286-8270
> 
> 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] Skype For Business With Cisco WLAN ?

2017-03-16 Thread Jake Snyder
My preference:
Configure clients to mark their traffic for Skype (where possible).
Configure skype with unique port ranges for Voice/Video/desktop/file.
Classify on switches based on port ranges.
Use platinum QoS on wlan.

If you don't see a performance impact, the SDN API stuff is interesting.  But 
AVC at scale has been giving some on the list grief.  I've not tried this 
integration on the cisco side.



Sent from my iPhone

> On Mar 16, 2017, at 5:19 PM, Curtis K. Larsen  
> wrote:
> 
> Hi All,
> 
> Wondering if any have successfully optimized their Cisco WLAN for Skype for 
> Business and are willing to share tips on or off list.  I found this guide 
> http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/Lync_SDN/b_Lync-Client-Server-in-Cisco-Wireless-LAN.html
>  but was hoping for a shortcut haha.
> 
> Thanks,
> 
> Curtis
> 
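The four steps above (mark on the client where possible, give each media type its own port range, classify on the switch by port range, carry it with platinum QoS) as a small model. This is an added example, not code from the post or from any Cisco or Microsoft tooling: the port ranges are placeholder values (use whatever your Skype for Business client policy actually sets), the DSCP values are the commonly published Skype recommendations, and the DSCP-to-802.11 user priority mapping follows RFC 8325; check both against your own policy and your WLC's DSCP-to-UP map.

```python
"""Model of per-class port-range classification for Skype for Business media.

Constructed example. Port ranges are placeholders; DSCP values follow the
usual Skype recommendations (EF audio, AF41 video, CS3 desktop sharing, AF13
file transfer); DSCP -> 802.11 UP follows RFC 8325 for those classes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficClass:
    name: str
    proto: str        # "udp" or "tcp"
    first_port: int   # inclusive
    last_port: int    # inclusive
    dscp: int         # DSCP the switch marks on a match


# Placeholder port plan: one disjoint range per media type so a switch ACL
# can classify on destination port alone (constructed values).
PORT_PLAN: List[TrafficClass] = [
    TrafficClass("voice",   "udp", 50020, 50039, 46),  # EF
    TrafficClass("video",   "udp", 58000, 58019, 34),  # AF41
    TrafficClass("desktop", "tcp", 42000, 42019, 24),  # CS3
    TrafficClass("file",    "tcp", 42020, 42039, 14),  # AF13
]

# DSCP -> (802.11 User Priority, WMM access category), per RFC 8325
# recommendations for these classes (assumption: verify against your WLC).
DSCP_TO_UP: Dict[int, Tuple[int, str]] = {
    46: (6, "AC_VO"),
    34: (4, "AC_VI"),
    24: (4, "AC_VI"),
    14: (0, "AC_BE"),
    0:  (0, "AC_BE"),
}


def overlapping_ranges(plan: List[TrafficClass]) -> List[Tuple[str, str]]:
    """Return pairs of classes whose (proto, port range) overlap.

    Overlap is the failure mode of "unique port ranges": a flow matching two
    classes is marked by whichever ACL entry comes first, so voice can end up
    marked as file transfer or the other way round.
    """
    problems = []
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            same_proto = a.proto == b.proto
            ranges_touch = a.first_port <= b.last_port and b.first_port <= a.last_port
            if same_proto and ranges_touch:
                problems.append((a.name, b.name))
    return problems


def classify(proto: str, dst_port: int,
             plan: List[TrafficClass] = PORT_PLAN) -> Optional[TrafficClass]:
    """First class whose protocol and port range match the flow, else None."""
    for tc in plan:
        if tc.proto == proto and tc.first_port <= dst_port <= tc.last_port:
            return tc
    return None


def mark_flow(proto: str, dst_port: int,
              plan: List[TrafficClass] = PORT_PLAN) -> Tuple[str, int, int, str]:
    """(class name, DSCP, 802.11 UP, access category) for one flow.

    Unmatched flows stay best effort (DSCP 0 / UP 0); a platinum QoS profile
    that trusts DSCP carries the marked ones onto the air at the mapped UP.
    """
    tc = classify(proto, dst_port, plan)
    dscp = tc.dscp if tc else 0
    up, ac = DSCP_TO_UP[dscp]
    return (tc.name if tc else "best-effort", dscp, up, ac)


# Constructed sample flows: (protocol, destination port)
SAMPLE_FLOWS = [
    ("udp", 50025),   # inside the voice range
    ("udp", 58007),   # inside the video range
    ("tcp", 42010),   # desktop sharing
    ("tcp", 42030),   # file transfer
    ("udp", 3478),    # STUN, outside the plan: stays best effort
]

if __name__ == "__main__":
    print("overlaps:", overlapping_ranges(PORT_PLAN))
    for proto, port in SAMPLE_FLOWS:
        print(proto, port, mark_flow(proto, port))
```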


Re: [WIRELESS-LAN] Cisco 8510 8.2 Load Issues

2017-03-08 Thread Jake Snyder
Might try leaving it off and see if that improves things.  Just sounds oddly 
familiar.  Make sure you disable it on all SSIDs to make sure you get a fair 
test with it off.

Sent from my iPhone

> On Mar 8, 2017, at 10:56 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:
> 
> We don’t use it, but yes looking at our SSID config under QOS AVC is enabled 
> on. Is this the only place to enable it? Per SSID?
>  
> This would seem a good thing to kill off, clearly I should have paid more 
> attention to that discussion last year looking at history.
>  
> Thanks Jake
>  
> I’m now cringing a bit if this is the fix. Oh well. Gotta learn one way or 
> another
>  
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
> Sent: Thursday, 9 March 2017 4:08 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Cisco 8510 8.2 Load Issues
>  
> I hate to ask, but do you have AVC enabled?
> 
> Sent from my iPhone
> 
> On Mar 8, 2017, at 9:59 PM, Watters, John <john.watt...@ua.edu> wrote:
> 
> I'll check the load on our most loaded 8510 HA pair in the morning & get back 
> to you. It is about 2300-2500 APs with at least that many concurrent clients. 
> Running 8.0.140.0 though (we moved there from a 7.6 (126 ?) level and Cisco 
> recommended that we move to 8.0.140 before going on up to 8.3).
> 
>  
> 
> We just bought a new 8510HA pair for this same MPLS area to divide the load. 
> It is running, but has no load at all yet. Was thinking of starting it on 8.3 
> code. So, I am very interested in your problem and the solution. Please be 
> sure to post it.
> 
>  
> 
>  
> 
>  
> 
>  
> ==
> -jcw
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jason Cook 
> <jason.c...@adelaide.edu.au>
> Sent: Wednesday, March 8, 2017 10:28:09 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco 8510 8.2 Load Issues
>  
> Hi All,
>  
> Just wondering if anyone has had any similar experiences to the fun we’ve had 
> the last week or so.
>  
> Towards the end of last year we moved to new 8510 HA pair on 8.2.121.11 (we 
> had an issue in testing at the time so grabbed the latest ER release that 
> resolved a crash bug)
> From 5x5508’s in N+1 on 8.0.121.0 code
> We started before the end of term with a small number of locations but didn’t 
> fully load it up until the big break. Now the students are back and needing 
> their internet we have had some real load issues during the day.
>  
> So it’s 2x 8510’s in HA, about 2100 APs peaking at about 14k concurrent 
> clients, but the issue seems to creep in at about 10k. While ICMP isn’t the 
> greatest tool for performance it does line up here; the graph below shows 
> around 10am we see increased delays in response to the vlan42 (client 
> network) interface on the controller and we see this on its management 
> interface too. At this point our clients’ ICMP to their own gateway starts to 
> increase from 1-3ms to 400-600 and even up to 1800 when the big spike shows 
> 800ms to the interface. Iperf testing will also go from 100Mb down to 1-5 and 
> even 0 at times, with users complaining of slowness and, at its worst, being 
> unable to login.
>  
> CPU/Memory resources, channel util etc. all OK. It’s a site-wide impact to users 
> no matter if it’s HD RF design or what AP model (1142, 2702, 3702, 3502 etc.), so it 
> seems to be in the controller itself. All testing done on 5 GHz.
>  
> Around midday we started migrating AP’s away to our old 5508’s, which saw a 
> significant drop just before 12:30 and things back to normal at 12:40  once 
> 300AP’s were moved off. So for now users are happy, apparently we’ve even had 
> callers in saying how good it is today (must have been bad the last week for 
> that to happen). Controller response to SNMP was so bad it was taking Prime 2 
> minutes per AP to re-configure primary controller. Did it by hand, ssh/gui 
> response was not its normal self but no problem. The 5508’s have shown no 
> signs of being unhappy with about 150 AP’s each. 
>  
> We are working with TAC who have been good and they are investigating (no like 
> cases found though); shedding the load has worked around the issue but it 
> needs fixing. We upgraded to 8.2.141.0 yesterday evening but won’t be 
> re-loading the 8510’s until next week so confirming it’s fixed is a few days 
> off. There’s a few short up to 30ms delayed ICMP responses today but it’s har

Re: [WIRELESS-LAN] Cisco 8510 8.2 Load Issues

2017-03-08 Thread Jake Snyder
I hate to ask, but do you have AVC enabled?

Sent from my iPhone

> On Mar 8, 2017, at 9:59 PM, Watters, John  wrote:
> 
> I'll check the load on our most loaded 8510 HA pair in the morning & get back 
> to you. It is about 2300-2500 APs with at least that many concurrent clients. 
> Running 8.0.140.0 though (we moved there from a 7.6 (126 ?) level and Cisco 
> recommended that we move to 8.0.140 before going on up to 8.3). 
> 
> We just bought a new 8510HA pair for this same MPLS area to divide the load. 
> It is running, but has no load at all yet. Was thinking of starting it on 8.3 
> code. So, I am very interested in your problem and the solution. Please be 
> sure to post it.
> 
> 
> 
>  
> ==
> -jcw
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of Jason Cook 
> 
> Sent: Wednesday, March 8, 2017 10:28:09 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco 8510 8.2 Load Issues 
>  
> Hi All,
>  
> Just wondering if anyone has had any similar experiences to the fun we’ve had 
> the last week or so.
>  
> Towards the end of last year we moved to new 8510 HA pair on 8.2.121.11 (we 
> had an issue in testing at the time so grabbed the latest ER release that 
> resolved a crash bug)
> From 5x5508’s in N+1 on 8.0.121.0 code
> We started before the end of term with a small number of locations but didn’t 
> fully load it up until the big break. Now the students are back and needing 
> their internet we have had some real load issues during the day.
>  
> So it’s 2x 8510’s in HA, about 2100 APs peaking at about 14k concurrent 
> clients, but the issue seems to creep in at about 10k. While ICMP isn’t the 
> greatest tool for performance it does line up here; the graph below shows 
> around 10am we see increased delays in response to the vlan42 (client 
> network) interface on the controller and we see this on its management 
> interface too. At this point our clients’ ICMP to their own gateway starts to 
> increase from 1-3ms to 400-600 and even up to 1800 when the big spike shows 
> 800ms to the interface. Iperf testing will also go from 100Mb down to 1-5 and 
> even 0 at times, with users complaining of slowness and, at its worst, being 
> unable to login.
>  
> CPU/Memory resources, channel util etc. all OK. It’s a site-wide impact to users 
> no matter if it’s HD RF design or what AP model (1142, 2702, 3702, 3502 etc.), so it 
> seems to be in the controller itself. All testing done on 5 GHz.
>  
> Around midday we started migrating AP’s away to our old 5508’s, which saw a 
> significant drop just before 12:30 and things back to normal at 12:40  once 
> 300AP’s were moved off. So for now users are happy, apparently we’ve even had 
> callers in saying how good it is today (must have been bad the last week for 
> that to happen). Controller response to SNMP was so bad it was taking Prime 2 
> minutes per AP to re-configure primary controller. Did it by hand, ssh/gui 
> response was not its normal self but no problem. The 5508’s have shown no 
> signs of being unhappy with about 150 AP’s each. 
>  
> We are working with TAC who have been good and they are investigating (no like 
> cases found though); shedding the load has worked around the issue but it 
> needs fixing. We upgraded to 8.2.141.0 yesterday evening but won’t be 
> re-loading the 8510’s until next week so confirming it’s fixed is a few days 
> off. There’s a few short up to 30ms delayed ICMP responses today but it’s hard 
> to know if that’s related or just the nature of ICMP and network gear 
> priority.
>  
> Interested to know if anyone has seen anything like this in their environment.
> And if anyone out there is using 8510’s in HA, what’s your load in APs 
> and concurrent users? I can imagine many places loading their devices up more 
> than us.
> Anyone know how to look at other hardware resources (not CPU/memory/system 
> buffers)? Something like the ASIC on switches, if it exists. Surely all this 
> traffic isn’t CPU.
>  
> Thanks
> 
> Jason
>  
> 
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
> e-mail: jason.c...@adelaide.edu.au
>  
> CRICOS Provider Number 00123M

Re: [WIRELESS-LAN] 2.4 GHz Interference

2017-03-08 Thread Jake Snyder
Power and distance matter greatly in RF.  Could be differences in client TX 
power, distance from the wispy, the client card, or even the filters in the 
card.  Even the same make/model of card can have variants in output.  Partially 
why we can't have calibrated cards in wifi.

2.4GHz will look slightly different than 5GHz due to the non-OFDM nature of 
the preamble. That signature slope away from the channel is a good bet that it's 
the wifi from your laptop.  Also, the strength is absurdly high.  If the wispy 
wasn't on top of the source, there's no way it would be at -20 without you 
glowing or your hair itching.

Combine that with the fact that it follows him around and I'm reasonably 
convinced.  Not saying there isn't something else, but take a capture without 
the super high ACI and you'll get a better picture.


Sent from my iPhone

> On Mar 8, 2017, at 9:53 PM, CHARLES ALBERT ENFIELD III <cae...@psu.edu> wrote:
> 
> Thanks Jake.  I was aware of the shape of the side band, but I thought I 
> remembered it starting 30 dB below the peak.  I guess it’s more like 20.  
> Jason’s trace seems to corroborate that.  Sean’s trace seems to be 10 to 15 
> dB.
>  
> The sideband emissions on the Revolution Wi-Fi image look more like Sean’s 
> than Jason’s.  I think this is relevant because the nature of the OFDM 
> sideband emissions is determined by the subcarrier width and channel width.  
> Sean and Jason both have the same parameters for both, but in Jason’s trace 
> the side lobe disappears into the low noise floor within about 35 MHz while 
> Sean’s doesn’t disappear into the much higher noise floor until about 55 MHz.  
> Sean’s 20 MHz channel looks much more like the 80 MHz channel image on Rev Wifi.
>  
> FWIW, I’m increasingly convinced your hunch is right.  Perhaps I’m taking 
> these traces from inexpensive equipment a little too literally.  I know they 
> are approximations at best, but I’m trying to figure out what’s going on.  
> I’m hopeful that thinking this through will improve my understanding.  
> Something in Sean’s trace still doesn’t add up for me.
>  
> From: Jake Snyder
> Sent: Wednesday, March 8, 2017 9:16 PM
> To: Chuck Enfield
> Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 2.4 GHz Interference
>  
> 
> Might check this out: 
> http://revolutionwifi.blogspot.com/2014/08/80211ac-adjacent-channel-interference.html?m=1
> 
> There's an image there you should find similar.
> 
> Sent from my iPhone
> 
>> On Mar 8, 2017, at 4:58 PM, Chuck Enfield <chu...@psu.edu> wrote:
>> 
>> Cool images.  I’ve never tried this.  I would have this afternoon, but our 
>> operations guys have the spectrum analyzer in another building.  I’m a 
>> little surprised to see as nice a plot as you got in the second trace.  
>> Between near field effects and the potential to push the Rx amplifiers into 
>> a non-linear region I would have expected something more messy.
>>  
>> Do you know what the max signal strength was in the two traces?  Also, do 
>> you know how to account for the increased duty cycle in the second one?  I’m 
>> wondering if this is due to different iperf behavior or if it’s weirdness 
>> caused by proximity.  I’ve been doing Wi-Fi for 15 years and still find 
>> myself guessing on a regular basis.
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
>> Sent: Wednesday, March 08, 2017 6:08 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] 2.4 GHz Interference
>>  
>> Still learning my way through signatures, but I have been caught out before 
>> with the analyzer being too close to a wifi source.
>> Below shows this on channel 132, using iperf for a data burst. In the first 
>> image the analyzer is 1m away from a Mac Air;
>> in the second it’s a few centimetres away from it. You can really see the 
>> impact on neighbouring channels at that distance (I think there’s even a 
>> bit in the 36-40 area).
>>  
>> I now keep the analyzer away from wifi devices as much as possible.
>>  
>> 
>>  
>> 
>>  
>> --
>> Jason Cook
>> Technology Services
>> The University of Adelaide, AUSTRALIA 5005
>> Ph: +61 8 8313 4800
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gray, Sean
>> Sent: Thursday, 9 March 2017 7:26 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] 2.4 GHz Interference
>>  
>> Nope, the spectrum analyzer is going directly into a Surface Pro 2.
>>  
>

Re: [WIRELESS-LAN] 2.4 GHz Interference

2017-03-08 Thread Jake Snyder
Might check this out: 
http://revolutionwifi.blogspot.com/2014/08/80211ac-adjacent-channel-interference.html?m=1

There's an image there you should find similar.

Sent from my iPhone

> On Mar 8, 2017, at 4:58 PM, Chuck Enfield <chu...@psu.edu> wrote:
> 
> Cool images.  I’ve never tried this.  I would have this afternoon, but our 
> operations guys have the spectrum analyzer in another building.  I’m a little 
> surprised to see as nice a plot as you got in the second trace.  Between near 
> field effects and the potential to push the Rx amplifiers into a non-linear 
> region I would have expected something more messy.
>  
> Do you know what the max signal strength was in the two traces?  Also, do you 
> know how to account for the increased duty cycle in the second one?  I’m 
> wondering if this is due to different iperf behavior or if it’s weirdness 
> caused by proximity.  I’ve been doing Wi-Fi for 15 years and still find 
> myself guessing on a regular basis.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
> Sent: Wednesday, March 08, 2017 6:08 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 2.4 GHz Interference
>  
> Still learning my way through signatures, but I have been caught out before 
> with the analyzer being too close to a wifi source.
> Below shows this on channel 132, using iperf for a data burst. In the first 
> image the analyzer is 1m away from a Mac Air;
> in the second it’s a few centimetres away from it. You can really see the 
> impact on neighbouring channels at that distance (I think there’s even a bit 
> in the 36-40 area).
>  
> I now keep the analyzer away from wifi devices as much as possible.
>  
> 
>  
> 
>  
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gray, Sean
> Sent: Thursday, 9 March 2017 7:26 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 2.4 GHz Interference
>  
> Nope, the spectrum analyzer is going directly into a Surface Pro 2.
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
> Sent: March-08-17 1:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 2.4 GHz Interference
>  
> Are you using a USB 3.0 hub?
>  
>  
> On Mar 8, 2017, at 1:23 PM, Jason Heffner <jdh...@psu.edu> wrote:
>  
> I’ve seen something similar when running some of the older Cisco controllers. 
> If you’ve ruled out everything else and are starting to look for devices causing 
> interference, I'd check out some of your wireless mic systems. We had some 
> 800 MHz ones that we had to salvage that were causing harmonic distortion on 2.4 GHz 
> similar to this on the lower channels.
> 
> On Mar 8, 2017, at 2:32 PM, Gray, Sean <sean.gr...@uleth.ca> wrote:
>  
> Hi Everyone,
>  
> I’ve been doing a little spectrum analysis around campus and I keep seeing 
> the same interference signature in different buildings. I was wondering if 
> anyone had seen anything like this before. It is typically visible for well 
> over 10 minutes at a time and then it completely disappears. 
>  
> Thanks
>  
> Sean
>  
>  
> Sean Gray | B.Sc (Hons)
> Voice, Collaboration & Wireless Network Analyst
> ITS, University of Lethbridge
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
> 
>  



Re: [WIRELESS-LAN] 2.4 GHz Interference

2017-03-08 Thread Jake Snyder
Try putting your laptop in airplane mode.  My guess is the SpecAn is in very 
close proximity to the laptop.  That horizontal slope indicates the wispy is 
VERY close to a wifi device (aka your surface).  That's why it looks like OFDM, 
because it is.  Getting your wispy close to an AP will look the same.



Sent from my iPhone

> On Mar 8, 2017, at 1:56 PM, Gray, Sean <sean.gr...@uleth.ca> wrote:
> 
> Nope, the spectrum analyzer is going directly into a Surface Pro 2.
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
> Sent: March-08-17 1:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 2.4 GHz Interference
>  
> Are you using a USB 3.0 hub?
>  
>  
> On Mar 8, 2017, at 1:23 PM, Jason Heffner <jdh...@psu.edu> wrote:
>  
> I’ve seen something similar when running some of the older Cisco controllers. 
> If you’ve ruled out everything else and are starting to look for devices causing 
> interference, I'd check out some of your wireless mic systems. We had some 
> 800 MHz ones that we had to salvage that were causing harmonic distortion on 2.4 GHz 
> similar to this on the lower channels.
> 
> On Mar 8, 2017, at 2:32 PM, Gray, Sean <sean.gr...@uleth.ca> wrote:
>  
> Hi Everyone,
>  
> I’ve been doing a little spectrum analysis around campus and I keep seeing 
> the same interference signature in different buildings. I was wondering if 
> anyone had seen anything like this before. It is typically visible for well 
> over 10 minutes at a time and then it completely disappears. 
>  
> Thanks
>  
> Sean
>  
>  
> Sean Gray | B.Sc (Hons)
> Voice, Collaboration & Wireless Network Analyst
> ITS, University of Lethbridge
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
> 
>  
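Jake's point in his two replies in this thread (the one above and the longer one earlier on the page) is that a -20 dBm Wi-Fi signature with that sloping shoulder means the WiSPy is next to the transmitter, and Chuck's question was whether the shoulder starts 20 or 30 dB below the peak. Both worked through numerically as an added example, not code from the list: it assumes free-space loss (a lower bound on real loss), 0 dBi antennas, constructed transmit powers, and uses the IEEE 802.11 20 MHz OFDM transmit spectral mask as a stand-in for the observed sideband (the mask is a ceiling, so a real card sits a little below it).

```python
"""Distance implied by a -20 dBm Wi-Fi reading, and the adjacent-channel level
the 802.11 20 MHz OFDM transmit mask allows. Constructed example."""
import math

# 802.11 20 MHz OFDM transmit spectral mask, (offset MHz, level dBr):
# 0 dBr out to 9 MHz, -20 dBr at 11 MHz, -28 dBr at 20 MHz, -40 dBr at 30 MHz
# and beyond. Real emissions must stay at or below this line.
_MASK_POINTS = [(0.0, 0.0), (9.0, 0.0), (11.0, -20.0), (20.0, -28.0), (30.0, -40.0)]


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss in dB (Friis form with d in km and f in MHz).

    Near-field effects make this optimistic at a few centimetres, but a
    lower bound on loss is all the argument needs.
    """
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def rx_power_dbm(tx_dbm: float, distance_m: float, freq_mhz: float,
                 tx_gain_dbi: float = 0.0, rx_gain_dbi: float = 0.0) -> float:
    """Received level at distance_m under free-space loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def distance_for_rx_m(rx_dbm: float, tx_dbm: float, freq_mhz: float,
                      tx_gain_dbi: float = 0.0, rx_gain_dbi: float = 0.0) -> float:
    """Largest free-space distance at which rx_dbm could still be observed."""
    loss = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_dbm
    d_km = 10 ** ((loss - 20 * math.log10(freq_mhz) - 32.44) / 20)
    return d_km * 1000.0


def ofdm_mask_dbr(offset_mhz: float) -> float:
    """Mask level relative to the in-channel level at a given offset (dBr)."""
    f = abs(offset_mhz)
    if f >= _MASK_POINTS[-1][0]:
        return _MASK_POINTS[-1][1]
    for (f0, l0), (f1, l1) in zip(_MASK_POINTS, _MASK_POINTS[1:]):
        if f0 <= f <= f1:
            return l0 + (f - f0) / (f1 - f0) * (l1 - l0)   # linear in dB
    raise AssertionError("unreachable")


def channel_center_mhz(channel: int) -> float:
    """2.4 GHz channel centres: 1-13 are 5 MHz apart from 2412, 14 is 2484."""
    if channel == 14:
        return 2484.0
    if 1 <= channel <= 13:
        return 2412.0 + 5.0 * (channel - 1)
    raise ValueError("not a 2.4 GHz channel")


def sideband_dbm(peak_dbm: float, tx_channel: int, victim_channel: int) -> float:
    """Level the mask allows at the victim channel's centre, given the peak."""
    offset = channel_center_mhz(victim_channel) - channel_center_mhz(tx_channel)
    return peak_dbm + ofdm_mask_dbr(offset)


if __name__ == "__main__":
    # A 15 dBm laptop radio (constructed value) on channel 6.
    for d in (0.1, 0.5, 1.0, 3.0, 10.0):
        print(f"{d:5.1f} m: {rx_power_dbm(15.0, d, 2437.0):6.1f} dBm")
    print("distance at which -20 dBm is still possible:",
          round(distance_for_rx_m(-20.0, 15.0, 2437.0), 2), "m")
    # Shoulder seen from the neighbouring channels when the peak reads -20 dBm.
    for ch in (1, 6, 11):
        print(f"ch {ch:2d}: {sideband_dbm(-20.0, 6, ch):6.1f} dBm")
```

With a 15 dBm radio the -20 dBm reading needs the analyzer within roughly half a metre, and at -20 dBm peak the mask still allows about -54 dBm at the centres of channels 1 and 11, which is well above a typical noise floor and is the slope seen in the traces.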



Re: [WIRELESS-LAN] 2.4 GHz Interference

2017-03-08 Thread Jake Snyder
Are you using a USB 3.0 hub?


> On Mar 8, 2017, at 1:23 PM, Jason Heffner  wrote:
> 
> I’ve seen something similar when running some of the older Cisco controllers. 
> If you’ve ruled out everything else and are starting to look for devices causing 
> interference, I'd check out some of your wireless mic systems. We had some 
> 800 MHz ones that we had to salvage that were causing harmonic distortion on 2.4 GHz 
> similar to this on the lower channels.
> 
>> On Mar 8, 2017, at 2:32 PM, Gray, Sean wrote:
>> 
>> Hi Everyone,
>>  
>> I’ve been doing a little spectrum analysis around campus and I keep seeing 
>> the same interference signature in different buildings. I was wondering if 
>> anyone had seen anything like this before. It is typically visible for well 
>> over 10 minutes at a time and then it completely disappears. 
>>  
>> Thanks
>>  
>> Sean
>>  
>>  
>> Sean Gray | B.Sc (Hons)
>> Voice, Collaboration & Wireless Network Analyst
>> ITS, University of Lethbridge
>>  
>>  





Re: [WIRELESS-LAN] 2.4 vs 5

2017-03-06 Thread Jake Snyder
One thing I like in your design is the 5GHz only and dual band.  So many people 
try a 5GHz only and a 2.4GHz only and it backfires on them.



Sent from my iPhone

> On Mar 6, 2017, at 3:17 PM, Jason Cook  wrote:
> 
> We have a dedicated 5ghz SSID but it’s in addition to our standard which is 
> not ideal… too many SSID’s doing the same thing
> So our dot1x auth’s are
> UofA (2.4&5)
> UofA 5ghz (5 only)
> eduroam (2.4 & 5)
>  
> We still see plenty of brand new devices on 2.4 only and I was helping a 
> student recently who grabbed an old laptop out of hard rubbish. So we are 
> stuck with making them work but in doing so we see 5ghz capable devices 
> sitting on 2.4 which isn’t so good. The extra SSID was fired up as a test and 
> worked, so got stuck there but we  still don’t classify it under our 
> production since it’s poorly named.
>  
> For end of year I’m proposing the removal of “UofA 5ghz” and making “UofA” a 
> 5ghz only SSID with eduroam covering both 5 and 2.4. Our users get the same 
> service on eduroam anyway as they would on our branded SSID(ip connectivity 
> wise).
>  
> A few years back I posted a discussion about this where we were considering 
> something similar but having a 2.4ghz only network as UofA-legacy or the 5ghz 
> network as UofA-Premium etc. since the current “UofA 5ghz” is technical and 
> users don’t know what it means.  We never got to a point where we were fully 
> happy with the plan but in general we preferred the idea that if you’re 2.4ghz 
> only you go on something called legacy to help drive the idea that they would 
> ideally not use such a device.
>  
>  
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Casey Feskens
> Sent: Tuesday, 7 March 2017 4:58 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 2.4 vs 5
>  
> We are currently using a 5GHz only SSID (as well as 2.4) and have been trying 
> to encourage students to use it. We recently conducted a survey of wireless 
> performance and asked questions about why people were using 2.4 networks vs. 
> 5GHz. A surprising number of students replied that their devices could not 
> see the 5GHz SSID.
>  
> On Mon, Mar 6, 2017 at 10:18 AM, Hunter Fuller  wrote:
> Similarly, we haven't looked at it. You can walk into Best Buy today and walk 
> out with a brand new laptop with no 5GHz wireless.
>  
> On Mon, Mar 6, 2017 at 12:13 PM Jeffrey D. Sessler  
> wrote:
> I don’t think there is a way to get away from 2.4 yet in EDU. For example, 
> while most would install high-density 5GHz in every residential room, it’s 
> likely cost-prohibitive to accomplish the same in hallways and other areas 
> that devices transit but don’t linger. As such, 2.4 is still important for 
> “in flight” devices.
>  
> Jeff
>  
> From: "wireless-lan@listserv.educause.edu" 
>  on behalf of "Oliver, Jeff" 
> 
> Reply-To: "wireless-lan@listserv.educause.edu" 
> 
> Date: Monday, March 6, 2017 at 8:42 AM
> To: "wireless-lan@listserv.educause.edu" 
> Subject: [WIRELESS-LAN] 2.4 vs 5
>  
> Folks, just wondering how many PSI’s have successfully turned off your 2.4 
> and gone 5GHz only? And how much blowback?
>  
>  
> Cheers,
> Jeff
>  
> ---
>  
> Jeffrey L. Oliver
> Manager, Network and Telecommunications
> Information Technology Services
> The University of Lethbridge
> 4401 University Drive, Lethbridge, Alberta, T1K 3M4
>  
> Tel: 403.329.5162
> Mob: 403.315.4461
>  
> URI:   jeff.oli...@uleth.ca
> Web:http://www.uleth.ca/information-technology/
>  
> 
> 
>  
> --
> -
> Casey Feskens 
> Director of Infrastructure Services
> Willamette Integrated Technology Services
> Willamette University, Salem, OR
> Phone:  (503) 370-6950
> -

Re: [WIRELESS-LAN] Disney's Free Wi-Fi

2017-03-02 Thread Jake Snyder
Hector, we must have just missed each other, I flew home today.  The Coke store 
in Disney Springs was crazy.  Lots and lots of Cisco APs, with a single Aruba 
on each floor (for Disney I'm assuming).  I had some initial funkiness on my 
iPhone where I was rapidly disconnecting and reconnecting, but settled down in 
about 20 seconds and was solid the rest of the time.  I assume I was bumping 
into an RSSI cutoff or clientmatch was being too bossy.  Other than some APs in 
retail stores, I found none visible.  Worked very well for me.

Universal didn't do anywhere near as good of a job at hiding APs.  Skull island 
and Harry Potter had them in the ceiling, with blackout covers on them (aside 
from bright green LED showing).  I saw lots of them, but didn't get to test 
(wife took away my phone).  Outside and inside of MIB there were lots of 
terrawave antennas visible (painted silver outdoors).

The Daytona 500 on Sunday was lackluster.  DHCP fell over multiple times with 
some DNS issues throughout the day.  For me as a fan, the RF was really 
suboptimal in the fan seating.  When it did work, it seemed ok. DAS felt slow, 
but functional for light texting.  Lots of pics from there when we did the 
tour.  Ruckus in the track, Cisco in the museum/office areas and UBNT for the 
connectivity to booths/tents outdoors.  Glad I'm not managing that.

Sent from my iPhone

> On Mar 2, 2017, at 2:52 PM, Chris Adams (IT)  wrote:
> 
> I am impressed that a networking professional had a vacation long and quiet 
> enough to enjoy an amusement park.
>  
> Well done, Hector!
>  
>  
> Thanks,
>  
> Chris Adams, CISSP
>  
> Director, Network & Telecom Services
> Division of Information Technology
> University of North Georgia
> E-Mail: chris.ad...@ung.edu | Office: (706) 867-2891
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
> Sent: Thursday, March 2, 2017 4:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Disney's Free Wi-Fi
>  
> I just came back from a trip to Disney World and I was blown away about the 
> availability of their Wi-Fi network. It covers all the Disney Hotels, parks 
> (I believe with the exception of the water parks) and the Disney Springs 
> district. From the MAC address of a couple of WAPs, it appears they use 
> Aruba. The coverage is impressive, and the connectivity is good; although 
> reliability is decent, but I can forgive them knowing what a humongous task 
> it takes to deploy such a massive network.
>  
> Does anybody know any more details about how this network was deployed? I 
> looked and looked for places where I could see WAPs but didn’t see a thing. 
> However  they did it, it is impressive.
>  
> Oh BTW, I did enjoy the park too. :)
>  
> Hector Rios
> Louisiana State University

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] Nyansa - tap info

2017-02-28 Thread Jake Snyder
Gigamon is what I've used.

Sent from my iPhone

> On Feb 28, 2017, at 11:05 AM, Walter Reynolds  wrote:
> 
> For anyone using Nyansa, if you are using a fiber tap instead of spanning a 
> port could you please let me know what hardware you are using to do this.
> 
> Thanks.
> 
> 
> Walter Reynolds
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438



Re: [WIRELESS-LAN] SSID names

2017-02-22 Thread Jake Snyder
Clients will connect and take up an IP with or without a captive portal. They 
might stay connected longer without access to the internet, but they hit the 
captive portal which requires an IP.

To me, if you rely on a captive portal to solve DHCP issues, you've undersized 
your subnets and DHCP pools.  I see lots of orgs trying very low DHCP timers to 
"solve" this.  The solution is to have a subnet scoped to support the peak 
number of unique clients for a given day.

Sent from my iPhone

> On Feb 22, 2017, at 8:16 AM, Jonathan Waldrep  wrote:
> 
> > I do have in my back pocket a plan to flatten these /24s into one larger 
> > network if need be
> 
> We recently moved to this model and it has been great so far. One /17 network 
> per router.
> 
> --
> Jonathan Waldrep
> Network Engineer
> Network Infrastructure and Services
> Virginia Tech
> 
>> On Wed, Feb 22, 2017 at 9:39 AM, Tony Skalski  wrote:
>> >how do you stop roaming mobile devices from sucking up all your dhcp 
>> >addresses?
>> 
>> Devices always get the same IP address (until we change the VLAN assignments 
>> for the AP group (i.e. vap profile in Aruba-speak)). Granted, Aruba's 
>> VLAN-assignment hashing algorithm is not perfect and once in a while one of 
>> the /24s assigned to the guest SSID exceeds 80% used (our alerting 
>> threshold), but that has only happened a few times since school started in 
>> September. I do have in my back pocket a plan to flatten these /24s into one 
>> larger network if need be, given that Aruba has sufficient controls to deal 
>> with {broad,multi}cast traffic.
>> 
>> ajs  
>> 
>>> On Wed, Feb 22, 2017 at 7:00 AM, Osborne, Bruce W (Network Operations) 
>>>  wrote:
>>> With the captive portal removed, how do you stop roaming mobile devices 
>>> from sucking up all your dhcp addresses? We have found that a captive 
>>> portal helps reduce usage by roaming devices.
>>> 
>>>  
>>> 
>>>  
>>> 
>>> Bruce Osborne
>>> 
>>> Senior Network Engineer
>>> 
>>> Network Operations - Wireless
>>> 
>>>  
>>> 
>>>  (434) 592-4229
>>> 
>>>  
>>> 
>>> LIBERTY UNIVERSITY
>>> 
>>> Training Champions for Christ since 1971
>>> 
>>>  
>>> 
>>> From: Tony Skalski [mailto:a...@stolaf.edu] 
>>> Sent: Tuesday, February 21, 2017 4:48 PM
>>> Subject: Re: SSID names
>>> 
>>>  
>>> 
>>> Up until this past summer, we had three SSIDs: a guest SSID, an open SSID 
>>> for college users and a 1x protected SSID for college users. There was 
>>> considerable overlap between the open and guest SSIDs, so we collapsed them 
>>> into one. We now have: eduroam and 'St. Olaf Guest'. We decided we were OK 
>>> with 1x-incapable devices using the guest network and removed the captive 
>>> portal we had on the old guest SSID.
>>> 
>>>  
>>> 
>>>  
>>> 
>>> On Tue, Feb 21, 2017 at 3:06 PM, Adam T Ferrero  wrote:
>>> 
>>> 
>>>   These have served us pretty well.  We only have a mac auth SSID in our 
>>> residence halls.  Occasionally it would be useful to have it everywhere but 
>>> we don't currently.
>>> 
>>> TUsecurewirelessWPA2 enterprise which gives different access levels 
>>> (staff, student, guest)
>>> TUguestwireless Open for onboarding (SMS text credentials)
>>> eduroam Guest like access for anyone
>>> 
>>>   Adam
>>> 
>>> -Original Message-
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Dickson
>>> Sent: Tuesday, February 21, 2017 4:02 PM
>>> 
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] SSID names
>>> eduroam  (our only 802.1x offering)
>>> UMASS  (open, CP, primarily for guests)
>>> UMASS-DEVICES  (MAC auth'd device support for non-802.1x capable devices, 
>>> as allowed by policy)
>>> 
>>> Mike
>>> 
>>> Michael Dickson
>>> Network Analyst
>>> Information Technology
>>> University of Massachusetts Amherst
>>> 413-545-9639
>>> michael.dick...@umass.edu
>>> PGP: 0x16777D39
>>> 
>>> 
>>> On 2017-02-21 15:36, Jim Stasik wrote:
>>> > Hello, I have been encouraged by one of our governance bodies to
>>> > consider renaming our wireless SSIDs to better match the network names
>>> > to the function of the networks behind them.  I don’t get it, but
>>> > maybe I am a little too close to it.  We don’t have any residential on
>>> > our campuses so have just two primary SSIDs in use on our campus (as
>>> > well as eduRoam).  One is named Public and is our onboarding/guest
>>> > network.  The other is our authenticated/secure network which we call
>>> > MC3Waves and is for all students, staff, faculty and administrators,
>>> > with 802.1x on the back end to steer the end user to the appropriate
>>> > role.  We have had these network around for as long as I can remember
>>> > (15 years maybe).  I am curious how others are naming and separating
>>> > the SSIDs in their environment?
>>> >
>>> > Thanks in advance,
>>> >
>>> > Jim Stasik
>>> >
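
A worked version of the pool-sizing argument in the reply above, added here as an illustration and not anything posted to the list: it simulates how many addresses are held during one lease interval under a constructed arrival pattern (40 new clients per hour for 12 hours) and sizes the subnet against the 80% utilisation alert threshold mentioned in the thread, which shows why a shorter lease timer lowers the apparent requirement without changing the number of unique clients.

```python
"""DHCP pool sizing from client arrival times (added example, not from the thread).

Models the point made above: the pool must hold every unique client seen
during one lease interval, not just the clients associated right now, so
shrinking the lease timer only hides undersizing. The arrival pattern is
constructed: 40 new clients per hour for 12 hours, one per minute.
"""
from datetime import datetime, timedelta
from typing import List, Tuple


def constructed_events(hours: int = 12, per_hour: int = 40) -> List[Tuple[datetime, str]]:
    """Constructed (timestamp, client MAC) association events."""
    start = datetime(2017, 2, 22, 8, 0)
    events = []
    for h in range(hours):
        for i in range(per_hour):
            events.append((start + timedelta(hours=h, minutes=i), f"mac-{h:02d}-{i:02d}"))
    return events


def peak_outstanding_leases(events: List[Tuple[datetime, str]], lease_seconds: int) -> int:
    """Peak number of addresses held at once. A client whose last request falls
    within (t - lease, t] still holds its lease at time t, whether or not it is
    still associated."""
    lease = timedelta(seconds=lease_seconds)
    last_seen = {}
    peak = 0
    for t, mac in sorted(events):
        last_seen[mac] = t
        held = sum(1 for ts in last_seen.values() if ts > t - lease)
        peak = max(peak, held)
    return peak


def smallest_prefix(peak_leases: int, alert_threshold: float = 0.8) -> int:
    """Smallest IPv4 prefix length whose usable host count, at the given
    utilisation alert threshold, still covers the peak."""
    for prefix in range(30, 7, -1):
        usable = 2 ** (32 - prefix) - 2
        if usable * alert_threshold >= peak_leases:
            return prefix
    raise ValueError("peak exceeds a /8")


def size_pool(events: List[Tuple[datetime, str]], lease_seconds: int,
              alert_threshold: float = 0.8) -> Tuple[int, int]:
    """Return (peak leases held, prefix length) for one lease timer setting."""
    peak = peak_outstanding_leases(events, lease_seconds)
    return peak, smallest_prefix(peak, alert_threshold)


if __name__ == "__main__":
    ev = constructed_events()
    for lease in (3600, 7200, 86400):
        peak, prefix = size_pool(ev, lease)
        print(f"lease {lease:6d}s: peak {peak:4d} leases -> /{prefix}")
```

The 24-hour lease case is the honest requirement (every unique client of the day), while the one-hour case only looks smaller because leases expire between waves of clients.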

Re: [WIRELESS-LAN] In room WIFI - second example

2017-02-20 Thread Jake Snyder
I'm not opposed to using a low cost device, just make sure you are doing things 
that are scalable and lead to good experiences.

NAT provides some hard issues to address.  First off, no roaming.  IP 
addressing will change.  Even on a common SSID, each device will lose all 
established sessions on every roam.  Generally not regarded well in having a 
"good experience."

Separate SSIDs per room leads to other challenges.  The signal is confined 
locally around the room and once they leave, they have to rely on either a 
"house" network, or they start giving out each other's PSKs in order to 
facilitate roaming.  This makes SSID selection on the device ugly and likely 
suboptimal for students a lot of the time.

How are you going to manage channel/power across a dense deployment of these 
devices?  What do you do when students have 2.4GHz only devices and their dorm 
room doesn't have the 2.4 radio enabled?  Do you alter channel plan to 
accommodate?  How do you deal with CCI? How do you get all their devices 
talking across APs?  Please not tunnels...

This isn't a new idea.  Hotels have been doing this (very poorly) for years.  
It's never been a great experience.  I can't say I've ever had a good 
experience with hotels doing SSIDs per floor or per wing.

I don't know that I have good solutions to these kinds of issues.  The best 
advice I can give is set expectations with the students, and get their feedback.


Sent from my iPhone

> On Feb 20, 2017, at 10:01 AM, Thomas Carter  wrote:
> 
> It does bring up a problem that I’ve been complaining about for a long time – 
> the top tier vendors don’t really offer any low cost single-room solutions, 
> especially when it comes to ac. For example, what is there between this 
> Mikrotik device at $50 and an Aruba AP-205H for $400? I see they have a 203H 
> coming, but I don’t know the pricing on that. It seems the Cisco 1810 is a 
> little better at $300, but for less than double that cost I can support 3 
> rooms with a traditional ceiling mount. And that doesn’t include the extra 
> controller licensing and capacity required.
>  
> From the point of view of someone with a small, challenging budget, I could 
> get the Aruba or Cisco and then have to keep them in service for 10+ years, 
> or go for the cheaper models and replace them every 3. I realize there are 
> other issue, but cost is a big driver.
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue 
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Elley
> Sent: Monday, February 20, 2017 10:24 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] In room WIFI - second example
>  
> IMHO what you potentially save upfront will probably cost you dearly in 
> maintenance, support issues and customer (dis)satisfaction.
> 
>  
> Wireless Service Manager
> IT Services, University of Bristol
>  
> On 20 February 2017 at 14:55, Michael Blaisdell  
> wrote:
> Hmm. How many rooms, buildings, and end devices, Michael?
> 
> 
> 700 rooms over 10 buildings and about 3000 end devices.
> 



Re: [WIRELESS-LAN] Wifi blocking paint?

2017-02-19 Thread Jake Snyder
I've been to many device manufacturers and they use RF chambers for a lot of 
their testing.  There are also some pesky compliance things that it enables you 
to get around.

Sent from my iPhone

> On Feb 19, 2017, at 9:00 AM, Mike King  wrote:
> 
> Frank,
> 
> I'm not sure what your program is trying to accomplish, but I have been in a 
> program in the past utilizing an Ixia VeriWave.
> https://www.ixiacom.com/products/ixveriwave
> 
> Essentially it's all based around Faraday cages, and specialized equipment to 
> monitor, modulate, and generate RF signals in a closed environment.
> 
> The upfront cost is pricey, but how pricey are some of the building 
> modifications we've discussed, as well as long term effectiveness?
> 
> One of the really nice things about the VeriWave setup was that everything was 
> repeatable.
> 
> 
> 
> 
> 
>> On Thu, Feb 16, 2017 at 8:24 PM, Sweetser, Frank E  wrote:
>> I don't know that the demand for blocking is significant enough to justify a 
>> consultant, but I'm certainly going to float the idea.  If that doesn't 
>> happen, though, the yshield paint recommendation (along with basic ideas, 
>> like making sure they keep their power levels down low) should at least give 
>> me some best effort protection.
>> 
>> 
>> thanks!
>> 
>> 
>> Frank Sweetser
>> Director of Network Operations
>> Worcester Polytechnic Institute
>> "For every problem, there is a solution that is simple, elegant, and wrong." 
>> - HL Mencken
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>  on behalf of Chuck Enfield 
>> 
>> Sent: Thursday, February 16, 2017 4:51 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Wifi blocking paint?
>>  
>> If the lab needs to be completely isolated you’re going to want to hire a 
>> consultant to design a shielding system.  If you just need enough 
>> attenuation to mitigate significant interference, I’ve heard good things 
>> about the yshield paint.  You can add about 30-40dB of loss to a wall.  If 
>> you can keep your radios 40-50 feet apart, this should isolate them from 
>> each other enough that they disappear into the noise floor.
>>  
>> Keep in mind that it has to be grounded for maximum effect, and if I’m 
>> skeptical about the efficacy of the paint it’s mostly to do with this.  Good 
>> bonding and grounding is hard, and carbon paint doesn’t strike me as a great 
>> medium for reliable bonding.  That said, at Wi-Fi wavelengths ground quality 
>> shouldn’t be too much of a factor in attenuation as long as you keep antenna 
>> elements far enough from the walls to avoid near field effects.  But if the 
>> grounding isn’t effective you could end up with excessive internal 
>> reflection in the lab.  No problem if there’s a normal amount of absorptive 
>> material in the room, but could be a problem otherwise.
>>  
>> Just my two cents.
>>  
>> Chuck
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sweetser, Frank E
>> Sent: Thursday, February 16, 2017 3:27 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Wifi blocking paint?
>>  
>>  
>> 
>> Hi all,
>> 
>>  
>> 
>> we just got word that a professor here wants to start running a certificate 
>> program around a wireless lab setup.  To mitigate any potential problems 
>> from this, we'd like to try to isolate the lab wireless to the one room as 
>> much possible.  Does anyone have any recommendations for wifi blocking 
>> paint, or other building material choices and techniques?
>> 
>>  
>> 
>> thanks!
>> 
>>  
>> 
>> Frank Sweetser
>> Director of Network Operations
>> Worcester Polytechnic Institute
>> "For every problem, there is a solution that is simple, elegant, and wrong." 
>> - HL Mencken



Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Jake Snyder
To reiterate, SANs are not needed on some platforms.  Please consult your 
documentation.

Sent from my iPhone

> On Feb 6, 2017, at 6:00 AM, Osborne, Bruce W (Network Operations) 
>  wrote:
> 
> We use SANs on our RADIUS certificate so we can use the same certificate for 
> https on those servers.
> I agree with Tim, though. SANs are not needed and we have run our RADIUS 
> certificate for several years on multiple servers without any SANs.
>  
>  
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  
>  (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com] 
> Sent: Friday, February 3, 2017 4:46 PM
> Subject: Re: wild card certs and PEAP
>  
> For an EAP server certificate, you do not need SANs for every server. You can 
> do something generic like “network-login.domain.edu” and put that cert on 
> every box.
>  
> The SANs will never be referenced and will just add significant cost.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Friday, February 3, 2017 16:38
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] wild card certs and PEAP
>  
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert. 
>  
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins  wrote:
> Our identity management group runs our Microsoft NPS servers and I recall 
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps 
> your client from having to trust each NPS server.
>  
>  
>  
>  
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Friday, February 03, 2017 3:32 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>  
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
> configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
> beg digicert for one, since I don’t think they have an option), but we tried 
> to use a wildcard cert that we usually use for testing of services.  It 
> generates/imports correctly and Android doesn’t appear to have an issue with 
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
> wireless network.  It looks like Android may be ignoring the validation or 
> generally fine with the wildcard. 
>  
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it 
> with S2012R2?
>  
> -Brian
>  
>  
> --
> 
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure



Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Jake Snyder
Tim,
For Cisco ISE, it validates that the host name matches the CN or SAN.  So you 
can't always do that.

But you could do something like *.radius.univ.edu as a SAN and call them 
radius01.radius.univ.edu which would match.  

Sent from my iPhone

> On Feb 3, 2017, at 2:45 PM, Cappalli, Tim (Aruba)  wrote:
> 
> For an EAP server certificate, you do not need SANs for every server. You can 
> do something generic like “network-login.domain.edu” and put that cert on 
> every box.
>  
> The SANs will never be referenced and will just add significant cost.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Friday, February 3, 2017 16:38
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] wild card certs and PEAP
>  
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert. 
>  
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins  wrote:
> Our identity management group runs our Microsoft NPS servers and I recall 
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps 
> your client from having to trust each NPS server.
>  
>  
>  
>  
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Friday, February 03, 2017 3:32 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>  
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
> configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
> beg digicert for one, since I don’t think they have an option), but we tried 
> to use a wildcard cert that we usually use for testing of services.  It 
> generates/imports correctly and Android doesn’t appear to have an issue with 
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
> wireless network.  It looks like Android may be ignoring the validation or 
> generally fine with the wildcard. 
>  
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it 
> with S2012R2?
>  
> -Brian
>  
>  
> --
> 
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure



Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Jake Snyder
There is a good blog by Aaron Woland on this.  If memory serves, wildcard in CN 
isn't feasible, but Windows clients will tolerate a wildcard in the SAN field. 

http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

Likely it's still only practical when doing it via an internal CA. I don't 
think many public CAs will let you do SAN wildcards.

Sent from my iPhone

> On Feb 3, 2017, at 1:51 PM, Frans Panken  wrote:
> 
> Hi Brian,
> Wild card certificates should indeed be avoided as Windows clients cannot 
> cope with them. This will occur on every RADIUS server and has nothing to do 
> with NPS (or with eduroam).
> -Frans
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of Brian Helman 
> 
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> 
> Date: Friday, 3 February 2017 at 21:32
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>  
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
> configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
> beg digicert for one, since I don’t think they have an option), but we tried 
> to use a wildcard cert that we usually use for testing of services.  It 
> generates/imports correctly and Android doesn’t appear to have an issue with 
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
> wireless network.  It looks like Android may be ignoring the validation or 
> generally fine with the wildcard. 
>  
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it 
> with S2012R2?
>  
> -Brian
>  
>  
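A worked check of the CN/SAN and wildcard matching rule discussed in this thread and in the earlier reply about Cisco ISE, added here as an illustration and not code from the list, from ISE or from NPS. The certificate values are constructed to mirror the *.radius.univ.edu case, and the wildcard_cn_ok switch models the claim that clients tolerate a wildcard in a SAN but not in the CN.

```python
"""EAP server-identity matching against a RADIUS certificate's CN and SANs.

Added illustration, not code from the list discussion or from any RADIUS
product. It applies the rule the thread describes: the expected server name
must equal the CN or a SAN dNSName, and a wildcard is only honoured as the
complete left-most label. The certificate values below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Only the identity fields that matter for this check (constructed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a wildcard must be the
    whole left-most label, must not span a dot, and needs at least two
    labels to its right (so *.edu is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # *.radius.univ.edu matches radius01.radius.univ.edu, but neither
    # radius.univ.edu (too few labels) nor a.b.radius.univ.edu (too many).
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_server_name(cert: ServerCert, expected: str,
                      wildcard_cn_ok: bool = False) -> Optional[str]:
    """Return 'SAN:<name>' or 'CN:<name>' for the first matching field, or
    None. SANs are checked first; a wildcard CN is only consulted when
    wildcard_cn_ok is set, modelling the thread's point that a wildcard is
    tolerated in a SAN but not in the CN."""
    for san in cert.san_dns:
        if name_matches(san, expected):
            return f"SAN:{san}"
    cn = cert.common_name
    if "*" in cn and not wildcard_cn_ok:
        return None
    if name_matches(cn, expected):
        return f"CN:{cn}"
    return None


if __name__ == "__main__":
    cert = ServerCert("network-login.univ.edu", ["*.radius.univ.edu"])
    for host in ("radius01.radius.univ.edu", "radius.univ.edu",
                 "a.b.radius.univ.edu", "network-login.univ.edu"):
        print(f"{host:28s} -> {match_server_name(cert, host)}")
```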



Re: [WIRELESS-LAN] Cisco 1810w Questions

2017-01-16 Thread Jake Snyder
I learned something from one of my higher ed customers.  They put these 
inexpensive brass locks on their APs.  Not because they provide great 
protection, but because it simplifies any insurance claims if they are stolen.  
The $2 lock let them bypass a ton of paperwork and get funded for a replacement 
quickly.

Sent from my iPhone

> On Jan 16, 2017, at 8:39 AM, Jeffrey D. Sessler  
> wrote:
> 
> If you are installing in any quantity, do the math on the cost of the locks. 
> You’ll likely find that you can have a lot walk away (and be replaced) before 
> equaling the cost of the locks.
>  
> If you do go the lock route, stick to the real Kensington locks. The 
> knock-offs are easy to defeat.
>  
> Instead of the Torx, consider using a non-standard head e.g Pentalobe that is 
> less likely to be in an off-the-shelf driver set.
>  
> Jeff
>  
> From: "wireless-lan@listserv.educause.edu" 
>  on behalf of "Mccormick, Kevin" 
> 
> Reply-To: "wireless-lan@listserv.educause.edu" 
> 
> Date: Friday, January 13, 2017 at 6:41 AM
> To: "wireless-lan@listserv.educause.edu" 
> Subject: [WIRELESS-LAN] Cisco 1810w Questions
>  
> 
> I know some of you have been deploying these and I have a couple questions.
> 
> 1. What is the size of the Torx screw that comes with the AP. Cisco 
> documentation skips over that detail...
> 
> 2. What Kensington style locks are you using?
> 
> I would appreciate the help as we are getting a few.
>  
> --
> Kevin McCormick
> Network Administrator
> University Technology - Western Illinois University
> ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b
> Connect with uTech: Website | Facebook | Twitter
> 



Re: [WIRELESS-LAN] Clients unable to obtain an IP address via DHCP

2016-12-13 Thread Jake Snyder
For you guys having challenges, are you in proxy mode or bridge mode for DHCP?

Sent from my iPhone

> On Dec 13, 2016, at 2:06 PM, Brian Helman  wrote:
> 
> Does the Infoblox go through a router to hit the 8510?  I wonder if the 
> router isn’t liking something from the update re: the lease response?  If 
> that is the case, have you sniffed the line on both sides of the router (hmm, 
> that didn’t sound as Breaking Bad in my head)?
>  
> -Brian
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Atkins
> Sent: Tuesday, December 13, 2016 3:49 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Clients unable to obtain an IP address via DHCP
>  
> We are an Infoblox shop with Cisco 8510 controllers running 8.2.121.0.  We 
> updated the software on our Infoblox appliances around the beginning of the 
> semester because of similar symptoms.  In our case I was capturing traffic on 
> the wired side between the controller and Infoblox servers because I saw 
> debug logs on the controller indicating dirty interface.  Capturing DHCP 
> traffic between client and DHCP server showed the client sending discover and 
> no response from the DHCP servers for long periods of time (minutes.)  When I 
> looked at the syslogs from the DHCP servers I did not see log entries for the 
> discovers.  One of our engineers updated the Infoblox software and opened a 
> ticket with Infoblox to run debug on the Infoblox servers.  However, after 
> updating the software we were not able to successfully replicate the issue so 
> we had to close the Infoblox ticket.  After the software update I was not 
> able to catch any instances where DHCP discovers were greater than DHCP 
> offers.  I checked this by running a packet capture and graphing discovers 
> vs offers.  We never received reports of wired users not getting DHCP leases 
> but I doubt they would notice.  I’m still suspicious because I have wireless 
> debugs where the client repeatedly requests an IP address and the DHCP server 
> repeatedly ACKs. (even with good RSSI and good SNR)
>  
> From the group it sounds like we might need to update controller software in 
> addition to the Infoblox update.  We are running 7.3.8-3405 on Infoblox now.
>  
>  
>  
>  
>  
> Mike Atkins
> Network Engineer
> Office of Information Technology
> University of Notre Dame
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Atanas P Atanasov
> Sent: Tuesday, December 13, 2016 2:35 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Clients unable to obtain an IP address via DHCP
>  
> Yes,
>  
> This has been going on for at least 3 months. Seeing the issue on all kinds 
> of clients Apple, Windows and Android.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Atkins
> Sent: Tuesday, December 13, 2016 2:33 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Clients unable to obtain an IP address via DHCP
>  
> Atanas,
> Has this been going on for a while?  It is not related to a recent Microsoft 
> patch? (so more than just Windows clients?)
>  
>  
>  
>  
> Mike Atkins
> Network Engineer
> Office of Information Technology
> University of Notre Dame
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Atanas P Atanasov
> Sent: Tuesday, December 13, 2016 2:23 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Clients unable to obtain an IP address via DHCP
>  
> We’re a seeing some odd behavior in our wireless deployment, seemingly random 
> clients aren’t able to obtain an IP via DHCP
> When analyzing the DHCP logs and also debugs on the wireless controller, we 
> see the clients sending a DHCP DISCOVER packet and the DHCP server responds 
> with a DHCP OFFER. However the client doesn’t follow up with a DHCP REQUEST. 
> This behavior continues sometimes for hours, until the client finally sends a 
> DHCP REQUEST and obtains a lease.
> The side effect of this is our DHCP servers are getting long delays when the 
> dhcp service is restarted. We are using Infoblox DHCP servers in a failover 
> group. From a support case we have opened with Infoblox, they have determined 
> that these excessive dhcp requests are increasing the number of dhcp leases 
> in the database which causes the long restart.
> We have seen similar behavior with our wired clients but in a lot smaller 
> numbers.
>  
> We’re a Cisco shop, using 8450 controllers, code version is 8.2.121
>  
> Attached is a Splunk search on one of the “misbehaving” clients’ MAC
> Any comments are appreciated.
>  
> Atanas Atanasov
> Network Engineer
> Syracuse University
>  
> 
> ** Participation and subscription information for 
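
The DISCOVER/OFFER-without-REQUEST loop described in the quoted thread is easy to pull straight out of the DHCP server's own log, which is what the Splunk search Atanas mentions does. The script below is an added example and is not code posted in the thread: it assumes ISC dhcpd-style syslog lines (the format Infoblox DHCP members write; adjust the two regexes if yours differ), and the log lines it carries are constructed for the demo, not from a real server. It reports clients that collected several OFFERs without ever sending a REQUEST, and separately clients that keep re-REQUESTing and being ACKed, the pattern Mike describes.

```python
"""Flag DHCP clients stuck in a DISCOVER/OFFER loop (OFFERs but no REQUEST),
plus clients that keep re-REQUESTing and being ACKed.

Added example, not part of the original thread. Assumes ISC dhcpd-style
syslog lines; SAMPLE_LOG below is constructed for the demo.
"""
import re
import sys
from collections import defaultdict

MSG_RE = re.compile(r"\b(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK)\b")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


def count_by_client(lines):
    """Return {mac: {message_type: count}} for every DHCP line that names a MAC."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in lines:
        msg, mac = MSG_RE.search(line), MAC_RE.search(line)
        if msg and mac:
            stats[mac.group(1).lower()][msg.group(1)] += 1
    return stats


def find_stuck_clients(lines, min_offers=3):
    """Clients that got >= min_offers OFFERs and never sent a REQUEST: the
    DISCOVER/OFFER loop that leaves offered leases piling up in the database."""
    return {mac: dict(c) for mac, c in count_by_client(lines).items()
            if c["DHCPOFFER"] >= min_offers and c["DHCPREQUEST"] == 0}


def find_ack_loops(lines, min_acks=3):
    """Clients that keep REQUESTing and being ACKed (the 'repeatedly ACKs' case)."""
    return {mac: dict(c) for mac, c in count_by_client(lines).items()
            if c["DHCPACK"] >= min_acks and c["DHCPREQUEST"] >= min_acks}


# Constructed sample log: one stuck client, one healthy client, one ACK loop.
SAMPLE_LOG = """\
Dec 13 14:01:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:02 dhcp1 dhcpd: DHCPOFFER on 10.20.0.50 to 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:06 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:06 dhcp1 dhcpd: DHCPOFFER on 10.20.0.50 to 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:14 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:14 dhcp1 dhcpd: DHCPOFFER on 10.20.0.50 to 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:30 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:30 dhcp1 dhcpd: DHCPOFFER on 10.20.0.50 to 00:11:22:33:44:55 via 10.20.0.1
Dec 13 14:01:03 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via 10.20.0.1
Dec 13 14:01:03 dhcp1 dhcpd: DHCPOFFER on 10.20.0.51 to aa:bb:cc:dd:ee:02 via 10.20.0.1
Dec 13 14:01:03 dhcp1 dhcpd: DHCPREQUEST for 10.20.0.51 (10.20.0.2) from aa:bb:cc:dd:ee:02 via 10.20.0.1
Dec 13 14:01:03 dhcp1 dhcpd: DHCPACK on 10.20.0.51 to aa:bb:cc:dd:ee:02 via 10.20.0.1
Dec 13 14:02:00 dhcp1 dhcpd: DHCPREQUEST for 10.20.0.52 from aa:bb:cc:dd:ee:03 via 10.20.0.1
Dec 13 14:02:00 dhcp1 dhcpd: DHCPACK on 10.20.0.52 to aa:bb:cc:dd:ee:03 via 10.20.0.1
Dec 13 14:02:05 dhcp1 dhcpd: DHCPREQUEST for 10.20.0.52 from aa:bb:cc:dd:ee:03 via 10.20.0.1
Dec 13 14:02:05 dhcp1 dhcpd: DHCPACK on 10.20.0.52 to aa:bb:cc:dd:ee:03 via 10.20.0.1
Dec 13 14:02:11 dhcp1 dhcpd: DHCPREQUEST for 10.20.0.52 from aa:bb:cc:dd:ee:03 via 10.20.0.1
Dec 13 14:02:11 dhcp1 dhcpd: DHCPACK on 10.20.0.52 to aa:bb:cc:dd:ee:03 via 10.20.0.1
"""

if __name__ == "__main__":
    # usage: python dhcp_stuck.py /var/log/dhcpd.log   (no argument = built-in sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for mac, c in find_stuck_clients(lines).items():
        print(f"stuck (no REQUEST): {mac} discover={c.get('DHCPDISCOVER', 0)} offer={c['DHCPOFFER']}")
    for mac, c in find_ack_loops(lines).items():
        print(f"ack loop: {mac} request={c['DHCPREQUEST']} ack={c['DHCPACK']}")
```

Run it against a window of the server log (an hour is plenty) rather than the whole file; a healthy client produces one DISCOVER/OFFER/REQUEST/ACK group per lease, so anything with a double-digit OFFER count and no REQUEST is a real candidate for a client-side capture.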

Re: [WIRELESS-LAN] 5GHz Channel Width

2016-11-30 Thread Jake Snyder
One thing to keep in mind is that certain device manufacturers prefer wider 
channels.  Apple in the Mac OS X products, for instance, will always prefer 
an 80MHz channel over a 40MHz channel, as well as a 40MHz channel over a 
20MHz channel.  Things like DBS can lead to stickier clients, as you are now 
mixing channel widths.  This leads you to trying things like Opt-R in order to 
force now-sticky clients to other APs, which will likely be less successful 
since OS X doesn’t support 802.11v.  This means DEAUTH, which ironically the OS 
X devices don’t handle as well as their PC brethren…


https://support.apple.com/en-us/HT206207

Selection criteria for band, network, and roam candidates

OS X always defaults to the 5GHz band over the 2.4GHz band, as long as the RSSI 
for a 5GHz network is -68 dBm or better.
If multiple 5GHz SSIDs meet this level, OS X chooses a network based on these 
criteria:
802.11ac is always preferred over 802.11n or 802.11a
802.11n is always preferred over 802.11a
80 MHz channel width is always preferred over 40 MHz or 20 MHz
40 MHz channel width is always preferred over 20 MHz 

All in all, I would suggest not doing DBS in OS X heavy environments.  My 
preference is to take each building and decide whether it can be leveraged in 
20, 40 or 80, and configure the whole building that way.

For how to decide if you can get away with 20 vs 40 vs 80, my preference is to 
pick the channels you want to use, and start with a survey.  Let’s say you want 
to enable UNII 1 and UNII 3.  That’s 8x 20MHz Channels.  Could I go to 40MHz?  
If I can get away with 4 channels, then yes.  Or I could add channels until I 
get to the number of channels needed to maintain channels separation.   This 
varies wildly based on density of APs in a building.  Eventually you run out of 
channels that you can add and then must either deal with co-channel 
interference or drop down to a narrower width.

Start with 20MHz
How many channels do I need with my current design to maintain channel 
separation? (Survey may be necessary)
Do I have twice that many channels enabled at the current channel width?
If yes, increase channel width to 2x current channel width.
If no, do I feel comfortable adding channels to get to twice that?
If yes, add channels and increase channel width to 2x current channel width.

Hope this helps

Thanks
Jake Snyder



> On Nov 30, 2016, at 12:03 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> Depending on the building construction, and assuming you are using DFS 
> channels, running 40 MHz and even 80 MHz is very likely with no downside. 5GHz 
> does not propagate very well, so a static 20 MHz plan in anything but big open 
> spaces is IMHO unnecessary.
>  
> If you are a Cisco customer, enabling DFS (Dynamic Bandwidth Selection) is 
> likely the best choice for maximizing the use of the 5Ghz space. DFS will 
> dynamically adjust width based on the client make up and other factors, and 
> I’ve found it to be far better than a human design since the environment is 
> never static.
>  
> I have a newly completed 110-bed residential hall with a very dense 
> deployment of APs (105 AP’s total), most are in-room/suite. With DFS enabled, 
> a clear majority of the in-room APs run at 80MHz. In more public and/or open 
> spaces, they tend to adjust to 20 MHz or 40 MHz. Most of the clients in this 
> residence hall are 11ac and report a 1300 or 1170 Mbps connection speed.
>  
> Jeff
>  
>  
>  
>  
> From: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of "Trinklein, Jason 
> R" <trinkle...@cofc.edu <mailto:trinkle...@cofc.edu>>
> Reply-To: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Date: Tuesday, November 29, 2016 at 1:35 PM
> To: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: [WIRELESS-LAN] 5GHz Channel Width
>  
> Hi All,
>  
> I was just reading a blog article that heavily recommends not to use 40 MHz 
> channel width in multi-floor environments, particularly where many 5GHz 
> radios are used (particularly in our case with Xirrus multi-radio APs). Our 
> campus presently uses 20MHz channel width in all buildings. We are testing 
> and considering 40MHz width because of the bandwidth benefits for clients. 
> What do you use on your campus? Have you found that setting a 40MHz chann
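
Jake's "start at 20 MHz and double only while you still have enough channels" procedure, as an added worked example (not code from the post). It assumes the US (FCC) 802.11ac bonding blocks for 40/80/160 MHz; `needed` is the number of distinct channels your survey says the design needs for separation, and `addable` is the set of channels you are willing to turn on (e.g. the DFS ranges) to get to the next width. Channel 165 never bonds, so it only counts at 20 MHz.

```python
"""Pick the widest 5 GHz channel width that still leaves `needed` distinct
channels, following the procedure in the post above.

Added example, not from the post. Bonded blocks are the US 802.11ac
40/80/160 MHz blocks; channel 165 only exists as a 20 MHz channel.
"""
ALL_20 = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124,
          128, 132, 136, 140, 144, 149, 153, 157, 161, 165]
BLOCKS = {
    40: [(36, 40), (44, 48), (52, 56), (60, 64), (100, 104), (108, 112),
         (116, 120), (124, 128), (132, 136), (140, 144), (149, 153), (157, 161)],
    80: [(36, 40, 44, 48), (52, 56, 60, 64), (100, 104, 108, 112),
         (116, 120, 124, 128), (132, 136, 140, 144), (149, 153, 157, 161)],
    160: [tuple(range(36, 65, 4)), tuple(range(100, 129, 4))],
}
UNII1 = {36, 40, 44, 48}
UNII2 = {52, 56, 60, 64}
UNII2E = {100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144}
UNII3 = {149, 153, 157, 161, 165}


def usable_channels(enabled, width):
    """Distinct channels of `width` MHz fully covered by the enabled 20 MHz
    channels, named by the first 20 MHz channel of each block."""
    enabled = set(enabled)
    if width == 20:
        return sorted(c for c in enabled if c in ALL_20)
    return [b[0] for b in BLOCKS[width] if all(c in enabled for c in b)]


def pick_width(enabled, needed, addable=(), max_width=80):
    """Return {'width', 'channels', 'add'}: the widest width at which you still
    have `needed` distinct channels. Channels from `addable` are only added
    when they are what gets you to the next width, fewest-per-block first."""
    enabled, addable = set(enabled), set(addable) - set(enabled)
    if len(usable_channels(enabled, 20)) < needed:
        raise ValueError("design needs more 20 MHz channels than are enabled")
    width, to_add = 20, []
    for next_width in (40, 80, 160):
        if next_width > max_width:
            break
        short = needed - len(usable_channels(enabled, next_width))
        if short > 0:
            # incomplete blocks that could be completed from `addable`
            candidates = []
            for block in BLOCKS[next_width]:
                missing = [c for c in block if c not in enabled]
                if missing and all(c in addable for c in missing):
                    candidates.append((len(missing), block[0], missing))
            candidates.sort()
            if len(candidates) < short:
                break          # cannot reach `needed` at this width: stay narrower
            for _, _, missing in candidates[:short]:
                enabled.update(missing)
                to_add.extend(missing)
        width = next_width
    return {"width": width, "channels": usable_channels(enabled, width),
            "add": sorted(to_add)}


if __name__ == "__main__":
    print("UNII-1 + UNII-3, need 4:", pick_width(UNII1 | UNII3, needed=4))
    print("same, willing to add DFS:", pick_width(UNII1 | UNII3, needed=4, addable=UNII2 | UNII2E))
    print("UNII-1 + UNII-3, need 6:", pick_width(UNII1 | UNII3, needed=6))
```

With only UNII-1 and UNII-3 enabled and a survey that needs four distinct channels, the plan stops at 40 MHz (36, 44, 149, 157); allowing the DFS ranges to be added gets to 80 MHz by turning on 52-64 and 100-112, and a design that needs six channels stays at 20 MHz because there are not enough 40 MHz blocks without adding spectrum.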

Re: [WIRELESS-LAN] Decent tools, on sale

2016-11-30 Thread Jake Snyder
Not necessarily an EAP-TLS issue.  I've personally seen some medical devices 
that puke on larger certs as well.  Even using PEAP, they still get the cert 
from the radius server for building the TLS tunnel.  No tunnel, no credential 
exchange. No creds, no access.  In one example, we saw a 3-part certificate 
delivery because cert was over 3200 bytes (3x 1500 MTU packets) and immediately 
saw a certificate reject. And these devices don't actually do any cert 
validation.

Sent from my iPhone

> On Nov 30, 2016, at 4:15 AM, Jethro R Binks  wrote:
> 
>> On Wed, 30 Nov 2016, Lee H Badman wrote:
>> 
>> That's actually a pretty interesting question, Chuck. I run the G2 (and 
>> G1) against 802.1X as well with RADIUS using the longer certs... but- 
>> using PEAP w/MS-CHAPv2.  Which in this context, is largely irrelevant 
>> because you can simply ignore the certs. I'm guessing that you're using 
>> TLS?
> 
> Funnily enough I got a notification this week about new firmware for the 
> G2:
> 
> AirCheck™ G2 Wireless Network Tester v1.1.1 Maintenance Release
> 
> but the notes don't mention about cert length fixes.
> 
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
> 
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
> 
> 
>> 
>> 
>> Lee Badman | Network Architect (CWDP, CWNA, CWSP, Mobility+)
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> t 315.443.3003   f 315.443.4325   e 
>> lhbad...@syr.edu w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>  on behalf of Chuck Enfield 
>> 
>> Sent: Tuesday, November 29, 2016 8:58 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Decent tools, on sale
>> 
>> A gentle caution about the Aircheck.  I love the product, but our gen 1 
>> devices just took a major utility hit when we changed to a SHA-256 4K 
>> cert that the device couldn't support.  Now we can't use it for 
>> connectivity tests on our 1x SSID.  There's a 2K key size limit on the 
>> gen 1 Airchecks.
>> 
>> More troubling is that I've had a ticket open with NetScout for almost a 
>> month to see if the G2's can do better, but they've yet to offer an 
>> answer.  I've pinged them twice, so it's not an issue of forgetting 
>> about my inquiry.  They don't seem to know what their device can do.
>> 
>> From: Lee H Badman
>> Sent: Tuesday, November 29, 2016 7:55 PM
>> To: 
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Decent tools, on sale
>> 
>> 
>> http://netool.io/ competes with LinkSprinter- is a nice tool on sale right 
>> now, FYI.  Also NetScout running buy one/get one sale on AirCheck G2- but 
>> that sale is almost over as well.
>> 
>> Just FYI, both are worth having.
>> 
>> Lee Badman (mobile)
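
Before blaming a tester or a medical device for not completing 802.1X, it helps to know how big the RADIUS server's certificate chain is on the wire and how many EAP-TLS fragments it needs, since that is what Jake's "3-part certificate delivery" is. The script below is an added example, not code from the thread: DER length decoding follows X.690, the EAP fragment size is an assumption (1024 bytes, FreeRADIUS's default fragment_size; use whatever your RADIUS server is configured for), and the "certificates" produced by synthetic_cert() are constructed DER SEQUENCEs of filler so the demo runs offline. Point it at a real PEM bundle to measure your own chain.

```python
"""Size a RADIUS server certificate chain and count the EAP-TLS fragments it
will take, which is what small supplicants choke on.

Added example, not from the thread. DER length decoding per X.690; the
fragment size is an assumption (1024 = FreeRADIUS default). synthetic_cert()
builds constructed filler SEQUENCEs, not real certificates.
"""
import base64
import math
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text):
    """All certificates in a PEM bundle, as DER byte strings."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def der_total_length(der):
    """Total encoded size (tag + length octets + content) of the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def eap_tls_fragments(total_bytes, fragment_size=1024):
    """EAP-TLS fragments needed to carry total_bytes of TLS handshake data."""
    return math.ceil(total_bytes / fragment_size)


def chain_report(ders, fragment_size=1024):
    """Per-cert sizes, chain total, and fragment count at the given fragment size."""
    sizes = [der_total_length(d) for d in ders]
    total = sum(sizes)
    return {"certs": sizes, "total": total,
            "fragments": eap_tls_fragments(total, fragment_size)}


def synthetic_cert(content_len):
    """Constructed stand-in for a certificate: SEQUENCE { content_len filler bytes }."""
    if content_len < 0x80:
        header = bytes([0x30, content_len])
    elif content_len < 0x100:
        header = bytes([0x30, 0x81, content_len])
    elif content_len < 0x10000:
        header = b"\x30\x82" + content_len.to_bytes(2, "big")
    else:
        raise ValueError("demo only builds certificates under 64 KiB")
    return header + b"\x00" * content_len


def to_pem(der):
    """PEM-wrap a DER blob (64-column base64), so the demo exercises pem_to_der()."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:      # usage: python radius_cert_size.py server-chain.pem [fragment_size]
        ders = pem_to_der(open(sys.argv[1]).read())
        frag = int(sys.argv[2]) if len(sys.argv) > 2 else 1024
    else:                      # demo: ~3200-byte server cert plus a 1200-byte issuer
        ders, frag = [synthetic_cert(3196), synthetic_cert(1196)], 1024
    print(chain_report(ders, frag))
```

Note that the count is for the whole Certificate message the server sends, so an unnecessarily long chain (a root that the client already trusts, or an extra cross-signed intermediate) adds fragments just as a 4096-bit key does; trimming the chain is often the cheaper fix when a device has a hard limit.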


Re: [WIRELESS-LAN] College Sports Venue Wireless- In-House vs 3rd Party

2016-11-08 Thread Jake Snyder
One thing to be cautious of is having a telecom providing infrastructure.  
There are some telecom laws in the US that can limit or restrict what info they 
can share with you.  Make sure you get specifics of what they can/can't share.

Sent from my iPhone

> On Nov 8, 2016, at 10:09 AM, Julian Y Koh  wrote:
> 
>> On Tue Nov 08 2016 11:03:51 CST, Norman Elton  wrote:
>> 
>> Just following up on this, were there any additional responses?
> 
> We've actually started these conversations with our Athletics department as 
> well.  One of our facilities will be undergoing significant renovation over 
> the next couple of years, and there is a huge focus on technology for 
> enhancing the fan experience.  In general we are looking to have a model 
> where Athletics and a vendor are responsible for real time support for the 
> infrastructure and systems that are reliant on it, but nothing's been 
> finalized.  
> 
> 
> -- 
> Julian Y. Koh
> Associate Director, Telecommunications and Network Services
> Northwestern Information Technology
> 
> 2001 Sheridan Road #G-166
> Evanston, IL 60208
> +1-847-467-5780
> Northwestern IT Web Site: 
> PGP Public Key:
> 


Re: [WIRELESS-LAN] WLC Association Failures with reason code 105 and 107

2016-10-20 Thread Jake Snyder
You may be hitting this bug for the 105:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw34201

Fixed in 8.0.135 and later.

107 seems like it may be similarly related to APs hitting a max limit as well.

I would consult Tac before upgrading, but seems like there are a couple active 
bugs that could be triggering this.  8.0.140 has a long list of resolved 
caveats that might be worth exploring.

Sent from my iPhone

> On Oct 20, 2016, at 3:15 PM, Legge, Jeffry  wrote:
> 
> I am seeing quite a few association errors. Has anyone seen these? I am on 
> 8.0.133.0



Re: [WIRELESS-LAN] Anyone else jumping on Aruba 8.0 code?

2016-10-10 Thread Jake Snyder
I think in 8.0 Master controllers are replaced with the Mobility Master.  You 
would be managing multiple local controllers with different versions.

Sent from my iPhone

> On Oct 10, 2016, at 5:20 AM, Osborne, Bruce W (Network Operations) 
>  wrote:
> 
> We have installed a VM and will be evaluating it as time permits.
>  
> Unless there are some major “must-have” features though, we will not likely 
> deploy in full Production until after the second GA release.
>  
> I am interested in your experiences, though. One new feature is the ability 
> to manage multiple master controllers, even if they run differing versions of 
> ArubaOS (8.0+). Have you tried that feature yet?
>  
> We currently have 3 non-testing master controllers – Production, Remote (RAP) 
> & LPV. It would be great to centralize management of them.
>  
>  
> Bruce Osborne
> Wireless Engineer
> IT Network Operations - Wireless
>  (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Sweetser, Frank E [mailto:f...@wpi.edu] 
> Sent: Friday, October 7, 2016 10:27 PM
> Subject: Anyone else jumping on Aruba 8.0 code?
>  
> Hey all,
>  
> For those of you who haven't been following the early code releases from 
> Aruba, AOS 8 is a major upgrade, to the point where there's no actual upgrade 
> path from AOS 6.x.  It's got some pretty slick features, though, for those 
> brave enough to jump in and blow a test environment.  We're dipping our toes 
> in here, working very closely with Aruba support.  We've had some wrinkles to 
> work out, as expected in any x.0.0 release, though so far the resources we've 
> been given have been right on top of them.
>  
> So my question is, has anyone else tried out the 8.0 code on any decently 
> sized production scale, and if so, how's it worked out?
>  
> (Alternatively, for those who haven't tried it at all, I'd be happy to answer 
> any questions I can from my limited deployment so far.)
>  
> thanks everyone!
>  
> Frank Sweetser
> Director of Network Operations
> Worcester Polytechnic Institute
> "For every problem, there is a solution that is simple, elegant, and wrong." 
> - HL Mencken



Re: [WIRELESS-LAN] Wireless Mobility

2016-08-09 Thread Jake Snyder
FYI, you might look at 8540 if you are ordering net-new controllers.  8540 only 
runs 8.1+ so be aware.

Thanks
Jake Snyder


Sent from my iPhone

> On Aug 9, 2016, at 1:32 PM, Watters, John <john.watt...@ua.edu> wrote:
> 
> If you have HA pairs of Cisco 8510s why would you not rely on the failover 
> unit to be the backup? Were you going to buy two HA pairs for each campus?
>  
> We have been using Cisco 8510 HA pairs for a few months now with good success. 
> Our failover unit is at our on campus backup data center (we also have DR 
> type of stuff at a facility in Atlanta). All of our buildings have dual feeds 
> to both our main DC as well as the backup DC. When an 8510 fails over to the 
> HA unit, the clients are rarely affected at all since the HA unit keeps full 
> state info. All along the units seem to fail over for some reason with the 
> roles of the two units reversed. The clients do not know the difference, nor 
> do the APs. We have to look closely to tell which is active since they share 
> a common IP address for AP (and therefore, also client) connectivity.
>  
> We do not list a secondary or tertiary controller for any of our APs.
>  
> As for mobility groups, since our campus is divided into three MPLS areas 
> each with a single 8510 (and its HA unit), we have a different mobility group 
> in each area. These are relatively separated by outdoor space, though users 
> can be outside in a place that is covered by leakage from buildings in two 
> areas (and hence two mobility domains). We have not had any complaints 
> though. We do physically house all of our 8510 primary WLCs in the main DC 
> and all of the HA units in the backup DC. Having a lot of fiber makes this 
> quite doable.
>  
> I'm sure that others who have been running these longer than we have will 
> have some opinions as well.
>  
> By the way, even though each 8510 has a listed capacity of 6,000 APs, we are 
> trying to limit ours to 3,000 for now. Two of my MPLS areas are comfortably 
> below 3,000 but one is close. We will be ordering another 8510 HA pair for 
> this area. They will both be placed in the same mobility group.
>  
> If you want more info, please feel free to call.
>  
> John Watters
> Network Engineer, Office of Information technology
> 
> The University of Alabama
> A115 Gordon Palmer Hall
> Box 870346 
> Tuscaloosa, AL 35487 
> Phone 205-348-3992
> john.watt...@ua.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chris Wandell
> Sent: Tuesday, August 09, 2016 12:12 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Wireless Mobility
>  
> We are in the process of setting up new wireless controllers at Binghamton 
> University. We will be setting up 2 sets of 8540 ha paired controllers on our 
> main campus and 1 set of 5520 ha paired controllers on a satellite campus. 
> This will be the first time we have housed controllers at the satellite 
> campus. Currently we have 3 sets of Wism2 controllers on campus and let 
> access points associate to any of our controllers. All current controllers 
> are in the same mobility group. What we would like to do is break up APs 
> by building, with each ap in a building having a defined primary and 
> secondary controller. My question is would we still need the mobility group 
> for our controllers?
>  
> Any problems concerns you see by doing this?
>  
> Thanks in advance for any input
>  
> Chris



Re: [WIRELESS-LAN] Outsourced ResNet

2016-08-05 Thread Jake Snyder
I think there's a short term risk vs long term reward.  In the short term, 
there's little benefit to W2 and more risk of code stability, lack of features, 
etc.

In the long term, MU will bring some benefit.  How much will depend on a lot of 
factors.  W1 vs W2 for me is really about these risks vs equipment lifecycle.  
How much sooner are you replacing equipment, end of support dates, etc.



Thanks
Jake Snyder


Sent from my iPhone

> On Aug 5, 2016, at 11:08 AM, GT Hill <g...@gthill.com> wrote:
> 
> Hello all…
> 
> Just a few thoughts on this topic. 
> Wave 2 isn’t any faster than wave 1 so it doesn’t need two Eth ports etc.
> Now, by true specification, yes it CAN be faster but that’s only because of 
> 160 MHz channelization. 
> MU-MIMO just takes the same number of streams and distributes them to 
> multiple clients. For example, 3 MU streams has no greater Eth load than a 
> 3x3:3 client on a 3x3:3 AP. 
> However, new 11ac APs are 4x4:4. So technically they can be faster. But, the 
> only way that will have any effect whatsoever is if you have a 4 spatial 
> stream client device. And while those will come out (if not already) most 
> devices on campus are mobile, so 2 spatial stream max. MU-MIMO would then be 
> able to send two, two stream transmissions. However, keep in mind that each 
> MU-MIMO stream will be lowering its data rate vs. a single device. (longer 
> discussion)
> One single 1 Gbps port will take you through to 11ax. 
> Wi-Fi is half duplex and Eth is full. 
> I used to work for a Wi-Fi manufacturer and in any test we could throw at it, 
> we couldn’t get 1 Gbps ethernet to be our bottleneck except in completely 
> unrealistic environments (single direction traffic only, 160 MHz 
> channelization, 4x4:4 client etc)
> Wave 1 to Wave 2 is a VERY small upgrade in the grand scheme of things. 11g 
> to 11n was revolutionary. 
> MU-MIMO hasn’t been proven except in a lab. Yes, in perfect scenarios it can 
> provide some improvement. But there is a lot of cost (overhead) in making 
> MU-MIMO work. Dollar for dollar, I would only consider MU-MIMO APs in my most 
> highly dense areas. And even for that I may not be convinced…
> Look at individual features on wave 2 APs. 
> There ARE sacrifices in new technology for sake of getting it to market. 
> Often times you will see better performance from an older generation (I use 
> generation loosely with 11ac W1 to W2) APs. 
> Look to make sure that all performance features (ATF, band steering etc) are 
> there on newer APs. Oddly enough, some features are dropped b/c programming 
> those into a new chipset takes TIME.
> Random thoughts
> I am not saying don’t buy W2 APs. I’m saying that you shouldn’t expect the 
> features in W2 to have that much of an improvement 
> New chipsets are almost always better at PHY level stuff vs. older chips EVEN 
> with the same specs (3x3:3, 4x4:4 etc). Chip manufacturers just get better at 
> what they do. 
> Don’t forget about 11ax. It’s here in two years and it should have significant 
> improvement for high-density (not overall, single device throughput) 
> applications. Client devices will of course take some time but as someone 
> mentioned, higher-ed has the fastest client adoption turnover in any 
> vertical. 
> Sorry that was such a long response. 
> 
> GT Hill
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Philippe Hanset 
> <phan...@anyroam.net>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Friday, August 5, 2016 at 11:34 AM
> To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Outsourced ResNet
> 
> Brian,
> 
> Food for thoughts...
> 
> How is the over-subscription to the commodity Internet keeping up with Wi-Fi 
> these days?
> 
> Most services are in the cloud and it seems that Internet Commodity could be 
> the limiting factor rather than wave1 or wave2 or even staying with 802.11n.
> 
> Is it worth worrying about 802.11ac wave 1 or wave 2 when your Wi-Fi is so 
> much more capable than your campus uplink?
> (or is it?)
> 
> When we talked about 802.11g VS 802.11n there were huge differences between 
> the two.
> Is it still the case between wave 1 and wave 2?
> 
> Software support lifecycle seems to be the main determining factor in Wi-Fi 
> infrastructure upgrades.
> So, rather than Wave1 VS Wave2, we should maybe consider vendors with longer 
> software lifecycle support.
> 
> Also, many of us upgraded from 802.11n to 802.11ac building-wide and even 
> campus-wide because n and ac didn’t play well together.
> How do Wave1 and Wave 2 play together?
&

Re: [WIRELESS-LAN] Outsourced ResNet

2016-08-05 Thread Jake Snyder
In the competitive stuff, I am seeing partners leading with Wave1 equipment 
because they get better pricing.

There are also some verticals where stability is more important (healthcare) 
and wave1 APs don't run as bleeding edge code.

Thanks
Jake Snyder


Sent from my iPhone

> On Aug 5, 2016, at 8:34 AM, Brian Helman <bhel...@salemstate.edu> wrote:
> 
> Excellent question.  Their explanation seemed like more of an excuse – that 
> Wave 1 was proven.  I think they probably have an inventory of Wave 1 AP’s 
> and/or are getting them at a better price.  Personally I wouldn’t use them, 
> just because it doesn’t make sense to not install the most current 
> technology, but I loosely understand.  Certainly we have peers on here who 
> are still rolling out 11n.
>  
> -Brian
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
> (Network Services)
> Sent: Friday, August 05, 2016 7:41 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Outsourced ResNet
>  
> Any idea why they are specifying 11ac Wave 1 when Wave 2 APs are current?
>  
>  
> Bruce Osborne
> Wireless Engineer
> IT Network Operations - Wireless
>  
> (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Brian Helman [mailto:bhel...@salemstate.edu] 
> Sent: Thursday, August 4, 2016 10:57 AM
> Subject: Outsourced ResNet
>  
> We're talking with a large college-oriented service provider about 
> outsourcing our residence halls' networking (wireless and wired).  
> Originally, I was going to write this email in a neutral tone, but I'm just 
> not sold on the idea.  I AM willing to listen to my peers on this list
> 
> Anyone using these guys?  Happy, dissatisfied, neutral?
> 
> Assuming we look closer, I'd like to know how they handle guests:
> student guests during the academic year
> non-institutional residents .. ie "summer" guests that may be in 
> housing for 4 days to 2 months
> non-student residents (faculty in residence, administrative offices 
> that may co-lo in res halls, etc)
> 
> Some of our older res halls still have Cat5 cabling.  This company is pushing 
> 11ac Wave 1 products.  They minimize installation costs by re-using cabling.  
> Their specifications say that Cat5 for runs less than 150' is fine (for Gbps 
> Ethernet).  I'm doing this in my house, so sure .. but thoughts?
> 
> They don't guarantee a signal strength.  They use a device count (4:1).  Our 
> 5GHz standard is -60 or better.  Concerns?
> 
> One argument from sr management is -- Wouldn't you like the complaints to go 
> away?  My answer is, if we are funded to update the design (most places we 
> currently have a coverage, not capacity design) they'll go away (we have 4 
> buildings with 11ac, designed for capacity.  They are the only buildings we 
> don't get complaints about).  I do have consistency of service/experience 
> concerns.  Getting the res halls working well is obviously great, but if they 
> then go to an academic building and the experience is different, that's a 
> little more overhead on the Help Desk.  I'm also very concerned about 
> diverting funding such that only the res halls are fixed.
> 
> Any other information .. again, good, bad or neutral .. as to why you used, 
> considered, are using an outsourced service?
> 
> I'm not going to put the name of the company (starts with A, ends with EE) so 
> my question doesn't show up in obvious searches.  Also, I'm only interested 
> in this service as it pertains to wireless (not cross posting to NETMAN).
> 
> Feel free to ping me directly.
> 
> -Brian
> 



Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-04 Thread Jake Snyder
In 60 seconds I was just over 100 (107) arp requests. This is a test network.  
I can definitely ramp that up to do more testing.

Thanks
Jake Snyder


Sent from my iPhone

> On Aug 4, 2016, at 1:45 AM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> 
> wrote:
> 
> Hi Jake,
> 
>> On 04/08/16 14:19, Jake Snyder wrote:
>> Slightly different test, Meraki SSID, with a MBA13 running 10.10.5.
> 
> Thanks for giving it a test.
> 
>> I did a packet capture on the AP filtered for arp and used wireshark on the 
>> Mac with the same capture filter.  I'm only tracking arp requests, since 
>> that's all I should see on the MBA.  100% arp requests sent OTA from the AP 
>> were seen by the MBA.  But this is an older 11n MBA.  I'll get my hands on 
>> an 11ac device tomorrow and rerun the test.
> 
> How many ARP requests were on the network? In one case in 75 seconds I
> saw 598 on the 10.9.5 laptop, with the 10.11.5 laptop seeing 184.
> Filtered with (arp.opcode==1) && (eth.addr==ff:ff:ff:ff:ff:ff).
> 
> Filtering just on eth.addr==ff:ff:ff:ff:ff:ff I see 1863 vs 564 packets,
> roughly evenly split between NBNS, NetBIOS Browser and ARP requests with
> a touch of Dropbox LAN Sync and BOOTP (DHCP). Extending it out to
> eth.ig==1 (all broadcast/multicast traffic) it's 4353 vs 1310, with the
> addition of mDNS and IPv6.
> 
>> Is it possible you are in promiscuous mode in Windows?  You shouldn't see 
>> the arp responses for anything that client didn't send, or in responses to 
>> the clients request unless promiscuous mode is enabled.  which then isn't a 
>> fair test of what the laptop did or did not hear.
> 
> My baseline hardware was a 15" Mid-2012 rMBP running 10.9.5, which is
> only 11n capable. When rebooted into 10.11 it also exhibits the problem.
> 
> Thanks,
> 
> -- 
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> 
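
The capture comparison James and Jake describe, as an added example that is not code from the thread. It applies the same filters James used in Wireshark, (arp.opcode==1) && (eth.addr==ff:ff:ff:ff:ff:ff) and eth.ig==1, to two libpcap files and reports what fraction of the ARP requests the AP put on the air the client actually heard. parse_pcap() reads the classic libpcap format with Ethernet framing (link type 1); the AP_PCAP and CLIENT_PCAP captures at the bottom are constructed with the small builders in the file, not real captures, and the MAC/IP values in them are documentation addresses.

```python
"""Count ARP requests and other broadcast/multicast frames in a capture and
compare what the AP sent with what a client received.

Added example, not from the thread. Reads classic libpcap (link type 1);
the sample captures are constructed here, not recorded.
"""
import struct

PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
BROADCAST = b"\xff" * 6
ETH_IP, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100


def parse_pcap(data):
    """Return the raw Ethernet frames in a libpcap file (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("not a libpcap file")
    end = PCAP_MAGIC[magic]
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("not an Ethernet capture")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def classify(frames):
    """Counts matching the Wireshark filters: broadcast (all-ones destination),
    multicast (I/G bit set but not all-ones), ARP requests and ARP replies."""
    c = {"frames": 0, "broadcast": 0, "multicast": 0, "arp_request": 0, "arp_reply": 0}
    for f in frames:
        if len(f) < 14:
            continue
        c["frames"] += 1
        dst, ethertype, off = f[:6], struct.unpack("!H", f[12:14])[0], 14
        if ethertype == ETH_VLAN and len(f) >= 18:      # skip an 802.1Q tag
            ethertype, off = struct.unpack("!H", f[16:18])[0], 18
        if dst == BROADCAST:
            c["broadcast"] += 1
        elif dst[0] & 1:                                 # eth.ig == 1
            c["multicast"] += 1
        if ethertype == ETH_ARP and len(f) >= off + 8:
            opcode = struct.unpack("!H", f[off + 6:off + 8])[0]
            if opcode == 1:
                c["arp_request"] += 1
            elif opcode == 2:
                c["arp_reply"] += 1
    return c


def arp_delivery_ratio(ap_pcap, client_pcap):
    """Fraction of the ARP requests the AP transmitted that the client captured."""
    sent = classify(parse_pcap(ap_pcap))["arp_request"]
    heard = classify(parse_pcap(client_pcap))["arp_request"]
    return heard / sent if sent else 0.0


# --- builders for the constructed sample captures -------------------------
def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    body = (struct.pack("!HHBBH", 1, ETH_IP, 6, 4, opcode)
            + sender_mac + sender_ip + target_mac + target_ip)
    return eth(BROADCAST if opcode == 1 else target_mac, sender_mac, ETH_ARP, body)


def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1470000000 + i, 0, len(f), len(f)) + f
    return out


ROUTER, LAPTOP = mac("00:00:5e:00:53:01"), mac("00:00:5e:00:53:02")
REQUESTS = [arp(1, ROUTER, ip("10.0.0.1"), b"\x00" * 6, ip(f"10.0.0.{n}")) for n in range(10, 15)]
OTHER = [arp(2, LAPTOP, ip("10.0.0.12"), ROUTER, ip("10.0.0.1")),                # unicast reply
         eth(mac("01:00:5e:00:00:fb"), LAPTOP, ETH_IP, b"\x45" + b"\x00" * 27)]  # mDNS-style multicast
AP_PCAP = pcap(REQUESTS + OTHER)            # what the AP transmitted
CLIENT_PCAP = pcap(REQUESTS[::3] + OTHER)   # what a dozing client captured: 2 of 5 requests

if __name__ == "__main__":
    print("AP side:", classify(parse_pcap(AP_PCAP)))
    print("client side:", classify(parse_pcap(CLIENT_PCAP)))
    print("ARP delivery ratio:", arp_delivery_ratio(AP_PCAP, CLIENT_PCAP))
```

For a real test, capture on the AP (or a monitor-mode adapter next to it) and on the client at the same time, save both as pcap, and feed them to arp_delivery_ratio(); as Jake notes, make sure the client-side capture is from its own wireless interface in normal (not promiscuous) mode, otherwise the count includes frames the client would not normally have processed.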


Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-04 Thread Jake Snyder
Slightly different test, Meraki SSID, with a MBA13 running 10.10.5.

I did a packet capture on the AP filtered for arp and used wireshark on the Mac 
with the same capture filter.  I'm only tracking arp requests, since that's all 
I should see on the MBA.  100% arp requests sent OTA from the AP were seen by 
the MBA.  But this is an older 11n MBA.  I'll get my hands on an 11ac device 
tomorrow and rerun the test.

Is it possible you are in promiscuous mode in Windows?  You shouldn't see the 
arp responses for anything that client didn't send, or in responses to the 
clients request unless promiscuous mode is enabled.  which then isn't a fair 
test of what the laptop did or did not hear.

Thanks
Jake Snyder


Sent from my iPhone

> On Aug 3, 2016, at 9:47 AM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> 
> wrote:
> 
> I tried DTIM 3 (after reading that blog post), but it didn't help, the 
> laptop's wifi chipset still just went to sleep and missed packets. Plus, some 
> vendors (eg Meraki, Ruckus) don't let you change it anyway. One thing Ruckus 
> does do is broadcast to unicast conversion when an SSID has 5 or fewer 
> devices on an AP, which masks the issue.
> 
> A quick way to demonstrate the problem is to have Wireshark running on a Mac 
> with OS X 10.10 or 10.11, and another laptop (either running OS X 10.9 or 
> Windows) connected to the same AP, and filter by arp. The first Mac will see 
> between 10-40% of the ARP packets of the second laptop in my testing, 
> depending on the load.
> 
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jake Snyder 
> <jsnyde...@gmail.com>
> Sent: Wednesday, 3 August 2016 8:56 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] How big are your wireless segments?
> 
> There was some talk about this with iOS a while back.  Something about Apple 
> wanting a longer DTIM value (3 seems to be working for a lot of folks).  DTIM 
> of 1 seemed to give some grief.
> 
> http://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html?m=1
> 
> 
> 
> Thanks
> Jake Snyder
> 
> 
> Sent from my iPhone
> 
>>> On Aug 2, 2016, at 9:04 PM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> 
>>> wrote:
>>> 
>>> On 02/08/16 04:19, Peter P Morrissey wrote:
>>> Given my understanding of the way arp works, not sure I understand how
>>> it is possible for a large subnet to cause a client arp table to become
>>> exhausted unless that client for some reason is directly communicating
>>> with all of the other endpoints on the large subnet.
>>> 
>>> My understanding is that the table is only populated in response to arp
>>> queries that the client has initiated, even though it can “hear”
>>> responses from other clients that are sent as a broadcast. It is easy
>>> enough to verify this on Windows with an arp –a.
>>> 
>>> I also don’t believe that broadcast traffic can have a material impact
>>> on clients these days due to increases in CPU power at the magnitude of
>>> Moore’s Law.
>> 
>> Sadly there is no Moore's Law for batteries. OS X since 10.10 will
>> aggressively sleep and miss broadcast ARP packets. I have seen this on
>> four different AP vendors and have the wireless captures to prove it.
>> Generally it doesn't cause user-visible problems, and it can be worked
>> around by enabling proxy ARP on the APs/controller (if the vendor
>> supports it).
>> 
>> It will most likely present problems if the clients are trying to access
>> servers on the same subnet and it's the *server's* ARP cache that gets
>> exhausted (or simply expires the client). The client will resolve the
>> server's MAC address OK, send the SYN packet, then the server will send
>> a broadcast ARP request to resolve the client's MAC address, which can
>> be missed by the Mac laptop. Depending on the level of broadcast
>> traffic, it can take a minute or more with retries before a connection
>> is established.
>> 
>> For wireless designs where all data goes through the gateway and there's
>> no client communication to other devices on the same subnet you probably
>> won't notice a problem as the gateway's ARP cache will always be fresh.
>> We saw it because we have a campus-wide flat L2 network shared between
>> wired and wireless, and I also noticed a lot of ARP traffi

Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-03 Thread Jake Snyder
There was some talk about this with iOS a while back.  Something about Apple 
wanting a longer DTIM value (3 seems to be working for a lot of folks).  DTIM 
of 1 seemed to give some grief.

http://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html?m=1



Thanks
Jake Snyder


Sent from my iPhone

>> On Aug 2, 2016, at 9:04 PM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> 
>> wrote:
>> 
>> On 02/08/16 04:19, Peter P Morrissey wrote:
>> Given my understanding of the way arp works, not sure I understand how
>> it is possible for a large subnet to cause a client arp table to become
>> exhausted unless that client for some reason is directly communicating
>> with all of the other endpoints on the large subnet.
>> 
>> My understanding is that the table is only populated in response to arp
>> queries that the client has initiated, even though it can “hear”
>> responses from other clients that are sent as a broadcast. It is easy
>> enough to verify this on Windows with an arp –a.
>> 
>> I also don’t believe that broadcast traffic can have a material impact
>> on clients these days due to increases in CPU power at the magnitude of
>> Moore’s Law.
> 
> Sadly there is no Moore's Law for batteries. OS X since 10.10 will
> aggressively sleep and miss broadcast ARP packets. I have seen this on
> four different AP vendors and have the wireless captures to prove it.
> Generally it doesn't cause user-visible problems, and it can be worked
> around by enabling proxy ARP on the APs/controller (if the vendor
> supports it).
> 
> It will most likely present problems if the clients are trying to access
> servers on the same subnet and it's the *server's* ARP cache that gets
> exhausted (or simply expires the client). The client will resolve the
> server's MAC address OK, send the SYN packet, then the server will send
> a broadcast ARP request to resolve the client's MAC address, which can
> be missed by the Mac laptop. Depending on the level of broadcast
> traffic, it can take a minute or more with retries before a connection
> is established.
> 
> For wireless designs where all data goes through the gateway and there's
> no client communication to other devices on the same subnet you probably
> won't notice a problem as the gateway's ARP cache will always be fresh.
> We saw it because we have a campus-wide flat L2 network shared between
> wired and wireless, and I also noticed a lot of ARP traffic from laptops
> looking for Apple TV IP addresses.
> 
> We have filed a ticket with Apple, radar://26488949 if anyone has any
> contacts to escalate it. The fastest resolution we've had for any Apple
> bug is 3 years, so I don't expect this to be fixed any time soon.
> 
> -- 
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> 


Re: [WIRELESS-LAN] How big are your wireless segments?

2016-07-26 Thread Jake Snyder
Actually, they don't have to "respond."  They have to process the incoming 
frame.  If they aren't listening for that port, they will ignore or drop the 
packet.

If you are talking about client impact to CPU/battery/etc, I agree.  If you are 
talking about airtime, the sum of the broadcast traffic is the same.  Stopping 
broadcast over the air is the scalable way to solve

Thanks
Jake Snyder


Sent from my iPhone

> On Jul 26, 2016, at 6:00 AM, Osborne, Bruce W (Network Services) 
> <bosbo...@liberty.edu> wrote:
> 
> Actually, you reduce the broadcast traffic with smaller subnets. Remember 
> that all clients on the subnet *must* respond to a broadcast.
>  
> Smaller subnets generally mean fewer clients responding to a given broadcast. 
> This leaves more airtime for productive Wi-Fi traffic.
>  
> ​
>  
> Bruce Osborne
> Wireless Engineer
> IT Network Services - Wireless
>  
> (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Jake Snyder [mailto:jsnyde...@gmail.com] 
> Sent: Monday, July 25, 2016 1:28 PM
> Subject: Re: How big are your wireless segments?
>  
> One thing to remember is that over the air you have the same amount of 
> broadcast whether it is one vlan or a pool of 4.
> 
> For Example: If you have 4 client segments that are a /24, and each AP has a 
> client on one of the 4 subnets, you still send the sum of 4x /24 network 
> broadcast over the air.  Meaning only on lightly loaded APs where you don't 
> have all 4 subnets do you get a net gain of airtime.  Same applies for 
> link-local multicast.  Smaller subnets in pools don't really gain you much 
> without the suppression techniques, and with the suppression techniques, you 
> don't need the smaller subnets.
> 
> The place where pools/groups of vlans are attractive is where you may be 
> using public IPs and don't have a large contiguous block of IPs in which to 
> place clients.  So picking 4 non-contiguous /24 networks is easier to do than 
> picking a full class B.
>  
> 
>  
> On Mon, Jul 25, 2016 at 11:04 AM, Tim Tyler <ty...@beloit.edu> wrote:
> Brian,
>   We have pools of /22, /23 and /24.  We separate our pools for students vs 
> fac/staff (still on the same SSID).   It may be ok to do /16.   I know that 
> Aruba does a lot to prevent broadcast storms, but I feared the overhead that 
> one large segment might have on it.   We also give students a different IP 
> pool depending on whether they are in a residential building vs an 
> academic/admin building.  This allows us to shape traffic differently.  But 
> this will become less of an issue as we acquire more bandwidth (hopefully).
>   I am curious, for those using /16, does that resolve your layer 2 issues?   
> Aruba does a good job of bridging many layer 2 solutions anyways, but having 
> one /16 VLAN does seem enticing and perhaps unnecessary for bridging 
> protocols.  However, I am curious about other overhead efficiency issues.
> Tim
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Monday, July 25, 2016 10:22 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] How big are your wireless segments?
>  
> We are in the process of moving from a controllerless vendor to Aruba.  Our 
> current design is very segmented, to keep wireless device broadcasts from 
> overwhelming the network and AP’s (we had this problem back in 11g days).  
> Presently, we’ve limited segments to /23’s (give or take).  In your 
> controller-based environments, how large have you let these segments go?  Is 
> a /21, /20 … viable?
>  
> -Brian
>  
> 
> Brian Helman, M.Ed |  Director, ITS/Networking Services | (: 978.542.7272
> Salem State University, 352 Lafayette St., Salem Massachusetts 01970
> GPS: 42.502129, -70.894779
>  



Re: [WIRELESS-LAN] 802.11b data rates disabled?

2016-06-21 Thread Jake Snyder
With mandatory rates, the higher you go the more issues you can see, and the 
advantages of more airtime suffer diminishing returns.  Since the lowest 
mandatory rate is where control frames get sent, it can have some pretty serious 
impact.  Pushing higher than 24 should be done with some good airtime analysis 
that most controllers won't give you.  When you watch Mac laptops spam control 
frames like RTS and BAR at 6Mbps and they go unacked by the AP because of data 
rates, things can go sideways pretty fast.  For more resiliency, keeping lower 
OFDM rates enabled helps clients with poor supplicants have good experiences.

And most NMS and controllers can't see the issues because the AP isn't 
registering the frames sent at unsupported rates.  This leads to performance 
issues that you probably won't see and are hard to quantify.

Trimming DSSS and HR-DSSS rates (1, 2, 5.5, 11) is a good idea if you can, but I 
would advise getting crazy trimming rates beyond that.

My general recommendation is 12Mbps as the minimum in 2.4GHz and 6 as the minimum 
for 5GHz.  This is a reasonable starting place with good overall device 
compatibility.  Obviously LPV and stadiums are exceptions to this advice.

Thanks
Jake Snyder


Sent from my iPhone

> On Jun 21, 2016, at 7:44 PM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> 
> wrote:
> 
>> On 21/06/16 12:06, Anthony Croome wrote:
>> Exactly, use 24Mbs to avoid weird behaviour.
>> 
>> We looked at this a few years ago and found that XP could not handle 
>> management packets being sent at 48Mb/s or 54Mb/s despite the card 
>> connecting at 450Mb/s on 5GHz N or 144Mb/s on 2.4GHz N.
>> 
>> On 5GHz the laptop could get an IP address but could not ping its gateway.
>> On 2.4GHz the laptop could get an IP, it could ping its gateway, but its 
>> performance was terrible.
>> 
>> What we saw from a 5GHz packet capture was the AP continuously sending RTS 
>> to the client but never getting any packets from the client.  On 2.4GHz it 
>> would reply but only after a random number of RTS were sent.  
> 
> I saw a similar situation recently, a new laptop with an Intel AC
> chipset was sending continuous RTS at 2Mbps (on 2.4GHz), however the AP
> was configured with an 11g protection rate of 11Mbps. Setting that to
> 2Mbps and the client could talk fine.
> 
> -- 
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> 


Re: [WIRELESS-LAN] backhaul wifi comparison/suggestions

2016-04-07 Thread Jake Snyder
A couple suggestions on using low end devices for PTP.  These are directed at 
the UBNT line specifically, but are probably good advice for most outdoor 
installs.

Keep a spare.  Cheap doesn't happen by chance.  My experience with UBNT is that 
the cheaper the product, the higher the likelihood of hardware failures.  If 
I'm using their products, I typically go for higher end models.  Regardless, if 
you can't tolerate a long RMA with a site down, keep a spare on hand.

Thoroughly test on the bench.  Before you put that bridge up, make sure you 
test it.  Back up configs and software images.  Once you are positive it works 
flawlessly, deploy it and "Never touch it again."  This was sage advice given 
to me by a WISP that deployed UBNT.  There have been a lot of times that features 
come and go in different versions, or work radically differently.  Keep your 
config and software versions matched on your spare and make sure you have the 
software files saved someplace.

Keep purchase paperwork.  Warranty issues may require you to prove your 
purchase date.  Make sure you can show your purchase date, otherwise they may 
try to use the date it was sold into distribution. 

Thanks
Jake Snyder


Sent from my iPhone

> On Apr 7, 2016, at 6:45 AM, Gregg Heimer <ghei...@mc3.edu> wrote:
> 
> I recommend the Ubiquiti PowerBeam for a 4-5 Mile link, 5GHz, up to 650Mbps 
> throughput.  About $85.00 per end.
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Moore, Brandon
> Sent: Wednesday, April 6, 2016 2:12 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] backhaul wifi comparison/suggestions
>  
> Anyone have long distance sites such as 4 or 5 miles?  We have a set of old 
> Cisco 1410 bridges to replace shortly.  Trees in the way, so no free space 
> optics option.  
>  
> Brandon
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
> Sent: Wednesday, April 06, 2016 1:18 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] backhaul wifi comparison/suggestions
>  
> I also recommend the Ubiquiti LocoM5. Affordable, easy to configure, and easy 
> to manage. You could also look into MikroTik. They are very versatile, 
> affordable, but can be a little challenging to configure.
>  
> Hector Rios
> Louisiana State University
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gregg Heimer
> Sent: Wednesday, April 06, 2016 9:04 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] backhaul wifi comparison/suggestions
>  
> Ubiquiti LocoM5 (5GHz – 300Mbps throughput) is the product you want.  You can 
> get them for about $55 through your reseller.  They are designed as CPE 
> devices, but work fine for PTP applications.  They are weatherproof and work 
> well indoors or outdoors.  We use them to supply network connectivity to job 
> trailers for construction projects around campus.  You can use AirView2 to 
> manage all of them, there are no license fees for the device or the 
> management software.  I highly recommend Ubiquiti, we have about 12 of their 
> devices on our production network from the locoM5 to the AirFiber units. 
>  
> If you need more throughput use the Ubiquiti NanoBeam AC, ($89).  This will 
> provide around 650Mbps throughput and is the size of a flood light. 
>  
>  
> LocoM5: https://www.ubnt.com/airmax/nanostationm/
>  
> NanoBeam AC: https://www.ubnt.com/airmax/nanobeam-ac/
>  
>  
> AirView2 Software:
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Rodkey
> Sent: Tuesday, April 5, 2016 5:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] backhaul wifi comparison/suggestions
>  
> I have need for a fairly inexpensive, low bandwidth (10Mbps), short distance 
> (<200 ft) point to point wireless connection.
> I am aware of the Cambium ePMP 1000 and Ubiquiti nano.
> 
> Would anyone like to compare these items or propose other good solutions to 
> this type of situation?
> 
> John

Re: [WIRELESS-LAN] Cisco WLC5508

2016-03-24 Thread Jake Snyder
When 2800/3800 start shipping, there will be a release to support them.  My 
guess would be an 8.3 release.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 24, 2016, at 6:19 AM, Mathieu Sturm <mathieu.st...@hogent.be> wrote:
> 
> What is the preferred/stable release for a Cisco WLC 5508?
> I’m planning on updating this summer.
>  
> AP’s 2800,1810 and 3800 series support is required.
>  
> Sturm Mathieu
> Hoofdmedewerker Netwerkbeheer
> --
> 
> 
> Hogeschool Gent
> Directie Financiën en ICT
> Valentin Vaerwyckweg 1
> 9000 Gent
> HoGent.be
>  



Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Jake Snyder
If AD is not keeping up with the NTLM requests, giving the DCs more NTLM worker 
threads can help it keep up with higher loads.

Working with TAC we found specifically in the ACS logs that it was waiting for 
Windows to respond.

As far as number of devices, they weren't showing increases over earlier in the 
week or previous weeks.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 10, 2016, at 12:21 PM, Matthew Newton <m...@leicester.ac.uk> wrote:
> 
> Hi,
> 
>> On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
>> Thanks for the great info on FreeRADIUS.  I don't think this is
>> the case in what I'm seeing, which is specifically that
>> Windows AD is not keeping up with NTLM.
> 
> OK, that's interesting. I think the issue that others have seen on
> this would look like that - and certainly the symptoms sound the
> same as you described - so I'm wondering how you came to the
> conclusion that it's AD itself rather than something between AD
> and ACS.
> 
> However, I'm not at all familiar with ACS - I guess it sits on a
> member server and probably calls LsaLogonUser directly - so there
> is the communication between the member server and the DC, though
> I guess that /should/ be fairly slick in theory...
> 
>> These are customers with environments that are relatively stable
>> and have been performing well for extended periods of time with
>> similar user counts.  These are also well below the 256 radius
>> session limit.
> 
> I'd throw in the consideration of student numbers as well. We
> always hit our peak number of wireless clients in February/March
> each year, so this is the time problems often show up. Why this
> time of year I have no idea! Probably all the new Christmas
> presents being connected. :)
> 
>> The MaxConcurrentAPI raises the number of worker threads in AD
>> so that NTLM on the DC can keep up with the incoming
>> requests.  Why did the performance of NTLM change recently?  I
>> have no idea, but it appears it has.
> 
> I believe MaxConcurrentAPI helped some people[0] who were having
> problems with the FreeRADIUS/Samba setup as well, so again I'm not
> entirely sure it's a pointer to AD having necessarily changed.
> 
> Maybe reviewing all Windows patches applied to the DCs and ACS
> servers in the last 3 months and see if anything seems relevant?
> But I'm not sure how easy this is to do.
> 
> It's seems very likely to me that sites are seeing a combination
> of problems, which could be all of WLC running out of RADIUS IDs,
> ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't
> surprise me if different things seem to fix the same symptoms for
> different sites. It's just that the ACS sites don't have the
> ntlm_auth component of the problem, so it may have taken a few
> more months of load before the issue reared its head!
> 
> Cheers,
> 
> Matthew
> 
> 
> [0] see e.g. 
> https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html
> 
> -- 
> Matthew Newton, Ph.D. <m...@le.ac.uk>
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> 


Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Jake Snyder
Matthew,
Thanks for the great info on FreeRADIUS.  I don't think this is the case in 
what I'm seeing, which is specifically that Windows AD is not keeping up 
with NTLM.

These are customers with environments that are relatively stable and have been 
performing well for extended periods of time with similar user counts.  These 
are also well below the 256 RADIUS session limit.

The MaxConcurrentAPI raises the number of worker threads in AD so that NTLM 
on the DC can keep up with the incoming requests.  Why did the performance of 
NTLM change recently?  I have no idea, but it appears it has.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 10, 2016, at 7:50 AM, Matthew Newton <m...@leicester.ac.uk> wrote:
> 
> On Thu, Mar 10, 2016 at 09:14:02AM -0500, Earl Barfield wrote:
>>> Just wanted to throw this out to the educause community to see if others
>>> are seeing this.  Although this is not ultimately a problem with Higher Ed,
>>> the large scale RADIUS deployments in higher ed resulting in more impact
>> 
>> If anything (radius server, users, Active Directory, etc) slows down
>> the auth process, then you're going to have more auth sessions in
>> progress simultaneously.
> 
> This has been a well-known issue in the FreeRADIUS world for a
> long time now. Anything that slows down the NTLM communication
> between the RADIUS server and the AD server will eventually lead
> to problems. It just seems to crop up more in certain
> circumstances. With FreeRADIUS, part of the problem seemed to be
> using Samba's ntlm_auth (which involves an exec) so I did quite a
> bit of hacking a year ago to use a library call and avoid that,
> which does seems to help. As does faster hardware for the RADIUS
> servers.
> 
> Cisco haven't helped themselves for a long time by using a single
> UDP source port (and therefore only 256 radius IDs) per
> controller. Using a different source port per access point would
> have a decent solution IMO, or even just random ephemeral ports,
> but they've gone for some half-way solution that uses a few more
> source ports in 8.1-something. Better than before anyway.
> 
> The problem exacerbates itself because when the WLC doesn't get a
> response from a RADIUS server after a while, it will drop that
> server and move to the next. Then all 250 or so authentications
> in-flight (and probably half completed) will get chopped off and
> have to start again on the next server.
> 
> Each hour when all the students moved between lectures we'd see 10
> minutes of WLCs jumping to a different RADIUS server every minute
> or so. This makes the higher-ed situation fairly unique and not
> like business environments, where people don't tend to move around
> in very large groups all at the same time.
> 
> I started to collect mailing list posts on a blog post to try and
> collect information together if anyone's interested in reading
> lots of different views on it! http://q.asd.me.uk/0
> 
> It's one of those things that if you're not looking for it,
> though, you might not easily notice it, but just have complaints
> about bad wireless connectivity at certain times of the day. It
> becomes easy to see in the WLC SNMP RADIUS server not responding
> traps, however.
> 
> Cheers,
> 
> Matthew
> 
> 
> -- 
> Matthew Newton, Ph.D. <m...@le.ac.uk>
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> 
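The Identifier-space limit Matthew describes above is easy to quantify. The following Python is an added example written for this archive, not code from the thread, Cisco or FreeRADIUS: it simulates a NAS that sends every RADIUS request from one UDP source port, so at most 256 Identifier values (the field is one octet, RFC 2865) can be outstanding at once, and shows how the sustainable authentication rate collapses as the back-end (AD/NTLM) response latency grows. The offered rate, latencies, test duration and the uniform arrival pattern are assumptions chosen to illustrate the effect, not measurements from any site.

```python
from collections import deque

RADIUS_ID_SPACE = 256  # the RADIUS Identifier field is 8 bits (RFC 2865)


def max_sustained_rate(source_ports, latency_ms):
    """Little's law: outstanding = rate * latency, so the rate a NAS can
    sustain without running out of Identifiers is pool_size / latency."""
    return RADIUS_ID_SPACE * source_ports / (latency_ms / 1000.0)


def simulate_nas(arrivals_per_sec, latency_ms, duration_ms, source_ports=1):
    """Deterministic simulation of a NAS with a fixed Identifier pool.

    Requests arrive at a uniform rate; each one holds an Identifier from the
    moment it is sent until the server's reply comes back latency_ms later.
    A request that arrives while every Identifier is in use cannot be sent
    (a real WLC will queue or retry, but either way the client waits).
    Returns (sent, blocked).
    """
    pool = RADIUS_ID_SPACE * source_ports
    in_flight = deque()        # reply times (ms) of outstanding requests, ascending
    step_ms = 1000.0 / arrivals_per_sec
    sent = blocked = 0
    t = 0.0
    while t < duration_ms:
        while in_flight and in_flight[0] <= t:   # a reply frees its Identifier
            in_flight.popleft()
        if len(in_flight) < pool:
            in_flight.append(t + latency_ms)
            sent += 1
        else:
            blocked += 1
        t += step_ms
    return sent, blocked


if __name__ == "__main__":
    # Assumed load: a lecture-change burst of 1000 auths/s sustained for 10 s.
    for ports, latency in [(1, 100), (1, 2000), (8, 2000)]:
        sent, blocked = simulate_nas(1000, latency, 10_000, source_ports=ports)
        print(f"{ports} source port(s), {latency} ms back-end latency: "
              f"sent={sent} blocked={blocked} "
              f"(sustainable {max_sustained_rate(ports, latency):.0f}/s)")
```

With a 100 ms AD round trip the single-port NAS never has more than 100 requests in flight and nothing is blocked; at 2 s of NTLM latency the same pool sustains only 128 auths/s, so most of a 1000/s burst is blocked, and spreading requests over eight source ports removes the bottleneck at that latency. That is the arithmetic behind both the MaxConcurrentAPI tuning and the extra source ports discussed in this thread.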


Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-09 Thread Jake Snyder
I don't necessarily agree with the doc in all aspects.  My takeaway is that 
some failing clients can put a huge load on the RADIUS environment.  I've seen 
some clients sending 20 requests per second.  I think it's better to identify a 
client doing that through logging and block them individually rather than 
risking the exclusion.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 9, 2016, at 1:53 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> I have to disagree with 120 second client exclusion timer- that in itself can 
> be devastating. I recommend 5 or 10 seconds.
> 
> Lee Badman
> Network Architect/Wireless TME
> Syracuse University
> 315.443.3003
> 
> -----Original Message- 
> From: Jake Snyder [jsnyde...@gmail.com]
> Received: Wednesday, 09 Mar 2016, 16:05
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
> Subject: [WIRELESS-LAN] Recent Radius Meltdowns
> 
> Just wanted to throw this out to the educause community to see if others are 
> seeing this.  Although this is not ultimately a problem with Higher Ed, the 
> large scale RADIUS deployments in higher ed resulting in more impact
> 
> Several weeks ago we had a higher ed customer whose RADIUS environment 
> started periodically melting down.  The customer was running Cisco 
> Infrastructure and ACS 5.x on the back end.
> 
> In terms of changes, there were no recent changes to either the wireless 
> network, or RADIUS environment.  The only recent change was patches applied 
> to the Windows environment.
> 
> Ultimately, the cause was found to be the AD environment was taking an 
> excessive time responding to NTLM authentications.  There was no ultimate fix 
> found, but troubleshooting led us to the changing the MaxConcurrentAPI on the 
> windows servers. which ultimately helped enough to eliminate the problem from 
> a daily occurrence.
> 
> About a week later, this same customer reported to me that visiting another 
> university campus that their RADIUS environment was also experiencing these 
> issues.
> 
> Fast forward a couple weeks, I had a public utility customer seeing this same 
> issue.  Suddenly flags went off that this is more widespread than just a couple 
> Higher Ed customers.
> 
> Now I'm sitting at #ATM16 and talking with other Higher Ed engineers and a 
> large retail customer, it MAY be impacting non-Cisco infrastructure as well.  
> My assumption is anything performing
> 
> Below are some of the links that talk about this change to the 
> MaxConcurrentAPI.  I believe these two customers made changes anywhere from 2 
> to 20.  I know some of these customers are on this educause   I'm not 
> advocating a specific value, I assume that different environments will need 
> different values.
> 
> 
> https://support.microsoft.com/en-us/kb/109626
> 
>  
> 
> https://blogs.technet.microsoft.com/ad/2008/09/23/updated-ntlm-and-maxconcurrentapi-concerns/
> 
> 
> 
> Hopefully this helps anyone who has started to see these issues in the last 
> few weeks.  Also, if you're having this, please reply and let the community 
> know infrastructure, radius and possibly AD environment versions.
> 
> 
> Also, for the Cisco folks, here's a great doc that you should read.
> 
> 
> 
> http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
> 
> 
> 
> 
> 
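Jake's point above, that a few broken supplicants retrying many times a second can load the RADIUS tier far more than the client population as a whole, and that they are better found in the logs and blocked individually than handled with a blanket exclusion timer, can be scripted. The Python below is an added example for this archive, not code from the thread, ACS or any vendor. It parses authentication-request log lines in a constructed format (the regex and field names are assumptions; adapt LINE_RE to whatever your RADIUS server exports), keeps a per-client sliding window keyed on Calling-Station-Id, reports clients whose request count inside the window exceeds a threshold, and computes each client's share of total load. The embedded sample log is constructed: one supplicant retrying 20 times per second alongside three healthy clients.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (assumption): adapt LINE_RE to your server's auth log.
# <ISO-8601 time> auth-request user=<u> calling-station-id=<MAC> nas=<ip> result=<r>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-request user=(?P<user>\S+) "
    r"calling-station-id=(?P<mac>[0-9A-Fa-f:-]{17}) nas=(?P<nas>\S+) "
    r"result=(?P<result>\S+)$"
)


def parse_auth_log(lines):
    """Yield one dict per line that matches LINE_RE; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["mac"] = rec["mac"].lower().replace("-", ":")  # normalise the MAC
        yield rec


def find_auth_storms(lines, window_s=10.0, max_per_window=50):
    """Return {mac: peak request count inside any window_s-second sliding
    window} for clients exceeding max_per_window. Lines are expected in
    timestamp order, as a server's own log normally is."""
    windows = defaultdict(deque)
    peaks = {}
    for rec in parse_auth_log(lines):
        q = windows[rec["mac"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                       # drop requests outside the window
        if len(q) > max_per_window:
            peaks[rec["mac"]] = max(peaks.get(rec["mac"], 0), len(q))
    return peaks


def load_share(lines):
    """Fraction of all auth requests attributed to each client, highest first."""
    counts = defaultdict(int)
    for rec in parse_auth_log(lines):
        counts[rec["mac"]] += 1
    total = sum(counts.values())
    return dict(sorted(((m, n / total) for m, n in counts.items()),
                       key=lambda kv: kv[1], reverse=True))


def constructed_sample():
    """Synthetic log: one client retrying every 50 ms for 5 s, three healthy ones."""
    base = datetime(2016, 3, 9, 8, 0, 0)
    lines = []
    for i in range(100):       # 20 requests/s, all rejected: a broken supplicant
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} auth-request user=jdoe "
                     f"calling-station-id=AA:BB:CC:DD:EE:01 nas=10.0.0.1 "
                     f"result=Access-Reject")
    for n in (1, 2, 3):        # ordinary clients authenticating once each
        ts = base + timedelta(seconds=n)
        lines.append(f"{ts.isoformat()} auth-request user=user{n} "
                     f"calling-station-id=aa:bb:cc:dd:ee:0{n + 1} nas=10.0.0.2 "
                     f"result=Access-Accept")
    lines.append("2016-03-09T08:00:09 some unrelated log line")  # parser skips it
    return sorted(lines)       # ISO-8601 timestamps sort chronologically as text


if __name__ == "__main__":
    sample = constructed_sample()
    for mac, peak in find_auth_storms(sample).items():
        print(f"block candidate {mac}: {peak} requests inside a 10 s window")
    for mac, share in load_share(sample).items():
        print(f"{mac}: {share:.1%} of all requests")
```

On the constructed sample the one broken client accounts for about 97% of all requests, which is the signature to look for before touching global exclusion timers: the output of find_auth_storms is the list of MACs to block individually on the controller, and the thresholds are assumptions to tune against your own baseline.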



Recent Radius Meltdowns

2016-03-09 Thread Jake Snyder
Just wanted to throw this out to the educause community to see if others
are seeing this.  Although this is not ultimately a problem with Higher Ed,
the large scale RADIUS deployments in higher ed resulting in more impact

Several weeks ago we had a higher ed customer whose RADIUS environment
started periodically melting down.  The customer was running Cisco
Infrastructure and ACS 5.x on the back end.

In terms of changes, there were no recent changes to either the wireless
network, or RADIUS environment.  The only recent change was patches applied
to the Windows environment.

Ultimately, the cause was found to be the AD environment was taking an
excessive time responding to NTLM authentications.  There was no ultimate
fix found, but troubleshooting led us to the changing the MaxConcurrentAPI
on the windows servers. which ultimately helped enough to eliminate the
problem from a daily occurrence.

About a week later, this same customer reported to me that visiting another
university campus that their RADIUS environment was also experiencing these
issues.

Fast forward a couple weeks, I had a public utility customer seeing this
same issue.  Suddenly flags went off that this is more widespread than just a
couple Higher Ed customers.

Now I'm sitting at #ATM16 and talking with other Higher Ed engineers and a
large retail customer, and it MAY be impacting non-Cisco infrastructure as
well.  My assumption is anything performing

Below are some of the links that talk about this change to the
MaxConcurrentAPI.  I believe these two customers made changes anywhere from
2 to 20.  I know some of these customers are on this educause   I'm not
advocating a specific value; I assume that different environments will need
different values.


https://support.microsoft.com/en-us/kb/109626



https://blogs.technet.microsoft.com/ad/2008/09/23/updated-ntlm-and-maxconcurrentapi-concerns/


Hopefully this helps anyone who has started to see these issues in the last
few weeks.  Also, if you're having this, please reply and let the community
know infrastructure, radius and possibly AD environment versions.


Also, for the Cisco folks, here's a great doc that you should read.


http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html




Re: [WIRELESS-LAN] Cisco One

2016-03-06 Thread Jake Snyder
There are cost savings to be had.  There is currently a promo when moving to 
new 5520 or 8540 hardware that is very compelling.

That said, brownfield where you are just migrating from standard licensing to 
C1 on the existing hardware doesn't make a lot of sense unless you want to add 
features.  ISE, MSE/CMX, Prime Assurance...

Ultimately it's going to depend on where you are in the lifecycle process.  You 
should totally ping your Cisco Partner and have them run the numbers for you, 
so you can see what the right thing to do is.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 6, 2016, at 8:00 AM, Tom Klimek <tkli...@nd.edu> wrote:
> 
> I've recently been asked if we could benefit from Cisco One for wireless 
> licensing. I am not very familiar with the product so I thought I would ask 
> the Educause community for any input and see if it is very widely used and 
> valued.
> 
> One scenario I was presented with is that perpetual licensing would save us 
> from re-purchasing Access Point licensing when we upgrade to newer (hardware) 
> controllers. When we upgraded from 5508's to 8510's we managed to negotiate a 
> transfer of our existing licenses at no cost but that is not a guarantee for 
> the next upgrade.
> 
> Appreciate any feedback.
> 
> 



Re: [WIRELESS-LAN] Wireless LAN Professionals Conference in Phoenix

2016-02-18 Thread Jake Snyder
I'll be there, honing in on Sam's shameless plug ;)

Thanks
Jake Snyder


Sent from my iPhone

> On Feb 18, 2016, at 6:06 PM, Samuel Clements <scleme...@gmail.com> wrote:
> 
> I'll be there and would love to meet all of you!
> 
> 
> I'll be doing a podcast on Tuesday and Wednesday evening and I'll be 
> presenting a session on Thursday - looking forward to seeing everyone!
> 
> 
>   -Sam
> 
>> On Thu, Feb 18, 2016 at 12:11 PM, Brad Weldon <bwel...@georgefox.edu> wrote:
>> I'll be there for the conference. My first time for WLPC. 
>> 
>> - - - - - 
>> Brad Weldon
>> Network Engineer
>> George Fox University
>> - - - - - 
>> 
>>> On Wed, Feb 17, 2016 at 7:27 PM, Norman Elton <normel...@gmail.com> wrote:
>>> Anyone going to the WLPC in Phoenix this year?
>>> 
>>> http://wlanpros.com/WLPC2016
>>> 
>>> I'd be happy to line up a higher ed get-together if anyone else is going.
>>> 
>>> Norman Elton
>>> College of William & Mary
>>> 



Re: [WIRELESS-LAN] Cisco WLC Client Profiling

2015-12-17 Thread Jake Snyder
I've seen our VP of Operations' Mac showing up as a Nortel phone with just DHCP 
profiling only.  HTTP + DHCP profiling took care of that for us.

Jake Snyder

Sent from my iPhone

> On Dec 17, 2015, at 8:17 AM, Walter Reynolds <wa...@umich.edu> wrote:
> 
> On older code it was under Local profiling.  It is not the most clear all the 
> time or accurate.  This is a sample from one of our controllers (we are 
> running appliances and not the WISM.  Another controller I looked at said we 
> had 21% Nortel phones (we do not)  It has not seemed to create problems, but 
> gives an idea at least.  The image below is on 8.0.115.
> 
> 
> 
> 
> 
> Walter Reynolds
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438
> 
>> On Wed, Dec 16, 2015 at 11:57 PM, Peter Arbouin <p.arbo...@qut.edu.au> wrote:
>> Hi,
>> 
>>  
>> 
>> Just wondering if anyone has enabled Client Profiling on a Cisco controller? 
>> I have recently upgraded our Wism2 modules to 8.1.131.0 and notice that the 
>> new dashboard has a section for Operating Systems.
>> 
>> Looks like it could be a useful feature. Has anyone any issues/comments on 
>> this feature?
>> 
>>  
>> 
>> Thanks,
>> 
>> Peter.
>> 
>>  
>> 
>>  
>> 
>> 
>> 
>> Peter Arbouin | Network Engineer
>> IT Networks | Information Technology Services
>> Queensland University of Technology 
>> Level 3 | 88 Musk Avenue | Kelvin Grove Campus
>> 
>> Mob: 0402476892 | Ph: +61 7 3138 1030
>> 
>> Email: p.arbo...@qut.edu.au
>> 
>> 
>> CRICOS No. 00213J
>> 
>>  
>> 



Re: [WIRELESS-LAN] Cisco LWAP Advice

2015-12-09 Thread Jake Snyder
So the only AP still sold new that is supported on a 4404 is the 3502i.

Not much in the way for options on that old platform, but that is what you can 
still buy.  Might be time to look at upgrading that old girl.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone

> On Dec 9, 2015, at 4:56 PM, Andrew Conley <andrew.con...@sduhsd.org> wrote:
> 
> Hi all,
> 
> 
> I'm new to the EduCause community (even though I'm a HS District IT Director 
> and Educause is for Higher-Ed..). We're a 135,000 student and 6,000 staff 
> district (very large). I am doing a AP deploy for a new high school building 
> (I have a Cisco WLC4402-100-K9 installed in the building already) with 
> approximately 500 clients connected and wanted to know what Cisco LWAPs 
> everyone was using or would recommend for this deploy. 
> 
> 
> Thanks in advance for your assistance!
> 
> 
> Andrew Conley
> 
> Director of Information Technology
> 
> San Diego Unified High School District
> 
> E: andrew.con...@sduhsd.org
> 
> W: 760.363.5008 x 1009



Re: [WIRELESS-LAN] Wireless Options in Athletic Buses

2015-11-18 Thread Jake Snyder
For mobile applications I've done both Cradlepoint and Cisco.  Cisco is nice 
because everyone knows how to manage Cisco Routers.  The Cradlepoint solution 
has some added benefits.  Cloud management is nice, as is being able to look at 
GPS data.  Also the "Wifi As WAN" feature on the Cradlepoint makes it an 
excellent candidate to offload video data via wifi when they are in the bus 
barn.

The other piece is Cradlepoint can support 2 sims in the IBR1100 and you can 
change carrier by downloading code.  They also have a second radio module so 
you can have two active carriers to keep people connected when one doesn't have 
service.

I've not played with the Aerohive solution, but I think they are Verizon only 
(can someone confirm?).

The other company to look at might be peplink.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone

> On Nov 18, 2015, at 12:31 PM, Jeremy Gibbs <jlgi...@utica.edu> wrote:
> 
> I know people may snicker at this but take a look at the offerings from 
> Aerohive for this.  I demoed a solution that was VERY slick.  I think it 
> would work very well for you.  
> 
> 
> --
> 
> Jeremy L. Gibbs
> Sr. Network Engineer
> Utica College IITS
> 
> T: (315) 223-2383
> F: (315) 792-3814
> E: jlgi...@utica.edu
> http://www.utica.edu
> 
>> On Wed, Nov 18, 2015 at 2:01 PM, Adam T Ferrero <a...@temple.edu> wrote:
>>  
>> 
>>   We put some gear on our shuttle buses that travel between campuses a few 
>> years ago.  Basically a Cradlepoint router (Verizon LTE cellular backhaul 
>> with an ethernet hand off).  That ethernet hand off goes to a wifi access 
>> point that is able to do dns lookup and find its controller (happens to be 
>> Meru but I know Aruba does support similar mechanisms).  Everything is 
>> tunneled back encrypted through the controller.
>> 
>>  
>> 
>>   This has served us well for those students that enjoy a 45 minute commute 
>> between campuses.
>> 
>>  
>> 
>>   Adam
>> 
>>  
>> 
>> 
>> 
>>  
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Daniel Wurst
>> Sent: Wednesday, November 18, 2015 12:57 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Wireless Options in Athletic Buses
>> 
>>  
>> 
>> Hi,
>> 
>>  
>> 
>> This is my first post in this group.  I have really enjoyed being a part of 
>> this group and have learned quite a bit, so thank you to all members.
>> 
>>  
>> 
>> Recently I was asked If there was a way we could supply wireless 
>> connectivity in our athletic buses for student athletes as they travel to 
>> sporting events.  My thoughts would be some kind of cellular network hot 
>> spot that the students could log into with their devices.
>> 
>>  
>> 
>> I was wondering if other Universities have attempted anything like this or 
>> have any hot spot devices they would recommend for this use.
>> 
>>  
>> 
>> Appreciate any feedback on this topic.
>> 
>>  
>> 
>> Thank you,
>> 
>>  
>> 
>> --
>> 
>> Daniel Wurst
>> 
>> Network Engineer II
>> 
>> Denison University
>> 
>> Fellows 003B
>> 
>> wur...@denison.edu
>> 
>> 740-587-6229
>> 



Re: [WIRELESS-LAN] eduroam in a Cisco environment

2015-09-24 Thread Jake Snyder
You can always do an interface group and use the name of the group instead of 
the vlan ID coming from Cloudpath. Just keep all interfaces in the group the 
same size.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone

> On Sep 24, 2015, at 2:38 PM, Timothy Burns <bu...@unca.edu> wrote:
> 
> We are just now starting down the eduroam path. 
> 
> We are a Cisco shop and currently have our controllers pointed towards 
> xpressconnect to onboard/authenticate our students.
> 
> We currently have many interfaces on our controllers per building/SSID. We 
> were thinking of collapsing many of those interfaces and have larger subnets 
> and vlan tag the clients based on access we want to allow using the single 
> "eduroam" ssid.
> 
> So, for example, our local users will be placed in vlan 1 and eduroam users 
> from different colleges would be placed in vlan 2 with internet only access. 
> We have brought this up to our SE and VAR engineers and they are a little 
> hesitant on this approach as they say the subnets will be too large. But, 
> as I understand it, the broadcast messages are suppressed at the controller. 
> 
> Xpressconnect only supports 1 vlan tag so we were looking at using free 
> radius and create different realms and vlan tag the clients based on end of 
> the username(ex: @.edu). We still have ACS at our disposal as we were 
> using it very heavily before using xpressconnect, so we thought it may be an 
> option to bring that back into the picture and use it to tag the clients.
> 
> The answers I am looking to gain from this are:
> 
> Do you have eduroam deployed as your primary SSID or in addition to your 
> SSID's? 
> 
> Do you separate/tag your eduroam users? If so, how (ACS/ISE/free radius, etc)?
> 
> How big are your wireless subnets?
> 
> Any opinions/suggestion/questions are welcome.
> 
> Thanks again in advance.
> 
> -- 
> Tim Burns
> 
> Junior Network Administrator
> 1 University Heights
> Asheville, NC 28804
> 828-232-5013
> bu...@unca.edu
> 



Re: [WIRELESS-LAN] Aruba Instant IAP-215 Wireless Access Points

2015-09-14 Thread Jake Snyder
The other thing you might check is to see if you have LLDP running on the 
switches.  This can help with PoE negotiation.

Thanks
Jake Snyder


Sent from my iPhone

> On Sep 14, 2015, at 6:53 PM, James Michael Keller <jmkel...@houseofzen.org> 
> wrote:
> 
>> On 09/14/2015 11:37 AM, Ronald Loneker wrote:
>> Good Morning -
>> 
>> (forgive cross-postings - a member of the NETMAN list suggested this
>> might be the place to post this question)
>> 
>> We just had close to 90 new Aruba Instant IAP-215 wireless access points
>> installed in our residence halls to upgrade our wireless network. 
>> Another building is soon to be underway, and I'm managing this project.
>> 
>> Over the last couple of weeks, it seems like random access points are
>> shutting down wireless access.  They are not all connected to the same
>> Cisco switch (various Cisco POE switches in two residence halls).  The
>> access point is not ping-able, the MAC address is not found in the
>> virtual controller's table, the switch port is up and power is being
>> supplied to the access point.  The only way we seem to get an access
>> point back up is to do a shut/no shut on the switch port to which it is
>> connected. 
>> 
>> The vendor who configured the access points hasn't been able to
>> determine why this is happening and before we initiate an Aruba support
>> call, I was wondering if anyone had any similar experiences like this
>> and what you determined was the cause of the issue.  We are running into
>> walls here.
>> 
>> Thanks in advance for any thoughts or ideas.
>> 
>> Ron Loneker, Jr.
>> Director of Media Services
>> College of Saint Elizabeth
>> Mahoney Library
>> 2 Convent Road
>> Morristown, NJ  07960
>> 
>> Phone:  973-290-4229 
>> 
>> e-mail:  rlone...@cse.edu <mailto:rlone...@cse.edu>
>> 
>> /**/
>> 
>> 
> 
> I have seen similar with the campus APs when the PoE power is dropping
> below min spec, either due to switch power or cable run
> resistance.   The APs will have enough power to initialize which brings
> up the link, but they fail to boot into ArubaOS and hang until they are
> power cycled.  Typically the ones with cable run issues continue to fail
> on the next cycle.  Brown out triggered ones come up fine usually, and
> typically we see more than one on the same switch do it for PoE power
> issues.
> 
> -- 
> 
> -James
> 
> 


Re: [WIRELESS-LAN] Windows 10 Random Mac Address

2015-08-28 Thread Jake Snyder
Found a good presentation on this from the IETF
https://www.ietf.org/proceedings/93/slides/slides-93-intarea-5.pdf

On Fri, Aug 28, 2015 at 3:45 PM, Heath Barnhart heath.barnh...@washburn.edu
 wrote:

 Anyone else seeing Windows 10 devices with Randomize WiFi Hardware
 Address on? Just had one show up at our help desk. As we require MAC
 registration this puts a bind in things. Does anyone else have some
 information, a quick Google search didn't come up with anything.


 
 Heath Barnhart, CCNA
 ITS Network Administrator
 Washburn University
 785-670-2307




Re: [WIRELESS-LAN] Exclusive 2.4 Ghz and 5 Ghz SSIDs

2015-08-12 Thread Jake Snyder
The challenge for FAST networks is when you don't have 5ghz dense enough to 
cover everywhere.

What will happen is users will be walking and run into places where they drop 
from 5Ghz.  And they will manually connect to the 2.4Ghz SSID.

Without having the ability to tune which network is preferred, you can run into 
issues where the clients may start artificially preferring 2.4 because of the 
SSID priority order on their device.  Bam, all that work and you may have made 
the problem worse.

And certain devices don't let you explicitly set the priority order.  iOS takes 
the last network used, security level, etc. into account.  I don't 
know if it still prefers the highest alphabetically or not. Appending FAST 
moves a network down in alphabetical order, which is the opposite of what you 
want.

Now that a user has both SSIDs, as they walk along campus and they hit a 5ghz 
dead spot they will connect to the 2.4Ghz network, which will remain preferred 
because it was the last network joined.  For a device that already prefers 
5ghz over 2.4ghz, that's not a great way to go.

https://support.apple.com/en-us/HT202831

Thanks
Jake Snyder

Sent from my iPhone

 On Aug 12, 2015, at 6:07 AM, Tevlin, Dave dtev...@visi.org wrote:
 
 Paul,
 
 Similar to the concept that Jason mentioned earlier, I heard of a wireless 
 setup at an Educause conference a while back with separate SSIDs for 2.4 and 
 5. What helped them, unfortunately can't remember who it was, was adding 
 'FAST' to the 5Ghz SSID name to help steer users to the 5Ghz band. Once they 
 did that the uptick of devices on the 5Ghz band increased greatly.
 
 They had two separate SSIDs before with 2.4 and 5Ghz but it was only after 
 they changed the SSID name to include FAST that they saw that improvement. I 
 also agree that the 2.4 and 5 should not show up in the SSID name.
 
 Dave Tevlin
 Network/ Systems Administrator
 Georgetown Visitation Prep School
 
 
 
  
 
 On Wed, Aug 12, 2015 at 7:35 AM, Osborne, Bruce W (Network Services) 
 bosbo...@liberty.edu wrote:
 Why not just deploy the 2.4 GHz with the same SSID on a few of the APs?  
 With our Aruba APs, that is the recommended solution in a dense situation.
 
  
 
 
  
 
 Bruce Osborne
 
 Wireless Engineer
 
 IT Infrastructure & Media Solutions
 
  
 
 (434) 592-4229
 
  
 
 LIBERTY UNIVERSITY
 
 Training Champions for Christ since 1971
 
  
 
 From: Paul Sedy [mailto:rps...@masters.edu] 
 Sent: Tuesday, August 11, 2015 4:23 PM
 Subject: Exclusive 2.4 Ghz and 5 Ghz SSIDs
 
  
 
 Hello everyone,
 
  
 
 We are a Cisco shop and have, up until now, employed a single SSID for 
 students, supporting both 2.4 Ghz and 5Ghz connections.  During this summer, 
 we have been working to develop sufficient AP density to ensure good 5Ghz 
 cells throughout our dorms.  In the past, we have seen numerous instances of 
 poorer performance on the 2.4 Ghz spectrum, but up to this point, have 
 relied on the client to make the decision between these two options. 
 
  
 
 We are thinking of deploying two separate SSIDs, a 5Ghz network and a 2.4 
 Ghz network, that are exclusive in order to promote a better experience for 
 the students with devices capable of 5Ghz connectivity.  We would probably 
 use the original SSID name with an appended (5 Ghz) or (2.4 Ghz).
 
  
 
 Are any of you currently employing this type of configuration and how well 
 has it worked for you?
 
  
 
 We would appreciate any insights that anyone might have.
 
  
 
 Paul Sedy
 
 The Master’s College
 
 Director of IT Operations
 
 21726 Placerita Canyon Rd, Santa Clarita, CA 91321
 
 661.362.2340 | rps...@masters.edu
 



Re: [WIRELESS-LAN] Cisco Aironet Series

2015-08-05 Thread Jake Snyder
They should perform near identically.  Well within the margin of error of 
whatever test you are doing.

Actually if you look at the specs, the RX sensitivity of the 2700 is better 
than the 3700.  If you have a compelling use case for the module, go 3700.  If 
you don't, go 2700.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone

 On Aug 5, 2015, at 3:05 PM, Sullivan, Don dsulli...@samford.edu wrote:
 
 Our Cisco sales guy pretty much sold us our 2702s on those points because we 
 had initially requested the 3702s. I cannot tell you for sure if there is any 
 difference because we have not deployed 3702s.
  
 Don Sullivan
 Network Administrator
 205-726-2111
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Deshong, Kenneth
 Sent: Wednesday, August 05, 2015 3:36 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Cisco Aironet Series
  
 I have a question that I hope someone can help me with. 
  
 In the hope of saving money, my boss wants me to look at a cheaper 
 alternative to the 3702i in areas that might not need a top of the line 
 Access Point. In my comparison, I find the Aironet 2702i to have similar 
 specs minus the 4x4 radio. Both support 802.11ac, Client Link 3.0, CleanAir 
 2.0.  I don’t plan on using the Modular slot .
  
 I’ve read from limited sources that say the electrons are the same, and 
 performance is neck and neck.  Can anyone debunk that?   



Re: [WIRELESS-LAN] Ekahau Site Survey + Tablet

2015-08-04 Thread Jake Snyder
In terms of strain, I've tried every commercially available harness.  And I've 
found that you can't beat the laws of physics.  That strain is placed somewhere 
on your body.

Holding the laptop puts it on your arms and wrists.  The harness just move that 
to your shoulders and back.  I will alternate days between holding and a 
harness, but by Friday I am generally sore all over.

Now if only I had a Segway

Thanks
Jake Snyder

Sent from my iPhone

 On Aug 4, 2015, at 9:55 AM, Jon Scot Prunckle prunc...@uwm.edu wrote:
 
 All,
 
 
 FWIW, we went the opposite direction in terms of machine [ease of] 
 portability and have had very good results with ESS Pro.  We're currently 
 using three Dell Latitude E6430 series with i7 processors, 16GB RAM (and an 
 SSD hard drive on one) with Win 7 Pro.  The machines are docked when not in 
 use and are accessible by RDP...allows us to do our analysis and 
 what-have-you directly on the machines.
 
 
 We've contrived field harnesses for the survey technicians to wear to hold 
 the laptops to avoid strain.  We used to insist on using wheeled carts, but, 
 understandably, a number of the technicians found the carts obtrusive.
 
 
 Either way, we've been very happy with Ekahau in terms of responsiveness to 
 user needs and feature requests as well as producing an excellent piece of 
 software.
 
 Sincerely,
 
 
 J. Scot Prunckle
 Network Engineer
 UITS Network and Operations Services
 University of Wisconsin-Milwaukee
 Office Mobile: (414) 416-9709
 E-mail: prunc...@uwm.edu
 
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of Hector J Rios 
 hr...@lsu.edu
 Sent: Monday, August 3, 2015 1:43 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Ekahau Site Survey + Tablet
  
 SP3 has worked for us as well. We’ve used the software on a Thinkpad Yoga and 
 it was OK. The main issue was the laptop itself and wonderful Win 8. Battery 
 life was not great either. We’ll see if Win 10 is better.
  
 Hector Rios
 Louisiana State University
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Shayne Fedorka
 Sent: Friday, July 31, 2015 10:21 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Ekahau Site Survey + Tablet
  
 There’s a decent deal on the SP3 right now if you can’t wait a couple months 
 for the SP4 to drop the price of the SP3 even more.
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric T. Barnett
 Sent: Friday, July 31, 2015 10:51 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Ekahau Site Survey + Tablet
  
 So the Surface Pro 3 so far. I’m really just looking at using this for active 
 surveys. I can do analysis on my laptop.
  
 Thanks for the responses so far!
  
 --Eric
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rowell Dionicio
 Sent: Friday, July 31, 2015 8:52 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Ekahau Site Survey + Tablet
  
 We’re currently using the Surface Pro 3 for conducting wireless surveys with 
 Ekahau. Works great. I would recommend getting an external USB hub that you 
 can velcro to it. I find that the USB port is a little finicky. If I nudge 
 the USB adapter I sometimes have issues causing me to restart Ekahau. 
  
 I use the pen during the survey and found it much more useful than using a 
 trackpad or your finger. I don’t use the keyboard attached to the surface 
 during surveys. 
  
 I also recommend using a bluetooth or USB mouse for analyzing the survey 
 while at your desk. I still haven’t gotten used to using the removable 
 keyboard/cover we got with it.
 
 Rowell
  
 On Jul 31, 2015, at 6:05 AM, Trent Hurt trent.h...@louisville.edu wrote:
  
 I know a few folks who use surface 3 for surveying without issues.  Here is a 
 nice blog with some performance recommendations for ekahau 
  
 http://www.ekahau.com/wifidesign/blog/2015/07/24/boosting-ekahau-site-survey-and-3d-planner-performance/
 
 Sent from my iPhone
 
 On Jul 31, 2015, at 8:22 AM, Sachse, Hartmut sac...@pdv-sachsen.net wrote:
 Ask Jussi from Ekahau via Twitter @jussikiviniemi. If I remember right they 
 recommend Surface Pro 3.
  
 
 Best Regards
 
 Hartmut Sachse 
 Systems Engineer 
 
  
 Von: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] Im Auftrag von Eric T. Barnett
 Gesendet: Donnerstag, 30. Juli 2015 23:57
 An: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Betreff: [WIRELESS-LAN] Ekahau Site Survey + Tablet
  
 Good afternoon,
  
 I was wondering if anyone out there was running Ekahau’s site survey software 
 on a tablet and which ones that they’ve had good luck with. I’m looking at a 
 Surface Pro 3, but I wonder if the Pro 2 would

Re: [WIRELESS-LAN] CWNA training

2015-07-24 Thread Jake Snyder
I took CWAP from Robert, not CWNA and can attest to him being a great 
instructor.  Know lots of guys who took CWNA from him and they had nothing but 
good things to say.

Thanks
Jake Snyder

Sent from my iPhone

 On Jul 24, 2015, at 8:56 AM, Alan Klein akl...@osisecure.com wrote:
 
 I also had great success with reading the CWNA book, I found it very 
 informative and an interesting read. A solid foundation for all the other 
 books.
 
 If you do prefer instructor led training, I have taken two courses from 
 Robert Bartz, http://eightotwo.com/index.html (CWAP & CWDP) and had a very 
 positive experience.
 
 Alan
 
 
 
 
 On Jul 23, 2015, at 5:04 PM, Hinson, Matthew P 
 matthew.hin...@vikings.berry.edu wrote:
 
 I'd recommend the Official Study Guide by Sybex. It's written by David 
 Coleman 
 and David Westcott. I was able to pass the exam by a healthy margin simply 
 by 
 reading and re-reading that book.
 
 The Davids do not teach for the test. They absolutely stress that you need 
 a 
 strong functional knowledge of 802.11 concepts rather than know these five 
 items to pass the test.
 
 Relatively speaking, it's cheap, and I highly recommend it. I didn't 
 personally utilize a training course because of how well done the book was.
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Becker
 Sent: Thursday, July 23, 2015 1:12 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] CWNA training
 
 Looking for reviews on the CWNA training course?  Any recommendations on who 
 to go through?
 
 Thanks in advance,
 
 --
 Jason Becker
 Network Systems Engineer,
 Network Planning and Services
 Tel:(314)935-5006
 


Re: [WIRELESS-LAN] Cisco AIR-CAP2702E could not discover WLC

2015-07-22 Thread Jake Snyder
2702s have had a number of issues, both I and E models depending on when they 
were manufactured.  There were a couple of months where APs were getting a bad 
image.  I haven't seen many I models lately, but E models don't get sold in as 
high of volume.  

There have been issues with both DHCP and DNS discovery not working, as well as 
the AP sending the AUX port MAC address in the discovery.

My experience has been that you can do a few things to help.  Configure both 
DNS and DHCP (Opt43) methods of controller discovery.  If that doesn't work, 
the ip helper/forward protocol discovery method helps when you can't put the AP 
on the WLC management address. Barring either of those, just configuring the AP 
via the serial cable generally works, but is less scalable and more labor 
intensive.

Hope this helps

Jake

Sent from my iPhone

 On Jul 22, 2015, at 10:48 AM, Bahr, Deb db...@coe.edu wrote:
 
 I am trying to deploy the 2702E APs with 5508 wireless controllers and am 
 seeing the following error:
 
 Could not discover WLC.  Either IP address is not assigned or assigned IP is 
 wrong.  Renewing DHCP IP.  It will receive an IP address, and then continue 
 this error message and keep trying to renew DHCP IP.
 
 I can connect an AIR-CAP2702I to the same PoE switch and it connects 
 flawlessly.   I'm not sure why the 2702I will work and not the 2702E.
 
 Has anyone else run into this issue?
 
 -- 
 Deb Bahr
 Department of Information Technology
 db...@.coe.edu |319-399-8877
 
 
 
 
 
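Jake's advice above to configure the DHCP (Option 43) discovery method, worked through as an added example (not Cisco's code or anyone's from the thread): it builds and validates the Option 43 value that Cisco lightweight APs read to find their WLC. It assumes Cisco's documented TLV layout for lightweight APs (sub-option type 0xf1, one-byte length, then IPv4 addresses); the controller addresses are constructed.

```python
"""Build and sanity-check DHCP Option 43 for Cisco lightweight AP (WLC) discovery.

Added example, not Cisco code. It relies on Cisco's documented layout for
lightweight APs: one vendor-specific TLV with sub-option type 0xf1 (241),
length = 4 * (number of controllers), then each WLC management IPv4 address
as four raw bytes. Controller addresses below are constructed.
"""
import ipaddress
from typing import List

CISCO_LWAPP_SUBOPTION = 0xF1   # sub-option type Cisco lightweight APs look for


def encode_option43(controllers: List[str]) -> str:
    """Return the hex string to put after 'option 43 hex' in an IOS DHCP pool."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("the TLV length field is one byte; too many controllers")
    return bytes([CISCO_LWAPP_SUBOPTION, len(payload)]).hex() + payload.hex()


def decode_option43(hexstr: str) -> List[str]:
    """Parse an Option 43 hex string back into controller addresses.

    Rejects the usual typing mistakes: wrong sub-option type, a length byte
    that disagrees with the bytes present, or a length not divisible by 4.
    IOS echoes the value in dotted groups (f104.c0a8.0a05), so dots and
    spaces are tolerated on input.
    """
    raw = bytes.fromhex(hexstr.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("option too short to hold a TLV header")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != CISCO_LWAPP_SUBOPTION:
        raise ValueError(f"expected sub-option 0xf1, got 0x{sub_type:02x}")
    if length != len(value):
        raise ValueError(f"length byte says {length} but {len(value)} bytes follow")
    if length % 4 != 0:
        raise ValueError("value must be whole IPv4 addresses (multiple of 4 bytes)")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def is_valid_option43(hexstr: str) -> bool:
    """True when the string decodes cleanly; handy for checking a pasted value."""
    try:
        decode_option43(hexstr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.6"]   # constructed WLC management addresses
    value = encode_option43(wlcs)
    print(f"ip dhcp pool AP-MGMT\n option 43 hex {value}")
    print("decodes to:", decode_option43(value))
```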



Re: [WIRELESS-LAN] Wireless Door Locks

2015-07-02 Thread Jake Snyder
We've been playing with the Assa Abloy locks.  Currently we have them connected 
all the time to facilitate lockdown, and leverage a power jump to keep them 
powered all the time.  Batteries are only in play if the power jump is without 
power.  Different group dealing with that, but sounds promising.

Downside is limited EAP support: LEAP, PEAP and EAP-TTLS.  And the config 
program is wonky.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone

 On Jul 2, 2015, at 2:22 PM, Parker, Ron ron.par...@brazosport.edu wrote:
 
 I would strongly advise against these locks unless you fully understand their 
 limitations and are OK with them. We did some construction projects where 
 hard-wired locks were “value engineered” out of the project to save money. We 
 ended up with a bunch of wireless Assa Abloy locks that don’t work right and 
 that we can’t get support on. They have been nothing but headaches for us. 
 Most of them don’t work anymore and we can’t find anyone in the Houston area 
 that can support them.
  
 They are useless if you want to do a building lockdown for a security issue. 
 They can’t be locked or unlocked remotely because they aren’t in constant 
 contact with the access control system. Ours poll the access control system 
 once per day in the middle of the night, that’s it. You can’t remove access 
 to an area instantly by revoking a user’s card or access level. You have to 
 wait for the update to happen that night or go to that lock (or locks) and 
 manually trigger an update.
  
 The locks originally arrived with WEP security as the only available option. 
 I rejected that and insisted they upgrade them to WPA2 or I would not allow 
 them on the network. That was done but we ended up paying extra to have their 
 controller modules changed out.
  
 We’ve learned the hard way that IT needs to insist on being at every possible 
 construction and design meeting and to stay on top of these things all along 
 the way or we end up with these kinds of messes dumped on us. We still got 
 things dumped on us in spite of our best efforts but at least we tried. Do 
 not trust architects or construction companies to do what makes sense in 
 today’s IT world. They don’t understand our field any more than we understand 
 theirs.
  
 --
 Ron Parker, Director of Information Technology, Brazosport College
 Voice: (979) 230-3480 FAX: (979) 230-3111 
 http://www.brazosport.edu, KE5RON
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Derek Johnson
 Sent: Thursday, July 02, 2015 12:33 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Wireless Door Locks
  
 Our campus planners are looking to standardize & modernize lock systems 
 across campus, and they're drooling over my worst nightmare: wireless door 
 locks that connect to our existing wifi network.  2.4GHz only, of course.  
 I'm against this idea for too many reasons to list (technical & 
 security-based), but I'm curious to hear perspectives from the community.  
 Has anyone deployed or had to support a wifi-based door lock system?  What's 
 been your experience? 
 
 On the flip side, have you successfully fended off a push for wireless door 
 locks?  If so, do tell... :) 
 
 Thinking back to Lee's recent drone discussion... perhaps I can get 
 administration interested in drone surveillance instead of wifi door locks.  
 That's an idea I could get behind... 
 
 
 Derek Johnson | Data Communications Coordinator
 FORT HAYS STATE UNIVERSITY
 415 Lyman Dr. TH 101, Hays, KS 67601 
 (785) 628 - 5688 | dpjohn...@fhsu.edu
 



Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-13 Thread Jake Snyder
The other factor in resnet applications is who is paying the bills.  Some 
campuses require students to live on campus. Others compete directly with 
off-campus housing for revenue.  At still others, housing and dining services 
are income sources to the school.

Poor wireless becomes a student satisfaction issue.  This can result in 
students leaving the school altogether (retention), or simply students moving 
to private housing (loss of revenue to housing). Both have a direct financial 
impact to the school.



Sent from my iPhone

 On May 13, 2015, at 7:05 PM, Jon Young j...@network-plumbers.com wrote:
 
 Chuck,
 That's a very fair question and I don't believe there is solid data to 
 support (or oppose) my contention.  I can only support my claim by consistent 
 anecdotal opinions of those in the institutional position to know - our 
 stakeholder interviews with personnel in Admissions, Res Life, Student 
 Affairs strongly favor this opinion at most residential institutions.  
 Interestingly, in my experience this is less so for those institutions that 
 have a larger demographic from economically disadvantaged backgrounds.  I'll 
 leave the guessing as to why that is so to another forum.
 
 As you are likely aware, the ACUTA survey supports my contention but I am 
 unaware of any solid data surveying student recruitment in this area so it is 
 accurate to say that my opinion is based strictly on anecdotal (but 
 consistent) evidence from key stakeholders at a broad swath of institutions. 
 Even the ACUTA survey is based on the opinions of the those institutional 
 personnel, not direct student surveys.
 
 That said, for internal political purposes, those internal stakeholder 
 opinions tend to be crucial in gaining the backing needed for effective 
 wireless initiatives.  As we all also know, higher-ed has a strong tendency 
 to base decisions on what peers and aspirational peers are doing and the 
 ACUTA survey can be an excellent tool for this.
 
 Thanks,
 Jon
 Vantage Technology Consulting Group
 
 On Wed, May 13, 2015 at 5:03 PM, Chuck Enfield chu...@psu.edu wrote:
 John, I’ve often heard it said that wireless is important to recruiting and 
 retention, but I’ve yet to find any solid foundation for the claim.  This 
 may be because those search terms in Google return so much unrelated 
 information that the good data is hard to find, or it could be that the 
 claim is tenuous.  Can you point us to any sources to substantiate it?  I’m 
 skeptical, but open to evidence.  It would definitely change the way I think 
 about our wireless services in relation to business needs.
 
 Thanks,
 
 Chuck Enfield
 Manager, Wireless Systems & Engineering
 Telecommunications & Networking Services
 The Pennsylvania State University
 110H, USB2, UP, PA 16802
 ph: 814.863.8715
 fx: 814.865.3988
  
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jon Young
 Sent: Wednesday, May 13, 2015 4:43 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) 
 service, or not to provide (wireless) service...
 
  
 
 We consult with many higher-ed institutions and the question your President 
 has posed about buying bulk data is a real one that many institutions have 
 looked into.  We are frequently asked this question (same question for 
 cellular when it is time to replace the phone system) when we assist schools 
 with the network and WiFi strategy so I can tell you that if you define the 
 some schools are investigating this by asking their independent 
 consultants, that is true.  If you are asking if it is remotely viable and 
 if anyone is seriously pursuing it beyond asking the question, the answer as 
 you expect is a resounding no for all the reasons others have articulated 
 on this thread.
 
  
 
 That said, a couple of things to note:
 
 Many schools have chosen to successfully outsource their resnet including 
 wireless (see the recent resnet report from ACUTA).  That is sometimes by 
 letting the local cable company come in and offer service in the residence 
 halls and sometimes by outsourcing resnet to a company like Apogee.  There 
 are pros and cons to insourcing vs outsourcing resnet but I think it is 
 reasonable to consider if that is the right choice for your institution.
 
  
 
 Of larger importance, I think, to your President: the quality of wireless 
 internet is a key component of student recruitment and retention at many 
 institutions.  At the request of one Ivy, I even wrote an internal white 
 paper justifying ubiquitous WiFi across campus based primarily on student 
 recruitment and retention.  I suggest speaking with your admissions group 
 and getting their thoughts on the importance of high-quality wireless 
 internet (define that how you like) in the res halls and the rest of campus.
 
  
 
 Good luck,
 
 Jon Young
 
 Vantage Technology 

Re: [WIRELESS-LAN] FlexConnect

2015-04-25 Thread Jake Snyder
Some design considerations to be careful of.  In local mode the default is to 
not forward broadcast traffic.  Because FlexConnect is just bridging wired and 
wireless interfaces, it forwards broadcast.

It is even more important that you segment wired and wireless clients into 
different VLANs, or you will find that you quickly consume all your airtime with 
wired broadcast traffic forwarding out over the air.

We see a lot of people trying to do wired PC + wireless FlexConnect clients on 
the same VLAN for mDNS and link-local services, but you take a significant hit 
to airtime sending BUM (broadcast, unknown unicast and multicast) traffic over 
the air.

I've seen where a PC or Mac scanning for hosts on the network can consume most 
of the airtime due to NetBIOS or AFP discoveries.

You may also want to put L2 ACLs or storm control on the wired side to limit 
how much impact you see in a flex design.

Sent from my iPhone

 On Apr 25, 2015, at 6:16 AM, Hector J Rios hr...@lsu.edu wrote:
 
 Jeff,
  
 Everything that Frans said. Plus, check the subject “ResHalls”, that had a 
 good discussion on Flexconnect. Below is an email I had sent. In the end, the 
 cons led us not to use FlexConnect and we stayed in local mode.
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
 Sent: Tuesday, March 17, 2015 9:28 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] ResHall Wireless
  
 I tested FlexConnect on 8.0.110.0. Here are my observations:
  
 * Great alternative to switch data locally (obviously)
 * No AVC support
 * When controller is down, AP goes into standalone mode. Must make sure that 
 AP is not able to reach any other controller you don’t want. This was fixed 
 with an ACL.
 * Client details page does not show client IPv6 address. Client still gets 
 IPv6 address. (PRIME does show it if you run a report.)
 * Client details page does not show VLAN ID. 
 * Putting AP in FlexConnect mode does not require reboot (Cool!)
 * No IPv6 ACL support
  
 More testing to do, but so far so good.
  
 -Hector
  
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Legge, Jeffry
 Sent: Thursday, April 23, 2015 5:05 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] FlexConnect
  
 I am not currently using any APs in FlexConnect mode in any buildings on 
 campus.
 We are building a new building and I have been asked to use FlexConnect mode 
 for the APs in this building.
 Is anyone using FlexConnect in campus buildings? If so, why are you using it 
 rather than Local mode, and is it more or less difficult to configure?
  
 Jeff Legge
 Radford University



Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-19 Thread Jake Snyder
There is support for it in local mode, just not in flex.

Sent from my iPhone

 On Mar 19, 2015, at 5:41 AM, Osborne, Bruce W (Network Services) 
 bosbo...@liberty.edu wrote:
 
 No Cisco support for multicast to unicast?
  
 Aruba has had that support for years and we have been using it for IPTV over 
 Wi-Fi. Aruba calls this Dynamic Multicast Optimization.
  
  
 Bruce Osborne
 Wireless Engineer
 IT Infrastructure & Media Solutions
  
 (434) 592-4229
  
 LIBERTY UNIVERSITY
 Training Champions for Christ since 1971
  
 From: Jake Snyder [mailto:jsnyde...@gmail.com] 
 Sent: Wednesday, March 18, 2015 3:50 PM
 Subject: Re: ResHall Wireless - FlexConnect
  
 Other vendors are doing this too.  I know from a recent presentation at 
 Atmosphere 2015 that Aruba performs the RA Multicast to Unicast conversion.
 It's a known limitation in terms of how the 802.11 protocol works.  Different 
 vendors are implementing different features to overcome it, but it's an 
 expected thing.
  
 There is currently not support for Multicast to Unicast conversion for 
 Flexconnect, they simply bridge broadcast/multicast traffic.
  
 On Wed, Mar 18, 2015 at 1:36 PM, Frans Panken frans.pan...@surfnet.nl wrote:
 Breaking IPv6 is indeed undesirable ;-) Fortunately, other vendors do not 
 share your opinion.
 Good news for the majority on this list: the bug is limited to Cisco's 
 FlexConnect.
 -Frans
 
 
 
 Jake Snyder schreef op 18/03/15 om 20:19:
 It is expected from an 802.11 perspective.  May not be desirable, but that is 
 how the wireless standard works.  Unicasting RAs over the air fixes this.
 
 Sent from my iPhone
 
 On Mar 18, 2015, at 12:42 PM, Frans Panken frans.pan...@surfnet.nl wrote:
 
 No, it is not. The result is that it breaks IPv6 on local VLANs: clients 
 receive multiple prefixes on local VLANs.
 
 Jake Snyder schreef op 18/03/15 om 17:51:
 Leaking of RAs between VLANs is expected behavior as RAs are multicast.  
 Because the 802.11 protocol sends multicast traffic as broadcast over the air 
 and every device on a BSSID shares the same group key for encryption, any 
 client can decode any multicast packet, including RAs not on the same VLAN.  
 Again, this is expected behavior.  The solution to this is to use multicast 
 to unicast conversion for the RA; however, I've never done this in a 
 FlexConnect deployment.
  
 This is also important in IPv4 deployments where you need to secure who can 
 gain access to a multicast stream.
  
 On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken frans.pan...@surfnet.nl 
 wrote:
 We use FlexConnect in both central and local switched mode (v 8.110.6).
 We use a single SSID and distinguish various user groups, differentiated
 by Radius and mapped on different VLANs.
 We observe that VLANs leak traffic to other VLANs. This is in particular
 very undesired with IPv6, where router advertisements from one VLAN are
 broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and
 other broadcast traffic). Even VLANs that are only centrally accessible
 leak traffic to local VLANs.
 
 This is a security issue that in my opinion does not receive the
 desired attention.
 
 Frans
 
 
 
 Watters, John schreef op 18/03/15 om 07:29:
   Please post any results you have if/when you try to expand FlexConnect to your 
   entire campus. It looks like you are close to our size (we now have about 
   125 buildings & about 38K students plus about 4K faculty/staff).
 
  Thanks.
 
  Sent from my iPhone
 
  On Mar 17, 2015, at 4:12 PM, Hector J Rios hr...@lsu.edu wrote:
 
  I've not performed tests to that scale yet. Plus we are only considering 
  this for our ResHalls, of which we have 21 buildings only.
 
  -Hector
 
 
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
  [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
  Sent: Tuesday, March 17, 2015 11:55 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
 
  We played with FlexConnect for a number of months but still could not get 
  what we needed it to do on a consistent basis. Essentially we wanted 
  FlexConnect to drop users into their building VLAN so they would be able 
  to easily interact with the same devices that the wired connections in the 
  buildings could see. As I'm sure you know, this also resolves many of the 
  Apple, Chromecast, etc., problems.
 
  We did have one caveat though that we just couldn't get past -- we wanted 
  to drop faculty/staff into one VLAN and students into another (we can 
  easily return the proper VLAN for a particular client in a particular 
  building from Radius server - FreeRadius with a call to our LDAP server 
  for info) but  we also need to send everything else back to the controller 
  for central switching (e.g., police connections, special bar-code scanners 
  that roam and serve to identify a user, but not being used for client 
  traffic, for example, to give out free flu shots

Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-18 Thread Jake Snyder
Leaking of RAs between VLANs is expected behavior as RAs are multicast.
Because the 802.11 protocol sends multicast traffic as broadcast over the
air and every device on a BSSID shares the same group key for encryption,
any client can decode any multicast packet, including RAs not on the same
VLAN.  Again, this is expected behavior.  The solution to this is to use
multicast to unicast conversion for the RA; however, I've never done this in
a FlexConnect deployment.

This is also important in IPv4 deployments where you need to secure who can
gain access to a multicast stream.

On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken frans.pan...@surfnet.nl
wrote:

 We use FlexConnect in both central and local switched mode (v 8.110.6).
 We use a single SSID and distinguish various user groups, differentiated
 by Radius and mapped on different VLANs.
 We observe that VLANs leak traffic to other VLANs. This is in particular
 very undesired with IPv6, where router advertisements from one VLAN are
 broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and
 other broadcast traffic). Even VLANs that are only centrally accessible
 leak traffic to local VLANs.

 This is a security issue that in my opinion does not receive the
 desired attention.

 Frans



 Watters, John schreef op 18/03/15 om 07:29:
   Please post any results you have if/when you try to expand FlexConnect to your
  entire campus. It looks like you are close to our size (we now have about
  125 buildings & about 38K students plus about 4K faculty/staff).
 
  Thanks.
 
  Sent from my iPhone
 
  On Mar 17, 2015, at 4:12 PM, Hector J Rios hr...@lsu.edu wrote:
 
  I've not performed tests to that scale yet. Plus we are only
 considering this for our ResHalls, of which we have 21 buildings only.
 
  -Hector
 
 
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
  Sent: Tuesday, March 17, 2015 11:55 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
 
  We played with FlexConnect for a number of months but still could not
 get what we needed it to do on a consistent basis. Essentially we wanted
 FlexConnect to drop users into their building VLAN so they would be able to
 easily interact with the same devices that the wired connections in the
 buildings could see. As I'm sure you know, this also resolves many of the
 Apple, Chromecast, etc., problems.
 
  We did have one caveat though that we just couldn't get past -- we
 wanted to drop faculty/staff into one VLAN and students into another (we
 can easily return the proper VLAN for a particular client in a particular
 building from Radius server - FreeRadius with a call to our LDAP server for
 info) but  we also need to send everything else back to the controller for
 central switching (e.g., police connections, special bar-code scanners that
 roam and serve to identify a user, but not being used for client traffic,
 for example, to give out free flu shots to eligible folks or let folks into
  a sporting event). We just couldn't get past having 95+% locally switched
  and the remainder centrally switched for over 200 buildings many with now
  over 100 APs each without using FlexConnect groups which are limited to
  numbers way too small for our campus.
  
   We can even live comfortably without roaming between buildings. Most
  folks are not used to being able to roam between buildings downtown or many
  cannot roam between apartments off campus.
 
  How did you get around the FlexConnect group problem?
 
 
 
 
  ==
  -jcw
  
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv [
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [
 hr...@lsu.edu]
  Sent: Tuesday, March 17, 2015 9:27 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] ResHall Wireless
 
  I tested FlexConnect on 8.0.110.0. Here are my observations:
 
   * Great alternative to switch data locally (obviously)
   * No AVC support
   * When controller is down, AP goes into standalone mode. Must make sure that
  AP is not able to reach any other controller you don't want. This was fixed
  with an ACL.
   * Client details page does not show client IPv6 address. Client still
  gets IPv6 address. (PRIME does show it if you run a report.)
   * Client details page does not show VLAN ID.
   * Putting AP in FlexConnect mode does not require reboot (Cool!)
   * No IPv6 ACL support
 
  More testing to do, but so far so good.
 
  -Hector
 
 
 
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
  Sent: Thursday, March 12, 2015 11:13 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] ResHall Wireless
 
  We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We
 actually implemented the guest anchor 

Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-18 Thread Jake Snyder
It is expected from an 802.11 perspective.  May not be desirable, but that is 
how the wireless standard works.  Unicasting RAs over the air fixes this.

Sent from my iPhone

 On Mar 18, 2015, at 12:42 PM, Frans Panken frans.pan...@surfnet.nl wrote:
 
 No, it is not. The result is that it breaks IPv6 on local VLANs: clients 
 receive multiple prefixes on local VLANs. 
 
 Jake Snyder schreef op 18/03/15 om 17:51:
  Leaking of RAs between VLANs is expected behavior as RAs are multicast.  
  Because the 802.11 protocol sends multicast traffic as broadcast over the 
  air and every device on a BSSID shares the same group key for encryption, 
  any client can decode any multicast packet, including RAs not on the same 
  VLAN.  Again, this is expected behavior.  The solution to this is to use 
  multicast to unicast conversion for the RA; however, I've never done this in 
  a FlexConnect deployment.
 
 This is also important in IPv4 deployments where you need to secure who can 
 gain access to a multicast stream.
 
 On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken frans.pan...@surfnet.nl 
 wrote:
 We use FlexConnect in both central and local switched mode (v 8.110.6).
 We use a single SSID and distinguish various user groups, differentiated
 by Radius and mapped on different VLANs.
  We observe that VLANs leak traffic to other VLANs. This is in particular
  very undesired with IPv6, where router advertisements from one VLAN are
  broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and
  other broadcast traffic). Even VLANs that are only centrally accessible
  leak traffic to local VLANs.
  
  This is a security issue that in my opinion does not receive the
  desired attention.
 
 Frans
 
 
 
 Watters, John schreef op 18/03/15 om 07:29:
   Please post any results you have if/when you try to expand FlexConnect to your 
   entire campus. It looks like you are close to our size (we now have about 
   125 buildings & about 38K students plus about 4K faculty/staff).
 
  Thanks.
 
  Sent from my iPhone
 
  On Mar 17, 2015, at 4:12 PM, Hector J Rios hr...@lsu.edu wrote:
 
  I've not performed tests to that scale yet. Plus we are only considering 
  this for our ResHalls, of which we have 21 buildings only.
 
  -Hector
 
 
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
  [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
  Sent: Tuesday, March 17, 2015 11:55 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
 
  We played with FlexConnect for a number of months but still could not 
  get what we needed it to do on a consistent basis. Essentially we wanted 
  FlexConnect to drop users into their building VLAN so they would be able 
  to easily interact with the same devices that the wired connections in 
  the buildings could see. As I'm sure you know, this also resolves many 
  of the Apple, Chromecast, etc., problems.
 
  We did have one caveat though that we just couldn't get past -- we 
  wanted to drop faculty/staff into one VLAN and students into another (we 
  can easily return the proper VLAN for a particular client in a 
  particular building from Radius server - FreeRadius with a call to our 
  LDAP server for info) but  we also need to send everything else back to 
  the controller for central switching (e.g., police connections, special 
  bar-code scanners that roam and serve to identify a user, but not being 
  used for client traffic, for example, to give out free flu shots to 
  eligible folks or let folks into a sporting event). We just couldn't get 
   past having 95+% locally switched and the remainder centrally switched 
   for over 200 buildings many with now over 100 APs each without using 
   FlexConnect groups which are limited to numbers way too small for our 
   campus.
 
   We can even live comfortably without roaming between buildings. Most 
   folks are not used to being able to roam between buildings downtown or 
   many cannot roam between apartments off campus.
 
  How did you get around the FlexConnect group problem?
 
 
 
 
  ==
  -jcw
  
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
  [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios 
  [hr...@lsu.edu]
  Sent: Tuesday, March 17, 2015 9:27 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] ResHall Wireless
 
  I tested FlexConnect on 8.0.110.0. Here are my observations:
 
   * Great alternative to switch data locally (obviously)
   * No AVC support
   * When controller is down, AP goes into standalone mode. Must make sure 
   that AP is not able to reach any other controller you don't want. This 
   was fixed with an ACL.
   * Client details page does not show client IPv6 address. Client still 
   gets IPv6 address. (PRIME does show it if you run a report.)
   * Client details page does not show VLAN ID.
  *Putting AP in FlexConnect mode does
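Jake's point in this thread about the shared group key, and the multicast-to-unicast conversion he and Frans discuss as the fix, modelled in Python as an added example (not code from Cisco, Aruba or anyone on the list). The cipher is a labelled stand-in for CCMP, and the stations, VLAN assignments and IPv6 prefixes are constructed; the model shows why a bridged RA is readable by every station on the BSSID and why per-station unicast copies are not.

```python
"""Why RAs leak between VLANs on one BSSID, and what multicast-to-unicast
conversion changes. Constructed model, not Cisco or Aruba code.

The 'cipher' is an HMAC-SHA256 keystream XOR with a short tag; it stands in
for CCMP so the key hierarchy can be shown honestly: one GTK shared by every
station on the BSSID, one PTK per station.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

GROUP_ADDR = "33:33:00:00:00:01"   # IPv6 all-nodes multicast MAC (where RAs go)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for CCMP: nonce || ciphertext || 8-byte tag."""
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:8]
    return nonce + body + tag


def unprotect(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, body, tag = frame[:12], frame[12:-8], frame[-8:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class Station:
    name: str
    mac: str
    vlan: int                      # VLAN returned by RADIUS for this user
    ptk: bytes = field(default_factory=lambda: os.urandom(16))   # pairwise key
    prefixes: Set[str] = field(default_factory=set)

    def hear(self, dst: str, frame: bytes, gtk: bytes) -> None:
        """Every station on the channel hears every frame; decoding needs the key."""
        key = gtk if dst == GROUP_ADDR else self.ptk
        pt = unprotect(key, frame)
        if pt is not None:
            self.prefixes.add(pt.decode())


class Bss:
    """One SSID/BSSID carrying several RADIUS-assigned VLANs."""

    def __init__(self, stations: List[Station]):
        self.stations = stations
        self.gtk = os.urandom(16)  # single group key for the whole BSSID

    def _radiate(self, dst: str, frame: bytes) -> None:
        for sta in self.stations:
            sta.hear(dst, frame, self.gtk)

    def bridge_ra(self, prefix: str) -> None:
        """FlexConnect-style bridging: the RA stays group-addressed and is
        protected with the GTK, so every station on the BSSID decodes it,
        whatever VLAN it was mapped to."""
        self._radiate(GROUP_ADDR, protect(self.gtk, prefix.encode()))

    def convert_ra(self, vlan: int, prefix: str) -> None:
        """Multicast-to-unicast conversion: one PTK-protected copy per station
        on the VLAN the RA belongs to. Other stations still hear the frames
        but hold the wrong key."""
        for target in self.stations:
            if target.vlan == vlan:
                self._radiate(target.mac, protect(target.ptk, prefix.encode()))


RA_BY_VLAN = {10: "2001:db8:10::/64", 20: "2001:db8:20::/64"}   # constructed


def run_scenario(convert: bool) -> Dict[str, Set[str]]:
    """Return the prefixes each station ends up with under either behaviour."""
    stations = [Station("staff", "02:00:00:00:00:01", 10),
                Station("student-1", "02:00:00:00:00:02", 20),
                Station("student-2", "02:00:00:00:00:03", 20)]
    bss = Bss(stations)
    for vlan, prefix in RA_BY_VLAN.items():
        if convert:
            bss.convert_ra(vlan, prefix)
        else:
            bss.bridge_ra(prefix)
    return {s.name: s.prefixes for s in stations}


if __name__ == "__main__":
    for mode in (False, True):
        print("converted" if mode else "bridged", run_scenario(mode))
```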

Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-18 Thread Jake Snyder
Other vendors are doing this too.  I know from a recent presentation at
Atmosphere 2015 that Aruba performs the RA Multicast to Unicast conversion.
It's a known limitation in terms of how the 802.11 protocol works.
Different vendors are implementing different features to overcome it, but
it's an expected thing.

There is currently not support for Multicast to Unicast conversion for
Flexconnect, they simply bridge broadcast/multicast traffic.

On Wed, Mar 18, 2015 at 1:36 PM, Frans Panken frans.pan...@surfnet.nl
wrote:

  Breaking IPv6 is indeed undesirable ;-) Fortunately, other vendors do not
 share your opinion.
 Good news for the majority on this list: the bug is limited to Cisco's
 FlexConnect.
 -Frans



 Jake Snyder schreef op 18/03/15 om 20:19:

 It is expected from an 802.11 perspective.  May not be desirable, but that
 is how the wireless standard works.  Unicasting RAs over the air fixes this.

 Sent from my iPhone

 On Mar 18, 2015, at 12:42 PM, Frans Panken frans.pan...@surfnet.nl
 wrote:

   No, it is not. The result is that it breaks IPv6 on local VLANs:
 clients receive multiple prefixes on local VLANs.

 Jake Snyder schreef op 18/03/15 om 17:51:

 Leaking of RAs between VLANs is expected behavior as RAs are multicast.
 Because the 802.11 protocol sends multicast traffic as broadcast over the
 air and every device on a BSSID shares the same group key for encryption,
 any client can decode any multicast packet, including RAs not on the same
 VLAN.  Again, this is expected behavior.  The solution to this is to use
 multicast to unicast conversion for the RA, however I've never done this in
 a FlexConnect deployment.

  This is also important in IPv4 deployments where you need to secure who
 can gain access to a multicast stream.

 On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken frans.pan...@surfnet.nl
 wrote:

 We use FlexConnect in both central and local switched mode (v 8.110.6).
 We use a single SSID and distinguish various user groups, differentiated
 by Radius and mapped on different VLANs.
 We observe that VLANs leak traffic to other VLANs. This is in particular
 very undesired with IPv6, where router advertisements from one VLAN are
 broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and
 other broadcast traffic). Even VLANs that are only centrally accessible
 leak traffic to local VLANs.

 This is a security issue that in my opinion does not receive the
 desired attention.

 Frans



 Watters, John schreef op 18/03/15 om 07:29:
  Please post any results you have if/when you try to expand FlexConnect to your
 entire campus. It looks like you are close to our size (we now have about
 125 buildings and about 38K students plus about 4K faculty/staff).
 
  Thanks.
 
  Sent from my iPhone
 
  On Mar 17, 2015, at 4:12 PM, Hector J Rios hr...@lsu.edu wrote:
 
  I've not performed tests to that scale yet. Plus we are only
 considering this for our ResHalls, of which we have 21 buildings only.
 
  -Hector
  
 
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
  Sent: Tuesday, March 17, 2015 11:55 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
 
  We played with FlexConnect for a number of months but still could not
 get what we needed it to do on a consistent basis. Essentially we wanted
 FlexConnect to drop users into their building VLAN so they would be able to
 easily interact with the same devices that the wired connections in the
 buildings could see. As I'm sure you know, this also resolves many of the
 Apple, Chromecast, etc., problems.
 
  We did have one caveat though that we just couldn't get past -- we
 wanted to drop faculty/staff into one VLAN and students into another (we
 can easily return the proper VLAN for a particular client in a particular
 building from Radius server - FreeRadius with a call to our LDAP server for
 info) but  we also need to send everything else back to the controller for
 central switching (e.g., police connections, special bar-code scanners that
 roam and serve to identify a user, but not being used for client traffic,
 for example, to give out free flu shots to eligible folks or let folks into
 a sporting event). We just couldn't get past having 95+% locally switched
 and the remainder centrally switched for over 200 buildings many with now
 over 100 APs each without using FlexConnect groups which are limited to
 numbers way too small for our campus.
 
  We can even live comfortably without roaming between buildings. Most
 folks are not used to being able to roam between buildings downtown or many
 cannot roam between apartments off campus.
 
  How did you get around the FlexConnect group problem?
 
 
 
 
  ==
  -jcw
  
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv [
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-17 Thread Jake Snyder
When talking about taking a single SSID and switching some traffic
locally and some traffic centrally there is a way to do that using
RADIUS.


There is a feature called VLAN Based Central Switching.  Based on the
VLAN you return you can switch traffic either locally or centrally.

There are some rules around how this works:
1. If the VLAN passed exists on the flexconnect AP, the traffic is
switched locally.

2. If the VLAN passed does not exist on the flexconnect AP, it is
forwarded centrally.

3. If the VLAN ID doesn't exist on the WLC, the VLAN is assumed bogus
and traffic is dropped onto the interface defined under WLAN/AP Group, as
centrally switched traffic traditionally would be.


The trick is if you need to return an interface group or you have
overlapping vlan IDs.  Today, you can use interface names if the APs
are in local mode, but flexconnect rejects this.  The workaround is to
use the bogus vlan so traffic is forwarded centrally and then define
the AP-Group interface so that it drops onto the correct interface (or
interface group).


I have a request to allow the ability to use interface names when
dealing with flexconnect, but we will see if/when this makes it into
shipping code.


Thanks

Jake Snyder

@jsnyder81
-Original Message-

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John

Sent: Tuesday, March 17, 2015 11:55 AM

To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect



We played with FlexConnect for a number of months but still could not
get what we needed it to do on a consistent basis. Essentially we
wanted FlexConnect to drop users into their building VLAN so they
would be able to easily interact with the same devices that the wired
connections in the buildings could see. As I'm sure you know, this
also resolves many of the Apple, Chromecast, etc., problems.



We did have one caveat though that we just couldn't get past -- we
wanted to drop faculty/staff into one VLAN and students into another
(we can easily return the proper VLAN for a particular client in a
particular building from Radius server - FreeRadius with a call to our
LDAP server for info) but  we also need to send everything else back
to the controller for central switching (e.g., police connections,
special bar-code scanners that roam and serve to identify a user, but
not being used for client traffic, for example, to give out free flu
shots to eligible folks or let folks into a sporting event). We just
couldn't get past having 95+% locally switched and the remainder
centrally switched for over 200 buildings many with now over 100 APs
each without using FlexConnect groups which are limited to numbers way
too small for our campus.



We can even live comfortably without roaming between buildings. Most
folks are not used to being able to roam between buildings downtown or
many cannot roam between apartments off campus.



How did you get around the FlexConnect group problem?


==

-jcw



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios
[hr...@lsu.edu]

Sent: Tuesday, March 17, 2015 9:27 AM

To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] ResHall Wireless



I tested FlexConnect on 8.0.110.0. Here are my observations:



*Great alternative to switch data locally (obviously)
*No AVC Support
*When controller is down, AP goes into standalone mode. Must make sure
that AP is not able to reach any other controller you don't want. This
was fixed with an ACL.

*Client details page does not show client IPv6 address. Client still
gets IPv6 address. (PRIME does show it if you run a report).

*Client details page does not show VLAN ID.

*Putting AP in FlexConnect mode does not require reboot (Cool!)
*No IPv6 ACL support



More testing to do, but so far so good.



-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios

Sent: Thursday, March 12, 2015 11:13 PM

To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] ResHall Wireless



We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We
actually implemented the guest anchor controller solution last year
with dual controllers (WLC2504) and we've been happy.



I like Britton's idea of using FlexConnect at the dorms to switch the
student data locally. However, I believe there are some limitations
that would keep us from using it such as no support for AVC, and some
limitations on IPv6.



-Hector



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne,
Bruce W (Network Services)

Sent: Thursday, March 12, 2015 7:42 AM

To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
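The VLAN Based Central Switching rules Jake Snyder lists in his 2015-03-17 message (local if the RADIUS-returned VLAN exists on the FlexConnect AP, central if it exists only on the WLC, AP Group interface if the WLC does not know the VLAN, interface names rejected), modelled as an added example that is not code from the list or from Cisco. The VLAN inventory, the interface-group name and the RADIUS attribute dictionary are constructed assumptions; the Tunnel-Type/Tunnel-Medium-Type values are the standard RFC 3580 ones.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed FlexConnect inventory for this example: VLANs trunked to the AP,
# VLANs known to the WLC, and the interface group set under the WLAN / AP Group.
AP_LOCAL_VLANS: Set[int] = {10, 20}        # e.g. students, faculty/staff
WLC_VLANS: Set[int] = {10, 20, 30}         # 30 exists centrally only
AP_GROUP_INTERFACE = "police-ifgrp"        # hypothetical interface group name


@dataclass(frozen=True)
class Decision:
    mode: str                  # "local", "central" or "rejected"
    vlan: Optional[int]        # VLAN the client lands on, if VLAN-based
    interface: Optional[str]   # WLC interface/group used when the VLAN is bogus
    reason: str


def vlan_from_radius(attrs: dict) -> Optional[int]:
    """Read the VLAN from RFC 3580 tunnel attributes (Tunnel-Type 13 = VLAN,
    Tunnel-Medium-Type 6 = IEEE-802). None if the server sent an interface
    name or no numeric VLAN at all."""
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return None
    try:
        return int(attrs["Tunnel-Private-Group-ID"])
    except (KeyError, ValueError):
        return None


def switching_decision(attrs: dict, ap_vlans: Set[int] = AP_LOCAL_VLANS,
                       wlc_vlans: Set[int] = WLC_VLANS,
                       ap_group_interface: str = AP_GROUP_INTERFACE) -> Decision:
    vlan = vlan_from_radius(attrs)
    if vlan is None:
        # Interface names are accepted by local-mode APs but rejected by FlexConnect.
        return Decision("rejected", None, None, "interface name not accepted in FlexConnect")
    if vlan in ap_vlans:
        return Decision("local", vlan, None, "rule 1: VLAN exists on the AP")
    if vlan in wlc_vlans:
        return Decision("central", vlan, None, "rule 2: VLAN exists only on the WLC")
    # Rule 3, which is also the workaround: a VLAN unknown to the WLC is treated
    # as bogus and the client is placed centrally on the AP Group interface.
    return Decision("central", None, ap_group_interface,
                    "rule 3: bogus VLAN, placed on AP Group interface")


def radius_accept(vlan_or_name: str) -> dict:
    """Access-Accept attributes a FreeRADIUS policy would return (constructed)."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan_or_name}
```

Returning a deliberately unknown VLAN (say 999) is how the post forces a client onto the AP Group interface group when an interface name cannot be returned.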