RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-11 Thread James Andrewartha
I'm not too familiar with how Aruba handles ARPs, does it do proxy ARP? I have 
seen Apple devices go to sleep before all broadcast/multicast traffic is sent 
by the AP, although that was 5 years ago. So I can believe that a behaviour 
change could cause increased ARPs if the devices aren't seeing them.

Sent from my Galaxy



 Original message 
From: "Turner, Ryan H" 
Date: 12/9/21 09:16 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

We actually are allowing MORE ARPs. Apparently when policing kicks in, all 
connections are affected. It can cause clients to freeze/not connect.  So we 
actually turned the knob in the opposite direction.  We were seeing counters to 
what amounts to large quantities of controller pauses when the ARPs went over 
an arbitrarily set number.  Our wireless architect can reply with the details.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Sep 11, 2021, at 12:32 PM, Enfield, Chuck  wrote:


Hi Ryan,

When you say that you detuned ARP policing, do you mean that the ARP policing 
on the underpinning network is now more aggressive (aka, dropping more ARP?)  I 
ask because I’ve been wondering why we aren’t seeing this problem when other 
schools that made the same changes we did still are.  We upgraded our 
underpinning network over the summer, and we’re dropping way more ARP than we 
were on the old network.  Your post just made me realize that may be protecting 
our controllers.  We’ve been considering changes, but we switched to an 
EVPN/VxLAN architecture.  We’re not completely sure what the consequences of 
this ARP policing are, so we’ve been holding off any changes.  If you had to 
police more aggressively to solve your problem, then we won’t start 
experimenting with our policers.

Thanks,

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turner, Ryan H
Sent: Saturday, September 11, 2021 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

We had to make major changes to bring stability to Khrushchev environment.  I 
think we have at this point.

We had to significantly detune the ARP policing policies.

We had to block virtually every SNMP poller.

We had to reboot our controllers.

We had to put in place an ACL to block communication from the Mobility masters.

A ridiculous amount of work to basically get us where we were 2 years ago and 
we probably have 15% lower connections compared to then.  I am hoping that the 
upcoming firmware fix will allow us to at least reverse the ACL and SNMP 
pollers. At this point we are pretty blind into information on individual 
connections.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


On Sep 10, 2021, at 4:25 PM, Johnson, Christopher <cbjo...@ilstu.edu> wrote:

I haven’t heard anything as of yet. Although interestingly while doing a 
packet-capture to monitor ARP/DHCP rates – noticed one client sending 
DHCPRequests about 3-4-5 times a minute – and disassociating/re-associating 
constantly – and from the received signal strength of the client – there didn’t 
appear to be any reason for this iPhone – 14.7.X – to behave in such a manner. 
So I’m wondering if that’s not an isolated behavior.

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Viou, Robert
Sent: Friday, September 10, 2021 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with 

Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread James Andrewartha
Microsoft note this behaviour and have some sort of workaround in their NPS MFA 
extension: 
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole, use MFA to 
provision a client cert and do EAP-TLS instead.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Manon Lessard
Reply to: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, 26 August 2021 at 10:20 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA

A question not directly related to Wi-Fi, but related to ISE which seems to be 
something some of you use.

We are currently authenticating a VPN test group via ISE through NPS servers 
(defined as a token server).
The goal is to do MFA with Azure through the Authenticator app on people’s 
phones.
Everything works, but Authenticator pops up for confirmation, sometimes 2 to 3 
times, even if one has accepted the first confirmation…

I would like to have feedback from people who used something like that and have 
solved the multiple Authenticator prompts.

Thank you

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Information Technology Directorate
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada

418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca

Notice of Confidentiality



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread James Andrewartha
Which is great and I agree with, but Android went and made it really hard to 
onboard a private CA, and so now people are going back to public certs for EAP 
to lower their support burden.



Sent from my Galaxy



 Original message 
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 9/8/21 20:42 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Elton, Norman N
Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Elton, Norman N
Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.


Thanks!

Norman

Norman Elton
Director
W IT Infrastructure
wne...@wm.edu / 757-221-7790

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jonathan Miller
Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's 

Re: [WIRELESS-LAN] Aruba 8.7 issues

2021-05-18 Thread James Andrewartha
On 19/5/21 5:07 am, Johnson, Christopher wrote:
> So how’s the ArubaOS 8.7 code train treating everyone these days? We’re
> looking at doing some maintenance here shortly and moving from 8.5.0.11
> to 8.6 code train for some mini OS enhancements – and looking at a
> couple AP-575 APs (which of course requires 8.7 minimum) – from this
> thread I’m getting a strong “Do Not Engage” vibe. But interested in
> everyone’s thoughts given the additional few months that have passed
> since then?

We run mostly 515s (~150) with ~10 503Hs (which are the reason we went
from 8.5.0.11 to 8.7.1.1, now on 8.7.1.3). Since upgrading there are
multiple AP crashes per day on both 515 and 503H platforms. There's not
a common crash signature, but reading between the lines I think there's
some sort of memory leak that is affecting them. TAC have said they have
had to go to Broadcom for a fix. Honestly it's not actually too bad
since they reboot and come back into service automatically. But I still
wouldn't recommend it if you have either model.

Also on 8.7.1.1 I had a weird problem with the 515s where they would
randomly start getting 50% packet loss, which would clear after a
reboot. I haven't seen that since going to 8.7.1.3 40 days ago so I
think it's fixed. This one was more of a problem since clients would try
to connect and fail and not try another AP, so it actually caused
ongoing outages.

We also have a 375 and 377 but they've been fine.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread James Andrewartha
Printing has auth, any decent screen mirroring solution requires a PIN, plus 
AirGroup or similar to limit by location.

Sent from my Galaxy


 Original message 
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 16/4/21 22:22 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?


Exactly- hence the notion of simplifying… relying on application security, 2FA 
etc for actual security while making simply connecting much, much easier.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?



Just keep in mind that OWE does not have an identity layer.



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:08
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?



One more for you all- anyone contemplating ditching 802.1X for the BYOD side of 
your WLAN (not managed laptops and “business” clients) and simplifying with 
OWE/WPA3? Like… the open network that’s actually moderately secure leveraging 
the latest security options?



Thanks,



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu




Re: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

2021-04-12 Thread James Andrewartha
On 13/4/21 7:20 am, Curtis K. Larsen wrote:
> Curious to know if any have removed or recently raised the rate limit on
> the Guest Wi-Fi network at your institution, particularly large
> universities or hospitals.  If you have taken that step how is it
> going?  Also curious to hear what speeds you rate limit to if it is rate
> limited and how you came to that conclusion.  

There was a talk about this at WLPC Phoenix 2019:
https://wlanprofessionals.com/the-netflix-effect-on-guest-wi-fi-jim-palmer-wlpc-phoenix-2019/

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



RE: [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
I’m arguing on behalf of the many poorly-resourced environments where NPS has a 
marginal cost of zero, and that enabling TOFU would be a simple thing to 
improve their security. Most of these places don’t have the budget or expertise 
for something like CPPM (I have it and even I’m intimidated by it). Microsoft 
isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported 
in Azure). It’s the responsibility of vendors to provide accessible tools for 
security.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turpin, Max
Sent: Sunday, 17 January 2021 7:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert 
Verification

You do have to maintain a PKI or have someone else do it, but CRLs are hardly 
necessary if you do identity checking as part of your RADIUS service. If you 
want to do posture checking you will need to use some sort of agent (as far as 
I know), so that could certainly be part of your onboarding solution.

The fact that the majority of environments fail to deploy 802.1X correctly 
doesn’t take away the responsibility of institutions to fix it and provide a 
secure solution to users even if it means educating the administration and 
users on what must be done now to access the network. And as we almost all 
know, the problem is not a technical one now, but one of communication.

Max


On Jan 16, 2021, at 10:56 AM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> wrote:

Certificate enrolment sucks for BYOD though, there’s no ongoing posture 
checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a 
limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no 
others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

EAP-TLS is modern, strong authentication. And enrollment can even use 
passwordless.
Imagine if browsers operated on the TOFU model?
*tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:31:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification


I disagree, but OWE or SAE with a captive portal then? At least I can use 
modern authentication methods like hardware keys and TOTP with a browser.


--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



Because trust on first use is almost as bad as not trusting at all.

Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.

Tom



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



Why couldn’t Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?


--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

RE: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
Certificate enrolment sucks for BYOD though, there's no ongoing posture 
checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a 
limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no 
others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

EAP-TLS is modern, strong authentication. And enrollment can even use 
passwordless.
Imagine if browsers operated on the TOFU model?
*tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:31:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification


I disagree, but OWE or SAE with a captive portal then? At least I can use 
modern authentication methods like hardware keys and TOTP with a browser.


--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



Because trust on first use is almost as bad as not trusting at all.

Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.

Tom



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



Why couldn't Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?


--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



> "many colleges provided instructions as such."



This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.



These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara <asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

-Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu


RE: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
I disagree, but OWE or SAE with a captive portal then? At least I can use 
modern authentication methods like hardware keys and TOTP with a browser.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Because trust on first use is almost as bad as not trusting at all.
Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.
Tom

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification


Why couldn't Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?


--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



> "many colleges provided instructions as such."



This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.



These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara <asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

-Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu


RE: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
Why couldn't Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> "many colleges provided instructions as such."

This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.

These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara 
<asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
Correct Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

-Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu



Re: [WIRELESS-LAN] Client roaming

2020-10-14 Thread James Andrewartha
This is why I would suggest turning band select off. If you assume the
majority of clients are well-behaved, or at least can make better
decisions than the AP, then band-select is just going to confuse things.
A few years ago we used to have only Macs and iPads and would regularly
see 80%+ on 5GHz without any band selection on the APs.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

On 10/10/20 3:32 am, Jake Snyder wrote:
> One thing to keep in mind is that iOS devices start behaving poorly when
> they have no good option above -65.  That’s the threshold they prefer
> 5GHz and when you combine that with “hallway design” and “band select”
> you are asking for a bad time.
> 
> Scenario:
> Client doesn’t see 5GHz above -65.  2.4GHz looks better, client tries to
> associate and band select tries to send them back.  Client doesn’t think
> 5GHz meets its requirements, tries to associate on 2.4GHz.  Round and
> round they go.
> 
> If you need band select for devices like iOS that prefer 5GHz, you
> likely don’t have enough 5GHz coverage, and trying to force them to 5GHz
> only results in issues.
> 
> A better approach is to have at least 6 dB of transmit power more on 5GHz
> than 2.4.  This makes 5GHz generally look more attractive so clients
> naturally pick it, band select not needed.  You can easily do this with
> TPC min/max settings.
> 
> Also keep in mind when looking at your survey reports.  -65 is as
> measured by the device, not your fancy sidekick or aircheck.  Figure you
> need an extra 7-10 dB delta to overcome the limitations of some mobile
> devices.  That puts you at -58 to -55 as measured.



Re: [WIRELESS-LAN] mdnsEXT - Educause Wireless Petition 2012 to Apple

2020-09-03 Thread James Andrewartha
Hi Christopher,

On 4/9/20 5:44 am, Johnson, Christopher wrote:
> So while prepping an answer for why mDNS isn’t “just turned on –
> filtered – controlled” in regards to the Zoom Share Screen (iPhone/iPad
> Option) – I was surprised to find a bit more history between Educause
> Wireless and Apple via an old petition back in 2012. So I was interested
> to find that the Educause Wireless Admins actually had a petition
> against Apple for mDNS in enterprise environment back in 2012. Did
> anything “really” come from this and mdnsEXT? I searched the listserv
> archives and only found one post in November 2012.

The Extensible Scalable DNS Service Discovery working group was formed
at the IETF and eventually various RFCs have been published
https://datatracker.ietf.org/wg/dnssd/documents/ but I don't know of any
actual implementations. OK, I read RFC 8766 (Discovery proxy for mDNS
DNS-Based Service Discovery) and it says DNS Push Notifications (RFC
8675) is implemented in iOS 13 and macOS 10.15, and there are several test
implementations of RFC 8766 but nothing I'd call production ready. So
that's what you get after 8 years of the standards process, which is
about how much progress I was expecting when this all kicked off.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread James Andrewartha
On 20/8/20 1:01 am, Smith, Todd wrote:
> If I come onto your institution then I would have to accept your
> certificate chain to be granted access.  Why should I trust your chain
> over a major CA provider?  Obviously, you have the control and authority
> to insist on whatever access conditions that you find acceptable, but in
> my case I don’t and I use third-party certs since they are acceptable by
> practically every device.

The risk is not about the initial trust, the risk is that with a public
CA, an attacker can obtain a certificate signed by the same CA, and
spoof your SSID and obtain PEAP credentials with their validly-signed
RADIUS server. Since most clients won't be configured with the specific
RADIUS server names and will trust any server signed by the same CA,
they will connect to this spoofed SSID without prompting the user. And
then, given the way PEAP works, they'll have a password-equivalent
secret for the user.

If you have a private CA for your RADIUS servers, nobody else can obtain
a certificate signed by it (well unless they hack your servers).

This is a marginal but not insignificant risk to poorly configured
clients. I definitely agree that vendors (both client and wifi
infrastructure) should make EAP-TLS easier to deploy.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
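As an added illustration of the client-side gap James describes (a supplicant that trusts any RADIUS server signed by the same CA because no server name is pinned), here is a small audit script, not code from this thread or from any vendor. It uses wpa_supplicant's network-block syntax as a stand-in for the Windows/Mac profiles discussed, and the sample config, SSIDs, CA file paths and the list of "public bundle" filenames are constructed assumptions.

```python
"""Audit wpa_supplicant-style EAP network blocks for the trust weakness
described in the thread: PEAP/TTLS networks that accept any server
certificate, or any certificate from a public CA, with no RADIUS server
name pinned. The config below is constructed for this example."""
import re

# Constructed sample: three network blocks with different trust settings.
SAMPLE_CONF = """
network={
    ssid="campus-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="campus-public-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    password="hunter2"
    ca_cert="/etc/wpa_supplicant/private-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

# Tunnelled methods that send a password (or password-equivalent) inside TLS.
TUNNELLED = {"PEAP", "TTLS"}
# wpa_supplicant options that bind the server certificate to a specific name.
NAME_PINS = ("domain_match", "domain_suffix_match", "altsubject_match",
             "subject_match")
# Filenames assumed to be system-wide public CA bundles: trusting one of these
# without a name pin means trusting every server certificate any public CA issues.
PUBLIC_BUNDLES = ("ca-certificates.crt", "cert.pem", "ca-bundle.crt")

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for m in BLOCK_RE.finditer(conf):
        nets.append({k: v for k, _quote, v in KV_RE.findall(m.group(1))})
    return nets


def audit_network(net):
    """Return a list of findings for a single network block (empty = OK)."""
    findings = []
    if net.get("eap", "").upper() not in TUNNELLED:
        return findings  # EAP-TLS and non-EAP networks are out of scope here
    ca = net.get("ca_cert")
    pinned = any(k in net for k in NAME_PINS)
    if not ca:
        findings.append("no ca_cert: any server certificate is accepted")
    elif ca.endswith(PUBLIC_BUNDLES) and not pinned:
        findings.append("public CA bundle without server name pin")
    elif not pinned:
        findings.append("no server name pin (domain_match etc.)")
    return findings


def audit(conf):
    """Map each SSID to its findings."""
    return {n.get("ssid", "?"): audit_network(n) for n in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "OK")
```

Only the third block passes: it names a private CA and pins the server name, so a certificate from another issuer, or for another hostname, is rejected before any credentials are sent. The same checks map onto the Windows "connect to these servers" / trusted root CA settings and the equivalent macOS profile keys.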



Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-20 Thread James Andrewartha
On 21/7/20 11:04 am, Tim Cappalli wrote:
> Both major Wi-Fi vendors have Passpoint offerings that are either
> available or in preview.

I'm talking about the client side. Intune doesn't even have a CA either
(no, the short-lived one for conditional access doesn't count). Where's
the Microsoft supported agent that does device-specific TTLS-PAP like
you suggest?

Also https://www.securew2.com/blog/pitfalls-of-eap-ttls-pap/ is the top
google result for [TTLS-PAP], admittedly it's about user credentials not
device credentials but it's still a risk.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-20 Thread James Andrewartha
On 21/7/20 5:21 am, Tim Cappalli wrote:
> Passpoint solves all of these issues.

Where is the vendor support for it? Autopilot white glove doesn't even
support wireless networks at all.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-19 Thread James Andrewartha
On 19/4/20 4:08 am, Turner, Ryan H wrote:
> All,
>
> We think we resolved it.  As others said before, it was the port that
> was wrong.  As soon as we changed it to 1700, everything worked.  The
> thing that has me scratching my head is why the Cisco WLC would be
> responding with properly formatted NAKs when we were sending to the
> wrong port.  This is probably a bad analogy, but it would be like your
> http server deciding to respond to a random port instead of 80.
>
> Happy this worked out, and I appreciate the captures.  As it turns
> out, we are still sending the AVP type 55, and the WLC is not complaining.
>
I would be interested to see what you have in XMC/Control/Access
Control/Configuration/Global Settings/Engine
Settings/Reauthentication/Switch Reauthentication Configuration/the
appropriate sysObjectId for the Cisco WLC/Edit.../RFC 3576
Configuration, and then what Manage RFC 3576 Configurations... has. I
have this, which has the correct port:

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877




Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-14 Thread James Andrewartha
On the specific bug that Ryan is talking about, I was speaking today
with a local partner who was experiencing the bug as well (and I believe
has contacted Ryan offline), and their workaround was to change the
SSIDs to bridge mode. We already made that change for unrelated reasons*
during our final week of PoC testing which probably explains why we
didn't see it recently.

I will say that Aruba support seems to be very quick to point fingers at
the rest of your infrastructure (DNS, DHCP, RADIUS etc) and so you have
to prove it's working, even though it's not been an issue up until the
point of the bug. I can understand this attitude but granting a little
bit of trust that we have our environment configured correctly since it
was working fine with another vendor would be nice.

*Airgroup wasn't controlling Airtames correctly, I have a TAC session to
gather traces scheduled for tomorrow

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-10 Thread James Andrewartha
Hi all,

I read this thread with some trepidation, since we're just finishing up
a rollout of 150 AP515s on 7205s. We chose this platform after a nearly
6 month PoC, because we were hitting a high-impact but low occurrence
and unreproducible bug with our Surface Book 2 fleet when connected to
our Extreme Wireless network. Microsoft was unable to fix this bug (and
it definitely was a client bug, their debug traces showed the Surfaces
dropping BAR packets from the AP), so instead I hope they can fix the
new bug we found the Surfaces have with Aruba APs, which is low-impact
but occurs frequently (several times a minute) and so is highly
reproducible. More on the Surface bugs below, but I had also seen the
Aruba bug where the client loses connectivity for 5 minutes or so, HE
was disabled at the time. It's easiest to spot this in Airwave, there
will be a period of no traffic transferred for the client. We didn't
have any problem reports in the last few weeks of testing though, while
running on 8.5.0.3, so maybe it was fixed? The user group (Maths
teachers) were very good in reporting issues, although not always in a
timely fashion. Our new production install is running 8.5.0.5 but I'll
probably be upgrading to 8.6.0.1 before the teachers get back from
summer holiday.

I will strongly agree with the others in this thread who have posted
that the support of your local partner and vendor TAC and account team
should be high on your consideration. The PoC was a tortured process,
definitely not helped by the fact that the partner's engineers were in
another state, and the local Aruba SE had just left, and a new one
wasn't hired until October or so. I've also found Aruba TAC to be not
great in my brief experience with them, certainly not compared to
Extreme GTAC where I have on several occasions dealt directly with a
developer, including one instance where we bisected code one evening to
identify what change caused 2.4GHz to not work on AP3825s. The Aruba SE
from another state did visit and let me know we should have set
ReversePathFwdCheckPromisc on the ESXi host, as we were seeing
connectivity problems that were DHCP related, and that was the fix. It
is documented, but only in the appendix of the install guide
https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/install-guide/virt-appl/appendix/nic-team-vswi.htm
and not in the version that Google returns as the first result. That was
2 months of frustration right there, and partly why for the production
deployment I insisted on physical controllers (although the mobility
master is a VM).

In terms of my (probably ill-informed) view of the competitive
landscape, I've seen an Aerohive demo after Extreme acquired them and
was very impressed, but unfortunately they couldn't get me demo APs in
time to do testing before exams started. I believe WiNG isn't going
away, given the large customers who use it. Their latest APs run the
same wireless code and can be managed by Aerohive^WExtremeCloud IQ, WiNG
or XCA, your choice. Cisco, well WLC is legacy and the 9800 series might
be nice, but I'm yet to hear a good word about DNA Center. It's a beast,
it needs 56 cores, 256GB of RAM and 2TB of SSD, and it's not supported
as a VM (although people have made it work
http://blog.vpnv4.com/dna-center-esxi-installation-guide/ ). Meraki, I
don't like their business model. Aruba, well, we chose it in part
because Microsoft use it internally and that prevents them blaming the
wireless when we're getting them to fix their drivers. Mist I've never
used, Ruckus have always had great wireless performance and with
CloudPath are getting their authentication piece in order. Which brings
me to another point, consider the vendor's other offerings like
management systems and RADIUS servers. I've already said my piece about
DNA-C, and Airwave seems to have barely changed since I last used it 8
years ago. Extreme XMC is ok.

I've run out of time today to expound upon the problems with the Surface
wifi chipset, but it seems there is an underlying problem that then
causes different high level problems depending on the AP - I've seen
three different bad behaviours on Extreme, Aruba and Cisco. We've got
200 Surface Pro 7s with Intel AX201 chipsets which I'll hopefully

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

On 10/1/20 12:15 am, Turner, Ryan H wrote:
> We’ve been an Aruba shop for a very long time and have around 10,000
> access points.  While every relationship with vendors have their ups
> and downs, my frustration with the Aruba is finally peaking to the
> point that I am considering making the enormous move to choose a
> different vendor.  The biggest reason is with the 8.X code train, and
> bugs that we just don’t consider appropriate to use in production.  It
> has been one thing after the other, and my extremely talented and
> qualified Net

Re: [WIRELESS-LAN] Apple TV alternative?

2018-06-20 Thread James Andrewartha
On 21/06/18 01:32, Mark Duling wrote:
> Can you elaborate on your comment on how the 4k AppleTV can get stuck in
> an app and need to be RMA'd? I'm not sure what you mean.
> 
> "Just don’t get the 4K version, if they get stuck in an app and lose
> their connection to the MDM you have to RMA them."
Sure. If you have an Apple TV 4K enrolled in MDM (presumably using DEP),
and then push down a profile for single-app mode (say for your digital
signage app), and then the Apple TV 4K loses connectivity with the MDM
(it can happen in various ways, but let's say someone deleted it from
the MDM by accident), then the Apple TV 4K will be stuck in single-app
mode forever.

There is no way to restore it to default config using Apple Configurator
like you can with previous models, since they removed the USB port. The
only solution is to return it to Apple for a replacement under warranty.

I'm not aware of any blog posts about it, this comes from the #apple-tv
channel on the MacAdmins Slack https://macadmins.herokuapp.com/

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


Re: [WIRELESS-LAN] Apple TV alternative?

2018-06-20 Thread James Andrewartha
In short, no. I have lost count of the number of wireless projection devices 
we’ve looked at. Vivi, Crestron AirMedia, Microsoft Wireless Display Adapter, 
Chromecast, Kramer Via Go we’ve had actual hardware, AirParrot, Mersive 
Solstice and the built-in Windows 10 receiver are software we’ve tried, and 
I’ve looked at the specs of Barco WePresent, Lifesize Share, Airtame and 
probably others I can’t remember off the top of my head, and so far none of 
them are as good or as cheap as Apple TVs. Of these, AirMedia does a very good 
Airplay but the cost (like many of the other professional grade ones) is above 
$1000/room, but then again I can’t get the Windows software to work, even under 
an administrator account.

It’s almost at the point where I would suggest having Apple TVs for Apple devices 
and another solution for Windows devices. Particularly with VPP coming to tvOS 
they are reasonably manageable now. Just don’t get the 4K version, if they get 
stuck in an app and lose their connection to the MDM you have to RMA them.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

On 20/6/18, 10:27 pm, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Joseph Bernard"  wrote:

Does anyone have success with a device that is $200 or less that works with 
Apple devices to share video and works with an enterprise wifi network 
(802.1x/PEAP)?

Thanks,
Joseph Bernard







Re: [WIRELESS-LAN] Wireless Options

2018-05-23 Thread James Andrewartha
Well, if you are willing to replace your wired network and APs, I believe 
Extreme APs on Extreme Campus Fabric (802.1aq SPB) will let you assign an I-SID 
per client which will tunnel traffic back to your core, and they can be cloud 
managed. You might not be able to do the I-SID mapping with the current cloud 
release but I would be very surprised if it’s not available later in the year. 
So it’s possible if controller-less is something you or your management truly 
desires (and can stomach a wholesale rip and replace of the entire network of 
course).

Automation you say? Would you like hardcoded backdoor admin accounts with that? 
Or two other CVSS 10.0 exploits? 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dnac
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dna2
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dna

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<lhbad...@syr.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, 21 May 2018 at 9:43 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Options

I struggle with this question, too (cloud versus not) as a long-time user of 
both. The need to trunk VLANs to cloud-based APs in a big environment is more 
of an issue to me than code paradigms. Absolutely nothing could be worse than a 
certain vendor’s appliance-based controller code quality track record over the 
last 12 years. A culture of “accepted suck” seems to pervade over that business 
unit and their most loyal customers, while I scratch my head over why there 
hasn’t been a class-action lawsuit over the entire mess. Now add automation to 
the mix and hang on for THAT thrill ride.

I’d love to have no more controllers, but the VLAN thing is tough to swallow.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Osborne, Bruce W (Network 
Operations)
Sent: Monday, May 21, 2018 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

With a cloud solution, if they mess up feature addition you are stuck with that 
latest version, correct? With controller-based or Aruba Instant type scenarios 
you are in charge of when to upgrade, waiting for stable builds.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield III, Charles Albert [mailto:cae...@psu.edu]
Sent: Friday, May 18, 2018 2:54 PM
Subject: Re: Wireless Options

The other thing that’s going to change is the functionality.  Jeff was on the 
right track when he talked about vendors with a global presence being better 
able to identify bugs, security flaws etc. and promptly diagnose and patch 
them.  They’re also better positioned to apply machine learning and AI to the 
problems of network security and Wi-Fi optimization.  If they’re doing things 
right, the cloud product won’t be a hamstrung version of the controller 
product.  It will be a better version of the controller product.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

One of the difficulties in comparing TCO is around staffing. Both estimating 
how much time staff really spend on the current solution, but also taking into 
account base salary with benefits. At many colleges, benefits can add another 
30%+ to the cost of a person. As such, the elimination (or reallocation) of one 
FTE has a huge impact on on-premise vs cloud comparisons. That single FTE could 
be $100K (salary + benefits) per year, saving (or reallocating) $700K over 
those 7 years.

In a lot of our cloud shift, those FTE’s have been re-allocated into more 
important roles such as security.

Jeff

From: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Thomas Carter 
<tcar...@austincollege.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LA

Rotating 802.1x RADIUS CA certificate

2018-05-15 Thread James Andrewartha
Hi all,

While debugging another problem (Windows 10 client that lost its
certificates and some EAP configuration) I noticed that our private CA
used for WPA2 Enterprise RADIUS auth expires in September next year. The
certificate used by the RADIUS servers is valid until January 2024, but
am I correct in thinking that if the CA has expired the cert won't be
trusted either?

Has anyone rotated their cert and have any tips for managing the flag
day? I'm going to create a new private CA, this time with a 30 year
lifetime, although I imagine it'll be obsolete before then due to
increased crypto requirements. Speaking of which, what are the best
practices for a private CA these days? SHA2 (384bit)? SHA3? RSA?
Elliptic Curve?

We are fortunate in that most of our devices are school owned and so we
can push out wireless configuration. I had a look at the Windows and Mac
configs, and both of those can trust multiple CAs for a given SSID. On
iOS we don't push out wireless config, but we were going to reprovision
the remaining ones anyway at the end of this year so that's fine.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
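As an added illustration of the expiry question above (not code from the post or the school's own tooling): a supplicant only trusts the RADIUS server certificate while every certificate in the chain, issuing CA included, is inside its validity period, so the chain is effectively limited by the CA's notAfter. The certificate names and dates below are constructed to match the post's description.

```python
"""Added example (not from the list post): model how a supplicant evaluates
the RADIUS server's certificate chain, and when the replacement CA has to be
on every client.  Dates are constructed to match the post (old CA expiring
September 2019, server certificate valid to January 2024)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime


def _as_dt(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def chain_valid_at(chain, when):
    """(ok, limiting_subject): the chain is trusted only while EVERY certificate
    in it, issuing CA included, is inside its validity period.  An expired CA
    therefore takes its still-valid server certificate down with it."""
    when = _as_dt(when)
    for cert in chain:
        if not (cert.not_before <= when <= cert.not_after):
            return False, cert.subject
    return True, None


def effective_validity(chain):
    """Intersection of the windows: the period the whole chain is usable,
    whatever the leaf's own notAfter says."""
    return (max(c.not_before for c in chain), min(c.not_after for c in chain))


def rotation_deadline(old_chain, rollout_days):
    """Latest date by which every client must already trust the new CA, given
    how long pushing new wireless profiles takes.  Between this date and the
    old CA's expiry, client profiles should trust both CAs."""
    _, old_end = effective_validity(old_chain)
    return old_end - timedelta(days=rollout_days)


# Constructed chain (hypothetical names): CA good to 2019-09-01, leaf to 2024-01-10.
OLD_CA = Cert("CN=School Private CA", datetime(2009, 9, 1), datetime(2019, 9, 1))
RADIUS_LEAF = Cert("CN=radius.example.edu", datetime(2018, 1, 10), datetime(2024, 1, 10))
OLD_CHAIN = [RADIUS_LEAF, OLD_CA]

if __name__ == "__main__":
    print(chain_valid_at(OLD_CHAIN, "2019-06-01"))   # (True, None)
    print(chain_valid_at(OLD_CHAIN, "2020-01-01"))   # (False, 'CN=School Private CA')
    print(effective_validity(OLD_CHAIN))             # (2018-01-10, 2019-09-01)
    print(rotation_deadline(OLD_CHAIN, 90))          # 2019-06-03 00:00:00
```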


Re: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

2017-10-31 Thread James Andrewartha
ll-shocked Service Desk. To help
>> prevent this in the future (and because we are moving to a new Radius
>> infrastructure), what is the consensus on the following strategies:
>>
>>  
>>
>> Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard
>> with "verify server certificate" enabled
>>
>>  
>>
>> Option 2: Removing all traces of “verify server certificate” from
>> OnBoard configuration and use 2-year certs from CAs
>>
>>  
>>
>> Option 3: Use 2-year CA certificates, enable “verify server
>> certificates” and educate/prepare every two years for connection issues.
>>
>>  
>>
>> Option 4 (probably the best long-term answer): Move to private PKI and
>> EAP-TLS.
>>
>>  
>>
>> Opinions?

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread James Andrewartha
How did you measure the 35% improvement?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of GT Hill <g...@gthill.com>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, 26 September 2017 at 11:47 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Two RF Questions

I know that this is just one example, but I was at a large university site 
(Cisco Wi-Fi) that was running 20/40 channelization. After a switch to 20 MHz 
only, there was a 35% improvement in end-user Wi-Fi experience.

Jake – One feature that I think many people agree is missing in FRA is the 
ability to dynamically turn off a radio. In some cases an extra radio in either 
band hurts more than it helps.

And to just stir the pot a bit, I wish there were SMALLER than 20 MHz 
channelization. In many high density environments 20 MHz is just too big. Give 
me some more radios at smaller channel sizes and I’ll show you a spectacular 
Wi-Fi network. :-)

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jake Snyder <jsnyde...@gmail.com<mailto:jsnyde...@gmail.com>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 9:39 AM
To: 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

My challenge, as I’ve stated on this list before, is that Mac OS X preferences 
width in its AP selection criteria.  So while you may get more capacity, in a 
large Mac environment you lose most of that with Macs hanging onto APs linger 
and having to rate-shift down to slower PHY speeds due to that AP having a 
wider channel than its neighbors. Yes, it’s dumb.  But he’s the driver of that 
lambo.

Also, couple that with increasing the noise floor by 3db every time you double 
the channel width and there are many cases where your lambo just spins it’s 
tires.  All that power and you can’t hook it up.

Remember that spectrum is our constraining resource.

Figure out what width of channel you can run in a building, and run that.  
That’s the best use of spectrum and sure to give you the most smiles/hour on 
your lambo.

I really like what cisco did with FRA.  Give me the ability to see what it 
thinks the overlap is.  I would LOVE to see the same with DBS, and give me what 
width it thinks all the APs in the building can pull off.

Sent from my iPhone

On Sep 26, 2017, at 8:19 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu<mailto:j...@scrippscollege.edu>> wrote:
It’s surprising to me that anyone would purchase a Lamborghini, then disconnect 
ten of the twelve cylinders and drive it at 25 mph on the autobahn.

When I see static 20 MHz channels, or using 40 MHz in only limited areas, I 
wonder what’s behind the purposeful neutering of the system. If you are a Cisco 
customer running 8.1 or above, and not using DBS (Dynamic Bandwidth Selection), 
then it’s the equivalent of the Lamborghini above running on only two cylinders.

Don’t miss out on the significant advancements in bandwidth management. Free 
those resources spent doing point-in-time simulation and surveys for something 
the software doesn’t already do far better at. I promise, DBS won’t hurt a bit 
and your users will thank you a hundred times over.

Jeff


From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Street, Chad A" <cstr...@emory.edu<mailto:cstr...@emory.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 6:59 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

What is your reasoning behind not wanting 40 megahertz channels if you have 
plenty of overhead with your channel utilization?  People saying you should or 
should not do something without Gathering any type of metric worry me.

On Sep 25, 2017 3:28 PM, Chuck Enfield <chu...@psu.edu<mailto:chu...@psu.edu>> 
wrote:

1.  Enable it in places to check 

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread James Andrewartha
600Mbps on a single AP is impressive, is that with a 40MHz or 80MHz channel? 
What sort of client mix is generating that much traffic?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 25 August 2017 at 11:00 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Pair of 8540’s running 8.2.160
About half of all WAPs are now 2800/3800. 3800’s on multi-gig
20Gb Internet connection

3800-series equipped 110-bed residence hall, partially filled with a few early 
arrivals, already seeing peaks at over 600Mbps.

No observed problems yet, but our first-years just arrived and returning 
student are due soon.

Interesting stats:
#1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330 
first-years arrived they did over 12TB of traffic.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 6:22 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Cisco Code Version

2017-08-01 Thread James Andrewartha
Yeah, that fabric paradigm seems … well, let’s just quote from 
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/few.html

> VXLAN

> After a TCP connection flap in the WLC, it takes about five to six minutes to 
> reestablish the connection. During this time, the access tunnels gets reset 
> during client join.

Table 2 AP Support

  AP             Support
  11N            No
  11AC Wave 1    Yes
  11AC Wave 2    Yes
  Mesh           No

Table 3 Client Security

  Security               Support
  Open and Static WEP    No

Table 4 IPv6 Support

  IPv6                   Support
  IPv6 Infra Support     No
  IPv6 Client Support    No



And it needs a whole ‘nother controller (APIC-EM) with supported switches 
http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/datasheet-c78-739052.html
 and WLC (8540, 5520, 3504 only).

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<lhbad...@syr.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, 1 August 2017 at 8:10 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco Code Version

I’m interested here, greatly… but:


-  8.5 will have to bake thoroughly for us. Not touching it until MR3 
or beyond. Zero trust or faith in early WLC code anymore- seems it’s all beta 
quality at best anymore.

-  Need to see if Cisco requires more licensing in ISE somehow to 
enable the feature (we only use ISE for basic RADIUS right now), and what the 
complexity to implement ends up being.


But if it scales, and if it isn’t nonsensically licensed, and if the code that 
supports it is eventually solid, and if you can use it without getting sucked 
into an immature, complicated, buggy fabric paradigm, it could be hugely 
enabling in certain environments.


-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Tuesday, August 01, 2017 12:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Code Version

Thanks, I am aware it’s any radius server so it seems I identified my issue a 
bit hastily… or not at all ☺
It’s been a while since I played with an Aerohive AP but 3 years ago it was so 
easy to get this up and running on a single AP with different vlans and there’s 
self-registration as well. There were enterprise concerns about how that scales 
and redundancy back then and I haven’t followed the progress of that.

The radius method means it’s not quite an out of the box solution that was so 
simple with PPSK, but perhaps this is architecture requirements…  I guess it 
might be that easy if you're using ISE. We are pretty keen to use this at some 
level, ideally with self-rego offering. Using freeradius I’m sure we can 
achieve this, but ongoing management could become interesting/a fair bit of 
development for the self-rego. No doubt we’ll look further into it in a couple 
of months once a few other priorities are ticked off

Regards

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Samuel Clements
Sent: Tuesday, 1 August 2017 11:51 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco Code Version

From the iPSK config guide at:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.pdf

"IPSK can be configured on any AAA server that supports Cisco av-pair."

 -Sam
This email sent from a mobile computing device. Please excuse typos and brevity.

On Jul 31, 2017, at 8:40 PM, Mccormick, Kevin 
<ke-mccorm...@wiu.edu<mailto:ke-mccorm...@wiu.edu>> wrote:
I just looked at the IPSK video from Cisco here.

https://www.youtube.com/watch?v=deEv-aNXfL0

Not 100% sure ISE is required by the sound of the video.

They say a radius server such as ISE, and of course Cisco is going to try and 
sell you ISE.

They are using two Cisco-AV-Pairs which are psk-mode=ascii and psk=, 
along with MAC filtering and AAA override.

You may be able to pass those Cisco-AV-Pairs with any radius server.

Kevin 
McCormick<https://www.youracclaim.com/b

Re: [WIRELESS-LAN] Nyansa vs 7Signal vs ?

2017-07-25 Thread James Andrewartha
Hi Jason,

No comments, but Nyansa and Cape (another hardware-based wifi monitoring 
company, but perhaps US-only since they use T-Mobile uplinks?) are at Mobility 
Field Day 2 this week. You’ve reminded me to take another look at 7Signal 
though; per Caston’s post, we already have a solution that overlaps with Nyansa 
so I won’t be investigating that. Also because my budget is capital-focused 
currently which means I need physical items to stick asset tags on, and 11ac 
Wave 2 APs don’t excite me at all (the only MU-MIMO capable device on campus is 
my personal phone).

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jason Cook 
<jason.c...@adelaide.edu.au>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, 25 July 2017 at 3:02 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Nyansa vs 7Signal vs ?

Hi All,

There’s been plenty of positives mentioned about Nyansa in recent discussions. 
I’m wondering if anyone out there has experience at both 7signal and Nyansa or 
any other systems that do wireless monitoring/alerting in a more detailed way 
than vendor provided gear. The approach for these 2 are obviously quite 
different with I guess varying advantages. Don’t need much detail, just general 
thoughts is good.

Regards

Jason

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
e-mail: 
jason.c...@adelaide.edu.au

CRICOS Provider Number 00123M



Re: [WIRELESS-LAN] Ubiquiti per dorm room WIFI

2017-03-12 Thread James Andrewartha
Hi Michael,

On 12/03/17 00:01, Michael Blaisdell wrote:
> Has anyone looked at the new Ubiquiti IN WALL WAP?  It has what I need. 
> I also believe it answers some of the questions that came up in past
> posts about residence hall WIFI.
> 
> UAP-AC-IW - Ubiquiti UniFi In-Wall 2.4 / 5GHz AC Access Point
[snip]
> I didn't post the link to the data sheet but is listed on the site.

Is it actually available yet? The only in-wall AP I see on ubnt.com
is the 2.4GHz-only one.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] MAC OSX Duplicate IP's

2017-02-27 Thread James Andrewartha
Hi Shayne,

On 28/02/17 11:23, Shayne Ghere wrote:
> Last count, we have 51 Apple TV's, but they aren't on the same network we're
> having problems with.  The TV's are either hard-wired or registered on a
> Wireless network that's not secure and doesn't require any
> authentication...just registration.

Just to confirm, they're on a different subnet too?

So the MAC addresses that are stealing the IP addresses, what sort of
devices are they? Even just the 3 octet prefix would help.

> I'm not a MAC guy at all, so do all MACs have this feature?  Can a MAC
> laptop that is on our secure network do the same thing the Apple TV does and
> create this problem?   It's happening on Iphones/Apple Laptops about 98% of
> the time, but only on the secured network.

A Mac (let's keep MAC for the ethernet concept) can perform this
function, the list according to Wikipedia is:

Apple AirPort Express with firmware version 7.4.1 or 7.4.2[3]
Apple AirPort Extreme with firmware version 7.4.1 or 7.4.2[3]
Apple AirPort Time Capsule[3]
Apple TV (all generations)
Computers running Mac OS X Snow Leopard act as a Bonjour sleep proxy
server when Internet sharing is enabled

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] MAC OSX Duplicate IP's

2017-02-27 Thread James Andrewartha
Hi Shayne,

On 28/02/17 11:10, Shayne Ghere wrote:
> I’m reaching out since we just started having problems with users
> complaining about getting messages on their Mac’s about a duplicate IP
> address on the network.
>  
> When looking in the ARP table of the Cisco Nexus switches, the mac
> address of their computer isn’t in there, however the IP address their
> machine has is owned by another mac address even though both the
> Controller and Prime doesn’t see that machine associated.
>  
> I came across an article that the Arp Cache Timeout on the 6509’s was
> 300 seconds, but the Nexus (7K) has bumped it to 1500-1800 seconds
> now.   That jives with what I’m seeing as the disassociation time of the
> original machine, and the duplicate message (within 20-25 minutes).
>  
> The Arp-Cache timeout on the Controller is set for 1800 seconds, and was
> configured that way since September 2016 (Cisco WLC 8540) with no problems.
>  
> This problem just cropped up within the past two weeks and is gaining
> steam.  Out of the 30 or so devices, 38 are Mac’s and the other two are
> Windows 10 or Microsoft Surface tablets.
> 
> If anyone else is experiencing these issues, or could point us in the
> right direction, I would greatly appreciate it.  Our Server/Radius team
> is fairly sure it’s not on their end, yet after talking with Cisco, I’m
> fairly positive it’s not the Controller/Wireless.  Not finger pointing,
> just asking for some advice.

Do you have any Apple TVs on your network? Apple devices have a lovely
feature called the Bonjour Sleep Proxy that will respond to mDNS queries
for a device that is asleep. The visible side effect is what you are
seeing, the IP address is owned by another MAC address. What sort of
devices are the ones stealing the IP addresses?

For us, the solution was to statically (via DHCP) assign IPs to the
Apple TVs.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

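Added example, not part of the list thread: a small monitor that turns the symptom described above (an IP that is suddenly owned by another MAC, then returns to its original owner once the sleeping host wakes) into a detection. The feed is a constructed, simplified "timestamp ip mac" list such as one might scrape from periodic ARP-table snapshots; the MACs are locally administered dummies, not real vendor OUIs.

```python
"""Added example (not part of the list thread): spot an IP address whose
owning MAC flips between observations, the symptom described above when a
Bonjour Sleep Proxy answers for a sleeping host.  The feed is a constructed,
simplified 'timestamp ip mac' list (as one might scrape from periodic ARP-
table snapshots); the MACs are locally administered dummies, not real OUIs."""
from collections import defaultdict

# Constructed: 10.1.2.50 passes from the laptop's MAC to a second MAC once the
# laptop idles, then back when it wakes; 10.1.2.51 never moves.
SAMPLE_FEED = """\
2017-02-27T10:00:00 10.1.2.50 02:11:22:AA:BB:CC
2017-02-27T10:00:00 10.1.2.51 02:33:44:11:22:33
2017-02-27T10:25:00 10.1.2.50 02:55:66:01:02:03
2017-02-27T10:25:00 10.1.2.51 02:33:44:11:22:33
2017-02-27T10:50:00 10.1.2.50 02:11:22:AA:BB:CC
"""


def oui(mac):
    """First three octets: the vendor prefix asked for in the thread."""
    return mac.lower()[:8]


def parse_feed(text):
    """Return (timestamp, ip, mac) rows with the MAC normalised to lower case."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, mac = line.split()
            rows.append((ts, ip, mac.lower()))
    return rows


def find_ip_takeovers(rows):
    """One (ip, when, old_mac, new_mac) record per change of owner.  A single
    move can be an ordinary DHCP reassignment; the sleep-proxy signature is the
    address bouncing back to its original MAC (see oscillating_ips)."""
    owner, events = {}, []
    for ts, ip, mac in rows:
        prev = owner.get(ip)
        if prev is not None and prev != mac:
            events.append((ip, ts, prev, mac))
        owner[ip] = mac
    return events


def oscillating_ips(events):
    """IPs whose ownership returned to a MAC that held them earlier."""
    earlier, flips = defaultdict(set), set()
    for ip, _ts, old, new in events:
        earlier[ip].add(old)
        if new in earlier[ip]:
            flips.add(ip)
    return sorted(flips)


def takers(events):
    """Each MAC that took an address over (the original owner reclaiming it
    included), with its OUI and the IPs it claimed, so the device type can be
    looked up and a proxy pinned with a DHCP reservation as the thread suggests."""
    claimed = defaultdict(set)
    for ip, _ts, _old, new in events:
        claimed[new].add(ip)
    return {mac: (oui(mac), sorted(ips)) for mac, ips in claimed.items()}


if __name__ == "__main__":
    evts = find_ip_takeovers(parse_feed(SAMPLE_FEED))
    for e in evts:
        print("%s at %s: %s -> %s" % e)
    print("oscillating:", oscillating_ips(evts))   # ['10.1.2.50']
    print("takers:", takers(evts))
```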


Re: [WIRELESS-LAN] 5GHz Channel Width

2016-11-29 Thread James Andrewartha
We’re running a 20MHz channel plan due to our AP density (one per classroom), 
over summer I’m going to look at enabling 40MHz in the less-dense non-teaching 
areas. Whenever I try out DFS channels they always get radared out within a day.

While troubleshooting a performance issue recently I was trying out a 40MHz 
channel width and noticed it was a lot noisier outside the channel bands:

[inline image omitted: spectrum capture of the 40MHz channel]

Picture from Chanalyzer Pro with a Wi-Spy DBx. So that’s another reason to 
avoid 40MHz channels unless you actually get out there and check the RF to 
confirm your channel plan works in practice.

As for dual-radio 5GHz APs, I still think they’re stupid and vendors should be 
making single-radio 5GHz APs. OK, some already do, but they’re low-performance 
(2x2), not high-end (4x4). A single-radio 5GHz AP will fit within 802.3af even 
at 4x4, won’t have internal interference, and will allow better AP positioning. 
Yes, you do need to run an extra cable (although not if you’re already using 
dual-radio APs with 2.4GHz turned off), and it’ll still use a full AP license, 
but at least give us that option *gets off hobby horse*.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Trinklein, Jason R" 
<trinkle...@cofc.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, 30 November 2016 at 5:35 am
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] 5GHz Channel Width

Hi All,

I was just reading a blog article that heavily recommends not to use 40MHz 
channel width in multi-floor environments, particularly where many 5GHz radios 
are used (particularly in our case with Xirrus multi-radio APs). Our campus 
presently uses 20MHz channel width in all buildings. We are testing and 
considering 40MHz width because of the bandwidth benefits for clients. What do 
you use on your campus? Have you found that setting a 40MHz channel width on 
your 5GHz radios has caused too much interference?

Here is the article:
http://divdyn.com/dual-5ghz-radio-aps/

Your thoughts are appreciated.
--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu<mailto:trinkle...@cofc.edu> | (843) 300–8009



Re: [WIRELESS-LAN] Outsourced ResNet

2016-08-05 Thread James Andrewartha
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jake Snyder <jsnyde...@gmail.com<mailto:jsnyde...@gmail.com>>
Date: Friday, 5 August 2016 at 10:41 PM

In the competitive stuff, I am seeing partners leading with Wave1 equipment 
because they get better pricing.

There are also some verticals where stability is more important (healthcare) 
and wave1 APs don't run as bleeding edge code.

Right now I would still buy mid-range Wave 1 APs, because the pricing is 
significantly cheaper, and there’s hardly any MU-MIMO clients yet, Apple 
devices in particular.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877




Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-04 Thread James Andrewartha
Hi Jake,

On 04/08/16 14:19, Jake Snyder wrote:
> Slightly different test, Meraki SSID, with a MBA13 running 10.10.5.

Thanks for giving it a test.

> I did a packet capture on the AP filtered for arp and used wireshark on the 
> Mac with the same capture filter.  I'm only tracking arp requests, since 
> that's all I should see on the MBA.  100% arp requests sent OTA from the AP 
> were seen by the MBA.  But this is an older 11n MBA.  I'll get my hands on an 
> 11ac device tomorrow and rerun the test.

How many ARP requests were on the network? In one case in 75 seconds I
saw 598 on the 10.9.5 laptop, with the 10.11.5 laptop seeing 184.
Filtered with (arp.opcode==1) && (eth.addr==ff:ff:ff:ff:ff:ff).

Filtering just on eth.addr==ff:ff:ff:ff:ff:ff I see 1863 vs 564 packets,
roughly evenly split between NBNS, NetBIOS Browser and ARP requests with
a touch of Dropbox LAN Sync and BOOTP (DHCP). Extending it out to
eth.ig==1 (all broadcast/multicast traffic) it's 4353 vs 1310, with the
addition of mDNS and IPv6.

> Is it possible you are in promiscuous mode in Windows?  You shouldn't see the 
> arp responses for anything that client didn't send, or in responses to the 
> clients request unless promiscuous mode is enabled.  which then isn't a fair 
> test of what the laptop did or did not hear.

My baseline hardware was a 15" Mid-2012 rMBP running 10.9.5, which is
only 11n capable. When rebooted into 10.11 it also exhibits the problem.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-03 Thread James Andrewartha
I tried DTIM 3 (after reading that blog post), but it didn't help, the laptop's 
wifi chipset still just went to sleep and missed packets. Plus, some vendors 
(eg Meraki, Ruckus) don't let you change it anyway. One thing Ruckus does do is 
broadcast to unicast conversion when an SSID has 5 or fewer devices on an AP, 
which masks the issue.

A quick way to demonstrate the problem is to have Wireshark running on a Mac 
with OS X 10.10 or 10.11, and another laptop (either running OS X 10.9 or 
Windows) connected to the same AP, and filter by arp. The first Mac will see 
between 10-40% of the ARP packets of the second laptop in my testing, depending 
on the load.

James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jake Snyder 
<jsnyde...@gmail.com>
Sent: Wednesday, 3 August 2016 8:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How big are your wireless segments?

There was some talk about this with IOS a while back.  Something about Apple 
wanting a longer dtim value (3 seems to be working for a lot of folks).  Dtim 
of 1 seemed to give some grief.

http://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html?m=1



Thanks
Jake Snyder


Sent from my iPhone

>> On Aug 2, 2016, at 9:04 PM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> 
>> wrote:
>>
>> On 02/08/16 04:19, Peter P Morrissey wrote:
>> Given my understanding of the way arp works, not sure I understand how
>> it is possible for a large subnet to cause a client arp table to become
>> exhausted unless that client for some reason is directly communicating
>> with all of the other endpoints on the large subnet.
>>
>> My understanding is that the table is only populated in response to arp
>> queries that the client has initiated, even though it can “hear”
>> responses from other clients that are sent as a broadcast. It is easy
>> enough to verify this on Windows with an arp –a.
>>
>> I also don’t believe that broadcast traffic can have a material impact
>> on clients these days due to increases in CPU power at the magnitude of
>> Moore’s Law.
>
> Sadly there is no Moore's Law for batteries. OS X since 10.10 will
> aggressively sleep and miss broadcast ARP packets. I have seen this on
> four different AP vendors and have the wireless captures to prove it.
> Generally it doesn't cause user-visible problems, and it can be worked
> around by enabling proxy ARP on the APs/controller (if the vendor
> supports it).
>
> It will most likely present problems if the clients are trying to access
> servers on the same subnet and it's the *server's* ARP cache that gets
> exhausted (or simply expires the client). The client will resolve the
> server's MAC address OK, send the SYN packet, then the server will send
> a broadcast ARP request to resolve the client's MAC address, which can
> be missed by the Mac laptop. Depending on the level of broadcast
> traffic, it can take a minute or more with retries before a connection
> is established.
>
> For wireless designs where all data goes through the gateway and there's
> no client communication to other devices on the same subnet you probably
> won't notice a problem as the gateway's ARP cache will always be fresh.
> We saw it because we have a campus-wide flat L2 network shared between
> wired and wireless, and I also noticed a lot of ARP traffic from laptops
> looking for Apple TV IP addresses.
>
> We have filed a ticket with Apple, radar://26488949 if anyone has any
> contacts to escalate it. The fastest resolution we've had for any Apple
> bug is 3 years, so I don't expect this to be fixed any time soon.
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>



Re: [WIRELESS-LAN] How big are your wireless segments?

2016-08-02 Thread James Andrewartha
On 02/08/16 04:19, Peter P Morrissey wrote:
> Given my understanding of the way arp works, not sure I understand how
> it is possible for a large subnet to cause a client arp table to become
> exhausted unless that client for some reason is directly communicating
> with all of the other endpoints on the large subnet.
>  
> My understanding is that the table is only populated in response to arp
> queries that the client has initiated, even though it can “hear”
> responses from other clients that are sent as a broadcast. It is easy
> enough to verify this on Windows with an arp –a.
>  
> I also don’t believe that broadcast traffic can have a material impact
> on clients these days due to increases in CPU power at the magnitude of
> Moore’s Law.

Sadly there is no Moore's Law for batteries. OS X since 10.10 will
aggressively sleep and miss broadcast ARP packets. I have seen this on
four different AP vendors and have the wireless captures to prove it.
Generally it doesn't cause user-visible problems, and it can be worked
around by enabling proxy ARP on the APs/controller (if the vendor
supports it).

It will most likely present problems if the clients are trying to access
servers on the same subnet and it's the *server's* ARP cache that gets
exhausted (or simply expires the client). The client will resolve the
server's MAC address OK, send the SYN packet, then the server will send
a broadcast ARP request to resolve the client's MAC address, which can
be missed by the Mac laptop. Depending on the level of broadcast
traffic, it can take a minute or more with retries before a connection
is established.

For wireless designs where all data goes through the gateway and there's
no client communication to other devices on the same subnet you probably
won't notice a problem as the gateway's ARP cache will always be fresh.
We saw it because we have a campus-wide flat L2 network shared between
wired and wireless, and I also noticed a lot of ARP traffic from laptops
looking for Apple TV IP addresses.

We have filed a ticket with Apple, radar://26488949 if anyone has any
contacts to escalate it. The fastest resolution we've had for any Apple
bug is 3 years, so I don't expect this to be fixed any time soon.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
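The failure mode described in the post above (a server retrying broadcast ARP for a client that sleeps through the requests) is easiest to confirm from a packet capture by counting how many requests go out for one target before a reply comes back. The following is an added example, not code from the post or from any vendor tool: it decodes raw Ethernet/IPv4 ARP frames and reports, per target IP, the number of broadcast requests and the time from first request to reply. The trace it runs over is constructed inline (the addresses 10.0.0.5, 10.0.0.77, 10.0.0.1 and the MACs are made up); on a real network you would feed it (timestamp, frame) pairs from a pcap reader instead.

```python
"""Find ARP requests that go unanswered in an Ethernet trace.

Decodes raw Ethernet/IPv4 ARP frames (wire format, no pcap library needed)
and reports, per target IP, how many broadcast requests were sent before
the first reply and how long the requester waited. A client that sleeps
through broadcasts shows up as a long run of retries for one target.
"""
import struct
from collections import defaultdict
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a 42-byte Ethernet/ARP frame: requests go to ff:ff:ff:ff:ff:ff,
    replies are unicast back to the requester (tha)."""
    dst = BROADCAST if op == ARP_REQUEST else mac(tha)
    eth = dst + mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
           + mac(sha) + ip(spa) + mac(tha) + ip(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an IPv4-over-Ethernet ARP frame; return None for anything else."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "broadcast": frame[:6] == BROADCAST,
        "sender_ip": ".".join(map(str, frame[28:32])),
        "target_ip": ".".join(map(str, frame[38:42])),
    }


def arp_resolution_report(trace) -> dict:
    """trace: iterable of (timestamp_seconds, frame_bytes) in capture order.

    Returns {target_ip: {"requests": n, "answered": bool, "delay": seconds}}
    where "requests" counts broadcast requests seen for that target before
    a reply arrived and "delay" is first-request-to-reply time."""
    pending = {}  # target_ip -> timestamp of the first unanswered request
    report = defaultdict(lambda: {"requests": 0, "answered": False, "delay": None})
    for ts, frame in trace:
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == ARP_REQUEST and arp["broadcast"]:
            report[arp["target_ip"]]["requests"] += 1
            pending.setdefault(arp["target_ip"], ts)
        elif arp["op"] == ARP_REPLY and arp["sender_ip"] in pending:
            entry = report[arp["sender_ip"]]
            entry["answered"] = True
            entry["delay"] = ts - pending.pop(arp["sender_ip"])
    return dict(report)


def slow_targets(report: dict, max_delay: float = 1.0) -> list:
    """Targets that needed retries, never answered, or took longer than max_delay."""
    return sorted(t for t, e in report.items()
                  if e["requests"] > 1 or not e["answered"] or e["delay"] > max_delay)


# Constructed trace, not a real capture: server 10.0.0.5 retries the ARP for
# a sleeping laptop 10.0.0.77 once a second and only the seventh request is
# answered; a wired client resolving gateway 10.0.0.1 gets a reply in 2 ms.
SERVER, LAPTOP = "00:11:22:33:44:05", "00:11:22:33:44:77"
CLIENT, GATEWAY = "00:11:22:33:44:10", "00:11:22:33:44:01"
UNKNOWN = "00:00:00:00:00:00"
SAMPLE_TRACE = (
    [(float(t), build_arp(ARP_REQUEST, SERVER, "10.0.0.5", UNKNOWN, "10.0.0.77"))
     for t in range(7)]
    + [(6.4, build_arp(ARP_REPLY, LAPTOP, "10.0.0.77", SERVER, "10.0.0.5")),
       (10.0, build_arp(ARP_REQUEST, CLIENT, "10.0.0.10", UNKNOWN, "10.0.0.1")),
       (10.002, build_arp(ARP_REPLY, GATEWAY, "10.0.0.1", CLIENT, "10.0.0.10"))]
)

if __name__ == "__main__":
    report = arp_resolution_report(SAMPLE_TRACE)
    for target in slow_targets(report):
        e = report[target]
        print(f"{target}: {e['requests']} request(s), answered after {e['delay']}s")
```

Only broadcast requests are counted, so unicast ARP refreshes (which a sleeping client can receive, since the AP buffers unicast frames for it) do not inflate the retry count; a target that shows many broadcast requests and a multi-second delay is the pattern the post describes.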


Re: [WIRELESS-LAN] 802.11b data rates disabled?

2016-06-21 Thread James Andrewartha
On 21/06/16 12:06, Anthony Croome wrote:
> Exactly, use 24Mbs to avoid weird behaviour.
> 
> We looked at this a few years ago and found that XP could not handle 
> management packets being sent at 48Mb/s or 54Mb/s despite the card connecting 
> at 450Mb/s on 5GHz N or 144Mb/s on 2.4GHz N.
> 
> On 5GHz the laptop could get an IP address but could not ping its gateway.
> On 2.4GHz the laptop could get an IP, it could ping its gateway, but its 
> performance was terrible.
> 
> What we saw from a 5GHz packet capture was the AP continuously sending RTS to 
> the client but never getting any packets from the client.  On 2.4GHz it would 
> reply but only after a random number of RTS were sent.  

I saw a similar situation recently, a new laptop with an Intel AC
chipset was sending continuous RTS at 2Mbps (on 2.4GHz), however the AP
was configured with an 11g protection rate of 11Mbps. Setting that to
2Mbps and the client could talk fine.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

2016-04-07 Thread James Andrewartha
On 07/04/16 19:44, Kees Pronk wrote:
> “you could in theory double the airtime available”
>  
> I would be interested in your actual experience with this. Now that a
> few vendors have taken this approach and others stay away from this.
>  
> Arguments in favor of 5/5 you will find these abundant on the vendors
> marketing pages, but how about :
> 
> Extra COGS (band pass filters etc), extra complexity with your channels
> plans (need a lot of separation between the 5/5 radios), you must enable
> DFS channels on every AP but what about false positive radar detects?
> What about the 2 radio’s  ‘deafening’ each other while trying so
> send/receive at the same time.
>  
> Please keep us posted and maybe others testing with this
> 1.   Innovation
> 2.   Marketing gimmick

My vote is for 2. Marketing gimmick. Why? Because "airtime available"
isn't the limiting factor for 802.11ac performance, it's "distance from
AP" (well, the high SNR required to get the best rates). So I'd much
rather a full-featured AP with a single 5GHz radio than one with two
5GHz or band-selectable radios. That way I can have a nice dense
deployment with low powered APs and not waste money on radios I'm not
going to use. Lowering the AP power also increases the possibility of
using 40MHz channels without interference from other APs, which again is
what you need to get the most out of 11ac.

Yes, there's an increased cost in cabling and switch ports, but OTOH
they should run off 802.3af power, not 802.3at which would delay having
to upgrade some of our older switches.

In terms of our deployment, we have 1 AP per classroom, and sparser
coverage in other areas. I used to see 75-80% on 5GHz, now it's a bit
lower after I reduced the radio power per vendor recommendation. This is
with primarily Apple devices, which are pretty good at picking 5GHz
without band steering.

Outside of classrooms 2.4GHz is still needed for coverage, it goes
through walls in ways 5GHz can only dream of. I tried using DFS channels
and 40MHz at the start of the year but I was getting a lot of radar
alerts so went back to 20MHz and non-DFS in 5GHz.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Peer-to-peer traffic blocking with multiple controllers

2015-07-08 Thread James Andrewartha
It's not Cisco, but applying an ACL on the controller to block access to the 
local subnet might work: 
https://community.extremenetworks.com/extreme/topics/block_mu_to_mu_traffic_ap_filter_rule

Sent from my Samsung device


 Original message 
From: Oliver Elliott oliver.elli...@bristol.ac.uk
Date: 2015/07/08 19:00 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Peer-to-peer traffic blocking with multiple controllers

Hi all

We have a Cisco WiSM2 based wireless system here in Bristol which is steadily 
growing. Cisco offer a feature on their controllers called Peer to Peer 
Blocking, which serves to prevent clients talking to each other. This works 
great if you only have a single controller, however we have 4 pairs in HA, so a 
client can readily see clients that happen to be on a different controller. The 
only solution to this that I can see is to use VACLs/Private VLANs on the host 
Cisco 6500s, but this may have a drastic CPU and/or performance impact on the 
router.

Has anyone else run into this problem and discovered an elegant solution for it?

Oli
--
Oliver Elliott
Senior Network Specialist
IT Services
University of Bristol
e: oliver.elli...@bristol.ac.uk
t: 0117 39 (41131)


Wi-Fi Sense (Windows 10)

2015-06-21 Thread James Andrewartha
Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets 
you share PSKs with your Facebook and Skype friends, although they don't get to 
see it. The only way to opt-out as a network operator is to include _optout 
in the SSID, or use 802.1x.


Given you can run netsh wlan show profile name=SSID key=clear I wonder how it 
will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give each 
user their own individual PSKs per-device.


http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/


--

James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] OSX Re-Prompts to Select a Certificate When Multiple Exist

2015-04-23 Thread James Andrewartha
On 23/04/15 00:08, Curtis K. Larsen wrote:
> For those running EAP-TLS - I am wondering if you've seen this.
> 
> If an OSX 10.10.2, or 10.10.3 device already has other certificates from 
> iCloud or similar in their keychain, and then they add the eap-tls user cert 
> - upon waking their device from sleep they get prompted to select a 
> certificate.  This happens repeatedly even though the user tells the OS to 
> remember this information on the same prompt, and the check box is also 
> enabled in Networks > WiFi > advanced to "Remember networks this computer has 
> joined".  
> 
> If the user selects the eap-tls cert it does of course connect but it is an 
> annoyance to constantly have to re-select when they never had to do anything 
> like that with PEAP.  Has anyone by chance encountered this issue?  Found a fix 
> or work-around?  If so please let me know.

We use EAP-PEAP (MS-CHAP), and see something similar, although we have
Login Window profiles such that the user needs to hit 802.1x Connect in
Network which then uses the network profile. There's some discussion at
https://jamfnation.jamfsoftware.com/discussion.html?id=13810

We did get some eapolclient logs but I can't remember the details, and
our Mac sysadmin is on holidays so I can't ask him either. I'm pretty
sure we have a bug open with Apple, and we didn't even have to pay $800
for the privilege. Personally I'm on 10.10.3 and can confirm it's very
annoying, we're waiting for a fix before upgrading our fleet of laptops.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] 802.11ac AP Deployment

2015-04-12 Thread James Andrewartha
On 11/04/15 15:12, Kevin McCormick wrote:
> Cisco says to use 40 MHz channels on 5 GHz if you have the channels to 
> support it.
> 
> We have more than enough channels in our deployments to avoid overlap, 
> so we have 40 MHz turned on.
> 
> We are also disabling 11b and 11a data rates to weed out the few slower 
> older clients.
> 
> Since almost all our 5 GHz clients are 11n or 11ac they will all take 
> advantage of the 40 MHz.

I've been running 40MHz channels without any noticeable problems, 80% of
devices are in 5GHz. Particularly since we still have a lot of iPad 4s,
which are only 1x1:1 but do support 40MHz channels.

> I agree with Cisco, if you can use 40 MHz without any serious impact, 
> make the change from 20 to 40.
> 
> http://www.cisco.com/web/strategy/docs/education/cisco_wlan_design_guide.pdf

Also 802.11ac is much better at sharing wider channels with neighbouring
APs, so you may as well enable 40MHz or even 80MHz channels, since if
the overlapping channels are busy the client will tell the AP and
they'll fall back to a narrower bandwidth. But otherwise you'll benefit
from the improved speeds.

http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3600-series/white_paper_c11-713103.html#_Toc383047848

http://chimera.labs.oreilly.com/books/123401739/ch03.html#medium_access_procedures

http://chimera.labs.oreilly.com/books/123401739/ch05.html#section-channel-selection

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Mixing ac AP types

2015-02-05 Thread James Andrewartha
On 05/02/15 22:50, Cosgrove, John wrote:
> I am designing a new wireless placement for a 5 story building and I
> have been considering mixing 802.11ac AP types.

Is the switching existing? If so, 802.3af vs at would also inform the
decision.

> Meaning.  Some Cisco 1702’s, 2702’s and 3702’s.  Placement depending on
> estimated client densities.
> 
> Example.  Conference rooms may have 3702’s yet open areas with less
> people population may have a 1702 or 2702.

I'm not particularly familiar with the Cisco range, but
http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/8-0/Cisco_Aironet_3700AP.html
(which covers [123][67]00[ei]) seems to have a pretty good feature
comparison.

Lee, note it says "A single GbE cable is fine for Wave-1. While it is
true 802.11ac (Wave-2) will exceed GbE speeds, there is no need or
requirement for cabling greater than GbE for 802.11ac Wave-1. Installers
wishing to future proof new installations should consider pulling CAT-6a
cables at least 1 and either another CAT6a or a CAT5e cable (this
allows you to fall back to 2 GbE ports) for some iterations of Wave-2
and/or support 10GbE should this emerge as the method. 10GbE has some
challenges such as PoE standardization. Again, for the foreseeable
future, a single GbE is all that is needed."

Plus Cisco appear to have announced multi-gigabit switches for Q2:
http://www.cisco.com/c/en/us/solutions/enterprise-networks/catalyst-multigigabit-switching/index.html

> I usually hear from people to “Keep it all consistent and the same” and
> I remember in the old days if you mixed “G” in with “b-only” ap’s often
> clients would grab the “G” and never let go no matter how bad the signal
> got.  I am thinking if I at least keep things in the same “family” of
> technology it should work out.

I don't think there would be a problem mixing AP types within the same
technology, from the client point of view it'd just be another roaming
decision. There is more information about how clients decide to roam
now, eg http://support.apple.com/en-au/HT203068 and it seems to be
mostly RSSI based. So if you account for the smaller coverage provided
by the lower-end models (per the diagrams in the above Cisco document)
then there shouldn't be any problems.

See also
http://community.arubanetworks.com/aruba/attachments/aruba/WLAN-Pro-Conf-EU-2014/1/1/WLANPro_EU_MobileDevices%20v1.0-airheads.pdf
for more info on what handover is like now (thanks to powersaving) and
how it should be in an ideal world with 802.11k.

> AP’s are a huge multiplier in a project cost and I was wondering if
> anyone else looked at approaching it this way.

I have a similar challenge in that I'm going to be upgrading some of our
n APs to ac this year. In terms of reducing cost, we have a fairly dense
deployment and so I'm still wishing for APs with a single 802.11ac 5GHz
radio since I turn off a fair few of my 2.4GHz radios already, and my
client base is 80% 5GHz. Since we're a K-12 1:1 iPad school, I can at
least predict where the ac clients are going to be as we go through our
3 year refresh cycle.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-15 Thread James Andrewartha
On 10/01/15 06:31, Britton Anderson wrote:
> I found albert.apple.com is the DNS request
> the iPhone makes when trying to activate today. Resolves to one IP in
> Akamai's CDN network from our campus. Will give that a shot today.

I added that, however I also needed to add init.ess.apple.com (found via
wireshark) before activation would succeed. We're using Extreme
(Enterasys) NAC and wifi, which allows DNS whitelisting.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] OS X 10.10.1

2014-11-18 Thread James Andrewartha
From: Trent Hurt trent.h...@louisville.edu
http://support.apple.com/kb/DL1779

In our brief testing it hasn’t solved the problem. I’m not sure why it breaks, 
but when it does 802.1X isn’t established, and the AP is sending EAP Identity 
packets but the laptop isn’t responding. Hitting Connect next to the 802.1X 
appears to kill the supplicant, reassociates once or twice and then 
authenticates successfully. I turned on the extra logging available in Wireless 
Diagnostics (which has gotten even better than in 10.9, check it out), and the 
supplicant doesn’t even log anything when those packets are received, although 
they are noted at the kernel layer.

So it still looks broken, and like it’s a supplicant issue to me. Has anyone 
else tried it out?

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Potentially big news for the 11ac minded concerned with cabling

2014-11-06 Thread James Andrewartha
On 07/11/14 02:00, Frank Sweetser wrote:
> I would strongly encourage everyone to bug all of their vendors about where 
> this is on their roadmap.  I've been asking ours, and they haven't made any 
> commitments yet but they're all well aware of it.

Our AM at Extreme hinted that 2.5Gbps will be coming in their new
stackables which are due next year. 2.5Gbps ethernet has been a thing
for 10 years, but only on PCBs as a single lane of XAUI.

I'd still argue YAGNI in a real-world environment that is limited to
40MHz channels, given that 80MHz and 160MHz don't allow for a lot of
channel re-use. So then 40MHz with 8 spatial streams peaks at 1.6Gbps
theoretical with all clients within 20ft of the AP. Add in overheads,
256QAM being unusable with MU-MIMO [1] and a bit of clients sending
(which I believe can't be MU-MIMO) and you're well under 1Gbps again.

Even if we assume a single 3SS client, 256 QAM and 80MHz channels you're
looking at 1.3Gbps theoretical, which again is going to be under 1Gbps.
IMHO, if you really want to give good performance to everyone, install
dense single-5GHz-radio APs with 1Gbps links rather than trying to push
theoretical boundaries for just a few users.

[1]
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3600-series/white_paper_c11-713103.html

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
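The peak figures quoted in the post above (1.6Gbps for 40MHz with 8 spatial streams, 1.3Gbps for a 3SS client at 256-QAM on 80MHz) and the Cisco "a single GbE is fine for Wave-1" remark quoted in the mixing-AP-types thread below both fall out of the same VHT PHY rate formula. The following is an added example, not from the thread or from any vendor document: it computes the 802.11ac PHY rate from channel width, stream count and MCS index, rejects the width/MCS/stream combinations the standard leaves undefined, and flags which rates could in theory outrun a 1GbE AP uplink. It gives PHY rates only; MAC overhead, which the post says pushes real throughput well under 1Gbps, is not modelled here.

```python
"""802.11ac (VHT) PHY data rate from channel width, spatial streams and MCS.

rate = N_SS * N_SD * N_BPSCS * R / T_SYM
  N_SS     spatial streams
  N_SD     data subcarriers for the channel width
  N_BPSCS  coded bits per subcarrier per stream (1 for BPSK ... 8 for 256-QAM)
  R        coding rate
  T_SYM    OFDM symbol time: 4.0 us (800 ns GI) or 3.6 us (400 ns short GI)
Bits per symbol divided by microseconds is Mbit/s directly.
"""
from fractions import Fraction

DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}

# VHT MCS index -> (coded bits per subcarrier per stream, coding rate)
VHT_MCS = {
    0: (1, Fraction(1, 2)),  # BPSK
    1: (2, Fraction(1, 2)),  # QPSK
    2: (2, Fraction(3, 4)),
    3: (4, Fraction(1, 2)),  # 16-QAM
    4: (4, Fraction(3, 4)),
    5: (6, Fraction(2, 3)),  # 64-QAM
    6: (6, Fraction(3, 4)),
    7: (6, Fraction(5, 6)),
    8: (8, Fraction(3, 4)),  # 256-QAM
    9: (8, Fraction(5, 6)),
}
# Exact fractions so 5760 / 3.6 comes out as exactly 1600, not 1599.999...
SYMBOL_US = {"long": Fraction(4), "short": Fraction(18, 5)}

# (width, mcs, streams) combinations the standard leaves undefined because
# the data bits per symbol do not map onto an integer number of code blocks.
UNDEFINED = ({(20, 9, n) for n in (1, 2, 4, 5, 7, 8)}
             | {(80, 6, 3), (80, 6, 7), (160, 9, 3)})


def vht_phy_rate_mbps(width_mhz: int, streams: int, mcs: int, guard: str = "short") -> float:
    """Peak PHY rate in Mbit/s for one VHT MCS. Raises ValueError for undefined combos."""
    if not 1 <= streams <= 8:
        raise ValueError("802.11ac allows 1 to 8 spatial streams")
    if (width_mhz, mcs, streams) in UNDEFINED:
        raise ValueError(f"MCS {mcs} is not defined for {streams}SS at {width_mhz} MHz")
    n_sd = DATA_SUBCARRIERS[width_mhz]
    bpscs, rate = VHT_MCS[mcs]
    bits_per_symbol = streams * n_sd * bpscs * rate
    return float(bits_per_symbol / SYMBOL_US[guard])


def exceeds_gigabit_uplink(width_mhz: int, streams: int, mcs: int) -> bool:
    """Whether a single client at this MCS could, on paper, outrun a 1 GbE AP uplink."""
    return vht_phy_rate_mbps(width_mhz, streams, mcs) > 1000.0


if __name__ == "__main__":
    for width, nss, mcs in [(40, 8, 9), (80, 3, 9), (80, 2, 9), (40, 3, 9)]:
        rate = vht_phy_rate_mbps(width, nss, mcs)
        print(f"{width} MHz, {nss}SS, MCS{mcs}: {rate:.1f} Mbit/s"
              f"{'  (> 1GbE)' if rate > 1000 else ''}")
```

With the 400 ns guard interval the function reproduces the post's numbers exactly (1600 and 1300 Mbit/s) and shows that the 2SS and 3SS clients actually sold in 2014 stay at or under 866.7 Mbit/s on 80 MHz and 600 Mbit/s on 40 MHz, which is the basis of the "a single GbE is all that is needed" position.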


Re: [WIRELESS-LAN] IO7 devices not connecting to wireless

2014-09-08 Thread James Andrewartha
On 09/09/14 01:08, Muraca, Peppino P. wrote:
> Hi, I was wondering if anyone has been having issues being able to
> connect some iOS 7 devices, iPhone or iPad.
> 
> We have been seeing some devices just not connect to either open or
> secure SSIDs. We have plenty of iPhones and iPads that seem to connect
> fine, but I have a good amount that cannot. From everything I have found
> it seems iOS 7 does have some wireless issues, but I haven’t been able to
> pinpoint a cause or find a solution to get these devices connected.

I can't comment on your particular case, but I'll note that Apple has
some profiles you can install to get debugging information from iOS
devices. If you have a developer account they're at
https://developer.apple.com/bug-reporting/ios/wi-fi/ otherwise your
vendor should be able to pass them on. Note that you have to email the
profile or download it directly on the device, they don't work with
Apple Configurator or a third-party MDM.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] SSID Naming 5ghz

2014-08-11 Thread James Andrewartha
On 12/08/14 11:52, Tristan Gulyas wrote:
> We haven't had the need to explore this as yet.  We run two SSIDs, one
> for guest access and eduroam.  Most of our devices seem to be Apple
> devices which are reasonably successful at picking 5GHz over 2.4GHz.
> 
> We've found that band select seems to be behaving as advertised but we
> haven't investigated in depth.

We're a primarily Apple school, and I don't even have band select
enabled and 81% of my clients are on 5GHz. Most of our SSIDs are on 5GHz
and 2.4GHz, with the Guest SSID only on 2.4GHz in most places. We do
have 1 AP per classroom (yes, I know, it made sense when iPads only had
20MHz/1SS 802.11n).

Which vendors offer 5GHz-only APs? Particularly with 802.11ac being 5GHz
only and performing best at short ranges, it seems like a great way to
provide fill-in coverage and performance, as well as staying within 802.3af.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Chromecast

2014-07-24 Thread James Andrewartha
On 25/07/14 10:55, Mike King wrote:
> There is an interesting development coming on Chromecast.
> 
> From the chromecast blog:
> 
> "...like the ability to allow others to cast to your TV without needing
> to be on the same WiFi network,"
> 
> Essentially they'll put a pin on the screen and you put that in to
> connect to it.

Not necessarily a PIN:
http://gigaom.com/2014/06/26/chromecast-will-use-ultrasonic-sounds-to-pair-your-tv-with-your-friends-phones/

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


RE: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest Access

2014-06-27 Thread James Andrewartha
Actually, a little further reading and I can see PacketFence does allow inline 
enforcement, at which point you have the full power of iptables available to 
you.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James Andrewartha 
[jandrewar...@ccgs.wa.edu.au]
Sent: Saturday, 28 June 2014 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest 
Access

Hi Lee,

Although it is a NAC, PacketFence is GPLv2 and comes with a guest module that 
seems to do everything you want: 
http://www.packetfence.org/en/about/advanced_features.html#c1491. And if 
not, you can code it yourself or engage Inverse to develop it for you.

The only thing from your list that I can't quite see is data rate/session 
duration and firewall rules. I'm guessing for some of those the architecture 
would be to set up policies on your wireless controller and have the 
PacketFence send RADIUS attributes to the WLC to assign the user to the 
appropriate profile. I've only ever briefly looked at ClearPass, but I have a 
feeling it would be subject to the same limitation.

At work we use NetSight/NAC for guest portals, as well as wireless 802.1x 
authentication. I also do MAC auth on our switches, and currently it's mostly 
pass-through authentication for visibility. My goal is to have a way for the AV 
department, building management etc. to register their equipment MAC addresses 
combined with a policy to put them in the right VLAN, so I don't have to 
manually configure the VLAN of switch ports. Maybe one day I'll look at 802.1x 
on wired too, but the tooling around X.509 will have to improve a lot before I 
do.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman 
[lhbad...@syr.edu]
Sent: Saturday, 28 June 2014 1:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest 
Access

Thanks, John. We’re steering away from NAC but will take a look at Netsight.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Friday, June 27, 2014 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Clearpass Bolted Up To Cisco WLAN For Guest 
Access

Lee:

We have that same functionality built-in to the Netsight NAC - by Enterasys now 
Extreme.  I know they sell their NAC to Cisco shops too.  Not exactly what you 
are looking for but if you also want to do something with NAC\BYOD down the 
road this would be an option.  It does everything you mentioned.

John

On Fri, Jun 27, 2014 at 1:11 PM, Lee H Badman 
lhbad...@syr.edu wrote:
Happy Summer!

We run a large Cisco WLAN, and the native guest access functionality has never 
been suitable for our straightforward needs. So, for years, we've used a 
Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:

- Anyone with our 802.1x credentials can sponsor a guest using either guest 
email address or 10-digit mobile phone number
- Any guest can self-sponsor, but only with 10 digit mobile phone number that 
gets the password texted to them
- We control data rate, session durations, firewall rules etc in the Bluesocket 
for guests
- When we need a place to stick oddball wireless devices (like Google Glass) 
that can't do 802.1x we give them a MAC exception in the Bluesocket

This all works great, and is what is right for us (please don’t tell me all the 
different ways we could do guest access, just not what I’m looking for here). I 
know there are many other options out there for guest access/MAC exceptions (we 
also use Twillio on Meraki sites for texting/self sponsor) but I'd love to find 
an exact replacement for Bluesocket that replicates all the same functionality 
from a single appliance that could drop in instead of Bluesocket. Adtran bought 
Bluesocket, and I don't care for their response, support, or direction.

I’m wondering if anyone on the list uses Aruba’s ClearPass solution is with 
Cisco WLAN in the way I’m describing?


Thanks-


Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)





--
John Kaftan
IT Infrastructure Manager
Utica College

Broadcast/multicast from multiple VLANs on a single SSID

2014-02-20 Thread James Andrewartha
Hi list,

We moved to a single WPA2-Enterprise SSID with RADIUS responses dropping
users into a particular VLAN at the start of the year. However,
multicast and broadcast traffic is seen by all clients, regardless of
VLAN. After some thought, this makes sense because the SSID has a common
group temporal key for broadcast/multicast. However I was wondering if
all clients had to have the same GTK, or if it's possible (or if some
vendor even implements) having a different one for clients on different
VLANs.

We are probably going to split up the clients across multiple SSIDs
again, as we're seeing Bonjour instability (you try telling a teacher to
plug into a cable after using AirPlay last year), which may be caused by
too much broadcast/multicast traffic or possibly just Bonjour not
handling seeing queries from devices on different VLANs.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-01-28 Thread James Andrewartha
On 29/01/14 00:26, Walter Reynolds wrote:
> 2) Remove Wi-Fi network and then re-add (use the + and - buttons under
> the list in System Preferences/Network)
> 
> If after doing those two you are still having problems we have had to
> take the nuclear approach.  This is less if simply not getting an IP,
> but more of not connecting automatically and disconnecting.
> 
> 3) Remove underlying plist config files (also remove Keychain entries).
> 
> We have had this more than I would like.  It removes all their saved
> wireless networks, but improves stability.

We have a guest WPA2-PSK network, and sometimes on Macs I see the
network is saved in System Preferences, but there's no keychain entry
for the PSK. In this case I generally remove the network from the Wi-Fi
preferences and re-add it manually.

> On 28/01/14 22:52, Wright, Don wrote:
> > Taking a slight tangent here, has client roaming and dropout problems
> > motivated anyone to move to a WPA2-PSK model across their campus?  The
> > second part of the question is if you have, is it any better or worse to
> > manage than an 802.1X network?  

So I'd say WPA2-PSK isn't any better for Mac configuration at least,
there's still problems (albeit different ones). WPA2-PSK (unless you use
a dynamic PSK like Ruckus) also means all authenticated clients can
decrypt everyone else's traffic which isn't great for security.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
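The point made in the post above (with a shared WPA2-PSK every authenticated client can decrypt everyone else's traffic, unless each device gets its own key as with Ruckus Dynamic PSK) and the concern in the Wi-Fi Sense post earlier on this page (a PSK handed to third parties is a PSK for the whole network) both come down to how WPA2-Personal derives its session keys. The following is an added example, not from either post: it implements the PMK and PTK derivation from the standard and the EAPOL-Key MIC check that a second holder of the passphrase can run against a captured 4-way handshake to prove the derived key is right. The MAC addresses, nonces, SSID and passphrase are constructed values, and the message-2 frame is built inline rather than taken from a capture.

```python
"""WPA2-Personal key derivation: why one shared PSK protects nobody from each other.

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
PTK = PRF-384(PMK, "Pairwise key expansion",
              min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))
KCK = PTK[0:16]  (signs the handshake)   KEK = PTK[16:32]   TK = PTK[32:48]  (CCMP key)

Everything on the right-hand side except the passphrase is sent in the clear
in the 4-way handshake, so any station that knows the passphrase and hears
another station's handshake can reproduce that station's TK.
"""
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n from IEEE 802.11: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the 48-byte CCMP PTK and split it into KCK, KEK and TK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:2 (WPA2-PSK): HMAC-SHA1 over the EAPOL-Key frame
    with the MIC field (bytes 81..96) zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed handshake message 2 (EAPOL v2, Key, RSN descriptor, Key Info 0x010a,
    replay counter 1, SNonce, zero IV/RSC/ID, empty Key Data) signed with the KCK."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:81] + eapol_key_mic(kck, frame) + frame[97:]


def msg2_mic_matches(passphrase: str, ssid: str, handshake: dict, msg2: bytes) -> bool:
    """What a second PSK holder (or a cracker testing a candidate passphrase) does:
    derive the KCK from passphrase + captured addresses/nonces and check the MIC."""
    keys = wpa2_ptk(wpa2_pmk(passphrase, ssid), handshake["ap_mac"],
                    handshake["sta_mac"], handshake["anonce"], handshake["snonce"])
    return hmac.compare_digest(eapol_key_mic(keys["kck"], msg2), msg2[81:97])


# Constructed handshake values (not from a real capture): AP and station MACs
# and the two 32-byte nonces carried in messages 1 and 2.
HANDSHAKE = {
    "ap_mac": bytes.fromhex("001122334455"),
    "sta_mac": bytes.fromhex("66778899aabb"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}
SHARED_PSK, SSID = "correct horse battery", "Guest-WiFi"  # hypothetical network

if __name__ == "__main__":
    victim = wpa2_ptk(wpa2_pmk(SHARED_PSK, SSID), HANDSHAKE["ap_mac"],
                      HANDSHAKE["sta_mac"], HANDSHAKE["anonce"], HANDSHAKE["snonce"])
    msg2 = build_eapol_msg2(HANDSHAKE["snonce"], victim["kck"])
    print("same shared PSK reproduces the victim's keys:",
          msg2_mic_matches(SHARED_PSK, SSID, HANDSHAKE, msg2))
    print("a different per-device PSK does not:",
          msg2_mic_matches("some-other-device-key", SSID, HANDSHAKE, msg2))
```

A matching MIC means the derived KCK, and therefore the TK from the same PTK, is the victim's; that is the whole of the post's "can decrypt everyone else's traffic". Per-device PSKs change the PMK per station, so the check fails for anyone holding a different device's key, which is what the Ruckus Dynamic PSK approach the post mentions buys.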


Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi

2014-01-17 Thread James Andrewartha
Hi Jason,

On 17/01/14 01:59, Jason Heffner wrote:
> We took a slightly different approach to solve our issue with the
> AppleTV specifically at Penn State. We do have a Doceri deployment but
> recently we have released a PSU Airplay iOS enterprise app to allow
> mirroring to AppleTVs w/o having bonjour enabled. Since I saw this topic
> come up I thought it was a good time to share.

That's a very impressive solution, good thinking.

> If interested you can find out more on a recent blog entry I wrote up on
> the specifics. 
> 
> http://sites.psu.edu/jasonheffner/2014/01/10/airplay-without-bonjour-on-enterprise-wireless-networks/

So the app advertises the Airplay service over the network, but only the
device it's running on sees the advertisement because you have multicast
disabled?

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi

2014-01-16 Thread James Andrewartha
Hi Bruce,

On 16/01/14 8:50 PM, Osborne, Bruce W (Network Services)
bosbo...@liberty.edu wrote:
You said,
Sure, I wish you could drop Apple TVs into a directory like printers
(though AirPrint indicates that's going away too) and just choose from a
list.

And I was replying to what Lee said,

  I like the Mersive paradigm as an alternative- it asks nothing of the
network. Although I'd still like to see Apple fix their own limitations.


I believe Aruba Networks' AirGroup feature can do exactly what you want,
letting users choose from devices they are close to.

AirGroup is another network solution. I have my own, dropping Bonjour
packets from Apple TVs at the core so teachers can only see the ones in
the building they're in. But you and I are network admins, in an ideal
world we shouldn't be touching anything above Layer 3. Our sysadmin for
Apple devices handles the printers, why can't he do Apple TVs as well?

You can also limit what users have access to devices, so Students may not
be able to display on classroom monitors, for example.

I haven't gone quite that far yet - currently students have no access to
the Apple TVs. My next goal is to allow the teachers to give permission to
a particular student to display on an Apple TV, but that will require
coding up a web interface to change policy roles to bridge Bonjour for
that student.

I am interested in their user registration system, such that residents can
only see their own Apple TVs, but does it let the user authorise others to
use it, e.g. for shared residences?

Thanks,

-- 
James Andrewartha

Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi

2014-01-15 Thread James Andrewartha
Hi Lee,

On 16/01/14 06:27, Lee H Badman wrote:
 To allow for display mirroring (and a lot more functionality) for ALL
 device types we are strongly leaning towards Mersive's Soltice software.
 It requires zero network reconfiguration, no multicast, and just fits
 like a glove. We are negotiating on $$ with Mersive after successful demos

Does it actually mirror any iOS display natively? I had a quick look at
the datasheet and it says Mirror iOS content via Apple TV connection.

We got a demo of Crestron AirMedia yesterday and were unimpressed with
its lack of mirroring from iOS - you can only display from their app. If
we were happy with that, our projectors (Epson) have their own app
available now. For us, being a K-12 school that only has Apple devices,
the Apple TV is a no brainer given its price.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Apple TV display mirroring spectrum use in HD wifi

2014-01-15 Thread James Andrewartha
Hi Lee,

On 16/01/14 12:07, Lee H Badman wrote:
 Not sure what you're looking at, but AppleTV has nothing to do with Mersive. 
 I'm not trying to sell their stuff, just quite fond of it after the 
 frustrations of what the network needs to have done to it (bigger networks 
 are worse) for AppleTV.

I was looking at the Solstice datasheet [1] which seems to indicate it
doesn't do AirPlay on its own.

 I see TCO of AppleTV as $99 (for AppleTV) + lots of hours dorking with the 
 network + lots of support issues when it becomes a service so relied on that 
 it simply can't tolerate almost-guaranteed disruption/unpredictability + time 
 spent trying to accommodate non-Apple devices = AppleTV actually costs 
 hundreds (or thousands) of dollars and leaves you with a network you'd 
 probably prefer not to have, and a fragmented what device can do what 
 environment for display mirroring.

Absolutely, you have to determine whether it's worth it, for Apple TVs
or Solstice. I'm just trying to determine feature compatibility - from
what I can tell, the Solstice app [2] can only play media files or view
webpages, it's not true iOS display mirroring and so doesn't solve the
what device can do what environment. Perhaps that's all your classes
need, but not being able to mirror other iOS apps makes it a non-starter
for our requirements.

 I like the Mersive paradigm as an alternative- it asks nothing of the 
 network. Although I'd still like to see Apple fix their own limitations.

Sure, I wish you could drop Apple TVs into a directory like printers
(though AirPrint indicates that's going away too) and just choose from a
list. Actually, you can with the latest MDM stuff [3], but then you're
having to push configuration to the device. Bonjour even supports
wide-area DNS-SD, just the Apple TV doesn't for what appears to be
pandering to big content.

[1]
http://www.mersive.com/wordpress/wp-content/uploads/Solstice-data-sheet.pdf
[2] https://itunes.apple.com/us/app/solstice-client/id604298374?mt=8
[3]
http://help.apple.com/profilemanager/mac/3.0/#apd621BA9DF-4301-4D76-8A90-84E05E343FFA

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] WiFi planning

2013-12-12 Thread James Andrewartha
On 13/12/13 07:40, Frank Sweetser wrote:
 In certain areas, sure. One more thing we're going to have to divine
 from our tea leaves is which areas only need coverage, and which need
 the extra money sunk in for high capacity. Unfortunately, all it takes
 is a professor who wants in class laptop survey software getting
 scheduled in the wrong room to blow up your original plan.
 
 Personally, I'm still waiting for a vendor to release an AP with dual
 5GHz radios, so I can just buy one of those to add capacity in that band
 instead of buying two dual band units and turning the 2.4 radio off.

Some vendors have APs with radios that can work on either 2.4 or 5GHz.
Meru and Xirrus are the ones that come to mind, I can't remember if any
other vendors offer that.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Cisco 3700 AP

2013-10-09 Thread James Andrewartha
On 04/10/13 20:09, Peter P Morrissey wrote:
 I agree, especially since there likely aren't any clients capable of 4 
 streams. I would be thrilled to be proven wrong on that though. Seems like 
 new Macs would be most likely possibilities as they do tend to be ahead on 
 these types of things in spite of all their other wireless issues.

The vendor information I've seen says that 4 spatial streams will debut
with 802.11ac Phase 2 in 2015, along with MU-MIMO (which will be really
worthwhile for us with plenty of 1SS mobile devices).

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Cisco 3700 AP

2013-10-03 Thread James Andrewartha
On 04/10/13 05:23, Andy Page wrote:
 For those interested, Cisco released information about their new 3700
 series access point with built-in 802.11ac. Likely won’t be able to
 purchase it for at least a month or so.
  
 http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps13367/data_sheet_c78-729421.html

They almost got it into a 802.3af power budget, except it runs in 3x3:3
MIMO instead of 4x4:3 which shouldn't make too much of a difference.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Problems with new Apple Laptops

2013-09-30 Thread James Andrewartha
Not sure if it's the same problem, but I've got a 2012 MBA running
10.8.4 that's experiencing disconnects. Reading the logs it thinks it's
still got an 802.1x connection when it tries to reconnect to the
wireless, and it has a 169.254.x.x IP address. If I click Disconnect on
the 802.1x connection in the Network preferences, it fully disconnects
and loses its IP, but doesn't reconnect. The RADIUS server (Enterasys
NAC) logs show it was authenticating successfully many times, often as
little as 4 or 5 seconds apart, but it couldn't associate to the
wireless once it did.

On 27/09/13 04:43, Julian Y Koh wrote:
 On Sep 26, 2013, at 15:39 , Travis Schick trsch...@ucdavis.edu
  wrote:

 I have found that this delay will go away if the cert used for WPA2 auth is 
 updated to also always trust for SSL.   
 
 That seems suboptimal.  Not just because you need to get your clients to 
 change configs, but I wonder how that affects overall trust and if it opens 
 you up to other holes.  For example, does changing that setting on the client 
 mean that you won't be able to revoke that certificate?  What if your 
 certificate and key get stolen and then used to set up a malicious site 
 somewhere?  

The SSL certificate (actually, the CA that signs it) is already set to
always trust for everything.

 Someone else can do that testing.  :)
 
 Another vendor is recommending that a timeout value for EAP responses be 
 raised from its default 5 second value to 30 seconds, since the Macs are 
 eventually responding - it just takes a long time in some cases.  

I've upped my RADIUS timeout to 30 seconds (from 15), I'll see if that
has any effect.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Dual Band Mac laptops...

2013-09-24 Thread James Andrewartha
On 21/09/13 11:34, Curtis, Bruce wrote:
   What power are the 2.4 and 5 GHz radios set to on the AP in the room?
 
   If the clients see a higher power signal from 5 GHz they might be more 
 likely to connect to the 5 GHz radio.

You can run the following command in a terminal to see what signal
strength the OS perceives for each BSSID (sorted by RSSI so long as your
SSIDs have no spaces):

/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -s | sort -rnk3

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
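
Because `sort -rnk3` breaks as soon as an SSID contains a space, here is an added example (not from the original post) that parses the same `airport -s` output by anchoring on the BSSID column instead, and then answers the question actually being asked in this thread: for each SSID, which BSSID the client sees strongest on 2.4 GHz and which on 5 GHz. The sample scan is constructed to match the column layout `airport -s` prints (SSID, BSSID, RSSI, CHANNEL, HT, CC, SECURITY); the `NONE` security value for open networks and the `--` country code on that row are assumptions.

```python
import re
import subprocess

# Constructed sample in the column layout `airport -s` prints; not a real scan.
SAMPLE_SCAN = """\
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                     CCGS Staff 00:11:22:33:44:01 -61  1       Y  AU WPA2(802.1x/AES/AES)
                     CCGS Staff 00:11:22:33:44:02 -58  36      Y  AU WPA2(802.1x/AES/AES)
                     CCGS Guest 00:11:22:33:44:03 -70  11      Y  AU WPA2(PSK/AES/AES)
                        eduroam 00:11:22:33:44:04 -45  44,+1   Y  AU WPA2(802.1x/AES/AES)
                      Free WiFi 00:11:22:33:44:05 -52  6       N  -- NONE
"""

AIRPORT = "/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport"

# Anchor on the BSSID (a fixed MAC pattern) instead of whitespace so SSIDs with spaces survive.
LINE_RE = re.compile(
    r"^\s*(?P<ssid>.*?)\s+"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<rssi>-?\d+)\s+"
    r"(?P<channel>\S+)\s+"
    r"(?P<ht>\S+)\s+"
    r"(?P<cc>\S+)\s+"
    r"(?P<security>.*?)\s*$",
    re.IGNORECASE,
)


def parse_scan(text: str) -> list:
    """Turn `airport -s` text into dicts; lines that are not scan rows (the header) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["rssi"] = int(r["rssi"])
        r["channel"] = int(r["channel"].split(",")[0])  # "44,+1" is channel 44 with 40 MHz bonding
        r["band"] = "5GHz" if r["channel"] > 14 else "2.4GHz"
        rows.append(r)
    return rows


def sort_by_rssi(rows: list) -> list:
    """Strongest signal first, the order `sort -rnk3` gives when no SSID contains a space."""
    return sorted(rows, key=lambda r: r["rssi"], reverse=True)


def strongest_per_band(rows: list) -> dict:
    """Best BSSID for each (SSID, band) pair, to compare what the client sees on 2.4 vs 5 GHz."""
    best = {}
    for r in rows:
        key = (r["ssid"], r["band"])
        if key not in best or r["rssi"] > best[key]["rssi"]:
            best[key] = r
    return best


def open_networks(rows: list) -> list:
    """SSIDs with no link-layer encryption (assumed to be printed as NONE in the security column)."""
    return sorted({r["ssid"] for r in rows if r["security"].upper().startswith("NONE")})


def live_scan() -> str:
    """Run the real scan on a Mac; anywhere else fall back to the constructed sample."""
    try:
        return subprocess.run([AIRPORT, "-s"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_SCAN


if __name__ == "__main__":
    rows = parse_scan(live_scan())
    for r in sort_by_rssi(rows):
        print(f"{r['rssi']:5d} dBm  ch {r['channel']:3d} {r['band']:7s} {r['bssid']}  {r['ssid']}")
    for (ssid, band), r in sorted(strongest_per_band(rows).items()):
        print(f"best {band:7s} for {ssid!r}: {r['bssid']} at {r['rssi']} dBm")
    print("open SSIDs:", open_networks(rows))
```

Run it on the Mac in the room in question; the per-band summary tells you whether the 5 GHz BSSID is actually the stronger one from where the client sits, which is what decides whether a dual-band client prefers it.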


Re: [WIRELESS-LAN] FW: iOS 7 update available at 1PM

2013-09-24 Thread James Andrewartha
On 19/09/13 03:49, John York wrote:
 From our friends at the ISC StormCenter.  I wonder how long it takes to get 
 registered with the mother ship.

A bit late, but the caching server only works for devices running iOS 7,
so it wouldn't have helped with the iOS 6-7 upgrade storm. The only
exception is upgrades performed from a computer using iTunes 11.0.2.
For future iOS upgrades it should work, provided you are NATting all
clients to the same IP as the caching server.

https://groups.google.com/forum/#!topic/macenterprise/BzUAeNDN4lo

 -Original Message-
 From: Swa Frantzen - ISC [mailto:isc@ ] 
 Sent: Wednesday, September 18, 2013 3:39 PM
 To: John York
 Subject: Re: iOS 7 update available at 1PM
 
 They would contact your server!
 
 http://nbalonso.com/os-x-server-caching/#comments
 
 explains how it works: apple redirects the clients to your cache if the 
 request comes from an IP address you're registered for.
 No configuration at all needed on the client: apple sends the clients to you.
 
 Swa
 
 To install it: use any mac, add the OS X Server app from the app store (costs 
 a few dollars, guess around 20$ or so (I only see prices in EURO)). Once you 
 have that, you can enable the cache service
 
 It'll register with apple and apple will redirect clients on your network to 
 the cache instead of their servers when it recognizes the source IP as the 
 same as the registered cache.
 There's no need to configure anything on the devices themselves.
 
 Advanced configurations might be needed on more complex networks. See here 
 for command line options: http://support.apple.com/kb/HT5590
 Esp. if you have multiple outside IP addresses, or internal firewalls between 
 the clients and the server, ... you need to do more than just turn on the 
 service.
 
 Worst case (in a .edu setting I guess it might be common, you'll need to NAT 
 the clients if they connect to apple to the same outside IP as the server)
 
 You can have multiple caching servers - but even a single mac mini can 
 offload quite a bit of your outside networks.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Anyone tried Ubiquiti UniFi campus wifi?

2013-09-11 Thread James Andrewartha
Hi Steve,

On 11/09/13 04:24, Steve Bohrer wrote:
 A few months ago there were some generally positive posts about Ubiquiti's 
 Air Fiber links, but I'm wondering if anyone has tried out their UniFi 
 controller-less campus wifi solution, particularly with their dual-band 
 UniFi Pro AP and/or their UniFi AP AC access points. 

I have a small deployment (1x UAP-LR, 1x UAP-Pro, plus some AirMax for
linking buildings) at our remote outdoor education site.

One thing to note is the UAP-AC needs 802.3at power, or their own power
injectors.

 Part of the cost saving, of course, is that Ubiquiti doesn't have reps and a 
 sales team and such, so we won't get nearly as whizzy a pitch from Ubiquiti 
 as we have from the rest of the wifi vendors. Thus, first hand experiences 
 from other schools that have actually deployed this stuff would be very 
 useful. 

They do have some case studies on their website:
http://www.ubnt.com/education

 Thanks for any pros or cons you can share about UniFi. (Feel free to mention 
 your favorite wifi system as well, if you think it reasonable for our small 
 scale and budget. From the stuff we've seen so far, I like Ruckus, Aerohive, 
 and Meru, but don't have much user feedback on any of them.)

Pros: cheap cheap cheap. There's a decent user community, including
Ubiquiti staff, on the forums. The controller is available as a Debian
package (as well as Win/OS X/Linux). They support a cloud (DC-hosted)
controller, although that's not needed at your site. The APs keep
working if the controller is down, although not the guest portal.

Cons: the wireless coverage map doesn't take into account walls, it's
just a circle. Not as much fine control over wireless details like
minimum basic rates, AMPDU etc. Troubleshooting (not that I've had to do
any) involves sshing in to the AP (they run Linux).

For the price, you could pick up a three pack and have a play yourself.

I've sent you my thoughts about other vendors in the past, so I won't
repeat myself.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Distributed WiFi model - Thin vs Thick debate revisited

2013-04-30 Thread James Andrewartha
On 29/04/13 22:51, Barros, Jacob wrote:
 It feels like I am coming full circle to where I was six years ago.
  Though I know its not exactly the same, I went back to the thin vs
 thick debates in the archives.  A few things stood out to me as
 considerations:  One concern was vendor longevity.  Another was whether
 or not the thick AP model would be able to keep up with the controller
 based architecture.  An advantage of the controller based architecture
 that stood out to me was central processing, specifically regarding key
 exchange.
 
 Are these points still valid concerns?  If your administration asked you
 to consider a distributed architecture, what other (vendor-neutral)
 concerns would you have?

There's a middle ground between thick and thin - relatively thick APs,
that are centrally managed but with enough smarts to process traffic
locally. 802.11ac will have an effect here, as each thin AP could
theoretically require 1Gb/s to the controller. This is why Cisco is
putting controllers in its switches, to distribute the traffic load.

Most controller-based vendors do support local bridging, but some will
not support all features or not maintain sessions if the controller fails.

I haven't really looked at the new range of thick APs like Meraki or
Aerohive, so can't comment on their architecture.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] iPhone 5 wireless issues

2013-04-22 Thread James Andrewartha
On 23/04/13 06:24, Thomas Carter wrote:
 We have a mix of different APs – 422s, 522s, 82s, and 532s. We’re
 running MSS 8.0.1 (which has issues with the 82s, but that’s another
 issue). I haven’t opened a case with Juniper yet, as I’m still gathering
 the information about the problem.
  
 We’re using PacketFence (which wraps FreeRADIUS).

Are you disconnecting clients during assessment? I've noticed that if an
iOS device receives more than 3 or 4 disconnects in a short period of
time, it will stop reconnecting until manually told to rejoin the
network (or turning wifi off and on or rebooting). This is mostly only a
problem when I'm testing an iPad with our NAC, I spoke to our
vendor (Enterasys) and they've noticed it as well.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Wireless Vendor Recommendations?

2013-03-12 Thread James Andrewartha
 performing well, plus the integration with our switch
network and MDM software.

We technically ordered through a partner, but all our support has been
direct with Enterasys because they want to use us as a demo school. Like
any technology project, you'll want a good partner - that was one reason
we didn't go with Cisco, as that partner had done our CUCM install and
left us in the lurch a bit.

To sum up, the wireless tech is important, but so are all the parts that
surround it too, so work out what else you want from the wireless first.

I'm not sure if I should post this to the list as we're a K-12 school,
not a university. If you have any other questions, let me know.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Ubiquiti Wireless

2012-09-02 Thread James Andrewartha
On 31/08/12 22:12, Michael Blaisdell wrote:
 Has anyone worked with Ubiquiti Wireless www.ubnt.com and in particular the 
 UniFi controller software?

I've played with it once - it's a Java webapp that allows you to push
out settings to a bunch of APs at once. It's more set and forget than
ongoing management, mainly targeted at small deployments from what I can
tell.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Apple Petition

2012-07-11 Thread James Andrewartha
On 11/07/12 22:05, Johnson, Neil M wrote:
 So, even if you setup static DNS-SD records, the Airplay receiver (Apple
 TV) and Airplay transmitter (iPad, iPhone, or Mac running Mountain Lion)
 have to be in the same subnet.
 
 That is the reason for the 1st request in the petition.

Aerohive's Bonjour gateway feature claims to have Airplay working across
subnets. The SRV record does have a hostname, so presumably it uses
that. Even so, creating them manually is a pain, we need some sort of
tooling to help. Ideally the Apple TVs would register themselves in
wide-area DNS-SD domains, but I don't know how you control who can do
that, or if they can.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


Re: [WIRELESS-LAN] Location Based Printing

2012-05-31 Thread James Andrewartha
 I think Aruba’s AirGroup will be interesting too when it is finally released. 
 It is currently in alpha status, I believe. According to their tech brief
 http://www.arubanetworks.com/pdf/technology/TB_AirGroupWLANServices.pdf
 it appears Aruba is initially planning on using AP association for determining 
 location. Perhaps they can incorporate their AP grouping feature so this would 
 work better in dense environments.
 At Liberty University, we are an all-Cisco shop but we have found Aruba’s 
 wireless products to be more feature rich and less expensive than Cisco’s 
 offerings. We have also found Aruba’s technical support to be exceptional, 
 especially when compared to our Cisco support experiences with their fat APs.

Reading the tech brief, it uses ClearPass Policy Manager (previously Avenda 
eTIPS), so you could probably do something similar with Cisco ISE or Enterasys 
policy manager with some hackery. Obviously a well-engineered product beats 
general hacks any day.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
