Re: [WIRELESS-LAN] MRTG/ARUBA

2011-07-09 Thread Ken Connell
Here are some useful oids.

We graph Total user count via cacti.

I use the others via some bash scripting and store to disk and web for stats.

 .1.3.6.1.4.1.14823.2.2.1.4.1.1 = Total User count
 .1.3.6.1.4.1.14823.2.2.1.4.1.4.3 = Web auth'd user count
 .1.3.6.1.4.1.14823.2.2.1.4.1.4.1 = 802.1x auth'd user count
 .1.3.6.1.4.1.14823.2.2.1.4.1.4.4 = MAC auth'd user count

 .1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3 = user names
 .1.3.6.1.4.1.14823.2.2.1.4.1.2.1.10 = AP Names
 .1.3.6.1.4.1.14823.2.2.1.4.1.2.1.5 = User Timeticks/uptime
 .1.3.6.1.4.1.14823.2.2.1.4.1.2.1.4 = user Role




Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Phil p...@stlawu.edu
Date: Saturday, July 9, 2011 2:18 pm
Subject: [WIRELESS-LAN] MRTG/ARUBA
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 Anyone have examples of MRTG/perl script for graphing user stats from ARUBA
  controllers?  More specifically, running ARUBA OS 6.0/6.1
  
  Thanks.
  
  
  
  **
  Participation and subscription information for this EDUCAUSE 
 Constituent Group discussion list can be found at 
 http://www.educause.edu/groups/.
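
One way to turn the per-user OIDs listed at the top of this thread into joined user/role/AP rows, as an added example (not code from the thread): it parses numeric snmpwalk output and joins the four columns on the row index. The sample walk is constructed, the function names are hypothetical, and the 10-part row index (client MAC followed by client IPv4 address) is an assumption about the table layout.

```python
import re
from collections import Counter

# Column OIDs from the thread; all four sit under the same table entry.
USER_ENTRY = ".1.3.6.1.4.1.14823.2.2.1.4.1.2.1"
COLUMNS = {"3": "user", "4": "role", "5": "uptime_ticks", "10": "ap"}

# Constructed sample of `snmpwalk -On` output (not captured from a controller).
# Assumption: each row index is 6 MAC octets followed by 4 IPv4 octets.
# The third client has no user-name line, as happens when a walk races a logon.
SAMPLE_WALK = """\
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.0.26.43.60.77.94.192.0.2.5 = STRING: "jdoe"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3.0.26.43.60.77.95.192.0.2.6 = STRING: "asmith"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.4.0.26.43.60.77.94.192.0.2.5 = STRING: "authenticated"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.4.0.26.43.60.77.95.192.0.2.6 = STRING: "authenticated"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.4.0.26.43.60.77.96.192.0.2.7 = STRING: "guest-logon"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.5.0.26.43.60.77.94.192.0.2.5 = Timeticks: (360000) 1:00:00.00
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.5.0.26.43.60.77.95.192.0.2.6 = Timeticks: (90000) 0:15:00.00
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.5.0.26.43.60.77.96.192.0.2.7 = Timeticks: (6000) 0:01:00.00
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.10.0.26.43.60.77.94.192.0.2.5 = STRING: "lib-2f-ap01"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.10.0.26.43.60.77.95.192.0.2.6 = STRING: "lib-2f-ap01"
.1.3.6.1.4.1.14823.2.2.1.4.1.2.1.10.0.26.43.60.77.96.192.0.2.7 = STRING: "eng-1f-ap03"
"""

LINE_RE = re.compile(r"^((?:\.\d+)+) = ([\w-]+): (.*)$")
TICKS_RE = re.compile(r"^\((\d+)\)")


def parse_walk(text):
    """Group walk lines by row index: {index: {column_name: value}}."""
    rows = {}
    prefix = USER_ENTRY + "."
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(prefix):
            continue  # not a line from the user table
        oid, typ, val = m.groups()
        col, _, index = oid[len(prefix):].partition(".")
        if col not in COLUMNS or not index:
            continue  # a column we do not collect
        if typ == "Timeticks":
            t = TICKS_RE.match(val)
            if not t:
                continue
            val = int(t.group(1))  # raw ticks, hundredths of a second
        else:
            val = val.strip().strip('"')
        rows.setdefault(index, {})[COLUMNS[col]] = val
    return rows


def decode_index(index):
    """Split the assumed MAC+IPv4 index; return None if it has another shape."""
    parts = [int(p) for p in index.split(".")]
    if len(parts) != 10 or any(p > 255 for p in parts):
        return None
    mac = ":".join(f"{p:02x}" for p in parts[:6])
    ip = ".".join(str(p) for p in parts[6:])
    return mac, ip


def sessions(text):
    """One dict per client, flagged incomplete if any column was missing."""
    out = []
    for index, row in sorted(parse_walk(text).items()):
        decoded = decode_index(index)
        mac, ip = decoded if decoded else (None, None)
        ticks = row.get("uptime_ticks")
        out.append({
            "mac": mac, "ip": ip,
            "user": row.get("user"), "role": row.get("role"), "ap": row.get("ap"),
            "uptime_s": ticks // 100 if ticks is not None else None,
            "complete": decoded is not None
                        and all(c in row for c in COLUMNS.values()),
        })
    return out


def users_per_ap(rows):
    """Client count per AP name, the figure one would graph or store."""
    return Counter(r["ap"] for r in rows if r["ap"])


if __name__ == "__main__":
    rows = sessions(SAMPLE_WALK)
    for r in rows:
        print(r)
    print(dict(users_per_ap(rows)))
```

Rows flagged incomplete are worth keeping rather than dropping, since a client with a role and an AP but no user name is exactly the record that is hard to attribute later.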
  
  



Re: [WIRELESS-LAN] option 43 for finding master controller

2011-06-02 Thread Ken Connell
After looking at your config the light bulb went off and we did a re-org on 
the config and got it working :)



Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Colantuoni, Robert r...@buffalo.edu
Date: Thursday, June 2, 2011 12:00 pm
Subject: Re: [WIRELESS-LAN] option 43 for finding master controller
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 Here's ours... we use option 43 and we set the 'campus' code later in 
 the config so that we can pass different controllers based on 
 different parts of the campus. The link in the comments will take you 
 to the cisco doc for their LWAPs.
  
  
  option campus      code 180 = string;
  option controllers code 43  = string;
  
  class "wireless_controller" {
      match hardware;
      default-lease-time 604800;   #  7 days.
      max-lease-time     1209600;  # 14 days.
      min-lease-time     604800;   #  7 days.
  
      # http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1130/1130hig5/113h_g.htm#wp1007971
      #
      # The hex string is assembled by concatenating the TLV values shown below:
      # Type + Length + Value
      #
      # Type is always f1(hex). Length is the number of controller management IP addresses
      #  times 4 in hex. Value is the IP address of the controller listed sequentially in hex.
      #
      # For example, suppose that there are two controllers with management interface IP addresses,
      #  10.126.126.2 and 10.127.127.2. The type is f1(hex). The length is 2 * 4 = 8 = 08 (hex).
      #  The IP addresses translate to 0a7e7e02 and 0a7f7f02. Assembling the string then yields
      #  f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the DHCP scope is listed below:
      #
      # option 43 hex f1080a7e7e020a7f7f02
  
      if config-option campus = "north" {
          log(error, "wireless controller - north");
          # North
          # 10.3.240.2 == 0A.03.F0.02
          # 10.3.240.4 == 0A.03.F0.04
          option controllers f1:08:0a:03:f0:02:0a:03:f0:04;
      } elsif config-option campus = "south" {
          log(error, "wireless controller - south");
          # South
          # 10.3.241.2 == 0A.03.F1.02
          # 10.3.241.4 == 0A.03.F1.04
          option controllers f1:08:0a:03:f1:02:0a:03:f1:04;
      } else {
          log(error, "wireless controller - no campus");
          log(error, "handing off no controllers!");
      }
  }
  
  
  ---
  Robert G Colantuoni
  Senior Programmer Analyst
  CIT - Network and Classroom Services
  SUNY Buffalo
  r...@buffalo.edu
  716.645.3552
  
  
   -Original Message-
   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
   [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danner, Mearl
   Sent: Thursday, June 02, 2011 11:37 AM
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: Re: [WIRELESS-LAN] option 43 for finding master controller
   
   Here's ours - at the top of dhcpd.conf. We got it from:
   
   http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml
   
   option space Cisco_LWAPP_AP;
   option Cisco_LWAPP_AP.server-address code 241 = string;
   
   class "Cisco AP c1130" {
       match if option vendor-class-identifier = "Cisco AP c1130";
       option vendor-class-identifier "Cisco AP c1130";
       vendor-option-space Cisco_LWAPP_AP;
       option Cisco_LWAPP_AP.server-address
           ac:1e:00:0d:ac:1e:00:96:ac:1e:00:97:ac:1e:00:98:ac:1e:00:99;
   }
   
   My assumption would be to declare the class definitions at the top and
   move the option line to the scope.
   
   Can't remember why we hex encoded the controller addresses.
   
   -Original Message-
   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
   [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken Connell
   Sent: Thursday, June 02, 2011 10:11 AM
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: Re: [WIRELESS-LAN] option 43 for finding master controller
   
   The following is at the top of my dhcpd.conf:
   option serverip code 43 = ip-address;
   class "vendor-class" {
       match option vendor-class-identifier;
   }
   .
   .
   .
   Scope is as follows:
   subnet 10.16.0.0 netmask 255.255.254.0
   {
       option broadcast-address 10.16.1.255;
       option domain-name "rbb.ryerson.ca";
       option domain-name-servers 141.117.100.1, 141.117.100.4;
       option routers 10.16.0.1;
       range 10.16.0.5 10.16.0.9;
       default-lease-time infinite;
       max-lease-time infinite;
       subclass "vendor-class" "ArubaAP" {
           option vendor-class-identifier "ArubaAP"
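
The Type + Length + Value assembly described in the dhcpd.conf comments quoted in this thread, as an added example (not code from any of the posters): it builds the option 43 string from a list of controller addresses, decodes an existing string back to addresses, and rejects strings whose length byte does not match. The function names are hypothetical, and the approved-list comparison is an addition for auditing what a DHCP scope hands to APs.

```python
import ipaddress

# Sub-option type quoted in the thread's comments: "Type is always f1(hex)".
CISCO_TYPE = 0xF1


def build_option43(controllers, sep=""):
    """Assemble type + length + value for a list of controller IPv4 addresses.

    sep="" gives the IOS-style string, sep=":" the dhcpd.conf string form.
    """
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    length = 4 * len(addrs)  # four bytes per address
    if length > 0xFF:
        raise ValueError("too many controllers for a one-byte length field")
    raw = bytes([CISCO_TYPE, length]) + b"".join(a.packed for a in addrs)
    return sep.join(f"{b:02x}" for b in raw)


def parse_option43(hexstr):
    """Decode an option 43 hex string (with or without colons) to addresses."""
    raw = bytes.fromhex(hexstr.strip().replace(":", ""))
    if len(raw) < 2:
        raise ValueError("truncated TLV header")
    typ, length, value = raw[0], raw[1], raw[2:]
    if typ != CISCO_TYPE:
        raise ValueError(f"unexpected type byte {typ:#04x}")
    if length != len(value):
        raise ValueError(f"length byte says {length}, value has {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("value is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def unexpected_controllers(hexstr, approved):
    """Return addresses in the option that are not on the approved list."""
    allowed = {ipaddress.IPv4Address(a) for a in approved}
    return [ip for ip in parse_option43(hexstr)
            if ipaddress.IPv4Address(ip) not in allowed]


if __name__ == "__main__":
    # Worked example from the quoted comments.
    print(build_option43(["10.126.126.2", "10.127.127.2"]))
    # The "north" value from the quoted config, in dhcpd.conf form.
    print(build_option43(["10.3.240.2", "10.3.240.4"], sep=":"))
    # The "south" value decoded back to addresses.
    print(parse_option43("f1:08:0a:03:f1:02:0a:03:f1:04"))
    # A string mixing a north and a south controller, checked against north.
    print(unexpected_controllers("f1080a03f0020a03f104",
                                 ["10.3.240.2", "10.3.240.4"]))
```

With the vendor-option-space form quoted earlier in the thread (code 241), dhcpd supplies the type and length bytes itself, so only the address bytes appear in the config; prefixing f1:14 to that value gives a string parse_option43 accepts.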

Re: [WIRELESS-LAN] NAT in large scale wireless networks

2008-07-04 Thread Ken Connell
Stan...

Since we've touched on Aruba and Syslog...I have a question...

We too are an Aruba shop, and do push info to a syslog server. In previous code 
2.x, as you mentioned, an authentication log would include username, mac, IP, 
and AP...but since we've upgraded to 3.x, it seems the username and mac/IP 
have been separated and are no longer tied together. I do get username 
authentications, and mac/IP info, but I have no way of tying them together...

What ver code are you running and/or do you have the same issue?



Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Brooks, Stan [EMAIL PROTECTED]
Date: Thursday, July 3, 2008 5:39 pm
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 Greg,
  
  Depending on the code version, you can set the logging levels to 
 capture user associations and authentications to a syslog server.  The 
 data logged includes the location name/group of the AP the user 
 connected to, the SSID, along with the user's MAC, IP and user ID.
  
   - Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
  AIM/Y!/Twitter: WLANstan
 MSN: [EMAIL PROTECTED]
  GoogleTalk: [EMAIL PROTECTED]
  
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:[EMAIL PROTECTED] On Behalf Of Scholz, Greg
  Sent: Thursday, July 03, 2008 8:55 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
  
  Stan,
  Can you tell me what type of location information you get and from what
  log? 802.1x/WPA-Enterprise, so we have usernames and locations in our
  logs
  
  We are trying to figure out if there is a way to determine what APs user
  are/have been on but all we have seen in the radius logs is the
  controller as the NAS.
  
  
  Thanks,
  Greg
  
  
  
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv
  [mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan
  Sent: Wednesday, July 02, 2008 6:34 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
  
  Mike,
  
  We, too, are an Aruba shop, and have been doing NAT on our academic and
  ResNet wireless networks for about a year now.  Two years ago, we ran
  out of IP addresses on our wireless network on Move-In Weekend and had
  to scramble to add additional subnets - a scarce commodity here at
  Emory.  To prevent that from happening last year, we implemented NAT for
  our wireless clients and now have plenty of address space for our
  growing user base.
  
  We let the Aruba controllers perform the NAT function (very easy to set
  up - just a firewall rule in the user role in the Aruba config). We've
  not had any complaints from users regarding NAT issues; we were
  concerned that it might break some apps, but no problems have been
  observed or reported.  We've even got our homegrown NAC (NetReg/CAT)
  working over the wireless, too - NetReg DHCP traffic is not NAT'ed, but
  all other traffic is.  This all works great, thanks to the Aruba
  capabilities.
  
  The only issue we've had with NAT has been voiced by Philippe - DMCA
  notices are hard to isolate.  Our wired network has some protection in
  place to identify and reduce peer-to-peer traffic (Tipping Points), so
  we don't generally get a lot of notices.  User tracking and RF location
  still works well as those are functions of the radio and authentication
  subsystems.  Our academic users log on using 802.1x/WPA-Enterprise, so
  we have usernames and locations in our logs.  Connecting those usernames
  to the NAT pool IP addresses is the hard part.
  
  I'd be happy to share some basic configuration tips and tricks regarding
  NAT with you off-list, or on-list if others are interested.
  
  BTW - We've been NAT'ing our guest access users since day one on the
  Aruba equipment.  Guests log in through the captive portal and are
  given limited access - bandwidth limited web access and VPN access back
  to their home organizations.
  
   - Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
  AIM/Y!/Twitter: WLANstan
 MSN: [EMAIL PROTECTED]
  GoogleTalk: [EMAIL PROTECTED]
  
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv
  [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
  Sent: Tuesday, July 01, 2008 9:47 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] NAT in large scale wireless networks
  
  Though we currently have enough available routed IP space for our
  wireless clients we are looking toward the future and wondering if
  NAT-ing the wireless network makes sense

Re: [WIRELESS-LAN] WAP Enclosures

2008-04-14 Thread Ken Connell
We have never used any type of enclosures. 
In the past 9 years we've had only 2 APs stolen, but we tend to install our APs 
in sight below the ceiling. 
Users know what they are, and knocking them down is only going to affect their 
access, so for the most part they're left untouched. 

We have had issues with leaving them in the ceiling though...contractors will 
come in and demo a room which has APs and I find out the hard way that a 
particular area is under reno...with the APs below ceiling, they usually ask 
about it, and I get a call about removing APs before renos start...




Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Jim Gogan [EMAIL PROTECTED]
Date: Monday, April 14, 2008 9:51 am
Subject: [WIRELESS-LAN] WAP Enclosures
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 I'm curious to know what other campuses are doing in regards to ceiling
 enclosures for access points.
 
 We've been using PANDUIT-PZXIFIED and PANDUIT-PZW2X2DCB ceiling
 enclosure hardware but our Facilities folks and our Infrastructure
 Engineering folks in conversations with the State Building Code officers
 have determined that the labor/installation costs for those enclosures
 are now going to go up (see below) and, well suffice it to say, when it
 gets to the point that the enclosures themselves start to get closer in
 cost to the APs, you gotta wonder.
 
 Would be interested to hear what others are doing in this regard.
 Thanks in advance.
 
 -- Jim Gogan
 Director, Networking / ITS Telecommunications
 Univ of North Carolina at Chapel Hill
 
 
  Original Message 
 Subject: Re: WAP - Mounting Brackets and Enclosures - Support Requirements Research and Conclusions-11-01-07
 Date: Fri, 04 Apr 2008 11:41:18 -0400
 
 All:
 
 I just concluded a conversation with Mike Ward...Department of
 Insurance Risk Management (Electrical Section) State Building Code
 Enforcement Officer...the AHJ (Authority Having Jurisdiction) on Campus.
 
 Mr. Ward had done research regarding our request for clarification on
 the support requirements for WAP (Wireless Access Point) back boxes.
 
 Simply stated:
 
 * to satisfy NEC requirements...the back box must be secured to the
 ceiling grid system w/ approved clips or brackets.
 
 * to satisfy DOI requirements...the back box must be secured to the
 building support structure.
 
 This can be accomplished by securing at least a single support
 wire...of gauge adequate to support weight of device...from the back
 box to an anchor in structure. The anchor may be new...or an existing
 ceiling support eye (existing support of grid system) or an anchor in
 structure that currently is used in support of duct work...conduit
 trapeze...etc.
 
 Thank you.
 


Re: [WIRELESS-LAN] Adding wireless without losing the jacks?

2007-12-30 Thread Ken Connell
For the most part, our wired network is up 100% of the time and fully redundant 
in the core and data centers. Edge devices such as L2 switches if down will be 
replaced ASAP, so users pretty much know the wired network is always avail...

With our wireless, even though it's virtually up 100% of the time, our 
'wireless policy' states there are no guarantees. Faculty/staff therefore shy 
away from living on the wireless. 

Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Michael Dickson [EMAIL PROTECTED]
Date: Thursday, December 27, 2007 1:24 pm
Subject: [WIRELESS-LAN] Adding wireless without losing the jacks?
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 Wondering if others face a similar situation and what they are doing
  about it. In short, what is *wireless* used for and what is *wired* used
  for and how are the intended uses enforced?
  
  We currently have a funding model that includes a per-jack monthly
  charge for wired users. As we add wireless coverage to these
  traditionally wired floors we are faced with the potential of canceled
  jacks and a migration to wireless. If other schools have a similar
  funding model, how have you dealt with this issue?
  
  How are other schools dealing with a wireless overlay in traditionally
  fully wired areas with respect to migration onto wireless? Is migration
  away from the jacks desired? Is it suppressed through policy
  restrictions? What has worked for ensuring the wired infrastructure is
  still used? Just saying stay on the jack for better performance and
  security doesn't appear to be enough.
  
  In IT we often discuss the need to upgrade older Cat3 jacks to the
  newest cabling, as well as install wireless coverage in the same areas.
  These two efforts seem at odds with each other and appears financially
  risky to management. How are schools achieving harmony in a mixed
  wired/wireless world?
  
  Thanks,
Mike
  
  ---
  Michael Dickson
  Network Analyst
  University of Massachusetts Amherst
  Network Systems and Services
  [EMAIL PROTECTED]
  


Re: [WIRELESS-LAN] Classroom wireless WAP counts

2007-12-14 Thread Ken Connell
We are currently running a 4-channel plan with Aruba gear and try to max out 
with 25 clients per radio...I try not to have more than 4 WAPs in any one room 
because of the channel limitations, but we do have a few cases, like a 500 
seat lecture hall, where we have 12 WAPs in the room.
We let Aruba take care of the RF and power levels...so far so good

I try to add/plan for one or two more WAPs than needed and disable (or not 
install some but have cabling/PoE avail if need be)...of course that's only if 
budget allows...



Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Gruenhagen, Timothy T. Mr. [EMAIL PROTECTED]
Date: Friday, December 14, 2007 12:23 pm
Subject: [WIRELESS-LAN] Classroom wireless WAP counts
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 I am working to develop a rule of thumb number of seats per classroom 
 WAP for our institution.  I realize that it is a highly variable ratio 
 depending on what type of applications are being run, size of room, 
 etc.  I'm considering 1 WAP per 25- 50 seats.  Does anyone have a 
 number they  use for a starting point?
  
  Thanks,
  Tim Gruenhagen
  Manager of Network Engineering
  Miami University
  Oxford Ohio
  


Re: [WIRELESS-LAN] Guest wireless access at University Conference Centers

2007-09-14 Thread Ken Connell
Here at Ryerson University we have GUEST SSID with captive portal along with a 
username/password which changes daily and is available to faculty/staff from 
our helpdesk.
Special GUEST accounts can also be created to be valid for days or weeks if 
need be.

Those accounts are then limited to web access only.

Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: John Center [EMAIL PROTECTED]
Date: Friday, September 14, 2007 9:20 am
Subject: [WIRELESS-LAN] Guest wireless access at University Conference Centers
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 Hi,
 
 We're planning to offer guest wireless access at our Conference Center.
 Several questions have come up as to how much information we need to
 collect from guests, and how long we would need to retain the
 information.  We were wondering what other schools are doing in this
 regard.  Any information you would share with us would be greatly
 appreciated.
 
 Thanks.
 
   -John
 
 -- 
 John Center
 Assistant Director
 Network/Communications
 Office for University Information Technologies
 Villanova University
 


Re: [WIRELESS-LAN] Cisco vs. Meru article

2007-06-15 Thread Ken Connell
Kevin, 

Regarding feedback on Aruba, I can tell you this:

We've been extremely happy with Aruba's solution which has allowed us to load 
balance users with ease, manage our WLAN from one GUI, and config changes are 
a snap.

We had a thick AP (Proxim) deployment of 150 AP's and had major issues with the 
classroom environment. Every time there was a test with 40-50 students there 
were always complaints afterwards with connectivity and throughput issues.

Our deployment strategy now is based more on user count and not coverage.
We have some classrooms that have up to 9 AP's with a 4 channel plan and Aruba 
takes care of the channel assignment and radio power levels.
We've had plenty of online tests and the results for us have been like night 
and day ...



Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Kevin Whitney [EMAIL PROTECTED]
Date: Thursday, June 14, 2007 2:37 pm
Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 May be a little off subject but I would like to post question out there
 as it seems there are some happy Meru users here on this forum..
 
 Any thoughts or advice on implementing/selecting a wireless system for
 use in a High School environment ? 
 
 Specifically, would love any feedback on pros/cons of a central
 controller based system (ie -Meru, Aruba, etc) vs installing Fat AP's
 around our building.
 
 While our needs are quite simple I am sure, compared to the size of
 other user's who have posted,  I can see there is a great deal of
 knowledge and experience in this area. Basic site surveys conducted here
 have indicated we need somewhere around 25 access points to provide
 coverage throughout our building.
 
 Appreciate any input on this subject.
 
 Kevin Whitney
 District Technology Coordinator
 Cresskill Public Schools
 1 Lincoln Drive
 Cresskill, NJ 07626
 201-541-4162
 [EMAIL PROTECTED]
 http://www.cresskillboe.k12.nj.us
 
 
 
 
 
 -Original Message-
 From: Dave Molta [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, June 14, 2007 12:21 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article
 
 Debbie,
 
 They were Intel 2915 clients. I have some pretty dense spreadsheets
 covering various permutations of clients and infrastructure if you are
 interested in seeing raw results. We didn't come away from this with any
 firm conclusions about what's good and what's bad (I guess we've learned
 our lesson about pointing the finger too soon!). What was most
 interesting to us was the fact that there was so much variation, which
 is something we didn't expect from such a mature standard.
 
 dm 
 
  -Original Message-
  From: debbie fligor [mailto:[EMAIL PROTECTED]
  Sent: Thursday, June 14, 2007 11:59 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article
  
  On Jun 14, 2007, at 10:24, Dave Molta wrote:
  
   Just to elaborate a bit, the article James sent around was not the
   original Meru-Cisco feature story but rather a column that reports on
   results of subsequent testing. In this column, I reported three
   things. First, Cisco was unsuccessful in getting the Wi-Fi Alliance to
   rescind Meru's certification. Since WFA certifies interoperability
   rather than standards compliance, this is not proof that Meru isn't
   stretching standards a bit but it still casts a cloud over Cisco's
   allegations. Second, I reported findings from subsequent tests where
   we added Aruba to the mix and found that Cisco's performance also
   cratered when co-located with Aruba gear.
   Again, that could indicate that Aruba is also somehow playing foul as
   well (Cisco speculated that they might be using a variation of PCF
   interframe spacing, though Aruba denied it) but it doesn't look that
   way to me. Finally, we decided to re-run these interference tests with
   different mixes of clients, using Atheros, Broadcom, and Intel
   chipsets. We found significant differences in the performance results.
   Atheros-based clients performed best.
  
  Something I noticed in the article was that Meru did the worst with
  Intel chipsets, but which chipset wasn't mentioned.
  
  The 3945 Intel micro code bug makes them work very poorly with Meru
  and causes some problems with other vendors APs.
  We've been waiting for an update from Intel, but still don't have it.
  What Intel has done is ceased to sell that chipset
  -- this worries me that there won't be a microcode fix, but at least we
  won't have new equipment coming in with that card.
  
  So if the testing was with all 3945 cards, I don't think that
  accurately indicates Meru doesn't work well with Intel in general.
  Dave do you happen to know what the cards were?
  
  For those not following the problem

Re: [WIRELESS-LAN] wireless guest access

2007-02-26 Thread Ken Connell
We have a GUEST SSID with WEP and captive portal.

There is a daily username/password any faculty/staff member can get for the 
day, or accounts can be made for guests who need access for longer periods.

So far that's worked for us...

Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Lee Badman [EMAIL PROTECTED]
Date: Monday, February 26, 2007 1:05 pm
Subject: Re: [WIRELESS-LAN] wireless guest access
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

 Would like to expand out Kevin's question- what of wireless access for
 guests, and for the non-affiliated folks (anonymous) that might end up
 on campus? 
 
 Anybody rethinking any of their sponsored guest/open access policies
 because of CALEA concerns?
 
 Regards-
 
 
 
 Lee Badman
 Network/Wireless Engineer
 Syracuse University
 315 443-3003
 
  Kevin Lanning [EMAIL PROTECTED] 2/26/2007 12:46:48 PM 
 Wondering what academic institutions are doing these days regarding 
 wireless access for guests?
 -- 
 --
 Kevin Lanning
 lanning at unc.edu
 


Re: [WIRELESS-LAN] Guest access

2006-03-31 Thread Ken Connell
We take our GUEST traffic, wired and/or wireless, pump that through a
vlan which sits behind some RovingPlanet equipment and pass on
username/password to a different leaf in LDAP that's specific to GUEST
accounts.


Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Entwistle, Bruce [EMAIL PROTECTED]
Date: Thursday, March 30, 2006 7:32 pm
Subject: [WIRELESS-LAN] Guest access

 We have recently installed a wireless network on a portion of the
 campus.  The student and administrators are all authenticated through a
 front end device which validates user accounts against an LDAP server
 running on a domain controller.   However we now have the requirement
 for guests of the campus to connect to the wireless network.  We have
 some ideas how we would like to handle this issue but are curious as to
 what others have done to accommodate these guest connections.  Please
 let me know.
 
 
 
 Thank you
 
 Bruce Entwistle
 
 Network Manager
 
 University of Redlands
 
 


Re: [WIRELESS-LAN] Wireless Power! Finally

2006-03-31 Thread Ken Connell
Is this for real, you gotta be kidin me...
I love the warning...

Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Ryon Price [EMAIL PROTECTED]
Date: Friday, March 31, 2006 11:38 am
Subject: [WIRELESS-LAN] Wireless Power! Finally

 Now I can get rid of all those POE injectors.
 
 http://www.thinkgeek.com/stuff/41/wec.shtml?cpg=28H
 
 Ryon Price  - WLAN Manager
 Information Technology
 Utah Valley State College  
 Office :  (801) 863-7019
 [EMAIL PROTECTED]
 


Re: [WIRELESS-LAN] Wireless Guest Access

2006-03-22 Thread Ken Connell
We offer guest access with captive portal.
Users must ask for access and a temp account will be created.

Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: David Gillett [EMAIL PROTECTED]
Date: Wednesday, March 22, 2006 3:25 pm
Subject: Re: [WIRELESS-LAN] Wireless Guest Access

  At the moment, all of our access is guest except for specific
 client laptops that belong to the college.  This will provide access
 to our portal when it comes online, so users with portal accounts
 will be able to reach additional resources through that.
  Eventually, deployment of Identity Management and 802.1x and VPN
 may, in some combination, allow us to offer non-guest access at 
 the wireless connection, but that's still somewhere in the pipeline.
 
  Note that there are a variety of wireless security products 
 which focus on access to the wireless service, and so don't apply 
 if you offer guest access.  Instead, attention needs to focus on
 where can these clients get to, and that applies as well to open
 wired ports (we're starting to see these in some classrooms and 
 drop-in areas) as to wireless.
 
 David Gillett, CISSP CCNP
 Foothill-DeAnza College District
 
 
  -Original Message-
  From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED] 
  Sent: Wednesday, March 22, 2006 12:03 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] Wireless Guest Access
  
  We are exploring the possibility of offering guest wireless 
  access and I would like to get a feel for how others might be 
  handling it.  Any and all information and opinions will be 
  greatly appreciated.
  
  Thanks,
  Cully
  
  Cully Bennefield
  Baylor University
  


Re: [WIRELESS-LAN] Free WiFi Hotspot Authentication

2006-03-17 Thread Ken Connell
A simple linux box with http://nocat.net/ will do the trick for you.
It's basically a box with 2 nics and captive portal that will re-write 
iptables rules.
Not too sure about the logging though...


Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Bill Barge [EMAIL PROTECTED]
Date: Thursday, March 16, 2006 7:16 pm
Subject: [WIRELESS-LAN] Free WiFi Hotspot Authentication

 I am looking for help/ideas on solving a problem.
   
  I have a small sandwich shop/deli.  I am swamped from about 
 11:15 to 1:15 each day, but am pretty dead otherwise.  A few weeks 
 ago, I put a wireless access point in my shop and advertised in 
 the window that I now have free WiFi Internet.  I now have a few 
 regulars that come in with their laptops, but I have not had 
 problems (yet).
   
  I am using a Netgear wireless router switch.  It was about $10 
 on sale at Staples.
   
  I would like to track who is using my Internet.  I looked at a D-
 Link setup that would print receipts with an access code, but that 
 is $900.  
   
  I would like to identify each user (via MAC address?) and record 
 where they go while online, how long, etc.
   
  Any suggestions?
   
  Thanks,
  Bill
   
 
   


Re: [WIRELESS-LAN] Guest Access

2006-01-31 Thread Ken Connell
We provide GUEST access as follows:

- The SSID is not hidden
- Static WEP. They are given the key (don't want every Tom, Dick & Harry 
associating just because)
- Captive Portal with limited rights
- Given an ID for x amount of days which is in LDAP

We have a group/dept that deals with users coming on-site for conferences, 
meetings, and so on...
They have a GUI to input guest names into LDAP and provide basic support for 
the guest users.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Casey, J Bart [EMAIL PROTECTED]
Date: Tuesday, January 31, 2006 12:07 pm
Subject: [WIRELESS-LAN] Guest Access

 Hey All,
 
 
 
 It has been deemed necessary by the powers that be that we provide some
 level of wireless access to guests on our campus.  Some of these people
 might include members of the Media for athletic events, alumni visiting
 the campus, and guest professors/speakers.  While I am not exactly
 thrilled about the idea, I can certainly understand the need.  I would
 like some feedback on how other schools are handling issues such as
 this.
 
 
 
 Our current wireless network is comprised solely of Cisco Aironet 1200
 series APs.  We use a single SSID which allows authenticated users to be
 placed in a wireless VLAN.  We do not beacon our SSID.  In order to
 connect to the wireless network, our users must know the SSID.  We
 require users to install a secure certificate, and also require them to
 authenticate their domain user credentials against a radius server.  We
 currently use IAS but are migrating to CSACS.
 
 
 
 My initial plan is as follows:
 
 
 
 1. Determine which APs are going to provide this guest access.
    Guest access won't be necessary for all APs
 2. Configure the selected APs with a second SSID
 3. Create a new VLAN for the second SSID
 4. Place users who use the second SSID into the new VLAN
 5. Only allow the new VLAN to access the internet
 6. Limit the bandwidth to the internet to about 512Kbps  (This
    should be sufficient for the Media's needs and allow any guest to
    check email etc.)
 7. Provide some sort of security but not as in depth as we
    currently use.
 
 
 
 
 
 What are your comments on beaconing the new SSID?
 
 What are your thoughts on security and encryption?
 
 Does a user that connects to our network have expectations of security
 and encryption?
 
 Are we obligated to provide some sort of security and encryption to
 protect these guest users?
 
 At what point does administrative burden overcome security?
 
 
 
 
 
 Your thoughts and ideas are greatly appreciated.
 
 
 
 Thanks in advance,
 
 
 
 J. Bart Casey
 
 


Re: [WIRELESS-LAN] Quick Wireless Survey

2006-01-25 Thread Ken Connell
1. Number of users on your Wireless network?
- Typical day ranges from 400 to 1000

2. Number of AP’s?
- just over 200 (mix of Aruba & Proxim)

3. What type of line do you have (i.e T1, T3)?
- 100Meg, 40Meg, 

4. How many lines do you have (Just for wireless)?
- nothing dedicated

5. What type of speed do your students get (both download and upload), just an 
average?
- Not sure, but P2P apps are throttled
 

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Patel, Amish [EMAIL PROTECTED]
Date: Wednesday, January 25, 2006 12:18 pm
Subject: [WIRELESS-LAN] Quick Wireless Survey

 Hello everyone,
 
 I just wanted to do a quick survey about wireless, if you have a minute
 your input would be greatly appreciated.
 
 1. Number of users on your Wireless network?
 2. Number of AP's?
 3. What type of line do you have (i.e T1, T3)?
 4. How many lines do you have (Just for wireless)?
 5. What type of speed do your students get (both download and upload),
    just an average?
 
 Thank you in advance,
 
 Amish Patel
 Computer Services
 The John Marshall Law School
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
 312-427-2737 x550
 
 


Re: [WIRELESS-LAN] wireless survey results

2005-07-18 Thread Ken Connell
Here at Ryerson people visiting and wanting wireless access are to
contact our conference services at which point a staff member will enter
in a temporary user ID into LDAP via a custom web page and choose a date
to expire that entry.
The user then falls into 1 of 3 guest networks and is forced to login
via captive portal.



Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: ray [EMAIL PROTECTED]
Date: Monday, July 18, 2005 10:42 am
Subject: Re: [WIRELESS-LAN] wireless survey results

 Here's how we handle guest access.  All of our APs are on a separate VLAN
 behind a linux firewall/router.  Your mac address must be registered in
 LDAP before you're permitted past the firewall (which is done online).
 
 For guests, they have to know someone on campus.  They click the guest
 link on the wireless login page, fill in their name, email, company, and
 the email address of someone they know on campus (with selu.edu domain).
 That person will get an email saying Joe Somebody wants wireless access,
 click here to approve it or ignore this message to deny it.  If they
 approve, the guest will be allowed wireless access for two days.
 
 It isn't the best security, it's basically the honor system.  But it's a
 good tradeoff between security, usability, and low administration.  To
 date, we haven't had any problems with anyone abusing the guest system.
 I'd also like to hear how others are handling guest access.
 
 ray
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Ray DeJean                       http://www.r-a-y.org
 Systems Engineer                 Southeastern Louisiana University
 IBM Certified Specialist         AIX Administration, AIX Support
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
 
 
 On Mon, 18 Jul 2005, Scott, Candice C wrote:
 
  Good morning, All.
  
  I would also like to know what other campuses are doing for guest
  access.  We have several camps here during the summer and this is
  the first year that we've also had people assuming that they could
  get access -- also assuming no charges for it.
  
  Have any of you been down this road?  How are you handling it?
  
  thanks --
  candice
  
  
  Candice Scott
  Dir. of Library and IT Services
  Schreiner University
  Kerrville, TX  78028
 
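The sponsor-approved guest flow Ray DeJean describes above, combined with the expiring guest entries from Ken Connell's reply, sketched as an added example that is not code from either poster or their institutions. The `GuestRegistry` class, its method names, the in-memory dictionaries standing in for LDAP, and the random approval token are all assumptions; only the selu.edu sponsor domain and the two-day lifetime come from the thread.

```python
import secrets
from datetime import datetime, timedelta

SPONSOR_DOMAIN = "selu.edu"          # sponsor domain named in the thread
GUEST_LIFETIME = timedelta(days=2)   # "allowed wireless access for two days"


class GuestRegistry:
    """In-memory stand-in for the LDAP guest entries (assumption)."""

    def __init__(self):
        self.pending = {}   # approval token -> guest MAC awaiting a sponsor
        self.expires = {}   # guest MAC -> time at which access ends

    def request(self, mac, sponsor_email):
        """Guest submits the form; returns the token mailed to the sponsor."""
        local, _, domain = sponsor_email.lower().rpartition("@")
        # Exact match on the domain: "selu.edu.example" must not pass.
        if not local or domain != SPONSOR_DOMAIN:
            raise ValueError("sponsor must have a campus address")
        token = secrets.token_urlsafe(32)   # unguessable, so guests cannot self-approve
        self.pending[token] = mac.lower()
        return token

    def approve(self, token, now):
        """Sponsor clicks the link; an ignored e-mail leaves access denied."""
        mac = self.pending.pop(token, None)   # pop makes the link single use
        if mac is None:
            return False
        self.expires[mac] = now + GUEST_LIFETIME
        return True

    def is_allowed(self, mac, now):
        """Firewall-side check: only approved, unexpired MACs get through."""
        expiry = self.expires.get(mac.lower())
        return expiry is not None and now < expiry


if __name__ == "__main__":
    reg = GuestRegistry()
    start = datetime(2005, 7, 18, 10, 0)           # constructed sample time
    tok = reg.request("00:11:22:AA:BB:CC", "staff@selu.edu")
    print(reg.is_allowed("00:11:22:aa:bb:cc", start))   # before approval
    reg.approve(tok, start)
    print(reg.is_allowed("00:11:22:aa:bb:cc", start + timedelta(days=1)))
```

The expiry is checked on every lookup rather than relying on a cleanup job, so a stale entry left in the directory does not keep granting access.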