RE: [WIRELESS-LAN] idEngines AAA server

2007-11-16 Thread King, Michael
The short answer (I'm a little pressed for time this morning)

The Ignition server (The radius server) has a lot of policy features,
that are very well laid out.  We're slowly implementing policy based
wireless networking using the policy features.  Immediate plans are to
have our Staff and Students on separate VLANS. (This is determined via
group membership in Active directory)

We are using the Guest Manager, and the Autoconnect Product.  We have an
Open broadcasted SSID out there, that resolves back to a splash page.
The splash page has two buttons.  The top button launches Autoconnect,
which will configure all the 802.1x settings for our Staff/Students
(anyone with a BSC account).

The bottom button launches the guest manager application, which allows
the user to create a time limited account. (We have a bunch of other
restrictions on it like bandwidth, and access to college resources).
After the account is created, it then launches the Autoconnect to
configure their wireless settings.

We are also using the above mentioned Policy features, so our Guest
users are on the same SSID, but they are on a third VLAN.

From your use requirements, it sounds like the Provisioner feature is
right up your alley.  As the Guest Manager Admin, you can create
Provisioners.
Each Provisioner account can be configured for the max amount of time
they are allowed to create accounts, what access zones, and network
rights are allowed (This all ties back to the policy features.)
A Provisioner can be configured to:
1.  Not be able to see or edit password.
2.  Edit but not see password (Reset it)
3.  See and edit password.

Please don't hesitate to ask more questions.

Mike

-Original Message-
From: Hector J Rios [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 4:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] idEngines AAA server

Mike, 

We demoed the product last week and we were very impressed. In fact, the
amount of features and things you can do with it were actually
overwhelming. I'm interested to hear how you are using it and exactly
what features you've found helpful that other products don't have. In
particular, I liked the guest manager because it allows you to provide
an interface to your users to be able to create guest accounts and also
manage them. We currently have an application that we wrote in-house
where our staff and faculty can go to to create guest accounts for up to
seven days. The challenge is that among our staff and faculty, there are
those that have special needs and need to be able to create accounts for
longer than 7 days, change passwords, that kind of thing. I know this is
not available now, but I was told that with guest manager you will be
able to provide this type of access. In our case, we authenticate users
via AD. So if and when this feature becomes available, we should be able
to create an AD group where we can add the users with special needs.

The other reason why we are interested in idEngines is because if you
create guest accounts using Cisco's Lobby Ambassador (if you are
familiar with WCS), those accounts are only valid for WLANs with
WebAuth.  We've been having to pull all kinds of tricks to be able to
create accounts for our secure PEAP WLAN, our guest WebAuth WLAN, and
our wired LAN. It would be nice to have one interface that does it all.

Thanks,

-Hector


-Original Message-
From: King, Michael [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] idEngines AAA server

We have it here.  You may contact me on or off list.  (We also have the
Autoconnect product, and the Guest Manager)

Mike

-Original Message-
From: Hector J Rios [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 9:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] idEngines AAA server

This is for those of you that are familiar with idEngines' AAA server,
Ignition Server. We are considering this product to replace our Cisco
ACS servers. From what I've seen so far, the Ignition Server seems much
more granular and feature-rich. One of the features that we liked the
most is their Guest manager. Is there anybody that is currently using
this product? I'd be interested to hear what you think about it.

Thanks

Hector Rios
Telecommunications Analyst, NI
LSU Information Technology Services

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] idEngines AAA server

2007-11-15 Thread King, Michael
We have it here.  You may contact me on or off list.  (We also have the
Autoconnect product, and the Guest Manager)

Mike

-Original Message-
From: Hector J Rios [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 9:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] idEngines AAA server

This is for those of you that are familiar with idEngines' AAA server,
Ignition Server. We are considering this product to replace our Cisco
ACS servers. From what I've seen so far, the Ignition Server seems much
more granular and feature-rich. One of the features that we liked the
most is their Guest manager. Is there anybody that is currently using
this product? I'd be interested to hear what you think about it.

Thanks

Hector Rios
Telecommunications Analyst, NI
LSU Information Technology Services



RE: [WIRELESS-LAN] WCS 4.2

2007-11-07 Thread King, Michael
Doug,

Every release that you put on a Controller loads new software onto the
AP's.  There is always downtime with an upgrade.

Also, they upped the limit in the 4.0.206 to 10 APs at a time.

-Original Message-
Also the 4.2.62 has new code for the access points, so each will need to
download the new code.  Remember this takes about 4 minutes per access
point and each WLC can only upgrade 4 at a time, so 8 per WiSM.  If you
have a large installed wireless network plan on this downtime. 



RE: [WIRELESS-LAN] Authentication method comparison

2007-10-23 Thread King, Michael
Hi Don,

 

You could look at IDEngines.  They sell a service (Autoconnect) that
scripts the install of the 802.1x Supplicant on Windows / Mac

 

We currently use the built-in XP/Vista Supplicant with PEAP, but I know
that IDEngines also supports (and distributes) the SecureW2 client.
They are also funding the opensource development of the
http://open1x.sourceforge.net/ agent as well.

 

We used the Autoconnect service this fall, and it significantly reduced
the amount of people that needed Wireless Config. 

 

 

Michael King

Technology Systems  Networking

Bridgewater State College

From: Wright, Donald [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 23, 2007 1:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Authentication method comparison

 

We currently have a WPA wlan using TTLS as the auth method and
SecureW2 for the PC client software.  We occasionally receive trouble
calls from users having issues with SecureW2, and are now being asked if
there is a more user-friendly auth method we could move to.  I know
the short list of other reasonable possibilities comes down to TLS and
PEAP.  Since we don't have our users' credentials stored in AD, and we
don't currently have a PKI, neither of those would seem to be a
possibility for us right now.

I am wondering about others' experiences with using any of the
above auth methods, in particular from the user perspective.  Are there
still client issues with TLS or PEAP?  Are those configurations
scriptable for the client?   How well do these other methods work with
Macintoshes?  Is anyone else having significant user issues with
SecureW2?  Has anyone had success with the supported third-party TTLS
clients, Odyssey, etc.?

Don Wright

Network Technology Group

Brown University



RE: [WIRELESS-LAN] Vendor Choice

2007-10-19 Thread King, Michael
Just for reference, we chose Cisco  LWAPP.

 

I personally feel you can't go wrong with either choice.

 

Aruba has some cool features Cisco doesn't have, and Cisco has some cool
features Aruba doesn't have. 

 

Choose based on the features you want, not on the features you may never
use.

 

I'd be interested to see Frank Bulk's take, since he's done a bunch of
real-world interop testing with both vendors.

 

Mike

 

From: Jay Howell [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 19, 2007 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Vendor Choice

 

I am in the process of evaluating vendors for a campus-wide rollout of
wireless. I have narrowed my choices down to Cisco and Aruba. We are
planning on creating three roles which are faculty/staff, student, and
guest. Each of these roles will have varying degrees of access to systems
on the network. Because of manpower issues we will be broadcasting the
SSID and using Novell's LDAP to authenticate to the system. We are not a
Cisco shop so there is no advantage either way as far as dropping into
our existing system. 

My question is are there any gotchas I might be missing with these two
vendors? From what I have seen, both systems seem to work nearly
identically. You can access the same information from each controller,
and both are self-healing when an AP goes out. Are there any support
issues I should be aware of? We plan on making our decision around the
first of November, so I look forward to any comments this group might
have. 

-- 
*
Jay Howell
Executive Director of Information Technology
Chowan University
Ph: 252-398-6361


RE: [WIRELESS-LAN] Open Cisco Controller Caveat/DHCP issue

2007-10-05 Thread King, Michael
The bug (thru cisco's bug tool) specifically calls out a customer using
Symbol scanners, and having them all power on at once.

 

I wasn't going to post because I thought you had read the actual bug
text.

 

From the Cisco bug tool  (Which is working a bit spastically this
morning)

 

Symptom:
symptom
When 200+ wireless clients are trying to associate to a WLC at the same
time,
the WLC starts experience problems:
1. scanners stuck in DHCP_REQD state. The attached sniffer trace 
shows that the WLC receive DHCP offer from an external DHCP 
server, but the WLC does not send out the DHCP offer in LWAPP
2. the following message is logged in show tech:
apf_policy.c:258 APF-1-MOBSTA_ADD_FAILED: Unable to add mobile
xx:xx:xx:xx:xx:x to PEM module:
3. CPU is running high (e.g. 70+%)
symptom
When the partner power off 200+ Symbol scanners, the WLC
starts experience problems:
1. scanners stuck in DHCP_REQD state. The attached sniffer trace 
shows that the WLC receive DHCP offer from an external DHCP 
server, but the WLC does not send out the DHCP offer in LWAPP
2. the following message is logged in show tech:
apf_policy.c:258 APF-1-MOBSTA_ADD_FAILED: Unable to add mobile
00:15:70:32:5a:b5 to PEM module:
3. CPU is running high (77%)
4. A sniffer trace on the WLC shows that the WLC receives DHCP offer
from an
external DHCP server, but the corresponding DHCP offer is not sent to
the AP
in LWAPP.


Conditions:
The problem is verified in 4.0(217.0) and 4.1(171.0).


Workaround:
None


Further Problem Description:

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 9:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

 

Hi Frank-

 

I would hope. But the wording leaves a lot to the imagination, and we
are seeing enough oddities on occasion that could point at something
like this that clarification is in order, if nothing more than for a
sanity check.

 

Lee



From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

 

Lee:

 

I think the key phrase is at the same time.  This may be a bug found
when Cisco or someone else did scalability testing with test tools, not
a likely event in production.

 

Frank

 



From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 7:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

I'm trying to get clarification on this open caveat, but so far can't
get a clear answer on the specifics of the bug:

 

CSCsj25953-When 200 or more wireless clients try to associate to a
controller at the same time, the clients become stuck in the DHCP_REQD
state. The controller receives the DHCP offer from an external DHCP
server but does not send the offer to the access point in LWAPP.

 

Obviously, getting to 200 clients on a single controller is routine
operations on a busy network, especially when one controller has 150
associated access points. Has anyone else dug in on this one, and gotten
any real details? It sounds potentially catastrophic, or that it could
be relatively harmless, but without more detail it's hard to know...

 

Regards-

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

 



RE: [WIRELESS-LAN] WPA Countermeasures - radios shutting down in LWAPP for legitimate users

2007-10-04 Thread King, Michael
Hi Lee.

 

I too am having 100 of these errors a day.

 

We've also been getting large number of complaints that students are
getting dropped off.  (Up and down as the students term it)

 

It started with the 4.0 code for us.

 

Reports from the Cisco Netpro forums that 4.1.185.0 is the code that
fixed this.  Nothing was mentioned about turning off the radio off
period.  This is from customers, not Cisco itself.

 

The only concern I have with the 4.1 code right now is I still have 40
ap's that won't support it.  (Pre Cisco Acquisition AP's, they don't
have enough RAM to load the image)  I hope to remedy this in the next
few days, and get onto 4.1 in a real hurry.

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 04, 2007 9:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA Countermeasures - radios shutting down in
LWAPP for legitimate users

 

We are seeing huge quantities of this:

 

The AP '00:0f:f7:a7:a0:c0' received a WPA MIC error on protocol '0' from
Station '00:13:02:82:1c:8d'. Counter measures have been activated and
traffic has been suspended for 60 seconds.

 

Which means that radios are being disabled for 60 seconds- and all
networks on those radios- each time this countermeasure is invoked
because of something viewed as a potential attack happens for each user
listed, at the front end of the 802.1x authentication/encryption key
setup (we're using PEAP w/ MS-CHAP v/TKIP/WPA1).

 

What is very confusing- each user listed ends up on the network, just
fine. But in the meantime, we have radios being shut down all over the
place. This countermeasure is defined by the standard, so it's hard to
bash the hardware in this case. Clients involved are using Mac, XP, and
Vista- hundreds daily, and not consistent (sometimes a client has the
issue, sometimes not).

 

Our controllers are 4.0.207.

 

Cisco is saying a few things in response: this is likely a client driver
issue and that all drivers need to be kept up to date (easier said than
done on our campus). Also- in version 4.1 of the controllers, the
60-second radio off period can be turned off. Finally, WPA2 negates
this.

 

My questions- is anyone else seeing this, and have you found any causes
for good clients to show up as attackers and cause the radios to turn
off? And, has anyone found any real concerns with 4.1 code on the
controllers?

 

Thanks very much-

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

 

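As an added example (not part of the original posts, and not Cisco's or any list member's code): a small Python triage script for the MIC-error alert quoted above. It totals how long each AP radio was suspended and lists the stations that trigger the countermeasure repeatedly, which helps separate a few clients with bad drivers from a site-wide problem. The timestamp prefix, the second AP address and the extra station addresses are constructed assumptions; only the alert wording and the first AP/station pair come from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Alert wording as quoted in the post. The leading ISO-8601 timestamp is an
# assumed prefix; real exports (syslog, SNMP trap logs) format time differently.
MIC_RE = re.compile(
    r"^(?P<ts>\S+)\s+The AP '(?P<ap>[0-9A-Fa-f:]{17})' received a WPA MIC error "
    r"on protocol '\d+' from Station '(?P<sta>[0-9A-Fa-f:]{17})'\. "
    r"Counter measures have been activated and traffic has been suspended "
    r"for (?P<secs>\d+) seconds\."
)

AP_A, STA_1 = "00:0f:f7:a7:a0:c0", "00:13:02:82:1c:8d"   # pair quoted in the post
AP_B = "02:00:00:00:00:0b"                               # constructed
STA_2, STA_3 = "02:00:00:00:01:02", "02:00:00:00:01:03"  # constructed

TEMPLATE = (
    "{ts} The AP '{ap}' received a WPA MIC error on protocol '0' from "
    "Station '{sta}'. Counter measures have been activated and traffic "
    "has been suspended for 60 seconds."
)
# Constructed sample input: five alerts plus one unrelated line.
SAMPLE_LINES = [
    TEMPLATE.format(ts=ts, ap=ap, sta=sta)
    for ts, ap, sta in [
        ("2007-10-04T09:00:05", AP_A, STA_1),
        ("2007-10-04T09:00:40", AP_A, STA_2),  # lands inside the first window
        ("2007-10-04T09:10:00", AP_A, STA_1),
        ("2007-10-04T09:12:00", AP_B, STA_1),
        ("2007-10-04T09:30:00", AP_B, STA_3),
    ]
] + ["2007-10-04T09:31:00 Client associated (unrelated, constructed)"]


def parse_events(lines):
    """Return MIC-error alerts as dicts sorted by time; other lines are skipped."""
    events = []
    for line in lines:
        m = MIC_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # timestamp not in the assumed format
        events.append({"ts": ts, "ap": m["ap"].lower(),
                       "sta": m["sta"].lower(), "secs": int(m["secs"])})
    return sorted(events, key=lambda e: e["ts"])


def radio_downtime(events):
    """Seconds each AP spent suspended, merging overlapping suspension windows
    so that two alerts inside the same minute are not counted twice."""
    windows = defaultdict(list)  # ap -> list of [start, end]
    for e in events:             # events are already time-ordered
        start, end = e["ts"], e["ts"] + timedelta(seconds=e["secs"])
        spans = windows[e["ap"]]
        if spans and start <= spans[-1][1]:
            spans[-1][1] = max(spans[-1][1], end)
        else:
            spans.append([start, end])
    return {ap: int(sum((b - a).total_seconds() for a, b in spans))
            for ap, spans in windows.items()}


def triage(events, repeat_threshold=3):
    """Summarise alerts: downtime per AP, repeat offenders, spread per AP."""
    per_station = Counter(e["sta"] for e in events)
    stations_per_ap = defaultdict(set)
    for e in events:
        stations_per_ap[e["ap"]].add(e["sta"])
    return {
        "events": len(events),
        "downtime_s": radio_downtime(events),
        "repeat_stations": sorted(s for s, n in per_station.items()
                                  if n >= repeat_threshold),
        "stations_per_ap": {ap: len(s) for ap, s in stations_per_ap.items()},
    }


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

A station that appears on several APs, as the first station does in this sample, points at the client rather than at one radio.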


RE: [WIRELESS-LAN] Outdoor Antenna

2007-09-05 Thread King, Michael
Allen,

You might want to enlist the services of a qualified reseller.  Doing an
outdoor deployment gets complex fast.

That being said, let's see what we can do.

Some information that will help.

1.  What are your goals?  100% outdoor coverage?  Just the areas that
people walk on?  Just the quad?
This is the single most important bit of information that you
can provide.
2.  What is your supported network frequency?  802.11a, 802.11g,
802.11n, 802.11h?  (Cisco supports all four for the LWAPP (the AP-1250
was announced this week that supports 802.11n draft 2.0 support))
3.  What access point model are you using?  1240?  1020?  1510?


To answer your questions.

Can anyone help me with this?
    Yes.  We'll try.  I'm still recommending finding a
    qualified reseller.  Your Cisco rep should have a local favorite.
Who do you order equipments to support AP from?
    Not sure what you mean.  We've bought Antenna Masts and
    non-penetrating roof mounts from Tessco.
Distance Problem
    Distance is always a problem, and is a function of
    Throughput.  You'll have to answer my goals answer to answer your
    question.
Should AP be on 1 or 2 story building.
    See above answer.
What kind of Antenna do you recommend.
    Depends on the AP you have.  Dipole antennas are better,
    but if you only have a single pole AP, what's the point.  Omni's vs
    Patch, depends on your goals.


I have pictures, but when I know more what you want, I can show you
ones that apply.

Mike

-Original Message-
From: Allen Matthews [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 05, 2007 2:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Outdoor Antenna

I am working to set up outdoor antenna for Wi-FI..  We are using Cisco 
4404 and LWAPP Access point.

Can anyone help me with this?

Who do you order equipments to support AP from?  (I have seen Cisco 
LWAPP package)

Distance problem?  Should AP be place on 2 story or 1 story building?

What kind of antenna do you recommend?  Dipole?  Omni? or Patch Panel?

Any information will be helpful.. If you have picture of your outdoor 
antenna, can I see it?

Thanks..

-- 
---
Allen Matthews
Network Engineer
Gallaudet University Information Technology Services
Washington, DC



RE: [WIRELESS-LAN] Cisco LWAPP, multicast/peer to peer blocking modes

2007-08-31 Thread King, Michael
Make sure you're on release 4.0.206.0 or greater.  There was a bad bug
that was fixed in 4.0.206.0 that had significant packet loss on the
wireless network if Multicast was enabled.

 

We don't have multicast enabled.  We do have Peer to Peer blocking
disabled (so we are enabling Peer to Peer).   It wasn't a conscious
decision, just the default setting on the box, and we haven't changed
it.

 

My only recommendation is try to limit the bandwidth allowed for
Multicast.

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 31, 2007 8:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco LWAPP, multicast/peer to peer blocking
modes

 

We have 12 WiSMs at SU (24 controllers) and around 1,550 APs online. By
default on the controllers under General System configuration options,
Ethernet Multicast Support is disabled by default, and we chose to
enable Peer to Peer Blocking Mode. 

 

We are being asked by a researcher to change both of these settings to
allow both multicast and peer to peer connections in the WLAN, and our
first reaction is to grimace and gnash teeth a bit. Am wondering if
anyone is actually allowing multicast on a large WLAN and seeing any
problems, added load, or general observations worth noting? Same with
peer to peer.

 

Regards to the group-

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

 



Release 4.0.219.0 for Cisco LWAPP Wireless

2007-08-01 Thread King, Michael
Has anyone upgraded to Release 4.0.219.0 for Cisco LWAPP yet?  It
contains the fix for the Wireless ARP Storm issue.

 

(I know the 3.2 and the 4.1 version were available last week)




RE: [WIRELESS-LAN] WiSM SUP720 Performance Issue

2007-06-08 Thread King, Michael
WPA2, WPA, or WEP?

 

 

 

From: Dennis Xu [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 08, 2007 9:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM  SUP720 Performance Issue

 

We use WiSM 4.0.217.0 and SUP720 12.2(18) SXF5. We experience bad
performance with wireless client download, for only about 70kbps. I
tried with a WLC2006 connected to the same SUP720 with similar
configurations with WiSM and I got 2Mbps download speed via WLC2006. Has
anyone experienced this issue before? 

Thanks!

 

Dennis Xu

Network Analyst(CCS)

University of Guelph

5198244120 x 56217



RE: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)- Anyone upgraded yet? (3)

2007-05-03 Thread King, Michael
The AP1200's were an unreleased Airespace model, you could only obtain
them via the beta program.
They eventually became the AP1510's. (After several model number
changes)

-Original Message-
From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 03, 2007 12:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)-
Anyone upgraded yet? (3)

For clarity- I believe that these 1200s are the old Airespace originals-
NOT the Cisco 1200s...

Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: Fred Archibald [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 03, 2007 11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)-
Anyone upgraded yet? (3)

It is my understanding that the AP1200s will never be able to support 
4.1 due to a memory limitation in the APs. This is also an issue for us.
Fred

Earl Barfield wrote:
 We are feeling compelled to migrate to the latest WiSM code version for
 several reasons. Wondering if anyone has done the upgrade yet? If so,
 any pain, problems, stuff to watch out for? Anything would be helpful-
 offline responses OK , too.


 Note that the description says Emergency Release.   That doesn't
 exactly sound fully baked.

 The release notes say that 4.1.171.0 does not support AP1200s.  That
 is a show stopper for us.  I haven't yet asked our Cisco engineer when
 AP1200 support will be in the 4.1 chain.





RE: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)- Anyone upgraded yet?

2007-05-02 Thread King, Michael
Read the release notes.

 

You HAVE to hit a certain version before you can use the 4.1 code.

 

Contemplating the upgrade myself.

 

Mike

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 02, 2007 12:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)- Anyone
upgraded yet?

 

We are feeling compelled to migrate to the latest WiSM code version for
several reasons. Wondering if anyone has done the upgrade yet? If so,
any pain, problems, stuff to watch out for? Anything would be helpful-
offline responses OK , too.

 

Thanks-

 

Lee H. Badman

Wireless/Network Engineer

KC2IYK, CWNA/CWSP

Information Technology and Services

Syracuse University

315 443-3003

 



RE: [WIRELESS-LAN] Site survey Wifi deployment software and methodology queries

2007-04-26 Thread King, Michael
We use Ekahau software.  Wireless Valley is a better product, (It thinks in 3 
dimensions, where Ekahau is two dimensional)

You load a floorplan onto the software.  You scale it. (Measure a wall, and 
tell the software how long the wall is)

First, you Simulate the layout.

You draw all the walls on the floorplan, giving them RF values. (usually I 
stick with concrete, drywall, and elevator shaft)

Then you place virtual AP's on the floorplan, and try to figure a good 
placement.  When you have a good simulation you:

Test the design

You place an AP, (with Cisco (and most auto RF type AP's) they recommend 50% 
power, so the AP can boost its signal to fill in gaps if necessary.)

You walk around, clicking on the floorplan, making data points on the map.

You Freeze the AP in the software. (That's the term they used, essentially it 
munges the MAC of the AP so you can simulate many AP's with a single one)

Move the AP to the next placement point.

Repeat until the whole floor is covered.

Based on the graphs, you make some intelligent guesses, and adjust the AP 
placement.  Repeat the whole Survey until you get it right.

It is time consuming, but buying the software, and doing it yourself is usually 
cheaper than a consultant.

I know the Cisco Software on the WCS controller software (not the controller 
itself) can do this simulation as well.  We've never used it in this 
capacity, since we have the Ekahau software, and we know it works very well.  
(We had the Ekahau software a year before the Cisco Product)

 

Mike King

 

 

From: Christian Hroux [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 26, 2007 3:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Site survey Wifi deployment software and methodology 
queries

 

Hello!

 

We are planning a campus wide Wifi deployment. I am looking for 
tool and advice on how to do site survey. We are looking at Cisco Airespace 
solution with controller.  The test deployment 20 AP was done with consultant 
and the actual site survey was to install and move around one  mobile AP and 
check the reception with a laptop to determine the final AP spot. This process 
was repeated until the floor was covered. Not a very scientific approach and 
quite costly. 

 

From my reading there are 2 types of site survey:

 

-Spectrum analyser to evaluate noise in your environment. 

-Simulation software tool where you load your (autocad) floor plan and the 
software will help to define the location of your access-points.

-Another survey is to install all access-points and walk the floor and take 
sample reading with a laptop and software and analyse the result.

-Once you have your Wifi network Cisco seem to have some functionality where AP 
can listen to each other and adjust their power and maybe recommend to move 
some AP around. (WLSE walkabout feature old Aironet solution) but at this point 
you need to have your network install before using this tool. 

 

I was looking at AirMagnet software to those 2 functions any comments?

What was your experience with those softwares? Any other that I should look at?

In only few lines, how do you proceed with your WIFI site survey and what tool 
do you use?

 

Thanks 

 

Christian Héroux

University of Quebec

Montréal, Canada  



RE: [WIRELESS-LAN] Supporting Wireless clients using LEAP

2007-02-08 Thread King, Michael
 

 -Original Message-
 Can you please let me know if your school is currently using 
 802.1x and LEAP? 

802.1x and PEAP TTLS, and WPA/WPA2 PEAP TTLS

 If you can let me know if you are using a 
 supplicant client or just the vendor supplied utilities, I 
 would appreciate it.

Built in clients (2000, XP, Vista, Mac)

 Any other insights would be appreciated 
 as to how schools are supporting a secure wireless network.


Don't use LEAP under any circumstances.  It has been broken,
compromised, etc, since 2003.  That, coupled with the fact that very few
to no clients actually support LEAP should dissuade you from it.

Further more, Cisco has recommended that users migrated to another EAP
type, or strengthen they're password policy to mitigate the
vulnerabilities.
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186
a00801cc901.html

The two MAIN EAP protocols in public use at this time are:
PEAP
TTLS

PEAP is built into every Microsoft OS since 2000, and both Mac and Linux
support it as well.
TTLS is built into almost every Mac and Linux box, and a third party
supplicant (SecureW2) allows use on Microsoft OS's.
Actually, you can support more than ONE EAP type per SSID, so you can
conceivably have both PEAP and TTLS on



RE: [WIRELESS-LAN] LWAPP APs Disassociating From Controllers

2007-02-02 Thread King, Michael
What version code are you running on the controllers?
 

 -Original Message-
 Am opening a TAC case, but to save some time from the 
 loathsome LWAPP debug process, wondering if anyone has 
 experienced this condition?



RE: [WIRELESS-LAN] LWAPP APs Disassociating From Controllers

2007-02-02 Thread King, Michael
Ok.. You have the release I was going to suggest.

You can try 4.0.206.0, but I don't see anything specific for your model
AP's.  (I have the 1010's, and there is a specific bug fix in that
release we've been chasing)

But you never know, it might be related.

 

 -Original Message-
 From: Lee Badman [mailto:[EMAIL PROTECTED] 
 Sent: Friday, February 02, 2007 10:47 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] LWAPP APs Disassociating From Controllers
 
 4.0.179.11. 
 
  [EMAIL PROTECTED] 2/2/2007 10:42 AM 
 What version code are you running on the controllers?
  
 
  -Original Message-
  Am opening a TAC case, but to save some time from the loathsome 
  LWAPP debug process, wondering if anyone has experienced this 
  condition?
 


RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread King, Michael
Hey, what users do you have in your IAS's remote access policy?

Do you have DOMAIN COMPUTERS allowed?  (It's not part of DOMAIN USERS)

Mike

 -Original Message-
 From: Lee Weers [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 01, 2007 4:42 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
 
 I've changed the name and marked out the ip addresses.  
 
 Here is an example of the deny
 
 User host/bob_10884.central.edu was denied access.
  Fully-Qualified-User-Name = CENTRALCOLLEGE\BOB_10884$
  NAS-IP-Address = xxx.xxx.xxx.xxx
  NAS-Identifier = WESM1
  Called-Station-Identifier = 00-14-C2-A3-A4-85:airCentral-Academic
  Calling-Station-Identifier = 00-18-DE-66-6E-C4
  Client-Friendly-Name = HP Wesm
  Client-IP-Address = xxx.xxx.xxx.xxx
  NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows 
  Authentication-Server = undetermined 
  Policy-Name = undetermined 
  Authentication-Type = EAP
  EAP-Type = undetermined 
  Reason-Code = 48
  Reason = The connection attempt did not match any remote 
 access policy.
 
 
 I wouldn't think I need to setup a policy for machine authentication.
 
 Here is the success.
 
 User CENTRALCOLLEGE\bob was granted access.
  Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate
 Fac-Staff/Roaming Profiles/Bob
  NAS-IP-Address = xxx.xxx.xxx.xxx
  NAS-Identifier = WESM1
  Client-Friendly-Name = HP Wesm
  Client-IP-Address = xxx.xxx.xxx.xxx
  Calling-Station-Identifier = 00-18-DE-66-6E-C4
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
   Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows 
  Authentication-Server = undetermined 
  Policy-Name = Authenticate wireless network
  Authentication-Type = PEAP
  EAP-Type = Secured password (EAP-MSCHAP v2)
 
 I've changed the name and marked out the ip addresses.
 -Original Message-
 From: Doug Payne [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 01, 2007 3:19 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
 
 On 01/02/2007 3:32 PM, Lee Badman wrote:
 
  Automatically Use My Windows Credentials- implies that the same user 
  name and password used to simply open up Windows is the same used to 
  login to the network, like against AD- which is not always the same 
  (in our case it is very likely almost never the same as the users set 
  up their own laptops and give themselves all sorts of exotic and or 
  silly names and passwords that wouldn't match their network IDs)
 
 Not to mention that WXP automatically uses the computer name as the
 domain name, which doesn't work if you use IAS as your Radius server.
 
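The denied and granted entries quoted in this thread differ in who is authenticating: the denial is a machine account (`host/` prefix, trailing `$`), which is what the Domain Computers question is about. The following is an added Python example, not code from the thread, that parses IAS event text in that layout and separates machine from user denials carrying Reason-Code 48; the host names, accounts and addresses in the sample are constructed.

```python
import re

# Constructed sample events in the layout of the IAS entries quoted above.
SAMPLE_LOG = """\
User host/lab-pc01.example.edu was denied access.
 Fully-Qualified-User-Name = EXAMPLE\\LAB-PC01$
 NAS-IP-Address = 192.0.2.10
 NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name = undetermined
 Authentication-Type = EAP
 EAP-Type = undetermined
 Reason-Code = 48
 Reason = The connection attempt did not match any remote
 access policy.

User EXAMPLE\\alice was granted access.
 Fully-Qualified-User-Name = example.edu/Staff/Alice
 NAS-IP-Address = 192.0.2.10
 Policy-Name = Authenticate wireless network
 Authentication-Type = PEAP
 EAP-Type = Secured password (EAP-MSCHAP v2)

User EXAMPLE\\bob was denied access.
 Fully-Qualified-User-Name = EXAMPLE\\bob
 NAS-IP-Address = 192.0.2.11
 Policy-Name = undetermined
 Authentication-Type = EAP
 Reason-Code = 48
 Reason = The connection attempt did not match any remote
 access policy.
"""

HEADER = re.compile(r"^User (?P<user>.+?) was (?P<result>granted|denied) access\.$")
ATTR = re.compile(r"^(?P<key>[A-Za-z][A-Za-z-]*)\s*=\s*(?P<value>.*)$")


def parse_events(text):
    """Split IAS event text into dicts; wrapped values are re-joined."""
    events, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = {"user": header.group("user"),
                       "result": header.group("result"), "attrs": {}}
            events.append(current)
            last_key = None
            continue
        if current is None:
            continue  # text before the first event header
        attr = ATTR.match(line)
        if attr:
            last_key = attr.group("key")
            current["attrs"][last_key] = attr.group("value").strip()
        elif last_key:
            # A mail-wrapped continuation of the previous attribute value.
            current["attrs"][last_key] += " " + line
    return events


def is_machine_account(event):
    """Machine authentication shows up as host/<fqdn> or DOMAIN\\NAME$."""
    fqun = event["attrs"].get("Fully-Qualified-User-Name", "")
    return event["user"].lower().startswith("host/") or fqun.endswith("$")


def triage(event):
    """Classify one event so machine-policy gaps stand out from user ones."""
    if event["result"] == "granted":
        return "ok"
    if event["attrs"].get("Reason-Code") == "48":
        return "machine-no-policy" if is_machine_account(event) else "user-no-policy"
    return "denied-other"


HINTS = {
    "machine-no-policy": "computer account matched no remote access policy; "
                         "check whether Domain Computers is covered",
    "user-no-policy": "user account matched no remote access policy",
    "denied-other": "denied for another reason; read Reason",
}

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        verdict = triage(ev)
        if verdict != "ok":
            print(f"{ev['user']}: {HINTS[verdict]}")
```
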


RE: [WIRELESS-LAN] Vista Wireless Networking...

2007-01-25 Thread King, Michael
Quick question,

What's your radius server? 



RE: [WIRELESS-LAN] Debug Cisco LWAPP

2007-01-04 Thread King, Michael
Someone has already mentioned the Syslog, and disabling the timeout.

One other thing.  You can force AP's to associate to specific
controllers. 

 -Original Message-
 From: Lee Badman [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, January 03, 2007 7:41 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Debug Cisco LWAPP
 
 Am working with Aironet 1500 Mesh nodes, but have seen the 
 same problem with converted legacy APs that don't play well 
 with controllers for whatever reason. For troubleshooting, 
 command line debug is required at the controllers. In my 
 case, I have 16 controllers- and there's often no obvious 
 rhyme or reason to what controller trouble APs will try to 
 associate to. Cisco's current answer is to open 16 command 
 line windows-
 1 for each controller- and issue multiple debug commands in 
 each while looking for signs of trouble. This can be 
 challenging, as these windows time out for inactivity and the 
 process has to be repeated until the trouble is found. WCS 
 doesn't appear to aggregate this debug data... 
 
 Has anyone else found a way of dealing with this debug 
 process when it needs to be distributed across a large number 
 of controllers?
 
 
 
 
 Lee Badman
 Network/Wireless Engineer
 Syracuse University
 315 443-3003
 


RE: [WIRELESS-LAN] SSID of Free Public WiFi

2006-11-28 Thread King, Michael
Microsoft has released a new wireless utility update, that changes
Ad-HOC functionality.  Maybe that is the fix you're looking for.

http://support.microsoft.com/kb/917021

Changes for ad hoc networks
On a computer that does not have the Wireless Client Update installed,
Wireless Auto Configuration automatically tries to connect to all the
wireless networks in the preferred networks list that have previously
been connected to. If no infrastructure mode networks are present,
Wireless Auto Configuration sends probe requests to try to connect to
the first ad hoc wireless network in the preferred networks list. An
observer could monitor these probe requests and establish an unsecured
connection with a Windows wireless client.

On a computer that has the Wireless Client Update installed, Wireless
Auto Configuration does not send probe requests to connect to newly
created ad hoc wireless networks in the preferred networks list. Because
many ad hoc wireless networks are created for temporary wireless
connectivity, you must use the Choose a Wireless Network dialog box to
manually initiate a connection to an ad hoc mode wireless network. 

 -Original Message-
 From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, November 28, 2006 9:56 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] SSID of Free Public WiFi
 
 Martin,
 
 I have asked the same question before on this list after 
 having searched for quite a while the key that turns ad-hoc off.
 The best I got was the following command line script:
 
 http://www.engl.co.uk/products/zwlancfg/
 
 Best,
 
 Philippe Hanset
 Univ. of Tennessee
 
 
 On Tue, 28 Nov 2006, Flagg, Martin D. wrote:
 
  Thanks, but what I am looking for is a reg key to turn off 
 ICS without turning off the firewall.  or Some other way to 
 prevent a client from broadcasting a SSID.
 
  
 
  From: Robinson, Ronald [mailto:[EMAIL PROTECTED]
  Sent: Tue 11/28/2006 9:18 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] SSID of Free Public WiFi
 
 
  Hi Martin,
 
  I don't know if this is what you are looking for but it may 
  help.  Under the Wireless Networks tab of the network card 
  properties there is an Advanced button that will allow you 
  to set a check box to only allow connection to Access point 
  networks.  The default is any network.
 
 
  Ron Robinson
  [EMAIL PROTECTED]
 
 
 
 
  
 
  From: Flagg, Martin D. [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 28, 2006 7:19 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] SSID of Free Public WiFi
 
 
 
  Does anyone know how to shut down the ability of XP to 
  act as an ad-hoc network?  I would like to add this check 
  to CCA but have not figured out how to do it.
 
 
 
  Martin Flagg
 
  Hiram College
 
 
 
 
  
 
 
  From: David Warner [mailto:[EMAIL PROTECTED]
  Sent: Monday, November 27, 2006 3:09 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] SSID of Free Public WiFi
 
 
 
  If a computer were doing this, it could also be logging 
 sensitive data for exploitation.
 
  At 02:55 PM 11/27/2006, you wrote:
 
 
 
  I have been seeing the same SSID as well as several others that are
  continually showing up on our network.  After further investigation, and
  some testing to verify, I have determined that it is caused by wireless
  profiles configured on a Windows computer.

  I set up a test using a unique broadcast SSID on an access point, then
  connected to it with a WinXP box (which automatically creates a wireless
  profile for that SSID).  I then shut down both the AP and the WinXP
  client.  Using another wireless client I viewed available wireless
  networks, the unique SSID was not seen.  I then turned the WinXP box
  back on, without connecting to any wireless network, and there it was,
  the unique SSID being broadcast as an Ad-Hoc network.  Turn off the XP
  box and the SSID disappears, turn it back on and there it is again.  I
  then removed the profile for that SSID from the XP box and the Ad-Hoc
  network never appeared again.
 
 
  Ron Robinson
  [EMAIL PROTECTED]
 
  -Original Message-
  From: Lee Badman [mailto:[EMAIL PROTECTED]
  Sent: Monday, November 27, 2006 1:18 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] SSID of Free Public WiFi
 
  SSID: Free Public WiFi
 
  Am seeing dozens and dozens of these on any given day as detected by our
  Cisco LWAPP system- all ad hoc. Internet searching digs up articles like
  this
 
  http://www.tek-tips.com/viewthread.cfm?qid=1239995page=1
 
   and this
 
  http://www.broadbandreports.com/forum/remark,16550092
 
  With some speculation that 

Windows XP SP2 Wireless hotfix

2006-11-14 Thread King, Michael



Found this on the SANS site:
http://isc.sans.org/diary.php?storyid=1849

Seems Microsoft has released a hotfix (This means it will NOT appear on
Windows Update) that changes the default behavior of the Wireless
Supplicant.

* Allows group policy to control WPA2 settings.
* Allows networks in the preferred network list to be set as broadcast or
  non-broadcast. Setting all to broadcast prevents the computers from
  leaking the list of preferred networks when they do not find one in
  their list.
* 'Parked' wireless cards are given encryption. Parking a card is,
  according to Microsoft: "Wireless Auto Configuration may create a random
  wireless network name and put the wireless network adapter in
  infrastructure mode. In this situation, the wireless adapter is not
  connected to any wireless network. However, the wireless adapter
  continues to scan for preferred wireless networks every 60 seconds".
  They go on with: "Some wireless network adapter drivers may interpret
  this parking operation as a request to connect to a wireless network.
  Therefore, these drivers may send probe requests in search of a network
  that has the random name. Because the parking operation passes no
  security configuration to the driver, the random wireless network might
  be an open system-authenticated wireless network that uses no
  encryption. An observer could monitor these probe requests and establish
  a connection with a parked Windows XP wireless client". Now encrypting
  will surely help, but it does feel funny to let it sit there configured
  randomly while there is no use for it doing anything.
* Stop trying to connect to ad-hoc networks in the preferred network
  list.


RE: [WIRELESS-LAN] Feedback on Plan

2006-11-08 Thread King, Michael
 

 -Original Message-
 BSSID3
 No encryption, Throttled via CCA, two hour limit before 
 having to select Guest again. Internet Only and Limited Access. 

I'd suggest that you find out your average class duration, and make sure
that your Guest is at least that long.

Two hours sounds about right.  (We are 1 hour here)



RE: [WIRELESS-LAN] How many SSID's?

2006-11-08 Thread King, Michael
 

 -Original Message-
 
 1. Legacy VPN-protected
 2. 802.1x
 3. Guest
 4. EduRoam 
 (Travelling scholars  can use their home RADIUS server to 
 use WiFi)
 5. Ad Hoc local department network with legit special need 
 (Health Center?)
 6. Appliances - for Tivos, game consoles, whatever.
access via mac address registration
access to internet, with some blocks, but not campus
perhaps access across the dorm network
 


Here's a couple more:

7.  Conference and Events.  Not a permanent SSID, but one that is
requested and activated for each conference.
8.  Legacy Devices.  (Very similar to your Appliances SSID, assuming your
Appliances SSID is using WPA-PSK, this would just use WEP)



RE: [WIRELESS-LAN] Streaming multicast over wireless

2006-11-02 Thread King, Michael
 

 -Original Message-

 
 So I'd say it's good for the press release but at a decent 
 resolution it's going to be difficult to support more than a 
 few channels.
 
 -Kevin


I've talked a bit with Dartmouth when they first rolled this out.

If I remember correctly, they have the multicast ONLY on the 802.11a
band.  They have more than 20 channels, but they can only support 4
channels per AP simultaneously.  (The same 4 channels don't have to be
on every AP I believe)

All of these were not limitations on the Aruba gear, but conscious
choices made in design to present the best experience.



RE:Multicast with CCA was Sreaming multicast over wireless

2006-11-02 Thread King, Michael
Bill,
 
There are two ways to make Multicast work with CCA right now. (The
problem is CCA's internal router does not currently route Multicast
Packets.)
 
The Cisco officially supported way is to run your CAS's in Virtual
Gateway mode.  (Since CCA is not the router, it doesn't have to route
the Multicast)
 
The second way is not officially supported but has been used in a few
scenarios, and we've extensively tested it here.  (We're Real-IP
Gateway Mode)
 
You create an interface, with an IP that doesn't exist on your network
for the VLAN that is being managed.  You also make the subnet it's on
only large enough for a single IP.  Then add the multicast commands to
that interface.  Apply appropriate ACL's so that you can control which
direction the traffic flows. (IE, do you want your students mailing
up a multicast stream in the dorms?)
 
The way it works is essentially, it's a hidden router that routes the
multicast traffic to the rest of the network and/or injects it after the
CAS.  Since it only has a valid range of one address, which is the
router, student's can't use it as a bypass of CCA.  ACL's can further
ensure this.  But the Multicast traffic will bypass CCA.




From: Bill Cole [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 02, 2006 10:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Streaming multicast over wireless]


We are currently setting up a pilot with VideoFurnace. We are
using LWAP as well, but are not looking to stream over the wireless
network for a while. This is partially due to the Cisco CCA application
we run to do authentication for our wireless network.  As of now
multicast does not work over CCA. It is expected to be fixed in the
future. I would really hesitate to run this over 802.11b/g access points
since all it takes is one b user to drive everyone from 54Mbs to 11Mbs
and really clog up the network unless you really limit the bandwidth you
set up when you encode. 802.11a is a much better choice. I think that
Dartmouth has totally replaced their wireless infrastructure with Aruba
802.11a access points.

Duke University ran a pilot with VideoFurnace over wireless in
their Tower Dorm for a while. You might want to contact them about their
result and density of access points. From my discussions with them they
had used quite a few access points to do the coverage. The point of
contact at Duke is Kevin Miller.

Regards,

Bill Cole

--
Bill Cole
Video Network Engineer
North Carolina State University
Communication Technologies/ITD
Campus Box 7208
2114 Avent Ferry Road
Raleigh, NC 27695
Voice: 919.515.0100
Email: [EMAIL PROTECTED]
IP/Video: 152.1.5.156
VideNet/GDS: 00111899195151349



On Nov 2, 2006, at 9:48 AM, Rick Brown wrote:




 Original Message  
Subject:Re: [WIRELESS-LAN] Streaming multicast over wireless
Date:   Wed, 1 Nov 2006 20:09:58 -0500  
From:   Joyce, Todd N [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Reply-To:   802.11 wireless issues listserv



RE: [WIRELESS-LAN] Dynamic WEP transition to WPA

2006-10-28 Thread King, Michael
 

 -Original Message-

 When you deploy 802.1x wep, it is very secure as well. 

Just a note, this was true up till a few weeks ago.

http://www.ja.net/development/wireless/wag/wep-strongly-deprecated.pdf

The synopsis of this paper is, it is now possible to crack WEP with 1
packet, and several seconds.

Most Key Rotation schemes are every 5 minutes, or more.



RE: [WIRELESS-LAN] Cisco/Airespace and Radius authentication (also a location appliance comment)

2006-09-22 Thread King, Michael
 

-Original Message-
We'd like to allow or deny permission to each WLAN based 
on group membership. Is anyone else doing this and 
willing to share their Radius and WCS configs?


We're not doing this.  But it is possible.  I know because I saw a very
similar question on the FreeRADIUS mailing list a few weeks ago.  I think
it involves hunt-groups.  Wish I could have more information for you.
Have you tried the FreeRADIUS list?



Apparently the location appliance can only handle a very 
limited number of these obstructions. 
But it's been months since we've heard anything new.

Mark,  Have you upgraded code recently on the Location Appliance?
They up'd the tracked items and obstruction limits since the release in
June. (I believe it's 2500 now, up from 1500)



RE: [WIRELESS-LAN] Cisco LWAPP

2006-09-20 Thread King, Michael



Actually, that's a little misleading.

Newer versions of WCS with older WISM code is OK. (Not the best, but OK)

Newer versions of WISM, with older WCS is NOT OK. (WCS asks a question,
WISM gives a response WCS is not prepared to answer)




From: Roth, Joe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 20, 2006 1:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAPP


We actually installed 4.0 on a new box and just pulled the configs off of
the controllers again without any problems. But we were told by Cisco that
you should not run a newer ver of WCS with an older ver of the WiSM code,
or vice versa.







From: BennettJ [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 20, 2006 12:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAPP

Joe,

Did you have any problems upgrading the controllers or WCS from version
3.0.x.x to the 4.0.66.0 version of WCS. While upgrading a controller from
3.0.x.x to a 4.0.x.x I found that not all the settings were saved. Several
previously made interfaces (but not all) as well as a few Wlans were
missing from the config. It was easy enough to consult the backup configs
to replace these settings but I felt like this loss of configuration
should not have happened.

Has anyone else had a similar experience?

-Jim

Jim Bennett
Sr. Network Engineer
College of Charleston


RE: [WIRELESS-LAN] Users getting disconnected

2006-08-29 Thread King, Michael
What version of Controller code are you running?  There was a bug in
4.0.155.0 that caused AP's to reboot randomly.  This was fixed in
4.0.155.5 

 -Original Message-
 From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, August 29, 2006 11:46 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Users getting disconnected
 
 Has anyone had a problem with users getting disconnected from 
 the wireless network every 4 hours or so.  I get a hit on the 
 wireless at designated intervals (roughly) where they just 
 get kicked off the network.  I have sniffed the traffic and 
 noticed that every time a disconnect takes place, the clients 
 re-authenticate onto the network.  I really do not see 
 anything out of the ordinary.  I do see a lot of requests 
 going to the NetBios server and none coming back, further 
 confuses me.  Does anyone have any experience with this?
 
 Thanks.
 
 Jorge
 
 
 
 
 


RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast, and command line access

2006-08-14 Thread King, Michael
Just in from the front. (sorta, it's dated April)

http://www.microsoft.com/technet/community/columns/cableguy/cg0406.mspx

Non-broadcasting wireless networks

A non-broadcasting wireless network does not advertise its network name,
also known as its Service Set Identifier (SSID). A wireless access point
of a non-broadcasting wireless network can be configured to either not
send Beacon frames or to send Beacon frames with an SSID set to NULL. A
non-broadcasting wireless network is also known as a hidden wireless
network.

In Windows(r) XP, you could not configure a preferred wireless network
as a non-broadcasting wireless network. The behavior of Wireless Auto
Configuration in Windows XP is to attempt connections to broadcasting
wireless networks before non-broadcasting wireless networks. Therefore,
a computer running Windows XP could automatically connect to a
broadcasting network instead of a non-broadcasting network that is
higher in the preferred wireless networks list.

In Windows Vista, you can now configure wireless networks as broadcast
or non-broadcast. A computer running Windows Vista will attempt to
connect to wireless networks in the preferred networks list order,
regardless of whether they are broadcast or non-broadcast.


Furthermore, Microsoft has added to the methods to connect to
networks

Wireless network configuration methods

You can configure connections to wireless networks, known as wireless
profiles, for a computer running Windows Vista with the following
methods:
* Connect to a network dialog box

  This is the principal method by which individual users will configure
  connections to wireless networks.

* Group Policy

  Network administrators can use Group Policy settings in an Active
  Directory(r) directory service environment to centrally configure and
  deploy wireless network settings and automatically configure domain
  member computers.

* Command line

  Network administrators can use commands in the new netsh wlan context of
  the Netsh.exe tool to manually configure wireless networks and their
  settings. There are Netsh commands to export an existing wireless
  profile to an XML file and then import the wireless profile settings
  stored in the XML file on another computer.
 

-Original Message-
From: Zeller, Tom S [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 8:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

Yes, Microsoft has documented that XP will prefer a broadcast SSID over
a non-broadcast SSID irrespective of their order in the list.  

http://www.microsoft.com/technet/itsolutions/network/evaluate/hiddennet.mspx

However, if you remove the broadcast SSID from the list, there's no
conflict.

The issue I was experiencing attempting to use 802.1x on a non-broadcast
SSID went beyond this problem.  On a wide range of laptops, including
Macs, it was simply unreliable making a connection.  20-40% of the time
the laptop would connect to the proper SSID and then everything worked
great.  But roaming to another AP or coming back gave mostly
unsuccessful results.

I should also mention that there is an optional patch from Microsoft
(i.e. not pushed out by them) that improves the visibility of
non-broadcast SSIDs once you have defined them on the system.  They show
up in the available networks list.

http://support.microsoft.com/?id=893357

I should also point to Microsoft's documentation entitled:

You cannot reconnect to a wireless network that uses a hidden SSID
after you manually disconnect from that network on a Windows XP Service
Pack 2-based computer

http://support.microsoft.com/kb/907405

-Original Message-
From: Kevin Miller [mailto:[EMAIL PROTECTED]
Sent: Monday, July 10, 2006 12:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

From observations and discussion with others, it seems that
wireless zero config on windows favors broadcast SSIDs... You may notice
that sporadically it will connect to the broadcast one even if you've
configured the non-broadcast with higher priority.

-Kevin

Jim Gogan wrote:
 Quick question: has anyone run into any support issues when some SSIDs
 are broadcast and some aren't on a campus?
 
 -- Jim Gogan
ITS Telecommunications
University of North Carolina at Chapel Hill
 
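The hotfix notes and the netsh wlan passage in the messages above both come down to what sits in a client's preferred-network list: ad-hoc entries, open entries and non-broadcast entries that the client probes for. The following is an added Python example, not code from the thread or from Microsoft, that audits wireless profiles in the XML form netsh wlan exports; the element names follow Microsoft's WLAN profile schema (an assumption, the thread does not show the XML), and the three sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace used by exported Vista-and-later WLAN profiles (assumption:
# taken from Microsoft's WLAN profile schema, not from the thread).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def make_profile(name, conn_type, mode, auth, enc, hidden=False):
    """Build a constructed sample profile so the example runs offline."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig>
    <SSID><name>{name}</name></SSID>
    <nonBroadcast>{str(hidden).lower()}</nonBroadcast>
  </SSIDConfig>
  <connectionType>{conn_type}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


def _text(root, path):
    """Return the stripped text at path, or '' when the element is absent."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def audit_profile(xml_text):
    """Return (profile name, list of finding codes) for one exported profile."""
    root = ET.fromstring(xml_text)
    name = _text(root, "w:name")
    conn_type = _text(root, "w:connectionType")      # ESS or IBSS
    mode = _text(root, "w:connectionMode")           # auto or manual
    hidden = _text(root, "w:SSIDConfig/w:nonBroadcast").lower() == "true"
    auth = _text(root, "w:MSM/w:security/w:authEncryption/w:authentication")
    enc = _text(root, "w:MSM/w:security/w:authEncryption/w:encryption")

    findings = []
    if conn_type == "IBSS":
        findings.append("adhoc")                # ad-hoc entry in the list
    if auth == "open" and enc == "none":
        findings.append("open-no-encryption")   # anyone can answer for it
    if enc == "WEP":
        findings.append("wep")
    if hidden and mode == "auto":
        # The client has to probe for the name, which discloses it.
        findings.append("hidden-autoconnect")
    return name, findings


def audit_all(profiles):
    """Audit several profiles; returns {profile name: findings}."""
    return dict(audit_profile(p) for p in profiles)


SAMPLE_PROFILES = [
    make_profile("Free Public WiFi", "IBSS", "manual", "open", "none"),
    make_profile("campus-legacy", "ESS", "auto", "open", "WEP", hidden=True),
    make_profile("campus-secure", "ESS", "auto", "WPA2", "AES"),
]

if __name__ == "__main__":
    for ssid, issues in audit_all(SAMPLE_PROFILES).items():
        print(f"{ssid}: {', '.join(issues) if issues else 'no findings'}")
```
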

RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

2006-07-10 Thread King, Michael
We're changing the SSID we've used in the past.  In the past it was
Broadcasted.

We plan to Broadcast the New SSID, and non-broadcast the Old SSID.
All new setups, and any calls for help would change people to the New
SSID.  The thought is to provide service for the old SSID, but not
encourage its use.

Has anyone done this?  I'm curious now, because of this email thread, if
I'm asking for problems.



RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

2006-07-10 Thread King, Michael
 Jorge,

I'm just trying to understand.  Were the clients that were already
configured OK? It was just the support people themselves that were
saying the network is down.  (I can't see it, It must be down)

Or is it more serious than that, and people actually stopped working
because it wasn't Broadcasted anymore?

I'm hoping to have a few training sessions with the HD people to explain
the matter before hand.



-Original Message-
From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 10:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

Michael,
We tried this and it was immediately shot down by the people higher up.

We only had it not broadcasting for 1 day. That takes a lot more
preparation than a couple of calls to the HD and the unchecking of a box
somewhere.  Some people will scream wolf saying that the network is
down, when in reality they are not capable of properly configuring their
device, which is fine because it keeps us employed.  Just remember that
you will get a nice amount of calls regarding this matter. 

JB



RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-07 Thread King, Michael
 

-Original Message-
On Fri, 7 Jul 2006, Matt Ashfield wrote:

 I am running FreeRadius and SunOne ldap server. 

Whoops, missed that part.



RE: [WIRELESS-LAN] Cisco/Airespace Training

2006-06-21 Thread King, Michael
I went.

Lots of good basics, plus they cover a lot of the why you click that
button.

I think it was worth it.  I had figured out quite a few things on my
own, but being in the classroom environment I got to ask a lot of
questions about things I couldn't understand why you clicked that.

There is an additional 1 day class for the Mesh product, you have to ask
to be included.  (I didn't know about it, wish I did)

The biggest plus is they cover lots of features that are in the manuals,
but you may not have realized the potential for.

Example:
Mobility anchors, you can put a controller outside of your firewall, and
terminate guest sessions on that controller
And
Group AP's, you can have users on the same ssid end up on different
VLAN's based on the AP they associated to. (In addition to the usual
RADIUS return attributes)

 

 -Original Message-
 From: Lee Badman [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, June 21, 2006 11:01 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Cisco/Airespace Training
 
 Hello again to the group.
 
 Am contemplating whether the formal training on the 
 Cisco/Airespace stuff is worth it from the perspective of 
 one just getting started with it... I know the answer varies 
 per individual, but has anyone sat in the classroom for 
 Airespace training? Was the content good enough value to 
 expend the time and money getting there versus figuring it 
 out as you go? Any specific horror stories about individual 
 training firms (answer offline if you want)? 
 
 Thanks-
 
 Lee
 
 Lee H. Badman
 Network Engineer
 CWNA, CWSP
 Information Technology and Services
 Syracuse University
 315.443.3003
 [EMAIL PROTECTED]
 


RE: [WIRELESS-LAN] Nintendo DS on the WLAN

2006-06-12 Thread King, Michael
Nintendo, on their support forum,
has stated, and I quote:

http://forums.nintendo.com/nintendo/board/message?board.id=tech_questions_wifimessage.id=4196#M4196

We have no plans for WPA at this time.

If your concerned about WEP, turn your computers are OFF after you've
switch to WEP for the DS. I don't care if The Lone Gunmen are parked
outside your door with a van full of equipment trying to bust in your
computer files, they can't do it if your computers are off. And, yes,
your wireless router will still work if your computer is off. Um, unless
it's plugged into the same power strip and you power the whole strip
off.

If that's not an option for you, you may want to get the Nintendo USB
WiFi Connector, as it works ONLY with the Nintendo DS, and you can leave
your other WiFi router with WPA.

NOTE: The reason the Nintendo DS is compatible with WEP, and not WPA, is
that we found WEP to be the most prevalent standard for securing wi-fi
connections.

End Quote.

So forget getting them to work easily, the company has no understanding
of WiFi, or their target audience

 -Original Message-
 From: Lee Badman [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 12, 2006 12:39 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Nintendo DS on the WLAN
 
 Have been asked if we will allow the New Nintendo DS to use 
 the campus WLAN for gaming... Has anyone else started looking 
 at this sort of thing? Here's what I know so far:
 
 - The Old version of DS had a wireless (true Wi-Fi) dongle 
 available, it provided wireless connectivity between the game 
 console and the PC, then Internet connectivity was through 
 the PC. Only real implication here is one more noise-making 
 device contending for the 2.4 GHz spectrum.
 
 - The new DS (Lite) has built in 802.11b, but can go no 
 better than 2 Mbps. It may use the 802.11 protocol, or the 
 proprietary Nintendo Low Latency Protocol that wireless 
 sniffers have a hard time correctly classifying.  
 
 - They are just now starting to come out with games that rely 
 on a TCP-IP stack, before it was just using the Wi-Fi for 
 layer 1 and 2 functions, and some sort of funky tunneling was 
 used to get games across the Internet through an otherwise 
 connected PC.
 
 I'm sure I'm way behind others that actually play these 
 things, but am curious how other wireless folks feel or worry 
 about the impact of these things both on the wireless 
 networks and the campus Internet edge?
 
 Thanks-
 
 Lee
 


RE: [WIRELESS-LAN] Extending an external antenna

2006-05-19 Thread King, Michael
 
 -Original Message-
 From: Lee Weers [mailto:[EMAIL PROTECTED] 
 1.  Can you extend an antenna from an AP 250 ft?  (That's how 
 long it is to the scoreboard) 

Yes, you can.  But it won't work very well.

2.  What kind of coax do we 
 need to use to do a/b/g? 

Expensive, and one for each Band.  (One for A, one for B/G)  I'm
guessing much better than LMR 600 we used for our 50ft runs.

 We would like to mount the ap inside of the building and then 
 just extend the external antenna to the scoreboard. 
 

Why not run an outdoor rated Cat 5 cable up the pipe, and mount an
outdoor Access point at the antenna site.

Several companies make these units.

Depending on how big the complex is, you could even look into Mesh
Units, (this would be your base station) and then put a repeater unit
out at the pressbox (You need power and line of sight) of each of the
fields you want to cover.



RE: [WIRELESS-LAN] Airespace/Cisco, SNMP monitoring, CiscoWorks, etc.

2006-05-10 Thread King, Michael
Lee


From the controller

Management - SNMP -  Trap Receivers

Put your NMS here

Management - SNMP -  Trap Controls
Check off what you want.
Sounds like you want to start with
Cisco AP Traps
AP Register
AP Interface Up/Down

With WCS, you could create a template, and apply this to all your
controllers at once as well.  (Here's a secret, this is how WCS gets its
info in the first place)

 -Original Message-
 From: Lee Badman [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, May 10, 2006 3:22 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Airespace/Cisco, SNMP monitoring, 
 CiscoWorks, etc.
 
 Has anyone using Airespace (now Cisco) done anything with 
 CiscoWorks or external SNMP network monitoring that has 
 worked out- like for basic device up/down, traps, alarms, 
 etc. for the controllers? In this model, without going 
 directly to WCS and controllers, how are you getting info on 
 AP status- can the controllers send effective traps for AP trouble?
 
 Thanks-
 
 Lee
 


RE: [WIRELESS-LAN] Site Survey Software

2006-05-05 Thread King, Michael
Site survey as in:

1.  Real time read out of all signal strength seen at a single point of
time.

2.  Heat maps showing the coverage pattern of 802.11 on a given floor
plan. 

 -Original Message-
 From: Flagg, Martin D. [mailto:[EMAIL PROTECTED] 
 Sent: Friday, May 05, 2006 11:20 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Site Survey Software
 
  
 I am looking for the best free or really inexpensive (less 
 than $1,000) site survey tools available.  Our network is B/G 
 we have MACs/Windows
 Laptops or IPAQs available.  Any suggestions? 
 
 
 Martin D. Flagg
 Network Engineer/Administrator
 Hiram College 
 


RE: [WIRELESS-LAN] Site Survey Software

2006-05-05 Thread King, Michael



Keeping with the free/cheap theme:

Spectrum analyzer
http://www.thinkgeek.com/gadgets/electronic/80ce/

AP Power in Real-Time
http://www.netstumbler.com/downloads/
You need a "Good" card in the fact that Netstumbler was designed for its
chipset

I haven't found anything that puts stuff on a map for under $1000

But that tool is:

http://www.ekahau.com/?id=4600

Which seems to retail right around $1200 for the basic package, and
$3000 for the full boat (Prediction, Reporting, GPS Logging)

For reference, the GranDaddy of this stuff is Wireless Valley at $8000
to $50,000 dollars.  (3D prediction)
http://www.motorola.com/Enterprise/us/en_us/solution.aspx?navigationpath=id_801i/id_2720i/id_2732i

  
  
  From: Flagg, Martin D. [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 05, 2006 12:04 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Site Survey Software

  I like the Cisco tool but unless something has changed it does not
  show all APs, only the one you are associated with.  In answer to some
  other questions I have clarified my requirements.

  Requirements:
  AP Power in real time
  Show all access points in range and channel/Freq
  Must support LEAP/PEAP

  Wish List:
  Quality Measurement
  Record measurements to a map
  Spectrum analyzer

  Martin D. Flagg
  Network Engineer/Administrator
  Hiram College

  From: Nathan Hay [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 05, 2006 11:27 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Site Survey Software

  I've always used a Cisco a/b/g card with the site survey tool that comes
  with it, either on a laptop or iPAQ. It gives signal strength, noise
  level, and signal-to-noise ratio. Some will tell you this might not be
  the best way to do it, but it has worked for our purposes. I usually
  couple this with a web-based bandwidth tester to see what kind of actual
  bandwidth I get at the places I take my readings.

  Nathan

  Nathan P. Hay
  Network Engineer
  Computer Services
  Cedarville University
  Office: 937-766-6516
  Email: [EMAIL PROTECTED]
  Web: www.cedarville.edu

  [EMAIL PROTECTED] 5/5/2006 11:19 AM
  I am looking for the best free or really inexpensive (less than
  $1,000) site survey tools available. Our network is B/G we have
  MACs/Windows Laptops or IPAQs available. Any suggestions?

  Martin D. Flagg
  Network Engineer/Administrator
  Hiram College



RE: [WIRELESS-LAN] RADIUS accounting through WLSM

2006-04-19 Thread King, Michael
This won't help with your feature request,

But in most RADIUS servers (and for example, I know Funk and FreeRADIUS
can do this), you can configure a default entry, or wildcard entry.
It will allow you to collect the statistics while you configure your
APs.

Also, (I'm pretty sure you have FUNK) you can import from a text file
your list of APs.  I think a text file would be easier to generate.

 -Original Message-
 From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, April 18, 2006 6:27 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] RADIUS accounting through WLSM
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 So we're making real progress on our 802.1X testing and 
 rollout.  Thanks again to everyone who's helped us over the months.
 
 Our next issue involves RADIUS accounting records.  We've got 
 the WLSM product from Cisco, and that's great as far as 
 RADIUS authentication is concerned.  Our ~700 APs send the 
 authentication requests up to the WLSM through the GRE 
 tunnels, and the WLSM handles relaying them to the RADIUS 
 server.  Piece of cake.
 
 Unfortunately, it looks like WLCCP doesn't work like that for 
 accounting records, so we're facing having to configure 700 
 entries into our RADIUS server.  Obviously, anything can be 
 done with the right scripts, but overall it seems like a bit 
 of a management nightmare.  It would be much better to be 
 able to have all the accounting records tunneled just like 
 they are with authentication requests.
 
 The TAC said to report this to our SE as a feature request, 
 but like all feature requests, they only come to fruition if 
 enough people really ask and can show Cisco that there's a 
 business case for it.
 
 So I thought I'd toss this out here and see what people think.
 
 
 -BEGIN PGP SIGNATURE-
 Version: PGP Desktop 9.0.5 (Build 5050)
 Comment: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
 
 iQA/AwUBREVnxA5UB5zJHgFjEQKO+ACfbr0QZCedOiyb5LhvoODbfZny/eoAmQFo
 iOcOGqHGFs8QHEPRGCGvE4gh
 =pRvq
 -END PGP SIGNATURE-
 
 -- 
 Julian Y. Koh 
 mailto:[EMAIL PROTECTED]
 Network Engineer   
 phone:847-467-5780
 Telecommunications and Network Services Northwestern 
 University
 PGP Public 
 Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html
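
As an added illustration of the wildcard client entry and text-file AP list suggested in the reply above (not code from the thread or from any vendor): a wildcard entry accepts accounting from every address in its range that presents the shared secret, so this sketch collapses an AP list into the tightest prefixes that still meet a chosen density and reports how many non-AP addresses each entry would admit. It assumes FreeRADIUS 3 `clients.conf` stanza syntax; the inventory, addresses, density threshold and secret placeholder are constructed.

```python
import ipaddress

# Constructed sample inventory (name, management IP); not from the thread.
AP_INVENTORY = """\
# name        mgmt-ip
ap-lib-01     10.20.1.8
ap-lib-02     10.20.1.9
ap-lib-03     10.20.1.10
ap-lib-04     10.20.1.11
ap-lib-05     10.20.1.12
ap-lib-06     10.20.1.13
ap-gym-01     10.20.9.200
"""


def parse_inventory(text):
    """Return the sorted, de-duplicated AP addresses from 'name ip' lines."""
    addrs = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'name ip'")
        addrs.add(ipaddress.IPv4Address(fields[1]))
    return sorted(addrs)


def tight_prefixes(addrs, min_density=0.75):
    """Cover addrs with prefixes in which at least min_density of the
    addresses are inventoried APs. Returns [(network, known_ap_count)]."""
    if not addrs:
        return []
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while addrs[-1] not in net:        # smallest prefix holding every AP
        net = net.supernet()
    return _split(net, addrs, min_density)


def _split(net, addrs, min_density):
    """Keep a prefix if it is dense enough, otherwise recurse into halves."""
    inside = [a for a in addrs if a in net]
    if not inside:
        return []
    if net.prefixlen == 32 or len(inside) / net.num_addresses >= min_density:
        return [(net, len(inside))]
    out = []
    for half in net.subnets(prefixlen_diff=1):
        out.extend(_split(half, inside, min_density))
    return out


def render_clients(prefixes, secret="REPLACE_WITH_SHARED_SECRET"):
    """Emit one client stanza per prefix (FreeRADIUS 3 syntax assumed)."""
    stanzas = []
    for net, known in prefixes:
        slack = net.num_addresses - known
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        name = f"ap-{str(net.network_address).replace('.', '-')}-{net.prefixlen}"
        stanzas.append(
            f"# {known} inventoried APs; {slack} other addresses would also be accepted\n"
            f"client {name} {{\n"
            f"    ipaddr = {target}\n"
            f"    secret = {secret}\n"
            f"}}"
        )
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    print(render_clients(tight_prefixes(parse_inventory(AP_INVENTORY))))
```

Lowering `min_density` trades fewer entries for a wider range of hosts that can submit accounting records with the same secret.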
 


RE: [WIRELESS-LAN] point to point wireless

2006-04-19 Thread King, Michael
Or Pre-WiMax Stuff as well

Here's a list of everything Proxim sells.. (Had a very good product
spread.  Licensed, unlicensed, laser, etc.  I've never used Proxim
personally)

http://www.proxim.com/products/bwa/point/ 

 -Original Message-
 From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, April 19, 2006 1:21 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] point to point wireless
 
 Bruce,
 
 If it's for a point-to-point and you don't worry about 
 standardization, you could always consider pre-802.11n solutions!
 
 http://www.extremetech.com/article2/0,1697,1949656,00.asp
 
 Just an idea, we haven't done anything like that...yet!
 
 Philippe Hanset
 University of Tennessee
 
 
 On Wed, 19 Apr 2006, Entwistle, Bruce wrote:
 
  We are currently using a pair of Cisco 1300 wireless bridges to
  connect some student residences to the campus network.  While these
  bridges have worked well we now need something which is capable of a
  higher speed connection without using multiple links.  The current
  distance between the two antennas is about 300 feet.  I was wondering
  what products others have used and how they performed.
 
 
 
  Thank you
 
  Bruce Entwistle
 
  Network Manager
 
  University of Redlands
 
 
 
 


RE: [WIRELESS-LAN] point to point wireless

2006-04-19 Thread King, Michael
Again, not another product that I've used, but the glossy sheet looked
cool at a trade show

http://www.rad.com/Article/0,6583,27242-Broadband_Wireless_Multiplexer,00.html

Carries both Ethernet and T1 circuits over the same wireless equipment.
(gets your phone over there as well) 

 -Original Message-
 From: Michael Griego [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, April 19, 2006 3:22 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] point to point wireless
 
 Proxim and Bridgewave were the only two manufacturers I could 
 find that had gigabit capable non-optical wireless solutions. 
  Our not-so-happy experiences with Proxim is what pointed us 
 initially towards Bridgewave for our current point to point project.
 
 --Mike
 
 On Apr 19, 2006, at 12:37 PM, King, Michael wrote:
 
  Or Pre-WiMax Stuff as well
 
  Here's a list of everything Proxim sells.. (Had a very good product 
  spread.  Licensed, unlicensed, laser, etc.  I've never used Proxim
  personally)
 
  http://www.proxim.com/products/bwa/point/
 
  -Original Message-
  From: Philippe Hanset [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, April 19, 2006 1:21 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] point to point wireless
 
  Bruce,
 
  If it's for a point-to-point and you don't worry about 
  standardization, you could always consider pre-802.11n solutions!
 
  http://www.extremetech.com/article2/0,1697,1949656,00.asp
 
  Just an idea, we haven't done anything like that...yet!
 
  Philippe Hanset
  University of Tennessee
 
 
  On Wed, 19 Apr 2006, Entwistle, Bruce wrote:
 
  We are currently using a pair of Cisco 1300 wireless bridges to
  connect some student residences to the campus network.  While these
  bridges have worked well we now need something which is capable of a
  higher speed connection without using multiple links.  The current
  distance between the two antennas is about 300 feet.  I was wondering
  what products others have used and how they performed.
 
 
 
  Thank you
 
  Bruce Entwistle
 
  Network Manager
 
  University of Redlands
 
 
 
 


RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2006-04-11 Thread King, Michael
It was a single file, and a directive in the config file 

 -Original Message-
 From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, April 11, 2006 9:21 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 At 22:00 -0400 04/10/2006, King, Michael wrote:
 After extensive packet captures, and comparisons, Funk/Juniper has 
 identified and fixed the problem.  Microsoft didn't follow their own 
 Spec when they made their own client.
 
 Unfortunately, they only fixed it last week.  So it's not in any public 
 build yet.
 
 Funk/Juniper says that they're going to try to get us the new build.
 Hopefully we can just replace the executable and not go through a whole 
 installation process.
 
 
 -BEGIN PGP SIGNATURE-
 Version: PGP Desktop 9.0.5 (Build 5050)
 Comment: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
 
 iQA/AwUBRDutKA5UB5zJHgFjEQLLwQCg+8pNC+o/u/q+tZW2ya98fqKetHYAoN0W
 UrD0shfYSTIhHxbpwSXvP3Ks
 =CP1+
 -END PGP SIGNATURE-
 
 -- 
 Julian Y. Koh 
 mailto:[EMAIL PROTECTED]
 Network Engineer   
 phone:847-467-5780
 Telecommunications and Network Services Northwestern 
 University
 PGP Public 
 Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html
 


RE: [WIRELESS-LAN] Guest access - CALEA rabbit trail

2006-03-31 Thread King, Michael
 Jake,

We too have begun to consider anonymous guest access.

Where in CALEA are you referring to?  (A hyperlink would help)  I'd
like to approach this new initiative aware of all the facts, and this is
one I hadn't considered before.

 -Original Message-
 From: Barros, Jacob [mailto:[EMAIL PROTECTED] 
 Sent: Friday, March 31, 2006 9:00 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Guest access - CALEA rabbit trail
 
  We've been forcing all users to authenticate and were 
 considering anonymous guest access as well, but in light of 
 CALEA enforcement probability we are hesitant.  For those of 
 you that do allow anonymous guests, are you considering 
 changing that policy in light of CALEA? Have you any other 
 legal 'problems' with anonymous access?
 
 Jake Barros
 Grace College
 



RE: [WIRELESS-LAN] Tools

2006-03-15 Thread King, Michael



I suggest you find another cisco reseller if they're charging you list
price

http://www.cdwg.com/shop/products/default.aspx?EDC=801563

(And that is without calling and asking for educational pricing.)

Since we have 6509's we purchased the WISM card.
It does 300 AP's instead of 100, and it lists for around $46,000 (you
have to have a 6500 to use this)

I am in the middle of deploying 480 AP's with the 1010's and WISM's.
I'm coming off of supporting 300 Thick AP's.  I can tell you already,
this is a dream to manage compared to chasing 300 Thick AP's.  Plus, now
I have management reports.  (Eg.. What SNR the client has, and a graph
of it for the last few days)

BTW, airwave has a product that will manage the 1200's, but it would run
you about the same amount of money.

  
  
  From: Flagg, Martin D. [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 15, 2006 9:30 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Tools

  I have just received pricing for Cisco's latest solution for Wireless
  Solution.  I have sticker price shock.  The part number and list price
  are as follows;

  AIR-WLC4404-100-K9 $34,995

  We have about 60 AP 1200's running IOS and using ACS/LEAP/PEAP.  I
  thought that this solution would be the next logical step for our
  Wireless network.  What are other schools our size doing?  Even with
  our EDU discount this is a lot of money.  Will Cisco continue to
  support the 1200's running IOS?  What can I do to make the wireless
  network more manageable without spending this much money?  Anyone
  running the lightweight access points with this appliance?

  Martin D. Flagg
  Network Engineer/Administrator
  Hiram College


RE: [WIRELESS-LAN] Few more 802.1X questions

2006-03-01 Thread King, Michael
Several.

Securew2 seems the best supported and most popular
http://www.securew2.com/  It supports batch configuration.
Unfortunately the website seems a bit slow right this second.


Wire1x is an Open1x port to windows. (Hasn't had any activity since
2004)
http://wire.cs.nthu.edu.tw/wire1x/ 

 -Original Message-
 From: Lee Badman [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, March 01, 2006 9:32 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Few more 802.1X questions
 
 Thanks, Frank-
 
  I realize LDAP is hamstringing us, but AD may not be ready 
 for primetime for our environment from a timing 
 perspective... Given that Cisco ACS is in house, LDAP MAY 
 have to be used initially, and say we have to start with TTLS 
 before we can run with PEAP- is there a known, PREFERRED, 
 FREE!!!, Windows-friendly TTLS supplicant? I've seen 
 Xsupplicant recommended, but it doesn't appear to have a 
 Windows version.
 
 Again- thanks.
 
 Lee
 
 
 
  Frank Bulk [EMAIL PROTECTED] 2/28/2006 4:35 PM 
 Lee:
 
 If you're using LDAP that limits many of your choices, 
 unfortunately.  
 ==
 If your directory server is based on LDAP, your options are 
 limited based on how your passwords are stored.
 
 Cisco's Secure ACS LDAP integration supports EAP-TLS and 
 PEAPv1/EAP-GTC. In the first type, LDAP is used to retrieve 
 the user's public-key certificate for comparison with both 
 the client and the user's private-key certificate. In the 
 second type, the environment must support one-time keys, as 
 with token cards.
 
 If your passwords are stored in MSCHAPv2 format, as is the 
 case with Windows Domains and Active Directory, you can use 
 the LDAP features of other RADIUS vendors to take advantages 
 of EAP-TTLS and PEAP.
 
 If your passwords are stored in your LDAP directory in the 
 clear, you can use EAP-TLS/PAP and EAP-TTLS/PAP as well as a 
 few others, depending on the RADIUS vendor.
   
 http://www.networkcomputing.com/mobile/archives/mobile_archive_011106.html
 ==
 In other words, you should be able to front end your LDAP 
 infrastructure with a 3rd-party RADIUS server.
 
 As for roaming, Cisco's CCKM (proprietary standard!) does 
 support fast secure roaming with PEAP. Go here:
 http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/acau02/au_prof.htm#wp1094945
 And scroll down to CCKM to see some background and caveats.
 
 Regards,
 
 Frank
 
 -Original Message-
 From: Lee Badman [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 28, 2006 12:53 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Few more 802.1X questions
 
 Given these specific resources:
 
 - Cisco ACS 3.3
 - LDAP (moving to AD, but not at first)
 - Cisco 1130/1200s running latest 12.3(7) JA2 IOS code
 - Up-to-date Windows XP users native supplicants
 - Macintosh 10.4 users (latest) native supplicants
 
 And looking at piloting an 802.1x environment using PEAP...
 
 Looking for comments on-
 
 - Roaming (I believe fast secure roaming doesn't work with 
 PEAP) satisfaction
 - Users that may have used 802.1X migration as a juncture to 
 give up the typical wireless DMZ and make wireless an 
 extension of the wired network (for authorized users)
 - Luck with WPA with a broad range of client hardware likely 
 found in a bring what you have laptop/handheld environment
 - Success with Windows Mobile
 - General satisfaction
 - Horrors experienced
 - Anything else relevant to the exercise with the resources 
 described above.
 
 As usual- thanks for the great input this list tends to provide!
 
 Lee Badman
 
 Lee Badman
 Network Engineer
 CWNA, CWSP
 Information Technology and Services
 (Formerly Computing and Media Services)
 Syracuse University
 (315) 443-3003
 [EMAIL PROTECTED] 
 


RE: [WIRELESS-LAN] Vocera over Aruba

2006-01-20 Thread King, Michael
 I keep beating them up about not having it.  :-)



 -Original Message-
 From: Frank Bulk [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, January 19, 2006 9:10 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Vocera over Aruba
 
 Let me know when you see WPA2-Enterprise support for a VoWLAN 
 handset. ;)
 
 Frank 
 



RE: [WIRELESS-LAN] Vocera over Aruba

2006-01-19 Thread King, Michael
Many of the Vendors that are direct competitors of Aruba (AireSpace,
Trapeze) recommend disabling Aggressive load balancing for the problems
that you have described..  Have you disabled Aruba's aggressive load
balancing feature?

Also, I know that WPA2 has features like Cached authentication, and
Pre-authentication that speeds up roaming.  So using WPA2 is the best
security protocol for VoIP

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, January 19, 2006 2:18 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Vocera over Aruba
 
 Does anyone have experience with running Vocera over an Aruba 
 wireless network?  If so, have you encountered any problems 
 with roaming, voice quality, etc.?  We would also be very 
 interested in knowing about your experiences with Airespace 
 as well.  Thank you!
 
 Mark
 


RE: [WIRELESS-LAN] Multiple VLANs configuration

2005-12-15 Thread King, Michael
 

 -Original Message-

 Where would you set the host to ask for credentials every 
 time a connection is initiated?


Short answer, Not sure you can do this.

There is a registry key you would have to delete manually to effect
this.

You can also set the 802.1x to use the windows domain and username. (I
believe this is the default setting)



Vivato

2005-12-15 Thread King, Michael
I just got an email from a contact at Vivato.  He forwarded this to me,
with the note that his doors close tomorrow

Last Call for Vivato? 
12.15.05

Everyone is talking about rumors of the imminent demise of Vivato Inc.,
one of the startups that originally kick-started the wireless LAN switch
movement.

Multiple sources [ed. note: It's even on the message-board!] have told
Unstrung that the company is expected to close down by the end of the
year, with December 20 looking like the most likely date.

We spoke to Vivato last week when these rumors first got too loud to
ignore, and a spokesman denied them then. No one has yet replied to
calls today.

The firm is said to be looking for a buyer, but it is not clear what
prospects are out there.

Of course, Vivato has been pronounced dead in the water before and come
back. But the wireless whisperers we've spoken to insist that the
investor community is now saying that Vivato will close its doors soon.

Vivato's closure could be seen as something of an end of an era for the
WLAN market. The firm was one of the first to promote the idea of a
centrally-managed wireless LAN switch network for enterprise users.
(See Vivato Plans Ambitious WLAN.)

But unlike successful startups, such as Airespace and Aruba Wireless
Networks that followed in its wake, Vivato proposed to light up
offices with one powerful box that used beam-steering technology to
provide radio coverage over hundreds of square feet. (See WLAN Switches:
The Brains Behind 802.11?.) The other players in this space preferred to
use a central switch to manage a network of dumb access points. (See
Vivato's Switch Bitch and Switch Tiff Heats Up .)

But in practice, providing coverage in an office-space filled with cubes
and other radio-dampening obstacles proved to be a tricky task for the
Vivato. So the firm repositioned itself as a company that could provide
coverage for stadiums, conference centers, and outdoor areas. (See
Vivato's New Broom and Vivato Goes Wide.)

But despite winning some contracts, the company has remained troubled.
In April, the firm hired a new crisis CEO to restructure the company.
(See Vivato Hires Crisis CEO.)

Since its foundation in December 2000, Vivato has scored around $67
million in funding from investors like Intel Capital and U.S. Venture
Partners.

- Dan Jones, Site Editor, Unstrung





 
Copyright (c) 2000-2005 Light Reading, Inc. - All rights reserved.
www.unstrung.com
 



RE: [WIRELESS-LAN] BSOD on Wireless Network

2005-12-14 Thread King, Michael
 This points to the network card driver.  Has the network driver been
updated recently?






Driver_IRQL_Not Less_or_Equal 

Tech Info: 
NDIS.SYS 



RE: [WIRELESS-LAN] 802.1x authentication on wired network

2005-12-02 Thread King, Michael
 Dave, and Dave (or anyone else with Cisco ACS on a wireless network)

Since you both have Cisco ACS servers, could you check something for me.

Pre-requisites
1.  User is not joined to the domain
2.  User is using built-in XP supplicant
3.  User changes password on the domain.  (Any mechanism)

Does the XP client reprompt them to change the password when you try to
associate to the wireless network?  (Or prompt for username, password,
domain)

We had a large problem with this with a couple of RADIUS servers.
FreeRADIUS doesn't have this problem, and Funk had a fix coming out last
I checked (August)
Since we're considering using ACS, I'm trying to figure out if I'm going
to have this problem again.

 -Original Message-
 From: David Morton [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 01, 2005 11:19 PM
 Subject: Re: [WIRELESS-LAN] 802.1x authentication on wired network
 
 If you're not using ACS, there are three Radius attributes 
 that can be used to put a user in a particular VLAN. I don't 
 recall the attribute numbers off the top of my head, but I am 
 sure you can find them on Cisco's web site.  I know that they 
 are also in the Microsoft Wireless Provisioning Server 
 documentation (which you can find on Microsoft's web site.)
 
 David
 
 On Nov 28, 2005, at 5:14 AM, David Warner wrote:
 
  Matt,
 
  Inside the Cisco ACS server (and other radius servers I assume) you can
  specify which vlan a group should be associated with.  The dot1x
  configuration on the switch will then use that information to set the
  vlan when a user successfully authenticates.
 
  dave warner
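
The three attributes mentioned in the quoted reply are defined in RFC 2868 and applied to 802.1X VLAN assignment in RFC 3580: Tunnel-Type (64) set to VLAN (13), Tunnel-Medium-Type (65) set to IEEE-802 (6), and Tunnel-Private-Group-ID (81) carrying the VLAN ID. The block below is an added example, not code from the thread or from any vendor; it decodes those attributes from a reply and checks that one complete, consistently tagged set is present, and its function names and sample bytes are constructed for illustration.

```python
# Added example: decode the RFC 2868 tunnel attributes used for 802.1X VLAN
# assignment (RFC 3580) and check that a reply carries a complete set.

TUNNEL_TYPE = 64               # RFC 2868; value 13 = VLAN (RFC 3580)
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868; value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868; carries the VLAN ID as a string
VLAN, IEEE_802 = 13, 6

# Constructed attribute bytes for "put this user in VLAN 10" (untagged).
SAMPLE_ATTRS = bytes.fromhex("40060000000d 410600000006 51043130")


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes as they would sit in an Access-Accept."""
    def tagged_int(attr, value):
        # Type, Length=6, Tag, 3-byte big-endian value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")

    group = str(vlan_id).encode("ascii")
    if tag:                      # the tag byte is only emitted when non-zero
        group = bytes([tag]) + group
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def iter_attrs(buf):
    """Yield (type, value) for each RADIUS attribute (RFC 2865 TLV layout)."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, buf[i + 2:i + alen]
        i += alen


def check_vlan_reply(buf):
    """Return (vlan_id, problems). vlan_id is None unless one tag group holds
    Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and a non-empty group ID."""
    tunnels = {}
    for atype, value in iter_attrs(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {atype} must carry tag + 3 bytes")
            tag = value[0] if value[0] <= 0x1F else 0
            tunnels.setdefault(tag, {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x01..0x1F is a tag; anything else is string data.
            if value and 0x01 <= value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tunnels.setdefault(tag, {})[atype] = text.decode("ascii", "replace")

    if not tunnels:
        return None, ["no tunnel attributes in reply"]
    problems = []
    for tag, t in sorted(tunnels.items()):
        if t.get(TUNNEL_TYPE) != VLAN:
            problems.append(f"tag {tag}: Tunnel-Type missing or not VLAN")
        elif t.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
            problems.append(f"tag {tag}: Tunnel-Medium-Type missing or not IEEE-802")
        elif not t.get(TUNNEL_PRIVATE_GROUP_ID):
            problems.append(f"tag {tag}: Tunnel-Private-Group-ID missing")
        else:
            return t[TUNNEL_PRIVATE_GROUP_ID], []
    return None, problems


if __name__ == "__main__":
    print(check_vlan_reply(SAMPLE_ATTRS))                       # complete set
    print(check_vlan_reply(SAMPLE_ATTRS[:6] + SAMPLE_ATTRS[12:]))  # medium type dropped
```

A reply that fails this check is worth catching on the RADIUS side, because an incomplete or mismatched set means the requested VLAN is not being expressed the way RFC 3580 describes.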
 




RE: [WIRELESS-LAN] WAP Installs on Pedestals

2005-11-29 Thread King, Michael



Cisco (www.cisco.com), Tropos (http://www.tropos.com/) and BelAir
Networks (http://www.belairnetworks.com/) have wireless mesh networks.

Cisco's is built on their Airespace acquisition, so it
integrates with those controllers.

Here is the Marketing line...

http://www.belairnetworks.com/solutions/hospitality.cfm

Is this what you were hinting at, or were you more looking
at just outdoor coverage?

FYI, it seems to be much more cost effective to deploy
units mounted on buildings with external antennas vs. building a mesh
topology.

Another technology you might want to investigate is http://www.vivato.com/. You put one of
these up above the tree line, at one end of your campus.




  
  
  From: Reggie Clarkson [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, November 29, 2005 3:37 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] WAP Installs on Pedestals
  
  Is anyone using Code Blue pedestal phones for installation of wireless
  access points? We will not be able to install antennas or other wireless
  devices to our campus buildings so we are considering any and all
  possible alternatives.
  
  Reggie Ann Clarkson
  Manager, IT Telecommunications
  Rice University
  713 348-4911
  


RE: [WIRELESS-LAN] Administrative Wireless Network

2005-11-17 Thread King, Michael
From: Eric Morgenroth [mailto:[EMAIL PROTECTED] 
This network will only be used by our IT staff, and the network 
has access to all university resources, based on firewall rules. 

If that is your premise, I would start out with the highest level of
security you can tolerate, but since most people cannot tolerate TLS
certificates, I would recommend WPA2-Enterprise (which is based on 802.1x)
with AES encryption.  You can control access based on the RADIUS server.

I am also a strong proponent of security in layers.  This means any
system that you access via wireless, should use secure access methods.
(example SSH, HTTPS)

I will also warn you, once you introduce wireless, it will grow, and
grow quickly.  It won't just be IT only in a short period of time.



RE: [WIRELESS-LAN] PC's bridging wired to wireless

2005-10-05 Thread King, Michael
 -Original Message-
 From: Dale W. Carder [mailto:[EMAIL PROTECTED] 

 We have bpdu-guard enabled on the switchports, the network 
 doesn't get into a loop state, but this has the side effect 
 of taking the AP down.  

Slightly left of the topic at hand,

Shouldn't bpdu-guard take the client's switchport down, and not the AP's
port?  That was my understanding of the technology.



RE: [WIRELESS-LAN] 802.1x Active Directory GPOs

2005-10-05 Thread King, Michael
You can use machine authentication, if your RADIUS server supports it.

The computer will authenticate using its computer account, and have
access.  When a user logs in, it will drop the computer credentials, and
switch to the user's credentials.  When the user logs out, it will switch
back to the computer account.

What's your RADIUS server? 

 -Original Message-
 From: Katie Rose [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 05, 2005 4:45 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] 802.1x  Active Directory GPOs
 
 At Notre Dame, we're finding some issues when using 802.1x on 
 computers that belong to our Active Directory domain.  The 
 authentication to access the wireless network appears to 
 happen after the user has actually logged into the computer, 
 so some GPOs to manage the computer don't get applied 
 properly during login.  Is anyone else seeing this issue?  If 
 so, how are you handling it?
 
 Thanks in advance,
 Katie Rose
 
 University of Notre Dame - OIT
 


RE: [WIRELESS-LAN] Guest access strategy

2005-09-15 Thread King, Michael
I don't support this, and don't use it.  But you should know that it
exists

WPS  Wireless Provisioning Services
http://www.microsoft.com/whdc/device/network/wireless/wps.mspx



Wireless Provisioning Services (WPS) enable the discovery of and
connection to wireless networks. WPS enhancements are included in
Microsoft Windows XP Service Pack 2 (SP2) and under consideration for
Windows Server(tm) 2003 Service Pack 1 (SP1).

WPS extends the wireless client software included with Windows XP and
the Internet Authentication Service (IAS) included with Windows Server
2003 to allow for a consistent and automated configuration process when
connecting to public wireless hotspots or private wireless networks that
provide guest access to the Internet.

The WPS APIs allow for the pre-provisioning of network information to
connect to these networks and the provisioning of network settings to
connect to private wireless networks.



 -Original Message-
 From: Mearl Danner [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, September 15, 2005 10:53 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Guest access strategy
 
 Samford is in the process of establishing policies for 
 wireless access on campus.
 
 We have Airespace/Cisco 4100 controllers and are in the 
 process of deploying model 1100 APs in various areas around 
 campus. Using this hardware we are able to establish 
 different default ACLs for each SSID, and have successfully 
 applied custom ACLs using Radius (freeradius/eDirectory) reply items.
 
 We plan to provide restricted access to campus guests on an 
 open SSID and a higher default level of access on an 802.1x 
 authenticated SSID.
 
 We would like to make it a relatively simple process for 
 campus visitors to access the guest SSID, but make its 
 access restrictive enough to encourage members of the campus 
 community to go the extra steps required to configure for 802.1x.
 
 We'd appreciate any information on access strategies any list 
 members have implemented (or are considering).
 
 Thanks,
 
 
 
 
 
 Mearl Danner
 Systems Programmer
 [EMAIL PROTECTED]
 Samford University
 http://www.samford.edu
 


RE: [WIRELESS-LAN] 802.1x rollout

2005-09-15 Thread King, Michael
 - - is anyone using Active Directory as an authentication resource?

We are

 - - who's using native 802.1x supplicants versus who is 
 distributing additional software?  Of the latter group, any 
 recommendations? (my personal leanings are Funk's 802.1x 
 supplicant mated with the Open.com Radiator RADIUS server).

We're using WindowsXP/2k native supplicant.

It didn't exist at the time we committed to 802.1x, but I would look at
SecureW2 (http://www.securew2.com) very hard right now.  It's open
source as well.
SecureW2 3.1.0 now supports preconfiguration on Service Pack 2 allowing
Administrators to deploy SecureW2 more easily. SecureW2 3.1.0 also
contains the first SecureW2 Gina allowing users to authenticate using
their interactive logon credentials.

We're using FreeRADIUS for a Radius server.



RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-08-18 Thread King, Michael
Funk has issued a fix for this problem, and is planning to have it
available by Monday.

Contact Alan Phillips [EMAIL PROTECTED] for further details.

 At 17:07 -0400 07/19/2005, King, Michael wrote:
 Can everyone that's using Funk SBR, and is Concerned with 
 the password 
 expiration on the Microsoft 802.1x client please Mail me off list.
 
 The Funk Bug ID is 5429, and Funk has stated that we are the only 
 people to ever experience this problem.
 
 The Product Manager of SBR has asked me to have people contact him.
 
 We opened a case with Funk referencing your bug ID.  We were 
 told that the bug is slated to be fixed with the 5.3 release 
 of SBR.  Beta is scheduled for the end of August, general 
 release in September/October timeframe.



RE: [WIRELESS-LAN] WLAN Analysis Tools

2005-07-18 Thread King, Michael
 
 We're looking for help from current WLAN managers. You can 
 either provide general input or answer the following two 
 questions. I hope in most cases you would be willing to post 
 your thoughts publicly, but if you have comments that are of 
 a sensitive nature, you can e-mail me directly.
 
 1. What are the most common WLAN problems you face, either in 
 the design or operation of your network, for which WLAN 
 analysis tools might be helpful?

Bridging of the wired and wireless interface, and interference from
Rogue/Ad Hoc Wireless Networks.

 
 2. Which specific available tools -- commercial or otherwise 
 -- are most helpful in allowing you to do your job?

Ethereal, Allows packet capture and basic decodes on wireless frames.
Ekahau Site Survey.  Site Survey tool that also is very good at
detecting hidden networks (With appropriate card)
Network Stumbler.  



RE: [WIRELESS-LAN] Apple Airport 4.2 software

2005-07-15 Thread King, Michael
Hmm..


Anyone have a Verisign/Thawte/Somebody Top level CA and a Mac to test this
on? 

We use self-generated CAs here as well, so this will be a problem for us
as well.

 -Original Message-
 From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, July 14, 2005 5:48 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Apple Airport 4.2 software
 
 
 Apple released version 4.2 of their Airport software today.  
 Most notably, it adds WPA2 support.
 
 However, after applying the update to my Mac OS X 10.3.9 
 laptop, I can no longer get it to trust the test certificates 
 that we generated for testing out 802.1X and EAP-PEAP.  
 Earlier today with the Airport 4.1.1 software, everything was 
 fine after I imported the test root certificate and accepted 
 the server cert.  I can get connected now with the 4.2 
 software, but the computer asks me every time to verify the 
 server certificate, claiming that the root certificate is 
 untrusted
 
 
 -- 
 Julian Y. Koh
 mailto:[EMAIL PROTECTED]
 Network Engineer
 phone: 847-467-5780
 Telecommunications and Network Services, Northwestern University
 PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
 


RE: [WIRELESS-LAN] Peap info

2005-06-24 Thread King, Michael
 
 One quick warning here.  Be very careful about running Steel Belted
 RADIUS on Windows doing domain authentication or IAS in an environment
 where the machines authenticating via 802.1x are *not* domain member
 machines with users logging in via domain accounts.  The builtin WinXP
 supplicant refuses to reprompt the user for his new password if his
 domain password is changed.  It keeps trying to auth with the old
 password, resulting in an eventual account lockout.  You have to
 actually remove the registry key that contains the cached network
 credentials to get the machine to stop attempting to auth with the bad
 credentials.  The only ways to get around this are to a) make sure all
 machines are domain members and the users are logging in with their
 domain accounts or b) don't use IAS or SBR.  We use FreeRADIUS, and we
 don't have this problem with our student laptops.
 

Michael,

I have spoken extensively with Funk Software, and have managed to delve
into why this is different between FreeRadius and Steel Belted Radius.

FreeRadius - 
When a password is bad (fail MS-CHAPv2), the FreeRadius server will send
an EAP-Failure inside the EAP-PEAP tunnel, then send a second payload of
an EAP-Failure.

Steel-Belted Radius -
When a password is bad (fail MS-CHAPv2), the SBR server will ONLY send
an EAP-Failure, it will not send the EAP-Failure inside the EAP-PEAP
tunnel, basically, it skips a step.

Apparently, the EAP-Failure inside the EAP-PEAP tunnel is what triggers
the XP client that the password is wrong and it should reprompt.

Funk has told me they will open a case with engineering to have it
addressed in their code, but I have no timetable.  Maybe if people using
Funk products would call them and push them for the same problem I did,
it might get a little more of a push.

Michael King
Bridgewater State College
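
How the retry loop discussed in this message looks from the RADIUS server's logs, as an added example that is not part of the original thread: a device that earlier got an Access-Accept for a user and then produces a run of Access-Rejects with no success in between is probably replaying a cached password. The log line format, the `warn_at` threshold and the time window are assumptions; set `warn_at` below your domain's lockout threshold so the help desk hears about it first.

```python
# Added example: flag (user, MAC) pairs that look like a supplicant replaying
# a stale cached password, using a simplified authentication log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format is an assumption, not any RADIUS
# server's native log layout.
SAMPLE_LOG = """\
2005-06-24T08:00:00 user=jdoe mac=00-11-22-33-44-55 result=Access-Accept
2005-06-24T08:30:00 user=asmith mac=00-11-22-66-77-88 result=Access-Reject
2005-06-24T08:30:20 user=asmith mac=00-11-22-66-77-88 result=Access-Accept
2005-06-24T09:00:00 user=jdoe mac=00-11-22-33-44-55 result=Access-Reject
2005-06-24T09:01:00 user=jdoe mac=00-11-22-33-44-55 result=Access-Reject
2005-06-24T09:02:00 user=bnew mac=00-11-22-99-aa-bb result=Access-Reject
2005-06-24T09:02:05 user=jdoe mac=00-11-22-33-44-55 result=Access-Reject
2005-06-24T09:02:30 user=bnew mac=00-11-22-99-aa-bb result=Access-Reject
2005-06-24T09:03:00 user=bnew mac=00-11-22-99-aa-bb result=Access-Reject
2005-06-24T09:03:10 user=jdoe mac=00-11-22-33-44-55 result=Access-Reject
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, user, mac, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["mac"], kv["result"]


def find_stale_credential_loops(log_text, warn_at=3, window_minutes=30):
    """Return pairs that authenticated successfully at some point and have
    since produced warn_at or more rejects, each within the window of the
    latest one, with no accept in between.

    Requiring an earlier accept is a heuristic: it separates a machine whose
    saved password went stale from a first-time user mistyping a password.
    """
    window = timedelta(minutes=window_minutes)
    had_accept = set()            # pairs that have succeeded at least once
    rejects = defaultdict(list)   # pair -> timestamps of the current reject run
    flagged = {}                  # pair -> size of the reject run

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, mac, result = parse_line(line)
        key = (user, mac)
        if result == "Access-Accept":
            had_accept.add(key)
            rejects[key].clear()
            flagged.pop(key, None)    # the loop ended; stop reporting it
        elif result == "Access-Reject":
            recent = [t for t in rejects[key] if ts - t <= window] + [ts]
            rejects[key] = recent
            if key in had_accept and len(recent) >= warn_at:
                flagged[key] = len(recent)

    return [{"user": u, "mac": m, "rejects": n}
            for (u, m), n in sorted(flagged.items())]


if __name__ == "__main__":
    for hit in find_stale_credential_loops(SAMPLE_LOG):
        print(hit)
```

In the sample, only the device that had previously succeeded is reported; the user who mistyped once and the device that never authenticated are left alone.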



RE: [WIRELESS-LAN] Peap info

2005-06-24 Thread King, Michael
 

 -Original Message-
 From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED] 
 Sent: Friday, June 24, 2005 3:59 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Peap info
 The students were unable to log on to the laptop 
 since their credentials were not cached.  We used the 
 Meetinghouse client to authenticate with AD during the boot 
 up process as a workaround.  

The feature you were looking for was 

Below the box where you select PEAP or Smartcard, there is a check box
marked
Authenticate as a computer when computer information is available

I'm not sure how to set it up on IAS, but on Steel Belted Radius it was
Allow Machine Accounts.

Then the Computer account in Active Directory will provide network
access, until the user logs in, then the user credentials will replace
it during the logon process.
There is also a registry key that controls this, so you can always use
the machine account if you want to.



RE: [WIRELESS-LAN] mixing 'b' and 'g'

2005-05-12 Thread King, Michael
 Close.

.11b is of course 11meg

.11g goes to compatibility mode, and drops down to something in the
order of 19meg.

 -Original Message-
 From: 802.11 wireless issues listserv 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mike Yohe
 Sent: Thursday, May 12, 2005 4:42 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] mixing 'b' and 'g'
 
 I am not a wireless network expert, but it is my 
 understanding that a b connection to a WAP slows all traffic 
 on that WAP to b speed.
 
 - Mike



RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-05-11 Thread King, Michael
Still working with FUNK. 

I have confirmed that by building a FreeRADIUS server, it will prompt
for the password if it's wrong, or if it changes.

FreeRADIUS at this time cannot perform machine account authentications,
but it supports proxying them off to another RADIUS server (for example,
IAS, or FUNK)

I'll post more when I know it.

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, April 26, 2005 11:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Michael, it sounds like you're on to something with Funk.

If Microsoft could just patch/fix their IAS regarding this issue the
whole 802.1X thing would be a lot better for wireless users.

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Tuesday, April 26, 2005 8:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

I did some digging.

For my implementation (Funk SBR) It looks like when my users put a bad
password, the Statistics counter increments Insufficient resources.
When I disable authentication (by removing the authentication method) it
starts incrementing Failed Authentication and my Windows XP client
prompts me for a new password.

I'm awaiting a callback from funk on how to fix this for my server

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 6:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Actually, a packet capture would likely be of little use.  What's most
likely different in the response from a FreeRADIUS server versus an IAS
server (that manifests itself in the does-a-user-get-a-password-prompt
question anyway) is the MSCHAPv2 response.  Since this response is
tunneled inside TLS, a packet capture would not show anything useful.

--Mike


King, Michael wrote:

Anyone have FreeRadius?  I'm sure this can be answered with a packet 
capture.  (The message the client is receiving)

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 3:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Are you running SBR on Windows doing full domain authentication?  I 
wouldn't be surprised if SBR on Windows doing domain authentication is 
using some of the same API services that IAS is causing it to have the 
same difficulty.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



King, Michael wrote:


Interesting.  I joined the list just because of this issue.

I'm running on Funk SBR and it does not appear that the client is 
prompting for a new password.

Could it be in the answerback that the radius server is sending?

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Monday, April 25, 2005 2:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

I attended Mike Griego's excellent online webinar today (courtesy of 
EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly 
prompts for a new password to be entered, which is not the case with 
IAS.

Can anyone else confirm that?

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, January 25, 2005 10:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Can Mike and Katie report to the group what kind of access points and 
software revisions they are running?

My aide in this diagnosis suspects it could be some kind of
communication flow between the AP and the client that causes some WLAN
systems to prompt for the credentials and others not to.

Regards,

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
Griego
Sent: Tuesday, January 25, 2005 10:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

No problem.  If the credentials they use to login to their personal
machines (username and password only... domain/machine name is
discarded), then they can leave the use my Windows login box checked.
I have tested this and it does work.  Of course, if the credentials
get out of sync (perhaps by a password change in AD), then I suppose
it would produce the symptoms seen by Katy.  Removing the credentials
cache key in the registry, however, would not solve this problem.

Anyway, we don't tell our users to do this.  With the use my Windows
login unchecked, even

RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-04-26 Thread King, Michael
I did some digging.

For my implementation (Funk SBR) It looks like when my users put a bad
password, the Statistics counter increments Insufficient resources.
When I disable authentication (by removing the authentication method) it
starts incrementing Failed Authentication and my Windows XP client
prompts me for a new password.

I'm awaiting a callback from funk on how to fix this for my server

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 6:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Actually, a packet capture would likely be of little use.  What's most
likely different in the response from a FreeRADIUS server versus an IAS
server (that manifests itself in the does-a-user-get-a-password-prompt
question anyway) is the MSCHAPv2 response.  Since this response is
tunneled inside TLS, a packet capture would not show anything useful.

--Mike


King, Michael wrote:

Anyone have FreeRadius?  I'm sure this can be answered with a packet 
capture.  (The message the client is receiving)

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 3:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Are you running SBR on Windows doing full domain authentication?  I 
wouldn't be surprised if SBR on Windows doing domain authentication is 
using some of the same API services that IAS is causing it to have the 
same difficulty.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



King, Michael wrote:


Interesting.  I joined the list just because of this issue.

I'm running on Funk SBR and it does not appear that the client is 
prompting for a new password.

Could it be in the answerback that the radius server is sending?

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Monday, April 25, 2005 2:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

I attended Mike Griego's excellent online webinar today (courtesy of 
EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly 
prompts for a new password to be entered, which is not the case with 
IAS.

Can anyone else confirm that?

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, January 25, 2005 10:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Can Mike and Katie report to the group what kind of access points and 
software revisions they are running?

My aide in this diagnosis suspects it could be some kind of
communication flow between the AP and the client that causes some WLAN
systems to prompt for the credentials and others not to.

Regards,

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
Griego
Sent: Tuesday, January 25, 2005 10:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

No problem.  If the credentials they use to login to their personal
machines (username and password only... domain/machine name is
discarded), then they can leave the use my Windows login box checked.
I have tested this and it does work.  Of course, if the credentials
get out of sync (perhaps by a password change in AD), then I suppose
it would produce the symptoms seen by Katy.  Removing the credentials
cache key in the registry, however, would not solve this problem.

Anyway, we don't tell our users to do this.  With the use my Windows
login unchecked, even if the credentials happen to match, I have never seen
the XP supplicant *not* ask for credentials, so they should get asked
for their username and password in this scenario regardless.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Frank Bulk wrote:



Mike:

My apologies for misunderstanding your response.

What happens if their personal credentials match the network
credentials?



Frank

-Original Message-
From: 802.11 wireless issues listserv 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
Griego
Sent: Tuesday, January 25, 2005 8:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Frank,

I very much understood Katy's question.  As for us, this is an issue
we simply have not run into.  I have always seen the XP supplicant
re-ask for credentials if its attempts to use cached credentials fail.
That's why I provided the link to our setup pages, in case our client
setups differed from

RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-04-25 Thread King, Michael
Interesting.  I joined the list just because of this issue.

I'm running on Funk SBR and it does not appear that the client is
prompting for a new password.

Could it be in the answerback that the radius server is sending? 

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Monday, April 25, 2005 2:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

I attended Mike Griego's excellent online webinar today (courtesy of
EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly
prompts for a new password to be entered, which is not the case with
IAS.

Can anyone else confirm that?

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, January 25, 2005 10:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Can Mike and Katie report to the group what kind of access points and
software revisions they are running?

My aide in this diagnosis suspects it could be some kind of
communication flow between the AP and the client that causes some WLAN
systems to prompt for the credentials and others not to.

Regards,

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Tuesday, January 25, 2005 10:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

No problem.  If the credentials they use to login to their personal
machines (username and password only... domain/machine name is
discarded), then they can leave the use my Windows login box checked.
  I have tested this and it does work.  Of course, if the credentials
get out of sync (perhaps by a password change in AD), then I suppose it
would produce the symptoms seen by Katy.  Removing the credentials cache
key in the registry, however, would not solve this problem.

Anyway, we don't tell our users to do this.  With the use my Windows
login unchecked, even if the credentials happen to match, I have never seen
the XP supplicant *not* ask for credentials, so they should get asked
for their username and password in this scenario regardless.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Frank Bulk wrote:
 Mike:

 My apologies for misunderstanding your response.

 What happens if their personal credentials match the network
 credentials?

 Frank

 -Original Message-
 From: 802.11 wireless issues listserv
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael 
 Griego
 Sent: Tuesday, January 25, 2005 8:50 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

 Frank,

 I very much understood Katy's question.  As for us, this is an issue 
 we simply have not run into.  I have always seen the XP supplicant 
 re-ask for credentials if its attempts to use cached credentials fail.
 That's why I provided the link to our setup pages, in case our client 
 setups differed from hers in any way that could be helpful.  The only 
 time our help desk staff have had to perform the registry key removal 
 is if they have used their personal credentials to test authentication
 and succeeded, causing the user's laptop to cache those credentials.

 --Mike

 ---
 Michael Griego
 Wireless LAN Project Manager
 The University of Texas at Dallas



 Frank Bulk wrote:

Mike:

Katie's question is not if 802.1x can be rolled out with AD, but 
what's challenging her is that upon changing the password the user is 
not re-asked for their credentials.  Is that an issue you've been able
to overcome?

Regards,

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
Griego
Sent: Tuesday, January 25, 2005 6:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Hi, Frank,

Actually, I would disagree with this statement.  We have the system 
working quite well here at UTD.  Most of our students are using the 
built in Windows supplicant on machines we have no control of, and the
users are not authenticated off of our AD forest.

Take a look at
http://www.utdallas.edu/ir/cats/network/wlan/8021x/index.html.  These
are the instructions we give our users for setting up their OSes for
802.1x.  They include instructions for WinXP, Win2K, MacOS 10.3+, and Linux.


--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Frank Bulk wrote:


Katie:

This is not from me, but from someone who has had experience with
this:

Unless they have an Active Directory backend (and can therefore use 
computer authentication and use their windows logon credentials for
802.1x) there 

RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-04-25 Thread King, Michael
Anyone have FreeRadius?  I'm sure this can be answered with a packet
capture.  (The message the client is receiving) 

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 3:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Are you running SBR on Windows doing full domain authentication?  I
wouldn't be surprised if SBR on Windows doing domain authentication is
using some of the same API services that IAS is, causing it to have the
same difficulty.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



King, Michael wrote:
 Interesting.  I joined the list just because of this issue.

 I'm running on Funk SBR and it does not appear that the client is 
 prompting for a new password.

 Could it be in the answerback that the radius server is sending?

 -Original Message-
 From: 802.11 wireless issues listserv
 [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
 Sent: Monday, April 25, 2005 2:57 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

 I attended Mike Griego's excellent online webinar today (courtesy of 
 EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly 
 prompts for a new password to be entered, which is not the case with 
 IAS.

 Can anyone else confirm that?

 Frank

 -Original Message-
 From: 802.11 wireless issues listserv
 [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
 Sent: Tuesday, January 25, 2005 10:49 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

 Can Mike and Katie report to the group what kind of access points and 
 software revisions they are running?

 My aide in this diagnosis suspects it could be some kind of 
 communication flow between the AP and the client that causes some WLAN
 systems to prompt for the credentials and others not to.

 Regards,

 Frank

 -Original Message-
 From: 802.11 wireless issues listserv
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael 
 Griego
 Sent: Tuesday, January 25, 2005 10:57 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

 No problem.  If the credentials they use to login to their personal 
 machines (username and password only... domain/machine name is 
 discarded), then they can leave the use my Windows login box checked.
 I have tested this and it does work.  Of course, if the credentials 
 get out of sync (perhaps by a password change in AD), then I suppose 
 it would produce the symptoms seen by Katy.  Removing the credentials 
 cache key in the registry, however, would not solve this problem.

 Anyway, we don't tell our users to do this.  With the use my Windows 
 login unchecked, even if the credentials happen to match, I have never seen 
 the XP supplicant *not* ask for credentials, so they should get asked 
 for their username and password in this scenario regardless.

 --Mike

 ---
 Michael Griego
 Wireless LAN Project Manager
 The University of Texas at Dallas



 Frank Bulk wrote:

Mike:

My apologies for misunderstanding your response.

What happens if their personal credentials match the network
credentials?

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
Griego
Sent: Tuesday, January 25, 2005 8:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Frank,

I very much understood Katy's question.  As for us, this is an issue 
we simply have not run into.  I have always seen the XP supplicant 
re-ask for credentials if its attempts to use cached credentials fail.
That's why I provided the link to our setup pages, in case our client 
setups differed from hers in any way that could be helpful.  The only 
time our help desk staff have had to perform the registry key removal 
is if they have used their personal credentials to test authentication
and succeeded, causing the user's laptop to cache those credentials.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Frank Bulk wrote:


Mike:

Katie's question is not if 802.1x can be rolled out with AD, but 
what's challenging her is that upon changing the password the user is
not re-asked for their credentials.  Is that an issue you've been able
to overcome?


Regards,

Frank

-Original Message-
From: 802.11 wireless issues listserv 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
Griego
Sent: Tuesday, January 25, 2005 6:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Hi, Frank,

Actually, I would disagree with this statement.  We have the system