A Change of Scenery

2007-07-15 Thread Ruiz, Mike
Over the years I have enjoyed engaging with the members of this list.  Recently 
I have decided to accept a position outside of Higher Education as a Systems 
Engineer with Meru Networks.  While education will always remain a passion and 
while I may someday return, I have had an exciting time working with the Meru 
product line over the past 18 months at Hobart and William Smith.
 
I will keep up with the list from my personal email account ([EMAIL 
PROTECTED]).   Should anyone ever need a straight perspective from someone who 
has lived on both sides of the proverbial fence, I will be there.  Likewise 
should anyone be interested in the Meru Wi-Fi products I would be happy to help 
ensure you get the support you want.
 
Thanks to all for a great run,
Mike
 
 
-
Michael G. Ruiz, ESSE ACP-Altiris ACP-Aventail A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Cisco vs. Meru article

2007-06-14 Thread Ruiz, Mike
Jamie,

   My Meru network was one of the test networks used in the evaluation
of the product for that article.  While onsite the engineers were not
able, on the latest GA code, to verify any violation of the standard and
found no problems with good neighbor behaviours.  It is very important
to pay close attention to the raw data, which is available for download.


   Yes when Meru and Cisco co-exist the Meru network provides more
throughput to the clients.  The question though: Does that mean it is
not sharing the RF approximately equally?  Meru equivocally states that
the bandwidth difference, which can also be demonstrated in a
non-overlapping environment, is an effect of more efficient use of the
spectrum.

 

Mike

-
Michael G. Ruiz H'99 ESSE, ACP, A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
v.315.781.3711 f.315.781.3409
[EMAIL PROTECTED]
Skype:MichaelGRuiz
-

From: Jamie Savage [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 14, 2007 10:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco vs. Meru article

 


Hi, 
   The attached article was in the May 28th issue of Network Computing.
Regarding Meru vs. Cisco and the possibility of interference with
co-located APs.   I'd be interested in any commentary.  We're currently
a Cisco shop (autonomous APs) and realize we're heading for a forklift
wireless change in the near future (most of our fat APs can't be
converted to thin).  Even if Meru violates the 802.11 standard (as
claimed by Cisco), as we control the airspace on campus, I guess we
don't care if we cause interference issues with devices (ie..rogues)
that shouldn't be there in the first place. 

...comments anyone?...thx...J 



James Savage                  York University
Senior Communications Tech.   108 Steacie Building
[EMAIL PROTECTED]             4700 Keele Street
ph: 416-736-2100 ext. 22605   Toronto, Ontario
fax: 416-736-5701             M3J 1P3, CANADA




RE: [WIRELESS-LAN] Cisco vs. Meru article

2007-06-14 Thread Ruiz, Mike
Flexibility is paramount in any Wireless network.  We all want to build the 
minimum to meet the coverage and performance expectations for today and 
tomorrow.  The problem is what about day after tomorrow?  Once wireless kindles 
in minor uses and innovation begins then the usage patterns start to change.  
Of course there are the fixed laptop cart classrooms that make user density 
planning easy.  Ideally we would all deploy a maximum level of capacity at all 
locations -- if money were no object.  
 
This is, in my opinion, the most outstanding feature and benefit that Meru 
delivers above all others in the a/b/g and even in the n range.  
 
Where else can you paint for coverage with an access point that can handle 
between 128 clients.  *This is a tested number with VoWLAN phones by one of 
their clients*  Then take that paint for coverage model and deploy additional 
capacity on non-overlapping channels anywhere it is needed.  Now you've 
provided the optimal formula, the minimum to operate everywhere with the 
minimum costs (both financial and technical) to upgrade.  You don't sacrifice 
your tech staff's time to resurvey by changing power levels on micro or pico 
cells.  You don't waste resources buying more access points than you need.  You 
DO at absolute maximum deployment gain the ability to deploy EVERYWHERE in your 
environment the full 3 non-overlapping channels of b/g or the full 8-16 channels 
of a (depending on region), thus providing the absolute maximum possible 
bandwidth that either standard can supply for more clients per ap than any 
other vendor can support.
 
The added option of using centralized architecture with the ability to detach 
the dataplane of any AP from tunneled to bridged brings management and 
flexibility.  This way when you have multi-radio ap's capable of generating 
more bandwidth than you have deliverable to your controllers you don't have to 
decentralize your controllers, you have a choice.  With Meru when you do this 
you still get configuration and firmware maintenance from the central 
controller.
 
The various rules of thumb out there are wise but become less critical as 
scaling the network becomes less of a hassle and less of a cost.
 
Perhaps I've had too much Meru kool-aid but this is one case where there isn't 
too much of a good thing.  The data from their variety of clients bears it out 
quite well.
 
Mike
 
 
 
-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
P.315-781-3711  F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
 
 
Did you know that HWS Students, Faculty, Staff, Alums, etc
can purchase computers, accessories, electronics and software
at a discount through our partner CDW-G?  
http://www.cdwg.com/hws/
-
 



From: Brooks, Stan [mailto:[EMAIL PROTECTED]
Sent: Thu 6/14/2007 3:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article



Kevin -

I would caution against just looking at coverage for your high school 
deployment.  I would also consider your user density.  We originally went for 
coverage over capacity at our Law School deployment a couple of years ago.  
When the instructors discovered wireless coverage, they had their students 
all try opening web pages at once - 5 classrooms of about 120 students each 
that was covered by 4 APs.  Needless to say, not all the students were able to 
get on, much less surf to the web pages.  We use a rule of 20-30 maximum users 
per AP here at Emory; less if we expect any sort of multi-media traffic on the 
wireless network.

Personally, I definitely see value of a centralized architecture for as little 
as 6-10 APs.  The centralized systems allow for much easier configuration and 
management than fat APs, and it will give you a better view into your wireless 
network.

BTW - Emory is an Aruba shop with about 1525 APs and 21 controllers.

 - Stan Brooks - CWNA/CWSP
  Emory University
  Network Communications Division
  404.727.0226
  [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]
-Original Message-
From: Kevin Whitney [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 14, 2007 2:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco vs. Meru article

May be a little off subject but I would like to post question out there as it 
seems there are some happy Meru users here on this forum..

Any thoughts or advice on implementing/selecting a wireless system for use in a 
High School environment ?

Specifically, would love any feedback on pros/cons of a central controller 
based system (ie -Meru, Aruba, etc) vs installing Fat AP's around our building.

While our needs are quite simple I am sure, compared to the size of other 
users who have posted,  I can see there is a great deal of knowledge and 
experience in this area. Basic site surveys conducted here have 

RE: [WIRELESS-LAN] Site Survey Tools?

2007-02-19 Thread Ruiz, Mike
Steve,
We use the Meru EzRF Coverage Planner tool which is the Ekahau Site
Survey product.  It works well and is really easy to get used to.  Some
of our surveys we contracted out to folks and they were using the
Berkeley Varitronics handhelds.

Cheers-
Mike


-Original Message-
From: Steve Fletty [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 19, 2007 1:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Site Survey Tools?

Anyone using any site survey tools?

I'd be interested in hearing what you're using and how easy the tools 
are to use and what level of training is required.

--
Steve Fletty
Network Design Engineer
University of Minnesota
Networking  Telecomm



RE: [WIRELESS-LAN] Looking for alternative wireless solutions

2007-02-06 Thread Ruiz, Mike
To be clear and avoid confusion about Meru.  It offers the same features as 
a standard thin/controller based AP set with the ability to coordinate RF and 
thus use ALL available channels or a subset.  This allows a single channel 
deployment or the ability to provide one, two or all three channels 1/6/11 of 
b/g (or multiple a) EVERYWHERE with load balancing and lots of network side 
intelligence not client side.  Not to mention the bandwidth you recoup by 
reducing the co-channel interference in a cell and across cells.
 
Lots of folks hear single channel and think that is all it can do.  
 
Mike
 
-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
 



From: Wim Bos [mailto:[EMAIL PROTECTED]
Sent: Tue 2/6/2007 4:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Looking for alternative wireless solutions



Mike,

I would certainly add Proxim and HP to the list as well. They have a
very good priced 2.4-5 ghz access point and in combination with airwave
they are featurewise comparable to all the others.

Meru is indeed a completely different solution with the one radio channel.
In a separate email I will send you a pre release of a layer3 roaming
test we performed. That was performed on: Cisco, Aruba, Trapeze, Proxim,
Lancom (german supplier), HP and Colubris.

Wim Bos

-Original Message-
From: Mike Tennyson [mailto:[EMAIL PROTECTED]
Sent: dinsdag 6 februari 2007 22:01
To: wim
Subject: [WIRELESS-LAN] Looking for alternative wireless solutions

Washburn University is beginning the process of creating an RFI for a
new wireless network on our campus.  I currently have local contacts for
Cisco, Meru, Trapeze, Aruba and Motorola.  I am looking for a solution
that will cover our entire 160 acre campus end to end.  I am interested
in any vendor other than those I have already listed contacting me
personally.   If there are any users on this list who have had their
expectations exceeded by an alternative solution, I would greatly
appreciate your input.

Mike Tennyson
Washburn University

[EMAIL PROTECTED]



RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-01-31 Thread Ruiz, Mike
Lee,
   The Windows 802.1x supplicant operates by default with some annoying timers 
that are nearly always the cause of your #1 and #2 issue.  Essentially the 
system starts and the supplicant allows authentication as the computer account 
with a timer counting down.  IF the timer reaches zero before a user 
authentication event happens then the supplicant deauthenticates completely.  
Zero usually always comes before the user can even type in their 
username/password and press okay, or comes so closely after that bad things 
happen during login.  Oddly enough issue #3 can be related to this as well.
  
   I recommend you pick up a free utility called XTweak for Windows 2k/XP/2k3.  
It's written by Enterasys and is a free applet that gives you a GUI to tweak 
the hidden registry parameters for the MS 802.1x supplicant.  The great thing 
is that it also shows all the keys to you in the log output so you can quickly 
see what does what.  The utility will allow you to do computer only 
authentication which is great for labs, as well as tweaking how the 
user/computer handoff operates.  
http://www.enterasys.com/support/Tools2/XTweakSetup.exe
 
Cheers,
Mike
 
 
-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
P.315-781-3711  F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
 
 
Did you know that HWS Students, Faculty, Staff, Alums, etc
can purchase computers, accessories, electronics and software
at a discount through our partner CDW-G?  
http://www.cdwg.com/hws/
-
 



From: Lee Weers [mailto:[EMAIL PROTECTED]
Sent: Wed 1/31/2007 6:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Problems with Windows 802.1x supplicant



I'd appreciate any help I can get on my problems. 

Environment: 
I've setup a secure SSID that is using WPA-TKIP/WPA2-AES encryption.  The EAP 
type is PEAP and MS-CHAP-V2.  The wireless hardware is a mix of Aruba, and HP 
Procurve (thin).  The SSID name is the same on both vendors.  MS IAS is the 
Radius server with the Verisign wireless LAN certificate.  Laptops are XP SP2 
all fully patched through Nov 06 or newer.

The problems I am having are as follows: 

1.  A laptop that belongs to our domain, but the user has never logged into it 
before (so no cached credentials exist) it errors with the Domain is not 
available.  If cached credentials do exist then they get logged in.

2.  When the user gets logged in the login scripts may or may not run so drive 
may or may not be mapped. 

3.  Users who connect to the encrypted SSID take it home and connect to the 
wireless network at home, but then they don't get connected again when they 
come back.  The logs show that it is using the domainname\computername rather 
than domainname\username, hence access denied.  It doesn't seem to matter if 
the Authenticate as computer is checked or unchecked.

4.  UTStar vx6700 does not recognize the Verisign root certificate.  When we 
installed the Verisign root certificate again on the device it broke a bunch of 
other things like activesync and being able to make a wifi connection.

Other than #4, this is reproducible on Dell D510's, IBM Tablets, and other 
older laptops.  I have not seen these problems with the Mac iBook's.  It 
doesn't make a difference if the WPA2 patch (KB893357) is installed or not.

What I would like to see happen is the same behavior whether it is a wire 
connection to the network or using the wireless connection.  That was my 
interpretation as to the advantage of 802.1x.  We do not currently use 802.1x 
on the wired network.

Thank you, 
  
Lee Weers 
Assistant Director for Network Services 
Central College IT Services 
(641) 628-7675 



RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-01-31 Thread Ruiz, Mike
If someone has handy the GPO for this I'd be interested.  I would like to 
compare the changes made to the registry options for the supplicant.
 
 
-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
P.315-781-3711  F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
 
 
Did you know that HWS Students, Faculty, Staff, Alums, etc
can purchase computers, accessories, electronics and software
at a discount through our partner CDW-G?  
http://www.cdwg.com/hws/
-
 



From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Wed 1/31/2007 6:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant



We push a group policy to all of our machines to re-enable the 
Windows-2000-esque behavior that forces the client to wait until 
network connectivity is established before presenting the login 
screen.  I don't remember the exact GPO off the top of my head, but 
it does allow our wireless/802.1x clients to process domain 
credentials, login scripts, etc. as expected since a network 
connection is established before the user attempts to login.

--Mike


On Jan 31, 2007, at 5:40 PM, Ruiz, Mike wrote:

 Lee,
The Windows 802.1x supplicant operates by default with some 
 annoying timers that are nearly always the cause of your #1 and #2 
 issue.  Essentially the system starts and the supplicant allows 
 authentication as the computer account with a timer counting down.  
 IF the timer reaches zero before a user authentication event 
 happens then the supplicant deauthenticates completely.  Zero 
 usually always comes before the user can even type in their 
 username/password and press okay, or comes so closely after that 
 bad things happen during login.  Oddly enough issue #3 can be 
 related to this as well.

I recommend you pick up a free utility called XTweak for Windows 
 2k/XP/2k3.  It's written by Enterasys and is a free applet that 
 gives you a GUI to tweak the hidden registry parameters for the MS 
 802.1x supplicant.  The great thing is that it also shows all the 
 keys to you in the log output so you can quickly see what does 
 what.  The utility will allow you to do computer only 
 authentication which is great for labs, as well as tweaking how the 
 user/computer handoff operates.
 http://www.enterasys.com/support/Tools2/XTweakSetup.exe

 Cheers,
 Mike


 -
 Michael G. Ruiz, ESSE ACP A+
 Network and Systems Engineer
 Hobart and William Smith Colleges
 Information Technology Services

 P.315-781-3711  F.315-781-3409
 Team Leader: Derek Lustig ([EMAIL PROTECTED])


 Did you know that HWS Students, Faculty, Staff, Alums, etc
 can purchase computers, accessories, electronics and software
 at a discount through our partner CDW-G?
 http://www.cdwg.com/hws/
 -


 

 From: Lee Weers [mailto:[EMAIL PROTECTED]
 Sent: Wed 1/31/2007 6:00 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Problems with Windows 802.1x supplicant



 I'd appreciate any help I can get on my problems.

 Environment:
 I've setup a secure SSID that is using WPA-TKIP/WPA2-AES 
 encryption.  The EAP type is PEAP and MS-CHAP-V2.  The wireless 
 hardware is a mix of Aruba, and HP Procurve (thin).  The SSID name 
 is the same on both vendors.  MS IAS is the Radius server with the 
 Verisign wireless LAN certificate.  Laptops are XP SP2 all fully 
 patched through Nov 06 or newer.

 The problems I am having are as follows:

 1.  A laptop that belongs to our domain, but the user has never 
 logged into it before (so no cached credentials exist) it errors 
 with the Domain is not available.  If cached credentials do exist 
 then they get logged in.

 2.  When the user gets logged in the login scripts may or may not 
 run so drive may or may not be mapped.

 3.  Users who connect to the encrypted SSID take it home and 
 connect to the wireless network at home, but then they don't get 
 connected again when they come back.  The logs show that it is 
 using the domainname\computername rather than domainname\username, 
 hence access denied.  It doesn't seem to matter if the Authenticate 
 as computer is checked or unchecked.

 4.  UTStar vx6700 does not recognize the Verisign root 
 certificate.  When we installed the Verisign root certificate again 
 on the device it broke a bunch of other things like activesync and 
 being able to make a wifi connection.

 Other than #4, this is reproducible on Dell D510's, IBM Tablets, 
 and other older laptops.  I have not seen these problems with the 
 Mac iBook's.  It doesn't make a difference if the WPA2 patch 
 (KB893357) is installed or not.

 What I would like to see happen is the same behavior whether it is 
 a wire connection to the network or using the wireless connection.  
 That was my interpretation as to the advantage of 802.1x.  We do 
 not currently use 802.1x on the wired

RE: [WIRELESS-LAN] Vista Wireless Networking...

2007-01-25 Thread Ruiz, Mike
Justin,
We've been in testing with Vista for a while now and no one has
experienced similar issues.  Sorry.

Cheers,
Mike

-
Michael G. Ruiz H'99 ESSE, ACP, A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
v.315.781.3711 f.315.781.3409
[EMAIL PROTECTED]
Skype:MichaelGRuiz
-



-Original Message-
From: Justin Aharoni [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 25, 2007 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Vista Wireless Networking...

Well I'm just about at my wits end here.

We have a full installation of Vista running and I'm trying to get a
Belkin USB Wireless adapter working. For the life of me (and my
co-workers) I can't get it to work. It recognizes the network but
refuses to connect. All I get is the Limited or no connectivity error.
I'm reaching out to the community in hopes that someone has encountered
similar problems and knows of a fix. Much thanks.

Justin

-- 
~~~
Justin Aharoni
Network Security Specialist
Albert Einstein College of Medicine
1300 Morris Park Ave. Belfer 1402
Bronx, NY  10461
Phone: (718) 430-3774
Fax: (718) 430-4030
Email: [EMAIL PROTECTED]
~~~



RE: [WIRELESS-LAN] Is anybody using (IAS) internet authentication service for RADIUS?

2007-01-10 Thread Ruiz, Mike
Microsoft RADIUS does PEAP and TLS not just PEAP.  For us and over 2500
users authenticating on wired and wireless ports IAS works great.

We have Windows, MAC OS X clients as well as port authentication from
Enterasys hardware authenticating against it.

Mike
 

-Original Message-
From: Wim Bos [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 10, 2007 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Is anybody using (IAS) internet
authentication service for RADIUS?

Nick,

I miss Radiator in your list. A  basic pentium4 based server would cover
your needs as far as hardware is concerned.
All will work correctly.

The Microsoft radius server only does peap. The issue with that it needs
a very controlled client setup. Not all windows solutions work nicely.

The other configuration that is typically used is radiator or free
radius or openradius in combination with secureW2 (www.securew2.com).
All these radius servers can make a connection to windows AD to check
username-PW.

Just as a note. It is possible to show the usernames instead of mac
addresses in Airwave by connecting the airwave as a billing server to
the radius server. 

Wim Bos

-Original Message-
From: Urrea, Nick [mailto:[EMAIL PROTECTED] 
Sent: woensdag 10 januari 2007 21:31
To: wim
Subject: [WIRELESS-LAN] Is anybody using (IAS) internet authentication
service for RADIUS?

I want to setup a RADIUS server here at UC Hastings 
Is anybody using IAS in Windows Server 2003 for their RADIUS server?
Is there a recommended solution from Microsoft to Install WPA / 802.1x
Free Radius vs. a Microsoft Solution.
Also what is the volume of users you have accessing the RADIUS server.
What would be a suggested hardware requirement for 800 users

We currently have a Bluesocket Solution with an Airwave AMP managing
Cisco 1231 APs in Thick mode.

Bluesocket allows you to do 802.1x pass through for authentication. We
use the Bluesocket for QoS, Firewall, and DHCP. 

--
Nicholas Urrea
IT Department 
UC Hastings College of the Law
[EMAIL PROTECTED]
415-565-4718



RE: [WIRELESS-LAN] authentication policy question

2007-01-08 Thread Ruiz, Mike
If you're using PAP then the password is fair game at any step along the
way.  You need to look into another EAP type.

 

Mike

Michael G Ruiz
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
v 315.781.3711 f 315.781.3409

From: Matt Ashfield [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 2:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] authentication policy question

 

The authentication process works correctly, it is more the issue of the
Radius server seeing the cleartext password and that it could
potentially be seen by those who have or gain access to the radius
server.

 

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-Original Message-
From: Lelio Fulgenzi [mailto:[EMAIL PROTECTED] 
Sent: January 8, 2007 3:18 PM
To: [EMAIL PROTECTED]; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] authentication policy question

 

There is a Windows hotfix to allow windows PEAP clients to authenticate
to non-windows radius servers. Perhaps that is what you are running
into?

 

http://support.microsoft.com/kb/885453

 



Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^ 
I can eat fifty eggs. Nobody can eat fifty eggs.

- Original Message - 

From: Matt Ashfield mailto:[EMAIL PROTECTED]  

To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 

Sent: Monday, January 08, 2007 2:13 PM

Subject: [WIRELESS-LAN] authentication policy question

 

Hi All

We're in the process of setting up our wireless system to use radius
authentication against our usernames/passwords which are stored in LDAP.

We have come across an issue in testing the radius server. We are using
Freeradius.

The way we have this setup is quite standard (I hope). The user
associates to the AccessPoint (AP) and is prompted for authentication
credentials for access to the network. The AP sends the client's
username/password credentials to the Radius server. This connection is
secured. The Radius server then attempts to bind to the ldap server
(again, a secured connection) using the clients credentials.

The issue we have is when running the Radius server in debug mode with
full log-level, we see the client's username and password in clear-text
as it attempts to bind to the LDAP server. Certainly we could change the
debug mode level to not see this, but the fact that the ability to see
that is available is troubling. I'm sure many others on this list use
FreeRadius and I'm wondering what sort of policies you have in place to
address this security risk. Anyone with high-level access to the box
could certainly login, make a change to the debug level and capture
sensitive login information.

Any advice/feedback is appreciated.

Thanks

Matt Ashfield
[EMAIL PROTECTED] 
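
Why the RADIUS server in this thread is able to log the password at all: with PAP the access point only hides the User-Password attribute with an MD5 keystream derived from the shared secret (RFC 2865, section 5.2), and the server reverses that to cleartext before it binds to LDAP. The sketch below is an added example, not part of the original thread and not FreeRADIUS code; the function names, shared secret, Request Authenticator and password are all constructed for illustration.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is processed in 16-octet blocks

# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_SECRET = b"constructed-shared-secret"   # AP <-> RADIUS shared secret
SAMPLE_REQUEST_AUTH = bytes(range(16))         # 16-octet Request Authenticator
SAMPLE_PASSWORD = b"constructed-pass-20c"      # 20 octets, pads to 32


def xor_block(data: bytes, keystream: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(a ^ b for a, b in zip(data, keystream))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the AP (NAS) does before sending a PAP Access-Request.

    c(1) = p(1) XOR MD5(secret + request_auth)
    c(i) = p(i) XOR MD5(secret + c(i-1))
    """
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets, as the RFC requires.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher_block = xor_block(padded[i:i + BLOCK], keystream)
        hidden += cipher_block
        prev = cipher_block  # next block is chained on this ciphertext
    return bytes(hidden)


def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does on receipt: undo the hiding.

    Anyone holding the shared secret and a captured Access-Request can do
    the same, which is why the server (and its debug log) sees cleartext.
    """
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("hidden password must be 16..128 octets, multiple of 16")
    clear = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        cipher_block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        clear += xor_block(cipher_block, keystream)
        prev = cipher_block
    # Strip the NUL padding (a password ending in NUL would lose those octets).
    return bytes(clear).rstrip(b"\x00")


if __name__ == "__main__":
    wire = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_REQUEST_AUTH)
    print("on the wire :", wire.hex())
    print("at the server:", recover_user_password(wire, SAMPLE_SECRET, SAMPLE_REQUEST_AUTH))
```

Because the server must hold the cleartext to perform the LDAP bind, lowering the debug level only hides it from the log; it does not remove it from the server's memory or from anyone who can change the configuration.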



RE: [WIRELESS-LAN] Meru Wireless AP's Intel Wireless Cards

2006-12-11 Thread Ruiz, Mike
I wasn't sure if this got posted to this thread or not.

http://www.intel.com/support/wireless/wlan/sb/cs-006205.htm

Mike


-Original Message-
From: Brandon Pinsky [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 11, 2006 12:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meru Wireless AP's  Intel Wireless Cards

Any updates on this?

Thanks,

===
BJ Pinsky
Manager, Network Engineering Project Mgmt.
Network Infrastructure, Columbia University IT (CUIT)
212.854.7962


On Dec 5, 2006, at 1:34 PM, debbie fligor wrote:

 On Dec 5, 2006, at 12:18, Jack Vizelter wrote:

 Recently, our users have been having issues in connecting to our Meru
 Wireless AP's on campus.  These users were using the latest Intel Pro
 wireless cards on their laptops.  The fix that Meru support suggested
 of disabling the power save mode on the cards does not work 100% of
 the time.  Upgrading the latest firmware/drivers for the wireless
 cards do not work 100% all the time as well.  Plus, certain Mac's are
 having same problems.  With Mac's, we've noticed that an older
 firmware has no issues, where a laptop with the latest is
 experiencing the disconnect problems.

 We saw similar issues, but thought that the workaround provided by  
 Meru had been working. I just was told yesterday that no, a number  
 of people are still having problems.  I don't have any good answers  
 for you, since we're just starting to ask some of these questions.



 Basically a laptop can connect, it says it's connected with a good
 signal, but can't get online.  If one can get online, the connection
 is lost in about a minute or so.

 There are two things that we've noticed when this had started.

 1. The Meru software was upgraded to the latest version recently
 2. The Meru switches are almost maxed on the # of AP's allowed per.

 We had a handful of Fujitsu & Lenovo laptops internally within IT
 that had connectivity problems prior to the software upgrade on the
 Meru controllers and an upgrade of the firmware/drivers resolved the
 problem.

 We have open tickets with various vendors (Dell, Lenovo, HP, etc) as
 well and aren't getting anywhere with them.

 Is anyone else experiencing similar problems with Meru wireless AP's
 and connectivity?

 Thnx,
 -jack

 ^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^
 Jack Vizelter
 Help Desk  Audio/Visual Manager
 Information Technology
 212.327.7573 (Direct)
 212.327.8712 (Fax)
 mailto:[EMAIL PROTECTED]

 The Rockefeller University
 1230 York Avenue, Box 175
 New York, NY 10021

 http://www.rockefeller.edu
 http://it.rockefeller.edu
 http://itmd.rockefeller.edu
 ^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^


 -
 -debbie
 Debbie Fligor, n9dn   Network Engineer, CITES, Univ. of Il
 email: [EMAIL PROTECTED]  http://www.uiuc.edu/ph/www/fligor
 Every keystroke can be monitored. And the computers never forget.



Intel NIC's and Setting CAM Mode bug

2006-12-08 Thread Ruiz, Mike
http://www.intel.com/support/wireless/wlan/sb/cs-006205.htm

 

 

It appears that disabling Power Savings (i.e. setting CAM mode) may not
actually set CAM mode the first time.

Mike

Michael G Ruiz
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
v 315.781.3711 f 315.781.3409

 

 




RE: [WIRELESS-LAN] Frequent reassociations/reauthentications in 802.1x WLAN

2006-09-28 Thread Ruiz, Mike
Old driver versions can seriously hurt the performance of any wireless
network given various issues and various configurations.  This is the
very reason that a smarter wireless infrastructure is key in minimizing
problems and maximizing performance.  This is also one of the points in
our evaluation protocol that led us to Meru.


Michael G Ruiz ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
v 315.781.3711 f 315.781.3409



-Original Message-
From: Emerson Parker [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 28, 2006 8:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Frequent reassociations/reauthentications in
802.1x WLAN

Here's an example of the Intel 2100 roaming algorithm.  This is an old
card and EOL'd but it sheds some light on why it has major problems...

When the device driver first connects, a timer is started - a roam will
not occur until the timer expires. As the connection quality may
degrade, the timer is reduced (13 minutes, 4 minutes, 2 minutes, 30
seconds, then 10 seconds). Example: Two AP's 150' apart. The user is near
AP1 and makes connection. Timer is initially set to 13 minutes. The user
moves towards AP2. The signal quality to AP1 decreases and the timer
drops to 4 minutes, and then 2 minutes as the user comes near AP2. So
now the user is near AP2 and still connected to AP1 (with a decent
connection, so the timer does not decrease further) - the roam to AP2
will not occur until the 2 minute timer expires. There are no
adjustments to the roaming behavior.

Old driver versions make most wireless NICs perform extremely badly in a
dense deployment.

-Emerson

-Original Message-
From: Shumon Huque [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 27, 2006 4:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Frequent reassociations/reauthentications in
802.1x WLAN

We rolled out a WPA/802.1x authenticated WLAN to our student residences
this semester. We're using EAP-TTLS with PAP as the inner authentication
protocol. The EAP servers are a set of centralized RADIUS servers that
perform Kerberos5 password verification to our KDCs in the backend.

We've noticed several problems that we didn't observe when we had it
running on a much smaller scale in our own offices.
A large number of users seem to be repeatedly authenticating, some of
them as frequently as every 30 seconds or every few minutes. Some
debugging revealed that these users are frequently oscillating their
associations between a number of different access points. A smaller
number of users keep reassociating with the same access point. This is
causing a very large load on the authentication server infrastructure,
which we've temporarily worked around by load balancing the APs across
additional RADIUS servers. 

However, we're also assuming that this is causing lots of user visible
performance problems due to roaming latency (scan, reassociate,
authenticate, 802.11i handshake, DHCP address acquisition etc).
Surprisingly, not many users have complained. Perhaps they are only
browsing the web or using other non-interactive apps which can tolerate
delay. Or they might simultaneously have a wired ethernet connection.

Is frequent reassociation the normal behavior in a dense deployment of
APs? I can understand that it might be for highly mobile stations like
wireless VoIP phones. But our environment is composed of mostly
stationary wireless laptops in student rooms. My assumption was that
roaming  typically happened when a user moves towards a stronger signal
AP and at some configured signal quality threshold, the station started
scanning for a better AP. Am I wrong?

Or is this more likely something in our radio environment or
insufficient coverage etc? Our wireless LAN engineers are currently
investigating this, but I'd be interested to hear the experience of
others.

Do we need a fast roaming solution to deal with this? Having access
points and stations able to cache the PMK (Pairwise Master Key) would
probably help the best, as that would allow them to often establish a
secure association without conducting a heavyweight authentication
dialog with the RADIUS server. But I'm not sure if access points or
typical endstations support this. TLS session resumption will probably
help a bit also (if supported).

We use Cisco Aironet 1200/1100 access points. The clients are mostly PCs
running SecureW2, Macs running with the built-in EAP-TTLS/802.1x support
in Mac OS X, and a smaller number of Linux machines.

Thanks for any advice!
---
Shumon Huque                            3401 Walnut Street, Suite 221A,
Network Engineering                     Philadelphia, PA 19104-6228, USA.
Information Systems & Computing         (215)898-2477, (215)898-9348 (Fax)
University of Pennsylvania / MAGPI.     E-mail: shuque -at- isc.upenn.edu
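
The symptom described in this thread (stations re-authenticating every 30 seconds to a few minutes, some oscillating between access points and some returning to the same one) can be measured from authentication records. The following is an added example, not part of the original posts: the record layout, user and AP names, sample data and thresholds are all constructed assumptions.

```python
"""Flag 802.1X stations that re-authenticate unusually often."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records, one full authentication per line:
#   <ISO timestamp> <user> <station MAC> <AP name>
# This layout is an assumption for the example, not a RADIUS server's format.
SAMPLE_LOG = """\
2006-09-27T16:00:00 alice 00:11:22:33:44:55 ap-res-101
2006-09-27T16:00:10 bob 00:AA:BB:CC:DD:01 ap-res-201
2006-09-27T16:00:05 carol 00:AA:BB:CC:DD:02 ap-res-301
2006-09-27T16:00:30 alice 00:11:22:33:44:55 ap-res-102
2006-09-27T16:00:45 truncated-record
2006-09-27T16:01:00 alice 00:11:22:33:44:55 ap-res-101
2006-09-27T16:01:35 alice 00:11:22:33:44:55 ap-res-103
2006-09-27T16:02:05 alice 00:11:22:33:44:55 ap-res-102
2006-09-27T16:02:10 bob 00:AA:BB:CC:DD:01 ap-res-201
2006-09-27T16:04:10 bob 00:AA:BB:CC:DD:01 ap-res-201
2006-09-27T16:06:10 bob 00:AA:BB:CC:DD:01 ap-res-201
2006-09-27T17:00:05 carol 00:AA:BB:CC:DD:02 ap-res-301
2006-09-27T16:00:00 dave 00:AA:BB:CC:DD:03 ap-res-101
2006-09-27T16:20:00 dave 00:AA:BB:CC:DD:03 ap-res-101
2006-09-27T16:40:00 dave 00:AA:BB:CC:DD:03 ap-res-101
2006-09-27T17:00:00 dave 00:AA:BB:CC:DD:03 ap-res-101
"""


def parse_log(text):
    """Return (events, skipped); malformed lines are counted, not fatal."""
    events, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            skipped += 1
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            skipped += 1
            continue
        events.append((ts, parts[1], parts[2].lower(), parts[3]))
    return events, skipped


def analyse(events, max_median_gap_s=300, min_auths=4):
    """Classify each (user, MAC) station by its re-authentication pattern.

    A station is flagged when it has at least `min_auths` authentications
    and the median gap between them is at most `max_median_gap_s` seconds.
    Both thresholds are assumptions to tune against a site's own baseline.
    """
    per_station = defaultdict(list)
    for ts, user, mac, ap in sorted(events):
        per_station[(user, mac)].append((ts, ap))

    report = {}
    for station, seq in per_station.items():
        pairs = list(zip(seq, seq[1:]))
        gaps = [(b[0] - a[0]).total_seconds() for a, b in pairs]
        switches = sum(1 for a, b in pairs if a[1] != b[1])
        med = median(gaps) if gaps else None
        frequent = len(seq) >= min_auths and med is not None \
            and med <= max_median_gap_s
        if not frequent:
            verdict = "normal"
        elif switches:
            verdict = "oscillating"   # bouncing between different APs
        else:
            verdict = "same-ap"       # repeatedly rejoining one AP
        report[station] = {
            "auths": len(seq),
            "median_gap_s": med,
            "ap_switches": switches,
            "aps": sorted({ap for _, ap in seq}),
            "verdict": verdict,
        }
    return report


def flagged(report):
    """Stations needing attention, busiest first."""
    hits = [(s, r) for s, r in report.items() if r["verdict"] != "normal"]
    return sorted(hits, key=lambda item: -item[1]["auths"])


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {skipped} malformed line(s) skipped")
    for (user, mac), r in flagged(analyse(events)):
        print(f"{user} {mac}: {r['verdict']}, {r['auths']} auths, "
              f"median gap {r['median_gap_s']:.0f}s, APs {r['aps']}")
```

Separating the two verdicts matters for triage: "oscillating" points at client roaming behaviour or overlapping coverage, while "same-ap" points at session timeouts or a client/AP interoperability problem.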


RE: [WIRELESS-LAN] Cisco Wireless network system

2006-09-08 Thread Ruiz, Mike
While 12 users on the AP *SHOULD* not break it, depending on the amount
of traffic being passed, simultaneity of the transmissions, whether
there is any external interference from other devices (being in a 4
channel rotation, rogue AP's, bleed from neighboring AP on overlapping
channel) it is certainly possible.  Looking at an RF clean environment
with all 11g users on an 11g AP the performance declines very very
sharply after 3 users.

I personally had similar issues on older AP's mind with 12-15 users and
had to find alternative solutions.



Michael G Ruiz
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
v 315.781.3711 f 315.781.3409



-Original Message-
From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 07, 2006 4:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Wireless network system

Allen,

If you go to each controller via WCS on the left hand side drop down the
system options.  Under general you will see something called 'aggressive
load balancing'.  This is supposed to solve your problems.  We have not
really tested it, so I cannot say that it works or it does not.
However, I do know 12 users on one of these APs is not enough to break
it.  You should be able to have all the users connect to that AP and not
have any issues.  I would actually prefer for them to connect to the
immediate AP.  The aggressive load balancing feature would be more
useful if someone was running a VOIP solution, where the number of users
per AP drops dramatically.

Thanks.

Jorge Bodden

Frank Bulk wrote:
 Allen:

 There is a load-balancing feature in the controller that you can take
 advantage of, to require, for example, that only 8 users are on each AP.
 The specific details are fuzzy to me (and I couldn't find any detailed
 online documentation), but the options will be obvious once you find the
 configuration screen.  If I remember correctly, there was no percentage
 based load-balancing, that is, the ability of the system to split clients
 among APs based on a percentage basis.

 Regards,

 Frank

 -Original Message-
 From: Allen Matthews [mailto:[EMAIL PROTECTED]
 Sent: Thursday, September 07, 2006 1:03 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Cisco Wireless network system

 I am having a problem of more than 12 users connecting to one access
 point even though there are access points in the next classrooms.

 For example, there are 3 access points, each in a different classroom.
 Access Point A is in classroom 1.  Access Point B is in Classroom 2.
 Access point C is in classroom 3.

 We have 14 laptops in classroom 2 and all are connected to Access point B
 even though AP A and AP C are showing no user connections.  Wireless
 survey shows that a laptop can see 3 access points in classroom 2.

 We are using Cisco LWAPP connecting to 4 4404 wireless LAN controllers
 and the wireless network is monitored by Cisco Wireless Control system
 (WCS). For this case, all 3 APs are connected to the same controller. All 3
 APs are broadcasting the same SSID.

 How do we make a user's laptop connect to another AP? Or make the AP force
 the user to connect to another access point.

   








RE: [WIRELESS-LAN] Meru Question

2006-06-27 Thread Ruiz, Mike








Don,

As a Meru user I can personally tell you that Meru's system does not
negatively impact any other access points unless you put them on overlapping
channels or use the rogue suppression. As far as the bug this is simply not
true, and I can provide more detail regarding this if you want but didn't
want to bore anyone. There are lots of tests here and independent tests to
verify the first. Likewise Meru uses Atheros technology and 100% 802.11
standards compliant client side technology.

My perspective on 802.11n is that Meru is most uniquely positioned to make
11n a workable reality. Forget the fact that they will continue to eliminate
co-channel interference and contention across cells making the bandwidth
promised by 11n a reality. The real core of what makes 11n work is that each
channel uses more bandwidth. Thus in the 2.4GHz space you will essentially
need two of the three available channels to serve 11n. Well if you're using
1 and 6 or 6 and 11 what are you left with for neighboring cells? A
coordinated design that can overlap without interfering will be required
unless another band-aid solution like micro-cells is developed. Or you can
move to the 5GHz space, cut the number of channels in half and then be faced
with all the problems plaguing 802.11g today. It's consistently amazing to
me that vendors tout 11n as a solution when problems like the crash in
available bandwidth when 3 or more users come online remains a reality.

Cheers,
Mike

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges



 











From: Donald R Gallerie [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 3:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Meru Question

Here at the University at Albany, we had Meru come in and give us an
overview on their wireless offering.

From our vantage point, it does appear that Cisco is pushing the
controller-based system so we decided to look at other vendors in this
space. As part of this effort, we asked Cisco to come in and give us an
overview of their offering as if they didn't already have a presence on
campus.

One of the items that came up had to do with Meru's method of distributing
timeframes to clients (don't know if I'm phrasing this correctly). The Cisco
engineers said that Meru's methodology works well in a Meru-only rollout but
that they would negatively impact other, non-Meru access points.
Additionally, they said that there is a bug in the current 802.11b/g
standard that Meru takes advantage of and that it may not be there in future
(802.11n) standards.

Not that I would doubt anything Cisco says but has anyone heard any similar
remarks or can anyone expand on Cisco's claims?

Thanks.

Don Gallerie
The University at Albany






RE: [WIRELESS-LAN] Meru Question

2006-06-27 Thread Ruiz, Mike








Frank,

Any WAP will affect any neighboring AP on the same or overlapping channels.
What are you getting at here?

Mike













From: Frank Bulk [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 6:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meru Question

Don:

Meru's technology does have the potential to impact neighboring APs on the
same channel that are not participating in the Meru-based wireless network,
but that should be an issue for a campus-based network, and I believe there
are some tweaks that can be made to limit their impact on neighboring APs
using the same channel.

As for this 'bug' in the 802.11b/g standard, I would be interested in
hearing your Cisco SE's substantiation for this. If this is real, I would
like this brought to the surface for further scrutiny.

Regards,

Frank









From: Donald R Gallerie [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 2:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Meru Question

Here at the University at Albany, we had Meru come in and give us an
overview on their wireless offering.

From our vantage point, it does appear that Cisco is pushing the
controller-based system so we decided to look at other vendors in this
space. As part of this effort, we asked Cisco to come in and give us an
overview of their offering as if they didn't already have a presence on
campus.

One of the items that came up had to do with Meru's method of distributing
timeframes to clients (don't know if I'm phrasing this correctly). The Cisco
engineers said that Meru's methodology works well in a Meru-only rollout but
that they would negatively impact other, non-Meru access points.
Additionally, they said that there is a bug in the current 802.11b/g
standard that Meru takes advantage of and that it may not be there in future
(802.11n) standards.

Not that I would doubt anything Cisco says but has anyone heard any similar
remarks or can anyone expand on Cisco's claims?

Thanks.

Don Gallerie
The University at Albany


RE: [WIRELESS-LAN] Meru Question

2006-06-27 Thread Ruiz, Mike








Technically you're correct in that Meru could schedule a neighboring AP to
some degree anyway. That said if you have a neighboring AP on the same
channel as Meru you have other problems. Namely your design is flawed. The
thing to do in that case is either move the channel off overlap or lower the
power on the neighboring Meru AP so it doesn't overlap.

This isn't really a Meru issue though. If your overlapping APs were both
Cisco you would be generating collisions between the APs and likely cause
more delays than Meru would as it would be totally unpredictable.

Mike













From: Frank Bulk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 27, 2006 9:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meru Question

Mike:

Meru APs can use virtual carrier sense (see
http://sysnet.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-html/node12.html
for an extreme example) to help manage timing access to the air. By
manipulating the time they are able to make clients and neighboring APs on
the same channel wait longer than they would 'normally'. This can impact
non-Meru neighboring APs on the same channel because they wouldn't have as
quick access to the medium as they would in a traditional 802.11
configuration. Does this match your understanding of Meru's technology?

But you're absolutely right, co-channel interference will do the same thing,
just that Meru's is intentional while co-channel interference is generally
non-intentional.

Regards,

Frank









From: Ruiz, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 27, 2006 7:59 AM
To: [EMAIL PROTECTED]; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: [WIRELESS-LAN] Meru Question

Frank,

Any WAP will affect any neighboring AP on the same or overlapping channels.
What are you getting at here?

Mike













From: Frank Bulk [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 6:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meru Question

Don:

Meru's technology does have the potential to impact neighboring APs on the
same channel that are not participating in the Meru-based wireless network,
but that should be an issue for a campus-based network, and I believe there
are some tweaks that can be made to limit their impact on neighboring APs
using the same channel.

As for this 'bug' in the 802.11b/g standard, I would be interested in
hearing your Cisco SE's substantiation for this. If this is real, I would
like this brought to the surface for further scrutiny.

Regards,

Frank









From: Donald R Gallerie [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 2:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Meru Question

Here at the University at Albany, we had Meru come in and give us an
overview on their wireless offering.

From our vantage point, it does appear that Cisco is pushing the
controller-based system so we decided to look at other vendors in this
space. As part of this effort, we asked Cisco to come in and give us an
overview of their offering as if they didn't already have a presence on
campus.

One of the items that came up had to do with Meru's method of distributing
timeframes to clients (don't know if I'm phrasing this correctly). The Cisco
engineers said that Meru's methodology works well in a Meru-only rollout but
that they would negatively impact other, non-Meru access points.
Additionally, they said that there is a bug in the current 802.11b/g
standard that Meru takes advantage of and that it may not be there in future
(802.11n) standards.

Not that I would doubt anything Cisco says but has anyone heard any similar
remarks or can anyone expand on Cisco's claims?

Thanks.

Don Gallerie
The University at Albany


RE: [WIRELESS-LAN] Extending an external antenna

2006-05-19 Thread Ruiz, Mike








We've successfully used microwave cable for b/g/a for shorter distances, up
to 50' on LMR400 but I'd recommend LMR400 up to only 10', LMR600 up to 50'
or 75'. I've never tried anything that far but a panel antenna and perhaps
LMR900 would be a way to go. An omni will pick up a lot of noise and you
will want to minimize noise especially given the distances. LMR900 will work
up to 6GHz.

Mike

-
Michael Ruiz
Network and Systems Engineer
Hobart and William Smith Colleges











From: Lee Weers [mailto:[EMAIL PROTECTED]
Sent: Friday, May 19, 2006 11:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Extending an external antenna

We have a situation in which we need to cover our baseball and softball
fields wirelessly. There is currently no infrastructure there. What we are
looking to do is put a high gain antenna on the football stadium's
scoreboard. There is a conduit that we can run some coax through out to the
scoreboard. My question is this:

1. Can you extend an antenna from an AP 250 ft? (That's how long it is to
   the scoreboard)
2. What kind of coax do we need to use to do a/b/g?

We would like to mount the ap inside of the building and then just extend
the external antenna to the scoreboard.

Thank you,

Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675







RE: [WIRELESS-LAN] Meru question

2006-03-28 Thread Ruiz, Mike
Lee,
While it may seem I'm a bit of a Meru junkie of late it's because
I've been so impressed by their system.  Having just participated in the 2nd
Western NY Meru Users group this past week I can tell you that aside from
some occasional work to make various 802.1x supplicants and various RADIUS
servers interoperate I haven't heard of a single Meru rollout issue that
wasn't overcome.  
We are running over 200 access points now in a data environment with
the only issues we see being caused by old wireless drivers on clients at
this stage.  Some bugs we ran into were fixed early on in the 3.0 code (such
as a situation where only 128 802.1x clients could authenticate, or where
rogue AP mitigation was taking too much airtime).
While I'm not in a mixed voice-data environment I've seen the test
results and know of too many clients doing just that.  This sounds like FUD
to me because it is what the Meru system was designed to excel at.  While
there are limits to bandwidth in any system, proper architecture and
planning can solve most issues.  These issues are more easily planned for
with Meru.

I would be happy to discuss the Meru architecture and strategy from
an end-user perspective with anyone who may be interested.

Cheers,
Mike

-
Michael Ruiz
Network and Systems Engineer
Hobart and William Smith Colleges
[EMAIL PROTECTED]
V315-781-3711


-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 28, 2006 8:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Meru question

I recently entertained one of the leading wireless vendors, and the topic of
Meru came up. I mentioned that it seemed Meru had a growing fan club, and
this vendor's engineer said that there are a lot of horror stories with Meru
rollouts as well. It was presented that Meru's unique approach works quite
well with voice-only deployments, but often falters where voice and data are
mixed in the WLAN. So- in the name of figuring out fact from fiction-
wondering if anyone can bear this out one way or the other. (I will be
visiting with Meru soon, will ask them directly as well.)


Be happy to take responses off the list if it's more appropriate.

Regards-

Lee

Lee Badman
Network Engineer
CWNA, CWSP
Information Technology and Services
(Formerly Computing and Media Services)
Syracuse University
(315) 443-3003
[EMAIL PROTECTED]



RE: [WIRELESS-LAN] WIRELESS-LAN Digest [Another RADIUS Question (802.1x)]

2006-03-24 Thread Ruiz, Mike
Forgive me if this is redundant but I lost track of this thread.  However Apple 
has acknowledged a bug in the 10.4.5 802.1x implementation and is currently in 
beta with 10.4.6 that solves it.  
 
-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
P.315-781-3711  F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
 
 
Did you know that HWS Students, Faculty, Staff, Alums, etc
can purchase computers, accessories, electronics and software
at a discount through our partner CDW-G?  
http://www.cdwg.com/hws/
-
 



From: Chris Hessing [mailto:[EMAIL PROTECTED]
Sent: Fri 3/24/2006 7:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest [Another RADIUS Question 
(802.1x)]



On Fri, 2006-03-24 at 09:20 -0500, Earl Barfield wrote:
  Date:Thu, 23 Mar 2006 15:33:20 -0500
  From:Keith Moores [EMAIL PROTECTED]
  Subject: Re: WIRELESS-LAN [Another RADIUS Question (802.1x)]
 
  We are running 12.3(4)JA...  but we also run 12.2(15)XR2 on our older 
  350 APs, we haven't had a problem with Apple clients before.
 
  The problem we are having only occurs with the MacBook Pro's AirPort 
  Extreme card (it's probably an Intel wireless chipset), not the 
  original AirPort Extreme card (Broadcom chipset) that the PowerPC 
  Macs use.  The problem only appears for networks using 802.1X WEP 
  encryption, no encryption or WPA (802.1X TKIP) work fine for the 
  MacBook Pro.
 
  Our APs encrypted VLAN accepts the following Authentication methods:
  -Open Authentication + EAP
  -Network EAP


 This sounds suspiciously similar to our Apple problems with 12.3(4)JA.
 I dug up the email from our Cisco engineer that put us on the right
 path.  I'd suggest that you try IOS 12.3(7)JA2 and see if the problem
 persists.

 Email from Cisco (8-15-05):
 
  I found that you have run into bug CSCei12722 in version 12.3.4(JA)
 
  That bug has been resolved in version 12.3.7(JA).  Please upgrade the
  IOS on the AP and you should be fine.  Also, I have  verified 3 other
  TAC SRs that have the exact same issue with the exact same wireless
  adapters.  So my confidence level is high for this fix.

A bit more info on the MacBook issue.  The chipset that is used in the
MacBooks is an Atheros a/b/g chipset.  The problem that you are seeing
is that when using dynamic WEP, there is an error returned when the Mac
OS X supplicant attempts to push the WEP key down to the card.  You can
verify this by turning on the debug mode for the supplicant in OS X and
looking at the tail end of the output that is generated.  (I think I
have a copy of the relevant output if anyone wants to see it.)

Interestingly enough, setting WEP keys when using WPA1 or WPA2 doesn't
have a problem.  Without having access to the API, I suspect this is
because many operating systems have different API calls that are used to
set WEP keys when dynamic WEP is in use, versus API calls that are used
to set WEP keys when WPA is in use.  This is usually due to some
differences in the mechanics of WPA and WEP.  (I can go in to more
detail if anyone cares. ;)









RE: [WIRELESS-LAN] Wireless encryption

2006-02-03 Thread Ruiz, Mike








We're still using 802.1x to distribute WEP keys. It's not that bad from a
security perspective really, far from ideal granted. While it's getting to
the point that WEP can be cracked faster it still takes a fairly significant
number of packets. If someone really wants to crack it and they succeed they
only succeed for that one user. Even if they succeed they are likely to find
that most critical information is already encrypted anyway (Kerberos logins,
HTTP over SSL, etc). We do plan on moving toward WPA or WPA2 at some point
but it was a bit of work to get everyone on 802.1x over the past 4 years so
it is a nice spot to rest for a bit.

Mike

Michael Ruiz
Network and Systems Engineer, ESSE ACP A+
Hobart and William Smith Colleges
1-315-781-3711
[EMAIL PROTECTED]
Monday to Friday, 08:30 A.M. - 05:00 P.M. ET

All support inquiries should be initiated with the IT Services Helpdesk at
1-315-781-4357 or on campus x4357
[EMAIL PROTECTED] or http://www.hws.edu/itservices











From: Frank Bulk [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 9:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless encryption

WEP keys can be distributed via dynamic WEP in conjunction with 802.1X is
also possible, but I wouldn't recommend it.

Frank









From: Tillman, Don [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 8:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless encryption

Anthony,

We have the Aruba system too, utilizing WPA-TKIP, which authenticates users
on the AD via Microsoft's IAS. We decided to use WPA-TKIP primarily because
TKIP handles key creation as well as the interval key changes. WPA-PSK is
more secure than WEP but you still have the overhead of distributing the
PSK; like you would a WEP key. Sure this process could be automated, but if
the key is intercepted, it must be changed to maintain the integrity of your
network.

Don













From: Anthony R. Rosario [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 9:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless encryption

Hello all,

Currently we have the Aruba wireless solution at our facility with a
combination of the AP60s and 70s and we are considering using WPA-TKIP or
WPA-PSK encryption. I am curious to know if any of you have deployed WPA
encryption at an enterprise level and if so how were the encryption keys
distributed to the end-users?

Anthony R. Rosario
Network Technician
Fordham University
Dealy Hall, B-14
718-817-3774

RE: [WIRELESS-LAN] Wireless Newbie

2006-02-03 Thread Ruiz, Mike
Jake,
You're asking the right questions and clearly you've hit the
same stumbling block most of us have.  My answer to you would be that it
depends on your environment.  There are plenty of examples of places
that let the WiFi be clear and authenticate folks at a gateway of some
sort, or even at the wired port on a smart network.  Some of those
solutions offer encryption, some use VPN to provide authentication and
encryption.  Some only do authentication as most of their traffic (or
important traffic) is encrypted.  

It's a matter of what works best for you and what your risk
aversion is.  For example with unencrypted wireless and no other
encryption and some simple authentication (i.e. once per session web
portal only) you may be more vulnerable to someone pretending to be one
of your wireless clients in a man in the middle type scenario.  But how
likely is this really...

We've chosen currently to have Clean Access running in an out of
band solution to provide a database of MAC addresses that we know are
safe.  It provides also captive portal and ACL for our Guest Wireless.
Right now the Wired network relies on MAC authentication and our
wireless relies on 802.1x for user and computer authentication.
Wireless will eventually do a MAC lookup as well.  

Mike

Michael Ruiz
Network and Systems Engineer, ESSE ACP A+
Hobart and William Smith Colleges
-Original Message-
From: Barros, Jacob [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 03, 2006 9:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Newbie

I am having trouble making two technology concepts mesh.  We are looking
at implementing Bradford Campus Manager and at the same time considering
Aruba...  speaking of encryption.   So my question is two fold...  Do
those of you that are using a solution like Aruba's or Bluesocket's have
a Campus Manager, Clean Access solution or SafeConnect solution?  If so,
is there really a point in requiring authentication for wireless? 

Jake Barros
Grace College


RE: [WIRELESS-LAN] Wireless diagnostic PDAs?

2006-01-25 Thread Ruiz, Mike
We've found MiniStumbler from NetStumbler to be a good tool for basic
status; however, many PDAs have significantly lower power wireless NICs
than laptops or VoWLAN phones.  This can change the usable area compared
to a NetStumbler unit.

Fortunately some PDAs that offer external wireless via CF or PCMCIA
offer power controls.  But at 100mW you can really drain a PDA battery.

Mike

Michael Ruiz
Network and Systems Engineer, ESSE ACP A+
Hobart and William Smith Colleges
-Original Message-
From: David Gillett [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 25, 2006 12:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless diagnostic PDAs?

  We've been deploying a handful of hotspots, but we're about to
begin rolling out ubiquitous b/g coverage (with a reserved for 
hotspots with special needs).
  To support this, we want to start equipping our techs with
wireless PDAs with which to quickly and easily determine the
status of wireless service at their location.

  I've been using Kismet on a Sharp Zaurus, but its chipset
support so far limits me to b only, and both the Zaurus 5500/5600
models and the LinkSys WCF12 have been superseded, so I don't
think that's the right direction.  I've been happy with the
level of detail that NetStumbler shows, but a laptop is more
device than we really want to require.

  So:  I'm looking for recommendations of a PDA/wireless/software
combo that will provide about the same level of detail as 
NetStumbler for at least b/g, and preferably also a.
  Are you using something like this?

David Gillett


RE: [WIRELESS-LAN] Follow-Up to Rouge AP detection in Dorms....

2006-01-05 Thread Ruiz, Mike
Brad,
It's exceptionally unfortunate that vendors do this.  I am very
fond of telling vendors that Colleges and Universities all talk to each
other and a bad experience is a shared experience.  Thus I think we
should name the vendors that practice these poor sales procedures and
perhaps even the sales person so we can react as a whole when the calls
come in.  

On your question, I have to say we have been very pleased with
the rogue detection and rogue mitigation built into the Meru system.
Also we have often contemplated enforcing our single device per port
policy using either port based MAC locking (built into our Enterasys
network switches) or through our Clean Access implementation.  Since we
use CCA out of band it may be both that are needed.

Mike

-
Mike Ruiz
Hobart and William Smith Colleges
Network and Systems Engineer


-Original Message-
From: Bradford Saul [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 05, 2006 10:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Follow-Up to Rouge AP detection in Dorms

Just a note to all the vendors out there that participate in this listserv

First I am sure I am not the first person this has happened to but when a
question is posted to the listserv the expected response is from other
companies/institutions real world experience with products/techniques they
are implementing.  Not a call for responses and inquiries from vendors.

Since I posted my question yesterday I have received 3 phone calls and two
e-mail messages from prospective vendors.  I was looking for sage advice
from other institutions that are having the same problems and hopefully find
a solution.

Again thanks for your participation in the listserv as you add a valuable
component to the list, but please do not use this listserv as an initial
potential sales contact list.

Brad 
---
Bradford B. Saul
Lead Network Engineer
IT - Network Engineering
Hoffman Hall Room 10
MSC 0601
James Madison University
Harrisonburg, VA 22807
V: (540) 568-2379
F: (540) 568-1696
M: (540) 435-3079
[EMAIL PROTECTED]


RE: [WIRELESS-LAN] Cisco clean access and wireless

2005-12-19 Thread Ruiz, Mike
True, the out of band solution is cisco only which is a shame as it
could easily be multi-vendor if they used a radius proxy on it and let
switches do port mac authentication against it. 

We are porting info out of the CCA database using psql into our LDAP
directory then using Port MAC auth against that thus taking registered
people out of line with the CCA system.

Michael Ruiz
Network and Systems Engineer, ESSE ACP A+
Hobart and William Smith Colleges
-Original Message-
From: Christopher Cook [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 19, 2005 1:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco clean access and wireless

As Dan pointed out, that's only for the Out-of-Band solution.  We  
currently run the in-band solution and have different switch vendors  
that sit behind the CCA Server with multiple VLANS.

Christopher Cook
Network Engineer
Oakland University
[EMAIL PROTECTED]


On Dec 19, 2005, at 12:46 PM, William Paraska wrote:

 If you are referring to the Perfigo product that they just
 purchased, yes, it is restricted to use within a heterogenous CISCO
 environment only.  Bummer as we liked the Perfigo product but can't
 be held hostage by a CISCO only architecture.

 Bill Paraska
 Director, University Computing and Communications
 Information Systems and Technology

 (404) 651-0881

 [EMAIL PROTECTED] 12/19/05 12:26 PM 
 Has anyone heard anything about Cisco making clean access only
 available in their switch gear for wireless and wired architectures. We currently
 run CCA on several servers through which we send VLANS associated with our
 wireless and wired nets. We don't use Cisco switches in our backbone so
 this would concern me.

 Thanks

 Mark McNeil
 Director of Network Services/CIMS
 Fordham University
 718-817-3763


RE: [WIRELESS-LAN] BSOD on Wireless Network

2005-12-14 Thread Ruiz, Mike

Clean Access is not supported on some OSes,
like XP Tablet, etc. We had this happen with CCA 3.5.5 on XP Home too.

Michael Ruiz
Network and Systems Engineer, ESSE ACP A+
Hobart and William Smith Colleges
1-315-781-3711
[EMAIL PROTECTED]
Monday to Friday, 08:30 A.M. - 05:00 P.M. ET

All support inquiries should be initiated with the
IT Services Helpdesk at 1-315-781-4357 or on campus x4357
[EMAIL PROTECTED] or http://www.hws.edu/itservices

From: Eric Morgenroth [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 10:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] BSOD on Wireless Network

We have recently installed the cisco airespace product
at one of our locations. For a while everything was working fine. Recently
at one of the locations numerous users are getting blue screens of death while
using the wireless network. I would say it's about 3% of the population. We
are also using Cisco clean access on this segment as well. In any other
location, users do not get this BSOD.

The error is as follows:

Driver_IRQL_Not Less_or_Equal

Tech Info:
NDIS.SYS

If anyone has seen these issues, or may be able to give some insight on why this
is happening, that would be great. Thanks in advance.

Eric Morgenroth
[EMAIL PROTECTED]
917.335.5477


RE: [WIRELESS-LAN] wireless authentication for Macintosh

2005-12-08 Thread Ruiz, Mike
We are using 802.1x PEAP authentication for our Macintosh clients.  It works in 
10.3 and 10.4 pretty well.  We have successfully used it in earlier versions but 
it is trickier.  We have also used TLS but the digital certs can be tricky.   
Self-signed certs can also be tricky.

We have often seen issues with OS X, 10.everything, with PPTP VPN.  It often 
works perfectly fine in one minor rev, then not in the next, and so on.
 
Mike
 
-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
P.315-781-3711  F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
 
 
Did you know that HWS Students, Faculty, Staff, Alums, etc
can purchase computers, accessories, electronics and software
at a discount through our partner CDW-G?  
http://www.cdwg.com/hws/
-
 



From: Jeffrey LeMay [mailto:[EMAIL PROTECTED]
Sent: Thu 12/8/2005 1:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wireless authentication for Macintosh



I am interested in knowing how other academic institutions authenticate their
wireless users, particularly for Macintosh clients.

At Ithaca College, we currently require wireless users to authenticate via an
SSL VPN device (firepass from F5 Networks).  This allows us to see who is using
the wireless network (via the logs) and provides a level of security for the
users as well.  This solution works very well for Windows clients but Macintosh
clients have experienced a number of problems.  We have been working with F5's
technical support on the Mac problems for quite some time.

Is there an alternative that we could look at?  Do other institutions support
SSL VPN for Macintosh clients?


RE: [WIRELESS-LAN] Issue with RF collision Domains

2005-11-17 Thread Ruiz, Mike
I would have to agree with Chuck in that
microcells often don't have the best cost to quality/performance ratio.
The whole power tuning issue is also a sticking point for me, especially the
dynamic cell sizing. It's very easy for someone to alter the cell sizes with
rogue devices or ad-hoc devices if the system can't lock it
down. It's also easy as you scale out to create dead zones so
resurveying with each added AP after the initial plan is wise. I also know of
no solution for dynamically controlling the client power levels.

While it is true that no matter what you
do there is limited bandwidth, channel overlap, etc. these issues are precisely
what drove us to the Meru solution. I believe that Cisco's AP
aggregation uses a central controller MAC which further limits available
bandwidth. Someone else can likely post more info on that.

Mike

Michael Ruiz
Network and Systems Engineer, ESSE ACP A+
Hobart and William Smith Colleges
1-315-781-3711
[EMAIL PROTECTED]
Monday to Friday, 08:30 A.M. - 05:00 P.M. ET

All support inquiries should be initiated with the
IT Services Helpdesk at 1-315-781-4357 or on campus x4357
[EMAIL PROTECTED] or http://www.hws.edu/itservices

From: Enfield, Chuck [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 17, 2005 2:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Issue with RF collision Domains

It's correct that some of the Cisco APs
can do this, but the client card must support Cisco's Aeronet
Extensions. There are quite a few cards that do this, but many of Cisco's
major competitors in the WLAN industry aren't interested in becoming
Cisco Compatible for obvious reasons. I'm not aware of
any standards based means of client power control, but would love to find
one. I've thought about setting the access point to a regulatory
domain that operates within FCC rules but at a lower maximum power,
thereby using 802.11d features to reduce client transmit
levels. I haven't looked for such a regulatory domain yet
and there's a good chance that no suitable one exists.

It's not quite fair to say you won't gain
a thing by turning down your AP power. Typically, the AP does more
talking than the clients. The extent to which that's true varies by the
type of use, but I'm not aware of any cases where clients transmit more than
the AP. Also, clients typically have smaller collision domains than do
APs even when the output power is the same due to being only 2 or 3 feet above
the floor. If your analysis leads you to believe you would benefit
considerably from a little more aggregate bandwidth, a microcell type of design
strategy may be in order. It's good to be aware, however, that a modest
performance increase can require a large cost increase and there's a finite bandwidth
limit regardless how much cash you're willing to spend. My opinion is
microcells rarely provide good bang for the buck.

Chuck Enfield
Sr. Communications Engineer
PSU, Information Technology Services
Suite 110, University Support Bldg. 2
University Park, PA 16802
ph. (814) 863-8715
fx. (814) 865-3988

-Original Message-
From: M. Sjulstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 17, 2005 12:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Issue with RF collision Domains

I believe you can limit the client's transmit power with AP's... at least with cisco 1220
g radios. I do this in at least one situation where I have secure
administrative wireless network within an environment where most of the building
is an academic and open wireless network.

MS

_
M. Sjulstad
Network/Electronics Engineer - IIT Dept.
St. Olaf College
Northfield, MN 55057
_
1-507-646-3835
[EMAIL PROTECTED]
www.stolaf.edu/people/sjulstad

On Nov 17, 2005, at 11:28 AM, Stephen Holland wrote:



Hello my Name is Stephen Holland and I am from Northeastern University.
Glad to be part of the list.

I am struggling with the whole concept of the microcell.

For example I have three classrooms side by side end to end distance of 100
feet. Each classroom has 40 users. I have been asked to size at 20 users
per AP.

--100 feet-
| | | | |
| 1 | 2 | 3 | 50 Feet
| (1) | (6) | (11) | |

I could cover the three classrooms with AP's set to channels 1,6,11 but
that would give me a density of 40 users per AP. I could add more AP's to
bring up the density but I question whether I will gain anything by doing
so. Well you can adjust the transmit power to limit the cell size you
can't adjust the client power level. If you have a transmit level of 0dBM
on the AP and a client power level of 15dBM the client is going to be heard
a lot further. Assuming I could knock down the transmit power enough to
cover a single classroom(unlikely!) I still have client issues. If a client


RE: [WIRELESS-LAN] WIRELESS-LAN Digest - 8 Nov 2005 to 9 Nov 2005 (#2005-111)

2005-11-12 Thread Ruiz, Mike
B/G Poisoning was one of the main reasons we went with the Meru Networks 
solution.  By dedicating timeslices to b in a mixed mode 11g environment they 
are able to minimize the performance hit and provide better than average 
service to both the b and g customers.  I think there was some information on 
that in the papers I sent out earlier, if not the Meru Website 
(www.merunetworks.com) has info on it I believe.
 
Best,
Mike
 
-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
 
P.315-781-3711  F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
 
 
Did you know that HWS Students, Faculty, Staff, Alums, etc
can purchase computers, accessories, electronics and software
at a discount through our partner CDW-G?  
http://www.cdwg.com/hws/
-
 



From: Landry, Michael [mailto:[EMAIL PROTECTED]
Sent: Sat 11/12/2005 12:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 8 Nov 2005 to 9 Nov 2005 (#2005-111)



I just came back from Aruba Networks' AirHeads conference, and they are
recommending to customers to do the exact opposite: run your data on
802.11a and voice on 802.11g. This way, you get 54mb speed for your
data, and by using only 802.11g phones for voice, you'll get the full
54mb all the time.

Remember that as soon as one B client associates to a G access
point, it cuts all throughput in half or more. If you only have G
phones, and don't allow B connections, you end up with two networks
with full bandwidth.

I'm not sure I explained that clearly, it's late and I just flew in.

Michael

-Original Message-
From: Frank Bulk [mailto:[EMAIL PROTECTED]
Sent: Friday, November 11, 2005 1:50 PM
Subject: Re: WIRELESS-LAN Digest - 8 Nov 2005 to 9 Nov 2005 (#2005-111)

A significant point to make is that with using the 5 GHz frequencies you
have at least 8 channels, if not more, to work with.  That helps with the
co-channel interference.  With the additional 200+ MHz that the FCC added,
and the upper UNII, it's possible to have many more channels.  Another
reason to seriously consider 802.11a for data deployments, and 802.11 b/g
for voice.

Frank

-Original Message-
From: Ruiz, Mike [mailto:[EMAIL PROTECTED]
Sent: Friday, November 11, 2005 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 8 Nov 2005 to 9 Nov 2005 (#2005-111)

I am attaching a couple of white papers from meru and also here is a link to
info on a pretty dense deployment at Northern Michigan University.  Hope
this helps a little bit.

http://www.merunetworks.com/pdf/northern_mich_SS4-1005.pdf


Mike

-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services

P.315-781-3711  F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])


Did you know that HWS Students, Faculty, Staff, Alums, etc can purchase
computers, accessories, electronics and software at a discount through our
partner CDW-G?
http://www.cdwg.com/hws/
-




From: ssl [mailto:[EMAIL PROTECTED]
Sent: Thu 11/10/2005 3:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 8 Nov 2005 to 9 Nov 2005 (#2005-111)



 Michael Griego [EMAIL PROTECTED] wrote:


... the Meru Virtual AP architecture.  The controllers in these systems

keep track of every 802.11 device each AP can hear and employ a pretty
darn impressive scheduling algorithm for getting the most out of the
available channel capacity.  Not only that, but they actually control
when clients are allowed to transmit, further removing unknowns from
the RF use equations and improving channel usage and capacity.  I
believe they do this using the PCF, or Point Coordination Function, in
the 802.11 spec...
--Mike

---

Is anyone aware of a white paper or any literature which explains in some
detail how this works?
We are looking at a test install of Meru at the UA, and are exploring dense
installations in some areas

-
Shanna Leonard
AHS Library, Univ of Arizona


RE: [WIRELESS-LAN] Wireless-only Dorms?

2005-11-09 Thread Ruiz, Mike
We have indeed reviewed both products.  Currently we are a Meru user
with nearly 150 AP's online.  Since then we continue to monitor what
similar technologies are emerging.

In essence they are both similar, however there are key differences.  

The key differences are:
   The Extricom product doesn't operate at a full 100mW of power as most
vendors, they run at 17dB according to their spec sheet.  
It also appears that the Extricom APs must connect directly to their
switch and that they don't have seamless roaming from one switch to the
next.  *this is one where clarification is needed but based on their
sheets and what I read from other sources*
I am looking to find out if their switch operates as a centralized
mac, it is a common solution for people trying to execute this
architecture but would mean that all ap on a single switch would share
bandwidth.

We have been quite pleased with Meru from a user density and bandwidth
perspective.

Mike


Mike Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges


-Original Message-
From: Jamie A. Stapleton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 09, 2005 12:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless-only Dorms?

I believe that http://www.extricom.com/ does almost the same thing that
Meru does.  Has anyone compared/contrasted the two?

Jamie A. Stapleton
CBSi - Connecting your problems with solutions.
FlexiCall:  (804) 412-1601
Facsimile:  (804) 412-1611

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 09, 2005 12:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless-only Dorms?

All of the issues listed here are great examples of the complex nature
of designing an 802.11 environment with such stringent requirements.  
With only 3 channels, even if you plan very carefully and precisely
control the output power of your APs, you're going to get channel
overlap.  This will further reduce your capacity due to the inherent
collisions/retransmissions.  Especially when you factor in the client
devices.  A client device transmitting on a channel will force any other
device operating on the same channel that can hear it (APs included of
course) to wait on it to complete its transmission before it can
commence.  So, you have to realize that, even though 2 APs may not be
able to hear each other, a client card between them that can hear both
of them will tie up available bandwidth on BOTH APs while it is
transmitting.  Further complicating matters is a situation where two
clients connected to two different APs on the same channel can hear each
other but not both APs.  In such a circumstance, client 1 and the AP 2
(the AP  client 2 is connected) may transmit simultaneously.  When this
happens the signals will interfere with each other upon reaching client
2, causing client 2 to be unable to decode the packet, forcing AP 2 to
retransmit the packet.

Complicated indeed!  Guaranteeing signal strength and bandwidth allotments
is extremely difficult.  And, this totally ignores the problems inherent
with outside interference or the fact that the environment (bookshelves,
etc) change on a regular basis, possibly forcing you to revisit your
ever-so-finely-tuned RF plan.  Interestingly enough, all these issues
are also extremely relevant if you're interested in looking to deploy
any sort of VoIP/WiFi (VoFi).

I'd suggest that, if you're truly interested in providing
coverage/bandwidth that takes a lot of these issues into account, you
might want to take a look at the Meru Virtual AP architecture.  The
controllers in these systems keep track of every 802.11 device each AP
can hear and employ a pretty darn impressive scheduling algorithm for
getting the most out of the available channel capacity.  Not only that,
but they actually control when clients are allowed to transmit, further
removing unknowns from the RF use equations and improving channel usage
and capacity.  I believe they do this using the PCF, or Point
Coordination Function, in the 802.11 spec...  I've not seen any other
wireless switch system that makes use of it near to the level that the
Meru system does.  It's pretty cool.  We're in the process of deploying
Meru as our second generation wireless overlay here at UTD, mainly to
decrease the need for complex channel planning, individual AP
configuration, and to support a future VoFi implementation.

--Mike


Phil Raymond wrote:
 If someone forced me to assign a rule of thumb at this high level, I 
 would assign a conservative data rate of 1 Mbps to each student as a 
 requirement. For an 802.11g ONLY network running at the highest data 
 rate (aka strongest signal) using enterprise class AP's (data thruput 
 does vary between AP vendors, be careful here), you should expect to 
 get 15-20 Mbps of upper layer thruput per AP. That would yield 15-20 
 students per AP. For 802.11a, this will probably hold. 
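
The two co-channel cases Michael Griego describes in the quoted post (a client between two APs that cannot hear each other, and client 1 colliding with AP 2 at client 2) can be checked with a small carrier-sense model. This is an added example, not part of any post in the thread; the node names, corridor positions and the 30 m hearing range are assumptions.

```python
"""Hidden-node model for same-channel 802.11 cells (constructed data)."""
from itertools import combinations

HEARING_RANGE = 30.0  # assumed distance in metres at which a frame is detected

# name -> (kind, position along a corridor in metres, associated AP)
# Case 1: two APs out of range of each other, one client between them.
TOPOLOGY_SHARED_CLIENT = {
    "ap1": ("ap", 0.0, None),
    "ap2": ("ap", 50.0, None),
    "client": ("sta", 25.0, "ap1"),
}

# Case 2: the clients hear each other, but each hears only its own AP.
TOPOLOGY_TWO_CLIENTS = {
    "ap1": ("ap", 0.0, None),
    "client1": ("sta", 20.0, "ap1"),
    "client2": ("sta", 45.0, "ap2"),
    "ap2": ("ap", 70.0, None),
}


def hears(topo, a, b):
    """True if a and b are distinct nodes within carrier-sense range."""
    return a != b and abs(topo[a][1] - topo[b][1]) <= HEARING_RANGE


def receivers(topo, tx):
    """Nodes that tx sends frames to: its AP, or its associated clients."""
    kind, _, assoc = topo[tx]
    if kind == "sta":
        return {assoc}
    return {n for n, (k, _, ap) in topo.items() if k == "sta" and ap == tx}


def aps_blocked_by(topo, tx):
    """APs that sense tx on the air and must defer, losing airtime."""
    return {n for n, (k, _, _) in topo.items()
            if k == "ap" and hears(topo, n, tx)}


def hidden_collisions(topo):
    """(sender, interferer, victim) triples where carrier sense cannot help.

    The sender and interferer cannot hear each other, so both may transmit
    at once; the victim is the sender's receiver and hears both signals.
    """
    found = []
    for a, b in combinations(sorted(topo), 2):
        if hears(topo, a, b):
            continue  # they sense each other, so one defers
        for sender, interferer in ((a, b), (b, a)):
            for victim in receivers(topo, sender):
                if hears(topo, victim, sender) and hears(topo, victim, interferer):
                    found.append((sender, interferer, victim))
    return sorted(found)


if __name__ == "__main__":
    print("case 1, APs deferring to the client:",
          sorted(aps_blocked_by(TOPOLOGY_SHARED_CLIENT, "client")))
    for sender, interferer, victim in hidden_collisions(TOPOLOGY_TWO_CLIENTS):
        print(f"case 2: {sender} -> {victim} can be corrupted by {interferer}")
```

Case 2 reports two triples because the layout is symmetric: AP 1's frames to client 1 are exposed to client 2 in the same way that AP 2's frames to client 2 are exposed to client 1.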

RE: [WIRELESS-LAN] Meru vs. Cisco (airespace)

2005-08-25 Thread Ruiz, Mike
Debbie and All:

We experienced much the same results you saw during our testing with
meru last winter and since then we have nearly 130 AP's rolled out with
plans headed into the 300-400 to serve our 101 buildings.  In some
buildings we have high user and/or AP density and in others we don't.
In all a nice mix to say that the system works as promised and as
tested.  We did see a couple issues with high densities of AP in a small
space but the issue was really with the early 9.0 Centrino drivers NOT
meru.  

The single channeling simply made our summer roll out project go
immensely smoother than expected but the time based algorithm is really
the crown-jewel.  We are supporting classrooms not supportable on
traditional wireless due to user density (i.e. more than 20 users).
With both these we are easily prepared for upgrades where we have a
200-300 person auditorium currently served by 1 ap to multiple meru
ap208s to handle the user density as more students start bringing
laptops.

The Meru system is really a wireless system. For security ACL's you must
rely on your switches/routers.  Their captive portal is nice and quite
handy which we used out of the box but now we serve those users via
Cisco Clean Access through Meru (the only inline services we provide
using CCA).  We serve WEP, and 802.1x using meru and Microsoft IAS
RADIUS.

If you would like to know any more about our Meru experience feel free
to email me.


Mike

-
Michael Ruiz (ESSE, ACP, A+)
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
[EMAIL PROTECTED]


-Original Message-
From: debbie fligor [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 25, 2005 3:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Meru vs. Cisco (airespace)

We just finished bringing in both vendors for a 1-week test, 
including getting a number of laptops in a lecture hall and seeing 
what issues arose.   This was all production equipment and nothing is 
under NDA to the best of my knowledge.

Here's the things we looked at and what we found, I'm wondering if 
this is what other people that used either product found as well in 
terms of strengths and weaknesses.  Also, those of you using Meru, 
how big is your user base? we're looking to go from wireless in ~ 50 
of 350 buildings to wireless in 200 of them in the next few years 
(this is a big part of the reason we want to move to central control 
from the stand alone Cisco 1232's we have now).

I'm interested in experiences either similar or different than what 
we saw to get a feel for how well our tests represented real life. 
Thanks!

Equipment:
Meru AP 208s (a/b/g) and 1015 controller, with their current beta code
Cisco: 2 Airespace 4016 controller and AP? (a/b/g), and WCS software, 
all with their current production load.
(I didn't think to get software versions)


The 3 lists below were supplied to the vendor, as well as a JPEG that 
included the test room. We used the same room for each vendor.

-
Testing Goals:

1. Demonstrate no-configure (or extremely easy, commodity) AP install.
2. Demonstrate all-on-one-channel self configuring features. [Meru only]
3. Demonstrate capability of providing service to 100 (or other large 
N) users in a classroom at once
4. Demonstrate rogue detection while still providing service to mobile users
5. Demonstrate internal security features, including firewall rules 
that mirror ours (full access to campus vpn server) and captive 
portal feature.
6. Demonstrate standard bridged AP mode using our normal wireless vlan.
7. Demonstrate database/inventory features (ie, all the stuff wmon does)
8. Demonstrate roaming with no noticeable lag to client

Testing itself:

Pre:
1. CITES identifies a large classroom that can be used for testing. 
CITES identifies a group of users who can bring wireless devices for 
test (sitecons, housing students, general invite?)
2. CITES communicates to Vendor networking details, such as radius 
server for captive portal solution, vpn server solution, etc.
3. Vendor communicates needs for back end gear to power Vendor 
hardware, such as controllers or management stations.
4. Cites & Vendor to plan out networking scenarios.
5. Cites to create subnets & vlans to support test.

Test window:

1. Vendor to be given  access to the install locations, both the 
server/support gear and the test classroom(s).
2. Vendor to do install. Cites person to watch, make notes on whether 
they make it look easy. Seriously.
3. Day of big test, get everyone we can grab with a wireless 
connection over there. See how well the network performs with as many 
people on it as we can.
3a. Everyone using bridged mode APs, using normal Cites UIUCnet
Wireless.
3b. Rougher test, everyone using total Vendor security solution. 
Vendor serving as router, permitting access to VPN servers, running 
access via their captive portal and our radius server.
4. Day of big test, CITES brings in a rogue ap, with some 

RE: [WIRELESS-LAN] Peap info

2005-06-24 Thread Ruiz, Mike
The machine account authentication does work on IAS for machines joined
to the Windows Domain as they have the accounts to authenticate against
in AD.

However keep in mind the default behavior of the MS WinXP supplicant
authenticates as the machine (when the box is checked) and starts a
timer.  I believe it is for 30 seconds and if a user hasn't authenticated
in that time it de-authenticates.  

It is possible in the registry to change the default behavior of the
supplicant to *Default Machine w/Timer and User; Machine Only; User
Only; Machine with no timer and User if provided.

Mike

-
Michael Ruiz
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services

-Original Message-
From: King, Michael [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 24, 2005 4:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Peap info

 

> -Original Message-
> From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 24, 2005 3:59 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Peap info
>
> The students were unable to log on to the laptop
> since their credentials were not cached.  We used the
> Meetinghouse client to authenticate with AD during the boot
> up process as a workaround.

The feature you were looking for was 

Below the box where you select PEAP or Smartcard, there is a check box
marked "Authenticate as a computer when computer information is available"

I'm not sure how to set it up on IAS, but on Steel Belted Radius it was
Allow Machine Accounts.

Then the Computer account in Active Directory will provide network
access, until the user logs in, then the user credentials will replace
it during the logon process.
There is also a registry key that controls this, so you can always use
the machine account if you want to.



RE: [WIRELESS-LAN] MERU networks questions

2005-04-06 Thread Ruiz, Mike
Thanks Kevin for a great discussion on this. I think that this is what
makes this list so great.

I have a real mix of deployment types.  In some places we have deployed
for coverage and in some such as dense classrooms we have deployed for
density.  In the dense locations we have looked at using more than one
channel and also possibly using the high-density setting on the AP.  We
have not seen the bandwidth loss to the degree you have but our overlap
hasn't been at real high signal strengths.  The strength of the
overlapping signal is likely the root of the difference.  We have seen a
much higher user density per AP (not voice clients at this time) so
density has been much lower on my concern list of late.  50 users on an
AP isn't really an issue unless they are using high and sustained
bandwidth apps.

I guess it's best left at the real jewel of the Meru solution for us and
in general is the flexibility to fit in any way you want.  It's
certainly nice to be able to use a multi-channel architecture and to
still not have to worry about channel overlap where it happens.

Mike

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Miller
Sent: Tuesday, April 05, 2005 4:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MERU networks questions

> While a multi-channel approach will always deliver max Peak throughput
> (no surprise there), Meru's approach provides much better performance in
> high-density deployments (e.g. libraries) under all conditions and will
> always provide far superior load balancing, handoff, QoS and RF
> management than a multi-channel approach.  So if your main goal is
> Maximum Throughput at the expense of mobility, then Meru's flexibility
> will allow you to build that way also.  Or a combination as you see fit.

I agree -- the virtual AP system is perhaps the best technology to
support seamless roaming of any that I know today. Especially as one
considers WPA/WPA2, the overhead of reassociating is rather high and
this is completely eliminated with virtual AP.

> Also, the type of testing that Kevin describes will actually show the
> worst case from a performance perspective, since it only used 2 APs
> which were probably pretty close to each other.  So the clients likely
> ended up clumped on one AP and the 2nd AP just was there taking 'time
> slices'.  If the APs were far enough apart that the controller could
> actually distribute the load across both APs, performance would be much
> higher -- and this is why in our real-world deployment (vs. Kevin's lab
> testing) we are seeing excellent performance.

The two APs were setup at either end of a large conference room in which
30 people were seated with laptops, so they were ~45' apart. Throughout
the test I watched the controller and noticed that clients were
distributed roughly evenly between the APs. The idea of the test was to
simulate a typical bandwidth-intensive lecture room: the setup seems
fairly reasonable in that regard.

Do you deploy multiple APs on single channels for density in lecture
halls? Or are you deploying solely for coverage?

-Kevin

Kevin C. Miller
Network Architect
Office of Information Technology
Duke University



RE: [WIRELESS-LAN] hybrid Meru/non-Meru networking...

2005-04-06 Thread Ruiz, Mike
The latest Wi-Fi recertification and very robust testing for Meru
specifically included ensuring that as long as there was no channel
overlap between the Meru and Non-meru systems there was not any
performance impingement. 



--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws


-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Meinrath
Sent: Wednesday, April 06, 2005 10:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] hybrid Meru/non-Meru networking...

Hi Kevin,

I was wondering if you did any tests with a non-Meru AP in the same
physical space downloading with the Meru APs?  Mainly, I'm interested in
seeing if there is a marked performance drop-off.  I suspect that the
efficiencies in the Meru networks are gained at the expense of system
robustness, but it would be very interesting to have an empirical test of
this.

--Sascha

> Date:    Tue, 5 Apr 2005 11:25:13 -0400
> From:    Kevin Miller [EMAIL PROTECTED]
> Subject: Re: MERU networks questions
>
> To followup on some of these conversations.. I've been looking at the
> Meru technology a bit in the past few months, intrigued by the single
> channel claims. I recently ran a density test with the 'virtual AP' (two
> APs on a single channel) to test the performance. We had 30 clients (mix
> of b/g) in a room downloading a 10mb+ file simultaneously.
>
> In followup to this test, I've had a chance to talk with Meru's CTO and
> discuss their technology. Based upon my experience and conversations, I
> hope to clarify some points that have been raised here.
>
> The fundamental Meru technology is their ability to effectively manage
> co-channel interference. They do this with the virtual-AP concept; APs
> present the same BSSID so clients see a single AP where there are, in
> fact, multiple radios in space. They believe the technology coordinates
> APs utilizing the same channel well, reducing contention for the same
> space.
>
> The reason they see for needing to do this is based upon trying to
> deploy APs for 802.11g coverage. If you're trying to get 36Mbps
> coverage, the number of APs you need means that your 802.11b clients
> will see many radios on the same channel, and will thus be causing
> interference when they transmit.
>
> In our density test, we placed two APs on two channels and tested the
> performance -- it was quite good, as we'd expect. We then tested two APs
> on a single channel, and found the performance was much less.
>
> In discussing these results with Meru, it was confirmed that in planning
> for density, the use of multiple channels is suggested. There's no magic
> here -- with two APs in close proximity on a single channel, the
> performance is expected to be approximately half that of two APs on two
> channels. However, the system continues to manage co-channel
> interference between APs on common channels.
>
> So I wanted to provide some insight on that.. if there are other
> questions, feel free to ask on or off list..
>
> -Kevin
>
> --
> Kevin C. Miller
> Network Architect
> Office of Information Technology
> Duke University

--
Sascha Meinrath
President *   Project Coordinator   *   Policy Analyst
Acorn Worker Collective  ***  CU Wireless Network  ***  Free Press
www.acorncollective.com   *   www.cuwireless.net*
www.freepress.net



RE: [WIRELESS-LAN] MERU networks questions

2005-04-05 Thread Ruiz, Mike
Of course there is some bandwidth sharing whenever you have APs that are
very close to each other that are sharing the exact same spectrum,
however Meru recovers much of this bandwidth due to the fact that they
are managing contention for all clients and APs (which others cannot)
and therefore do not have the typical losses that most deployments have
related to collisions.  

While a multi-channel approach will always deliver max Peak throughput
(no surprise there), Meru's approach provides much better performance in
high-density deployments (e.g. libraries) under all conditions and will
always provide far superior load balancing, handoff, QoS and RF
management than a multi-channel approach.  So if your main goal is
Maximum Throughput at the expense of mobility, then Meru's flexibility
will allow you to build that way also.  Or a combination as you see fit.

Also, the type of testing that Kevin describes will actually show the
worst case from a performance perspective, since it only used 2 APs
which were probably pretty close to each other.  So the clients likely
ended up clumped on one AP and the 2nd AP just was there taking 'time
slices'.  If the APs were far enough apart that the controller could
actually distribute the load across both APs, performance would be much
higher -- and this is why in our real-world deployment (vs. Kevin's lab
testing) we are seeing excellent performance.


Mike
--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws


-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Miller
Sent: Tuesday, April 05, 2005 3:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MERU networks questions

Eric T. Barnett wrote:

> So if you have 2 in close proximity on the same channel, then you end up
> with half the bandwidth of 2 AP's on different channels.  How about when

Correct; this was what Meru's CTO explicitly said.

> they are not in close proximity but they overlap as they would in a
> standard building situation.  How was the performance in the overlap?
> Was it any better?


I have not done a test with a number of clients in wide open spaces on
the same channel. Based upon the results of this test I'm interested in
doing this: having two APs separated by a reasonable distance and a
group of clients clustered around each. Both APs would be on the same
channel, and I'd test the performance. (Side-by-side lecture halls?)

-Kevin

--
Kevin C. Miller
Network Architect
Office of Information Technology
Duke University



RE: [WIRELESS-LAN] Redundancy question

2005-04-01 Thread Ruiz, Mike
I would add that my experience with auto-cell sizing has some negative
consequences as well.  While the healing perspective can be a real save
if an AP goes down it is possible that if you have enough users you will
overwhelm the AP's filling in the dead space and take even more users
down (or at least make their connection nearly unusable).  

Also in an auto powered/cell sized environment it is possible for one
rogue AP or an ad-hoc radio to cause your infrastructure to resize and
create/move dead spots.  Some vendors have nice ways around this.

Self-healing through power control is a great feature and something I
would not want to be without but it is not the solution to our wi-fi
woes.  Not to sound like a broken record but I think the single channel
architecture is the perfect complement to power/cell-size control.

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws


-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Friday, April 01, 2005 9:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Redundancy question

In the Cisco AP world, their self-healing wireless topology requires
that there are more APs in a given area operating at half (or lower)
transmit power. When an AP goes down, the other APs automatically
increase power to cover the gap.

Mike

***
Michael Dickson Phone: 413-545-9639
Network Analyst Fax:   413-545-3203
University of Massachusetts Email: [EMAIL PROTECTED]
Network Systems and Services
***

Yair Oren wrote:
> Many AP vendors are advocating power-adjustment-based redundancy
> schemes, i.e. if an AP fails its neighbors will power up to cover its
> territory.
>
> Does this mean the number of required APs grows 4X or is there a way to
> make this work with less APs ?
>
> Yair Oren



RE: [WIRELESS-LAN] MERU networks questions

2005-03-30 Thread Ruiz, Mike
The advantages to single channel coordination are quite numerous really.

*No need for elaborate site surveys in which you are concerned about
channel overlap, you only need to paint for coverage
*Roaming, primarily a VOIP concern, is more seamless
*Addition or removal of cells has no effect on coverage model as it
would in a three channel or autocell sizing architecture

Also now imagine a whole Coordinated single channel architecture campus
wide 11b/g on channel 11, now you have 1 and 6 free in the same spaces
so you could roll out other dedicated meru networks there or other
vendors wifi.  T

The bottom line is really the flexibility, performance, seamlessness,
ease of management 

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jonn Martell
Sent: Wednesday, March 30, 2005 1:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MERU networks questions

Unfortunately, WLSE hasn't been able to keep up with the competitors.
Some of us have been trying quite a bit but the development team is
either understaffed or not understanding campus deployments.  It could
also be that campus environments are not that important for them (a
small market share).

The lack of completion for WLSE is likely the main reason they purchased
Airespace.  The future roadmap should be interesting; I hope they share
it.

It would be great to be able to turn the intelligent APs (1200, 1100s)
into thin radios with hybrid capabilities. They could release a cheaper
DSP based 1000 series which could support MIMO capabilities being
discussed in 802.11n?

We previously stayed away from the whole special switch concept
because of our love affair with ethernet but there needs to be good 2D
and 3D multi-building RF management tools to tune very large campus
wireless networks in order to support next generation applications such
as VOIP.

Meru's offering is interesting but I don't understand the advantage of a
single channel use in 2.4GHz.  I would understand the ability to have
three channel is campus-wide; that would seem like a far more capable
network (up to eight in 5 GHz).

I look forward in seeing Cisco's roadmap in relation to these
competitors.

 ... Jonn Martell, UBC Wireless

Eric T. Barnett wrote:

I just saw some promising information on the web about Meru Networks'
wireless solution.  Anyone out there using Meru?  What do you think?
We're running a Cisco WLSE with about 120 AP's and 5 1200's working as
WDS.  Just wondering how Meru really stacks up to Cisco specifically in
ease of use, returns, support, and lifespan of equipment.  All of their
press makes them sound too good to be true.  Many thanks.



Eric Barnett, CCNA

Wireless Administrator

Information and Technology Services

Arkansas State University

870 972 3033






RE: [WIRELESS-LAN] MERU networks questions

2005-03-28 Thread Ruiz, Mike








Eric,

We are a Meru Shop, recently announced. I have about 30 AP deployed, 20
Ready to roll and plans for 200 more. When it comes to ease of use they
simply blow the rest out of the water that's Cisco, Enterasys, and even
the nex-gen stuff like Chantry or Trapeze. The interface is really simple
like many of the centrally managed systems but with the savings on site
surveys thanks to the coordinated single channel architecture is truly
enormous. Their support has been great for us as well. We were an early
adopter through v2.0 and v3.0. After some bugs in 3.0.0 they were right
there working with us to isolate them and 3.0.1.1 has been solid as a
rock, better than any others I've used actually. Toss all that with the
performance increase on the b/g mixed mode front and I don't understand
how anyone couldn't be impressed.

When I first met with their team 5 months ago I agree it all sounded too
good to be true. Our testing with a few AP went well and I ordered a 15AP
starter pack. I put all 15 in one room and was amazed at how well the
roaming algorithms worked and with a nice mix of apps including voice,
performance was quite astonishing.

Bottom line, we have saved money and made my life a lot more predictable
and smooth. I would love to put you in touch with our VAR/Integrator if
you're interested in some more information.

Mike

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws

From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Eric T. Barnett
Sent: Monday, March 28, 2005 11:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MERU networks questions

I just saw some promising information on the web about Meru Networks'
wireless solution. Anyone out there using Meru? What do you think?
We're running a Cisco WLSE with about 120 AP's and 5 1200's working as
WDS. Just wondering how Meru really stacks up to Cisco specifically in
ease of use, returns, support, and lifespan of equipment. All of their
press makes them sound too good to be true. Many thanks.

Eric Barnett, CCNA
Wireless Administrator
Information and Technology Services
Arkansas State University
870 972 3033


RE: [WIRELESS-LAN] MERU networks questions

2005-03-28 Thread Ruiz, Mike








Nothing that isn't going to be fixed in 3.1.0 such as grouping of AP
rather than 1 long list etc.

They don't have any routing ACL type security in the box so while they
can dump users into a vlan, etc you have to control things like what
networks they have access to etc on your wired network. That's not a
biggie but something I guess. However I'd rather have them continue to
excel at wireless rather than diluting that trying to do everything.

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws

From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Eric T. Barnett
Sent: Monday, March 28, 2005 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MERU networks questions

Thanks Mike! I've sent an email to their sales department with a ton of
questions on it last week and haven't heard back yet. I'll give them a
couple of more days to reply and then I'll take you up on that VAR info.

Anything about Meru you DON'T like?

Anyone else using Meru?

Eric Barnett, CCNA
Wireless Administrator
Information and Technology Services
Arkansas State University
870 972 3033






RE: [WIRELESS-LAN] 802 Jamming the FCC

2005-03-09 Thread Ruiz, Mike
As a Meru user I would like to respond that from a tolerance of other
Wi-Fi devices they are perfectly fine.  Our Meru network resides on
Channel 11 and any wi-fi networks that we don't manage on channels 1 and
6 can reside just fine in the same space.  We have several places where
we have not yet upgraded to the Meru technology where our legacy access
points on channels 1 and 6 even hand off (not as fast as Meru to Meru
AP) between the two systems.

With Rogue Suppression enabled we simply have to list in an ACL the
BSSID's of systems we either wish to suppress if it is set as implicit
allow or the systems we wish to allow in an implicit deny configuration.
It is similar to jamming but unlike other jamming technologies it is
discriminatory.  For example, some 1800MHz jammers used to prevent cell
phone use in secure areas or perhaps in classrooms at some institutions
disrupt all devices at a subset of that band.  Rogue AP suppression at
least allows flexibility with the AP and doesn't disrupt any devices
using 2.4 or 5GHz that aren't wi-fi (even in an implicit deny).

Mike
 

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws


-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Meinrath
Sent: Wednesday, March 09, 2005 1:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802 Jamming  the FCC

Hi all,

I've combined comments raised in the latest digest into a single e-mail
response.

 From:Ruiz, Mike [EMAIL PROTECTED]

 While it's a little off topic I would question whether the logic of=20

 If a University allows users to plug into their network, probably
 they'll have to allow whatever devices are connected to these
computers

 would then require that we don't restrict or require those computers
to
 meet certain security requirements or be at certain determined
 specifications. =20 Many schools require student computers to be
 patched and enforce it through trusted end point systems such as
 Perfigo(Cisco Clean Access), or Campus Manager. =20

 My guess and hope is that there must be difference between the example
 of an owned network which offers fee-based services to consumers and
a
 private network. =20

Actually, the Hush-a-Phone and Carterphone decisions (in 1956  1968
respectively) set a fairly good precedent that foreign attachements must
be allowed so long as they don't harm the network as a whole.
Obviously,
computers with viruses and other problems, would harm the network;
however, you're right to point out that this is a legal grey area (in
that
no standards have been set for determining device requirements).  In the
end, it would probably fall upon the network administrators to
demonstrate
that harm is caused by specific classes of devices.  But I'm not a
lawyer,
so you may want to check with a professional about this.

 Additionally I would suggest thought around the extension of the logic
 of the inverse or open network.  Open source, open standards should
not
 suggest a free-for-all but an inverse or open network does in some
way.
 A network that is a free-for-all makes quality assurance, reliability,
 security and support difficult and arguably more costly than making
 security and access control a concept spread across all layers of IT.

I would agree -- what's really needed is some sort of basic standards
for networks; however this can be done in one of several ways (e.g.,
security standards on end-user devices, intelligent bandwidth-shaping
that can automatically isolate problem devices, etc.).  I was really
excited to hear about some of the trustable network work that various
EDUCAUSE members are working on -- I think the solutions they are
working
on are going to be vital as we move more towards a multi-layered
wireless
environment.  But I suspect this will be an ongoing tension for the
foreseeable future.

 From:  Frank Bulk [EMAIL PROTECTED]

 Sascha:

 On what basis are you saying that some EDUCAUSE member institutions
are
 already having problems with Meru-type equipment and the FCC.  Unless
 my email feed is dropping messages, I don't remember reading anything
on
 this listserv about Meru-type equipment causing problems.

I'm inferring that based upon recent FCC clarifications on the
illegality of jamming devices in unlicensed spectrum and the concerns
raised by several folks to me, that this may be an issue.  I actually
_really_ like what Meru is doing -- but during our discussions in
Tempe, it became fairly clear that the boosted throughput speeds of
Meru-type networks come at the cost of tolerance of other WiFi sources.

> Mike did say that Meru system can perform rogue suppression, but I
> believe that enforcing a security policy in a physically isolated
> environment

RE: [WIRELESS-LAN] 802 Jamming the FCC

2005-03-08 Thread Ruiz, Mike
While it's a little off topic I would question whether the logic of 

If a University allows users to plug into their network, probably
they'll have to allow whatever devices are connected to these computers


would then require that we don't restrict or require those computers to
meet certain security requirements or be at certain determined
specifications.  
Many schools require student computers to be patched and enforce it
through trusted end point systems such as Perfigo (Cisco Clean Access),
or Campus Manager.

My guess and hope is that there must be a difference between the example
of an owned network which offers fee-based services to consumers and a
private network.

Additionally I would suggest thought around the extension of the logic
of the inverse or open network.  Open source, open standards should not
suggest a free-for-all but an inverse or open network does in some way.
A network that is a free-for-all makes quality assurance, reliability,
security and support difficult and arguably more costly than making
security and access control a concept spread across all layers of IT.

--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws


-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Meinrath
Sent: Tuesday, March 08, 2005 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802 Jamming & the FCC

Hi Stewart (et al.),

Actually, the right to prevent APs from connecting to the network is
itself doubtful -- there's already been ample legal precedent (e.g., in
telephone communications a la the Carterphone & Hushaphone legal
decisions) that owning the network itself doesn't necessarily give you
the right to restrict foreign attachments (which, for example, is why
we can now use answering machines legally).  If a University allows
users to plug into their network, probably they'll have to allow
whatever devices are connected to these computers.  More importantly,
it would be an absolute administration nightmare to attempt to prevent
WAP-based LANs.  Finally, the devices themselves are useful even if not
connected directly to a University's network (e.g., as a bridge between
various dorm machines for LAN parties, sharing a printer, etc.) --
which means that you'll end up with these APs even if they can't
directly connect to the network.

In the end, my own bias is that Universities would be _much_ better
served going with an open architecture, open source wireless solution.
I mean, Universities pioneered the Internet itself, yet are currently
outsourcing wireless technologies (and paying exorbitant prices because
of this) for proprietary systems that'll lock you into a specific
brand.  It would seem to me that an inter-institutional effort to
develop a non-proprietary wireless solution would be a wiser allocation
of our resources, would avoid some of the pitfalls of various closed
solutions, and would save a bundle in the long-term.  In the end, we're
probably talking about a several-hundred-thousand dollar investment and
a year's effort and one could cut the price you pay for wireless
hardware by one-tenth -- think about it.

--Sascha

***

Date: Mon, 7 Mar 2005 08:47:25 -0500
From: Seruya, Stewart [EMAIL PROTECTED]
Subject: Re: 802 Jamming & the FCC:

If it's true that jamming is not allowed, let's not forget that
ultimately students and faculty plug their wireless APs into the
University network.  The university still retains the right to not
permit these APs to connect to the network, making them useless.  Am I
correct?

Stewart


--
Sascha Meinrath
President *   Project Coordinator   *   Policy Analyst
Acorn Worker Collective  ***  CU Wireless Network  ***  Free Press
www.acorncollective.com   *   www.cuwireless.net*
www.freepress.net



RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-01-24 Thread Ruiz, Mike
If you use EAP-TLS this isn't an issue.  However you may need to tweak
the supplicant between machine only auth, machine+user reauth on timer,
or machine user reauth not on timer.

PEAP here in testing at least did not present this issue against MS IAS
RADIUS.



--
Michael Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges
Information Technology
P 315-781-3711 F 315-781-3409
-
HWS Faculty, Staff, Students and Alums
Can purchase technology online and with an HWS DISCOUNT!
http://www.cdwg.com/hws

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, January 24, 2005 4:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Are these machines members of a domain?  Which RADIUS server are you
using?  When users change their passwords here, the .1x auth fails, then
XP asks for the credentials again.  The only case I've seen where it
wouldn't happen that way is if the option to use the Windows credentials
for the authentication is left checked, so the machine is using the
Windows credentials to authenticate.  Oh, and I'm also assuming here
that you're using PEAP...

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Katie Christman wrote:
> We're in the midst of a pilot for wireless authentication here at ND.
> We've got 802.1x up and working, however we ran into a glitch when using
> the built-in Windows XP 1x supplicant.  When a user changes their
> password, it never prompts the user to re-type their credentials,
> authentication just fails.  According to the MS knowledgebase, this
> behavior was purposely designed this way.  The only 2 ways we've found
> to force reauthentication are to either delete the reg key that stores
> the cached credentials, or to remove the 1x connection and recreate it.
>
> For those of you who are using the built-in XP supplicant with 1x - how
> are you dealing with this behavior?
>
> Thanks in advance,
> Katie
>
> --
> Katie Christman
> University of Notre Dame
> Office of Information Technologies
> Notre Dame, IN 46556
> Phone: 574.631.3130
> Fax: 574.631.9883
> Email: [EMAIL PROTECTED]



RE: [WIRELESS-LAN] AP Vendors ( WAS : Re: [WIRELESS-LAN] Vanderbilt Residential Housing RFI)

2004-11-02 Thread Ruiz, Mike
Greetings all,

I would like to thank Chris for a spot on exemplary overview of many
access points and clients.  The only additions I would make are:

Enterasys:  We have been extensively testing and utilizing Enterasys R2
Access points with mixed 11a/11b and 11b/b radios in them in a hybrid
802.1x/MAC address authentication mode against RADIUS.  This allows us
to support Dynamic WEP for our good 1x clients (read XP) and our OS X.3
and below Macs can use either Static WEP combined with MAC registration
or No Encryption combined with MAC registration.  That all said the R2
offers a spectacular flexibility of management (L3/L4 policy) and
scalability.

The AP3000, an ODM product, has much the same authentication flexibility
but not in the L3/4 policy arena.  It does bring auto channeling to the
table.

They are probably going to have a new wireless product in the not so
distant future as well.

Meru:  While we are thrilled with the Enterasys product we are
aggressively approaching Meru.  The idea of single channel, no
configuration per AP and still retaining all the authentication options
of the R2 is very appealing.  While we don't have any VoWLAN yet or VoIP
really the flexibility outweighs the fact that these are areas they are
focused on.  I think they take thin AP to a new level.

Mike

 
_
Michael G. Ruiz | ESSE, ACP, A+
Network/Enterprise Systems Engineer |
Hobart and William Smith Colleges   | Ph 315-781-3711
Geneva NY 14456 |Fax 315-781-3409
__
Did you know?  Faculty, Staff, Students, and Alums
Can purchase hardware and software at educational 
DISCOUNT pricing by visiting http://www.cdwg.com/hws

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Hessing
Sent: Tuesday, November 02, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: [WIRELESS-LAN] AP Vendors ( WAS : Re: [WIRELESS-LAN] Vanderbilt
Residential Housing RFI)

> Anyone else out there want to share who your wireless vendors are?
> I've heard a lot about Chantry, Cisco, Enterasys, Proxim and some of
> Airespace, but not Legra, Aruba, Foundry, or Extreme.

We have started to deploy Trapeze equipment.  For reasons I will go in
to below.  (For anyone that is interested. ;)

We have done a lot of testing with different vendors.  In general, we
have found that if you are doing basic insecure wireless (with, or
without a web authentication device) pretty much any AP works.  Perhaps
the only thing to check is to look at how vlans are set up, in case you
want to put the management end of the AP on a different vlan than the
users.  The VLAN capabilities vary wildly from AP to AP.  Some are
limited to using tags that are lower than 63, others require that the
management always be on vlan 1, etc.

For APs that are using some form of security, things get a little more
interesting.  There are a few things to look at if you are thinking of
doing 802.1X (with dynamic WEP, or WPA).  If you have Apple machines in
your network, picking the right AP will require a bit of leg work.

With Mac OS X.3, Macs now have a built in client that is 802.1X with
dynamic WEP, and WPA enabled.  However, there is a nasty bug in the WPA
implementation that causes things to break for Macs.  With WPA, when a
station associates it is expected to put a WPA Information Element (IE)
in to the association beacons.  This does two things, it informs the AP
that the STA can do WPA, and also informs the AP of the encryption type
that the STA wants to do.  Later when the STA gets in to the 4-way
handshake that is required by WPA, the STA should send the exact same
IE to the AP.  If the IE doesn't match, the AP disassociates the STA.
Because the beacons happen as part of the card hardware/driver, and the
4 way handshake happens in the supplicant software, there needs to be
some communication between the two pieces about what the IE needs to
be.  On Macs, the beacon seems to respond to the AP with what the AP
suggests should be used for encryption.  But, the supplicant will
always tell the AP that it wants to use TKIP for both the pairwise, and
group ciphers.  So, if you are running your AP in a mixed mode, Macs
will fail.  (A mixed mode would be TKIP with WEP, in order to support
older clients that can't handle TKIP.)

So, this sounds like a problem with the Macs, why does the choice of AP
matter?  In certain APs, specifically those based on the Accton
reference design, it isn't always possible to disable WPA.  You are
given the choice to either run in a straight WPA mode (TKIP/TKIP) or a
mixed mode (TKIP/WEP).  So, you may be in a situation where you need to
choose which group of users can't get on.  (Those that can't support
WPA, or those that use Macs.)

So, (my point) here is a rundown of APs that I have played with, and
some of the pros/cons of each.

Foundry -- We have a LOT