Re: [WIRELESS-LAN] Locating forgotten WiFi auth enabled systems

2018-08-10 Thread John Kristoff 
On Wed, 18 Jul 2018 14:38:14 +
"Kristoff, John"  wrote:

> What do you do or do you recommend to locate and eradicate poorly
> managed and inspid WiFi clients?

Thanks to those who offered suggestions.  The past few weeks I have
asked our student interns to help locate and trouble shoot those
forgotten devices, with some success.

For posterity, a brief follow up.

One thing that has helped is the using the AirCheck (formerly Fluke,
now Netscout) hand held tool.  They may be alternative choices, this is
just what we happen to have.  This tool has a locate feature.  Just
select the L2 MAC address you're looking for, then a display, signal
meter, and audible alert helps you locate more precisely where a
particular station is.  Obviously it helps if you know the physical AP
location where associations are being attempted.

In our most recent case, there was a PC-attached scanner with a WiFi
Protected Setup (WPS) button that didn't need WiFi connectivity.  Once
that button was pressed and the feature turned off, we eliminated a very
noisy auth-failing client.

WPS may be worth an institutional tech note on, but that is for another
day.

John

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Locating forgotten WiFi auth enabled systems

2018-07-18 Thread John Kristoff 
Friends,

Over time there is some non-negligible number of devices and systems
that attempt to connect and authenticate to an institution's WiFi
network.  Many of these seem to be from devices or systems that had
been configured with a former employee, student, or affiliated user's
credentials that are no longer valid if they ever were.  Some of these
forgotten clients might try to authenticate thousands of times a day.

While they may not cause a significant operational problems hammering
away, it would be nice to keep the airspace and auth logs as clean as
possible.

I've perused a couple of odd solutions that purport to do some form of
triangulation, but before I dig too far done this road I thought I'd
issue a query here.

What do you do or do you recommend to locate and eradicate poorly
managed and inspid WiFi clients?

Thank you,

John

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-24 Thread John Kristoff 
On Mon, 24 Apr 2017 19:18:51 +
Marcelo Maraboli  wrote:

> I still wonder why Universities like MIT,Harvard,Stanford and Berkeley
> only use Eduroam as a secondary SSID and still keep their main SSID.
> The only thing I can think of is branding.

Branding and inertia of the installed base may preclude an easy change.
I've also heard it suggested that in dense areas, if you connect to the
"wrong" eduroam, not being on the network you expect to be on may cause
some access-related problems for those that use them based on SSID or
assignment wireless network address/id.

John

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Cost effective alternatives to AP-220-MNT-W2

2016-08-26 Thread John Kristoff 
Has anyone found, purchased or produced wall mounting kits suitable for
attaching an AP to a gang box.  Specifically for Aruba APs like the 325
(or the 220).  We've found the AP-220-MNT-W2, but if you get a lot of them,
it gets costly quick.

Thank you,

John

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] VLAN spanning on Cisco wireless nets

2004-06-23 Thread John Kristoff 
On Wed, 23 Jun 2004 10:19:02 -0500
Michael Griego [EMAIL PROTECTED] wrote:

 The MAC Miniport Bridge adapter on XP can be enabled quite easily by
 accident.  It is *not* enabled by default.  A user can enable it by
 right-clicking on a physical adapter in the Network Connections folder
 and choosing Bridge Connections.  It is also quite easy to enable it
 by accident in the Wizard that sets up a network connection.  I suspect
 a lot of uninformed users get caught in the latter of these two.

Furthermore on this topic, if an end host does have this enabled and
is generating BPDUs, it can wreak havoc on a multicast enabled network.
It turns out that these BPDUs if not filtered out on your edge bridges
(or switches if you prefer), will result in a spanning tree topology
recalculation.  At least on Cisco, this causes multicast forwarding
state in the layer 2 devices (learned from CGMP for example) to go
away and all multicast on the segment will be flooded for some period
of time until multicast state in the edge box is rebuilt.

Note, you can turn on BPDU guard on Cisco devices, but I believe this
will completely disable the port if a Windows XP host enables bridging.
This could be a pain to manage for some of you.  You may be surprised
at how many XP devices will have bridging turned on.  Alternatively,
some bridges/switches can filter on the ethertype field.  You could
filter out BPDUs on the edge host facing ports.  Coupled with what
Cisco calls port security or similar mechanisms you should be able to
prevent loops if they were to occur.

Isn't this is the wireless list?  :-)

John

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/cg/.