RE: [WIRELESS-LAN] [EXTERNAL]Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Wi-Fi expectations/service levels and validation

2021-09-25 Thread Jeffrey D. Sessler
When I read the uiowa wifi SLA link, I can't help but think it's bordering on an 
excuse, rather than a true SLA between the service operator and the customer.  
Don't misunderstand, there are technical limitations to WiFi, but we can also 
engineer around many of them assuming the organization considers the service 
strategically important to its mission and invests appropriately. If one isn't 
sure if it is strategically important, I would spend a little time perception 
checking within one's organization including sr. leadership.  I've run across 
many education organizations that will state WiFi is of strategic importance, 
but their capital investment per FTE is often significantly lower than their 
investment in say general software licensing.  It goes without saying, if the 
organization is spending $300/FTE on software licensing and only $50/FTE on 
capital investments in WiFi, it's likely there is a misalignment between 
strategic importance and funding.

I've also run into many an organization that invests oddly in WiFi.  They under 
capitalize the infrastructure but have 3-4 WiFi engineers that spend all their 
time trying to work around the under investment.  Imagine reducing the number 
of engineers from 4 to 1 and investing that $300-500K per year in WiFi 
infrastructure and assurance tools. It seems obvious, but sometimes 
self-preservation within a service organization can get in the way of solid 
service/business decisions.

Before going down the road of defining what constitutes "good wifi," it would 
be beneficial for folks to understand their current state, including the 
creation of an SLA around what you already have.  Parallel to this, meet with 
your customers to understand their needs, develop a new SLA, get leadership 
buy-in, and out of that will come the answer for what constitutes "good wifi" to 
your organization.

Lastly, even a basic SLA can be immensely helpful in tempering the divide 
between what you have and what someone expects. As an alternative to 
techsplaining away the service quality issues, your customers know exactly what 
the service is and is not, including by location.  Imagine something as basic 
as:

Residential Halls

  *   Dense deployment of WiFi. Designed to meet the demanding needs of 
high-def streaming and gaming.
  *   Design assumes an average of four devices per resident.
  *   Minimum of one access point per every other room.
  *   Near equivalent to a gigabit wired port.

Academic Spaces

  *   Classrooms
     *   Support for interactive applications
     *   Designed for twelve FTE per access point
     *   Minimum of one access point per classroom
     *   Minimal support for high-def streaming outside of instructor or 
in-room conferencing
  *   Conference Rooms
  *   Study Spaces

Outdoor Spaces

  *   Designed for coverage
  *   Basic email, texting
  *   Reliable streaming unlikely

Best,
Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of LaPorte, David
Sent: Friday, September 24, 2021 2:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL]Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] Wi-Fi expectations/service levels and validation

Yes, thanks to you and all who have responded.  It's been good to hear that 
we're not alone in finding this exercise very challenging, and it's been great 
to see some of the great pages and thoughts provided.  I'll be sure to share 
what  we come up with.

Have a nice weekend!
Dave

-

David LaPorte
Harvard University Information Technology
P: (617) 496-3446

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Sullivan, Don <dsulli...@samford.edu>
Date: Friday, September 24, 2021 at 2:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL]Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] Wi-Fi expectations/service levels and validation
I appreciate you sharing this also. Nice writeup.

Don Sullivan
Network Administrator
Technology Services

205-726-2111 | office
dsulli...@samford.edu

Re: [WIRELESS-LAN] Amazon prime video error (Your device is connected to the internet using a VPN or proxy service)

2021-09-17 Thread Jeffrey D. Sessler
If you aren’t blocking P2P anonymizer clients, where user devices are endpoints 
for folks in other regions, Amazon and others may blacklist your IP range.  
These clients may show up with students from other countries, or students who 
have returned from being abroad.

If you have something like Cisco’s Umbrella, they have an entire anonymizer 
category you can block, but to be 100% effective, you need to block external 
DNS access so that it is harder to circumvent.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Muraca, Peppino P. 

Date: Friday, September 17, 2021 at 6:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Amazon prime video error (Your device is connected to 
the internet using a VPN or proxy service)
Hi everyone, has anyone come across this yet where Prime Video will not play? 
This is what is on the screen: (Your device is connected to the internet using 
a VPN or proxy service. Please disable it and try again.) We have called Amazon 
and they told us to contact our ISP. We only see this on our wireless 
networks. Talking with our ISP, it seems this is happening more and more, and 
what basically has happened is our NAT IPs for our wireless have been 
blacklisted and now we have to remove ourselves from these lists. Has anyone else 
come across this yet? If so, how successful has it been to remove yourself from 
these lists?

Thank you
Pino



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



RE: PoE Load Tester Recommendation

2021-09-09 Thread Jeffrey D. Sessler
I don't know about other brands, but if you have Cisco Catalyst switches, many 
have a built-in TDR that can help with determining if you have a cable/distance 
issue.  In a building we completed a couple of years ago I found some of the AP 
runs exceeded 100m (conduit plan not followed), which did limit multigig speeds.

If you are having POE and link issues not meeting your needs, did your 
low-voltage vendor commit any sins such as bundling Cat6a tightly together with 
zip ties and in long uniform bundles?  If they didn't use F/UTP, those very 
pretty bundles/dressing can be murder on alien crosstalk.

Lastly, for PoE in particular, did you happen to use reduced-size thin or 
ultrathin Cat6 patch cables?  For newer APs that require 30-60W, those thin 
Cat6a cables can contribute to power issues.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Floyd, Brad
Sent: Thursday, September 09, 2021 8:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PoE Load Tester Recommendation

Hey JJ,
Good to hear from you, thanks for the reply. It looks like (from the 
description) the LinkRunner G2 and above will do the actual PoE load test I'm 
looking for (not just repeating what LLDP/CDP is saying the capabilities are). 
The LinkRunner 10G also appears to test the NBASE-T / 802.3bz standard for 
M-Gig. I've had some new construction recently where most all APs in a building 
link up at 5 Gbps, but a couple only link up at 2.5 Gbps. I would like to be 
able to test for that too. However, the $6k+ price tag is fairly steep.

Hopefully we can catch up again post-pandemic at WLPC soon. Is the domain 
change from CAD to Viszen a good thing? We can discuss offline if you prefer.
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
On Behalf Of Jennifer Minella
Sent: Wednesday, September 8, 2021 4:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PoE Load Tester Recommendation


[EXTERNAL SENDER]
Hi Brad,
If your team or a friend has a NetAlly tool around, that would kill a few birds 
with one stone and provide detailed PoE reporting (among a million other 
things).
https://www.netally.com/products/

Specifically, these are the wired products. Starting at the LinkRunner AT model 
and going up, those have various PoE validation capabilities, increasing in 
capability as you head up to the LinkRunner G2 and then EtherScope nXG (which 
also does WiFi testing and makes coffee for you).

Some of them can also be remotely controlled, so you can throw it to NOC, a 
tech, intern, whatever - and control it from the Interwebs.


_
Jennifer Minella, CISSP
Founder, Principal Advisor- Security Architecture
Viszen Security
919.539.2726 mobile/text
j...@viszensecurity.com
https://www.viszensecurity.com
Get free network security insights delivered to your inbox 

Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Jeffrey D. Sessler
I 2nd Tim’s suggestion.  If the VPN is Cisco-based, they support using SAML 
against AzureAD including MFA.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Manon Lessard 

Date: Thursday, August 26, 2021 at 7:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
We are talking VPN here and for the entire campus…

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, poste 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Avis relatif à la confidentialité | Notice of 
Confidentiality


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of James Andrewartha 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, August 26, 2021 at 10:50 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

Microsoft note this behaviour and have some sort of workaround in their NPS MFA 
extension: 
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole, use MFA to 
provision a client cert and do EAP-TLS instead.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Manon Lessard 

Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, 26 August 2021 at 10:20 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA

A question not directly related to Wi-Fi, but related to ISE which seems to be 
something some of you use.

We are currently authenticating a VPN test group via ISE through NPS servers 
(defined as a token server).
The goal is to do MFA with Azure through the Authenticator app on people’s 
phones.
Everything works, but Authenticator pops up for confirmation, sometimes 2 to 3 
times, even if one has accepted the first confirmation…

I would like to have feedback from people who used something like that and have 
solved the multiple Authenticator prompts.

Thank you

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, poste 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Avis relatif à la confidentialité | Notice of 

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
CAs have done nothing in fifteen-plus years, so from a risk management 
perspective, the chance of them changing course now is rather low. As to future 
RFCs, even if that happened tomorrow, it could be a decade or more before there 
was broad support, and more importantly, we could think about enforcement.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Monday, August 09, 2021 8:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

CA policies really have nothing to do with implementations of other protocols. 
There have been many discussions about this on this list and others, and a 
future RFC will likely include further clarity. However, as I've said in the 
past, RFCs do not dictate CA/B policies.

If we're going to continue this discussion, we should fork a new thread as it 
has nothing to do with the original question.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jeffrey D. Sessler <j...@scrippscollege.edu>
Sent: Monday, August 9, 2021 10:53
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


Per the RFC, the certificate-using application _MAY_ require the EAP extended 
key usage extension to be present. It is not a must or shall, so I'm not 
exactly sure what the problem is here. Vendors have chosen not to require it.



The certificate-using application appears to be satisfied by the server 
authentication EKU, which is appropriate, and I don't see why the public CA 
would consider it a misuse and invalidate it.



As others have indicated, this is the de facto, and right or wrong, it's not 
going to change and not worth getting stirred up about.



jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler <029e57f9967b-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 7:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Well, here is Microsoft's take on it...



https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap










From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
Per the RFC, the certificate-using application _MAY_ require the EAP extended 
key usage extension to be present. It is not a must or shall, so I’m not 
exactly sure what the problem is here. Vendors have chosen not to require it.

The certificate-using application appears to be satisfied by the server 
authentication EKU, which is appropriate, and I don’t see why the public CA 
would consider it a misuse and invalidate it.

As others have indicated, this is the de facto, and right or wrong, it’s not 
going to change and not worth getting stirred up about.

jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 7:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root
Well, here is Microsoft's take on it...

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

I started working on something but decided it is not something I really have 
the cycles to maintain over time. (And I've found over the years that most 
people don't follow best practices anyway.)

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Tim -

Didn't you write up an explanation for all these issues?  You were going to be 
able to point to that page since these issues resurface so often.

Doug


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web 

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
I’m curious about this and would like to know more. Many operating systems 
require the Server Auth (1.3.6.1.5.5.7.3.1) EKU, and MS calls this out as a 
requirement for EAP. Last I looked, public CAs include this when minting a 
so-called web server cert.

Jeff
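The two EKU positions in this thread (public CAs mint serverAuth, 1.3.6.1.5.5.7.3.1, and the RFC says an application MAY additionally require an EAP EKU) can be checked against a certificate directly. The Go program below is an added example, not code from the list or any vendor; the certificates it inspects are self-signed test data minted inside the block, the host name is hypothetical, and the EAP OID is id-kp-eapOverLAN from RFC 4334.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-kp-eapOverLAN (RFC 4334), the EAP-specific EKU that a certificate-using
// application MAY require. The "Server Auth" EKU named in the thread,
// 1.3.6.1.5.5.7.3.1 (RFC 5280 id-kp-serverAuth), is already known to Go as
// x509.ExtKeyUsageServerAuth.
var oidEAPOverLAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 14}

// EKUReport records what an EAP supplicant would find in a server certificate.
type EKUReport struct {
	HasServerAuth   bool
	HasEAPOverLAN   bool
	AcceptedLenient bool // serverAuth alone suffices: the de facto vendor behaviour
	AcceptedStrict  bool // an EAP EKU is also required: the RFC's "MAY require"
}

// InspectEKU classifies a parsed certificate. Go maps id-kp-serverAuth into
// cert.ExtKeyUsage and leaves OIDs it does not know, such as the EAP EKUs,
// in cert.UnknownExtKeyUsage, so both lists have to be checked.
func InspectEKU(cert *x509.Certificate) EKUReport {
	var r EKUReport
	for _, ku := range cert.ExtKeyUsage {
		if ku == x509.ExtKeyUsageServerAuth {
			r.HasServerAuth = true
		}
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(oidEAPOverLAN) {
			r.HasEAPOverLAN = true
		}
	}
	r.AcceptedLenient = r.HasServerAuth
	r.AcceptedStrict = r.HasServerAuth && r.HasEAPOverLAN
	return r
}

// mintAndInspect mints a throwaway self-signed certificate carrying the given
// EKUs and re-parses it exactly as a supplicant would. This is constructed
// test data; a real cert would be loaded with x509.ParseCertificate instead.
func mintAndInspect(known []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier) (EKUReport, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return EKUReport{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "radius.example.edu"}, // hypothetical
		DNSNames:           []string{"radius.example.edu"},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        known,
		UnknownExtKeyUsage: extra,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return EKUReport{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return EKUReport{}, err
	}
	return InspectEKU(cert), nil
}

// PublicCAStyle mimics the EKUs a public CA mints into a "web server cert":
// serverAuth (plus clientAuth), but no EAP EKU.
func PublicCAStyle() (EKUReport, error) {
	return mintAndInspect([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, nil)
}

// PrivatePKIStyle mimics a private EAP PKI that keeps serverAuth (so
// supplicants that insist on it stay happy) and also asserts id-kp-eapOverLAN.
func PrivatePKIStyle() (EKUReport, error) {
	return mintAndInspect([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []asn1.ObjectIdentifier{oidEAPOverLAN})
}

func main() {
	pub, _ := PublicCAStyle()
	priv, _ := PrivatePKIStyle()
	fmt.Printf("public CA style:   %+v\nprivate PKI style: %+v\n", pub, priv)
}
```

The public-CA-style cert passes the lenient check that vendors actually apply and fails the strict one; only a PKI you control can add the EAP EKU that satisfies both.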


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 5:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root
A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster).







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 

RE: [WIRELESS-LAN] can Active Directory backend for ISE be tested before adding all wireless auth?

2021-08-04 Thread Jeffrey D. Sessler
As a point of reference, if you are cloud-based and have deployed Microsoft’s 
AADDS (Azure Active Directory Domain Services), the architecture model for that 
service puts a LB in front of the DCs to assist with service scale out, 
including replica sets across geographic regions.

One could accomplish this within each individual service, but as the number of 
services increases, there is a point where hiding that complexity behind a LB 
makes the management a bit easier including DR/business continuity.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Manon Lessard
Sent: Tuesday, August 03, 2021 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] can Active Directory backend for ISE be tested 
before adding all wireless auth?

Spurgeon

We tend to load balance a whole bunch of things, but I would really be 
concerned about load balancing AD servers because the VS would itself add some 
latency. Not saying it wouldn’t work, just my own experience.
I would rather rely on dedicating AD servers to some “site” and use the “site” 
as a way to establish a pecking order. So the stuff that’s crucial (ex: Auth) 
would be tied to a “critical” site, and thus be served first.

Also, I would strongly suggest that the groups which are whitelisted and added 
are not too large. They are only what the ISE server has to use to look up 
users. With ISE the AD connector can deal with not being everywhere; make good 
use of it. ACS 5 didn’t have that capability and thus was real slow, esp. since 
it had to browse the whole thing.

And remember, ad_agent.log is your friend; if it whines, there’s a problem.

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, poste 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Avis relatif à la confidentialité | Notice of 
Confidentiality


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Spurgeon, Charles E" <c.spurg...@austin.utexas.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
Date: Tuesday, August 3, 2021 at 11:41 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] can Active Directory backend for ISE be tested 
before adding all wireless auth?

I have no answer for dev testing of AD performance. However, I do have some 
links to Cisco info on ISE scaling and deployment that I saved for future ref. 
Here they are in case they may be of use:

  1.  “2019 How Cisco Deployed ISE”
https://www.ciscolive.com/global/on-demand-library.html?search=dgtl-brkcoc%20ise=dgtl-brkcoc+ise#/session/1573153539632001Je9Y
  2.  2018 – “Designing ISE for Scale and High Availability”
https://www.ciscolive.com/global/on-demand-library.html?search=dgtl-brkcoc%20ise=dgtl-brkcoc+ise#/session/1500302030233001WuLd
  3.  “ISE Performance and Scale” community doc with current updates:
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

FWIW, I recall hearing somewhere (probably a 

RE: [WIRELESS-LAN] Ekahau Licensing & Alternatives

2021-07-20 Thread Jeffrey D. Sessler
I think it is reasonable for Ekahau to enforce their license, especially when 
licensing it for multiple team members may be cheaper than using a third party. 
 Then again, if pushing the envelope of the licensing is what made it less 
money than using a third party, perhaps shifting that work back out to a third 
party is a good idea?

Unless the college’s strategic plan includes wireless surveying, this could be 
an opportunity to get out of the business and have those FTE’s focused on 
something that is strategically important to the college’s goals. It’s like 
“running servers” not being part of the organization’s strategic plan and 
shifting that infrastructure work toward SaaS/IaaS, focusing those FTE 
resources elsewhere.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jason Cook
Sent: Monday, July 19, 2021 5:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ekahau Licensing & Alternatives

We’ve always had it attached to a team name (e.g. wifiteam@) which is clearly 
generic.
Our license didn’t get cancelled, but they did email and ring to state we were 
out of compliance and wanted to chat and resolve the situation instead of 
cutting off access. Perhaps they changed their process 

It’s still the best product and we have an external group we sometimes use to do 
surveys who also have their own copy (I’ll have to see how they have fared with 
the licensing). After some staff changes I’m the only one who knows the 
software, so right now this isn’t a huge issue but that will change.

It’s not unreasonable for them to ensure their product is licensed and used 
correctly; it would be great if they could consider our use cases and provide a 
more reasonable solution.



--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005
---
This email message is intended only for the addressee(s) and contains 
information which may be confidential and/or copyright.  If you are not the 
intended recipient please do not read, save, forward, disclose, or copy the 
contents of this email. If this email has been sent to you in error, please 
notify the sender by reply email and delete this email and any copies or links 
to this email completely and immediately from your system.  No representation 
is made that this email is free of viruses.  Virus scanning is recommended and 
is the responsibility of the recipient.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
On Behalf Of James Helzerman
Sent: Monday, 19 July 2021 11:46 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ekahau Licensing & Alternatives

Hi, how did they know it was a generic account?  Are they sending back 
information about the device it's on and mapping the login?  Or are they just 
using some heuristic that looks to see if it may be a generic account, such as 
sending emails to that user account and getting no response?

Jimmy

On Sun, Jul 18, 2021, 10:56 PM Jason Cook <jason.c...@adelaide.edu.au> wrote:
This frustrated us a bit too. Their licensing seems to be aimed primarily at 
Wifi professionals who use this all the time/profit from it as part of their 
business. Doesn’t really fit our environments at all.

Over the course of a year, let's say at best we'd use this at .5 of an FTE (I'm 
probably overstating that; would prefer to use it more but we just don't have 
time).
There are 5 people in our team. We aren't going to pay for 5 licenses for 
something that is used so little… not at the license cost they have anyway.

Oh well.. what’s the difference in a generic email versus personal email for 
them anyway..


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Dan Lauing
Sent: Monday, 19 July 2021 11:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ekahau Licensing & Alternatives

I don't blame them for not wanting multiple users on a single license.

However, I do blame them for not warning us that we were 

RE: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Cisco 8540 Code Recommendation, Based on Stability?

2021-06-09 Thread Jeffrey D. Sessler
I would encourage those with these open cases to join the EFT. Once you join, 
you get to interface directly with the BU, with direct eyes-on from the 
developers.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rios, Hector J
Sent: Wednesday, June 09, 2021 2:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Cisco 8540 Code 
Recommendation, Based on Stability?

The log “chatter: lat_client_add(422): Failed to add client” is documented in 
CSCvv78366. The release notes for 8.10.151 say that it is resolved, but it is 
not. From the troubleshooting I’ve done, even on MR5, it appears this bug is 
purely cosmetic. I have not had issues connecting to APs experiencing this bug 
when I have tested. The biggest issue with this bug is all the trash that it is 
generating.

Hector Rios, UT Austin

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Mathieu Sturm
Sent: Tuesday, June 8, 2021 2:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Cisco 8540 Code 
Recommendation, Based on Stability?

Hello all,

We were struggling with this issue as well on version 8.10.130.0. We created a 
TAC case (SR 690110031) last year, but due to COVID and lockdowns we couldn’t 
reproduce the issue. We only saw these issues in places where there were a lot 
of clients/roaming. On these APs the logs were filled with “chatter: 
lat_client_add(422): Failed to add client”. Not sure if this was related 
though. We only saw this issue on newer APs (2800/3800 and 9120s).

No fix so far (and apparently not even in 8.10.151). Cisco pointed us to bug ID 
CSCvv78719 and we had to disable MU-MIMO.
We weren’t able to verify this fix.

Regards


Mathieu Sturm
Senior Network Administrator

Directorate of Finance, Infrastructure and IT
Network Management Department
Campus Schoonmeerssen - Building B, Room B0.75
Valentin Vaerwyckweg 1 - 9000 Gent
+32 9 243 35 23
www.hogent.be

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jonathan Oakden
Sent: Wednesday, 2 June 2021 17:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Cisco 8540 Code 
Recommendation, Based on Stability?

Not sure as yet as we have been too busy to get this over to TAC at the moment 
since we identified the problem and came across this bug ID at the end of last 
week. It’s certainly the closest match we can find.
We can see that most of our 2801 APs sit at around 30-50% memory utilisation, 
however around 6% of them (about 320) are currently above 60% which is unusual. 
These appear to be climbing steadily at around 3-4% per week as though there is 
a memory leak.
We first spotted this when we got reports from students in a residence saying 
they were connected to wifi but nothing was working. Looking at the AP it was 
sat at 95% memory utilisation. Rebooting the AP restored service. However, we 
then looked at nearby APs and could see them climbing as well. It doesn’t 
appear to be all our APs but some unknown subsection of them.
We only went to 8.10 as we had bought some 9105 APs.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Date: Wednesday, 2 June 2021 at 16:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Cisco 8540 Code 
Recommendation, Based on Stability?
That one’s interesting because it shows affected code is 8.5(140.0), and only 
one case... is TAC agreeing it’s the same bug? Just curious.
Lee Badman (mobile)

On Jun 2, 2021, at 11:23 AM, Jonathan Oakden <j.p.oak...@lboro.ac.uk> wrote:

We are on 8.10.151 for the last couple of months here at Loughborough 
University in England. We think we are being hit quite badly by this bug:
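The memory creep Jonathan Oakden describes in the quoted chain above (most 2800-series APs at 30-50%, a subset above 60% and climbing 3-4% a week until service stopped near 95%) is worth catching before residents report it. The script below is an added example, not code from the thread or from Cisco: it runs over constructed weekly per-AP memory samples (AP names, thresholds and the leak slope are assumptions taken from the numbers in the thread) and flags APs that are over the watermark or trending like a leak, with a rough ETA to the 95% level.

```python
"""Flag access points whose memory utilisation is high or climbing.

Added example, not from the list thread or any Cisco tool. Input is a
constructed list of (ap, week_index, mem_percent) samples; a real deployment
would feed it SNMP polls or WLC 'show ap' output collected on a schedule.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds, taken from the figures in the thread:
# >60% is unusual for these APs, ~3-4%/week looks like a leak, 95% is where service stopped.
HIGH_WATERMARK = 60.0
LEAK_SLOPE_PER_WEEK = 3.0
FAILURE_LEVEL = 95.0
MIN_SAMPLES = 3  # need a few points before calling something a trend


@dataclass
class Finding:
    ap: str
    latest: float
    slope: float   # estimated % per week (0.0 when too few samples)
    reason: str


def weekly_slope(samples):
    """Least-squares slope of (week, utilisation) pairs, in % per week."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x = sum(w for w, _ in samples) / n
    mean_y = sum(u for _, u in samples) / n
    num = sum((w - mean_x) * (u - mean_y) for w, u in samples)
    den = sum((w - mean_x) ** 2 for w, _ in samples)
    return num / den if den else 0.0


def analyse(records):
    """Group samples per AP and return Findings, highest current utilisation first."""
    by_ap = defaultdict(list)
    for ap, week, mem in records:
        by_ap[ap].append((week, float(mem)))
    findings = []
    for ap, samples in by_ap.items():
        samples.sort()  # chronological order by week index
        latest = samples[-1][1]
        slope = weekly_slope(samples) if len(samples) >= MIN_SAMPLES else 0.0
        reasons = []
        if latest > HIGH_WATERMARK:
            reasons.append("above high watermark")
        if slope >= LEAK_SLOPE_PER_WEEK:
            reasons.append("climbing like a leak")
        if reasons:
            findings.append(Finding(ap, latest, round(slope, 2), "; ".join(reasons)))
    findings.sort(key=lambda f: f.latest, reverse=True)
    return findings


def weeks_to_failure(finding, failure_at=FAILURE_LEVEL):
    """Rough weeks until the AP reaches the failure level; None if it is not climbing."""
    if finding.slope <= 0:
        return None
    return round((failure_at - finding.latest) / finding.slope, 1)


# Constructed sample data: weekly memory utilisation readings (%) per AP.
SAMPLE_RECORDS = [
    # Healthy AP, flat around 40%
    ("ap-lib-101", 0, 40), ("ap-lib-101", 1, 41), ("ap-lib-101", 2, 40), ("ap-lib-101", 3, 41),
    # Residence AP already past 60% and creeping ~3.5%/week
    ("ap-res-a12", 0, 61), ("ap-res-a12", 1, 65), ("ap-res-a12", 2, 68), ("ap-res-a12", 3, 72),
    # Still below the watermark but climbing steadily: the early warning case
    ("ap-res-b07", 0, 45), ("ap-res-b07", 1, 49), ("ap-res-b07", 2, 52), ("ap-res-b07", 3, 56),
    # One high reading with too few samples to call a trend
    ("ap-gym-003", 0, 70),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        eta = weeks_to_failure(f)
        eta_txt = f", ~{eta} weeks to {FAILURE_LEVEL:.0f}%" if eta is not None else ""
        print(f"{f.ap}: {f.latest:.0f}% now, {f.slope:+.2f}%/week ({f.reason}{eta_txt})")
```

The early-warning case (ap-res-b07) is the useful one: it is still under the watermark, so a simple threshold alarm would miss it until the week it tips over.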

Re: Cisco 8540 Code Recommendation, Based on Stability?

2021-06-03 Thread Jeffrey D. Sessler
Note on code.  Cisco does run a very helpful EFT program for their code, and in 
most cases it is supported for production use. It is also supported directly by 
the Wireless BU, which is a plus.  They will post announcements on the Cisco 
community site, and once you’ve signed up, you’ll get future announcements as 
well.  Even if you are not interested in running the code, it’s helpful to see 
what fixes/issues are being addressed in the next MR release.

Here are the current EFT offerings that I’m aware of.

17.3.4
https://community.cisco.com/t5/wireless-mobility-blogs/announcing-cisco-wireless-catalyst-9800-17-3-4-second-eft/ba-p/4412556#M728

8.10.MR6
https://community.cisco.com/t5/wireless/announcing-cisco-wireless-8-10mr6-first-eft-beta-8-10-158-55/td-p/4399108

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Date: Wednesday, June 2, 2021 at 7:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Cisco 8540 Code Recommendation, Based on Stability?
Hi all,

After a tumultuous series of code versions, a while back we settled on 8.5.151.0 
and hung on to it like grim death because it was very, very reliable.

Given that 8.5 code goes end-of-support at end of 2021, combined with latest 
rounds of announced vulnerabilities, I’m looking for recommendations in the 
8.10 train based on wanting stability above all. We have 3800s and 3700s 
currently, likely to stay that way through the next academic year.

Has anyone found an 8.10 code version for the 8540 that supports the 3700 and 
3800 while providing good daily stability?

Thanks,


Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
Chuck,

The key that you touch on is that this has to do with the organization's 
appetite for risk, and what legal says is defensible. Tell me the rules as you 
see them and I'll make adjustments accordingly to my Joo Janta 200 
Super-Chromatic Peril Sensitive Sunglasses.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Thursday, April 22, 2021 12:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

We discussed all those issues, and no doubt it opens a smelly can of worms.  
Most of these issues come into play simply by allowing employees to use 
personal devices.  If you allow for personal device use, requiring their use 
didn't create many additional legal issues.

I feel like I need to make a disclaimer here.  I'm not a lawyer, you may recall 
me getting things very wrong regarding CALEA a couple years back.  I researched 
your comments and concluded you were right and the university attorney that 
gave me contradictory information was incorrect.  It took me long enough to be 
sure of that that I never replied to the thread to say so.  I could be wrong 
about this as well, but unlike our guest network access, which was evaluated by 
one attorney and probably didn't get very much attention from her, this issue 
was taken very seriously by the controller, HR, Risk, and General Counsel.  
Outside counsel with expertise in this area was also consulted.  I'm confident 
that whatever our legal team concluded on this issue was defensible.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Enfield, Chuck
Sent: Thursday, April 22, 2021 10:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Jeff,

It makes sense that you think this is settled law, because in California it is 
settled law.  I don't recall all the details, but I was on a team involved with 
considering mobile device policies for Penn State, and we discussed a case in 
California around 2014/2015 that clarified California labor law.  The law 
required that employers reimburse employees for expenses, but said nothing 
about how those expenses should be calculated.  Some employers decided they 
only needed to reimburse marginal expenses, but the court decision said that's 
not the case.  So if you're required to use your device for work in California 
you're entitled to reimbursement of some kind.  As I recall, no specific 
reimbursement formula was recommended by the court in that case.  I assume 
there's been some standardization since, even if only de facto.

That, however, was a California court interpreting California law.  Our 
institution considered that ruling and concluded that Pennsylvania law was 
different and that we could discontinue our stipend and require certain 
employees to provide and use their own phones for work communications.  In the 
end, we stopped the stipend, but never implemented the mandate.  I was never 
informed precisely why we stopped short of the mandate.  That decision was made 
out of committee.

I'm confident there was no clear Federal requirement when we were discussing 
this in 2016, but if there's been case law or US Department of Labor guidance 
since then I wouldn't necessarily expect to know about it.  I am curious if 
anybody knows more about it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Lists

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
For sure, my lens is based on California law, however, the federal Fair Labor 
Standards Act and state overtime and wage payment laws also come into play 
here.  Since nonexempt (hourly) workers have ready access to the technology, 
they will be in a position to respond to e-mails and text messages or to 
otherwise engage in work activities outside their scheduled work hours. Even if 
you don't reimburse for the use of the personal device, there is the wage 
exposure of having to compensate those nonexempt employees because checking 
their work email is - well - working.   When we rolled out DUO, we had to offer 
all employees a token, and they signed a waiver if they wanted to use the DUO 
app on their personal phone for their convenience.

On the eDiscovery/litigation front, it can be difficult/impossible to ensure 
that business records stored on an employee's personal device are retained long 
enough to satisfy discovery requests.  There are also risks should that data 
not be available, and presents a whole other quagmire in the BYOD movement that 
is beyond this conversation.

Jeff



RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
Tim,

I would take a look at case law, where it was determined that an employer cannot 
expect an employee to use their own device without compensation.  This has 
resulted in two scenarios now.  The first being that the employer provides the 
employee with a stipend to compensate them for use of their personal device.  
The second being that employers now provide the necessary devices (tools) to 
the employee in order to carry out their duties.

For example, with COVID, many employers are providing temporary stipends to 
employees to cover Internet consumption and personal cell use.

In no way, shape or fashion can an employer compel the user to install or enroll 
their personal device into their employer's end-point management.  The employer 
could say it's an optional condition of the employee's desire, in a voluntary 
decision, to use that device for company business. Can't be forced.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Thursday, April 22, 2021 9:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Well, I can tell you that is just not the reality. Sorry!



RE: WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
My experience may be different than others’, but with tools like NetFlow, SIEM, 
location, and other assurance tools, an operator of a network service generally 
has a pretty good picture of what’s happening, and can rapidly pinpoint 
problematic devices. These tools also allow for rapid retrospective analysis of 
what said device has been up to, allowing containment at multiple levels, 
without the need to know who is at the other end of the device.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jennifer Minella
Sent: Wednesday, April 21, 2021 2:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Jeff – Yes, that’s exactly right for connections to apps/services - but what if 
we’re talking about an infected machine or malicious user? They’re not 
necessarily connecting to anything specific in terms of an application that 
would further auth them. That’s actually why I’m saying if it’s Internet-only 
and inter-station blocking is on then let them have at it, as long as the org’s 
legal team is OK with it. Otherwise, if they could access internal resources at 
the network level then those non-app based connections (L1-4) should be given 
some consideration and protection.

I don’t agree that there are enough breadcrumbs from the network admin side to 
identify a user on a device with anonymous login/auth. You’d need to either 
access data or artifacts on the device for that, or have some other means of 
traffic analysis on-network to try and piece that together. And some kind of 
extra special magic is needed if they’re on a device with private/randomized 
MAC.

Very valid point of course on the stolen creds or stolen device with device 
certs. That’s just a risk but from a compliance/audit standpoint that’s a 
different risk than an open network.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Jeffrey D. Sessler <j...@scrippscollege.edu>
Sent: Wednesday, April 21, 2021 4:05 PM
Subject: Re: WPA3/OWE as campus solution?

Jennifer,

I would hope that the service itself has authorization/admittance controls vs 
relying on the user’s device and/or the particular network the device is in for 
permission.

I’d also argue that there are enough breadcrumbs about any given device to 
determine the user without the need for them to authenticate to wireless. Then 
again, the device could just as easily be stolen, or the user’s account could 
have been compromised, and the attacker self-enrolls his/her machine or uses the 
credentials to gain access.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jennifer Minella
Sent: Wednesday, April 21, 2021 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Oh my goodness. I forgot the biggest one – if you’re going to give that user or 
device access to internal resources/assets you probably want to know who it is 
– even if it’s printers, screen casting, etc. If the user or device has access 
to critical internal resources, then you definitely need to know who it is. 
From an infosec due diligence standpoint, it would be hard to argue a defense on 
that one if a significant event were to occur.


From: Jennifer Minella <j...@cadinc.com>
Sent: Wednesday, April 21, 2021 3:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: WPA3/OWE as campus solution?

Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up 
now.

Here’s what I throw in the mix for consideration… (no recommendations just free 
flow thoughts)
Sorry this is long; WPA3 gets me really excited 


  1.  OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY 
provides OTA encryption; it does nothing for authenticating the user to the 
network NOR the network to the user.
  2.  …that means you could use a guest portal experience, with or without user 
ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X 
for key exchanges and encryption.
  3.  If you care about who the user is, you can still use a portal with 
self-registration and whatever duration you feel is appropriate. Depending on 
how much you care, a self-registration portal may (or may not) be sufficient.
  4.  If you care about protecting the user/device

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-22 Thread Jeffrey D. Sessler
On 2021-04-21 21:30:53+, Tim Cappalli wrote:
>  I'd also like to address the comment about post-college experience.
>
>  Most organizations these students are going to work at are going to 
> require MDM or MAM on their personal devices. So I fundamentally 
> disagree with the comment that they won't deal with "enrollment" post 
> campus life.

On the above specifically.  In every business scenario I've encountered, and 
it's at EDU level now too, unless you are going to compensate the user for 
access/control of their device, the business has no right to require MDM.  This 
is in the same territory as requiring an employee to check business email from 
a personal device - it must be only as an employee opt-in convenience, and not 
a substitute for the business providing that person the tools they need to do 
their job.

That's a long trip version of saying that a business is going to hand their 
employee a pre-enrolled/managed company-owned device(s) where it is the 
business' responsibility to handle whatever onboarding they've established for 
their company assets.  The individual will never encounter this activity (nor 
should they) with a personal device they own. 

Jeff

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Wednesday, April 21, 2021 7:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

On 2021-04-21 21:24:25+, Tim Cappalli wrote:
>  Why not take baby steps? One example: So many organizations talk 
> about user experience challenges of onboarding (and trust me, I hear
> you) but then issue 1 year certs and force the user through it every 
> year.
>
>  Switch to a 5 year cert (or device specific cred) and use 
> authorization rules to temporarily (or permanently) revoke access.
100%. Preach. We are kicking off a project to move from PEAP/MSCHAPv2 to 
EAP-TLS, primarily for usability reasons. There are plenty of other reasons why 
it is a good change (that I as an admin am personally excited about), but they 
are not what is pushing things forward the hardest. Right now, because 
MSCHAPv2 is hot garbage, users have a password used only for network access. We 
want to get rid of that.
Partly because _passwords_ are hot garbage.

The intent is to move to per-device certs that will expire after the device is 
dead from oxidation. The cert/key establishes _authentication_ (who is this?). 
This only breaks if the key is compromised or the device changes hands. 
Everything else is an issue of _authorization_ (is this allowed?). We're 
considering blurring that line a bit and pretending it is all authorization, 
but now I'm just rambling.

 I don't think I've said anything until this point that Tim would disagree 
with. It's here mostly for the broader discussion of the thread.

> You don't have to burn the whole forest down.
 I'm not planning on it. We'll still have a .1X network (eduroam). I just won't 
care if someone decides to not use it.

 What I do want to burn down are the dead trees - the captive portal and 
_mandated_ authentication. And that's not going to happen for a while.
EAP-TLS isn't a strict prereq, but it is more urgent, and we don't have the 
manpower to do both at the same time.

>  I'm sure your security folks would rather have a guaranteed encrypted 
> network with user identity, a 5 year cert and full control, than an 
> open network with no reliable user identity or enforcement mechanism.
 I've talked to them. They don't care. That's the simplicity zero-trust brings 
to the table. The _legal_ team on the other hand... that's a conversation that 
still needs to happen.

 I've used the term "zero-trust" some already, and I'm about to a lot more, so 
let's get past the buzz-word and define it. By "zero-trust", I am making the 
explicit choice to _NOT_:
  - care who you are
  - make any assumption about the security posture of the device
  - make any assumption about the network between us (encrypted, MitM,
etc)
 I _might_ care if your identity is knowable. Subtle but important distinction 
here: I _might_ care if the question, "Who are you?" has a meaningful answer, 
for the sake of accountability. I do _not_ care what that answer is.
 Also, some of these questions obviously need answering somewhere around layer 
7. But, layers 1-3 are not designed to answer those questions and are really 
bad at trying. Zero-trust is specifically layers 1-3.

 On enforcement, let's take a trip into the nuances of our implementation of 
zero-trust (told you I was going to use it more).
 Right now, if you connect on eduroam (VT affiliate or a roaming user), as a 
sponsored guest, or with a (MAC) registered device, you end up in the same 
network. Let's call it the accountable network.
 If you connect as a self-sponsored guest, you end up in a different network. 
Let's call it the unaccountable network.
 The unaccountable network is a different routing 

RE: WPA3/OWE as campus solution?

2021-04-21 Thread Jeffrey D. Sessler
Jennifer,

I would hope that the service itself has authorization/admittance controls vs 
relying on the user’s device and/or the particular network the device is in for 
permission.

I’d also argue that there are enough breadcrumbs about any given device to 
determine the user without the need for them to authenticate to wireless. Then 
again, the device could just as easily be stolen, or the user’s account could 
have been compromised, and the attacker self-enrolls his/her machine/uses the 
credentials to gain access.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jennifer Minella
Sent: Wednesday, April 21, 2021 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Oh my goodness. I forgot the biggest one – if you’re going to give that user or 
device access to internal resources/assets you probably want to know who it is 
– even if it’s printers, screen casting, etc. If the user or device has access 
to critical internal resources, then you definitely need to know who it is. 
From an infosec due diligence standpoint, it would be hard to argue a defense on 
that one if a significant event were to occur.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Jennifer Minella <j...@cadinc.com>
Sent: Wednesday, April 21, 2021 3:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: WPA3/OWE as campus solution?

Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up 
now.

Here’s what I throw in the mix for consideration… (no recommendations just free 
flow thoughts)
Sorry this is long; WPA3 gets me really excited 


  1.  OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY 
provides OTA encryption; it does nothing for authenticating the user to the 
network NOR the network to the user.
  2.  …that means you could use a guest portal experience, with or without user 
ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X 
for key exchanges and encryption.
  3.  If you care about who the user is, you can still use a portal with 
self-registration and whatever duration you feel is appropriate. Depending on 
how much you care, a self-registration portal may (or may not) be sufficient.
  4.  If you care about protecting the user/device against a MiTM or evil twin 
attack, then you probably prefer a mechanism that allows some type of 
authentication, which is typically mutual authentication (e.g. 1X).
  5.  Under WPA3, security is increased across the board and will be ongoing 
(not fixed). Including replacing Pre-Shared Key (PSK) with SAE- which 
looks/feels JUST like PSK to admins/users but further protects assets by using 
unique key derivations for each endpoint. So… if someone has the passcode they 
can get on, but they can’t decrypt any other traffic even if the endpoint(s) 
are using the same key. The list of enhancements goes on and on.
  6.  Does your organization require traceability of users for any internal or 
external policies or compliance? This could be for security reasons, compliance 
with IP and digital rights, or other needs. One Uni org I’ve worked with 
successfully stopped a student from a suicide attempt when the student posted 
online- they physically located the person and saved them from what they were 
about to do… There are a lot of things to consider and every org is different.
  7.  Whether or not portal acceptable use and/or user ID/registration is 
needed is a hotly-debated topic and has a lot of “it depends”. I recently asked 
several CISOs, lawyers, auditors, and cyber security friends at the FBI.
 *   The CISOs feel it’s “window dressing” except that per …
 *   …Lawyers, there may be some legal protection if a user compromised 
while on your network comes after you (e.g. policy says “org not responsible 
for anything resulting from use of their network”).
 *   The FBI says they need “something” to open a case and prosecute (e.g. 
Acceptable Use clause or access banner).
 *   In Europe (I’m told) orgs providing public internet access fall under 
ISP laws, and therefore must be diligent about registration/acceptable use/etc. 
By policy/compliance they have stricter rules for requiring accountability and 
registration.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Enfield, Chuck <cae...@psu.edu>
Sent: Friday, April 16, 2021 4:57 PM
Subject: Re: WPA3/OWE as campus solution?

I’ve been floating this idea to IT leadership for years, with no 
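
Item 5 of the list above contrasts PSK with SAE. What follows is an added example, not part of this thread, implementing in Go what WPA2-PSK actually does per IEEE 802.11i: the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), identical for every station on the SSID, and the PTK is PRF-384 over the PMK, both MAC addresses and both handshake nonces. Because the MACs and nonces cross the air in the clear in the 4-way handshake, anyone holding the passphrase who captures a neighbour's handshake derives that neighbour's traffic key (TK). SAE replaces the PBKDF2 step with a per-association Dragonfly exchange whose PMK cannot be computed from the passphrase plus the captured frames; that exchange is not implemented here. The MAC addresses and nonces are constructed sample values; the PMK check value ("password"/"IEEE") is the pass-phrase-to-PSK test vector published with 802.11i. Function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// pbkdf2Sha1 is PBKDF2-HMAC-SHA1 (RFC 2898), written out so the example needs only
// the standard library.
func pbkdf2Sha1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	mac := hmac.New(sha1.New, password)
	for block := 1; len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)             // U1
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i = HMAC(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// wpa2PMK is the 802.11i passphrase-to-PSK mapping: PBKDF2(passphrase, SSID, 4096, 256 bits).
// Every station using this SSID and passphrase ends up with the *same* PMK.
func wpa2PMK(passphrase, ssid string) []byte {
	return pbkdf2Sha1([]byte(passphrase), []byte(ssid), 4096, 32)
}

// prf is the 802.11i PRF-n built on HMAC-SHA1: R = HMAC(K, A || 0x00 || B || i) for i = 0, 1, ...
func prf(key []byte, label string, data []byte, bits int) []byte {
	var out []byte
	for i := 0; len(out)*8 < bits; i++ {
		mac := hmac.New(sha1.New, key)
		mac.Write([]byte(label))
		mac.Write([]byte{0})
		mac.Write(data)
		mac.Write([]byte{byte(i)})
		out = mac.Sum(out)
	}
	return out[:bits/8]
}

func minMax(a, b []byte) ([]byte, []byte) {
	if bytes.Compare(a, b) < 0 {
		return a, b
	}
	return b, a
}

// derivePTK computes the 4-way-handshake PTK (PRF-384) and splits it into KCK, KEK and TK.
// aa/spa are the AP and station MACs, anonce/snonce the 32-byte nonces from handshake
// messages 1 and 2; all four are sent unencrypted.
func derivePTK(pmk, aa, spa, anonce, snonce []byte) (kck, kek, tk []byte) {
	lo, hi := minMax(aa, spa)
	nlo, nhi := minMax(anonce, snonce)
	var b []byte
	b = append(b, lo...)
	b = append(b, hi...)
	b = append(b, nlo...)
	b = append(b, nhi...)
	ptk := prf(pmk, "Pairwise key expansion", b, 384)
	return ptk[0:16], ptk[16:32], ptk[32:48]
}

// eavesdropperTK is what a third party holding only the passphrase and a passive capture
// of someone else's handshake can compute: that station's traffic key.
func eavesdropperTK(passphrase, ssid string, aa, spa, anonce, snonce []byte) []byte {
	_, _, tk := derivePTK(wpa2PMK(passphrase, ssid), aa, spa, anonce, snonce)
	return tk
}

func main() {
	pmk := wpa2PMK("password", "IEEE") // published test vector inputs
	fmt.Println("PMK:", hex.EncodeToString(pmk))
	// Constructed sample MACs and nonces standing in for a captured handshake.
	aa := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	spa := []byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
	anonce := bytes.Repeat([]byte{0x01}, 32)
	snonce := bytes.Repeat([]byte{0x02}, 32)
	_, _, tk := derivePTK(pmk, aa, spa, anonce, snonce)
	fmt.Println("station TK :", hex.EncodeToString(tk))
	fmt.Println("observer TK:", hex.EncodeToString(eavesdropperTK("password", "IEEE", aa, spa, anonce, snonce)))
}
```

Running it prints the same TK for the station and the observer, which is the whole point: on a shared-passphrase WPA2 SSID, confidentiality between users is zero for anyone who also has the passphrase and was listening when they associated. Under SAE the passphrase still gates admission (so "if someone has the passcode they can get on" holds), but each association's PMK comes out of the Dragonfly exchange rather than PBKDF2, so the captured handshake plus the passphrase no longer yields a neighbour's keys.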

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-19 Thread Jeffrey D. Sessler
Note on that link, "After thorough review, the final court decision appears to 
allow for most, if not all, campus networks to be exempt from compliance."

CALEA: It doesn't apply to universities and libraries after all
https://library.educause.edu/resources/2007/5/calea-it-doesnt-apply-to-universities-and-libraries-after-all

Jeff
-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Friday, April 16, 2021 4:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

On 2021-04-16 22:38:48+0000, Jeffrey D. Sessler wrote:
> Educause did an extensive review of DMCA and concluded there is no 
> need to "know with reasonable certainty who is using the network."

 What about for CALEA? I found [this][1] page, but all the FAQs linked are dead 
links.

[1]: https://library.educause.edu/topics/policy-and-law/calea

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



RE: [External] Re: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

2021-04-19 Thread Jeffrey D. Sessler
We've never used rate limits.  Doing the math, the price for larger internet 
pipes was significantly less than the rate/traffic shaping technology plus 
related FTE staffing costs.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Adam T. Ferrero
Sent: Tuesday, April 13, 2021 4:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Rate Limits on Guest 
Wi-Fi


  Once we got all our pipes bigger than most folks could use, we dropped all 
the rate limiting games we were playing.  It's simpler and easier to operate.  
On the wired side, when we were increasing from 10 to 100 to gig we used to 
wrongly think they're going to use it all up and our upstream pipes will have 
to be massive to deal with it.  Users just use what they need/want and when you 
raise their throughput ceiling they'll just get it faster and get out of the 
way.  Third party optics and internet bandwidth are all cheap now.

  Adam

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Martin MacLeod-Brown
Sent: Tuesday, April 13, 2021 3:12 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] Re: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

That is an interesting question. I believe (perhaps wrongly) that rate limiting 
increases Wi-Fi inefficiency as you are then forcing the client to stay on the 
medium longer to transmit/receive data?
We used to rate limit back in the day, but then removed all limits when we went 
to 802.11ac and didn't notice any impact to the network...

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: 13 April 2021 00:21
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

Hello,

Curious to know if any have removed or recently raised the rate limit on the 
Guest Wi-Fi network at your institution, particularly large universities or 
hospitals.  If you have taken that step how is it going?  Also curious to hear 
what speeds you rate limit to if it is rate limited and how you came to that 
conclusion.

Thanks,

--
Curtis K. Larsen
Wireless Network Engineer III
The University of Utah




RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jeffrey D. Sessler
Paul,

Educause did an extensive review of DMCA and concluded there is no need to 
“know with reasonable certainty who is using the network.”  Colleges have opted 
to do so for education purposes, but it’s not required. I would recommend 
reading the FAQ educause put together as you may be spending a lot of 
time/expense for something you do not need to do.

https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/dmca-faq

What if I can’t match the IP address and time stamp given in a DMCA notice to 
an individual?
If your institution, after taking reasonable efforts to investigate and match a 
user to the IP address designated in the DMCA notice, cannot, for technical or 
other legitimate reasons, match a user to this IP address, the DMCA does not 
specifically require any other action.

11. Are there different requirements for claims relating to student-owned 
computers (e.g., in residence halls) than for computers owned by the 
institution?

Most student and guest activity on university networks occurs through 
personally owned equipment and thus falls under 17 U.S.C. Section 512(a). This 
section provides immunity to the ISP for information that simply transits the 
ISP’s networks, with no direction, input, or interference from the ISP itself, 
and is not stored anywhere on the ISP’s network. Notably, no additional 
proactive steps are required for an ISP to avail itself of this immunity. 
However, for a variety of reasons, some institutions have made a policy 
decision to treat these notices as if they fall under Section 512(c), 
terminating users from the network unless and until the infringing content is 
removed. Often such activity is handled through a student affairs process, 
rather than as a legal or IT matter, so as to seize upon a “teachable moment” 
for students. And while there may be no legal requirements under this section 
of the DMCA, the HEOA requirements still apply. See Question 18.


Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Neumann, Paul
Sent: Friday, April 16, 2021 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I agree that forcing clients to jump through hoops unnecessarily is a Bad Thing. 
 Requiring someone to go through a simple self-service onboarding process (or 
proceed as guest without access to Uni resources) does not seem unreasonable to 
me.  The problem is that we do these measures because we have to.  Federal 
requirements such as DMCA, CALEA force us to know with reasonable certainty who 
is using the network and to be able to provide those records upon demand – 
which for DMCA happens regularly.  I need to be able to tell the Motion Picture 
Association of America that student X downloaded Shrek at 10:10pm last night -- 
by federal law.

If there were a federal law requiring you to provide proof of who used the 
shower last night at 10:10pm, there might also be an onboarding process/logins 
for your sinks and showers.

Universities occupy an interesting niche.  We’re very reluctant to do things 
that most businesses have no problems doing.  Corporations have no problem 
disallowing BYOD, performing posture assessment upon login,  forcing you to 
install certs to allow deep packet inspection or forcing you through extremely 
restrictive proxies.  Requiring only a userid/password and unrestricted 
Internet would appear crazy to most large corporations.

Paul
--
Paul Neumann
Lead Network Engineer

Technology Solutions (Formerly ACCC) Network Services
University of Illinois at Chicago
E: pa...@uic.edu
P: (312) 355-0113

it.uic.edu
Visit the new UIC Help Center at help.uic.edu to find IT services, Answers, and 
Support!

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Jeffrey D. Sessler
Sent: Friday, April 16, 2021 11:47 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals cent

RE: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-16 Thread Jeffrey D. Sessler
I’m all for the connection experience being as simple as possible. We subject 
our casual users to often extreme onboarding measures when they’ll never 
experience this outside of their 4-years, or even outside the college community.

If we consider the forward march to SaaS and other aaS products in higher 
education, in the not so distant future, we’ll run almost nothing on-campus. 
Wireless will just be a commodity connection-point out to a bunch of Internet 
services. If an end user can “do what they need” at the myriad wifi hotspot 
locations in the US e.g. starbucks, then we shouldn’t need to ask them to jump 
through more hoops just because they are on a college campus.  Is there such a 
thing as wireless elitism?

Perhaps the challenge with wireless is that it’s still a service owned and 
managed by IT? If the governance was customer focused, with goals centered on 
community experience vs enterprise risk, perhaps a happy medium could be 
reached between what the consumer of the service desires, and what those 
managing it can provide?
If my facilities director told me that the water spigot I wanted installed in 
my building required a pass-code or onboarding before use, I’d consider them 
crazy. After all, my home version requires a simple turn of the handle.  When I 
look at what lengths some of us have gone with our college wifi, I wonder if 
the pass-code water spigot is far off.  

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

All good input- again, just thinking free here... thanks for playing the game.
Lee Badman (mobile)


On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:

So - truly thinking out loud...

1. To Tim's point on lack of identity, the unstated requirement that could be 
chosen to be fulfilled or not - there would need to be post-connect, 
post-activity monitoring such that "bad activity" could be detected, mitigated, 
prevented.  Anybody and any device within throw range of the WLAN could connect 
and do whatever they want, within the bounds of monitoring and enforcement at 
L2/L3/L7.  IRL - none of your doors have locks, but you could choose to 
implement security cameras if someone you don't know comes in to take the TV.

2.  It certainly suggests creating "network segments of one" to ensure that a 
bad actor with a connected device cannot recon or exploit the other local 
connected devices, systems, apps, protocols.   Suggests all local traffic 
would have to be firewalled or proxied, or else the "network segment of one" 
architecture is unenforceable.

2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
co-opts an attached non-IT device (like a smart TV) and "does something bad" - 
that's OK.  This then suggests that consequences of consumer IT product vendors 
implementing poor embedded software systems/exploitable protocols would trickle 
down to the end-user and back out to the consumer IT vendor.

2b.  Also suggests that if the local network segments are not policed using 
firewalls of some sort, then the local IT-managed systems (if there ARE any) - 
definitely need to be up to date on patch management and support and 
vendor-product-software security.

-- Dave


On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
 wrote:
Not sure how, or even if you’d need to depending on how it all worked. No plan 
here, just discussion..

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w 
its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Tim Cappalli
Sent: Friday, April 16, 2021 10:23 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

How would you limit local services like printing, screen mirroring, media 
casting, etc?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, April 16, 2021 10:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

RE: [WIRELESS-LAN] Issues with Zoom in Res Halls

2021-01-25 Thread Jeffrey D. Sessler
There was mention of a bug in one of the code bases (maybe 8.5) that could 
cause this, but there was updated code for it. 

Also, go have a look at the events for the AP's in question.  We had a few 
reports of call pauses/lags, and with the Zoom diagnostic data from the meeting 
details in-hand, we correlated it to the client's connected AP switching 
channels because of RRM/Interference.  

If you're not familiar with the Zoom client/meeting data, ask your Zoom admin 
to give you access to the dashboard. For live and past meetings you can see a 
wealth of information on what the client is up to and how it is performing. 

Jeff

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Charles Rumford
Sent: Friday, January 22, 2021 7:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Issues with Zoom in Res Halls

Hey -

We have started getting reports of issues with Zoom calls in our Res Halls. 
Most of the complaints have been around multiple drops during calls or lagging 
calls. 
Our res halls are currently only at 40-50% capacity if that.

I was curious if anyone else has been seeing any issues with an increase of 
Zoom calls from on campus students.


-- 
Charles Rumford (he/his/him)
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A



RE: [WIRELESS-LAN] [External Email] Re: [WIRELESS-LAN] Transitioning from older controller to new controller

2020-10-09 Thread Jeffrey D. Sessler
The 9800 does have a conversion tool for the AireOS controller configs and does 
most everything but the encrypted stuff.

Even if building from scratch, running the existing config through the tool may 
help in understanding how all the pieces work, including the equivalent 
commands between the two.

When building from scratch, it can be helpful to forget about what you had, and 
treat it as a different vendor product. It’s a rather radical change, but far 
more powerful, and although many will initially ignore the built-in wizards, 
they are pretty powerful.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Dennis Xu
Sent: Friday, October 09, 2020 10:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External Email] Re: [WIRELESS-LAN] Transitioning 
from older controller to new controller

I have completed a 5508 to 9800-L migration recently. I can join and share my 
experience too.

Dennis



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Alan D Wang
Sent: October 9, 2020 1:32 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External Email] Re: [WIRELESS-LAN] Transitioning 
from older controller to new controller

CAUTION: This email originated from outside of the University of Guelph. Do not 
click links or open attachments unless you recognize the sender and know the 
content is safe. If in doubt, forward suspicious emails to 
ith...@uoguelph.ca

I would be interested in this session as well

On Fri, Oct 9, 2020 at 1:26 PM Christina Klam <ck...@ias.edu> wrote:
I want in.

Thank you,

Christina Klam
Network Engineer
Institute for Advanced Study
1 Einstein Dr
Princeton, NJ 08540
(m) +1 609-751-7899
(o) +1 609-734-8154
ck...@ias.edu


From: "Brahim Bouchaiba" <brahim.boucha...@gmail.com>
To: "The EDUCAUSE Wireless Issues Community Group Listserv" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Sent: Friday, October 9, 2020 12:07:12 PM
Subject: Re: [WIRELESS-LAN] Transitioning from older controller to new 
controller

I like to be added also.
Thanks.

On Fri, Oct 9, 2020 at 11:27 AM Jesse Thomas <jtho...@hamilton.edu> wrote:
Same here - we're moving from WiSM2 to 9840.
Thanks,


--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211


On Fri, Oct 9, 2020 at 10:44 AM Slone, Kelly <kelly.sl...@marshall.edu> wrote:
I would also like to be included.

Thank you,

Kelly Slone, B.S., MCP
IT Infrastructure Engineer
Marshall University Information Technology
Drinko Library DL 436
Office:  304-696-6109
Helpdesk:  304-696-3200
slon...@marshall.edu


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, October 9, 2020 at 10:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning from older controller to new 
controller
Sounds like I might need to set up a general session.  I'll catch Don and Abbas 
early next week, but if there's other interest, I'm happy to do a wider 
discussion after a bit of preparation.  I'll send out an invite for signups 
when I'm ready next week.

On Fri, Oct 9, 2020 at 7:27 AM Floyd, Brad <bfl...@mail.smu.edu> wrote:
Mike,
Per our recent conversation about this topic, yes please add me to the invite 
list.
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Mike Atkins
Sent: Friday, October 09, 2020 9:08 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning from older controller to new 
controller


[EXTERNAL SENDER]

I’ve reached out to a few schools individually on this very topic.  Would the 
group want to do a Zoom session on this?

Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Sullivan, Don
Sent: Friday, October 9, 2020 9:01 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Transitioning from older controller to new controller

We are in the process of upgrading our wireless from a Cisco 8510 to a Cisco 
9800-80. I wanted to query those on this list who have already gone through 
this process about any lessons learned that would have been nice to know before 
transitioning your existing AP inventory that is compliant with the new 
hardware. I am building the configuration for the 9800 from scratch and it has 
been a challenge 

RE: Client roaming

2020-10-09 Thread Jeffrey D. Sessler
My personal belief is that even today, technologies like band select just 
compete with the secret sauce on the client side, and are subject to problems.  
Every time I've experimented with it, I turn it back off (cisco and aruba), as 
your success is often short-lived until the next device OS or driver update.

Specific to 8.10, TAC and the BU have recommended the interim 8.10.139.43 until 
8.10 MR4 is out. As such, you may want to take a look at the release notes to 
see if there are any defects registered that relate to the issue.

https://community.cisco.com/t5/wireless-and-mobility/announcing-cisco-wireless-8-10mr4-first-interim-8-10-139-43/td-p/4155055

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mallon, Jason
Sent: Friday, October 09, 2020 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Client roaming

Wondering if anybody else is seeing this.  We currently have devices doing a 
lot of roaming between 5 and 2.4 radios, especially in the dorms.  I would not 
think anything of it normally, but they are moving from a -52 to -58 on the 5 
radio to a -75 or worse on the 2.4 radio.  This doesn't seem to matter what 
SSID they are connected to.  Band select is enabled on all SSIDs.  We are 
running Cisco 8540 WLCs on 8.10.130.  Most of the complaints are coming from 
the dorms, so I am not sure if it is happening on our other controllers with an 
older code level.

Thanks,
Jason Mallon | Network Engineer III
OIT
The University of Alabama
jemal...@ua.edu



RE: [WIRELESS-LAN] Mac wireless issue

2020-10-07 Thread Jeffrey D. Sessler
What channels are the impacted AP’s running on?

A few weeks ago I had a similar issue (Cisco wireless). My Mac laptop would 
attach to our WPA2 network no problem – auth was successful (5 GHz), but would 
never get an IP. If I walked the Mac laptop (running Catalina) into range of 
another AP (also 5GHz), it worked perfectly. Same switch, same AP type, with 
the only difference being the channel the AP was on. I could replicate this in 
another area, where a user reported a similar issue.   I don’t have my notes in 
front of me, but I believe the problematic AP’s were on UNII-3 channels, and 
the ones that were OK, were not.  With COVID, students remote, and work from 
home, I’ve not had time to go back in to the campus and really drill into it.

There had been no reported problems when our campus closed in March, and no 
changes to our wireless deployment since that date.

Jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Barros, Jacob
Sent: Tuesday, October 06, 2020 12:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mac wireless issue

We are seeing oddities with macbooks as well. Our experience is similar both in 
scope and behavior, however, I am a Ruckus customer.  Any Cisco or Meraki users 
with the same issue?






Jacob Barros

Associate Director of IT, Network and Operations /

Information Security Officer | Office of Information Technology

E: barro...@grace.edu | W: 574.372.5100 ext. 6178







On Tue, Oct 6, 2020 at 3:04 PM Stacey Frye <sfry...@manhattan.edu> wrote:
Greetings,

We are seeing a weird issue on our campus and hoping some of you may give us 
some ideas to check on.

Background: We are using Aruba wireless controllers/APs (sadly, no airwave). 
All buildings are using the same VLAN ID for the wireless subnet, but each 
building has their own subnet for wireless. All APs are configured in the same 
AP-group. We have an open wireless network and not using any NAT (public IPs 
are being given out). IPv4 only.

A lot of our Mac users, though not all, when trying to connect to wireless, 
they are able to connect to the AP, but are receiving a "No IP Address" 
message, and therefore cannot access the Internet. Once they leave this 
building and go to any other building on campus, they do not have an issue 
whatsoever.

We have tried to manually configure the IP address, but still the device is 
unable to access the Internet (cannot even ping the GW). After removing the 
Wi-Fi option in Network Preferences and then re-adding, the device is able to 
get an IP from DHCP server, but is still unable to pass any traffic. We have 
tried rebooting the laptop, completely removing wireless network and 
reconnecting, and have tried booting in safe mode. Nothing seems to be working. 
If we connect using an ethernet cable in the same building that we're having 
wifi trouble in, it works with no problem. Config for the wireless subnet in 
the affected building is the exact same as config in all other buildings 
(except the subnet, of course). All buildings are using the same DHCP server.

This seems to only be happening with Macs, not any Windows machines that I am 
aware of, nor do we have any problems with other Apple devices. And like I 
said, some Macs are having the issue, others are not. We only started seeing 
these problems within the last 2-3 weeks. The only difference we made in the 
affected building is giving it a larger subnet over the summer.

We are working with our Aruba SE who is reaching out to TAC for us, but wanted 
to reach out to you guys for any other possible insight or ideas. Thanks in 
advance!

Respectfully,

Stacey Frye
Network Engineer
Office of Information Technology Services (ITS)
Riverdale, NY 10471
Phone: 718-862-7499
sfry...@manhattan.edu
www.manhattan.edu


RE: Cisco 8.10.130.0 eduroam issues

2020-09-23 Thread Jeffrey D. Sessler
You probably want 8.10.139.43, which is fully BU supported and suggested for 
production. This is a link to the release notes; I'd check to see if any of 
these apply. Also, verify your timeouts aren't set too low for the RADIUS 
responses coming from eduroam. I ran into this at Cal Poly in Pomona, where I 
could not interactively log in to eduroam, but I could save my credentials and 
it worked just fine. I suspected a timeout set too low (this was Aruba 
equipment, however). Had an entire group there for a meeting that faced the same 
issues.

https://www.cisco.com/web/software/280926587/153915/Release_Notes_8_10_139_43.pdf

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mathieu Sturm
Sent: Wednesday, September 23, 2020 3:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 8.10.130.0 eduroam issues

Hello,

We updated our Cisco 5520 controllers from 8.5.151.0 to 8.10.130.0. Since the 
update we have issues with eduroam. Before the update the students and other 
users could select the SSID eduroam, fill in the credentials, and they were 
connected.
Now we have to update the NICs (mostly AX200) to the latest version and/or 
update to W10 version 2004. And even then we often have to configure the SSID 
manually and save credentials.

We see that the users get to the ISE and are permitted, but the WLC doesn't 
always see this permit. Or the ISE gives a certificate warning (I've checked 
our certificates, all are valid).

Is anyone experiencing the same thing?

We went to 8.10.130.0 for our new 9120's.

Mathieu Sturm
Senior Officer, Network Management


Directorate of Finance, Infrastructure and IT
Network Management Department
Campus Schoonmeerssen - Building B, Room B0.75
Valentin Vaerwyckweg 1 - 9000 Gent
+32 9 243 35 23
www.hogent.be




RE: [WIRELESS-LAN] Antenna mounting suggestions

2020-08-29 Thread Jeffrey D. Sessler
I'm a fan of ground or near-ground mounting. We use the Cisco outdoor APs, 
and place them in planters and other areas where they disappear into the landscape. 
Occasionally we'll mount them below the cameras on a security pole.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of John Turner
Sent: Friday, August 28, 2020 6:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Antenna mounting suggestions

I did this back in the mid-2000s time frame. I can tell you it was a disaster. 
Mounting APs up high causes issues in faraway places. We would have users on 
the 4th floor connecting to APs mounted on the roof of a building 150' away.

Second, with the trees you are suggesting are there, they will suck up the RF 
quickly.

Do you have any blue lights on the quad? Those are great locations. 
Alternatively, at the ground level, can you penetrate next to a fire standpipe or 
environmental sensor with a patch antenna?

You are going to spend a lot of time and money mounting them on the roof, plus 
the service issues down the road, for limited benefit.



On Fri, Aug 28, 2020 at 5:47 PM Enfield, Chuck <cae...@psu.edu> wrote:

PS: I also recommend bonding the AP and mount to the main conductor for the 
lightning protection system (LPS). Without equalizing the potential, a strike 
may arc from the grounding conductor of the LPS to your wireless gear, which (if 
you're doing it right) will have its own ground. Without bonding you can 
expect very different potentials during a strike, and when that close together 
arcing is likely.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Enfield, Chuck
Sent: Friday, August 28, 2020 5:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Antenna mounting suggestions




The library is an excellent candidate for a non-penetrating roof mount. If you 
google it you'll find many options. Don't get crazy with the size or you'll 
have to have a structural engineer make sure the roof can handle the spot 
loading.

I did the wind load calculations and I think a 100 MPH wind could result in 23 lb 
of lateral load on an AP-375, so there's no need for tons of ballast. Also, 
put a pad of some sort (usually available where you order your mount) between 
the mount and the antenna to protect the roof membrane.



For Building 2, if you're trying to cover that smallish space between the 
buildings I'd definitely recommend wall-mounted panel antennas. Put the AP 
above the ceiling inside, drill a ¾" hole in the wall, and mount an ANT-35 (or 
something similar) flat to the wall outside. If you paint it to blend in with the brick 
it will almost disappear.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Brian Helman
Sent: Friday, August 28, 2020 3:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Antenna mounting suggestions





Hey everyone:



I hope you’re coping with the chaos and enrollment challenges.



So we're rolling out a major wireless upgrade using Aruba gear. A part of this 
rollout is to provide wireless coverage to a few outdoor spaces. One of these 
spaces is a quad flanked by 2 relatively tall buildings (about 6 stories). One 
of those buildings has a flat roof with no knee wall or parapet. The other has 
a parapet that has glass on the outside. Both are rubber-membrane roofs, so 
mechanical attachment isn't going to fly. The building with the parapet only 
has about a 6' clearance between the wall and solar panels, so I only have 
about 2' to work with.



Building 1:
- Flat roof
- Rubber membrane
- Roof has a minimal lip before you drop 6 stories
- Has a penthouse that is recessed from the side of the building that I can put 
  electronics on/in

Building 2:
- Library
- Flat roof
- Rubber membrane
- ~40" knee wall/parapet
- Rubber membrane goes almost to top of knee wall, then is capped with lead and a 
  lightning ground
- Outside of wall is glass



Our basic philosophy here is to separate the access points and antennas (i.e. use 
external antennas). We can't attach anything to the face of the Library 
(Building 2) because of the glass, and I don't really want to have to maintain 
electronics over the edge of a building anyway. So, how are people installing 
antennas on roofs pointed down to cover quads 60+' below? I'll figure out where 
to put the APs and dress in the cables.



Mounting at ground-level isn’t going to work.  There is too much sidewalk and 
landscaping that would have to be disrupted.  It’d be a budget-buster.



Again, physically attaching anything isn’t going to be acceptable and in 
Building 2’s (Library) case, a large weighted sled will encroach on the service 
area for the solar panels.  There 

RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Jeffrey D. Sessler
MFA is commonplace at the cohorts I interface with, and was driven by a mix of 
the financial aid security requirements (GLBA) finally being enforced (Dear 
Colleague Letter in 2014), and Internet2 Net+ collaborations starting with DUO 
in 2012. If you're an organization with everything behind SSO, then MFA is a 
pretty simple add. If your organization has an Office 365 tenant, MFA comes along 
for free, as does their federation service. Other than apathy, the barrier to 
adoption is pretty low.

That said, when we talk about risk, you don't necessarily have to mitigate 
everything to be successful, i.e. every resource behind MFA. You simply need 
enough of the primary services enabled where a bad actor simply moves on to an 
easier target. If the Employee HR portal (where direct deposit info can be 
changed) and email are behind SSO + MFA with other primary apps, your risk 
becomes significantly smaller.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Wednesday, August 19, 2020 2:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?

I was saying there are very few organizations that truly have every resource, 
where the primary password is used, enabled for MFA.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Scott Bertilson 
<01d368c4bbc6-dmarc-requ...@listserv.educause.edu>
Sent: Wednesday, August 19, 2020 4:45:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?

Tim commented:
...I highly doubt a majority of organizations have every single non-Wi-Fi 
resource protected with strong MFA at this point in time.

In our case, we use PEAP and use the same PW for WiFi as for everything else, 
but most of everything else (and growing) requires MFA.  I hope that's what he 
meant or else I'm missing something about how you make MFA work for WiFi in any 
large installation.



RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Jeffrey D. Sessler
For a student population that will only be with the institution for 4 years, 
and then spend the next 60 years using WiFi options with lower barriers and 
potentially a little more risk, are EDU’s getting it wrong? Are we too focused 
on something with low risk while ignoring other higher risk issues? At the 
point one needs complicated provisioning tools, your userbase sees only 
barriers, and then wonders why the other 99% of places they frequent don’t 
require such inconveniences.

The key is a _realistic_ risk assessment. There are plenty of examples outside 
of technology, e.g. the lock on your doors, where it's a given there are no 
silver bullets and we choose based on risk vs cost. Do you spend thousands of 
dollars to put Bowley locks on your doors, or accept that in most situations 
the $20 Kwikset locks are good enough? As a bad actor, why would I spend time 
trying to compromise a WiFi network, when it's far easier to send your 
organization phishing emails? Phishing can be done remotely and exploits the 
greatest weakness (humans). A successful phish/compromise and I'm well past the 
front door, the expensive locks, and enjoying a beer from your refrigerator.

According to my eduroam guest reports, PEAP still dominates everything else at 
89.7% vs 8.3% for EAP-TLS and 1.97% for EAP-TTLS. I don't know that I'd call 
that legacy, and while it does have weaknesses, how would one compare it to an 
institution that may not have the best security controls around their 
provisioning tools? A compromise of one's provisioning tool, say because of 
admins using weak passwords and/or no MFA, may present a higher security risk 
than the use of PEAP.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Wednesday, August 19, 2020 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?

My old colleagues likely won’t be happy with me saying this, but given the 
industry changes, I think you should collectively pressure NAC vendors to make 
device provisioning part of the core product without the need for additional 
licensing (at least for EDU).




From: Tim Tyler
Sent: Wednesday, August 19, 2020 12:39
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?

Yes, I always find this conversation to be interesting. There are many 
institutions that can't afford an on-boarding solution. Hence, the certs 
usually get ignored since most configurations are manual or semi-automatic. 
And my thought is that MAC address registration would eliminate the 
vulnerability of users' credentials via network authentication. So this is 
something I keep thinking might be better than 802.1X if certs are going to get 
ignored anyway.
But the recent conversation on MAC addresses potentially becoming dynamic 
will make me strongly hesitate on this thought.
Tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Tim Cappalli
Sent: Wednesday, August 19, 2020 11:27 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?

Correct, some versions of operating systems do not support a self-signed EAP 
server certificate.

It is also just a bad idea, as you can't renew it without re-onboarding devices. 
If you use at least 1 issuer, you can cycle the certificate without updating 
clients.

PEAP (and EAP-TTLS) should never be used on unmanaged devices unless a security 
assessment has been done and it's been determined that credential exposure is an 
acceptable risk to the organization.

I feel like this conversation surfaces multiple times per year. So here's the 
summary:

If able, EAP-TLS should be used for all user-centric device network access. 
This then implies an organizationally controlled PKI is used to issue the EAP 
server certificate.

If EAP-TLS is not feasible and a legacy, known vulnerable EAP method like PEAP 
is going to be used, it is highly recommended that a supplicant provisioning 
wizard be used. This would also use an organizationally controlled PKI for the 
EAP server certificate. Your information security team should determine whether 
credential exposure is an acceptable risk for the organization.

If EAP-TTLS/PAP or EAP-TTLS/MSCHAPv2 are used, a supplicant provisioning wizard 
is required for Apple operating systems. This would also use an 
organizationally controlled PKI for the EAP server certificate. Your 
information security team should determine whether credential exposure is an 
acceptable risk for the organization.

If you decide to use an EAP server certificate from a public CA, expect 
problems 

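As an added illustration of the choices in the summary above (not from the original message, and not any vendor's documentation), here are wpa_supplicant network blocks showing a PEAP profile that does not validate the server, the same profile pinned to an organizational CA and server name, and an EAP-TLS profile; the SSID, realm, server name, file paths and secrets are constructed placeholders.

```conf
# Added example, not from the original thread. wpa_supplicant.conf network
# blocks; SSID, realm, server name, paths and secrets are placeholders.

# WEAK: PEAP/MSCHAPv2 with no ca_cert and no domain_suffix_match. The
# supplicant will build the outer TLS tunnel to whatever RADIUS server
# answers, regardless of the certificate it presents, so the user's
# password-derived MSCHAPv2 exchange is exposed. This is the "credential
# exposure" the summary warns about on unmanaged devices.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# BETTER (if PEAP must stay): pin the organization's own CA and the RADIUS
# server's name. Renewing the server certificate under the same issuer and
# name needs no client re-provisioning, which is the point of "at least
# 1 issuer" rather than a self-signed certificate. anonymous_identity keeps
# the real username out of the cleartext outer EAP identity.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-eap-ca.pem"
    domain_suffix_match="radius.example.edu"
}

# PREFERRED: EAP-TLS with a client certificate issued by the organizational
# PKI. No password crosses the network at all; the server certificate is
# still validated against the org CA and the expected name.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    ca_cert="/etc/ssl/certs/example-edu-eap-ca.pem"
    domain_suffix_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/certs/user.crt"
    private_key="/etc/wpa_supplicant/certs/user.key"
    private_key_passwd="REPLACE-ME"
}
```

A provisioning wizard, as recommended above, is what gets the second or third block onto an unmanaged device correctly; a user typing the first block by hand is the case the summary is warning about.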
RE: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Jeffrey D. Sessler
I’m not trying to get out of a business, but Internet2 could eventually get out 
of the radius/eduroam business. Unless I’m mistaken, at the point an 
institution federates directly with openroaming, the need for eduroam 
diminishes. Obviously it’s going to take time, but if there is a push to adopt 
openroaming in EDU, then in say five years, does eduroam have a future?

On the identity front… As we march toward a cloud-based future, and our WiFi 
networks transformed into simple gateways to the internet, how much information 
do we need/want? How much information should we collect? After all, if the 
service is no different than at Starbucks, what does the collection of more 
information do for us?

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Monday, August 17, 2020 9:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

What business are you trying to get out of specifically? OpenRoaming is a way 
for federations of organizations and/or individual organizations to 
interconnect. Eduroam would start to mean “less” to end users, as they wouldn’t 
see an “eduroam” ESSID anymore, but there is still value in a trust framework 
for educational organizations, especially when it comes to identity.

If you decide not to provision users with your university identity, you will 
likely have no access to that user's real identity. I imagine you still want 
access to identity for your own users and devices?

At its core, OR is simply a few extra elements in the profile that gets put on 
the device provisioning. OR itself, also does not provide client provisioning. 
You still need to do that, or pay for a service that will do it.

I think, personally, that there is a major lack of understanding throughout the 
industry of what OR actually is.

tim

From: Jeffrey D. Sessler<mailto:j...@scrippscollege.edu>
Sent: Monday, August 17, 2020 11:56
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

Why not the other way around, and standardize on OpenRoaming, and have 
everything else become a member of it? Do we still need eduroam at that point? 
Do we care if the client device is using their ATT, Spectrum, or college 
credentials?

I’m reminded that in EDU we often fix problems nobody cared much about at the 
time e.g. eduroam, but as the world matures, and there are perhaps better 
alternatives, why not get out of the business?  There are costs to operate 
eduroam, and if it’s no longer strategic or different from other services e.g. 
OpenRoaming, why not put those resources into something that is strategic and a 
differentiator?  Why wouldn’t Internet2 and its members focus on adoption of 
OpenRoaming rather than a new and possibly duplicative service like anyroam?

Jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Philippe Hanset
Sent: Sunday, August 16, 2020 7:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

At least for the US, we plan to have an Open-Roaming gateway at ANYROAM.
We became a member of the WBA for that purpose back in May 2020.

The idea is to simplify connectivity for schools: you have one connection with 
ANYROAM, and all your roaming traffic is sorted by us (Open-Roaming, eduroam, 
Govroam, …). No need to turn your school's RADIUS server into a complex gateway.

We are working on a document that we will post at anyroam.net in a few weeks.

Thanks,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770




On Aug 16, 2020, at 9:19 PM, Phill Solomon 
<0150915d379b-dmarc-requ...@listserv.educause.edu> wrote:

Hello all,

One of the items on the radar for us is OpenRoaming, is there anyone connected, 
or looking into connecting?

And if you are connected, are you using it as an extension for students / staff 
or just for visitors?

Thanks in advance,

Kind regards,

Phill Solomon
Senior Network Engineer
IS - AV & Networks
ICT Infrastructure Services, eSolutions
Planned Leave: NA



Deakin University
301 Burwood Highway, Burwood
VIC 3125, Austra

RE: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Jeffrey D. Sessler
Why not the other way around, and standardize on OpenRoaming, and have 
everything else become a member of it? Do we still need eduroam at that point? 
Do we care if the client device is using their ATT, Spectrum, or college 
credentials?

I’m reminded that in EDU we often fix problems nobody cared much about at the 
time e.g. eduroam, but as the world matures, and there are perhaps better 
alternatives, why not get out of the business?  There are costs to operate 
eduroam, and if it’s no longer strategic or different from other services e.g. 
OpenRoaming, why not put those resources into something that is strategic and a 
differentiator?  Why wouldn’t Internet2 and its members focus on adoption of 
OpenRoaming rather than a new and possibly duplicative service like anyroam?

Jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Philippe Hanset
Sent: Sunday, August 16, 2020 7:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

At least for the US, we plan to have an Open-Roaming gateway at ANYROAM.
We became a member of the WBA for that purpose back in May 2020.

The idea is to simplify connectivity for schools: you have one connection with 
ANYROAM, and all your roaming traffic is sorted by us (Open-Roaming, eduroam, 
Govroam, …). No need to turn your school's RADIUS server into a complex gateway.

We are working on a document that we will post at 
anyroam.net in a few weeks.

Thanks,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






On Aug 16, 2020, at 9:19 PM, Phill Solomon 
<0150915d379b-dmarc-requ...@listserv.educause.edu> wrote:

Hello all,

One of the items on the radar for us is OpenRoaming, is there anyone connected, 
or looking into connecting?

And if you are connected, are you using it as an extension for students / staff 
or just for visitors?

Thanks in advance,

Kind regards,

Phill Solomon
Senior Network Engineer
IS - AV & Networks
ICT Infrastructure Services, eSolutions
Planned Leave: NA



Deakin University
301 Burwood Highway, Burwood
VIC 3125, Australia.
• Phone: +61 3 924 46069 
• E-mail: 
phill.solo...@deakin.edu.au

Deakin University CRICOS Provider Code 00113B

Important Notice: The contents of this email are intended solely for the named 
addressee and are confidential; any unauthorised use, reproduction or storage 
of the contents is expressly prohibited. If you have received this email in 
error, please delete it and any attachments immediately and advise the sender 
by return email or telephone.
Deakin University does not warrant that this email and any attachments are 
error or virus free.




Re: MAC Randomization, a step further...

2020-07-20 Thread Jeffrey D. Sessler
As higher ed transitions more and more to SaaS/IaaS services, and we are running 
fewer services on-premise, WiFi is nothing more than a commodity gateway to 
the Internet. Why not make it easier on everyone and move to less obtrusive 
ways to get folks connected?

Passpoint, or rather OpenRoaming, looks to be the direction everyone is heading 
in. The bigger question is whether one wants to be an identity provider, or let 
users gain access via their mobile, ISP, cable, or other providers.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 2:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Passpoint solves all of these issues.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 17:14
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

For guests, I've been tossing around the idea of an open network. No 
.1x, no PSK, no captive portal. Affiliates would be encouraged to use 
eduroam via SSO nag. Columbia University had a presentation on how they 
are doing the open network side of this. I suspect the most difficult 
part will be getting legal on board. Who has an open network? What have 
your experiences been? This is only tangentially related, so feel free 
to split it into a new thread.

We run an open network for guests.  It has been wonderful for guests and they 
all like it.

The major problem has been student, faculty, and staff devices connecting to the guest 
network (usually unbeknownst to the user). Restrictions on that network then 
cause support calls. Google decided the network was "good" and so Android 
devices connect by default (then VPN tunnel back to Google). We don't want to 
block that due to guests.

But maybe there will be a new problem. When devices have been found infected 
on any of our networks we've quarantined by MAC address. Hmmm… so for our 
users we can quarantine by their user name (much less helpful to take all their 
devices offline instead of just the one infected, but hey, this is progress, right?). 
I don't know what we do with infected guest devices (or as our users' device 
decides to move to the guest network because they were blocked on the main 
network) if they are randomizing between connections. Vendors haven't thought 
this through. That may push a registration method with credentials for guests, 
meaning less privacy?


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu
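An added example (not code from the list or from any poster) of the quarantine problem described above: it reads constructed association log lines, flags MAC addresses that carry the locally-administered (U/L) bit that OS MAC randomization sets, and chooses a user-name key for authenticated devices and a MAC key (marked unreliable when randomized) for guest devices. The log format, SSID names and sample addresses are all constructed for the example.

```python
"""Added example (not from the list thread): check whether a MAC-keyed
quarantine can be expected to hold, and pick a quarantine key.

Randomized MACs are locally administered, so the U/L bit (0x02 in the
first octet) is set.  A quarantine keyed on such a MAC may stop matching
at the device's next association, whereas an authenticated user can be
quarantined by user name, which survives MAC rotation.
"""
from dataclasses import dataclass
import re
from typing import List, Optional

# Constructed log format for this example (not any vendor's real syntax):
#   <timestamp> <event> mac=<mac> ssid=<ssid> user=<name or ->
LOG_RE = re.compile(r"^(\S+) (assoc|deauth) mac=(\S+) ssid=(\S+) user=(\S+)$")

# Constructed sample lines: two eduroam (authenticated) and two Guest (open).
SAMPLE_LOG = """\
2020-07-20T17:02:11 assoc mac=3c:22:fb:10:20:30 ssid=eduroam user=wgreen
2020-07-20T17:03:45 assoc mac=da:1b:2c:3d:4e:5f ssid=Guest user=-
2020-07-20T17:05:02 assoc mac=a4:83:e7:aa:bb:cc ssid=Guest user=-
2020-07-20T17:06:30 assoc mac=06:99:88:77:66:55 ssid=eduroam user=jdoe
2020-07-20T17:07:12 deauth mac=da:1b:2c:3d:4e:5f ssid=Guest user=-
"""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or Cisco aabb.ccdd.eeff;
    return the lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2].lower() for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set: the address was not burned in by the
    NIC vendor, which is what OS MAC randomization produces."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass
class Association:
    mac: str
    ssid: str
    username: Optional[str]  # None on the open guest SSID


def parse_associations(log_text: str) -> List[Association]:
    """Return the association events; deauth and unparseable lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group(2) != "assoc":
            continue
        _, _, mac, ssid, user = m.groups()
        out.append(Association(normalize_mac(mac), ssid, None if user == "-" else user))
    return out


def quarantine_plan(assoc: Association) -> dict:
    """Pick the quarantine key for an infected device and say how reliable it is."""
    mac = normalize_mac(assoc.mac)
    if assoc.username:
        # Identity is known (802.1X): key on the user.  Survives MAC rotation,
        # at the cost of taking all of that user's devices offline.
        return {"key": "user", "value": assoc.username, "reliable": True,
                "scope": "all of this user's devices"}
    if not is_locally_administered(mac):
        # Burned-in address on an open SSID: a MAC rule will keep matching.
        return {"key": "mac", "value": mac, "reliable": True,
                "scope": "this device only"}
    # Randomized address on an open SSID: the rule may stop matching next time.
    return {"key": "mac", "value": mac, "reliable": False,
            "scope": "this device until its MAC rotates"}


def guest_randomized_share(log_text: str, guest_ssid: str = "Guest"):
    """(randomized, total) associations on the guest SSID, i.e. how many guest
    devices a MAC-keyed quarantine cannot reliably pin down."""
    guests = [a for a in parse_associations(log_text) if a.ssid == guest_ssid]
    return sum(is_locally_administered(a.mac) for a in guests), len(guests)


if __name__ == "__main__":
    for a in parse_associations(SAMPLE_LOG):
        print(a.mac, a.ssid, quarantine_plan(a))
    print("guest randomized/total:", guest_randomized_share(SAMPLE_LOG))
```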


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



RE: [WIRELESS-LAN] Icing ISE 2.1 but where to jump

2020-07-17 Thread Jeffrey D. Sessler
I don't know Lee, within our consortium of 5 undergrad and 2 grad universities, 
all running AireOS-based WLCs, the reliability has been exceptional.  My last 
show-stopper (WLC crash) was way back in 5.x days.  Sure, there have been AP 
radio code challenges, but most of those were wayward client devices that had 
to have their behavior dealt with at the AP radio code level.

This is purely my experience, but when I ran into those AP<->client radio 
issues with my first customer ship 3800's, the Cisco wireless BU worked 
directly with us on resolution, with rapid radio code updates to work around 
the client challenges.  I couldn't ask for a better relationship with a vendor.

It surprises me that any vendor's WiFi in EDU's work reliably given the myriad 
of client devices, OS versions, and chipsets we deal with. It was certainly the 
case when my consortium had Aruba too, that the grass wasn't greener... they 
had their gopher problems, and Cisco had prairie dogs.

I do think the future is in SaaS/IaaS, where the vendor has much better 
visibility on its installed base, and can capture assurance data to help with 
rapid code improvement. The reality is, most customers aren't sophisticated 
enough, or have the teams in place, to diagnose WiFi issues, but a vendor with 
insight into their installed-base deployment would.

All my best,
Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Friday, July 17, 2020 8:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Icing ISE 2.1 but where to jump

Agreed. I'd go so far as to say that I have never seen or heard of a buggier 
product set than the AireOS WLCs. I can't imagine Airespace would have survived 
over time had Cisco not bought them to get into the thin AP paradigm given the 
chronic code issues.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Gray, Sean
Sent: Friday, July 17, 2020 10:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Icing ISE 2.1 but where to jump

Hopefully that means we are moving back to functionality over features for a 
few patches. That's certainly not been the case for newer WLC code trains.

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jake Snyder
Sent: July 16, 2020 3:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Icing ISE 2.1 but where to jump

Typically I've monitored the release cycle on patches to determine how "bad" 
things were.

In the olden days, Cisco would release a patch when a fixed number of serious 
issues were resolved.  You could then track how many serious bugs were being 
fixed by the interval between patches.  Quicker patches mean more issues with 
a higher severity.  If the intervals between patches went down, things were 
starting to stabilize.  So if you saw a patch two months in a row, it might be 
a "let's wait for the next one."

Not sure that will hold true, now that Cisco is saying that "all" releases will 
be stable-train moving forward for ISE.  I see it's been a while from 2.7 to 
2.7p1.  That could be a good sign.  Typically I would wait 2 months before 
upgrading to make sure there weren't repeated patches.  You see this even with 
some long-lived trains that have patches 8,9,10,11 all very close together.


On Jul 16, 2020, at 2:02 PM, Ciesinski, Nick <ciesi...@uww.edu> wrote:

ISE 2.7 is a stable release. Cisco released very few new features and instead 
focused a lot on bug fixes in 2.6 and 2.7.



RE: Cisco pre-DNA Spaces Location Service, Contact Tracing

2020-05-28 Thread Jeffrey D. Sessler
Lee,

Even without location services, one can get association data for a device and 
use that for rudimentary contact tracing.  I used it over the summer for a 
possible COVID case, and it was helpful in determining where the person was 
not. That is, it's not accurate enough to exclude people from the local area, 
but if the devices weren’t seen in other buildings, that was helpful.  I don't 
know that it would scale come students returning, and we're going to need 
something like Spaces to help.  Spaces looked very expensive however. 

We make use of an emergency notification product called Everbridge, and they 
are pitching a contact tracing support add-on to their mobile app where they 
bridge data from WiFi associations, door swipe, meal cards, and so on, all in 
an effort to provide more accurate information on a device/person.  Of course, 
that raises privacy concerns, so I'm still hopeful we'll see something 
compelling come from the Apple/Google partnership where we aren't holding onto 
data that must be protected and managed.

Jeff

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Wednesday, May 27, 2020 10:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco pre-DNA Spaces Location Service, Contact Tracing

I hope everyone on the list is doing well.

We are getting multiple vendor pitches these days for contact tracing 
“solutions”. From Cisco, our main network vendor, their pitch relies on DNA 
Spaces. We don’t use that yet, and it’s no secret what is happening to many of 
our budgets.

My question is specifically for Cisco legacy location services users. Are you 
all doing anything specific in anticipation of possibly needing to provide 
Wi-Fi location data for contact tracing? Are you being specifically asked about 
it by your management?

I haven’t decided yet whether the vendors are being generally altruistic or 
opportunistic on this topic.

Regards,

Lee Badman (mobile)



RE: Wireless location data for contact tracing

2020-05-15 Thread Jeffrey D. Sessler
It's pretty trivial today to look at a device/person's association data and 
reconstruct where they've been.  I suspect we all use this data from time to 
time to diagnose a user-reported problem, and someone could theoretically use 
it for something more intrusive. It's a policy and procedure issue rather than 
technical, and policy decisions about privacy are rarely something we are 
responsible for setting. I'd focus on the technical challenges and leave the 
privacy policy piece to your college leadership to decide.

We're looking at Cisco's "DNA Spaces" as one option for contact tracing and 
occupancy forecasting, but I think the better approach will be in the 
short-distance contact tracing the likes of Apple and Google are working on.  
Unless your WiFi network is designed around location awareness, the accuracy is 
likely to be too poor to get meaningful correlations.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of McGuire, Michael
Sent: Friday, May 15, 2020 9:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless location data for contact tracing

As I'm sure everyone else is doing, we're working on plans for having our 
campus community rejoin us at some point. The question of "how far back do you 
keep wireless logs" was just asked which of course leads to "we want to see 
where a person has been on a given day".

This of course has privacy issues along with the technical challenges of 
storing and accessing that data.

Has anyone else been asked to look into this or begun to make preparations for 
such?

Being an Aruba shop we already leverage AirWave reports for our campus police 
when tracing lost or stolen devices as well as where a user has been or devices 
in an area at a specific time.

This request seems to be a larger scale with potentially more moving parts.


- Michael

Michael McGuire
Network Systems Administrator
Monmouth University
mmcgu...@monmouth.edu
732.263.5589
400 Cedar Avenue
West Long Branch, NJ 07764
monmouth.edu






Re: [EXTERNAL] [WIRELESS-LAN] Pod-style Residence Halls

2020-02-25 Thread Jeffrey D. Sessler
All of our new residential halls are wireless only, and as we remodel our 
historic residential halls, we’re pulling the network copper from the room 
plates into the ceiling to support the addition of a ceiling-mounted AP.

Our density is every other room by default/minimum, so it’s very dense 
coverage, and we have had no requests for a wired connection in those renovated 
spaces.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Tuesday, February 25, 2020 at 11:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Pod-style Residence Halls
Chintan,
All of our older dorms are currently wired, and are both pod-style and 
apartment.  These all have wires in them.  The newer dorms, all of which have 
been pod-style, are wireless only.  For new construction we are using ceiling 
mount APs like the 1815i or 2802.  In the older dorms that we have to upgrade, 
we will be using the hospitality units (1815w).  We have them deployed in a 
couple of dorms now and the coverage has been great.  We are also removing the 
hard lines in the older dorms and going to wireless only.

Thanks,
Jason Mallon | Network Engineer III

OIT
The University of Alabama  jemal...@ua.edu


On 2/25/20, 10:46 AM, "The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Chintan Patel"  wrote:

Morning,

We are in the process of building new residence halls (3 buildings) with 
pod-style rooms. The pod-style concept is new to us and I wanted some feedback 
from anyone who currently has these living spaces. I will be leading the 
Network and Wireless planning for the residence halls.

Below are a couple of my questions:

1. In pod-style rooms, are you providing hard-wired data?
2. Wireless planning: any issues and/or challenges in wireless coverage? 
We currently use Aruba. Are you using "H" style hospitality WAPs?

If you have any additional feedback and/or are willing to share the good, 
bad, etc., please send me an email.

Thanks,

Chintan Patel
Network/Systems Team
Colorado State University - Housing and Dining Services
Ph:970-491-1041





Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-10 Thread Jeffrey D. Sessler
I try to remind myself that EDU’s (Higher ed in particular) are outliers. We 
want to buy the cutting-edge WiFi technology, but at the same time, we have the 
most diverse of environments that will absolutely cause every lurking bug or 
compatibility issue to come out of the shadows.

While it would be nice, vendors will never stop releasing technology before 
it’s time. You can’t have one vendor release pre 11ax and not expect others to 
respond. It’s the nature of the beast.  I have a Nighthawk rax120 11ax AP at 
home (Qualcomm chipset), and it was only in the last few weeks that they 
released updated radio code from Qualcomm to make it usable with most legacy 
devices.

Keep in mind that those initial enterprise 11ax AP’s are built using “off the 
shelf” chipsets, be it Broadcom, Qualcomm, Quantenna, or Marvell,  and every AP 
vendor is at the mercy of those chipset vendors for radio-code updates. Be it 
Cisco, Aruba, or other, if there is a radio bug, they are in the queue waiting 
for those fixes. Using Cisco as an example, the 9115 and 9117 use “off the 
shelf” chipsets – I believe Broadcom in one, and Qualcomm in the other. It’s 
when you get to Cisco’s 9120 and 9130 that you get custom chipsets with Cisco 
having the ability to fix radio code without waiting on a chipset vendor. Those 
AP’s are more expensive, but fixes should presumably be faster.

Two other rubs with 11ax.

  *   The newly announced “E” variant with access to the 6 GHz space and the 14 
additional 80 MHz channels. All of those pre-11ax AP’s are probably obsolete, 
and we’ll have 11ax clients that can’t access those channels, making use of 
them challenging despite the obvious benefit.
  *   Pre-11ax AP’s based on Qualcomm chipsets will never be WiFi 6 
certified because the chipset can’t do OFDMA on the uplink.

Jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, January 10, 2020 at 9:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?
> "To me, 11ax APs shouldn't even be on the Enterprise market yet."

I 100% agree with that sentiment.

At the same time, I can imagine the response an Aruba or Cisco would get for 
waiting to offer those access points. Even offering the AP alongside official 
guidance to disable the feature would leave them in a bad place.

The problem is our network teams are now the ones left holding the potato.


Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu
Please contact helpd...@york.edu for technical 
assistance.

The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society


On Fri, Jan 10, 2020 at 10:16 AM Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
 wrote:
Hi Norman,

To me, 11ax APs shouldn't even be on the Enterprise market yet. I know that 
doesn't touch your question, and we all have our own "you do what you gotta do" 
realities.

Thanks for reading through that long post.

-Lee

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Norman Elton
Sent: Friday, January 10, 2020 10:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

I agree with 100% of that. But here's a question ...

>> I absolutely will not sacrifice an otherwise sound WLAN by tweaking
>> configs or code upgrading for some small minority of poorly designed
>> or suddenly misbehaving clients that can be fixed from the client
>> side

What about Intel's AX driver bugs? I absolutely hate the idea of disabling AX 
to support a few clients. But how many people are telling their helpdesk to 
upgrade drivers on whatever BYOD laptop shows up?
What about a conference with 200 laptops that suddenly finds that half are 
unsupported?

But, once it's disabled, will we ever re-enable AX? It's easy to say that we'll 
disable it "short term", but we know those drivers won't magically update 
themselves. We could be looking at crippling our wireless indefinitely :-/.

Our current AX test environment has it turned off on the 2.4 radio, so that at 
least those users can connect someplace. Leave 5 GHz for those that can support 
AX. I don't like the compromise, but the alternative ("hey we're trying out a 
brand new wireless 

Re: Who has transitioned away from Aruba, and why?

2020-01-09 Thread Jeffrey D. Sessler
Our consortium had both Cisco and Aruba, and about 12-18 months ago the Aruba 
folks tossed in the towel and went Cisco. Various unresolvable problems with 
Aruba AP’s, including one that required a weekly reboot of a particular model.

As Lee mentions, the grass isn’t always greener, so expect that you’re going to 
run into issues with any vendor. As such, it’s going to come down to 
support/resolution and your relationship with the vendor.  Startups are great 
as they have a single product with a single code-train, so they tend to be 
pretty responsive at the start. Once they have a few years under their belt, 
and their code base starts to fragment, you’ll get to the same point you have 
with the big incumbents i.e. too many code bases to support effectively.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, January 9, 2020 at 8:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?
All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with a vendor has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll, as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running the 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go away 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that due to issues we’ve seen in ResNet on 
the 8.3X train we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I’m not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices….  
Something from Cisco (we had Cisco long ago and dumped them for bugs), 
something from Extreme (we are a huge Extreme shop so this makes sense), 
something from Juniper (Mist).

Thanks,
Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu




Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Jeffrey D. Sessler
Minimal DC footprint, mostly security related.  Almost all of our services are 
now SaaS, so with the exception of security-related items and DHCP, there isn’t 
anything else left.

I was concerned with RTT, but our primary Azure DC is about 30ms roundtrip.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Turner, Ryan H" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Wednesday, September 25, 2019 at 11:43 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

I know that most times RTT between campus and cloud is low, but I just think 
it's something to be fearful of when authentication times matter.  You really 
are going to have no data center footprint to host local services?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Wednesday, September 25, 2019 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

Curious if anyone has moved their RADIUS to authenticating against Azure AD, and 
if so, what path did you take? There doesn’t seem to be a clear MS solution 
other than standing up domain services for Azure AD and running an NPS VM, and 
I’ve also found a couple of RaaS (RADIUS as a service) offerings such as 
Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most 
operations, and RADIUS has been one of those important but low-hanging items 
that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College



Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Jeffrey D. Sessler
Curious if anyone has moved their RADIUS to authenticating against Azure AD, and 
if so, what path did you take? There doesn’t seem to be a clear MS solution 
other than standing up domain services for Azure AD and running an NPS VM, and 
I’ve also found a couple of RaaS (RADIUS as a service) offerings such as 
Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most 
operations, and RADIUS has been one of those important but low-hanging items 
that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College



Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Jeffrey D. Sessler
that are specifically 
permitted. That’s enforced on the firewalls between campus and the DMZ.
We do see quite a lot of students on that SSID permanently. As a huge amount of 
our student applications are either cloud hosted or available on the public 
Internet, that works just fine for them. We’d prefer them on eduroam, but user 
experience trumps our preferences. The only real problem is devices such as 
Sonos sound bars, Google appliances, and other devices that will only support 
PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll 
care about where devices are. At that point it seems not just more user 
friendly but easier for IT overall to just throw reasonable security in front 
of web apps that the student and faculty population need to access, and let 
them sit on the SSID that’s easier to get on to. Administrative machines under 
central control would probably be kept on properly authenticated networks, but 
those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,

Felix Windt
Dartmouth College

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Rumford, Charles" 
<charl...@isc.upenn.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, September 12, 2019 at 2:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I agree that complicated onboarding is the worst from the end user perspective 
and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. 
The biggest hurdle I ran into with it was the randomization of MAC addresses 
for devices. I've been told Android 10 has it on by default, and I know that 
Windows supports it also. I could only see issues from a support perspective 
coming down the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)

From: "Enfield, Chuck" <cae...@psu.edu>
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Thursday, September 12, 2019 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike 
any other wireless experience an individual will encounter in their life i.e. 
any other wifi-enabled location/venue.
With the growing trend of EDUs moving to SaaS and other Cloud solutions, 
wireless will be nothing but a gateway to those external services. When it’s 
easier to consume those services via one’s own unlimited-data cellular 
connection, or go to Starbucks, it may be time for us (EDU’s) to reevaluate our 
approach.

Besides a purely open network, the next-best (same?) experience to home would 
be something like PPSK or for the Cisco folks IPSK. You get something slightly 
better than an open network, but it’s PSK and all of those wonderful IoT 
devices just work. My crystal ball wish is to have that PPSK/IPSK solution then 
group that user’s devices into a private virtual home network, providing 
something that approaches their home experience.

Jeff

From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Kurtis Olsen mailto:kurtis.ol...@uvu.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Thursday, September 12, 2019 at 9:27 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated o

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Jeffrey D. Sessler
I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike 
any other wireless experience an individual will encounter in their life, i.e. 
any other wifi-enabled location/venue.
With the growing trend of EDUs moving to SaaS and other Cloud solutions, 
wireless will be nothing but a gateway to those external services. When it’s 
easier to consume those services via one’s own unlimited-data cellular 
connection, or go to Starbucks, it may be time for us (EDUs) to reevaluate our 
approach.

Besides a purely open network, the next-best (same?) experience to home would 
be something like PPSK or, for the Cisco folks, IPSK. You get something slightly 
better than an open network, but it’s PSK and all of those wonderful IoT 
devices just work. My crystal ball wish is to have that PPSK/IPSK solution then 
group that user’s devices into a private virtual home network, providing 
something that approaches their home experience.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Kurtis Olsen
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, September 12, 2019 at 9:27 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding 
process and have been asked to look at providing an Open SSID that has little 
to no onboarding. I see an advantage being the ease of connecting, but I have 
some concerns, mainly about providing a secure environment.
Our current onboarding process works like this. Users connect to our 
Wolverine-WIFI SSID. They then authenticate through our NAC solution, which 
forces laptops to download a client. This client scans their device for 
antivirus and OS updates. If it fails the scan, they have access to get these 
updates. Once it passes, they are moved to our wireless production VLAN. There 
are no clients or scans for cellular devices at this time. Users then have the 
option to join our Wolverine-Secure, which authenticates by cert using 
SecureW2’s services.

I am curious if anyone else is using a completely open network for their 
general population or any other suggestions of how this can be simplified.

Kurtis Olsen
Director – Network & Telecom
Utah Valley University
800 W University Parkway
Orem, UT 84058
801-863-8000



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



Re: [WIRELESS-LAN] Wireless Only in Student Housing?

2018-08-24 Thread Jeffrey D. Sessler
Dan,

We were one of the first colleges nationally to provide wired “gigabit to the 
pillow” in all of our residential halls. Today, those residential halls are 
WiFi-only and we’ve abandoned the wired, going as far as to remove the copper 
when doing renovations.

Done well, with dense coverage in-room as well as in hallways, common spaces, 
etc., there are only outlier cases where a wired port would be desirable.

I knew wired networking in residential halls was at an end when a number of our 
first-years asked, “What’s an Ethernet cable?” They’ve spent their 
Internet-connected life on wireless devices, so the term and concept are now 
foreign.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Daniel Wurst
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, August 24, 2018 at 11:11 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Wireless Only in Student Housing?

Hi All,

We are looking into building a new student housing building and are considering 
going Wifi only for network connectivity. We were wondering if anyone else has 
gone the route of only allowing network connectivity via wireless. If so, can 
you share your experience, lessons learned, and advice?

Thank you,

Dan
--
Daniel Wurst
Network Engineer
Denison University
wur...@denison.edu
740-587-6229




Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID

2018-08-24 Thread Jeffrey D. Sessler
It’s important to separate marketing from the reality of how the technology 
functions.


* Band Steering – Cisco didn’t say it was impossible; what they said was 
that the client side of the equation was so fraught with issues that the 
feature would lead to greater problems, especially in diverse ecosystems such 
as education. That totally played out here, where the Aruba feature had to be 
disabled because it was causing a lot of issues. In the central library, I 
could watch as Macs (in particular) would be bounced around like a hot potato. 
Even today, it’s a lot better, but clients are far better at making the right 
decision, so leaving the feature off, be it Cisco or Aruba, is a prudent idea.
* Spectrum Monitoring – Again, Aruba is/was dependent on what the 
off-the-shelf chipset is capable of. Perhaps this has improved in the latest 
APs, but we (and respected others in the field) found them rather blind to a 
lot of spectrum data that the CleanAir Cisco devices saw clearly – and 
significantly faster at detection of items the Aruba also saw. CleanAir APs 
have a dedicated equivalent of Spectrum Expert on them – they don’t need to use 
the client radios to do the work. It’s always on, always looking.
* Bugs – I don’t know the specifics on the current issues, but I know 
they’ve run into a number of show-stopper problems in the past. The controllers 
and APs are fairly new (24 months), so it’s not because they are running 
something unsupported. The companies you mention were customers before HP 
purchased Aruba. Given what the colleges here have expressed since the change, 
it would be difficult to speculate on their satisfaction under the new 
direction. It’s sort of like saying Cisco has 45% of the WiFi market, so with 
nearly a three-fold advantage over their nearest competitor, it’s surprising 
Toyota would go with a distant 2nd. Then again, companies often make decisions 
based on non-technical reasons, e.g. joint marketing incentives, or because the 
alternative is a close partner with a competitor.




From: "wireless-lan@listserv.educause.edu" on behalf of "bosbo...@liberty.edu"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, August 24, 2018 at 4:48 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID


Aruba introduced client band steering before we became their customer in 2008. 
At that time Cisco said band steering was not possible. Aruba has had spectrum 
monitoring since before Cisco’s CleanAir technology. We know who is following 
whom. That is why we made our choice.

Aruba has had AP preload for years, but this is hands-off, seamless, automated 
updating of controllers & APs.

I am very interested in what Aruba bugs have not been addressed, assuming they 
were running supported code. We work very closely with their support and they 
ensure our needs are met. I am sure large companies like Microsoft, Google, & 
Toyota would not use Aruba if the support was lagging behind others.

With Aruba (& Cisco) one needs to move carefully when updating to ensure the 
new version meets your stability requirements while fulfilling your needs.


The above is strictly my personal opinion and not that of my employer

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971


Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-23 Thread Jeffrey D. Sessler
Ian,

I could be misremembering, but I believe, at least on the 2800/3800, that the 
OS is based on Meraki's with the additional Cisco pieces such as CAPWAP 
added in. Also, the engineering team members I've worked with for the product 
are located in San Jose.

I do agree that there were growing pains with the launch of the 2800/3800s. You 
had a new underlying OS and new technology, e.g. software-defined radio, sitting 
on top of it. We had a few challenges, but the engineering team in San Jose 
worked directly with us to resolve the problems.

As for time to market, there are some enterprise WiFi vendors that use the same 
off-the-shelf chips and reference designs as the home router folks. There are 
other vendors that develop their own chips, including radio code, so they can 
innovate. Sometimes that innovation means you don't get to lay claim to "first 
to market."

Jeff


On 8/23/18, 7:03 AM, "Ian Lyons" wrote:

Good point Lee

My experience through the painful upgrade/failure was that Cisco doesn’t 
know the pain point. They kept saying, point blank, we were the only people 
having issues. I immediately whipped out my laptop and showed them that 
others were having issues. The blinking and open/closed mouths that ensued 
were comical until I realized I just went against everything they had believed. 
The end result was that my comment and documentation were ignored. The data did 
not line up with their expectations and was ignored.

Further, the new AC code is BRAND NEW. The Aero code that runs all the 
older B/G/N APs could not be upgraded to handle AC. So they started 
over...from scratch, without having bought a company. I watched our Cisco team 
call China and make live edits to kernel code and have it compiled in real time 
and packaged up for us to test the next day to solve our problems.

My $.02: Cisco is a Marketing company and not an Engineering company (any 
more). They cut their QA dept and rushed product out the door so they wouldn’t 
be lapped. Aruba had already been shipping a Wave 2 AC AP for 14 months by the 
time a 1810/2802/3802 AP was rolled out. Even Belkin was announcing a Wave 2 AC 
AP the week our Cisco APs were shipped. I remember this as I was told it would 
be 1 month more before I got them and then they showed up. I joked with my 
sales guy, did the Belkin announcement scare you? We laughed.

However, the initial order of 500 APs that I received did not work. They 
all had bad code on them that prevented the devices from talking to the 
controller without manual configuration of the WLC on each AP.

I think the local Cisco people are GREAT. Sales, Regional support, even 
TAC... However, the institution itself (Cisco) concerns me. They rely on 
acquisitions to get new gear and struggle to incorporate the gear smoothly into 
their products. I am still waiting for Firepower 9300 to look anything remotely 
like a Check Point or Palo Alto NGFW firewall. They no longer are the market 
leaders in tech. Aruba and Palo Alto have superior products that work, right 
out of the gate.

Ian

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Lee H Badman
Sent: Thursday, August 23, 2018 9:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

One thing that Cisco has in its favor (my theory): most struggling 
customers don't know the scale of the code problems because they don't really 
talk to other customers. This list aggregates the pain and lays it bare for all 
to see, and it's very concerning. I'd love to see AireOS scrapped, personally. 
And a new management option for those of us who don't want hyper-bloated 
"unified" whatever. I don't know what would come next, but stability and 
reliability need to be moved way, way up the priority list.

-Lee



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Ian Lyons
Sent: Thursday, August 23, 2018 8:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

As a result of the lack of QA, we removed all 1000 of our Cisco AP's and 
moved to Aruba.  Since then, we have had zero problems.  

Cisco really needs to get their stuff together, their Wireless has not been 
an Enterprise level product, in my opinion.

Ian

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Kenny, Eric
Sent: Thursday, August 23, 2018 8:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

We were hit with the AID bug 

Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-23 Thread Jeffrey D. Sessler
Here is my counter to your statement Lee:

Until I joined my neighborhood Nextdoor app, I had no idea that people were 
getting their mail stolen, animals taken by coyotes and mountain lions, 
unlocked cars ransacked, and so on. As I studied this, I realized that I was 
now seeing a small number of posts from a pool of nearly 12,000 members in the 
neighborhoods I was now connected to. I also noticed that the posts heavily 
skewed toward issues/problems vs positives. In my twenty years living in my 
neighborhood, I've never experienced one of these issues. Life is great, 
ignorance is bliss, and I'm not going to concern myself with a problem that 
appears to impact one tenth of one percent of the neighborhood population.

You see, the Nextdoor Neighborhood app, like this forum, hyper-focuses on 
problems from a small subset of a vendor's overall installed base. It's not 
like people show up here and post a "best practice" for setting up a given 
technology/feature or talk about how awesome a new piece of tech is. It's a 
place to share and seek answers to problems, and like the Nextdoor app, it's 
sometimes difficult to believe that "life is great" for the vast majority of 
people.

Jeff 


On 8/23/18, 6:32 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Lee H Badman" wrote:

One thing that Cisco has in its favor (my theory): most struggling 
customers don't know the scale of the code problems because they don't really 
talk to other customers. This list aggregates the pain and lays it bare for all 
to see, and it's very concerning. I'd love to see AireOS scrapped, personally. 
And a new management option for those of us who don't want hyper-bloated 
"unified" whatever. I don't know what would come next, but stability and 
reliability need to be moved way, way up the priority list.

-Lee



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Ian Lyons
Sent: Thursday, August 23, 2018 8:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

As a result of the lack of QA, we removed all 1000 of our Cisco AP's and 
moved to Aruba.  Since then, we have had zero problems.  

Cisco really needs to get their stuff together, their Wireless has not been 
an Enterprise level product, in my opinion.

Ian

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Kenny, Eric
Sent: Thursday, August 23, 2018 8:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

We were hit with the AID bug around this time last year on an 8.3 release. 
At the time the bug was a Sev 2 with Cisco. They provided an engineering 
release which we ran until the issue was finally resolved in later code. More 
proof that QA in large environments is lacking, to say the least.

I’m with Bruce on this one; we are running the Aruba 8.3.0.1 release and have 
used the live upgrades a few times now. The only issues we’ve seen with it are 
with our mesh deployment, but I hear they are working on that. Client devices will 
roam as Joachim mentioned, but as long as you have roaming set up correctly, 
it’s almost always transparent to the user.
---
Eric Kenny
Network Architect
Harvard University ITS
---

> On Aug 23, 2018, at 7:33 AM, Osborne, Bruce W (Network Operations) 
 wrote:
> 
> Come over to the Intelligent Wi-Fi side! :D
> 
> We just moved to Aruba 8.2.x this summer and are impressed with the 
> automated RF management capabilities. We can now upgrade all or part of our 
> wireless network with zero downtime.
> 
> We also are in the process of moving from 3 independent systems 
> (campus, remote, LPV) to a single unified system, simplifying configuration 
> and adding more consistency.
>  
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  
>  (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Lee H Badman [mailto:lhbad...@syr.edu]
> Sent: Wednesday, August 22, 2018 4:20 PM
> Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to
> Associate: AID Error
>  
> It’s crazy: Cisco is up to 8.8.x on the support site, but I hesitate to move 
> from 8.2 MR7 as it actually works. Like hesitate to move, ever. EVER.
>  
> -Lee Badman
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  On Behalf Of Mccormick, Kevin
> Sent: Wednesday, August 22, 2018 1:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco - 

Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-23 Thread Jeffrey D. Sessler
It’s great to hear Aruba is adding features such as “automated RF management” 
that Cisco has had for over a decade. In another ten years maybe they’ll catch 
up to Cisco’s CleanAir technology?  :D

In all seriousness, if you’re talking specifically about AP updates, Cisco has 
had AP code pre-download for years, resulting in between 2 to 4 minutes of 
downtime when rebooting a multi-thousand-AP controller. Not hitless, but low 
impact for sure.

If you make use of Prime 3.3 or above, you’ve got Rolling AP Upgrade, ensuring 
that APs are updated and rebooted in defined groups so that clients are 
minimally impacted, i.e. they roam to another AP while an adjacent one is being 
updated. It’s not hitless since the client must roam, but it’s as transparent 
as you’re going to get.

In my opinion, the only way we’re going to see better results for enterprise 
WiFi in EDU will be as customers transition to cloud-based managed services. In 
this scenario, the vendor gains significant visibility on everything deployed 
in the field and isn’t waiting for a customer to decide to open a case and do 
all the necessary log/data collection, e.g. Meraki.

The campuses in our consortium that had been on Aruba have been migrating to 
Cisco this summer. Since the purchase by HP, support and innovation has waned, 
with bugs they’ve hit not being addressed. Clearly, like the difference in my 
and Lee’s Cisco experience, it’s not all rainbows and unicorns on the Aruba 
side either.

Jeff



From: "wireless-lan@listserv.educause.edu" on behalf of "bosbo...@liberty.edu"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, August 23, 2018 at 4:33 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

Come over to the Intelligent Wi-Fi side! :D

We just moved to Aruba 8.2.x this summer and are impressed with the automated 
RF management capabilities. We can now upgrade all or part of our wireless 
network with zero downtime.

We also are in the process of moving from 3 independent systems (campus, 
remote, LPV) to a single unified system, simplifying configuration and adding 
more consistency.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, August 22, 2018 4:20 PM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

It’s crazy: Cisco is up to 8.8.x on the support site, but I hesitate to move from 8.2 
MR7 as it actually works. Like hesitate to move, ever. EVER.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Mccormick, Kevin
Sent: Wednesday, August 22, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client Fails to 
Associate: AID Error

New field notice was published yesterday.

https://www.cisco.com/c/en/us/support/docs/field-notices/702/fn70253.html

You may want to check if you are being affected.

The following versions are affected.

8.0.150.0, 8.0.152.0
8.4.100.0
8.5.103.0

If you are running 8.0, TAC has 8.0MR5esc available.


Kevin McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 
298-1335 | Morgan Hall 106b
Connect with uTech: Website | 
Facebook | 
Twitter



Re: [WIRELESS-LAN] Cisco AP2800 failure rate

2018-08-17 Thread Jeffrey D. Sessler
You may not get link/activity until the AP's interface comes up, but the AP may 
still be requesting power and booting. I'd get one attached to a console cable 
and see what happens. If you're using a Cisco switch, the "show power inline" 
command will tell you if power is being supplied/requested.

Jeff

On 8/17/18, 11:17 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Sam Ziadeh" wrote:

POE switch (non cisco). We did take some of the failed units and plugged 
them into a Cisco POE switch to rule out a switch issue.

We did not check the console port of the AP, but the port on the switch was 
not lighting up either.

-Sam

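Jeff's advice above, to check `show power inline` on the access switch before declaring a dark AP dead, worked into a small triage script. This is an added example, not code from the thread; the switch output it parses is a constructed sample in the usual IOS table layout, and the list of AP ports and the 30 W full-power threshold for an 802.3at-class AP are assumptions to adjust for your own platform.

```python
"""Triage Cisco IOS 'show power inline' output for APs that are not drawing PoE.

Added example for this thread, not code from any list member. The switch can
tell you whether an AP ever requested power even when its LEDs are dark, which
separates a dead PD or bad cable from a PoE budget or negotiation problem.
Assumptions: the IOS table layout below, the ports expected to carry APs, and
30 W as the full-feature requirement for an 802.3at (PoE+) class AP.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of 'show power inline'; not captured from a real switch.
SAMPLE_OUTPUT = """\
Available:740.0(w)  Used:45.4(w)  Remaining:694.6(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/1   auto   on         30.0    Ieee PD             4     30.0
Gi1/0/2   auto   on         15.4    Ieee PD             3     30.0
Gi1/0/3   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/4   auto   faulty     0.0     n/a                 n/a   30.0
Gi1/0/5   auto   power-deny 0.0     n/a                 n/a   30.0
Gi1/0/6   off    off        0.0     n/a                 n/a   30.0
"""

# One table row: interface, admin, oper, watts, device (may contain spaces,
# hence non-greedy), PD class, max watts. Summary and header lines never match.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<admin>\S+)\s+(?P<oper>\S+)\s+(?P<watts>\d+\.\d+)\s+"
    r"(?P<device>.+?)\s+(?P<cls>\S+)\s+(?P<max>\d+\.\d+)\s*$"
)


@dataclass
class PortPower:
    iface: str
    admin: str
    oper: str
    watts: float
    device: str
    pd_class: str
    max_watts: float


def parse_power_inline(text: str) -> List[PortPower]:
    """Return one PortPower per table row; everything else in the output is skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports.append(PortPower(m["iface"], m["admin"], m["oper"], float(m["watts"]),
                                   m["device"].strip(), m["cls"], float(m["max"])))
    return ports


def triage(ports: List[PortPower], ap_ports: List[str],
           min_watts: float = 30.0) -> Dict[str, str]:
    """Map each port expected to carry an AP to a finding; healthy ports are omitted.

    min_watts is the assumed full-feature draw for the AP model (check its datasheet).
    """
    by_iface = {p.iface: p for p in ports}
    findings = {}
    for iface in ap_ports:
        p = by_iface.get(iface)
        if p is None:
            findings[iface] = "port missing from output; check the interface name"
        elif p.admin == "off":
            findings[iface] = "PoE administratively disabled on the switch port"
        elif p.oper in ("faulty", "power-deny"):
            findings[iface] = f"PSE reports {p.oper}; check cabling, PoE budget, or the PD"
        elif p.oper != "on":
            findings[iface] = "no power requested; suspect the AP's PoE front end or the cable"
        elif p.watts < min_watts:
            findings[iface] = (f"only {p.watts} W negotiated (class {p.pd_class}); "
                               "AP may be running in reduced-power mode")
    return findings


if __name__ == "__main__":
    expected = [f"Gi1/0/{n}" for n in range(1, 7)]  # assumed AP-facing ports
    for iface, finding in triage(parse_power_inline(SAMPLE_OUTPUT), expected).items():
        print(f"{iface}: {finding}")
```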



Re: [WIRELESS-LAN] Cisco AP2800 failure rate

2018-08-16 Thread Jeffrey D. Sessler
I’ve got a metric ton of 3800s and 2800s spanning FCS (first customer ship) 
to less than a month old and have had zero failures.

I agree with one of the other posters that even with no lights displayed, there 
can be action on the console port.

Was the initial failure when connected to a POE switch or using an injector? 
Cisco switches/injectors or third-party?

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Sam Ziadeh
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, August 16, 2018 at 7:39 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Cisco AP2800 failure rate

Is anyone else seeing a high rate of Cisco AP 2800 failures? Out of a batch of 
~500 recently installed APs, we have had roughly 70 fail. Some were online for 
a month, but some only a few days.
Typically they will fail after a power cycle or loss of power.
We are working with Cisco on this, but I’m curious if this is a more 
widespread problem.

-
Sam Ziadeh
Manager, Network Engineering & Architecture
University Networking & Infrastructure
Information Technology Services
Louisiana State University
(225) 578-0074
szia...@lsu.edu




Re: [WIRELESS-LAN] Meraki AP connectivity to eduroam

2018-07-27 Thread Jeffrey D. Sessler
Same as others said. Define the management IP to be allowed by your RADIUS 
server and it works great. If you have a lot of locations, and less control of 
the management IP network, e.g. it’s hanging on say a Comcast network where the 
IP changes, the alternative is to use Meraki’s proxy RADIUS. The APs talk to 
the Meraki proxy RADIUS and the proxy RADIUS in turn talks with your RADIUS.

Now if only Meraki would directly peer with eduroam, then all you’d need to do 
is point at the proxy and be done.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Mark McNeil [Staff]"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, July 27, 2018 at 12:21 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Meraki AP connectivity to eduroam

Hi everyone,
I'm wondering if someone can provide a little clarity on configuring 
Meraki to connect to eduroam. The documentation states that

" The MR's will need to be defined on the RADIUS server as RADIUS clients 
(consult RADIUS server documentation to complete this step). "

I take this to mean that I will need to define all my APs, in my case MR42s, 
in my local RADIUS. Is this correct, or is there another way around this on the 
Meraki? I only have 33 APs, but it seems there should be another way.

Any help is appreciated.

Thanks

Mark

--

Mark McNeil
Director, Network Engineering and Operations
Fordham University | Fordham IT
Tel: 718-817-3763
Business Office: 718-817-3750
Fax: 718-817-5775
email: mcn...@fordham.edu 
http://www.fordham.edu



Re: [WIRELESS-LAN] TimeClocks Plus

2018-07-02 Thread Jeffrey D. Sessler
Have you taken a packet capture to see what’s up?

We have similar Android-based timeclocks from our timekeeping vendor Kronos. At 
one of the campuses they have a similar issue with their clocks, only they are 
wired.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "lhbad...@syr.edu"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Monday, July 2, 2018 at 10:00 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] TimeClocks Plus

Hi Everyone,

Throwing this out there again: is anyone using/supporting TimeClocks Plus time 
and attendance clocks on their WLAN? Would love to speak to anyone who is.

Thanks,

Lee Badman



Re: [WIRELESS-LAN] Wireless Options

2018-05-21 Thread Jeffrey D. Sessler
Lee’s comment is one where the cloud may be a better fit and/or would get 
resolution to plaguing issues. If I and thousands of other customers have an 
on-premise solution that has been rock solid,  yet Lee has the same vendor 
solution and it’s so problematic, how do we compare notes and/or help the 
vendor in teasing out the differences? It’s near impossible, but in a proper 
cloud situation, where the vendor can analyze everything including 
cross-customer configurations, perhaps there is hope for those that are 
struggling?

I believe this is even more helpful if the IT department is small, and just 
doesn’t have the bandwidth to deep-dive into the technology. If the expectation 
is that it just works, then the cloud solutions, with fewer interesting knobs 
to turn/adjust, might just be the right call.

On the subject of extending VLANs, it comes down to network/applications design 
philosophy. If you reach a state where you eliminate the network as an access 
control mechanism e.g. this vlan for access to app Z, then you can perhaps drop 
users into whatever network is already on the switch. There is also network 
virtualization which is another subject altogether.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, May 21, 2018 at 6:43 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Options

I struggle with this question, too (cloud versus not) as a long-time user of 
both. The need to trunk VLANs to cloud-based APs in a big environment is more 
of an issue to me than code paradigms. Absolutely nothing could be worse than a 
certain vendor’s appliance-based controller code quality track record over the 
last 12 years. A culture of “accepted suck” seems to pervade over that business 
unit and their most loyal customers, while I scratch my head over why there 
hasn’t been a class-action lawsuit over the entire mess. Now add automation to 
the mix and hang on for THAT thrill ride.

I’d love to have no more controllers, but the VLAN thing is tough to swallow.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Osborne, Bruce W (Network 
Operations)
Sent: Monday, May 21, 2018 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

With a cloud solution, if they mess up feature addition you are stuck with that 
latest version, correct? With controller-based or Aruba Instant type scenarios 
you are in charge of when to upgrade, waiting for stable builds.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield III, Charles Albert [mailto:cae...@psu.edu]
Sent: Friday, May 18, 2018 2:54 PM
Subject: Re: Wireless Options

The other thing that’s going to change is the functionality.  Jeff was on the 
right track when he talked about vendors with a global presence being better 
able to identify bugs, security flaws etc. and promptly diagnose and patch 
them.  They’re also better positioned to apply machine learning and AI to the 
problems of network security and Wi-Fi optimization.  If they’re doing things 
right, the cloud product won’t be a hamstrung version of the controller 
product.  It will be a better version of the controller product.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

One of the difficulties in comparing TCO is around staffing. Both estimating 
how much time staff really spend on the current solution, but also taking into 
account base salary with benefits. At many colleges, benefits can add another 
30%+ to the cost of a person. As such, the elimination (or reallocation) of one 
FTE has a huge impact on on-premise vs cloud comparisons. That single FTE could 
be $100K (salary + benefits) per year, saving (or reallocating) $700K over 
those 7 years.

In a lot of our cloud shift, those FTE’s have been re-allocated into more 
important roles such as security.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Thomas Carter <tcar...@austincollege.edu>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu

Re: [WIRELESS-LAN] Wireless Options

2018-05-18 Thread Jeffrey D. Sessler
One of the difficulties in comparing TCO is around staffing. Both estimating 
how much time staff really spend on the current solution, but also taking into 
account base salary with benefits. At many colleges, benefits can add another 
30%+ to the cost of a person. As such, the elimination (or reallocation) of one 
FTE has a huge impact on on-premise vs cloud comparisons. That single FTE could 
be $100K (salary + benefits) per year, saving (or reallocating) $700K over 
those 7 years.

In a lot of our cloud shift, those FTE’s have been re-allocated into more 
important roles such as security.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Thomas Carter <tcar...@austincollege.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, May 18, 2018 at 8:43 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Options

For cloud to really take over, the costs need to drop. We just went through a 
similar thing and are of a similar size (~300 APs), and the cloud on-going OpEx 
costs dropped them out of the race. The simplicity of costs budgeting is nice, 
but 7 year TCO is no contest.

Where they currently seem to be the best option is in the >25 to <100 AP market 
(<25 easily fits into Aruba Instant, Ruckus Unleashed, etc) or the small 
business vendor-managed market.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 10:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

Chuck has the right idea here. Our respective college strategic missions don’t 
mention running servers or wireless controllers as strategic to the mission of 
the college. Cloud/SaaS solutions free up folks from the mundane tasks, 
allowing them to focus on those higher-up technology layers that can benefit 
the strategic mission. I think it’s easy today to see the benefits of moving 
on-premise email systems to GAFE or O365, but that comfort level isn’t there 
yet with some other systems such as Wireless.

From a support standpoint, a vendor like Meraki has global visibility of how 
their product is operating, meaning they can correlate/see/react to issues 
faster including patching. For the controller-based solutions, there is the 
isolation factor, capability of the customer to gather support info, and the 
vendor not knowing if other customers are having the issue.

I suspect both options will be with us for years to come, but as more and more 
of our respective data centers move to the cloud, I predict the wireless cloud 
services will become more popular.

Jeff
From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Enfield III, Charles Albert" 
<cae...@psu.edu<mailto:cae...@psu.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Thursday, May 17, 2018 at 1:38 PM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Wireless Options

I don’t want to put words in John’s mouth, but operating controllers requires 
time and effort beyond what’s required to manage configurations.  Scaling, 
security, software upgrades, etc., all require resources but contribute nothing 
to the user experience.  For us the benefits of hosting our own controllers is 
worth it, but I understand that isn’t true for everybody.  I’m not even sure it 
will always be true for us.  When the benefits of controllers as traffic 
aggregators can be easily replaced with SD fabrics, I’ll probably want cloud 
controllers too.  The details will matter, but it’s where I think we’re going.

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
119L, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Peter P Morrissey
Sent: Thursday, May 17, 2018 4:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Op

Re: [WIRELESS-LAN] Wireless Options

2018-05-18 Thread Jeffrey D. Sessler
Chuck has the right idea here. Our respective college strategic missions don’t 
mention running servers or wireless controllers as strategic to the mission of 
the college. Cloud/SaaS solutions free up folks from the mundane tasks, 
allowing them to focus on those higher-up technology layers that can benefit 
the strategic mission. I think it’s easy today to see the benefits of moving 
on-premise email systems to GAFE or O365, but that comfort level isn’t there 
yet with some other systems such as Wireless.

From a support standpoint, a vendor like Meraki has global visibility of how 
their product is operating, meaning they can correlate/see/react to issues 
faster including patching. For the controller-based solutions, there is the 
isolation factor, capability of the customer to gather support info, and the 
vendor not knowing if other customers are having the issue.

I suspect both options will be with us for years to come, but as more and more 
of our respective data centers move to the cloud, I predict the wireless cloud 
services will become more popular.

Jeff
From: "wireless-lan@listserv.educause.edu"  
on behalf of "Enfield III, Charles Albert" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, May 17, 2018 at 1:38 PM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Wireless Options

I don’t want to put words in John’s mouth, but operating controllers requires 
time and effort beyond what’s required to manage configurations.  Scaling, 
security, software upgrades, etc., all require resources but contribute nothing 
to the user experience.  For us the benefits of hosting our own controllers is 
worth it, but I understand that isn’t true for everybody.  I’m not even sure it 
will always be true for us.  When the benefits of controllers as traffic 
aggregators can be easily replaced with SD fabrics, I’ll probably want cloud 
controllers too.  The details will matter, but it’s where I think we’re going.

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
119L, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Peter P Morrissey
Sent: Thursday, May 17, 2018 4:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

Same here. I was also curious as to why it would be limited to cloud based 
solutions. I would drill down a layer into the perceived benefits of cloud 
based, and define it that way. Easier management requiring less staff time and 
thus lower TCO and more ability to accomplish other activities? Etc. Maybe.

One of the disadvantages of cloud based solutions besides losing some control 
and visibility is the ongoing costs. We love Meraki as much as anyone, but the 
annual recurring licensing costs are rather steep and should be carefully 
weighed against the benefits.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Thursday, May 17, 2018 2:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

I’m curious about the requirement that controllers be “cloud based” and what 
business requirement that maps to.

Trying to understand what a cloud based controller gives your business that an 
on-premises controller does not.  How that translates to better experience, 
happier students or faster connectivity.

Sent from my iPhone

On May 17, 2018, at 12:13 PM, Norton, Thomas (Network Operations) wrote:
I highly recommend looking at Aruba as well.

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trenton Hurt
Sent: Thursday, May 17, 2018 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

https://www.mist.com/

On Thu, May 17, 2018 at 2:10 PM John Rodkey wrote:
Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 

Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Jeffrey D. Sessler
We are using Meraki (cloud) as well as Cisco (controller). For the cloud 
requirement, the Meraki is really easy to setup and manage and they have both 
small as well as very large enterprise deployments. The interface is great, and 
like other cloud offerings, you get out of the management of 
controllers/software updates. Meraki pretty much owns k-12, where the 
simplicity is a huge plus over the traditional on-prem controller designs. The 
cloud managed switches/security devices are also easy to manage. Support is top 
notch too.

If you are considering controller-based, my consortium currently uses both 
Aruba and Cisco, although the Aruba schools have recently made the decision to 
move to Cisco. If you’d like to hear information on both, contact me off-list. 
No need to start a “Ford vs Chevy” debate on the list.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of John Rodkey 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, May 17, 2018 at 11:10 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Wireless Options

Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly  
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College



Re: [WIRELESS-LAN] Need help

2018-04-23 Thread Jeffrey D. Sessler
Is there a reason you are on that code? I’d start with running the recommended 
8.2MR7 interim.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Hector J Rios 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Monday, April 23, 2018 at 7:10 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Need help

All,

Last fall we all shared our experiences with the beginning of the semester. 
Ours was not great, and what we thought had been resolved, came back to bite 
us, again. If you want more info, search for subject “Re: [WIRELESS-LAN] Move 
In/Opening Week- Any Problems?”

My question to all of you is the following: If you have Cisco 8540s and over 
3000 APs, have you ever moved APs from one controller to another with no 
issues? i.e. You move 3000 APs from one controller to another at once.  Please 
respond and let me know your basic setup.

Here is our problem. Last year we moved all of our APs to an HA pair of 8540. 
We experienced no issues until the beginning of the fall, when all students 
came back. Last week, we moved all the APs from one HA pair to another, and 
right away we started experiencing issues.

What is the issue? When the issue starts happening, it appears that a good 
portion of our APs cannot associate to our controllers. It seems like the 
controllers run out of resources to be able to establish CAPWAP tunnels (memory 
leak?).

Our configuration:

Two HA pairs of 8540s, AP/Client SSO
AVC turned on, only on eduroam
IPv4/IPv6 dual stack support
Our oldest AP model is 1140
Software 8.2.161 (yes, we know it is deferred)
3900 APs



Re: [WIRELESS-LAN] Wireless RFP - Preparing to Start the Process

2018-03-01 Thread Jeffrey D. Sessler
If you are a member of Gartner or other similar service, they have fantastic 
frameworks/templates for this sort of thing.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Manuel Amaral 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, March 1, 2018 at 6:28 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Wireless RFP - Preparing to Start the Process

We’d be interested in this as well as we need to undergo a full wireless 
replacement.

Regards,
Manny
---
Manuel (Manny) Amaral
Director, Information Technology Operations
781-292-2433 | www.olin.edu


Leading the Revolution in Engineering Education

We will never ask you for your password!



From: Mike Beane [mailto:bea...@husson.edu]
Sent: Wednesday, February 28, 2018 12:23 PM
Subject: Wireless RFP - Preparing to Start the Process

Good afternoon,

We've reached the point where we will be starting the groundwork for putting 
out an RFP to engage vendors with before next summer.  For my short time here, 
this will be the first time I've done this particular system and even though 
we've overhauled our virtual infrastructure and Internet connectivity in the 
past three years, those were fairly "behind the scenes" projects.  I believe 
that this will be our (or at least Infrastructure's) most visible project to 
date.  We have both the daily routine of students\faculty\staff, but also a 
quarter of our students are residents on campus throughout the academic year.

I'm looking for anyone who might be willing to share their wireless RFP, and if 
you've done this in the last three years, what system did you go with?  On list 
or off is fine and either is appreciated.

Thank you,
Mike

Mike Beane
IT Infrastructure Manager
Ph: 207-941-7613
Husson University
1 College Circle
Bangor ME 04401




Re: [WIRELESS-LAN] Offline/Spare Gear Inventory Size

2018-02-27 Thread Jeffrey D. Sessler
  *   Look at the turn-around time for warranty replacement. The free 
limited-lifetime may take longer than if the AP is under an extended contract.
  *   Evaluate your deployment plan. If your deployment is coverage-based, 
where the loss of a single AP could be devastating to clients, then keep more 
spares. If you have a dense deployment where the loss of one or more APs is of 
little consequence, keep less.
  *   Spares are technology collecting dust with the same life-cycle as those 
in production. If you have 5000 APs and spare 2%, that’s 100 APs that would 
likely cover a moderately sized building, and provide a lot of in-fill.
  *   If you keep spares, make sure to cycle them into production i.e. always 
install them into a new project, and put new APs back on the spare shelf.
  *   When you upgrade controller code, pull those spares out and let them 
upgrade too, then test that they still work.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Trinklein, Jason R" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Monday, February 26, 2018 at 10:21 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Offline/Spare Gear Inventory Size

Hi All,

I’m curious to know the size of your spare gear inventories. Do you keep a 
percentage of each model of AP in inventory, and what is your reasoning? 
Storms? Last minute/emergency wireless coverage needs?

What percentage of your live gear do you keep as offline inventory? (100 live 
APs with 1 inventory AP = 1% offline inventory).

With Xirrus, we had an offline inventory of more than 10% of live inventory. We 
kept that inventory to cover the high failure rate of the equipment, the 
incidence of hurricanes and lightning strikes in our area, the broad range of 
AP models on campus, and last minute large events in low coverage areas.

We are evaluating the minimum offline inventory for our new Aruba gear as we 
finish up the vendor switch. I have been thinking 1-2%, but I want to see what 
you guys do first, and why.

Thank you,
--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

DID YOU KNOW? The Princeton Review selected the College of Charleston as one of 
50 schools focused on providing students with practical experiences that take 
their academics to the next level.



Maybe OT - Cell repeater - SureCAll Force 5

2018-02-13 Thread Jeffrey D. Sessler
My facilities department resides at the other side of my building, and about 
six weeks ago they installed a SureCall Force 5 cell booster. Had no idea this 
occurred (no surprise), but at the exact same time everyone in my office with 
ATT stopped being able to make outgoing calls. For the previous 20 years, no 
issues at all, be it ATT, Sprint, Verizon, or Tmobile.

Anyone with experience with this device and similar issues or have suggestions 
for something you know works far better?

--
Jeff Sessler
Director, Information Technology
Scripps College




Re: [WIRELESS-LAN] iPhone - Incorrect Wi-Fi Password Error

2018-01-30 Thread Jeffrey D. Sessler
Sean,

Are you running a multi-controller setup? If so, I’d look to make sure 
inter-controller roaming and mobility groups are operating correctly. Have you 
removed the lower data rates from your AP’s so that clients don’t stick as long 
to distant APs?

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Gray, Sean" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Tuesday, January 30, 2018 at 8:55 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] iPhone - Incorrect Wi-Fi Password Error

Hi Dave,

We didn’t see the client hitting our RADIUS server, and unfortunately these 
events aren’t typically reported when they happen.

I like your other thought about the AP power and cell size in relation to the 
clients output power. This never crossed my mind at the time, but I will 
certainly be looking more into this.

Thanks

Sean

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of LaPorte, David
Sent: January-29-18 3:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iPhone - Incorrect Wi-Fi Password Error

Sean,

A few different things manifest the behavior your users are seeing, but here are a 
couple thoughts.

We use Radiator RADIUS for our 802.1x wireless network and were seeing errors 
in the logs that accompanied the credential pop-up.  It appeared as though the 
RADIUS controllers were receiving a large number of spurious packets mid-EAP 
transaction from our Cisco WISM2s.  That seemed like a bug, but I was able to 
work around the issue by ignoring the offending packets and never re-visited 
it.  Not sure if you are able to debug that deeply with ISE to see if that 
could be an issue.

Another thought, are your AP radios set to maximum power?  It’s possible that 
the user is at the edge of a coverage area and their device’s radio simply 
can’t reach the AP.

Regards,
Dave

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of "Gray, Sean"
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
Date: Monday, January 29, 2018 at 4:44 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] iPhone - Incorrect Wi-Fi Password Error

Hi Everyone,

I’m just wondering if anyone has experienced or heard reports of weird iPhone 
client behaviour.

We have had a couple of reports of iPhones throwing an “Incorrect Wi-Fi 
Password” error when the client is trying to join a network while walking 
around campus. The error resolves itself quite quickly if they hit cancel on 
the message as the correct credentials are cached on the device.

When I check the logs on our ISE server I see that the client never actually 
made an authentication attempt. So it may have been blacklisted on the WLC, 
unfortunately I don’t see a way to report on historical exclusion events.

No other client devices have been reported as experiencing the same issue, and 
it doesn’t appear to occur in the same geographic region. So I’m thinking this 
is a client side problem.

Thanks

Sean


Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge





Re: [WIRELESS-LAN] Cisco Channel Width

2018-01-19 Thread Jeffrey D. Sessler
Statements such as “…go from 20/40 to all 20 MHz and it have a 30% improvement” 
are highly dependent on the design of the infrastructure. If I walked into a 
university and they still had all of their WAPs in hallways, with clear 
line-of-sight to each other, then a statement like that seems plausible. It’s 
about the context, and without it, these statements can be misleading. And 
misleading to the point that people will accept it as absolute no matter what, 
potentially tossing a lot of their investment in a drawer.

In our environment, where construction is reinforced/filled concrete block, 
5 GHz doesn’t propagate very far, and we’ve done much testing be it static 
20 MHz, static 40 MHz, and DBS set to best at a max 80 MHz, and the data 
absolutely shows a huge client benefit in DBS’s decision to run WAPs at 80 MHz. 
But, we also place WAPs in rooms rather than hallways, and our client-base is 
almost exclusively 11ac. This is the “your mileage may vary” portion of the 
disclaimer.

We can certainly debate if that peak performance potential is necessary at this 
time, but again, the data indicates that there is client improvement.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of GT Hill <g...@gthill.com>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, January 19, 2018 at 8:02 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

This is very anecdotal, but I have personally seen a large university go from 
20/40 to all 20 MHz and it have a 30% improvement in end user performance. 
Everyone’s mileage will vary but given the data I’ve seen no way would I run 80 
MHz channels except in VERY limited scenarios.

If I were implementing a network today I would start at 20 MHz and move UP as 
scenarios presented themselves, NOT the other way around.

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu<mailto:j...@scrippscollege.edu>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, January 19, 2018 at 9:14 AM
To: 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

Been running that option (Best) for a long time. No downside that I've found, 
and after a few passes it's very stable with channel width. Even in our dense 
AP deployment residential areas, most all of our WAPs are running at 80 MHz, 
our students having mostly 11ac devices. The bandwidth use in our residential 
areas went way up as a result.

As to clients getting kicked off when the width changes, Cisco's magic sauce 
tries to prevent this from happening (it's detailed in the white papers). The 
code also makes decisions based on the client mix it sees, e.g. if it sees a 
majority of 802.11n clients around a WAP, it won't run that AP at 80 MHz. If the 
WAP is mostly 11ac, it will.

Running a static 20 MHz plan, in my opinion, is just tossing away performance 
and client experience. You wouldn't purchase an 800 HP supercar only to 
permanently disable half of its cylinders.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Les Ridgley <les.ridg...@newcastle.edu.au>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, January 18, 2018 at 6:45 PM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Cisco Channel Width

Hi All,
For those Cisco shops – has anyone configured the "BEST" parameter for channel 
width who would like to share their experiences or thoughts on the benefits or 
otherwise?

We have been advised to use 20 MHz as a campus-wide setting; however, DBS 
appears to offer significant benefits that would allow us to make better use of 
our 802.11ac APs. We are currently running two 8540 WLCs with around 2,500 
access points, a mix of 3600, 3700, 3800 and 1810 access points.

Thanks in advance,
Les
--
Les Ridgley
Senior Communications Officer (Network Operations),

IT Services
Resources Division
The University of Newcastle
University Drive, Callaghan NSW 2308
les.ridg...@newca

Re: [WIRELESS-LAN] Cisco Channel Width

2018-01-19 Thread Jeffrey D. Sessler
A lot of these magic-sauce features, e.g. FRA, have expectations/dependencies on 
other services like DCA operating at current best practices. If you've been 
running a Cisco solution for years, a well-meaning admin may have tweaked them 
for any number of reasons. If those settings aren't reviewed with each new 
major code version, you wind up defeating the new features. For example, I find 
that many people have changed DCA's scheduled run time from its default of 10 
minutes to hours, or disabled it altogether. FRA is dependent on DCA, and is 
most effective when DCA is back at its default.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Charles Francis 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Friday, January 19, 2018 at 7:17 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

We tried it and didn't have consistent or very good results. We are presently 
using 40 MHz as a standard with 20 MHz for dense deployments. Not quite in the 
same vein, but we actually decided to leave this alone and go towards tuning 
out 2.4 and making use of FRA more. We are not doing the automagic FRA, but 
rather manually switching radios over to either 5.8 or monitor mode.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Legge, Jeffry" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Friday, January 19, 2018 at 7:07 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

Initially I thought it was a great idea. In practice students kept getting 
bounced because of width changes, so I removed it and I am using 20 MHz 
channels only.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Les Ridgley
Sent: Thursday, January 18, 2018 9:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Channel Width

Hi All,
For those Cisco shops – has anyone configured the "BEST" parameter for channel 
width who would like to share their experiences or thoughts on the benefits or 
otherwise?

We have been advised to use 20 MHz as a campus-wide setting; however, DBS 
appears to offer significant benefits that would allow us to make better use of 
our 802.11ac APs. We are currently running two 8540 WLCs with around 2,500 
access points, a mix of 3600, 3700, 3800 and 1810 access points.

Thanks in advance,
Les
--
Les Ridgley
Senior Communications Officer (Network Operations),

IT Services
Resources Division
The University of Newcastle
University Drive, Callaghan NSW 2308
les.ridg...@newcastle.edu.au,
Phone +61 2 4921 6598
Fax: +61 2 4921 6910

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] Cisco Channel Width

2018-01-19 Thread Jeffrey D. Sessler
Been running that option (Best) for a long time. No downside that I've found, 
and after a few passes it's very stable with channel width. Even in our dense 
AP deployment residential areas, most all of our WAPs are running at 80 MHz, 
our students having mostly 11ac devices. The bandwidth use in our residential 
areas went way up as a result.

As to clients getting kicked off when the width changes, Cisco's magic sauce 
tries to prevent this from happening (it's detailed in the white papers). The 
code also makes decisions based on the client mix it sees, e.g. if it sees a 
majority of 802.11n clients around a WAP, it won't run that AP at 80 MHz. If the 
WAP is mostly 11ac, it will.

Running a static 20 MHz plan, in my opinion, is just tossing away performance 
and client experience. You wouldn't purchase an 800 HP supercar only to 
permanently disable half of its cylinders.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Les Ridgley 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, January 18, 2018 at 6:45 PM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Cisco Channel Width

Hi All,
For those Cisco shops – has anyone configured the "BEST" parameter for channel 
width who would like to share their experiences or thoughts on the benefits or 
otherwise?

We have been advised to use 20 MHz as a campus-wide setting; however, DBS 
appears to offer significant benefits that would allow us to make better use of 
our 802.11ac APs. We are currently running two 8540 WLCs with around 2,500 
access points, a mix of 3600, 3700, 3800 and 1810 access points.

Thanks in advance,
Les
--
Les Ridgley
Senior Communications Officer (Network Operations),

IT Services
Resources Division
The University of Newcastle
University Drive, Callaghan NSW 2308
les.ridg...@newcastle.edu.au,
Phone +61 2 4921 6598
Fax: +61 2 4921 6910




Re: [WIRELESS-LAN] Eduroam and Govroam

2018-01-04 Thread Jeffrey D. Sessler
I’m not speaking to my security model. I’m speaking of all these public-sector 
entities that can’t seem to support their mobile workforce, and are asking that 
someone else “solve” the problem for them e.g. govroam.

Maybe the solution is to abandon both eduroam and govroam and create a global 
“unsecureroam” that everyone can use, and understands its posture.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Jonathan Waldrep 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, January 4, 2018 at 12:13 PM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Eduroam and Govroam

@Jeff - If you are concerned with users accessing sensitive services over an 
inappropriate network (e.g., anything that is not the local campus network), 
then only make the services available on the appropriate networks (e.g., vpn). 
The same false sense of security exists when someone is working from home, and 
that is something that is already happening all the time. If your security 
model doesn't account for this, then it is already broken.




Re: [WIRELESS-LAN] Eduroam and Govroam

2018-01-04 Thread Jeffrey D. Sessler
Like user confusion with eduroam, users of govroam are unlikely to make the 
mental connection that govroam is the same as the open Starbucks network. In 
providing the global service, there is a built-in belief/expectation that 
govroam (like eduroam) is the same be it at your local company/university or 
when at another location. Nothing can be further from the truth. The simple 
user/device authentication gives yet another false layer of comfort to the 
user's perception of the service.

With InfoSec, we want the user to act with muscle memory. When a user walks 
into a Starbucks and connects to WiFi, the mental light bulb goes off reminding 
them that they better be using VPN, and perhaps not use it for business 
activity. It’s Starbucks after all – not my company’s network. Does the 
light-bulb go off when they automatically roam onto eduroam or govroam at a 
third-party location? Again, if they use them day-to-day at their home office, 
what’s the trigger that they need to treat it differently when away from the 
office? In downtown locations, can they even distinguish between govroam 
broadcast by their public-sector entity, and say the university across the 
street?

Why aren't the IT offices of these public-sector entities issuing these 
public-sector workers mobile hotspots and calling it a day? It seems like 
govroam just transfers the costs, and some liability, for providing robust 
mobile IT support to others.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Tomo <t...@london.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, January 4, 2018 at 11:06 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Eduroam and Govroam

Hi Jeff

I’m not sure that’s entirely the case, or it wouldn’t be over here.

The University, by providing govroam, would be acting like any other Wifi 
hotspot service, albeit without a captive portal because of the 802.1X roaming. 
You can see the authentication outer-ID username and accept/reject message like 
you can for any other eduroam or govroam user, but that's about it.

Would Starbucks get implicated in a PII leak if I went and exposed a bunch of 
my enterprise data over their Wifi? I would suggest not, but I would be in line 
for disciplinary action, and the data controller of the enterprise data would 
be hauled over the coals by the regulator if it was found that appropriate 
measures hadn't been taken by the data controller to ensure the employee did 
the right thing through a combination of technical measures and procedures.

I would suggest it’s down to the public sector IT departments to ensure that 
their users access and use the data that they have access to appropriately, and 
that they should treat govroam like any other untrusted network, albeit with 
easy upfront authentication to get onto the network. You would hope that there 
would be additional layers of security and technical/process measures in place 
to protect the transactions of the public sector employee but that really is 
the remit of their data controller and IT people, not your network?

I should have said in my previous email, I understand govroam is not just a UK 
thing, other European countries are also joining in.

_

Tomo | Senior Infrastructure Engineer - Networks, Telecoms & Security | 
Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: 04 January 2018 18:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam and Govroam

Seems ripe for PII to leak via independently run WiFi networks that broadcast 
govroam, yet are under no obligation to “do the right thing” with the public 
sector data flowing over their private networks. And by providing this at the 
university, does the university suddenly become a party to legal action should 
there be a data leak while a public sector employee is using govroam at their 
campus?

This seems like a big InfoSec headache I’d rather avoid altogether.

Jeff



From: "wireless-lan@listserv.educause.edu"

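Tomo's point above, that the visited campus sees only the outer-ID username and the accept/reject result of a roaming 802.1X login, can be made concrete with the following added example. It is not code from this thread, from any federation, or from any RADIUS product. LOCAL_REALM, FEDERATION_PROXY, the dotted-realm rule and the sample identities are assumptions; the visited site's proxy parses the NAI outer identity, routes home users to the local IdP and visitors to a federation proxy, and records only what it is actually able to see.

```python
"""Visited-site view of an eduroam/govroam-style 802.1X login.

Added illustration, not code from the list thread or from any federation:
models what a visited network's RADIUS proxy can see and decide for a
roaming user. LOCAL_REALM, FEDERATION_PROXY and the sample identities are
assumed, constructed values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALM = "example-university.edu"        # assumed home realm of this campus
FEDERATION_PROXY = "federation-proxy.example"  # assumed national proxy next hop


@dataclass(frozen=True)
class RoutingDecision:
    outer_identity: str
    realm: Optional[str]
    next_hop: Optional[str]  # None: the visited proxy rejects without forwarding
    reason: str


def parse_nai(outer_identity: str) -> Tuple[Optional[str], Optional[str]]:
    """Split an NAI ('user@realm', RFC 7542) into (user, realm).

    Returns (None, None) when no single routable realm is present. Assumed
    policy: a realm is a lower-cased DNS-style name with at least one dot and
    no empty labels. The inner identity never reaches this code because it
    travels inside the EAP tunnel to the home institution.
    """
    if outer_identity.count("@") != 1:
        return None, None
    user, realm = outer_identity.rsplit("@", 1)
    realm = realm.strip().lower()
    labels = realm.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None, None
    return user, realm


def route(outer_identity: str) -> RoutingDecision:
    """Decide where the visited site's proxy sends the Access-Request."""
    _user, realm = parse_nai(outer_identity)
    if realm is None:
        return RoutingDecision(outer_identity, None, None,
                               "reject: no routable realm in outer identity")
    if realm == LOCAL_REALM or realm.endswith("." + LOCAL_REALM):
        return RoutingDecision(outer_identity, realm, "local-idp",
                               "home user: authenticate against local IdP")
    return RoutingDecision(outer_identity, realm, FEDERATION_PROXY,
                           "visitor: forward to federation proxy")


def visited_site_record(outer_identity: str, result: str,
                        calling_station_id: str) -> dict:
    """Build the record the visited site can keep for one login.

    `result` is the Access-Accept/Access-Reject returned by the home IdP via
    the proxy chain. Only the outer identity, realm, result and client MAC are
    available; credentials and the inner identity are absent by construction,
    which is why the visited network is just an untrusted transport.
    """
    decision = route(outer_identity)
    return {
        "outer_identity": outer_identity,
        "realm": decision.realm,
        "next_hop": decision.next_hop,
        "result": result if decision.next_hop else "Access-Reject",
        "calling_station_id": calling_station_id,
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # Constructed sample outer identities as a visited campus would see them.
    for ident in ("anonymous@other-college.ac.uk",
                  "alice@example-university.edu",
                  "nobody", "broken@", "a@b@c.edu"):
        print(visited_site_record(ident, "Access-Accept", "aa-bb-cc-dd-ee-ff"))
```

The record deliberately has no field for the inner identity or any credential: those are carried inside the EAP tunnel and terminate at the home institution, so the visited site can attribute a session to a realm and a MAC address, but nothing more. That is the technical reason behind treating govroam or eduroam at a third-party location like any other untrusted network.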
Re: [WIRELESS-LAN] Eduroam and Govroam

2018-01-04 Thread Jeffrey D. Sessler
Seems ripe for PII to leak via independently run WiFi networks that broadcast 
govroam, yet are under no obligation to “do the right thing” with the public 
sector data flowing over their private networks. And by providing this at the 
university, does the university suddenly become a party to legal action should 
there be a data leak while a public sector employee is using govroam at their 
campus?

This seems like a big InfoSec headache I’d rather avoid altogether.

Jeff



From: "wireless-lan@listserv.educause.edu"  
on behalf of Tomo 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, January 4, 2018 at 9:54 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Eduroam and Govroam

I can fill in a bit of background here, as I was party to some of the early 
meetings about the London govroam project.

The Wifi provision in the public sector in the UK is a bit of an uncoordinated 
mess. Every bit of the public sector does their own thing. Public sector 
colleagues can't use each other's Wifi. So a social worker attending a police 
station can't just roam onto the police wifi. A librarian from one council area 
can't roam onto another council library wifi elsewhere. And a community 
healthcare worker has to mess around with guest access when doing outreach at 
the local hospital. The assumption is that public sector colleagues have plenty 
of places where they could consume the wifi, and probably do via some guest 
mechanism, but waste a lot of time (and hence our money) doing that; or end up 
surviving on 3G/4G services. And there are plenty of mobile notspots.

The people who run the UK academic network and eduroam – JISC – have stood up 
the National Radius Proxy infrastructure for govroam in the UK, and are trying 
to encourage the public sector to sign up. In places they are pushing against 
an open door, in others people can’t (yet) see the point. There has been an 
initial focus on this in London, hence the blog posting you’ve picked up on. 
JISC have encouraged Universities who are already running eduroam to also turn 
on govroam. For most of us it’s a pretty simple thing to do, although it’s 
another SSID. It helps them in their conversations with the public sector to be 
able to say that your people (police, ambulance, fire, healthcare, social care, 
council workers) can hop onto good quality Wifi in all these places if you sort 
out govroam. And in big cities like London that’s a lot of places.

So what’s in it for the Universities? At the start the benefit is limited – but 
when the local council start to turn up govroam (and alongside that eduroam) in 
their buildings our students can consume their wifi in the local council 
libraries and sports facilities; maybe at a council office if they need to 
visit. In some cities where the council provide wide area public wifi you can 
get a considerable benefit. And when any public sector employees who are 
govroam enabled arrive on our campuses to assist students or our staff, they 
can get on with their jobs by being well connected.

It’s a long road, the benefits won’t be quick or easy. For some parts of public 
sector it might require a contract renewal to come up before action is taken, 
and in general the public sector moves slowly. But if enough of us do it, 
slowly they will come and join the Wifi roaming party.

Honest self-disclosure: we haven't quite yet had time to enable govroam, but we 
will soon. One of our buildings is shared with the local council and we need to 
mess around to provide their Wifi SSIDs on our infrastructure. When they sign 
up for and sort out govroam, we wouldn't need to do that.

Hope that helps understanding. It’s not a quick win, more of the start of a 
journey.

_

Tomo | Senior Infrastructure Engineer - Networks, Telecoms & Security | 
Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Atkins
Sent: 04 January 2018 17:06
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam and Govroam

Thanks Philippe, that long term explanation makes sense.  Like Lee, we have 
students abroad.  I sent a quick FYI to our Infosec team to let them know users 
may eventually see eduroam at new locations and reminded them proper device 
configuration is important.  Our 

Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

2017-12-20 Thread Jeffrey D. Sessler
27 cases won't necessarily translate into hundreds of other sites hitting the 
bug. I just finished the 1st academic semester and have had zero tickets for 
wireless. Were users running into this bug and not reporting it, or are there 
specific circumstances that trigger it that aren't happening in my environment? 
If this was widespread, I'd have expected a quick MR6.1 release.

MR7 is not released yet, and I've not seen the open beta either, so it stands 
to reason that TAC isn't going to recommend it unless there is good cause.

As for being chummy – it's more about being engaged with your vendor's support 
network. TAC is just one of many avenues, and having a professional 
relationship with your local support SE as well as the BU is just plain good 
business.

Jeff



From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, December 20, 2017 at 9:15 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

I understand the words. And am speaking in the context that 8.2.166 is what’s 
listed as recommended. Not sure why you’d have to be chummy with the BU to get 
better information.

My point is that 27 reported open cases equals likely hundreds of sites more 
hitting the issue without realizing it. Ideally, a customer wouldn’t have to 
hit a known bug and have customers impacted before being able to negate that 
bug. If MR7 fixes it before it happens, now is the time to install it, while 
we’re on break, as opposed to late in January when suddenly business operations 
get impacted.

The messaging is uncomfortable to say the least.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Wednesday, December 20, 2017 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

Well, 8.2 MR7 interim with that fix has been available since early September, 
but there are several newer builds including the Dec 18th 8.2.167.2 that 
include it and other fixes and new features. Those first early builds were 
likely restricted i.e. if you aren’t hitting the bug then why risk installing 
very early interim code?

Again, hit up your local SE or BU contacts and it’s easy to get access to the 
interim code, but don’t install it unless you’re hitting the identified bugs. 
That’s the point of verification by TAC.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, December 20, 2017 at 5:09 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

Thanks, Yahya. Now here’s an axe-grinding moment for me: from Cisco’s list of 
recommended code versions, 8.2.166.0 is the version to go with. Easy enough- 
yes?

No. Look at the note regarding the x800 AP-related bug CSCve57121, "Client when 
auto-connects to SSID unable to reach gateway after a few secs".

It’s a nasty one, with 27 reported cases. The fix is to get MR7- but you 
seemingly have to prove that you’re hitting the bug before you can get it.

So… the culture here on the vendor side:


  *   Recommend a code version- to upgrade large environments, there will be 
downtime required and coordinated after testing of this code, as normal.
  *   Leave an extremely disruptive bug out there for people to hit
  *   Make them prove that the bug is actually being hit before they can get 
the fix code
  *   Meanwhile, potentially thousands of clients are being impacted and can’t 
use the WLAN
  *   Make the fix code available after a TAC case has been opened
  *   Back to step one- scheduling a code upgrade and re-disrupting the 
environment

So why isn’t MR7 the recommended code to begin with?


Lee Badman | Network Architect

Certified Wireless Network 

Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

2017-12-20 Thread Jeffrey D. Sessler
Well, 8.2 MR7 interim with that fix has been available since early September, 
but there are several newer builds including the Dec 18th 8.2.167.2 that 
include it and other fixes and new features. Those first early builds were 
likely restricted i.e. if you aren’t hitting the bug then why risk installing 
very early interim code?

Again, hit up your local SE or BU contacts and it’s easy to get access to the 
interim code, but don’t install it unless you’re hitting the identified bugs. 
That’s the point of verification by TAC.

Jeff


From: "wireless-lan@listserv.educause.edu"  
on behalf of "lhbad...@syr.edu" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Wednesday, December 20, 2017 at 5:09 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

Thanks, Yahya. Now here’s an axe-grinding moment for me: from Cisco’s list of 
recommended code versions, 8.2.166.0 is the version to go with. Easy enough- 
yes?

No. Look at the note regarding the x800 AP-related bug CSCve57121, "Client when 
auto-connects to SSID unable to reach gateway after a few secs".

It’s a nasty one, with 27 reported cases. The fix is to get MR7- but you 
seemingly have to prove that you’re hitting the bug before you can get it.

So… the culture here on the vendor side:


  *   Recommend a code version- to upgrade large environments, there will be 
downtime required and coordinated after testing of this code, as normal.
  *   Leave an extremely disruptive bug out there for people to hit
  *   Make them prove that the bug is actually being hit before they can get 
the fix code
  *   Meanwhile, potentially thousands of clients are being impacted and can’t 
use the WLAN
  *   Make the fix code available after a TAC case has been opened
  *   Back to step one- scheduling a code upgrade and re-disrupting the 
environment

So why isn’t MR7 the recommended code to begin with?


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Yahya M. Jaber
Sent: Wednesday, December 20, 2017 12:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

Hi,

This is what Cisco Says, 
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc6


HTH

Yahya Jaber.
Sr. Wireless Engineer
IT Network & Communications – Engineering
Building 14, Level 3, Rm 308-WS07
KAUST 23955-6900 Thuwal, KSA

Email yahya.ja...@kaust.edu.sa
Office +966 (0) 12 8081237
Mobile +966 (0) 558697555
On Call Rotation Mobile: +966 54 470 1177

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
Sent: Tuesday, December 19, 2017 11:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Another Cisco WLC Code Thread

Happy Holidays,

Like many others I'm sure, I've been studying all of the email threads from 
this list to see if anyone has settled on any of the current code releases on 
their controllers. With all of the bugs disabling several AP models, we have 
been holding off our code upgrade and wireless migration.

I have a plan to move about half of our wireless APs off of a pair of WiSM2s to 
our new 8540s next week. We've had the 8540s up since the summer running on 
8.4.100.0 seemingly without many issues. It's been pretty stable, but there 
have only been about 80 APs on it for our Fall semester. That code release is 
now deferred and we've looked at going up to 8.5.110.0, which released just a 
few days ago. Release notes list the open caveats, and there are several that 
still impact the 3500/3600/3700 lines pretty hard. 8.6.101.0 released a day 
after, and it's even more grim.

Has anyone found anything stable? We have a pretty wide deployment of APs, but 
most of them are 3500/3600/3700s with a fleet of 702W/1810W in residences. We 
simply don't have the manpower to run around and console into APs that lose 
their marbles, and our time slot to move forward is narrowing by the day.

And more importantly, I would like to sleep better over the holidays, like we 
all would I'm sure.

Thanks for the input,
Britton

Britton Anderson | Lead Network Communications Specialist | University of Alaska | 907.450.8250


Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

2017-12-19 Thread Jeffrey D. Sessler
Mike,

The 1815w, as far as I’m aware, is also supported on 8.4 – but your point is 
well taken. The M and T models are 8.5-only, forcing one’s hand.

I actually liked the support matrix with the x800 series, where they were 
supported from 8.2 on beyond. This is where having a relationship with the BU 
can help here i.e. getting NDA knowledge and testing of new products, and then 
pushing back on decisions where support is only in the bleeding-edge controller 
code. I’ve suggested that the BU support newer WAPs, even if in a diminished 
feature capacity, on older code e.g. support 3800 series on 8.1, but they work 
like a fixed dual-radio 3700 AP – allowing the customer to get current-gen WAPs 
but on ultra-stable controller code.

All of that said, I believe that 8.5 is the new 8.2. I recall being told it’s 
the primary platform for new hardware and gets all the bug fix attention, with 
back/forward ports to the other versions. It will likely be the new stable and 
will have a longer life than other builds, especially given it’s the last to 
support the 5508 controllers.

But this also goes back to the “not every customer is the same” statement. I’m 
deploying only x800 series including in my residential-halls, so from my 
perspective, I have three releases to choose from, or four if I wanted to run 
8.6 beta! ;-)

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "m...@mpking.com" <m...@mpking.com>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, December 19, 2017 at 7:13 PM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

Jeff, I'm semi-seriously picking a fight over this statement.

I get what you mean about cutting edge. They are choosing the bleeding edge. 
But how can you reconcile that with "if you want the new access point we're 
selling, you have to run X"? I.e., Cisco still recommends on its website 
8.3.133.0 as the release you should run, but the 1815w (which went First 
Customer Ship on December 5th, 2016) REQUIRES 8.5.x. Is it bleeding edge when 
the product has been out for over 1 year?

We all know Cisco (and other vendors) give these products the shortest shelf 
life they can reasonably get away with. And Cisco usually prices new models at 
the same price as the old model (usually), so why would you buy the 3700 
series when the 3800 is out, and we all know the EOS for the 3700 will 
probably hit fairly soon. So buying old APs is not helping you in the long 
run. (I used the 3800 because I know that model; I have no idea what the 1815w 
is targeted to replace.)

Mike

On Tue, Dec 19, 2017 at 9:27 PM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:
Discussions like this just reinforce the notion that no one customer is the 
same as another. Folks like myself have been rock solid where others seem to 
excite every little bug. There are also customers who want to push the cutting 
edge with code version and feature set, but are not well resourced to support 
it and/or have the expectation that it should be as stable as general 
deployment code.

The important part is to make sure you have a great relationship with your 
local wireless SE’s as well as the Wireless BU. I can’t say enough good things 
about the folks in the BU, especially the engineering teams, who I’ve 
interfaced with over the years.

Jeff
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

2017-12-19 Thread Jeffrey D. Sessler
Discussions like this just reinforce the notion that no one customer is the 
same as another. Folks like myself have been rock solid where others seem to 
excite every little bug. There are also customers who want to push the cutting 
edge with code version and feature-set, but are not well-resourced to support 
it and/or have the expectation that it should be as stable as general 
deployment code.

The important part is to make sure you have a great relationship with your 
local wireless SEs as well as the Wireless BU. I can’t say enough good things 
about the folks in the BU, especially the engineering teams, who I’ve 
interfaced with over the years.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "lhbad...@syr.edu" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Tuesday, December 19, 2017 at 4:50 PM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread

I really hope someone from Cisco's Wireless BU monitors these conversations. It 
just never seems to improve for very long. Whereas you have no faith in HA, 
we've written off AVC.

But hey, Fastlane!

-Original Message-
From: Joseph Bernard [j...@clemson.edu]
Received: Tuesday, 19 Dec 2017, 19:35
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] Another Cisco WLC Code Thread
To expand, we instantly had issues with 8.5.105.0.  We haven't tried 8.5.110.0 
yet, but I'm sure our wireless team is looking for anything better.  They have 
little hope of ever getting HA working.

Thanks,
Joseph B.

Sent from my iPhone

On Dec 19, 2017, at 3:48 PM, Joseph Bernard wrote:
Don’t move off 8.4.100.0 if you can help it.

Thanks,
Joseph B.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Britton Anderson
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Tuesday, December 19, 2017 at 3:43 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] Another Cisco WLC Code Thread

Happy Holidays,

Like many others I'm sure, I've been studying all of the email threads from 
this list to see if anyone has settled on any of the current code releases on 
their controllers. With all of the bugs disabling several AP models, we have 
been holding off our code upgrade and wireless migration.

I have a plan to move about half of our wireless APs off of a pair of WiSM2s to 
our new 8540's next week. We've had the 8540's up since the summer running on 
8.4.100.0 seemingly without many issues. It's been pretty stable but there has 
only been about 80 APs on it for our Fall semester. That code release is now 
deferred and we've looked at going up to 8.5.110.0 which released just a few 
days ago. Release notes list the open caveats, and there are several that still 
impact the 3500/3600/3700 lines pretty hard. 8.6.101.0 released a day after, 
and it's even more grim.

Has anyone found anything stable? We have a pretty wide deployment of APs, but 
most of them are 3500/3600/3700s with a fleet of 702W/1810W in residences. We 
simply don't have the manpower to run around and console into APs that lose 
their marbles, and our time slot to move forward is narrowing by the day.

And more importantly, I would like to sleep better over the holidays, like we 
all would I'm sure.

Thanks for the input,
Britton

Britton Anderson | Lead Network Communications Specialist | University of Alaska | 907.450.8250



Re: [WIRELESS-LAN] upgrade from 802.11n to 802.11ac

2017-12-06 Thread Jeffrey D. Sessler
If it’s a coverage-based design, all of your gains in 11ac are in 5GHz, so your 
performance gains have a lot to do with density i.e. if the WAPs are still 
installed in hallways you may not see the gains you are expecting. If you’re 
making the jump to 11ac it’s best to redesign around performance and density 
rather than coverage.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Ying Zhang 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Wednesday, December 6, 2017 at 9:34 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] upgrade from 802.11n to 802.11ac

Hi,

We are looking at a campus wide wireless upgrade from 802.11n to 802.11ac. Just 
wondering for anyone out there who has done this before, do you have an 
approximate number (in percentage) with regards to # of additional APs in a 
mainly coverage-based design.

Thanks in advance.

Ying

University of New Brunswick



Re: [WIRELESS-LAN] Wi-Fi Temperature Sensor Inquiry

2017-12-04 Thread Jeffrey D. Sessler
There are a whole host of Zigbee mesh sensors in the facilities management 
space. Way easier to deploy and less expensive than a device that connects to 
802.11a/b/g/n, and most of the sensors are battery powered with a life of up to 
five years.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Johnson, Christopher" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Monday, December 4, 2017 at 9:10 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Wi-Fi Temperature Sensor Inquiry

Good Morning,

Was curious if anyone had any experience with any particular types of Wi-Fi 
Temperature Sensors for labs/green houses, etc – such as headaches and/or 
lessons learned? From what I’ve gathered – all of the ones on the market are 
2.4GHz only with a majority capable of 802.11g only – a couple exceptions I’ve 
found are 802.11n capable with WPA2 Enterprise security as well.

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook and Twitter



Re: [WIRELESS-LAN] Managing static power/channel assignments?

2017-12-01 Thread Jeffrey D. Sessler
I'm curious about what's driving the need for two APs in each elevator, or to 
have them there in the first place? Even in medical/hospital settings, I 
typically see an AP placed on each floor in the elevator lobby. Given how 
sticky clients are today, it seems to work very well even for latency sensitive 
services like VoIP. It also reduces problems with location-based services 
because the AP isn't changing elevation all the time. 

Jeff 


On 12/1/17, 7:10 AM, "Joachim Tingvold"  wrote:

On 1 Dec 2017, at 15:31, McClintic, Thomas wrote:
> It won't see them as rogues so you need not be concerned there. It is 
> common practice to create a RF Profile variant for multiple AP Groups 
> and those groups be within RF range of each other on the same 
> controller.

Yeah, that was my assumption on the matter as well, but this [1] 
document might disagree with that, as it states the following;

“[…] the access points will then select the beacon/probe-response 
frames in neighboring access point messages to see if they contain an 
authentication information element (IE) that matches that of the RF 
group. If the select is successful, the frames are authenticated. 
Otherwise, the authorized access point reports the neighboring access 
point as a rogue, records its BSSID in a rogue table, and sends the 
table to the Cisco WLC […]”.

[1] 




> I'm confused on the DCA being one channel, you may want to reevaluate 
> that. It would cause you to have separate RF Profiles per channel 
> which sounds daunting. May want to just set the channel statically or 
> change the DCA interval/time.

The point was to avoid having to fiddle with manually configuring 
several static parameters per AP, that essentially would be identical 
for each deployment. Hence the idea to “simulate” static assignments 
via the RF Profiles, solely so that we can assign such static 
configurations through just AP Groups assignment. This is easier than 
manual configuration of each parameter (less things to configure), and 
also less prone to human errors (compared to manual assignments).

I’m not entirely convinced yet; it was more of a shower thought (-:

-- 
Joachim




Re: [WIRELESS-LAN] Feedback for Cisco WLC software release 8.2.166.0

2017-11-23 Thread Jeffrey D. Sessler
What version of 8.2 are you currently on? In general for the x800 series, the 
latest code is recommended. If you are already on .164.0 then 166.0 probably 
won't make a difference. If you're not on 164.0 then do get to the latest code.

Jeff


On 11/22/17, 10:52 AM, "The EDUCAUSE Wireless Issues Constituent Group 
Listserv on behalf of Hahues, Sven"  wrote:

Hi everyone,

We have been having an on-again-off-again problem with some of our newer 
1832s where the APs will randomly not accept connections from new clients that 
they have not had associations with.  The current fix is to reboot the AP and 
then it works again for a random time before the behavior comes back.  Cisco 
recommended to upgrade to WLC 8.2.166.0 which was just recently released, and I 
wanted to find out if anyone had upgraded to the code and seen any issues with 
it.

Thanks in advance, and happy Thanksgiving to everyone,

Sven

Sven Hahues
Florida Gulf Coast University
Director, BTS Helpdesk, Network Services & Security
Tel: (239) 590 1337
E-Mail: shah...@fgcu.edu




Re: [WIRELESS-LAN] WLC Mobility Groups

2017-11-15 Thread Jeffrey D. Sessler
As far as I know, mobility scales with the controllers, and the limit is 24 
controllers in the same mobility group. With a mobility list (bundle of 
different mobility groups) you can have up to 72 members. 24 8540's would get 
you 144,000 WAPs in a single mobility group. 

Jeff

On 11/15/17, 7:58 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Eriks Rugelis"  wrote:

FWIW, our Keele campus has twelve WLC5508's which together support approx. 
4900 APs.  We have a single Mobility Group configured for all APs located at 
this campus.  The campus has daily peaks of approx. 25K concurrent devices 
associated.   We are not aware of any operationally 'bad' system behaviour 
related to mobility group configuration which is impacting the ability of our 
end-users to successfully use the service.   Perhaps we aren't paying enough 
attention to the relevant metrics?

We are presently running v8.0.152.0 and are pre-production testing v8.5 due 
to imminent deployment of AP1815w's in residence buildings.

Eriks Rugelis,
Manager, Network Development
York University, Toronto




Re: [WIRELESS-LAN] Wireless Door Locks?

2017-11-10 Thread Jeffrey D. Sessler
It is very fascinating. I do encourage folks to get a DMARC record created for 
their respective domain(s), and set it to an initial policy of none e.g. p=none 
(do nothing). Include a third party processor to act as the record keeper for 
the receiving systems that honor DMARC and will send reports back on actions 
taken. It’s the first, and most important step, in understanding what’s going 
on with your domain’s email, i.e. who’s spoofing what and whether you are missing 
authorized third parties. Eventually you’ll get to a point where you can get to 
a p=quarantine or p=reject.

I use https://dmarcian.com/ and have found it enlightening – especially the 
number of list servers that still spoof users.

Jeff
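As an added illustration of the DMARC workflow described above (publish a record at p=none with a rua reporting address, let receivers send aggregate reports, then review who is failing before moving to p=quarantine or p=reject), here is example code that is not from the list, LSOFT, Microsoft or dmarcian. The domain example.edu, the IP addresses, the aggregate report and the set of authorised sending sources are all constructed sample data and assumptions; the function names are mine.

```python
"""Parse a DMARC policy record and a DMARC aggregate (rua) report.

Added illustration for the DMARC discussion in this thread; not code from
the list or any vendor. The domain, IPs and report are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed DMARC TXT record as it would be published at _dmarc.example.edu
# (placeholder domain). p=none is "monitor only"; rua= is where receivers
# that honor DMARC send their aggregate reports.
SAMPLE_DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.edu; pct=100"

# Constructed, trimmed aggregate report in the RFC 7489 XML shape. Sources:
# the campus relay, an unrecognised source failing both checks, a source
# passing SPF only, and an authorised bulk mailer not yet in SPF/DKIM.
SAMPLE_AGGREGATE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.edu</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.42</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs and sanity-check it."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a well-formed DMARC record")
    return tags


def summarize_report(xml_text):
    """Per source IP, count messages that passed aligned DKIM or SPF vs. failed both.

    policy_evaluated/dkim and /spf in an aggregate report are the aligned
    results; a message is DMARC-aligned if either one passes.
    """
    root = ET.fromstring(xml_text)
    per_source = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = per_source.setdefault(ip, {"aligned": 0, "failing": 0})
        entry["aligned" if aligned else "failing"] += count
    return per_source


def policy_readiness(per_source, authorized_sources):
    """Decide whether it is safe to tighten the policy beyond p=none.

    authorized_sources: set of source IPs you have verified as legitimate
    senders for the domain (assumed input: your relays and contracted mailers).
    Returns (failing_authorized, failing_unrecognised, recommendation).
    """
    failing_authorized = {ip: e["failing"] for ip, e in per_source.items()
                          if e["failing"] and ip in authorized_sources}
    failing_unrecognised = {ip: e["failing"] for ip, e in per_source.items()
                            if e["failing"] and ip not in authorized_sources}
    if failing_authorized:
        recommendation = ("stay at p=none: authorized senders are failing "
                          "authentication; add them to SPF/DKIM first")
    else:
        recommendation = ("authorized senders all pass: p=quarantine is a "
                          "reasonable next step, then p=reject")
    return failing_authorized, failing_unrecognised, recommendation


if __name__ == "__main__":
    tags = parse_dmarc_record(SAMPLE_DMARC_TXT)
    print("published policy:", tags["p"], "| reports to:", tags.get("rua"))
    summary = summarize_report(SAMPLE_AGGREGATE_REPORT)
    for ip, counts in summary.items():
        print(f"{ip:15} aligned={counts['aligned']:4} failing={counts['failing']:4}")
    # Assumed authorised set: includes the bulk mailer that is not yet set up.
    bad_auth, bad_unknown, advice = policy_readiness(
        summary, {"192.0.2.10", "203.0.113.42", "203.0.113.99"})
    print("authorized but failing:", bad_auth)
    print("unrecognised and failing:", bad_unknown)
    print(advice)
```

The readiness check is deliberately conservative: it only suggests moving past p=none once every source you have verified as authorised passes aligned SPF or DKIM, because those are the senders a stricter policy would silently break. Failures from sources you do not recognise are exactly what the monitoring phase exists to surface, so they are listed separately for investigation rather than counted against readiness.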

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Forrester, Matthew" <mforres...@berry.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, November 10, 2017 at 10:39 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

Fascinating!  I appreciate this information.  I did find that “blog” by Terry 
Zink once I started googling the error.  I’m glad to understand this function.  
Again, I apologize for the off-topic conversation.

Hope you all enjoy the weekend,

Matt Forrester (07C)
Senior Systems Engineer
Berry College
O: 706-802-6725

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, November 10, 2017 1:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

This is likely a DMARC failure based on that sender’s record for their domain. 
They’ve basically told other receiving systems to reject messages that fail 
DKIM/SPF. In the case of listservers like this one, which may spoof the 
sender’s address, it will result in rejections or warnings on receiving systems 
that honor DMARC.

This is partially solvable if the LSOFT Listserv platform is up-to-date and 
has enabled DMARC handling. In the case of senders who have a DMARC record with 
reject or quarantine, listserv will not spoof the sender.

There is more on the O365 anti-spoofing here.
https://blogs.msdn.microsoft.com/tzink/2016/11/02/troubleshooting-the-red-suspicious-safety-tip-for-fraud-detection-checks/

LSOFT (makers of Listserv) really hate DMARC, DKIM, and so on because they 
break a fundamental feature (user spoofing) that the software tends to default 
to.

Jeff

From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Forrester, Matthew" 
<mforres...@berry.edu<mailto:mforres...@berry.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, November 10, 2017 at 8:49 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

Hi all,

Off-topic, but I received an odd error when sending this last e-mail to the 
listserv.  Did anyone else receive this notice shown in this screenshot?  It 
appears that this is probably just an issue with some security setting in our 
Office 365 tenant, but I was just curious.  Apologies for the off-topic message.

[cid:image001.png@01D35A19.C316A600]

Thank you,

Matt Forrester (07C)
Senior Systems Engineer
Berry College
O: 706-802-6725

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Forrester, Matthew
Sent: Friday, November 10, 2017 11:37 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?


This sender failed our fraud detection checks and may not be who they appear to 
be. Learn about spoofing<http://aka.ms/LearnAboutSpoofing>

Feedback<http://aka.ms/SafetyTipsFeedback>

Hi all,

I hope I’m not late in replying to this e-mail thread.  We had a number of Assa 
Abloy wifi locks in one of our residence halls.  The wireless coverage in that 
building was not up to snuff to cover those locks, unfortunately.  As we could 
not upgrade wireless in that location and more and more issues popped up with 
those locks, we eventually pulled them out in favor of wired locks that were 
replaced by the vendor.

This doesn’t totally address the question here, but our locks would have been 
perfectly fine and required nearly no attention had WAPs been deplo

Re: [WIRELESS-LAN] Wireless Door Locks?

2017-11-10 Thread Jeffrey D. Sessler
This is likely a DMARC failure based on that sender’s record for their domain. 
They’ve basically told other receiving systems to reject messages that fail 
DKIM/SPF. In the case of listservers like this one, which may spoof the 
sender’s address, it will result in rejections or warnings on receiving systems 
that honor DMARC.

This is partially solvable if the LSOFT Listserv platform is up-to-date and 
has enabled DMARC handling. In the case of senders who have a DMARC record with 
reject or quarantine, listserv will not spoof the sender.

There is more on the O365 anti-spoofing here.
https://blogs.msdn.microsoft.com/tzink/2016/11/02/troubleshooting-the-red-suspicious-safety-tip-for-fraud-detection-checks/

LSOFT (makers of Listserv) really hate DMARC, DKIM, and so on because they 
break a fundamental feature (user spoofing) that the software tends to default 
to.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Forrester, Matthew" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Friday, November 10, 2017 at 8:49 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

Hi all,

Off-topic, but I received an odd error when sending this last e-mail to the 
listserv.  Did anyone else receive this notice shown in this screenshot?  It 
appears that this is probably just an issue with some security setting in our 
Office 365 tenant, but I was just curious.  Apologies for the off-topic message.

[cid:image001.png@01D35A19.C316A600]

Thank you,

Matt Forrester (07C)
Senior Systems Engineer
Berry College
O: 706-802-6725

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Forrester, Matthew
Sent: Friday, November 10, 2017 11:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?


This sender failed our fraud detection checks and may not be who they appear to 
be. Learn about spoofing

Feedback

Hi all,

I hope I’m not late in replying to this e-mail thread.  We had a number of Assa 
Abloy wifi locks in one of our residence halls.  The wireless coverage in that 
building was not up to snuff to cover those locks, unfortunately.  As we could 
not upgrade wireless in that location and more and more issues popped up with 
those locks, we eventually pulled them out in favor of wired locks that were 
replaced by the vendor.

This doesn’t totally address the question here, but our locks would have been 
perfectly fine and required nearly no attention had WAPs been deployed properly 
up front.  Best wishes!

Thank you,

Matt Forrester (07C)
Senior Systems Engineer
Berry College
O: 706-802-6725

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Barros, Jacob
Sent: Thursday, November 9, 2017 10:47 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Door Locks?

I am not directly involved, but my understanding is the wireless locks are less 
than ideal.  Two primary issues are that the units we use have a limited 
character string, so we had to create a process to truncate the IDs before 
uploading to the lock.  Also, these have a limited amount of IDs they can hold 
and don't purge records when the database is updated. Inactive IDs are only 
disabled, so a manual purge of each individual lock is needed at least once a year.

Jake




Jacob Barros
Associate Director of IT, Network and Operations
Email: jkbar...@grace.edu
Phone: 574.372.5100 ext. 6178


On Wed, Nov 8, 2017 at 3:16 PM, Greg Briggs wrote:
I said co-channel, but I meant adjacent.

Greg

On Wed, Nov 8, 2017 at 12:05 PM, Greg Briggs wrote:
We have a couple locks on campus that use 802.15.4.  I think it is a Stanley 
product.  I was told by the engineer who was trying to sell us on the product 
campus wide, that it would cause no interference.  (haha!)  I can confirm 
co-channel interference, but no user-reported wifi problems that I 
could specifically say were caused by that equipment.  So that statement was 
inaccurate, as I knew it would be, but only in a boastful way.  It also took a 
couple of visits and, I want to say, a couple of months to get it to work.  (I 
don't remember exactly.)  I have expressed to our access staff that I do not like 
the deployment, and if I was the deciding vote, I would say no to a proposal to 
deploy more like it.

I was initially skeptical of the 

Re: [WIRELESS-LAN] Wireless printers and other devices in residence halls

2017-10-19 Thread Jeffrey D. Sessler
The way to present that 30+% increase in capital investment is to talk about 
the FTE resources it frees up, caps, or eliminates i.e. by increasing density 
the need for residential life/IT to police personal devices is significantly 
reduced/eliminated, freeing up or eliminating [x]FTE for other mission-aligned 
activities. There isn’t a CBO/CFO alive that doesn’t react well to proposals 
that cap/reduce FTE investments in exchange for capital investment. Hardware 
doesn’t require 34% benefits, raises, and so on.

Spend $10,000 for 20 more APs, or spend $650,000 in salary/benefits over five 
years to hire an RF engineer to go out and find these problems. Even when 
pitted against a $20/hr user support position, it’s still $10,000 for 20 APs, 
or $265,000 salary/benefits over five years for that person to do policing.

In other words, you have to add a lot of APs before you get close to the cost 
of a single FTE.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Thomas Carter <tcar...@austincollege.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, October 19, 2017 at 10:06 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless printers and other devices in residence 
halls

You’re correct, but it just sucks that we now have to justify a 30+% increase 
in capital spent on wireless infrastructure for something that (at least 
according to those who manage the budgets) worked fine 5 years ago, AKA why do 
you need to put 50 APs in a building that once had 30?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, October 19, 2017 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless printers and other devices in residence 
halls

If you move your design planning toward dense 5GHz and designate 2.4 as a 
legacy wasteland, these devices have little impact. Even if these devices move 
toward 5GHz, the abundance of channels coupled with low signal propagation and 
vendor channel management e.g. DCA in Cisco speak, greatly enhance coexistence. 
Since you mention Cisco, use of CleanAir equipped APs in residence halls (even 
in small quantities) provide significant RF visibility, and you’ll know exactly 
what’s out there and impacting your environment.

That’s a long way of saying you will never legislate these devices out of 
existence, and it’s far better to invest resources in technology that help with 
coexistence vs expending energy on confiscating/banning them.

Jeff

From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Davis, Steve" <sda...@lockhaven.edu<mailto:sda...@lockhaven.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Thursday, October 19, 2017 at 8:06 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] Wireless printers and other devices in residence halls

I wanted to get an idea how everyone is handling students bringing in all types 
of wireless devices, which are basically access points.  We have so many 
printers, TVs, Roku devices, game systems and who knows what else out there in 
the student rooms and these devices are causing issues with our campus wireless 
network.

Do you allow these devices on your network?  If not, how do you prevent the 
students from having them?

I have Cisco wireless controllers where I can block rogue APs but that keeps 
the APs which are containing the rogue AP from servicing the clients and I 
don’t have dense enough coverage to be able to do this for every rogue device.

Thanks in advance
-Steve

Steve Davis | Network Manager
Department of Technology Infrastructure

Lock Haven University
519 Robinson Hall
401 North Fairview Street, Lock Haven, PA 17745
Phone: 570-484-2290 | sda...@lockhaven.edu<mailto:sda...@lockhaven.edu> | 
www.lockhaven.edu<http://www.lockhaven.edu/>

Connect with us: Facebook<https://www.facebook.com/LockHavenUniv/> | 
Twitter<https://twitter.com/LockHavenUniv> | 
YouTube<https://www.youtube.com/user/LHU1870>

Re: [WIRELESS-LAN] Wireless printers and other devices in residence halls

2017-10-19 Thread Jeffrey D. Sessler
If you move your design planning toward dense 5GHz and designate 2.4 as a 
legacy wasteland, these devices have little impact. Even if these devices move 
toward 5GHz, the abundance of channels coupled with low signal propagation and 
vendor channel management e.g. DCA in Cisco speak, greatly enhance coexistence. 
Since you mention Cisco, use of CleanAir equipped APs in residence halls (even 
in small quantities) provide significant RF visibility, and you’ll know exactly 
what’s out there and impacting your environment.

That’s a long way of saying you will never legislate these devices out of 
existence, and it’s far better to invest resources in technology that help with 
coexistence vs expending energy on confiscating/banning them.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Davis, Steve" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, October 19, 2017 at 8:06 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Wireless printers and other devices in residence halls

I wanted to get an idea how everyone is handling students bringing in all types 
of wireless devices, which are basically access points.  We have so many 
printers, TVs, Roku devices, game systems and who knows what else out there in 
the student rooms and these devices are causing issues with our campus wireless 
network.

Do you allow these devices on your network?  If not, how do you prevent the 
students from having them?

I have Cisco wireless controllers where I can block rogue APs but that keeps 
the APs which are containing the rogue AP from servicing the clients and I 
don’t have dense enough coverage to be able to do this for every rogue device.

Thanks in advance
-Steve

Steve Davis | Network Manager
Department of Technology Infrastructure

Lock Haven University
519 Robinson Hall
401 North Fairview Street, Lock Haven, PA 17745
Phone: 570-484-2290 | sda...@lockhaven.edu | 
www.lockhaven.edu

Connect with us: Facebook | 
Twitter | 
YouTube




Re: [WIRELESS-LAN] Best Wireless Solution for Residence Hall Rooms

2017-10-11 Thread Jeffrey D. Sessler
Move to in-room design even if the cost seems problematic. Vendors have never 
recommended in-hallway as a solution (well, maybe with the exception of xirrus 
because of their technology), and all the magic sauce works best when WAPs are 
deployed properly. While a WAP in every-room isn’t a necessity unless dictated 
by construction materials, looking at the crystal ball of WiFi futures, it’s 
pretty clear it’s headed in that direction.

As for the cost, make sure to analyze all factors and not just the cost of the 
WAPs. If you invest in moving to in-room, you’ll likely free up a lot of user 
support/wifi engineering time for other more interesting activities and/or 
avoid/delay staff adds.

Best,
Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Umut Arus 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Wednesday, October 11, 2017 at 8:49 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Best Wireless Solution for Residence Hall Rooms

Hello all,

We have 500 Aruba APs in the hallways of our dorm buildings for 3000 students, but we 
are still getting complaints, even after fine tuning, because of the walls. I think it 
is a very contemporary issue for many.

An Aruba AP in every room would be very expensive. We'd like to ask you 
what your best solution was for resolving this?

thanks.

--
Umut Arus
System Specialist
Information Technology
Sabancı University

Phone: +90216 483 9172




Re: [WIRELESS-LAN] FTE's for Wireless

2017-09-27 Thread Jeffrey D. Sessler
Hector,

I’d recommend starting with your Institutional Research group and ask them who 
they consider cohorts for Louisiana State. From there, I’d query those 
universities directly as they’ll likely provide useful/actionable data vs a 
general request here. That is, my numbers won’t do you a lot of good because 
we’re too small in comparison. You’ll likely want to find someone near your 27K 
FTE and with a comparable residential population. Items like faculty/student 
ratio will also play into it since that impacts the number of classrooms. 

Best,
Jeff

On 9/26/17, 2:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Hector J Rios"  wrote:

Need your help. What is the number of network engineers you have dedicated 
to wireless? Please indicate the size of your network, the scope of your 
wireless team's responsibilities, whether you rely on other resources (like 
contractors or other internal groups) to complement your efforts, and the most 
important question, is this enough people or do you need more (if so, what 
would the ideal number be)?

Not sure if this has been done before, if so, please let me know. 

Here at LSU, we have 3600 APs, and two wireless engineers. The scope of 
their work includes plan reviews (designing WLANs for new construction), 
requests for additional coverage, site surveys, Tier 3 level of support, 
Controller/AP config/monitoring/maintenance, lifecycle replacements, 
testing/evals/research of new technologies. We rely on cable contractors to run 
cable and mount APs, NOC personnel to install some switches, APs, and 
troubleshooting, and student workers to configure APs and minor deployments. 
Two wireless engineers is not enough for us. We need at least one more. 

If you think there is value in this information and would prefer a better 
format let me know. 

Regards, 

Hector Rios
Louisiana State University







Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jeffrey D. Sessler
GT,

A better conclusion to draw may be, “Many wireless deployments suffer from 
questionable design choices and execution, often leading to less-than-optimal 
configuration decisions.” That I can get behind.

In the case of the university with 20/40 channelization, would the same 
improvement have been possible by enabling the vendor’s dynamic bandwidth selection? 
The conclusion drawn is problematic given there is no detail in what the 
environment looked like before, or what was attempted.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of GT Hill <g...@gthill.com>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, September 26, 2017 at 11:52 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Two RF Questions

I’m a Wi-Fi guy first and foremost but I work for a vendor and that’s where I 
get that information, not from a user survey.

My point was to show that I’ve seen quantifiable data showing that excessive 
use of 40 MHz channels can have negative effects. Of course everyone’s mileage 
will vary but in my experience larger channels are overused in many 
environments, not just EDU.

I suppose another way to summarize would be this: Default to 20 MHz channels 
and go UP to 40 MHz on a case by case basis when channel utilization exceeds a 
threshold. Off the cuff I’m saying 40% channel utilization but I’d need to do 
some more research on that.

If channel utilization isn’t excessive all that 40 MHz buys you is higher noise 
and fewer available channels.

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu<mailto:j...@scrippscollege.edu>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 1:41 PM
To: 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

“After a switch to 20 MHz only, there was a 35% improvement in end-user Wi-Fi 
experience.”

I would argue that this is a meaningless statement without context, and 
probably a bad question to ask a user in the first place. What does the user 
think “experience” means i.e. the ability to connect or how well their 
speedtest performs? It’s not specific enough to draw a conclusion.

For example:

  1.  If 1/3 of my users had a device that could not associate because of how 
the primary channel was selected in a 40 or 80 MHz wide deployment, then those 
people would not be happy. If I then change to 20 MHz only, allowing those 
users with the problematic device to connect, there will obviously be a 
significant improvement in those users’ WiFi experience. The other users may 
still be happy because they can still connect.
  2.  If my buildings are open-concept (no walls/doors), and I have 24 APs on 
a 1000 sq/ft floor plan, and statically set to 80 MHz channels, then the 
end-user WiFi experience is going to be really poor. If I then switch all those 
APs to 20 MHz only, of course it’s going to be a huge improvement. Clearly, it 
was a poor design, and less about the channel width and more about the person 
who thought they knew better.

Of course, if the survey questions were more specific, and had questions like, 
“Do you consistently receive the highest 4K stream rate from Netflix”, the 
satisfaction for this question may trend down.

Jeff



From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of GT Hill <g...@gthill.com<mailto:g...@gthill.com>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 8:47 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

I know that this is just one example, but I was at a large university site 
(Cisco Wi-Fi) that was running 20/40 channelization. After a switch to 20 MHz 
only, there was a 35% improvement in end-user Wi-Fi experience.

Jake – One feature that I think many people agree is missing in FRA is the 
ability to dynamically turn off a radio. In some cases an extra radio in either 
band hurts more than it helps.

And to just stir the pot a bit, I wish there were

Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jeffrey D. Sessler
Jake,

GT’s statement doesn’t speak to the quality of the university’s WiFi design, 
only that this change made a difference. Again, without the context, I still 
assert it’s meaningless.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Jake Snyder <jsnyde...@gmail.com>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, September 26, 2017 at 11:49 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Two RF Questions

Jeff,
Take in context that GT works for a company that builds a tool to quantify 
wireless problems based in depth packet analysis.  So when he says he sees 35% 
improvement, there’s a lot of data that goes into it.
Sent from my iPhone

On Sep 26, 2017, at 12:41 PM, Jeffrey D. Sessler 
<j...@scrippscollege.edu<mailto:j...@scrippscollege.edu>> wrote:
“After a switch to 20 MHz only, there was a 35% improvement in end-user Wi-Fi 
experience.”

I would argue that this is a meaningless statement without context, and 
probably a bad question to ask a user in the first place. What does the user 
think “experience” means i.e. the ability to connect or how well their 
speedtest performs? It’s not specific enough to draw a conclusion.

For example:

  1.  If 1/3 of my users had a device that could not associate because of how 
the primary channel was selected in a 40 or 80 MHz wide deployment, then those 
people would not be happy. If I then change to 20 MHz only, allowing those 
users with the problematic device to connect, there will obviously be a 
significant improvement in those users’ WiFi experience. The other users may 
still be happy because they can still connect.
  2.  If my buildings are open-concept (no walls/doors), and I have 24 APs on 
a 1000 sq/ft floor plan, and statically set to 80 MHz channels, then the 
end-user WiFi experience is going to be really poor. If I then switch all those 
APs to 20 MHz only, of course it’s going to be a huge improvement. Clearly, it 
was a poor design, and less about the channel width and more about the person 
who thought they knew better.

Of course, if the survey questions were more specific, and had questions like, 
“Do you consistently receive the highest 4K stream rate from Netflix”, the 
satisfaction for this question may trend down.

Jeff



From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of GT Hill <g...@gthill.com<mailto:g...@gthill.com>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 8:47 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

I know that this is just one example, but I was at a large university site 
(Cisco Wi-Fi) that was running 20/40 channelization. After a switch to 20 MHz 
only, there was a 35% improvement in end-user Wi-Fi experience.

Jake – One feature that I think many people agree is missing in FRA is the 
ability to dynamically turn off a radio. In some cases an extra radio in either 
band hurts more than it helps.

And to just stir the pot a bit, I wish there were SMALLER than 20 MHz 
channelization. In many high density environments 20 MHz is just too big. Give 
me some more radios at smaller channel sizes and I’ll show you a spectacular 
Wi-Fi network. :-)

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jake Snyder <jsnyde...@gmail.com<mailto:jsnyde...@gmail.com>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 9:39 AM
To: 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

My challenge, as I’ve stated on this list before, is that Mac OS X prefers 
width in its AP selection criteria.  So while you may get more capacity, in a 
large Mac environment you lose most of that with Macs hanging onto APs longer 
and having to rate-shift down to slower PHY speeds due to that AP having a 
wider channel than its neighbors. Yes, it’s dumb.  But he’s the driver of that 
lambo.

Also, couple that with increasing the noise floor by 3 dB every time you double 
the channel width and there are many c

Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jeffrey D. Sessler
All of this comes with the obvious statement, “It depends on your environment.”

Speaking only to our residential, the construction is such that with 
life/safety and occupant comfort high on the list, our residential building, 
including those constructed in the mid-late 1920’s (with renovations), tend to 
use materials that have high attenuation properties. Fire-rated doors, walls, 
and ceilings. Concrete, concrete block, metal studs, metal lath/plaster, rock 
or mineral wool, and high-performance window glazing.

Our residential construction means that those APs, with few exceptions, can use 
the wider channels with no consequences. It also means we’re installing nearly 
one AP per room. It’s not a terrible place to be, as it leads to WiFi nirvana 
where we have few devices per AP, excellent signal quality, and little CCI. 
Coupled with our 80% Apple population, and those 3SS 11ac clients are pretty 
happy.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Chuck Enfield <chu...@psu.edu>
Reply-To: Chuck Enfield <chu...@psu.edu>
Date: Tuesday, September 26, 2017 at 9:37 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Two RF Questions

Your experience is consistent with ours, Jeff.  We get good use of 40MHz 
channels in most areas.  That said, complaints about basic connectivity greatly 
outnumber complaints about speed, so I recommend that when in doubt people 
should use 20MHz.  However, we currently have locations where speed is an 
issue, and I’m expecting those to increase with time.  Once your APs are close 
enough together to provide an SNR of 30dB or more (See GT’s contributions for 
reasons why this is important), adding 20MHz APs is more costly and less 
effective than enabling 40 MHz.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, September 26, 2017 11:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Two RF Questions

For your residential, is that concern rooted in belief/assumption or proven by 
testing in production? I remember channel-width discussions with the advent of 
11n, and people here advocated sticking to 20 MHz for the same reasons, only 
our in-field testing said it was a bad assumption, reaffirmed by our vendor and 
SEs. We’ve been using 40 MHz-wide channels since 2008, and adopted DBS with the 
deployment of 11ac.

Unless our campus and/or residential is unique in some way, shape, or fashion – 
our dense deployments overwhelmingly prefer 80 MHz wide channels, and data on 
both sides (client and infrastructure) reaffirms the software is making the 
right decision.

Jeff

From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Rob Harris 
<robert.har...@culinary.edu<mailto:robert.har...@culinary.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 7:33 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

While there are performance gains to be sure (by going to 40, or 80), there are 
other concerns as well. We use 20 in our dorms because of the density of APs 
and users, we need those additional channels (even with DFS in use). We use 40 
in our public spaces when there’s adequate capacity for it, and 80 in our 
theater area since we designed for it.

Robert Harris
Manager of Network Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu<http://www.ciachef.edu/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, September 26, 2017 10:20 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Two RF Questions

It’s surprising to me that anyone would purchase a Lamborghini, then disconnect 
ten of the twelve cylinders and drive it at 25 mph on the autobahn.

When I see static 20 MHz channels, or using 40 MHz in only limited areas, I 
wonder what’s behind the purposeful neutering of the system. If you are a Cisco 
customer running 8.1 or above, and not using DBS (Dynamic Bandwidth Selection), 
then it’s the

Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jeffrey D. Sessler
“After a switch to 20 MHz only, there was a 35% improvement in end-user Wi-Fi 
experience.”

I would argue that this is a meaningless statement without context, and 
probably a bad question to ask a user in the first place. What does the user 
think “experience” means i.e. the ability to connect or how well their 
speedtest performs? It’s not specific enough to draw a conclusion.

For example:

  1.  If 1/3 of my users had a device that could not associate because of how 
the primary channel was selected in a 40 or 80 MHz wide deployment, then those 
people would not be happy. If I then change to 20 MHz only, allowing those 
users with the problematic device to connect, there will obviously be a 
significant improvement in those users’ WiFi experience. The other users may 
still be happy because they can still connect.
  2.  If my buildings are open-concept (no walls/doors), and I have 24 APs on 
a 1000 sq/ft floor plan, and statically set to 80 MHz channels, then the 
end-user WiFi experience is going to be really poor. If I then switch all those 
APs to 20 MHz only, of course it’s going to be a huge improvement. Clearly, it 
was a poor design, and less about the channel width and more about the person 
who thought they knew better.

Of course, if the survey questions were more specific, and had questions like, 
“Do you consistently receive the highest 4K stream rate from Netflix”, the 
satisfaction for this question may trend down.

Jeff



From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of GT Hill <g...@gthill.com>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, September 26, 2017 at 8:47 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Two RF Questions

I know that this is just one example, but I was at a large university site 
(Cisco Wi-Fi) that was running 20/40 channelization. After a switch to 20 MHz 
only, there was a 35% improvement in end-user Wi-Fi experience.

Jake – One feature that I think many people agree is missing in FRA is the 
ability to dynamically turn off a radio. In some cases an extra radio in either 
band hurts more than it helps.

And to just stir the pot a bit, I wish there were SMALLER than 20 MHz 
channelization. In many high density environments 20 MHz is just too big. Give 
me some more radios at smaller channel sizes and I’ll show you a spectacular 
Wi-Fi network. :-)

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jake Snyder <jsnyde...@gmail.com<mailto:jsnyde...@gmail.com>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 9:39 AM
To: 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

My challenge, as I’ve stated on this list before, is that Mac OS X prefers 
width in its AP selection criteria.  So while you may get more capacity, in a 
large Mac environment you lose most of that with Macs hanging onto APs longer 
and having to rate-shift down to slower PHY speeds due to that AP having a 
wider channel than its neighbors. Yes, it’s dumb.  But he’s the driver of that 
lambo.

Also, couple that with increasing the noise floor by 3 dB every time you double 
the channel width and there are many cases where your lambo just spins its 
tires.  All that power and you can’t hook it up.

Remember that spectrum is our constraining resource.

Figure out what width of channel you can run in a building, and run that.  
That’s the best use of spectrum and sure to give you the most smiles/hour on 
your lambo.

I really like what cisco did with FRA.  Give me the ability to see what it 
thinks the overlap is.  I would LOVE to see the same with DBS, and give me what 
width it thinks all the APs in the building can pull off.

Sent from my iPhone

On Sep 26, 2017, at 8:19 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu<mailto:j...@scrippscollege.edu>> wrote:
It’s surprising to me that anyone would purchase a Lamborghini, then disconnect 
ten of the twelve cylinders and drive it at 25 mph on the autobahn.

When I see static 20 MHz channels, or using 40 MHz in only limited areas, I 
wonder what’s behind the purposeful neutering of the system. If you are a Cisco 
customer running 8.1 or above, and not using DBS (Dynamic Bandwidth Selection), 
then it’s the equivalent of the Lamborghini above running on only two cylinders.

Don’t miss out on the significant advancements in bandwidth management. Free 
those resources spent doing point-in-time simulation and surveys for something 
the software doesn’t al

Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jeffrey D. Sessler
For your residential, is that concern rooted in belief/assumption or proven by 
testing in production? I remember channel-width discussions with the advent of 
11n, and people here advocated sticking to 20 MHz for the same reasons, only 
our in-field testing said it was a bad assumption, reaffirmed by our vendor and 
SEs. We’ve been using 40 MHz-wide channels since 2008, and adopted DBS with the 
deployment of 11ac.

Unless our campus and/or residential is unique in some way, shape, or fashion – 
our dense deployments overwhelmingly prefer 80 MHz wide channels, and data on 
both sides (client and infrastructure) reaffirms the software is making the 
right decision.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Rob Harris <robert.har...@culinary.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, September 26, 2017 at 7:33 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Two RF Questions

While there are performance gains to be sure (by going to 40, or 80), there are 
other concerns as well. We use 20 in our dorms because of the density of APs 
and users, we need those additional channels (even with DFS in use). We use 40 
in our public spaces when there’s adequate capacity for it, and 80 in our 
theater area since we designed for it.

Robert Harris
Manager of Network Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu<http://www.ciachef.edu/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Tuesday, September 26, 2017 10:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Two RF Questions

It’s surprising to me that anyone would purchase a Lamborghini, then disconnect 
ten of the twelve cylinders and drive it at 25 mph on the autobahn.

When I see static 20 MHz channels, or using 40 MHz in only limited areas, I 
wonder what’s behind the purposeful neutering of the system. If you are a Cisco 
customer running 8.1 or above, and not using DBS (Dynamic Bandwidth Selection), 
then it’s the equivalent of the Lamborghini above running on only two cylinders.

Don’t miss out on the significant advancements in bandwidth management. Free 
those resources spent doing point-in-time simulation and surveys for something 
the software doesn’t already do far better at. I promise, DBS won’t hurt a bit 
and your users will thank you a hundred times over.

Jeff


From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Street, Chad A" <cstr...@emory.edu<mailto:cstr...@emory.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 26, 2017 at 6:59 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Two RF Questions

What is your reasoning behind not wanting 40 megahertz channels if you have 
plenty of overhead with your channel utilization?  People saying you should or 
should not do something without gathering any type of metric worry me.

On Sep 25, 2017 3:28 PM, Chuck Enfield <chu...@psu.edu<mailto:chu...@psu.edu>> 
wrote:

1.  Enable it in places to check for radar events.  If you get few, then 
yes.  Client devices are almost fully capable now.  Hidden SSIDs are the only 
issue.  Some clients don’t probe on DFS channels, and will only respond to 
beacons.  Make sure 2.4 is usable for the small number of incompatible devices.

2.  No.  Don’t even consider 40MHz unless you’re using almost all the DFS 
channels, but even then you’ll probably have to disable it in some high density 
areas.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Blahut
Sent: Monday, September 25, 2017 3:17 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Two RF Questions



Greetings,

I have two hopefully simple RF related questions:

1.  Should I enable the extended UNII-2 channels campus wide?

2.  Should I enable 40 MHz channel width campus wide?

In other words what are you doing on your campus and what is the "best practice"?



Our wireless i

Re: [WIRELESS-LAN] Two RF Questions

2017-09-26 Thread Jeffrey D. Sessler
It’s surprising to me that anyone would purchase a Lamborghini, then disconnect 
ten of the twelve cylinders and drive it at 25 mph on the autobahn.

When I see static 20 MHz channels, or using 40 MHz in only limited areas, I 
wonder what’s behind the purposeful neutering of the system. If you are a Cisco 
customer running 8.1 or above, and not using DBS (Dynamic Bandwidth Selection), 
then it’s the equivalent of the Lamborghini above running on only two cylinders.

Don’t miss out on the significant advancements in bandwidth management. Free 
those resources spent doing point-in-time simulation and surveys for something 
the software doesn’t already do far better at. I promise, DBS won’t hurt a bit 
and your users will thank you a hundred times over.

Jeff


From: "wireless-lan@listserv.educause.edu"  
on behalf of "Street, Chad A" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Tuesday, September 26, 2017 at 6:59 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Two RF Questions

What is your reasoning behind not wanting 40 megahertz channels if you have 
plenty of overhead with your channel utilization?  People saying you should or 
should not do something without gathering any type of metric worry me.

On Sep 25, 2017 3:28 PM, Chuck Enfield  wrote:

1.  Enable it in places to check for radar events.  If you get few, then 
yes.  Client devices are almost fully capable now.  Hidden SSIDs are the only 
issue.  Some clients don’t probe on DFS channels, and will only respond to 
beacons.  Make sure 2.4 is usable for the small number of incompatible devices.

2.  No.  Don’t even consider 40MHz unless you’re using almost all the DFS 
channels, but even then you’ll probably have to disable it in some high density 
areas.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Blahut
Sent: Monday, September 25, 2017 3:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Two RF Questions



Greetings,

I have two hopefully simple RF related questions:

1.  Should I enable the extended UNII-2 channels campus wide?

2.  Should I enable 40 MHz channel width campus wide?

In other words what are you doing on your campus and what is the "best practice"?



Our wireless infrastructure:

3 Cisco 5508s running 8.2.141.0

20 - 3800 APs
368 - 3700 APs
414 - 3600 APs
8 - 3500 APs
7 - 1810 APs
32 - 1142 APs

Prime 3.1.0



Thanks for your input.

David








RE: [WIRELESS-LAN] AAA Override Bug?

2017-09-15 Thread Jeffrey D. Sessler
That bug is fixed in 8.0.150.0 released about two weeks ago.

Jeff

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mccormick, Kevin
Sent: Friday, September 15, 2017 8:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AAA Override Bug?

Are you hitting this bug?

80MR4:AAA override VLAN lost on inter-controller roaming

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb21254

Kevin McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b

On Fri, Sep 15, 2017 at 10:06 AM, Yahya M. Jaber wrote:
I used to have 8.0.140.0 and now 8.0.140.9 both were working fine with AAA 
override.
Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android

On Sep 15, 2017 17:39, Hector J Rios wrote:

This week we identified a bug in our wireless software that is affecting 
eduroam. The behavior we are seeing is the following: when an LSU user connects 
to eduroam we look up their AD group membership. If it is a student, the user 
is placed on network “Y”; if it is an employee (faculty/staff), the user is 
placed on network “Z”. We have noticed employees being incorrectly placed on 
the student network (which is the default WLAN interface). We haven’t yet 
identified why this is happening but we are working with our Cisco. We do have 
AAA override enabled. We have WiSM2s running 8.0.140.0 code. We have confirmed 
that our RADIUS server is sending the correct VLAN id attribute. Anybody 
noticed the same behavior?



Hector Rios

Louisiana State University



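Hector says his RADIUS server has been confirmed to send the correct VLAN attribute. The following is an added example, not code from the thread, from Cisco or from any RADIUS vendor, of what "correct" means on the wire for AAA override: an Access-Accept must carry Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6) and Tunnel-Private-Group-ID with the same tag, and the packet's Response Authenticator must verify against the shared secret before the attributes are trusted. The sample packet, the Request Authenticator and the shared secret below are constructed for the example; a real check would feed it a capture taken between the WLC and the RADIUS server. Whether the controller then honours the VLAN is a separate question (AAA override has to be enabled, and bugs such as the one cited above can still lose it on roaming).

```python
import hashlib
import struct
from typing import Optional

# RADIUS constants (RFC 2865 / RFC 2868).
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64                 # tagged integer
TUNNEL_MEDIUM_TYPE = 65          # tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81     # tagged string, carries the VLAN id
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_attributes(payload: bytes):
    """Walk the attribute region of a RADIUS packet, returning (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("attribute length out of range")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def tagged_int(value: bytes):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value: bytes):
    """RFC 2868 tagged string: the tag octet is only present when it is <= 0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def response_authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def vlan_from_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """Return the VLAN the Accept assigns, or None when the three tunnel attributes
    do not form a complete assignment (same tag, type VLAN, medium IEEE-802)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if not response_authenticator_ok(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch: not from our RADIUS server")
    if code != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {"type": .., "medium": .., "group": ..}
    for atype, value in parse_attributes(packet[20:]):
        if atype == TUNNEL_TYPE:
            tag, v = tagged_int(value)
            groups.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = tagged_int(value)
            groups.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = tagged_string(value)
            groups.setdefault(tag, {})["group"] = v
    for g in groups.values():
        if g.get("type") == TUNNEL_TYPE_VLAN and g.get("medium") == TUNNEL_MEDIUM_IEEE_802 and "group" in g:
            return g["group"]
    return None


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, vlan: Optional[str]) -> bytes:
    """Constructed sample Access-Accept for the example; not a captured packet."""
    attrs, tag = b"", 1
    if vlan is not None:
        attrs += bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
        attrs += bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
        group = vlan.encode("ascii")
        attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


if __name__ == "__main__":
    req_auth = bytes(range(16))            # constructed Request Authenticator
    secret = b"constructed-shared-secret"  # constructed, not a real secret
    pkt = build_access_accept(7, req_auth, secret, "201")
    print("VLAN assigned by Accept:", vlan_from_access_accept(pkt, req_auth, secret))
```

An Accept that passes this check but still lands the user on the default interface points at the controller (AAA override disabled on the WLAN, an interface/VLAN the WLC does not know, or the roaming bug), not at the RADIUS server.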



Re: [WIRELESS-LAN] spurious cpi report of mass AP disassociation

2017-09-11 Thread Jeffrey D. Sessler
Did you go back and correlate the event? For example, SSH into a few of the 
WAPs and look at their logs to see what they thought happened. Did the CAPWAP 
uptime actually change on their WAPs and/or the hours they report being 
connected? The WAP logs tend to be very informative.

If you use DHCP to hand out IPs for the WAPs, did you have a look at your DHCP 
logs? Many years ago, I saw something similar and it turned out to be the DHCP 
server – a mass of WAPs went to renew at the same time, DHCP server couldn’t 
take the load, and failing the renewal, a mass of WAPs disassociated/associated.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "mark.dul...@biola.edu" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Monday, September 11, 2017 at 11:48 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] spurious cpi report of mass AP disassociation

We're using Cisco 8540 on code 8.2.151.0. Last week CPI reported a great number 
of simultaneous AP disassociations and then reassociation. CPI shows all the 
events had the exact same timestamp right down to the hundredth second. It was 
just a single event.

But I can find no event preceding it that would cause such a thing. No 
preceding controller errors that I can see. At least a hundred APs were on the 
list. The APs weren't the same type or in the same buildings. I can find no 
common thing at all about it.

No one called in to report any issues. I would think if they really did drop, 
those on an affected AP would have noticed. Only one AP in the building housing 
IT was on the report, so perhaps not surprising that none of us noticed 
anything.

Has anyone out there seen anything like this? Aside from the unknown cause, is 
it possible for the disassociation and reassociation to have happened fast 
enough that users wouldn't see any serious disruption if only doing stateless 
stuff? I'd have trouble believing the controller would report AP drops that 
didn't happen.
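Jeff's advice is to correlate the controller's mass-disassociation report with other sources before trusting or dismissing it, and his own past case was a DHCP server that could not keep up with a renewal burst. The following is an added example, not code from the thread or from any vendor tool, of that correlation: it joins the AP drop events with DHCPNAK lines for the same AP MAC inside a short window before the drop, and separately checks whether every drop carries one identical timestamp (Mark's observation, which points at one batched event rather than a hundred independent ones). Both log excerpts and their formats are constructed for the example; a real run would parse the WLC/CPI export and the dhcpd syslog in their actual formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs with hypothetical formats (not exact CPI/WLC or dhcpd syntax).
CONTROLLER_LOG = """\
2017-09-05T03:14:07.120 WLC1 AP-DISASSOC ap=AP-LIB-201 mac=00:11:22:33:44:01
2017-09-05T03:14:07.120 WLC1 AP-DISASSOC ap=AP-LIB-202 mac=00:11:22:33:44:02
2017-09-05T03:14:07.120 WLC1 AP-DISASSOC ap=AP-SCI-110 mac=00:11:22:33:44:03
2017-09-05T03:14:07.120 WLC1 AP-DISASSOC ap=AP-DORM-3F mac=00:11:22:33:44:04
2017-09-05T03:14:21.004 WLC1 AP-JOIN ap=AP-LIB-201 mac=00:11:22:33:44:01
"""

DHCP_LOG = """\
2017-09-05T03:14:05 dhcpd: DHCPREQUEST for 10.20.1.11 from 00:11:22:33:44:01 via 10.20.1.1
2017-09-05T03:14:05 dhcpd: DHCPNAK on 10.20.1.11 to 00:11:22:33:44:01 via 10.20.1.1
2017-09-05T03:14:05 dhcpd: DHCPREQUEST for 10.20.1.12 from 00:11:22:33:44:02 via 10.20.1.1
2017-09-05T03:14:06 dhcpd: DHCPNAK on 10.20.1.12 to 00:11:22:33:44:02 via 10.20.1.1
2017-09-05T03:14:06 dhcpd: DHCPREQUEST for 10.20.2.7 from 00:11:22:33:44:03 via 10.20.2.1
2017-09-05T03:14:06 dhcpd: DHCPNAK on 10.20.2.7 to 00:11:22:33:44:03 via 10.20.2.1
2017-09-05T03:12:40 dhcpd: DHCPREQUEST for 10.20.3.9 from 00:11:22:33:44:04 via 10.20.3.1
2017-09-05T03:12:40 dhcpd: DHCPACK on 10.20.3.9 to 00:11:22:33:44:04 via 10.20.3.1
"""

DISASSOC_RE = re.compile(r"^(\S+) \S+ AP-DISASSOC ap=(\S+) mac=([0-9A-Fa-f:]{17})")
NAK_RE = re.compile(r"^(\S+) dhcpd: DHCPNAK on \S+ to ([0-9A-Fa-f:]{17})")


def parse_ts(text: str) -> datetime:
    """Accept timestamps with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text}")


def disassociations(controller_log: str):
    """(timestamp, ap_name, ap_mac) for every AP drop the controller reported."""
    out = []
    for line in controller_log.splitlines():
        m = DISASSOC_RE.match(line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2), m.group(3).lower()))
    return out


def dhcp_naks(dhcp_log: str):
    """MAC -> list of times the DHCP server refused that client's renewal."""
    naks = defaultdict(list)
    for line in dhcp_log.splitlines():
        m = NAK_RE.match(line)
        if m:
            naks[m.group(2).lower()].append(parse_ts(m.group(1)))
    return naks


def correlate(controller_log: str, dhcp_log: str, window_s: int = 30):
    """For each dropped AP, the DHCPNAKs for its MAC within window_s before the drop."""
    window = timedelta(seconds=window_s)
    naks = dhcp_naks(dhcp_log)
    return {ap: [t for t in naks.get(mac, []) if ts - window <= t <= ts]
            for ts, ap, mac in disassociations(controller_log)}


def summarize(result):
    """How many drops have a DHCP explanation, and which ones still need another source."""
    explained = [ap for ap, hits in result.items() if hits]
    unexplained = sorted(ap for ap, hits in result.items() if not hits)
    return {"aps": len(result), "with_dhcp_nak": len(explained), "unexplained": unexplained}


def distinct_drop_timestamps(controller_log: str) -> int:
    """One shared timestamp across every AP hints at a single batched event."""
    return len({ts for ts, _ap, _mac in disassociations(controller_log)})


if __name__ == "__main__":
    print(summarize(correlate(CONTROLLER_LOG, DHCP_LOG)))
    print("distinct drop timestamps:", distinct_drop_timestamps(CONTROLLER_LOG))
```

The APs left in `unexplained` are the ones worth an SSH session to compare CAPWAP uptime against the controller's claim, as Jeff suggests.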



Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

2017-09-06 Thread Jeffrey D. Sessler


On 9/6/17, 8:46 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Curtis K. Larsen"  wrote:

    It would be really nice if Google would join the club and allow their 
    captive browser to switch to a full browser after the internet is reachable, 
    but until then I think it's the best we can do.

I’d argue, again, why are we in EDU making it so hard for users with these 
devices to get access to WiFi? If those devices work in every other setting, be 
it at Starbucks, Panera, hospitals, Home Depot, and so on… then EDU is doing 
something wrong.

The vendors will continue to support/do what’s most compatible with “the rest 
of the world” so it’s up to EDU to come to terms with why we are so different, 
and so device hostile.

Jeff




Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Jeffrey D. Sessler
Is this something you still see on the client-side, or was it a problem mainly 
with older OS versions that aren’t around now?

What client exclusion timeout are you currently using?

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, August 31, 2017 at 11:05 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Part of it is your EAP type, and whether users are forced to onboard to get 
configured enough to use the WLAN (like w/ TLS). With PEAP/MS-CHAPv2, I’ve seen 
many out of box, un-onboarded client device “auto connect” situations where OS 
X or Windows does figure out what it needs for EAP type, but first tries a 
couple others which fail. These can land the client in the penalty box if 
things are too tight. That’s where it feels broken to otherwise OK clients. Saw 
a lot of this on the default 60 second timer, when the client exclusion 
threshold was 3 strikes and you’re out. We had a long-running feature request 
to stretch 3 failures out to a selectable value (can now go to 10) which does 
make the longer penalty times more palatable and less likely to ensnare 
unconfigured-but-eventually-get-on-OK clients.



-Lee

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, August 31, 2017 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Longer client exclusion times coupled with longer session timeouts mean the 
clients most impacted are the troublesome clients i.e.  it only feels broken 
for the already broken clients.

I use a 60 second exclusion timeout with very long user session timeouts. The 
longer exclusion timeouts are necessary to combat those troubling devices that 
create the equivalent of an auth DoS when they have a bad password or other 
misconfiguration. Seldom have I seen this impact a well-behaved client.

The long session timeouts are a realization that disabling a user is a rare 
thing, so why inundate the radius server every ½ hour, hour, etc. with tens of 
thousands of requests just to see if the user is still OK to be connected. If 
immediate action is necessary, use client exclusion.

Been running the above configuration for some eight years and the helpdesk 
phone is very quiet.

Jeff

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 31, 2017 8:12 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Interesting, hopefully you get some relief. On this document about RADIUS 
timers 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
 I can’t buy in to Client Exclusion being set to 120 seconds as a rule. Even at 
60 it’s too long and makes the network feel broken. I agree 100% that it needs 
to be used on .1X networks, but with a short enough timer that the helpdesk 
phone doesn’t ring off the hook.

Wondering what value others are using here?

-Lee

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, August 31, 2017 9:32 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

BTW, 8.2.161.0 just came out.

-H

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 30, 2017 2:50 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Great information. Thanks, Hector. Now I have some homework too.

-Original Message-
From: Hector J Rios [hr...@lsu.edu]
Received: Wednesday, 30 Aug 2017, 15:41
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto

RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Jeffrey D. Sessler
Longer client exclusion times coupled with longer session timeouts mean the 
clients most impacted are the troublesome clients i.e.  it only feels broken 
for the already broken clients.

I use a 60 second exclusion timeout with very long user session timeouts. The 
longer exclusion timeouts are necessary to combat those troubling devices that 
create the equivalent of an auth DoS when they have a bad password or other 
misconfiguration. Seldom have I seen this impact a well-behaved client.

The long session timeouts are a realization that disabling a user is a rare 
thing, so why inundate the radius server every ½ hour, hour, etc. with tens of 
thousands of requests just to see if the user is still OK to be connected. If 
immediate action is necessary, use client exclusion.

Been running the above configuration for some eight years and the helpdesk 
phone is very quiet.

Jeff

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 31, 2017 8:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Interesting, hopefully you get some relief. On this document about RADIUS 
timers 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
 I can’t buy in to Client Exclusion being set to 120 seconds as a rule. Even at 
60 it’s too long and makes the network feel broken. I agree 100% that it needs 
to be used on .1X networks, but with a short enough timer that the helpdesk 
phone doesn’t ring off the hook.

Wondering what value others are using here?

-Lee

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, August 31, 2017 9:32 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

BTW, 8.2.161.0 just came out.

-H

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 30, 2017 2:50 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Great information. Thanks, Hector. Now I have some homework too.

-Original Message-
From: Hector J Rios [hr...@lsu.edu]
Received: Wednesday, 30 Aug 2017, 15:41
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?
Thank you for the good thoughts on the storm. Luckily we are fine.

So far we’ve been told that the issue we experienced was a combination of two 
things: 1) the 8540’s memory queues and buffers reached their maximum capacity. 
This affected both 802.1X and CAPWAP. Thus the AP flapping. 2) RADIUS and EAP 
timers must be EXTRA optimized. I say EXTRA, because we’ve always followed best 
practices and recommendations from TAC.

This is a good document to read: 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

Finally, what is most interesting is the fact that even though the 8540 is 
advertised to support 6000 APs and 64000 clients, these numbers do not seem to 
be valid if your environment is mainly 802.1X. So, if your environment is 
mainly 802.1X, and you have an 8540, I would recommend you talk to your Cisco 
SE so they can tell you what the official supported number of APs is. I’ve yet 
to find any official documentation that even hints to this. Miercom performed a 
comparative test in 2015 between Aruba and Cisco, and in the report they did 
test client authentication rate, but only for the Cisco 5520.

https://www.cisco.com/c/dam/en/us/products/collateral/wireless/8540-wireless-controller/miercom-report-wlcs-cisco-aruba.pdf

TAC’s recommendation is for us to use 8.2.160 on the 8540s. We will make all 
necessary config changes and start moving APs in waves of 500 slowly so we can 
watch utilization. Our plan also includes not to exceed the AP capacity of the 
8540s by 50%-60%. If this works, we will have to get an additional pair of 
8540s. I’ll let you know if we are successful.

BTW, we are required to have AVC turned on. TAC is very concerned about this. 
We’ll also be watching this.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 30, 2017 6:43 AM
To: 
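The exchange above turns on two knobs: the number of consecutive 802.1X failures before a client is excluded (Lee mentions the default of 3, now selectable up to 10) and the exclusion timeout (Jeff runs 60 seconds). The following added example, which is not from the thread and not the WLC's actual algorithm, models that policy as a simple state machine and runs two constructed client traces through it: a phone with a stale password that retries every 2 seconds, which is Jeff's "auth DoS" case, and a fresh laptop that fails three EAP methods before finding the right one, which is Lee's "un-onboarded but eventually OK" case. The traces, client names and retry intervals are constructed; the model counts only consecutive failures, resets on success and drops attempts at the controller while the client is excluded.

```python
from collections import defaultdict


def make_events():
    """Constructed authentication traces: (time_s, client, outcome)."""
    events = []
    # A phone with a stale password retries 802.1X every 2 s for 5 minutes.
    for t in range(0, 300, 2):
        events.append((t, "bad-pw-phone", "fail"))
    # A fresh laptop tries three EAP methods that fail, then the right one.
    events += [(0, "new-laptop", "fail"), (3, "new-laptop", "fail"),
               (6, "new-laptop", "fail"), (9, "new-laptop", "ok")]
    return sorted(events)


def simulate(events, threshold, exclusion_s):
    """Simplified client-exclusion model (an assumption, not the WLC's real logic):
    after `threshold` consecutive failures a client is excluded for `exclusion_s`
    seconds, during which its attempts are dropped at the controller and never
    reach the RADIUS server."""
    state = defaultdict(lambda: {"fails": 0, "excluded_until": -1.0})
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0,
                                 "exclusions": 0, "connected": False})
    for t, client, outcome in sorted(events):
        st, out = state[client], stats[client]
        if t < st["excluded_until"]:
            out["dropped"] += 1          # absorbed by the WLC, RADIUS never sees it
            continue
        out["forwarded"] += 1            # one RADIUS request
        if outcome == "ok":
            st["fails"] = 0
            out["connected"] = True
        else:
            st["fails"] += 1
            if st["fails"] >= threshold:
                st["fails"] = 0
                st["excluded_until"] = t + exclusion_s
                out["exclusions"] += 1
    return dict(stats)


def radius_load(stats):
    """Total requests that reached the RADIUS server across all clients."""
    return sum(s["forwarded"] for s in stats.values())


if __name__ == "__main__":
    events = make_events()
    for threshold, exclusion_s in [(3, 0), (3, 60), (10, 60)]:
        stats = simulate(events, threshold, exclusion_s)
        print(f"threshold={threshold} exclusion={exclusion_s}s "
              f"radius_requests={radius_load(stats)} "
              f"laptop_connected={stats['new-laptop']['connected']}")
```

With 3 strikes and a 60 second exclusion the misbehaving phone gets 15 requests through to RADIUS instead of 150, which is the protection Jeff describes; the same setting also locks out the laptop on its third EAP attempt, which is the "feels broken" case Lee describes, and raising the threshold to 10 lets the laptop connect while still cutting the phone's load to 40 requests.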

Re: [WIRELESS-LAN] Plastered buildings

2017-08-29 Thread Jeffrey D. Sessler
You have to mount them in-room, and likely every or every-other room depending 
on the wall makeup between them.

My campus is made of nothing but plastered walls with metal mesh, compounded by 
the internal construction which is mainly reinforced block/concrete. This was a 
curse in the early WiFi days when we just wanted coverage. We’ve long since 
moved to dense in-room AP deployment and it’s a huge benefit. It’s the best RF 
gift imaginable, it just forces a more-costly design that most desire to use 
anyway.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of John Rodkey 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Monday, August 28, 2017 at 9:20 PM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Plastered buildings

How do you deal with buildings that have plaster and fine metal mesh enclosing 
them?  We have placed access points on the exterior of the building, but the 
signal isn't getting through.  The rooms all open onto an outside hallway - 
there is no common internal hallway.

John Rodkey
Director of Servers and Networks



Re: [WIRELESS-LAN] DFS Scans Seem to Have Run Amok

2017-08-28 Thread Jeffrey D. Sessler
John,

The link I included has the process for requesting the build. It’s TAC 
recommended if you have x700-series.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Watters, John" <john.watt...@ua.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, August 28, 2017 at 9:39 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] DFS Scans Seem to Have Run Amok

TAC has not mentioned 8.0.141.46 (or any other 8.0 version). They would like 
for me to move to 8.2. However, school just started. This is not the time to 
make a level change. Maybe in a month or so though.

However, I would strongly consider 8.0.141.46 if I could find it (which I 
can’t; it is not listed on the Cisco software download site). Maybe my local 
Cisco tech can get it for me. I wonder why TAC didn’t even mention it.

Thanks.



John Watters
Network Engineer, Office of Information Technology
The University of Alabama<https://www.ua.edu/>
A115 Gordon Palmer Hall
Box 870346
Tuscaloosa, AL 35487
Phone 205-348-3992
john.watt...@ua.edu<mailto:john.watt...@ua.edu>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Monday, August 28, 2017 10:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] DFS Scans Seem to Have Run Amok

TAC will likely suggest you install 8.0MR5 interim (8.0.141.46) given you have 
2700’s (couple of radio bugs are fixed). DFS is as much art as science and 
older code isn’t always perfect i.e. I’ve seen newer devices that much older 
code sees as radar. You can request the code here and see the fixes, including a 
number of DFS-related ones.
https://supportforums.cisco.com/t5/wireless-mobility-blogs/8-0mr5-interim-release-availability/ba-p/3098510

Probably too late, but you may want to consider getting to newer code. If you 
have x700 series WAPs, it’s strongly recommended to be on at least 8.2.  8.2 
and beyond have additional innovation in DFS area among many other improvements.

Jeff

From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Watters, John" <john.watt...@ua.edu<mailto:john.watt...@ua.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Monday, August 28, 2017 at 7:42 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] DFS Scans Seem to Have Run Amok

We are a Cisco shop running 8510 HA WLCs and a variety of AP including 1142s, 
2702s, others in smaller quantities for a current total of 6600+ APs. We are 
running WLC code 8.0.140.16. This was installed on JAN 4.

A couple of months ago we started seeing a lot of DFS scans. This was several 
months after our last code upgrade. When these scans are done, the users of the 
5 GHz radio that is doing the scanning for a clear frequency are all kicked off 
of their connections. Since the scans last for 1 minute & 2 seconds, this is 
very disruptive to the clients. We do not understand why this behavior has 
suddenly started all over campus. We are not particularly near an airport. 
There is one on the other side of town but it does not handle commercial 
service – private planes only plus an occasional charter for a sporting event. 
And, the APs that do the most frequent DFS scans are located in interior rooms, 
often on the ground floor of a multistory building. APs located near windows 
are rarely affected. This is happening in a lot of buildings, and not just in 
buildings that may tend to have noise in the 5 GHz range (e.g., an engineering 
building).

Has anyone else seen this problem? And, have you found the cause of this 
behavior? And, more importantly, a fix for the problem?

Following is an example from one AP (BRU-202-E2) showing two DFS scans almost 
back-to-back (2 sec gap) which lasted 3+ minutes:

*Aug 28 04:15:52.930: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5540 MHz
*Aug 28 04:15:53.708: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 28 04:15:53.710: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 28 04:15:54.707: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 28 04:15:54.739: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 28 04:15:55.739: %LI

Re: [WIRELESS-LAN] DFS Scans Seem to Have Run Amok

2017-08-28 Thread Jeffrey D. Sessler
TAC will likely suggest you install 8.0MR5 interim (8.0.141.46) given you have 
2700’s (couple of radio bugs are fixed). DFS is as much art as science and 
older code isn’t always perfect i.e. I’ve seen newer devices that much older 
code sees as radar. You can request the code here and see the fixes, including a 
number of DFS-related ones.
https://supportforums.cisco.com/t5/wireless-mobility-blogs/8-0mr5-interim-release-availability/ba-p/3098510

Probably too late, but you may want to consider getting to newer code. If you 
have x700 series WAPs, it’s strongly recommended to be on at least 8.2.  8.2 
and beyond have additional innovation in DFS area among many other improvements.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of "Watters, John" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Monday, August 28, 2017 at 7:42 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] DFS Scans Seem to Have Run Amok

We are a Cisco shop running 8510 HA WLCs and a variety of AP including 1142s, 
2702s, others in smaller quantities for a current total of 6600+ APs. We are 
running WLC code 8.0.140.16. This was installed on JAN 4.

A couple of months ago we started seeing a lot of DFS scans. This was several 
months after our last code upgrade. When these scans are done, the users of the 
5 GHz radio that is doing the scanning for a clear frequency are all kicked off 
of their connections. Since the scans last for 1 minute & 2 seconds, this is 
very disruptive to the clients. We do not understand why this behavior has 
suddenly started all over campus. We are not particularly near an airport. 
There is one on the other side of town but it does not handle commercial 
service – private planes only plus an occasional charter for a sporting event. 
And, the APs that do the most frequent DFS scans are located in interior rooms, 
often on the ground floor of a multistory building. APs located near windows 
are rarely affected. This is happening in a lot of buildings, and not just in 
buildings that may tend to have noise in the 5 GHz range (e.g., an engineering 
building).

Has anyone else seen this problem? And, have you found the cause of this 
behavior? And, more importantly, a fix for the problem?

Following is an example from one AP (BRU-202-E2) showing two DFS scans almost 
back-to-back (2 sec gap) which lasted 3+ minutes:

*Aug 28 04:15:52.930: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5540 MHz
*Aug 28 04:15:53.708: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 28 04:15:53.710: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 28 04:15:54.707: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 28 04:15:54.739: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 28 04:15:55.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Aug 28 04:17:53.253: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5280 MHz
*Aug 28 04:17:54.747: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 28 04:17:54.750: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 28 04:17:55.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 28 04:17:55.773: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
*Aug 28 04:17:55.774: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 28 04:17:56.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Aug 28 04:18:57.382: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5300 MHz


THANKS.


John Watters
Network Engineer, Office of Information Technology
The University of Alabama
A115 Gordon Palmer Hall
Box 870346
Tuscaloosa, AL 35487
Phone 205-348-3992
john.watt...@ua.edu

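John's log excerpt shows the sequence a DFS event produces on an IOS AP: a DFS_TRIGGERED line, the 5 GHz radio going down and coming back on a new channel, and, when the new channel is itself a DFS channel, a 60 second DFS_SCAN_START/DFS_SCAN_COMPLETE pair during which clients cannot use that radio. The following is an added example, not code from the thread or from Cisco, that parses that excerpt (reproduced from John's message with the wrapped lines rejoined) and turns it into the numbers an engineer would want across 6600 APs: trigger count and frequencies, how long each scan really took, how many times the radio reset, and whether an AP crossed a "more than one trigger in ten minutes" threshold. The threshold and the function names are choices for the example, not Cisco's.

```python
import re
from datetime import datetime

# The BRU-202-E2 excerpt quoted above, one event per line (wrapped lines rejoined).
AP_LOG = """\
*Aug 28 04:15:52.930: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5540 MHz
*Aug 28 04:15:53.708: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 28 04:15:53.710: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 28 04:15:54.707: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 28 04:15:54.739: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 28 04:15:55.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Aug 28 04:17:53.253: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5280 MHz
*Aug 28 04:17:54.747: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 28 04:17:54.750: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 28 04:17:55.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 28 04:17:55.773: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
*Aug 28 04:17:55.774: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 28 04:17:56.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Aug 28 04:18:57.382: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5300 MHz
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(r"^\*(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): %([A-Z0-9_-]+): (.*)$")
FREQ_RE = re.compile(r"frequency (\d+) MHz")


def parse_ap_log(text):
    """(timestamp, mnemonic, message) per line; IOS stamps carry no year, so deltas
    are only meaningful within one day of log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events


def dfs_summary(text):
    """Triggers, measured scan durations, radio resets and the span of the excerpt."""
    events = parse_ap_log(text)
    triggers, scans, radio_downs, open_scan = [], [], 0, None
    for ts, mnemonic, msg in events:
        if mnemonic == "DOT11-6-DFS_TRIGGERED":
            triggers.append((ts, int(FREQ_RE.search(msg).group(1))))
        elif mnemonic == "DOT11-6-DFS_SCAN_START":
            open_scan = (ts, int(FREQ_RE.search(msg).group(1)))
        elif mnemonic == "DOT11-6-DFS_SCAN_COMPLETE" and open_scan:
            start, freq = open_scan
            scans.append({"freq_mhz": freq, "duration_s": (ts - start).total_seconds()})
            open_scan = None
        elif mnemonic == "LINK-6-UPDOWN" and msg.endswith("changed state to down"):
            radio_downs += 1
    span = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    return {"triggers": triggers, "scans": scans, "radio_downs": radio_downs, "span_s": span}


def max_triggers_in_window(triggers, window_s):
    """Largest number of DFS triggers inside any sliding window of window_s seconds."""
    times = sorted(ts for ts, _freq in triggers)
    best, lo = 0, 0
    for hi in range(len(times)):
        while (times[hi] - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def needs_attention(text, window_s=600, max_triggers=1):
    """Flag an AP knocked off-channel more than max_triggers times within window_s
    (threshold chosen for the example; tune it to the site)."""
    return max_triggers_in_window(dfs_summary(text)["triggers"], window_s) > max_triggers


if __name__ == "__main__":
    summary = dfs_summary(AP_LOG)
    print(summary)
    print("needs attention:", needs_attention(AP_LOG))
```

Run over the excerpt this reports two triggers (5540 and 5280 MHz), a single measured CAC scan of 61.6 seconds on 5300 MHz, two radio resets and an overall span of 184.5 seconds, which matches the "3+ minutes" John describes. Run across every AP's log the same summary separates the handful of APs that see radar-like energy repeatedly (the interior, ground-floor ones John calls out) from the ones that only flap because a neighbour's radar move pushed them.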



Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Jeffrey D. Sessler
James, that’s 600Mbps for the building. LOL!

That said, on all of our 11ac WAPs including the Cisco 3800-series, even in our 
dense areas, the AP’s are auto-picking 80Mhz channel-width. From the client 
stats, many of them are at a tx: rate of 867 to 1300  in the residential halls.

Clients are mostly Apple, and mostly 11ac-capable. My 1st-gen Macbook Pro 
touch easily does 600Mbps against the 3800-series.

Last year I only had one building on the 3800-series and when compared to a 
similar building using the 3700-series, the 3800-residential hall was 10-30x 
the amount of traffic. I’m seeing similar performance in four others updated to 
the 3800-series this summer. Everything else being equal, the 3800-series 
appear to offer a new level of performance over last generation. I suspect it 
has a lot to do with the new OS underpinning them.

As for the traffic, it’s a general mix of everything you expect to see in a 
residential hall, but given most of the streaming services adjust based on 
available bandwidth, it looks like most are now getting the highest bit rates 
possible.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 8:47 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

600Mbps on a single AP is impressive, is that with a 40MHz or 80MHz channel? 
What sort of client mix is generating that much traffic?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 25 August 2017 at 11:00 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Pair of 8540’s running 8.2.160
About half of all WAPs are now 2800/3800. 3800’s on multi-gig
20Gb Internet connection

3800-series equipped 110-bed residence hall, partially filled with a few early 
arrivals, already seeing peaks at over 600Mbps.

No observed problems yet, but our first-years just arrived and returning 
students are due soon.

Interesting stats:
#1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330 
first-years arrived they did over 12TB of traffic.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 6:22 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester

  *   Running 8.2.151 on our 8540s
  *   Significant quantities of Wave 2 APs
  *   ISE as RADIUS (only, no NAC, no onboarding)

No changes to:

  *   our guest WLAN (Clearpass/an Aruba controller pair)
  *   onboarding (Cloudpath Wiz)
  *   overall topology
  *   open network in dorms for gadgets
  *   non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:

  *   We haven’t yet hit the scale that will reveal problems with any of the 
newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Jeffrey D. Sessler
Pair of 8540’s running 8.2.160
About half of all WAPs are now 2800/3800. 3800’s on multi-gig
20Gb Internet connection

3800-series equipped 110-bed residence hall, partially filled with a few early 
arrivals, already seeing peaks at over 600Mbps.

No observed problems yet, but our first-years just arrived and returning 
students are due soon.

Interesting stats:
#1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330 
first-years arrived they did over 12TB of traffic.

Jeff


From: "wireless-lan@listserv.educause.edu"  
on behalf of "lhbad...@syr.edu" 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Friday, August 25, 2017 at 6:22 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Cisco 2802i and 3rd party injectors or switches

2017-08-22 Thread Jeffrey D. Sessler
At the appropriate discount for EDU, the AIR-PWRINJ6= is only slightly more 
than the third-parties and fully supported by TAC.

Personally, if you have to power more than six in one location, invest the 
money in a new switch with UPoE so you’re covered for the next 7-10+ years.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Jason Watts 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Tuesday, August 22, 2017 at 6:27 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Cisco 2802i and 3rd party injectors or switches

Has anyone on-list successfully used a 3rd party 802.3at injector to fully 
power one or more 2802i APs?

I’m interested in single-port, multi-port midspan, and switches big and small 
so long as it is non-Cisco.
The word from Cisco seems to be that only the AIR-PWRINJ-6 single-port injector 
from Cisco is compatible, though I have heard of a “same part number” 
small-business injector that costs a bit less as working as well.

So far I can find no evidence of a 3rd party injector working beyond providing 
15.4 watts medium power, hence no radios up.

Manufacturer and part numbers are much appreciated.

Thanks,

Jason Watts | Senior Network Administrator

PRATT INSTITUTE
Academic Computing






Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Jeffrey D. Sessler
“Our campus isn't comfortable with an open ESSID without verifying the identity 
of the user, so that's the value of eduroam - identity.”

How exactly have you verified the identity of the user? Is it blind trust that 
other EDUs verify and manage identity in the same fashion that your campus 
does? A device that shows up with an account that grants access to eduroam is 
not verification of the person’s identity.

There are EDUs out there that hand out free (and unverified or lightly 
verified) accounts to their local public, parents, guests, and so on with no 
questions asked. The person fills in a basic online form and they are granted 
an account with limited rights – typically including Library and WiFi access. 
How many of those accounts also work on eduroam?

It could be interesting to look at the global eduroam data to see just how 
often accounts show up in multiple places simultaneously.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Hunter Fuller 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Tuesday, August 15, 2017 at 7:54 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] EAP-TLS

Our campus isn't comfortable with an open ESSID without verifying the identity 
of the user, so that's the value of eduroam - identity.

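Jeff's question above, how often a single eduroam account shows up in several places at the same time, is the kind of check a home institution can run over its own RADIUS accounting data. What follows is an added example, not code from the thread or from eduroam: it takes constructed accounting-style records (user, visited site, session start and stop; this record layout is an assumption, as are the user and site names) and reports accounts with time-overlapping sessions at two different visited sites. It goes one step beyond the question by also reporting accounts that reappear at a different site within a short gap, which is the weaker but more common signal of a shared credential.

```python
"""Flag accounts whose roaming sessions overlap, or nearly overlap, at different sites.

Added example for the EAP-TLS / eduroam discussion. The records below are
constructed; nothing here comes from real eduroam accounting data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records: (user, visited_site, session_start, session_stop).
# A home institution would build these from its own RADIUS accounting (or from
# the accounting its national roaming operator returns to it).
SAMPLE_SESSIONS: List[Tuple[str, str, str, str]] = [
    ("alice@home.example", "uni-a.example", "2017-08-15T09:00", "2017-08-15T11:00"),
    ("alice@home.example", "uni-a.example", "2017-08-15T11:05", "2017-08-15T12:00"),
    ("bob@home.example",   "uni-a.example", "2017-08-15T09:30", "2017-08-15T10:30"),
    ("bob@home.example",   "uni-b.example", "2017-08-15T10:00", "2017-08-15T12:00"),  # overlaps at a second site
    ("carol@home.example", "uni-c.example", "2017-08-15T13:00", "2017-08-15T14:00"),
    ("carol@home.example", "uni-d.example", "2017-08-15T14:30", "2017-08-15T15:00"),  # new site after only 30 min
]

Session = Tuple[str, datetime, datetime]  # (site, start, stop)


def group_by_user(records) -> Dict[str, List[Session]]:
    """Parse ISO timestamps and bucket sessions per user, sorted by start time."""
    by_user: Dict[str, List[Session]] = defaultdict(list)
    for user, site, start, stop in records:
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(stop)
        if e <= s:
            raise ValueError(f"session for {user} at {site} stops before it starts")
        by_user[user].append((site, s, e))
    for sessions in by_user.values():
        sessions.sort(key=lambda x: x[1])
    return by_user


def find_simultaneous_use(records) -> Dict[str, List[Tuple[str, str, datetime, datetime]]]:
    """Accounts with sessions that overlap in time at two *different* visited sites.

    Returns {user: [(site_a, site_b, overlap_start, overlap_end), ...]}.
    Same-site overlaps are ignored: one person with a phone and a laptop is normal.
    """
    findings: Dict[str, List[Tuple[str, str, datetime, datetime]]] = {}
    for user, sessions in group_by_user(records).items():
        for i in range(len(sessions)):
            for j in range(i + 1, len(sessions)):
                site_a, sa, ea = sessions[i]
                site_b, sb, eb = sessions[j]
                if site_a == site_b:
                    continue
                overlap_start, overlap_end = max(sa, sb), min(ea, eb)
                if overlap_end > overlap_start:
                    findings.setdefault(user, []).append((site_a, site_b, overlap_start, overlap_end))
    return findings


def find_rapid_site_changes(records, max_gap: timedelta = timedelta(hours=1)) -> Dict[str, List[Tuple[str, str, timedelta]]]:
    """Accounts that start a session at a different site less than max_gap after
    the previous session ended (a negative gap means the sessions overlapped).

    Returns {user: [(previous_site, next_site, gap), ...]}.  The threshold is a
    tuning knob: pick it from how far apart the participating sites actually are.
    """
    findings: Dict[str, List[Tuple[str, str, timedelta]]] = {}
    for user, sessions in group_by_user(records).items():
        for (site_prev, _, stop_prev), (site_next, start_next, _) in zip(sessions, sessions[1:]):
            if site_prev == site_next:
                continue
            gap = start_next - stop_prev
            if gap < max_gap:
                findings.setdefault(user, []).append((site_prev, site_next, gap))
    return findings


if __name__ == "__main__":
    for user, hits in find_simultaneous_use(SAMPLE_SESSIONS).items():
        for site_a, site_b, start, end in hits:
            print(f"SIMULTANEOUS {user}: {site_a} and {site_b} from {start:%H:%M} to {end:%H:%M}")
    for user, hits in find_rapid_site_changes(SAMPLE_SESSIONS).items():
        for site_prev, site_next, gap in hits:
            print(f"RAPID-CHANGE {user}: {site_prev} -> {site_next} after {gap}")
```

On the constructed data only `bob` is flagged as simultaneous (uni-a and uni-b overlap from 10:00 to 10:30), while the rapid-change pass flags both `bob` and `carol`; `alice` is never flagged because both of her sessions are at the same site. The simultaneous check is the one that gives a near-certain signal of a shared account; the rapid-change check needs a threshold chosen from the geography of the sites involved.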



Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Jeffrey D. Sessler
Couple of comments:

  *   eduroam – using your point of “…most users can access what they want 
off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. Back 
in the day, this would facilitate quick access for a visiting educator who may 
be collaborating with someone locally and needing access to local resources. 
Today, in the age of cloud-based collaboration platforms and access from anywhere, 
how important is eduroam over an open wifi network? With few exceptions, all 
the visitor needs is Internet access. eduroam doesn’t add value here, but does 
add complexity to manage.
  *   Location data – Yeah, this can have some value, but at least here, our 
emergency management moved to mobile-based applications that allow the user to 
opt-in to being tracked with the addition of panic-button-like services. I tend 
to shy away from using location-based services within WiFi where life-safety is 
involved. It can be a wonderful tool, until it doesn’t work that one time 
management believes it should. In other words, finding a missing AV cart is 
different than a missing person.

Jeff



On 8/14/17, 7:23 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Jason Cook"  wrote:

This is a good topic, we are slowly moving towards a preferred EAP-TLS from 
PEAP-MSCHAPv2 but not current date to force and perhaps never. The points made 
about why do we bother at all though are pretty relevant, most users can access 
what they want off-campus from whatever network they want, and VPN for more 
restricted access. So a properly segmented internal network providing 
appropriate access would be fine. *PSK/ open networks are theoretically ok.

At this point we are still confident that dot1x based auth is still the 
best way to go for users accessing our wifi, though this discussion has 
certainly opened my eyes a lot.

There's a couple of other reasons though why dot1x (whichever method) does 
have advantages to us. This may not be relevant to all, and there may be 
better/other ways.

eduroam will break down via other methods, so you'll still need to manage a 
dot1x service no matter what. Then you still have calls to SD because the 
service is now different when you want to use it, requires special setup that's 
different to on-campus. We've had Cloudpath a while, originally for PEAP config 
and now TLS. We do roll with a main SSID so our onboarding will configure our 
network UofA and eduroam and users will just work wherever they go once done.

Occasionally for security reasons we use location data to track missing 
people. This is possible without auth to network data but it's better having 
that auth data. Same goes for identifying users acting inappropriately online. 
User ID to IP mapping is also fed into our firewall for web filtering 
exceptions (including group and personal).

Originally we went with Cloudpath to help users get configured easier which 
worked well (though this is less of a requirement with auto-configs now pretty 
good), as well as properly since auto-config on OS's doesn't get the 
certificate right (so it ensures proper config). Configuring eduroam at the same 
time for windows was problematic however with PEAP (can't remember other OS's). 
As it would only save 1 SSID User info properly, so the second SSID it wouldn't 
save user ID and users would get prompted and not add the @adelaide.edu.au .. 
TLS resolves that little windows issue.

So for us one additional positive for EAP-TLS over PEAP but overall 
user-auth has its value.
--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, 15 August 2017 2:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

One interesting trade-off: if I have good AD credentials and pop up a new 
Mac or Windows machine without any kind of onboarding in play, I will get on 
the network quickly one way or the other with PEAP/MS-CHAPv2. Maybe I'm 
prompted to accept the server, but I'll get on. This is good and bad. I got on, 
but not the way that the Security and Network folks might have wanted me to get 
on- because the cert stuff is optional with PEAP/MS-CHAPv2 on non-AD machines 
that you don't control. That's arguably bad.

But... I got on. And I got authentication and encryption, without IT 
intervention. From the user perspective, this is good. I didn't have to 
onboard, I didn't need IT help. I wasn't stranded if I didn't understand what 
the onboarding SSID is all about, etc.

With TLS- you get properly onboarded, or you're sucking wind until you do. 
But once you do, TLS' 
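Lee's point above is that with PEAP/MS-CHAPv2 on a machine you do not manage, validating the RADIUS server's certificate is optional, so the user "gets on" whether or not the server was ever pinned, and a rogue AP presenting any certificate could collect the MS-CHAPv2 exchange. The following is an added example, not code from the thread or from any vendor: a small audit of wpa_supplicant-style network blocks. The config text is constructed, the SSIDs, identities and file paths are placeholders, and wpa_supplicant is assumed as the supplicant (Windows and macOS express the same settings through their own profile formats). The check flags a PEAP block with no `ca_cert`, a block that pins a CA but not a server name, and an EAP-TLS block that lacks its client credential.

```python
"""Audit wpa_supplicant-style network blocks for missing RADIUS server validation.

Added example for the PEAP vs EAP-TLS discussion. The configuration below is
constructed; the SSIDs, identities and paths are placeholders.
"""
import re
from typing import Dict, List

# Constructed config: the first block is the "I got on, but not the way Security
# wanted" case, the second pins the CA and the server name, the third is EAP-TLS.
SAMPLE_CONFIG = """
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@campus.example"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CampusWiFi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@campus.example"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.campus.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CampusWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@campus.example"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.campus.example"
    client_cert="/etc/wpa/user.crt"
    private_key="/etc/wpa/user.key"
}
"""

# Tunnelled and certificate-based EAP methods for which the server cert matters.
SERVER_CERT_METHODS = {"PEAP", "TTLS", "TLS"}
# Any one of these ties the trusted CA to a specific RADIUS server name.
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Split the config into network blocks and each block into key/value pairs."""
    nets = []
    for body in BLOCK_RE.findall(text):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one network block (empty list = clean)."""
    issues: List[str] = []
    eap = net.get("eap", "").upper()
    if eap in SERVER_CERT_METHODS:
        if "ca_cert" not in net and "ca_path" not in net:
            # Without a trusted CA the supplicant accepts whatever the AP presents.
            issues.append("no ca_cert: RADIUS server certificate is not validated")
        elif not any(k in net for k in SERVER_NAME_KEYS):
            # A CA alone is not enough if it has issued certificates to other hosts.
            issues.append("ca_cert set but no domain_match: any server cert from that CA is accepted")
    if eap == "TLS" and ("client_cert" not in net or "private_key" not in net):
        issues.append("EAP-TLS block without client_cert/private_key: onboarding incomplete")
    return issues


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each SSID in the config to its list of findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, issues in audit_config(SAMPLE_CONFIG).items():
        print(f"{ssid}: {'OK' if not issues else '; '.join(issues)}")
```

Run against the constructed config, only `CampusWiFi` is flagged (no `ca_cert`); the hardened PEAP block and the EAP-TLS block come back clean. The second rule is the one people forget: pinning a public CA without a `domain_match` still lets any server with a certificate from that CA terminate the tunnel, which is why onboarding tools push both the CA and the server name, and why EAP-TLS, which cannot complete at all without the client credential, is the option that fails closed.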