Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Scott Bertilson
Wow, apologies.  I misread your comment, even after I copied it.  Ouch.

On Wed, Aug 19, 2020 at 4:01 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> I was saying there are very few organizations that truly have every
> resource, where the primary password is used, enabled for MFA.
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Scott Bertilson <
> 01d368c4bbc6-dmarc-requ...@listserv.educause.edu>
> *Sent:* Wednesday, August 19, 2020 4:45:27 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] New certificate expiration for certificates
> affecting 802.1X?
>
> Tim commented:
> ...I highly doubt a majority of organizations have every single non-Wi-Fi
> resource protected with strong MFA at this point in time.
>
> In our case, we use PEAP and use the same PW for WiFi as for everything
> else, but most of everything else (and growing) requires MFA.  I hope
> that's what he meant or else I'm missing something about how you make MFA
> work for WiFi in any large installation.
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>



Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Scott Bertilson
Tim commented:
...I highly doubt a majority of organizations have every single non-Wi-Fi
resource protected with strong MFA at this point in time.

In our case, we use PEAP and use the same PW for WiFi as for everything
else, but most of everything else (and growing) requires MFA.  I hope
that's what he meant or else I'm missing something about how you make MFA
work for WiFi in any large installation.



Re: [WIRELESS-LAN] Wireless printers and other devices in residence halls

2017-10-19 Thread Scott Bertilson
and there's always the peer-pressure approach of telling them that their
device acting as an AP is messing up wireless coverage for them and their
neighbors.  and perhaps letting neighbors know through res-life why there
is a problem if they're nearby.

On Thu, Oct 19, 2017 at 10:13 AM, Hales, David wrote:

> Our residence hall policy and campus acceptable use policy specify that
> students are not allowed to connect routers, switches, or access points to
> the wired network, or operate independent wireless access points in campus
> facilities.  Our NAC and switches are able to handle any that get plugged
> into wired drops.  We don’t have too many wireless issues caused by rogue
> APs, but when we detect an issue related to one, we locate them rather than
> mitigate them.  We haven’t run into one where the student was really trying
> to hide an AP, so we can usually localize it to a room or two, and then
> residential life finds them during one of their room inspections.  Usually
> the student is just ignorant of the policy violation, and packs the device
> away.  We haven’t had any really rebellious students that insisted on
> bringing the device back online at a later time.
>
>
>
> *David Hales*
>
> *Network Systems Administrator*
>
> *Information Technology Services*
>
> 1010 N. Peachtree
> 
>
> Clement Hall 117
>
> Cookeville, TN 38505
>
> *P* 931-372-3983
>
> *F* 931-372-6130
>
> *E* *dha...@tntech.edu* 
>
> *www.tntech.edu/its* 
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Davis, Steve
> *Sent:* Thursday, October 19, 2017 9:56 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Wireless printers and other devices in
> residence halls
>
>
>
> I wanted to get an idea how everyone is handling students bringing in all
> types of wireless devices, which are basically access points.  We have so
> many printers, TVs, Roku devices, game systems and who knows what else out
> there in the student rooms and these devices are causing issues with our
> campus wireless network.
>
>
>
> Do you allow these devices on your network?  If not, how do you prevent
> the students from having them?
>
>
>
> I have Cisco wireless controllers where I can block rogue APs but that
> keeps the APs which are containing the rogue AP from servicing the clients
> and I don’t have dense enough coverage to be able to do this for every
> rogue device.
>
>
>
> Thanks in advance
>
> -Steve
>
>
>
> *Steve Davis* | Network Manager
>
> *Department of Technology Infrastructure *
>
>
>
> *Lock Haven University *
> 519 Robinson Hall
>
> 401 North Fairview Street, Lock Haven, PA 17745
> 
>
> Phone: 570-484-2290 | sda...@lockhaven.edu | www.lockhaven.edu
>
>
>
>
>
>
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at http://www.educause.edu/
> discuss.
>
>




Re: [WIRELESS-LAN] Clearpass Bug - Posture and Profile Data update

2017-10-11 Thread Scott Bertilson
Ironically we were at 6.6.4 until early Sunday morning at which point we
upgraded to 6.6.8 just in time for more fun.

On Wed, Oct 11, 2017 at 8:37 PM, Patrick McEvilly <
patrick_mcevi...@harvard.edu> wrote:

> We are on 6.6.7 and we’re affected.
>
> Patrick
>
> On Oct 11, 2017, at 7:27 PM, Norton, Thomas (Network Operations) <
> tnort...@liberty.edu> wrote:
>
> Fortunately for us we weren’t affected by this, what code rev were you
> guys running?
>
>
>
> We are currently running 6.6.5
>
>
>
> *T.J. Norton*
>
> *Wireless Network Architect*
>
> *Network Operations*
>
>
>
> *(434) 592-6552 *
>
>
>
> 
>
> *Liberty University  |  Training Champions for Christ since 1971*
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Scott Bertilson <
> s...@umn.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Wednesday, October 11, 2017 at 7:23 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.
> EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] Clearpass Bug - Posture and Profile Data
> update
>
>
>
> Bit us at 2:38 AM, took until 5 AM before I got called.  By the time I got
> to it the necessary correct update was in place so the policy server
> restart got us on the air again.
>
>
>
> Pretty tempted to block CP access to the CP update site so that we can
> open it up at times more convenient for us.  We're so new to Aruba and
> ClearPass that we're not even using the feature.
>
>
>
> Definitely want to see syslog messages for this activity.  Going to have
> to activate SNMP traps.
>
>
>
> On Wed, Oct 11, 2017 at 5:43 PM, Joachim Tingvold <joac...@tingvold.com>
> wrote:
>
> On 11 Oct 2017, at 19:01, Ferguson, Michael wrote:
>
> I didn’t see any (until Chad posted later) and so we thought our issue was
> more isolated. We wasted 20 minutes of valuable MTTR time collecting Server
> Logs when all we needed to do was start the “Policy server” service.
>
>
> "Only start the Policy Server" was not the case for most of us. The bad
> update came, followed by failure of the "Policy Server". CPPM tried to
> restart it (entries in event viewer), but seems to only try that for a
> pre-defined number of times before "giving up", at which point the "Policy
> Server" becomes "permanently" stopped (regardless of updates, unless
> manually started).
>
> In our case, the bad update came in at around 09:03 CEST, we discovered it
> a few minutes later, went on call with Aruba/HPE support (which after about
> 10-15 minutes could tell us that "the whole world has the same issue", more
> or less). At about 10:10 CEST a new update came, followed by yet another
> update at 10:50 CEST or so. At this point we had an Aruba-engineer on the
> phone, but even when starting "Policy Server" manually, it shut down after
> a few seconds. It wasn't until a third update, at around 11:23 CEST, that
> the service remained running after a manual start. We had to manually start
> it on all members in the cluster, for all our clusters.
>
> Fun times (-:
>
> --
> Joachim
>
>
>

Re: [WIRELESS-LAN] Clearpass Bug - Posture and Profile Data update

2017-10-11 Thread Scott Bertilson
Bit us at 2:38 AM, took until 5 AM before I got called.  By the time I got
to it the necessary correct update was in place so the policy server
restart got us on the air again.

Pretty tempted to block CP access to the CP update site so that we can open
it up at times more convenient for us.  We're so new to Aruba and ClearPass
that we're not even using the feature.

Definitely want to see syslog messages for this activity.  Going to have to
activate SNMP traps.

On Wed, Oct 11, 2017 at 5:43 PM, Joachim Tingvold wrote:

> On 11 Oct 2017, at 19:01, Ferguson, Michael wrote:
>
>> I didn’t see any (until Chad posted later) and so we thought our issue
>> was more isolated. We wasted 20 minutes of valuable MTTR time collecting
>> Server Logs when all we needed to do was start the “Policy server” service.
>>
>
> "Only start the Policy Server" was not the case for most of us. The bad
> update came, followed by failure of the "Policy Server". CPPM tried to
> restart it (entries in event viewer), but seems to only try that for a
> pre-defined number of times before "giving up", at which point the "Policy
> Server" becomes "permanently" stopped (regardless of updates, unless
> manually started).
>
> In our case, the bad update came in at around 09:03 CEST, we discovered it
> a few minutes later, went on call with Aruba/HPE support (which after about
> 10-15 minutes could tell us that "the whole world has the same issue", more
> or less). At about 10:10 CEST a new update came, followed by yet another
> update at 10:50 CEST or so. At this point we had an Aruba-engineer on the
> phone, but even when starting "Policy Server" manually, it shut down after
> a few seconds. It wasn't until a third update, at around 11:23 CEST, that
> the service remained running after a manual start. We had to manually start
> it on all members in the cluster, for all our clusters.
>
> Fun times (-:
>
> --
> Joachim
>
>
>




Re: [WIRELESS-LAN] ArubaOS 8.X Experiences

2017-06-08 Thread Scott Bertilson
It really does seem to work quite well.  We probably should have used it on
more of our controllers and APs (>2000 at the time) a week or so ago, but
did most of the upgrade by forcing controllers to reboot because we were
under a time crunch to test out the support for 303H APs.  We did try the
hitless upgrade in our own building though and it was pretty entertaining
watching APs slowly migrate between controllers and upgrade and, though I
don't think we had a continuous ping running or anything, it did seem very
smooth.  It doesn't choose the APs randomly, there are several criteria
that are applied which take into account where the clients are so that it
doesn't pull multiple APs simultaneously in a given area leaving no
coverage.  It takes a substantial amount of time, but it really is
amazing.  Can't wait for the next upgrade to do it campus-wide (which will
imply over 8000 APs).

On Thu, Jun 8, 2017 at 3:49 PM, Harris, Robert wrote:

> What he said, basically it’s a “client aware” option for AP upgrades.
>
>
>
>
>
>
> *Robert Harris **Manager of Network Services*
>
> *Culinary Institute of America*
>
> 1946 Campus Drive
>
> Hyde Park, NY
> 845-451-1681
>
> www.ciachef.edu
>
> *Food is Life*
>
> *Create and Savor Yours.™*
>
>
>
> *Please consider the environment before printing this e-mail.*
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Samuel Clements
> *Sent:* Thursday, June 8, 2017 4:46 PM
> *To:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>; Harris, Robert <
> robert.har...@culinary.edu>
> *Subject:* Re: [WIRELESS-LAN] ArubaOS 8.X Experiences
>
>
>
> At AirHeads it was described this way:
>
>
>
> Code is loaded on one WLC, WLC is rebooted and running new code.
>
> Client match is used to encourage clients to leave APs on a selected
> channel.
>
> All APs on that selected channel are elected for update and moved to the
> WLC with the new code.
>
> Moved APs get new code, reboot, come back into service.
>
> APs running new code are eligible for taking on new clients and client
> match should start moving clients to the new code APs.
>
> Lather, rinse, repeat until all channels have been rotated through.
>
> Once the WLC is unloaded, it gets new code and is rebooted.
>
>
>
> So, not really 'hitless' as advertised, but yes- far better than taking
> them all out at once. Assuming of course that client match successfully
> behaves. ;-)
>
>   -Sam
>
>
>
>
>
>
>
> On Thu, Jun 8, 2017 at 3:38 PM, Joachim Tingvold 
> wrote:
>
> On 8 Jun 2017, at 19:11, Sweetser, Frank E wrote:
>
> […] and from there I'm really looking forward to seeing how well the live
> upgrades work!
>
>
> Hi,
>
> Do you know how that works in detail? All I can find is the sales
> mumbo-jumbo that over-promises (as usual); "[…] allows customers to upgrade
> their wireless network in real time without any impact to user
> connectivity. Upgrade process is simplified, no maintenance downtime […]".
>
> Looking at the installation manual of 8.1.0, it doesn't say how it's done,
> but I managed to find a "dumbed down" non-official explanation that went
> something along the lines of "[…] move all APs to secondary controller,
> then upgrade the primary controller. After primary is upgraded, APs are
> gradually upgraded/moved to the primary controller (i.e. not all at once).
> Once all APs is upgraded, the secondary controller is upgraded, and then
> the redundancy is restored".
>
> How are those APs selected? Just random order? If so, that doesn't really
> mean "no downtime" or "no impact on users", as you could risk neighboring
> APs to be upgraded at the same time, causing smaller or larger blindspots.
> Of course it sounds better than to "take it all down", but, yeah, not
> really ISSU…
>
> --
> Joachim
>
>
>
>
>
