RE: eduroam AUP, revisit

2017-09-12 Thread Stobbs, Darren
Hi Lee,


A perspective from the U.K. which might be different to how it works in the U.S.

All of the Eduroam member organisations in the UK must publish an Eduroam 
support page, known as the service information web site. The web site must be 
generally accessible and must post a link to the Eduroam AUP and a link to the 
organisation AUP. This web site may include other useful information such as 
how to configure Eduroam on specific devices.

In Europe, there is also an optional configuration tool called Eduroam CAT 
developed by GÉANT - this tool installs/configures Eduroam profiles on 
different devices but includes a section where the user must agree to the AUP 
before they can proceed with the install.

We also provide some documentation in printed and electronic format in the form 
of a handbook that is given to arriving students. The handbook includes a 
section about acceptable use of I.T. and what their responsibilities are. You 
could, and I think some organisations do, prompt users to accept the AUP when 
they login to the organisation Intranet for the first time and then have it 
send them an email to confirm they have accepted the AUP.

I'm sure there could be a situation where someone could connect to Eduroam 
without ever seeing the Eduroam AUP - but generally they will have seen an AUP 
at some point if they have been issued with some credentials by the 
organisation. There will be a lot of duplicate policies between an organisation 
and Eduroam.


Darren.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: 11 September 2017 17:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] eduroam AUP, revisit

Sorry to rehash a topic like this, but throwing the net out there again after 
only getting one reply (Thanks, Marcello). How are you who participate in 
eduroam as IDPs (Identity Providers) making "reasonable effort" to inform your 
users about their responsibilities when visiting other campuses and using 
eduroam?

Thanks-

Lee

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




RE: [WIRELESS-LAN] EDUROAM PROBLEM RE: [WIRELESS-LAN] Any Stetson University Network Folks on the List? Live problem in progress

2017-08-14 Thread Stobbs, Darren
Hi Lee,


I have seen something like this before.

It was related to incoming or outgoing RADIUS attribute filtering - possibly 
due to a typo or a character that has not been correctly escaped in the filter 
as you often have to use a backslash as an escape character.


Darren.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: 14 August 2017 16:12
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] EDUROAM PROBLEM RE: [WIRELESS-LAN] Any Stetson 
University Network Folks on the List? Live problem in progress

I'll throw this out there for anyone who may be familiar with similar- all 
users from one school are getting this

Aug 14 11:01:10 eduroam2 CSCOacs_Failed_Attempts 850928 2 1 
NetworkDeviceName=Faraday London, NetworkDeviceGroups=Device Type:All Device 
Types, NetworkDeviceGroups=Location:All Locations, 
ServiceSelectionMatchedRule=eduroam user from off campus, 
Response={RadiusPacketType=AccessReject; Reply-Message=No response for 
@ad.stetson.edu\, Reject from eduroam-US.; }

The  is me. We're seemingly getting no response from the home school's 
RADIUS servers, and I've not seen that leading "\" before. Lots of other 
successful eduroam schools in our environment though.

Does this ring bells for anyone? Thankfully, we've had many years of zero 
problems with eduroam to date.

-Lee



Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, August 14, 2017 10:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Any Stetson University Network Folks on the List? Live 
problem in progress

If anyone from Stetson University is around, please respond off list. We have a 
group of law students from Stetson in our London center that are having 
problems with eduroam. All are getting rejected from Stetson's RADIUS servers 
and it looks like a leading "\" may be the problem.

Not seeing that on any other school's Network IDs.

Thanks-

Lee

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu
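
One way to triage reject records like the one quoted in this thread, as an added example that is not part of the original messages: it groups ACS "No response" rejects by realm and flags any realm string carrying characters outside letters, digits, hyphen and dot, such as the trailing backslash seen above. The log lines are constructed (trimmed from the quoted format, with placeholder users and a placeholder example.edu realm), and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the CSCOacs_Failed_Attempts line quoted
# in the thread; user1..user3 and example.edu are placeholders, not from the post.
SAMPLE_LOG = r"""
Aug 14 11:01:10 eduroam2 CSCOacs_Failed_Attempts 850928 2 1 NetworkDeviceName=Faraday London, ServiceSelectionMatchedRule=eduroam user from off campus, Response={RadiusPacketType=AccessReject; Reply-Message=No response for user1@ad.stetson.edu\, Reject from eduroam-US.; }
Aug 14 11:01:12 eduroam2 CSCOacs_Failed_Attempts 850929 2 1 NetworkDeviceName=Faraday London, ServiceSelectionMatchedRule=eduroam user from off campus, Response={RadiusPacketType=AccessReject; Reply-Message=No response for user2@ad.stetson.edu\, Reject from eduroam-US.; }
Aug 14 11:02:40 eduroam2 CSCOacs_Failed_Attempts 850930 2 1 NetworkDeviceName=Faraday London, ServiceSelectionMatchedRule=eduroam user from off campus, Response={RadiusPacketType=AccessReject; Reply-Message=No response for user3@example.edu, Reject from eduroam-US.; }
"""

# Identity as it appears in the Reply-Message, up to the separating comma.
REJECT = re.compile(r"Reply-Message=No response for (?P<ident>[^\s;,]+),")
# A realm made only of DNS-style labels (letters, digits, hyphen) joined by dots.
VALID_REALM = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def summarise_rejects(log_text):
    """Count 'No response' rejects per realm and flag realms with stray characters."""
    summary = defaultdict(lambda: {"rejects": 0, "stray_chars": False})
    for line in log_text.splitlines():
        if "CSCOacs_Failed_Attempts" not in line:
            continue
        match = REJECT.search(line)
        if not match:
            continue
        # Everything after the last '@' is treated as the realm, exactly as logged.
        realm = match.group("ident").rpartition("@")[2]
        # Group under the realm without trailing backslashes so variants line up.
        key = realm.rstrip("\\").lower()
        summary[key]["rejects"] += 1
        if not VALID_REALM.match(realm):
            summary[key]["stray_chars"] = True
    return dict(summary)


if __name__ == "__main__":
    for realm, info in sorted(summarise_rejects(SAMPLE_LOG).items()):
        print(realm, info)
```

A realm where every reject is flagged while other realms authenticate normally points the investigation at how that one realm string is being logged, filtered or forwarded.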






RE: [WIRELESS-LAN] Cisco Code Version

2017-08-09 Thread Stobbs, Darren
Hi Britton,


I’m aware of a couple of bugs on the 1810W if you’re trying to use 
RLAN/Flexconnect to drop the traffic out to a locally switched VLAN (local to 
where the access point is).

The workaround for this is to tunnel the wired traffic to the controller for 
central switching, which seems to be the method used by most admins anyway.

If you are trying to do the former scenario, those bugs prevent it and it is 
fixed as an enhancement in 8.5+

I don’t think there is a workaround for the bug you mentioned, other than going 
to 8.3 or instructing users not to extend the wired interfaces with a 
hub/switch.


Darren.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
Sent: 08 August 2017 21:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Code Version

Anybody else running 1810Ws on 8.2 running into the multiple devices per port 
bug?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux78581

We are deploying 8540's now running 8.2.160 with 1810s in a dorm hall that we 
are refreshing and we were doing some testing this morning and ran into this 
issue. First device recognized would get an IP address, but the second device 
doesn't get an IP and the DHCP renewal on the first device would then fail. ARP 
entries actually time out for the first learned device from the router upstream 
so the AP completely locks up and stops forwarding packets from those 
interfaces. Wireless still seems to function though.

With all of the discussion we've had on this list so far, I'm reluctant to move 
up to 8.3 or 8.4 this close to semester start (2 weeks away) at this point with 
all of our other testing going quite well on 8.2.160 for our roll out, and I 
would rather not run mixed code versions. Anyone have any experience with this 
bug in the wild, and how did you solve it?

Thanks,
Britton





RE: Cisco 1810W subtleties

2017-02-16 Thread Stobbs, Darren
We have also been testing these.

We found that our switches would not pass traffic from the access point when 
the switch port hosting the 1810W access point was configured in trunk mode.

We have implemented ‘vlan dot1q tag native’ on our switches and we found out 
that the 1810W was sending all traffic untagged, even when VLAN tagging is 
enabled in the GUI – and therefore traffic was being dropped at the switch.

You’re OK if you don’t use ‘vlan dot1q tag native’, but we use it everywhere 
for increased security, so removing that is not an option for us.

We found out that this is due to a bug - CSCva41204: Tagged Management VLAN 
Option Broken for 1800/3800 - that is peculiar to the COS-AP access points.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva41204


I’ve been told this is going to be fixed in an upcoming version of code.


Darren Stobbs
University of Warwick


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@listserv.educause.edu] On Behalf Of Hector J Rios
Sent: 15 February 2017 21:40
To: WIRELESS-LAN@listserv.educause.edu
Subject: [WIRELESS-LAN] Cisco 1810W subtleties

If you are planning to buy the Cisco 1810W and you are planning to use the 
built-in switchports, I highly advise you to look at the deployment guide and 
learn about the subtleties of enabling local switching. Don’t expect this 
AP to work just like the Cisco 702W. Cisco managed to make its configuration a 
little more “fun”.

Basically, in order to enable local switching, you have to configure the AP for 
FlexConnect. AND you also have to configure a WLAN and AP groups to make 
sure your switchports map to the right VLANs. Yeah, it’s like that. Have fun.

Bug ID: CSCva56348
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva56348/?reffering_site=dumpcr

Deployment Guide
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_AIR_AP_1810_Wall_Plate_Deployment_Guides.html


(It’s not as bad as I make it sound; it is just frustrating that there is no 
consistency)

Hector Rios
Louisiana State University