Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
We tracked one down yesterday and it turned out to be a Windows Mobile phone running Android. Decidedly not a MAC.. :) -JEff On 9/28/10 10:44 AM, Andrew Clark wrote: I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
On 9/27/10 11:26 AM, John Duran wrote: We are also seeing a client with that MAC address (00:11:22:33:44:55) on our system. Just a sanity check here, since most management systems seem to use MAC address as a primary key, it's likely you'll only 'see' one 00:11:22:33:44:55 address associated at any given time, right? DHCP logs or other auth logs may provide a more comprehensive list of how many devices are around, correct? Has anyone contacted their respective Wireless hardware vendors for comments? -JEff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Advertising Wireless Coverage
http://code.google.com/apis/maps/documentation/javascript/overlays.html#OverlaysOverview My speculation is that they probably already have their building footprints as overlay objects, so it's comparatively easy to add another layer that depicts buildings covered by wireless. -JEff On 9/1/10 12:06 PM, John Rodkey wrote: I think many of us on the list would like a peek into the elves' workshop. At least some general outline of the tools and methods used would be helpful to point us in the right direction. John On Wed, Sep 1, 2010 at 7:33 AM, Dave Barr d...@cornell.edu mailto:d...@cornell.edu wrote: I don’t know how the overlay works, I saw the map the first with the bus stops and parking as selectable items on it and then I just wished for Wi-Fi coverage to be indicated and sent a list to our webmaster then it was there; elves I think, but I’ll ask... All we’re indicating is that the building has some community space covered, meeting rooms classrooms that sort of thing. We have program space about 50% covered overall where that coverage was and is deployed is based upon individual department and college priorities. Dave *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Methven, Peter J *Sent:* Wednesday, September 01, 2010 4:06 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Advertising Wireless Coverage Dave, I’m curious about how you are doing your wireless coverage straight into an overlay on google maps. I’ve thought about doing that a few times but we have the issue that even in the buildings where we have “full coverage” there are black spots left on purpose in areas such as plant rooms etc. Do you show a building has coverage if all student accessible areas have coverage, or for all student and staff accessible areas (excluding plant rooms/comms rooms etc.)? Many Thanks Peter Mr Peter Methven, Network Specialist Information Technology (IT) Allen McTernan Building, Edinburgh Campus Tel: 0131 451 3516 For IT support queries or requests, please email ith...@hw.ac.uk mailto:ith...@hw.ac.uk or phone ext 4045, with full details of your query or request and your contact details. http://www.hw.ac.uk/it *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Dave Barr *Sent:* 31 August 2010 19:44 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Advertising Wireless Coverage Pete, Our website developers figured out a way to use Google maps: http://www.cornell.edu/maps/interactive.cfm Selecting the RedRover checkbox highlights the buildings that have Wi-Fi coverage. Dave Barr *** Cornell Information Technologies Web: http://www.cit.cornell.edu David Barr - Information Technology Specialist Email: d...@cornell.edu mailto:d...@cornell.edu 110 Maple Avenue Telephone: 607 255-4703 Ithaca, NY 14850-4902 Fax: 607 255-8169 *** *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Peter P Morrissey *Sent:* Tuesday, August 31, 2010 2:08 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Advertising Wireless Coverage Has anyone come up with ways of advertising information about their wireless coverage that students and maybe parents have found to be particularly helpful? Right now we just have a list of buildings, most of which are at 100%, but some with partial coverage where we include a floor plan/map. We are also going to put a symbol indicating the locations we have started to upgrade to 11n. Just wondering if there may be some better ways to accomplish this. Thanks, Pete Morrissey Syracuse University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] iPad Experiences
On 4/7/10 12:01 PM, Lee H Badman wrote: In response to Apple’s guidance, we’ve given out the user name and password to our wireless management system so IPad users can configure our access points as they need to fix their connectivity problems. I assume you're also handing out stepladders and tools so they can relocate them as necessary to get a better signal? -JEff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] WCS 4.2
Bentley, Douglas wrote: We had quite a few issues moving forward with 4.2.62. If you have configuration issues after upgrading to 4.2.62 - DON'T - try to load a backup config file from 4.xxx code to the new 4.2.62 WLCs. I made this error and put 5 - WLCs (2.5 WiSMs) back to the install wizard. We had to manually console into the WiSMs and start from new. We ran into this on a 4404. The solution was to connect to the console, clear the config NVRAM and then boot the 4.1 backup image. Once on the backup image, do enough of the configuration script to get the WLC on the network and D/L your saved 4.1 config. Then, save the config to flash and restart the controller on the main 4.2 image. The boot process will do the config upgrade for you. The release notes say they switched from a binary file to an XML based file format. I'd have thought the config process would be a little more robust and able to handle both versions.. Guess not. -JEff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] more fun with RADIUS
Julian Y. Koh wrote: We're only seeing these unknown records from a little over 10% of our APs, and some of them are generating thousands of the records, so longer-term, of course, we need to exercise some better RF management so that users don't roam as often.But that's another exercise for another day. For now, I just need to see if my reasoning is sound. Hey Julian, We don't run the WLSM, but we do run IOS APs and use WDS, which operates in the same manner as you describe. (Auth requests are aggregated by the WDS master AP, while accounting is sent by individual APs.) We also use EAP-TTLS instead of LEAP. I had a couple tickets open with the TAC a couple summers ago about this. The end result was that if our RADIUS server sent the User-Name attribute back in the Access-Accept packet, the APs wold use it to log the proper username when they sent accounting packets. In addition, because we have other .1x platforms that aren't reliable at reporting the username in accounting packets, I wrote a hook for our Radius server that logs sufficient accounting information from the access-request/access-accept packets. With the time and calling/called station ids it's not clean, but it does work. Oh, We use OSC's RADIATOR as our radius server. -JEff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity
Julian Y. Koh wrote: At 20:15 -0500 06/02/2006, Julian Y. Koh wrote: Now we find out from Funk that their fix in 5.4 still isn't working like they wanted, with a final fix scheduled for Q4 2006. This is obviously totally not cool, and will probably force us to jumpstart our freeradius efforts. The pain in the butt is that we just did our official rollout of the 802.1X/WPA2 wireless this week, and all the docs point to verifying the cert of the SBR server. Not an insurmountable deal to fix, but it looks bad if we have to switch. OTOH, switching now will be the best time to do it before we get a lot of people using the service, and it would be better than having people masquerade as other users in the accounting records You may also want to consider Radiator. I've found the support from the OSC folks to be much more friendly that some of the folks on the freeradius list. We use it and it's very flexible. We've even dealt with most of the issues that you raise.. -JEff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] 802.1x rollout
Wyman Miles wrote: We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before: - is anyone using Kerberos as an authentication resource for your wireless clients. Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients? We use EAP-TTLS with PAP and the SecureW2 supplicant. Backend is Radiator talking to MIT K5. The Funk client has worked well for us, but the cost has prevented us from rolling it out for everyone. We've had mixed success with the card drivers that have packaged TTLS supplicants in them (TruMobile, Centrino, etc). Sometimes it works, sometimes it doesn't. Seems highly related to driver versions. Since the new version of SecureW2 has been available, we've been pushing that as our standard. It has some warts, but now that autoconfig works with XP SP1, we distribute a installer with our config preloaded and things pretty much just work. I'm sure you're aware that to install and configure the supplicant, the mobile users usually need administrator access on their laptops. That can be a problem for visitors. - who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server). I've had no problems at all with our odyssey and secureW2 clients and Radiator.. It just works. Note that if you're going to use the builtin AuthKrb5 module in Radiator 3.13, There are a couple obscure bugs with null passwords you might run into. I have some patches that I need to forward back to Hugh and the guys, I just keep forgetting to actually send the diffs. I can provide more info on that offline if you want.. -JEff College of Earth and Mineral Sciences -- Penn State ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Wireless Identification Tools
Philippe Hanset wrote: Don, A trick that I have been willing to test for a long time would be to join the Rogue AP, send traffic to a know sniffing host in that same layer2 network. This will reveal the Wired MAC address of the AP. Then search for that MAC on your wired side and disable the port. (if you have a good circuit-to-switchport DB, you know the location as well) If the AP doesn't allow guests, we use Directional Antennas and Wireless Sniffers as you mentioned. And as I have mentioned before: we rarely have Rogue APs in places were we provide decent Free Wireless coverage! We've been able to have good luck by searching our switch FDBs for MAC addresses matching all but the last octet of the MAC address in the rogue AP's beacon. More often than not, manufacturers use sequential MAC addresses for the wired and wireless ports of their devices. Of the 5 or 6 rogues we've seen over the last year, all were locatable that way. YMMV.. :) -JEff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Wireless Identification Tools
John Watters wrote: Where can we find a good list of the MAC address ranges for wireless access points? If I just look by manufacturer (see http://standards.ieee.org/regauth/oui/index.shtml) I do not see a distinction between their access points their NICs, switches, routers, and other network equipment? I'm not aware that there is such a list. Even if there was, I imagine it'd be continuously out of date. As I mentioned earlier, our technique is to capture an AP beacon frame and extract the MAC address in the beacon frame. (Usually, the WLSE does that part of the job for us, although we do occasionally wander around with netstumbler.) Once we have the MAC from the beacon, we just query our network management database for all mac addresses that are similar, except for the last octet eg: 'select * from macdb where mac like nn:nn:nn:nn:nn:%'. We then investigate any wired MAC addresses that turn up in the search. So far, this method has worked for all the rogues we've investigated.. I expect that sooner or later we'll find some APs that don't have sequential MAC addresses, but that's just the way it goes. -JEff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.