RE: Cisco 8540 Code Recommendation, Based on Stability?

[Tariq Adnan]

Just checking if there is any consensus on a stable code in 8.10 train?

Cisco is 
recommending
 both 8.10.151 and 8.10.162, has anyone tried the latter (.162) and how stable 
it is?

[cid:image001.png@01D7AF32.A192B150]


We have 2 pairs of 8540s; one will remain on 8.5 because of 3600 APs, other 
will need to be upgraded (currently running 8.10.121.7).

Thanks,

-
Cheers,

Kind regards,
Tariq

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Thursday, 3 June 2021 12:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 8540 Code Recommendation, Based on Stability?

Hi all,

After a tumultuous series of code versions, awhile back we settled on 8.5.151.0 
and hung on to it like grim death because it was very, very reliable.

Given that 8.5 code goes end-of-support at end of 2021, combined with latest 
rounds of announced vulnerabilities, I’m looking for recommendations in the 
8.10 train based on wanting stability above all. We have 3800s and 3700s 
currently, likely to stay that way through the next academic year.

Has anyone found an 8.10. code version for the 8540 that supports the 3700 and 
3800 while providing good daily stability?

Thanks,


Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: ISE Dynamic VLAN redirect with single eduroam WLAN

[Tariq Adnan]

Hi Sean,

Here is how we have implemented this same setup:

There are 3 scenarios:

  *   eduroam-local: our student/staff accessing eduroam within campus, they 
are authenticated against our radius/AD and then depending upon which group 
they belong to (member_of_student or member_of_staff), radius returns 
VLAN/Interface/Interface Group (student interface group or staff interface 
group) to WLC. If a person is both student and staff, he/she is given staff 
status.
  *   eduroam-inbound: our student/staff accessing eduroam in other 
institutions; our radius receives the auth request via ISP (here in Australia 
it is AARNET).
  *   eduroam-outbound: Affiliates from other institutions accessing eduroam 
within our campus; the auth request is sent to ISP which takes it to his/her 
parent institution. Upon successful authentication, radius returns 
VLAN/Interface/Interface Group (guest interface group) to WLC.



Controller:
-create student, staff and guest interfaces. Group the interfaces into 
interface group. One IG can have up to 64 interfaces.
-point the eduroam SSiD to your radius server (ISE here)

Radius server:

  *   create 3 policies or services (we are using Aruba clearpass so we use 
services)
 *   1st service/policy: eduroam-local: all conditions need to be met
*   username contains "@our institution domain"
*   is connecting to eduroam
*   request is coming from our controllers

*   then authenticate against our AD
*   return student or staff interface group to WLC

 *   2nd service/policy: eduroam-inbound: all conditions need to be met
*   Request is coming from ISP (proxy servers)

*   Then just do authentication

 *   3rd service/policy: eduroam-outbound: all conditions need to be met

*   Username contains institutions other than ours
*   Is connecting to eduroam

*   Then send auth request to ISP and upon successful auth, return 
guest interface group from radius to WLC.

Let me know if you need any further details.

-
Cheers,

Kind regards,
Tariq

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Gray, Sean
Sent: Thursday, 8 July 2021 2:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Hi Everyone,

We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into 
a single WLAN (eduroam). Behind the scenes we still need to authenticate and 
route clients to their respective network segment. So to achieve this we need 
to implement dynamic vlan redirects behind the scenes.

Eduroam users from other institutions will be sent out to eduroam to be handled 
appropriately

Authentication will be handled by ISE cluster, running 2.6.0.156
WLC - 5520 (pair) running 8.8.130.0

The process, from a high level should look something like this

  *   Staff/faculty will connect to our new single WLAN, namely Eduroam
  *   They will be caught by the appropriate policy and authenticated against 
AD, validating that they are staff/faculty
  *   Now they will be redirected to the appropriate VLAN


  *   Student will follow the same process, but will be validated that they are 
a student, and redirected to a different VLAN


  *   All others (externals) will be sent to an external RADIUS server for auth 
and then redirected to yet another different VLAN.

Currently unique policies exist for each of these processes, without the added 
complexities of the VLAN redirect. So my mission is to combine these, filtering 
each client to their auth point, and then upon receiving the authorization, 
assign the appropriate vlan tag, for IP assignment, prior to them getting 
on-net.

I've been unable to find any meaningful documentation around how to handle 
internal vs external radius redirection in this scenario.

So has anyone done this, and are they able to share their process, inclusive of 
vlan redirect?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11

[Tariq Adnan]

FYI

https://therecord.media/wifi-devices-going-back-to-1997-vulnerable-to-new-frag-attacks/

Cisco's response:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu


-
Cheers,

Kind regards,
Tariq


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Macbook zoom wireless dropout issues

[Tariq Adnan]

Hello everyone,

Just checking if you have recently come across any macbook zoom wireless 
dropout (and frozen screen) issues and have taken any step to resolve it.

So I have come across a Macbook running Catalina 10.15.7 reporting zoom 
dropouts from time to time.

The AP is 3700 and the controller model is 8540 running code 8.5.161.6. The 
session time out on the SSiD is set to 24 hours. The QOS is default "silver".

I was running debug on WLC (debug client mac) and AP and there is no helpful 
log generated at the time of issue. The utilization for both radios on the AP 
is close to 1% (not busy) and the noise and interference reported by AP is not 
unusual. The switchport have no errors etc.

I have searched this forum and few people have reported that the mac's were 
having issues with specific 5G channels. Some suggested to change few things on 
the mac (turn off unlock with apple watch) etc.

So if you have recently dealt with something similar, can you please share your 
thoughts and if you have resolved the issue, how did you do that (code upgrade 
etc.)?

Few things I can try:
-Set Qos profile to platinum
-Disable Aironet IE
-Configure Idle timeout on the ssid (less than session timeout) : currently it 
is default 5 minutes
-Disable 11ac MU-MIMO on ssid
-upgrade macos to Big Sur

Thanks,
Tariq



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Transitioning from older controller to new controller

[Tariq Adnan]

Please add me as well.

Thanks,

-
Cheers,

Kind regards,
Tariq Adnan
tariq.ad...@sydney.edu.au

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Usher
Sent: Thursday, 12 November 2020 7:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning from older controller to new 
controller

I took a list of names a few weeks ago, but then I went dark when work got 
busy.  My apologies for the silence.

I'm reaching out to Mike Atkins to see if we can get everyone together on a 
single session.  I envisioned more of a "panel discussion" than a formal 
presentation -- but I've sure got my list of "gotchas" to share, so I'm sure it 
will be useful.

Looking forward to sharing experiences with others.

Michael Usher



On Wed, Nov 11, 2020 at 12:48 PM Matthew Craig 
mailto:matcr...@nmsu.edu>> wrote:
I am intersted as well.




-
Matt Craig
Network Engineer
Information and Communication Technologies
New Mexico State University









On Nov 11, 2020, at 1:25 PM, Mike Atkins 
mailto:matk...@nd.edu>> wrote:

WARNING: This email originated external to the NMSU email system. Do not click 
on links or open attachments unless you are sure the content is safe.
You are not late at all.  I certainly am.  I have 8-9 e-mails for interest.  
I'll send out a quick survey to collect information from those that responded.  
I will send it to the list again to pickup others that might be interested.


On Wed, Nov 11, 2020 at 3:17 PM Michael Heflin 
<02002057e293-dmarc-requ...@listserv.educause.edu<mailto:02002057e293-dmarc-requ...@listserv.educause.edu>>
 wrote:
Little late but would be interested in this as we are moving from 8540's to 
9800's

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/ja8GC1WLPxcNVYJmcGS8bR?domain=nam01.safelinks.protection.outlook.com>


--




Mike Atkins
Infrastructure Architect
Office of Information Technology
University of Notre Dame





**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/ES8sC2xMQzizMw5GhBsDja?domain=nam01.safelinks.protection.outlook.com>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/hUI5CZY1Nqi9JNKRizbmIR?domain=educause.edu>


--
Michael Usher
Interim Network Operations Manager
Senior Wireless Network Engineer
University of California, Santa Cruz
mus...@ucsc.edu<mailto:mus...@ucsc.edu>831-459-3697

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/hUI5CZY1Nqi9JNKRizbmIR?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: MacOS Disconnections on Cisco Controllers

[Tariq Adnan]

Few months back we came across an issue, not sure how relevant it is.

My iPhone (and colleague's MacBook) would be fine for 5 minutes and then it 
would lose connectivity to internet. The workaround would be to reconnect the 
device or renew the IP address and then it would work for 5 minutes and then 
stop working again and the cycle would repeat.

To troubleshoot it, I started continuous pings from the phone to 8.8.8.8, AP 
saw the traffic, WLC had ARP entry for my phone, the gateway (Juniper switch) 
had Arp entry for the first 5 minutes of the fresh connection and then all of 
sudden it removed the entry although my phone was constantly sending traffic 
and was not idle.

Since the issue started after the reboot of one Juniper device in the pair (the 
traffic going through another device was fine, the traffic is load balanced 
across the pair), we had to restart that device and that fixed the issue.

Jordan: you could reproduce this issue on both 8.5 codes?

Thanks,
-
Cheers,
Tariq

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Cox, Jordan D
Sent: Tuesday, 27 October 2020 2:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MacOS Disconnections on Cisco Controllers

Good morning,

We have been working with Cisco TAC to troubleshoot an issue where our MacOS 
clients will randomly lose connectivity to the default gateway (and thus 
internet etc.). The wireless will stay connected in the run state, but the Mac 
will send out repeated ARP requests for the default gateway during the outages. 
The outages last between 20 seconds to 5 minutes and is resolved once the 
client gets an ARP response from the gateway.

We have packet captures showing ARP requests going through the CAPWAP tunnel to 
the controller but NOT leaving the controller to the gateway during the 
outages. TAC has acknowledged the problem is on the controller, and I'm waiting 
to hear back from them.

I'm wondering if anyone else has seen similar issues?

More details:

  *   WLC is two 5508 in HA configuration
  *   WLC was running 8.5.161.0 and we upgraded to 8.5.161.7 to troubleshoot
  *   250 APs are running in local mode (the issue does not happen when testing 
in Flexconnect mode with local switching)
  *   Default gateway is a Palo Alto firewall
  *   The MacOS client sends an ARP broadcast to find the gateway every 20 
minutes but the outage doesn't happen every 20 minutes
  *   It seems like the issue appears during high utilization on the controller 
since I didn't see any issues when testing over a campus break when many 
students were gone
  *   I've seen the issue on multiple SSID's including a test SSID which only 
had my clients on it
  *   Client debug on the controller shows no issues
  *   This doesn't seem to affect Windows machines

Thank you!

[cid:image001.png@01CE70F7.648A6EB0]
Jordan Cox
Network Admin II, Information Technology
P: 651-882-3995
jdc...@unwsp.edu  |   
www.unwsp.edu

Equipping Christ-centered learners and leaders
to invest in others and impact the world.



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] Mac wireless issue

[Tariq Adnan]

Hi Anthony,

What code you are running on your WLC? Is the issue specific to particular 
model of APs.
We have not come across any such issue - perhaps there are not many people on 
the campus.

Thanks,

-
Cheers,

Kind regards,
Tariq Adnan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Anthony Croome
Sent: Thursday, 15 October 2020 9:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mac wireless issue

Sharing a summary of macbook suggestions seen on the internet for poor 
performance, stuck on 2.4GHz, zoom, etc:

- delete the wifi network on macbook, add a new location and assign it the wifi 
network
- disable "Use your Apple Watch to unlock apps and your Mac"
- delete the wifi service and re-add (ie "delete the selected service")
- check/fix country code on macbook wifi interface
- doing an SMC, PRAM, and NVRAM reset
- upgrading or downgrading the firmware on the wifi card
- uninstalling/reinstalling Zoom (for zoom specific issues)

I am still waiting on feedback from affected users whether any item in the list 
made things better.  Maybe the next Cisco WLC 8540 code upgrade will help.

Anthony
QUT


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Anthony Croome
Sent: Friday, 9 October 2020 11:07 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Mac wireless issue

We also have plenty of apple laptop users complaining about wifi performance.  
We have at least one macbook user who seems not to be able to connect to 
u-nii-1 channels and falls back to 2.4GHz.  One suggestion I read today was to 
'turn off unlock with Apple Watch and reboot'.

Anthony


From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jeffrey D. Sessler 
mailto:j...@scrippscollege.edu>>
Sent: Thursday, 8 October 2020 9:45 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Mac wireless issue


What channels are the impacted AP's running on?



A few weeks ago I had a similar issue (Cisco wireless), My Mac laptop would 
attach to our WPA2 network no problem - auth was successful (5 GHz), but would 
never get an IP. If I walked the Mac laptop (running Catalina) into rage of 
another AP (also 5GHz), it worked perfectly. Same switch, same AP type, with 
the only difference being the channel the AP was on. I could replicate this in 
another area, where a user reported a similar issue.   I don't have my notes in 
front of me, but I believe the problematic AP's were on unni-3 channels, and 
the ones that were OK, were not.  With COVID, students remote, and work from 
home, I've not had time to go back in to the campus and really drill into it.



There had been no reported problems when our campus closed in March, and no 
changes to our wireless deployment since that date.



Jeff







From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Barros, Jacob
Sent: Tuesday, October 06, 2020 12:25 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Mac wireless issue



We are seeing oddities with macbooks as well. Our experience is similar both in 
scope and behavior, however, I am a Ruckus customer.  Any Cisco or Meraki users 
with the same issue?







[https://lh6.googleusercontent.com/ne_lTqgFJdoXUoU7gASzv0xOtDuEXE2aaf5NZNvmQ2e_NgyV_DSK_fBjBsHc5NeluIdDut6CDq9B7cQn3WHBZgFO5U9IyPePBYnuLPQ27XRP9oq2Snrkz_l8X0iU-z242JWJVv4Z]<https://protect-au.mimecast.com/s/TTu8CWLVXkURwRy7sxmwxR?domain=urldefense.com>

Jacob Barros

Associate Director of IT, Network and Operations /

Information Security Officer | Office of Information Technology

E: barro...@grace.edu<mailto:barro...@grace.edu> | W: 574.372.5100 ext. 6178

[https://lh5.googleusercontent.com/7qgaEy3R8t0pg6-FqBft4irBB3Tn07-iqWUmhV6zOMpEbI5uO8cZ-QGJaLvBqImKUw5TiHuVJNKO7jpbZJvnqIDHN1iXBMJRLUHfWS2DWYy_oyi4x1cp3kP8s3fz-xsskqXr4Ram]<https://protect-au.mimecast.com/s/TTu8CWLVXkURwRy7sxmwxR?domain=urldefense.com>









On Tue, Oct 6, 2020 at 3:04 PM Stacey Frye 
mailto:sfry...@manhattan.edu>> wrote:

Greetings,



We are seeing a weird issue on our campus and hoping some of you may give us 
some ideas to check on.



Background: We are using Aruba wireless controllers/APs (sadly, no airwave). 
All buildings are using the same VLAN ID for the wireless subnet, but each 
building has their own subnet for wireless. All APs are configured in the same 
AP-group. We have an open wireless network and not using any NAT (public IPs 
are being given out). IPv4 only.



A lot of our Mac users, though not all

RE: [WIRELESS-LAN] Android 11 and WPA-Enterprise

[Tariq Adnan]

Hi Tim,

How about choosing “use system certificate”, provided the CA cert is a valid 
public cert (QuoVadis CA) and in default certificate store of Android?

Thanks,



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Fishel Erps
Sent: Wednesday, 23 September 2020 5:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Tim,

Thank you.  This was extremely helpful.


__
__


Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts

136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___




On Sep 22, 2020, at 15:13, Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:

Fishel - as an aside, if the configuration guidance to users has been to ignore 
the EAP server identity or configure their devices to not validate it and the 
credential used for Wi-Fi is their primary password, I highly recommend you 
issue an organization-wide password reset as all of those credentials may have 
been compromised.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Felix Windt 
mailto:felix.wi...@dartmouth.edu>>
Sent: Tuesday, September 22, 2020 15:10
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise


https://www.eduroam.org/configuration-assistant-tool-cat/



thx,

felix



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Patrick Mauretti 
mailto:pmaure...@massasoit.mass.edu>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 22, 2020 at 3:02 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise



Okay I’ll bite.  What’s the CAT tool you mentioned?  Link?



-Patrick





From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Floyd, Brad
Sent: Tuesday, September 22, 2020 3:00 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise



CAUTION: This email originated from outside of Massasoit. Do not click links or 
open attachments unless you recognize the sender and know the content is safe.



Fishel,

We have run into this on some versions of Android OS and the solution that 
works for us is to import our CA’s root certificate into the device. Once we 
import the root certificate and select it during the profile setup, the 
connection is established.

Thanks,

Brad



From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fishel Erps
Sent: Tuesday, September 22, 2020 12:10 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise



Tim,



We use:



EAP Method = PEAP

Phase 2 = MSCHAPv2

CA Certificate = Unspecified

Identity = [username]

Password = [password]



The credentials trigger the return of a filter-ID from the RADIUS server to the 
controller, which the controller then uses to put the user into a VLAN.



Some android devices that are running version 11 no-longer have an option of 
“unspecified” under CA Certificate, and none of the other choices seem to work.







__
__


Fishel Erps,

Sr. Network & Infrastructure Engineer

School of Visual Arts

136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416

E:  fe...@sva.edu
___

Please excuse any typographical

errors as this e-mail has been sent

from my mobile device

___





On Sep 22, 2020, at 12:04, Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:

Can you please provide some basic details?

  *   What exactly is "broken"?
  *   Which EAP method?
  *   Which credential type?
  *   How is/was the supplicant provisioned?
  *   Are only new devices affected or just upgraded devices?



From: The EDUCAUSE Wireless Issues Community Group Listserv 

RE: Cisco 3800 AP code 8.10 wireless disconnections/drops

[Tariq Adnan]

Thanks Gertjan for sharing this information.
I am going to look into this bug and let the TAC take notice as well.


-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

THE UNIVERSITY OF SYDNEY
316 Abercrombie Street, (G17) | The University of Sydney | NSW | 2006
T +61 2 8627 7885 |  M +61 478 492 080
E tariq.ad...@sydney.edu.au<mailto:nadia.berto...@sydney.edu.au>  |  W 
http://sydney.edu.au<http://sydney.edu.au/>

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Gertjan Scharloo
Sent: Friday, 24 July 2020 6:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 3800 AP code 8.10 wireless 
disconnections/drops
Importance: High

Hi ,

Please aware about bug : 
CSCvu61194<https://tools.cisco.com/bugsearch/bug/CSCvu61194> : AP 2800/3800 
sends burst of RTS and BAR randomly leading to low client data rates

Symptom:
During normal operation, randomly we see bunch of RTS/BAR packets being sent 
from the AP to the client. This leads to lower data rates or packet drops in 
the network.

Customers might also see quality degradation issues with 
Webex/Skype/MicrosoftTeams audio/video

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc10
Bug is fixed in 8.5.161.6 -> The CCO 8.10 releases, up through 8.10.122.0 is 
also effecting.  Issue is fixed in 8.10MR2 Escalation code

Regards,

ICT Services
Netwerkbeheer - draadloos

Gertjan Scharloo
ICT consultant
_

Universiteit van Amsterdam | Hogeschool van Amsterdam

Leeuwenburg | kamer A10.20
Weesperzijde 190 | 1097 DZ Amsterdam
Tel: +31(0)20 525 4885
Mobiel: +31(0) 61013-5880
www.uva.nl<http://www.uva.nl/>
uva.nl/profile/g.scharloo
https://time.is/nl/CET
 Je kunt mij ook bereiken via Skype for Business 
[cid:image001.png@01D37B11.F4E316A0]

Van: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
Namens Tariq Adnan
Verzonden: Friday, July 24, 2020 4:18 AM
Aan: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Onderwerp: [WIRELESS-LAN] Cisco 3800 AP code 8.10 wireless disconnections/drops

Hello everyone,

Just checking if anyone else is experiencing the wireless disconnection issues 
like us.

So far we have received complaints from multiple sites where we have deployed 
3800 model AP on 8.10.121.0. The 3800 on a different controller running code 
8.5.161.4 seems to have no issue so far.

The drop outs are very random and sometime would happen in the middle of a zoom 
meeting - very frustrating for students during lecture.

I have raised a TAC case and we couldn't reproduce the issue during 1.5 hours 
troubleshooting session.

I am suspecting below bug but unless we recreate the issue and take some logs, 
Cisco won't recommend any workaround or code upgrade:
CSCvt22353<https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fprotect-au.mimecast.com%2Fs%2Fv4EjCL7EwMf43ozMc11Fat%3Fdomain%3Dtools.cisco.com=02%7C01%7Cg.scharloo%40UVA.NL%7C75f61532a6344f78b6bc08d82f77cca8%7Ca0f1cacd618c4403b94576fb3d6874e5%7C1%7C0%7C637311538874423741=eOsW%2BbAAv45rHAp5bNOcm5agsWHe3u2%2BSW2D5v1NHVE%3D=0>
 2800/3800/4800/1560 APs not sending DHCP messages over the air
>From bug details:
"From AP debugs and OTA captures, we can see some traffic exchange, but at some 
point AP stops transmitting data frames over the air (could be DHCP, or ICMP, 
or other data traffic), affecting all clients connected at that time."
Thanks,
-
Cheers,

Kind regards,


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Cg.scharloo%40UVA.NL%7C75f61532a6344f78b6bc08d82f77cca8%7Ca0f1cacd618c4403b94576fb3d6874e5%7C1%7C0%7C637311538874433734=mTatkIxEAJsyMge%2FMLsJeFYnNuftvkPy42C05YmgOeU%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Cisco 3800 AP code 8.10 wireless disconnections/drops

[Tariq Adnan]

Thanks Hector,

We wanted to move to 8.10.122.0 but then were told to wait for 8.10MR3 which 
will have fix for below bug. I am not sure if 8.10MR3 is still under testing:
CSCvq90572<https://protect-au.mimecast.com/s/qmcVCK1DvKTm1ARxIniadB?domain=tools.cisco.com>
 Receive throughput degrades for 2800/3800/4800/1560 - AP fails to send block 
ACKs

-
Cheers,

Kind regards,
Tariq Adnan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rios, Hector J
Sent: Saturday, 25 July 2020 2:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 3800 AP code 8.10 wireless 
disconnections/drops

8.10.121.0 is a deferred code. There are two major bugs you should be aware of:

CSCvt47413   IW-6300H/1562/2800/3800/4800 series APs are failing DFS 
compliance
CSCvt98797   Channel Availability Check (CAC) is skipped after channel 
change on 2800/3800/4800/1560/IW6300

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tariq Adnan
Sent: Thursday, July 23, 2020 9:18 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Cisco 3800 AP code 8.10 wireless disconnections/drops

Hello everyone,

Just checking if anyone else is experiencing the wireless disconnection issues 
like us.

So far we have received complaints from multiple sites where we have deployed 
3800 model AP on 8.10.121.0. The 3800 on a different controller running code 
8.5.161.4 seems to have no issue so far.

The drop outs are very random and sometime would happen in the middle of a zoom 
meeting - very frustrating for students during lecture.

I have raised a TAC case and we couldn't reproduce the issue during 1.5 hours 
troubleshooting session.

I am suspecting below bug but unless we recreate the issue and take some logs, 
Cisco won't recommend any workaround or code upgrade:
CSCvt22353<https://protect-au.mimecast.com/s/oqS6CQnMBZfxK7kPuxNg0G?domain=tools.cisco.com>
 2800/3800/4800/1560 APs not sending DHCP messages over the air
>From bug details:
"From AP debugs and OTA captures, we can see some traffic exchange, but at some 
point AP stops transmitting data frames over the air (could be DHCP, or ICMP, 
or other data traffic), affecting all clients connected at that time."
Thanks,
-
Cheers,

Kind regards,


This message is from an external sender. Learn more about why this 
matters.<https://protect-au.mimecast.com/s/UUg1CROND2uVpNvWHNoPIf?domain=ut.service-now.com>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/2JjXCVARKgCvEMxyCyqC9F?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/2JjXCVARKgCvEMxyCyqC9F?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Cisco 3800 AP code 8.10 wireless disconnections/drops

[Tariq Adnan]

Hello everyone,

Just checking if anyone else is experiencing the wireless disconnection issues 
like us.

So far we have received complaints from multiple sites where we have deployed 
3800 model AP on 8.10.121.0. The 3800 on a different controller running code 
8.5.161.4 seems to have no issue so far.

The drop outs are very random and sometime would happen in the middle of a zoom 
meeting - very frustrating for students during lecture.

I have raised a TAC case and we couldn't reproduce the issue during 1.5 hours 
troubleshooting session.

I am suspecting below bug but unless we recreate the issue and take some logs, 
Cisco won't recommend any workaround or code upgrade:
CSCvt22353
 2800/3800/4800/1560 APs not sending DHCP messages over the air
>From bug details:
"From AP debugs and OTA captures, we can see some traffic exchange, but at some 
point AP stops transmitting data frames over the air (could be DHCP, or ICMP, 
or other data traffic), affecting all clients connected at that time."
Thanks,
-
Cheers,

Kind regards,


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Cisco WLC Stable code in 8.5 train

[Tariq Adnan]

Hi Hector,

No release date as of yet. Cisco is testing this new code.


-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rios, Hector J
Sent: Wednesday, 1 July 2020 3:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

Did TAC mention when they will release 8.10MR3?

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tariq Adnan
Sent: Tuesday, June 30, 2020 7:56 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

Hi Gertjan,

A tac engineer today confirmed with BU that the fix is not even in 8.5.161.5.

I was told to wait for 8.10mr3 which supposedly has a fix for this bug. We 
can’t go above 8.5 because of presence of old Aps (3500, 3600) so we are stuck 
.

We have another pair of 8540 and I plan to upgrade it to 8.10mr3 and then 
migrate all 3800’s to it. Hopefully that will fix the issue for us.

-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Scharloo, Gertjan
Sent: Friday, 26 June 2020 10:47 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

Hi all,

We have some serious issues with 8.5.161.x . We are now trying 8.5.161.5 )

Zoom / Team / Skype4Business customers are complaining . We see Drops on our 
Access-switch (port) <-> Access-Points 2802

packet drops could be explained by CSCvq90572 Receive throughput degrades for 
2800/3800/4800/1560 - AP fails to send block ACKs



I think this bug is not solved yet and is present in all version of 8.5.16x



8.5.161.5



…..

CSCvq99108 Cisco 3700 AP series reloads unexpectedly due to reason 44



8.5.161.4

…..

CSCvp69474 Access point reloads unexpectedly generating capwapd core dumps

CSCvq90572 Receive throughput degrades for 2800/3800/4800/1560 - AP fails to 
send block ACKs

CSCvo33808 Cisco 2802,3802,4800,1562 AP reloads unexpectedly with radio 
firmware crash

CSCvp06909 DOT11-2-RADIO_FAILED, Not Beaconing for too long, 
get_vap_mcast_q_len: invalid interface

CSCvt53819 CPU increases to 90+% with hight volume traffic.

CSCvo10708 Cisco 2800, 3800 APs exhibit choppiness with the Vocera client 
during the multicast voice call

CSCvp54103 IOS APs reloads unexpectedly with 'Unexpected exception to CPU' in 
logs

CSCvq76143 Cisco 2800 AP reloads unexpectedly on Sxpd process

CSCvs38511 5508 silent crash

CSCvs41893 3702 AP running 8.5.151.0 release software reloads unexpectedly
….

Etc etc…


ICT Services
Netwerkbeheer – draadloos

Gertjan Scharloo
ICT consultant
_

Universiteit van Amsterdam | Hogeschool van Amsterdam

Leeuwenburg | kamer A10.20
Weesperzijde 190 | 1097 DZ Amsterdam
Tel: +31(0)20 525 4885
Mobiel: +31(0) 61013-5880
www.uva.nl<https://protect-au.mimecast.com/s/vzS-C4QOPEi3ZjgXfOQBFr?domain=uva.nl/>
uva.nl/profile/g.scharloo
https://time.is/nl/CET<https://protect-au.mimecast.com/s/04XJC5QPXJi4ynEBsOX8Xc?domain=time.is>
 Je kunt mij ook bereiken via Skype for Business 
[cid:image001.png@01D64FC0.911B5110]

at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/o5VsC71R2NTorPlDiNVjGN?domain=eur04.safelinks.protection.outlook.com>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/2vWdC6XQ4Lf8R3z5tmo0GY?domain=educause.edu>

This message is from an external sender. Learn more about why this 
matters.<https://protect-au.mimecast.com/s/k-XuC81V0PTLmJ1oIovhtj?domain=ut.service-now.com>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/2vWdC6XQ4Lf8R3z5tmo0GY?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 

RE: Cisco WLC Stable code in 8.5 train

[Tariq Adnan]

Hi Gertjan,

A tac engineer today confirmed with BU that the fix is not even in 8.5.161.5.

I was told to wait for 8.10mr3 which supposedly has a fix for this bug. We 
can’t go above 8.5 because of presence of old Aps (3500, 3600) so we are stuck 
.

We have another pair of 8540 and I plan to upgrade it to 8.10mr3 and then 
migrate all 3800’s to it. Hopefully that will fix the issue for us.

-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Scharloo, Gertjan
Sent: Friday, 26 June 2020 10:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

Hi all,

We have some serious issues with 8.5.161.x . We are now trying 8.5.161.5 )

Zoom / Team / Skype4Business customers are complaining . We see Drops on our 
Access-switch (port) <-> Access-Points 2802

packet drops could be explained by CSCvq90572 Receive throughput degrades for 
2800/3800/4800/1560 - AP fails to send block ACKs



I think this bug is not solved yet and is present in all version of 8.5.16x



8.5.161.5



…..

CSCvq99108 Cisco 3700 AP series reloads unexpectedly due to reason 44



8.5.161.4

…..

CSCvp69474 Access point reloads unexpectedly generating capwapd core dumps

CSCvq90572 Receive throughput degrades for 2800/3800/4800/1560 - AP fails to 
send block ACKs

CSCvo33808 Cisco 2802,3802,4800,1562 AP reloads unexpectedly with radio 
firmware crash

CSCvp06909 DOT11-2-RADIO_FAILED, Not Beaconing for too long, 
get_vap_mcast_q_len: invalid interface

CSCvt53819 CPU increases to 90+% with hight volume traffic.

CSCvo10708 Cisco 2800, 3800 APs exhibit choppiness with the Vocera client 
during the multicast voice call

CSCvp54103 IOS APs reloads unexpectedly with 'Unexpected exception to CPU' in 
logs

CSCvq76143 Cisco 2800 AP reloads unexpectedly on Sxpd process

CSCvs38511 5508 silent crash

CSCvs41893 3702 AP running 8.5.151.0 release software reloads unexpectedly
….

Etc etc…


ICT Services
Netwerkbeheer – draadloos

Gertjan Scharloo
ICT consultant
_

Universiteit van Amsterdam | Hogeschool van Amsterdam

Leeuwenburg | kamer A10.20
Weesperzijde 190 | 1097 DZ Amsterdam
Tel: +31(0)20 525 4885
Mobiel: +31(0) 61013-5880
www.uva.nl<http://www.uva.nl/>
uva.nl/profile/g.scharloo
https://time.is/nl/CET
 Je kunt mij ook bereiken via Skype for Business 
[cid:image001.png@01D64F31.47704460]

at 
https://www.educause.edu/community<https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7Cg.scharloo%40UVA.NL%7Cfe0b5c3d66604a37143a08d819cb0e3f%7Ca0f1cacd618c4403b94576fb3d6874e5%7C1%7C0%7C637287707192316895=gPhsxZQzHuYE%2BmvlnKy6o0hdK%2F8MICwCZivlsFiNmeE%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Cisco WLC Stable code in 8.5 train

[Tariq Adnan]

Hi Jeff,

Do you know the bug ID for the issue you were facing with 8.5.161.0? Just 
checking what were the conditions under which the issue triggered.

Thanks,


-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Kushner, Jeff
Sent: Friday, 26 June 2020 11:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

We had to upgrade to 8.5.161.4 due to issues we experienced with the 8.5.161.0. 
We had a problem where an AP would allow clients to associate but they would 
not pass traffic. The new code, as recommended by TAC appears to have fixed the 
issue, we have been running it for 36 days. But we won’t know for sure until we 
get our normal client levels back with the return of students to campus.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tariq Adnan
Sent: Friday, June 26, 2020 1:30 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

*Message sent from a system outside of UConn.*

Hello everyone,

We are running code 8.5.135.0 on one of our WLC 8540 pair. We can’t go past 8.5 
because of presence of 3500 and 3600 model Aps which are not supported beyond 
code 8.5.

What code you are running in 8.5 train and how satisfied you are with it?

Is anyone running code 8.5.161.0 recommended by Cisco TAC? How stable is it? 
Have you encountered any major issues in your environment?

Has anyone tried 8.5.16.4 (escalation code)?

Thanks in advance for your responses 

-
Cheers,
Tariq

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/EcMHCZY1Nqi2ARWOIjpUG5?domain=nam10.safelinks.protection.outlook.com>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/guhwCYW8NocOmZyGI0pRHL?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: WLC 8.10.121 Deferred

[Tariq Adnan]

Hello Dennis,

You are hitting a bug 
CSCvu24770<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu24770>:


  1.  Some Android 10 devices having issues connecting to wireless network
 *   Some devices from Nokia, Sony and Xiaomi running Android 10 and having 
specific Qualcomm chipsets having issues
 *   The issue is due to a firmware bug in some Qualcomm chipsets.

i. Qaulcomm is fixing 
it per device model with new security patches (Mi10 received it with April 2020 
security 
Patch).<https://community.cisco.com/t5/wireless-and-mobility/issues-connecting-android-10-to-cisco-me/m-p/4096960#M116570>



-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Dennis Xu
Sent: Saturday, 27 June 2020 2:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 8.10.121 Deferred

We have upgraded to 8.10.121.0 for one month. We have seen some devices not 
able to connect. When they run into this issue, we don’t see any association 
requests from the devices. There are something in the beacon which are not 
liked by the devices so they do not want to join. Not a lot of devices 
affected, mainly from Android 10 devices(from MI, Huawei and Nokia vendors).  I 
also have two Windows 10 laptops having similar issue but they were able to 
connect after a wireless driver upgrade. We only have WPA2 checked for WLAN 
security. I opened a TAC case. The only workaround for Android 10 is to set FT 
to enable instead of Adaptive, but I did not accept that as I am afraid it will 
cause bigger problem for other devices. My TAC engineer said Cisco is working 
on a fix for this issue and ETA of the release is in July.

Dennis

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Christina Klam
Sent: Friday, June 26, 2020 12:19 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WLC 8.10.121 Deferred

CAUTION: This email originated from outside of the University of Guelph. Do not 
click links or open attachments unless you recognize the sender and know the 
content is safe. If in doubt, forward suspicious emails to 
ith...@uoguelph.ca<mailto:ith...@uoguelph.ca>

All,

FYI:   I noticed that  "over-the-ds" setting changed when we upgraded from 8.5 
to 8.10.121.0.  There may be other settings that changed as well.


Christina Klam
Network Engineer
Institute for Advanced Study
1 Einstein Dr
Princeton, NJ 08540
(m) +1 609-751-7899
(o) +1 609-734-8154
ck...@ias.edu<mailto:ck...@ias.edu>


From: "Mallon, Jason" mailto:jemal...@ua.edu>>
To: "The EDUCAUSE Wireless Issues Community Group Listserv" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Sent: Friday, June 26, 2020 10:24:20 AM
Subject: Re: [WIRELESS-LAN] WLC 8.10.121 Deferred

Paul,
Are you by any chance running WPA2 + WPA3 Enterprise with both the WPA2 and 
WPA3 boxes checked?  We are currently on 8.10.121 and seeing this issue as well 
primarily with Windows devices.  I have not seen any issues with Macs and 
authentication.


Jason Mallon

Network Engineer III, OIT

The University of Alabama
<https://protect-au.mimecast.com/s/lnN_CROND2uBN0nRt95bgh?domain=ua.edu/>jemal...@ua.edu<mailto:jemal...@ua.edu>



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Paul Smith mailto:psmi...@marian.edu>>
Sent: Friday, June 26, 2020 9:44 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [EXTERNAL] Re: [WIRELESS-LAN] WLC 8.10.121 Deferred

We were running 8.10.121 on our 5520 and began having authentication issues. It 
is weird because radius isn't even seeing the attempts (or weren't logging 
rejections). The behavior persists even using local authentication. Eventually 
we can get the clients to connect, but it takes a number of attempts. It's very 
frustrating.

Cisco had us upgrade to 8.10.122, but the problem still persists. We would roll 
back, but we have 9130's on the campus now and we need 8.10.122 to manage them.

Such a headache right now.

Paul Smith
Network Administrator
Marian University
psmi...@marian.edu<mailto:psmi...@marian.edu>
317.955.6069

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/v0k5CVARKgC9Mk05czoQIY?domain=educause.ed

RE: Cisco WLC Stable code in 8.5 train

[Tariq Adnan]

Thanks Bryn for the reply.

Just curious, did you run the WLAN Poller before upgrade and were there any Aps 
identified having flash corruption issue?


-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

THE UNIVERSITY OF SYDNEY
316 Abercrombie Street, (G17) | The University of Sydney | NSW | 2006
T +61 2 8627 7885 |  M +61 478 492 080
E tariq.ad...@sydney.edu.au<mailto:nadia.berto...@sydney.edu.au>  |  W 
http://sydney.edu.au<http://sydney.edu.au/>

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Bryn Jones
Sent: Friday, 26 June 2020 6:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

We have been running 8.5.161.0 for the last 30 days without incident.

We are in the same situation as you with regards to the 3500/3600 models 
restricting us going any higher.

Regards
]

Bryn

Bryn Jones
IT Technical Lead
University of Leeds (UK)
@home

From: Tariq Adnan<mailto:tariq.ad...@sydney.edu.au>
Sent: 26 June 2020 06:30
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Cisco WLC Stable code in 8.5 train

Hello everyone,

We are running code 8.5.135.0 on one of our WLC 8540 pair. We can’t go past 8.5 
because of presence of 3500 and 3600 model Aps which are not supported beyond 
code 8.5.

What code you are running in 8.5 train and how satisfied you are with it?

Is anyone running code 8.5.161.0 recommended by Cisco TAC? How stable is it? 
Have you encountered any major issues in your environment?

Has anyone tried 8.5.16.4 (escalation code)?

Thanks in advance for your responses 

-
Cheers,
Tariq

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/BZaIC2xMQziOWVxJsnM7_e?domain=educause.edu>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/BZaIC2xMQziOWVxJsnM7_e?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Cisco WLC Stable code in 8.5 train

[Tariq Adnan]

Hello everyone,

We are running code 8.5.135.0 on one of our WLC 8540 pair. We can’t go past 8.5 
because of presence of 3500 and 3600 model Aps which are not supported beyond 
code 8.5.

What code you are running in 8.5 train and how satisfied you are with it?

Is anyone running code 8.5.161.0 recommended by Cisco TAC? How stable is it? 
Have you encountered any major issues in your environment?

Has anyone tried 8.5.16.4 (escalation code)?

Thanks in advance for your responses 

-
Cheers,
Tariq

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: WLC 8.10.121 Deferred

[Tariq Adnan]

I am planning to upgrade one 8540 pair from 8.10.121.0 to 8.10.122.0. It is 
associating 3700, 3800 and 9120 Aps. Though we have not hit this bug (I have 
reloaded the AP and upgraded it) so far but it is better to be on the safer end.


-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

THE UNIVERSITY OF SYDNEY
316 Abercrombie Street, (G17) | The University of Sydney | NSW | 2006
T +61 2 8627 7885 |  M +61 478 492 080
E tariq.ad...@sydney.edu.au<mailto:nadia.berto...@sydney.edu.au>  |  W 
http://sydney.edu.au<http://sydney.edu.au/>

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rios, Hector J
Sent: Tuesday, 23 June 2020 9:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC 8.10.121 Deferred

Not sure if everyone saw the deferral of 8.10.121.0 There is a single bug that 
is fixed on 8.10.122.0 Must be bad enough for Cisco to decide to pull 
8.10.121.0 off the suggested list of releases.

Regards,

Hector Rios, Wireless Network Architect
The University of Texas at Austin


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/tHFXCp81lrtX3XOGHPrGoO?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: WLC interface groups?

[Tariq Adnan]

Hi Eric,

We use Interface groups and they work fine. We have 4 x 8540 WLC's, 6k x APs 
and we see 36K concurrent devices during semester.


  *   Depending upon end user's LDAP role (student or staff), radius server 
(Aruab CP server) returns a interface group to controller
  *   For students, the interface group contains 64 interfaces, each /21 
private subnets (10.x.x.x/21)
  *   For Staff, the interface group contains 32 interfaces, each /20 private 
subnets (10.x.x.x/20)
  *   The interface group failure mode is set to "non-aggressive" - this avoids 
interfaces getting dirty (frequently) and hence clients don't jump from one 
interface to another and normally keeps same IP address (this avoids DHCP 
exhaustion).
  *   We have enabled DHCP proxy on the controller

-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Glinsky, Eric
Sent: Thursday, 29 August 2019 5:36 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC interface groups?

This question is for large universities with WLCs that tunnel traffic through a 
controller. Do you use a single interface (VLAN) for, say, 30k clients, or do 
you use two or more interfaces in an interface group, and why? Do you use DHCP 
proxy? Is there any documentation or generally-accepted rules of thumb on this?

Historically, on all three Cisco 8540 pairs, we had a core interface and an 
interface for res halls, and depending on the AP's location (6k APs) our 
branded SSID would map clients to one interface or the other.

All our wireless clients have public IPs, and we've faced issues running out. 
Throughout the day, we'd see the majority of clients move from the res hall 
network to the core network, and vice versa at night. At one point, we merged 
both the interfaces in an interface group to utilize all IPs at all times. 
However, the way it's currently set up, there are more IPs available in the 
core interface than in the res hall interface.

We are considering these options on how to move forward with or without the 
interface group:


  1.  Consolidating down to one interface. More efficient use of IP space, 
clients wouldn't change IPs as often. Could probably increase lease time to 1 
hour, but what about broadcast and ARP traffic for all 30k addresses in the 
VLAN at the router - understanding that client device broadcast traffic doesn't 
leave the controller except DHCP (we do not use DHCP proxy in the controllers).
  2.  Staying with the group of two interfaces and balancing the IP space 
between them. Avoids wasted IPs, depending how intelligent the 8540s are at 
distributing clients between all interfaces in the group.
  3.  Splitting out to more interfaces. We'd cut down on broadcast traffic but 
we'd be liable to have one client taking up three or more addresses between all 
the interfaces for up to the 30-minute lease time we have, and a client would 
change IPs more throughout the day as it re-associates and gets put in a 
different interface.

Interestingly, a consultant we're working with hasn't seen a single customer 
besides us use interface groups.

Eric Glinsky
Network Technician
University of Connecticut
ITS - Network Operations
Temporary Administration Building
25 Gampel Service Drive | Storrs, CT 06269-1138
(860) 486-9199
e...@uconn.edu<mailto:e...@uconn.edu>


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://protect-au.mimecast.com/s/wbhECD1jy9tz8ppvcW8JBh?domain=educause.edu>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Cisco 8540 WLC random reboots

[Tariq Adnan]

Hi Will,

How did you fix the issue? Did you manually uploaded the cert to your 
controller?

We have 8540 in a HA pair and I plan to upgrade to code 8.5.131.0 in near 
future. Have you come across any other issue with this code so far?

Thanks.


-
Cheers,
Tariq

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Will Dawes
Sent: Tuesday, 10 July 2018 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 8540 WLC random reboots

We had this issue very recently when upgrading our 8540s from 8.2.166.0 to 
8.5.131.0 (MR3):

A few days after the upgrade, the Standby 8540s started going through reboot 
loop, because it had an NaServCaCert_p12.pem certificate missing from the 
Active 8540. When the Standby can’t find the certificate on the Active 8540, it 
starts rebooting, until the Standby mercifully goes into Maintenance mode. 
During one of the reboots the certificate is restored on the Standby (I am 
told), but the Active 8540 still needs the NaServCaCert_p12.pem  certificate 
manually uploaded, in order for the HA SSO pair to be restored.

If one took the path of 8.2.x … upgrade to 8.3 (NaServCaCert_p12.pem created 
here?) … THEN upgraded to 8.5.X, you do not encounter the missing 
NaServCaCert_p12.pem certificate and rebooting standby WLC.

HTH,
--
Will Dawes
Wireless Network Engineer
- CWNA (Certified Wireless Network Administrator)
- ECSE  (Ekahau Certified Survey Engineer)
ITS / Network and Engineering Architecture
Louisiana State University
200 Frey Computing Services Center, Baton Rouge, LA  70803
office 225.578.5926
wda...@lsu.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mallon, Jason
Sent: Monday, July 09, 2018 11:44 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 8540 WLC random reboots

We are currently in the process of migrating to 8540s (8.5.120) from 8510s.  
Here recently we started noticing the HA unit on two of the pairs was in 
maintenance mode.  We rebooted the controllers and they seem to have stayed in 
a continuous boot loop.  We restarted one of the controllers to its emergency 
code (8.2.166) and it rebooted correctly without any issues, disabled SSO mode, 
rebooted back into 8.5.120 with no issues.  We enabled SSO again and 
immediately went back to having boot loop issues.  Is anybody else seeing this 
issue?

Jason Mallon
Network Engineer II, OIT
The University of Alabama
jemal...@ua.edu
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Recommendations for wireless site surveyor in Australia

[Tariq Adnan]

Hello everyone,

Could you please recommend someone who could site survey some sites here at 
University of Sydney?

We do perform site surveys ourselves but at times we get too busy with other 
project works hence outsource this work to third parties.

We have worked with several parties in past but were not happy with the quality 
of their work.

At this stage I am preparing RFQ and would like to send to multiple parties and 
then review their responses for grant of works.

Thanks,


-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
THE UNIVERSITY OF SYDNEY


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] Re-authentication times for guest wireless solutions

[Tariq Adnan]

Self-registration: 24 hours (from the time the account is created)
Arranging access via Servicedesk: could be anything depending upon the need 
(duration of conference etc.)


-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

THE UNIVERSITY OF SYDNEY
316 Abercrombie Street, (G17) | The University of Sydney | NSW | 2006
T +61 2 8627 7885 |  M +61 478 492 080
E tariq.ad...@sydney.edu.au<mailto:nadia.berto...@sydney.edu.au>  |  W 
http://sydney.edu.au<http://sydney.edu.au/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Daniel Wurst
Sent: Friday, 11 May 2018 2:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Re-authentication times for guest wireless solutions

Hi all!

This summer we plan to make changes to our guest wireless solution. We plan to 
have users go to a captive portal page on our Aruba controllers. Currently we 
have our re-authentication interval set to 8 hours. We were wondering how often 
other universities are making wireless guests re-authenticate to their networks.

Any feedback is greatly appreciated.

Have a good one!

Dan
--
Daniel Wurst
Network Engineer
Denison University
wur...@denison.edu<mailto:wur...@denison.edu>
740-587-6229

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://protect-au.mimecast.com/s/5ooGCq7BKYt9EOWLuZibZl?domain=educause.edu>.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

multicast enabled on your wireless network?

[Tariq Adnan]

Hello everyone,

Just checking if you guys have multicast enabled on your wireless network and 
if you have come across any performance issues arising after enabling it? Is 
multicast widely used in your network?

I am working on a POC which has requirements that can be fulfilled by either 
enabling multicast or converting few APs to flexconnect mode. I am more in 
favour of later method but again want to know your views.

Thanks,
-
Cheers,

Kind regards,
Tariq Adnan


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: Cisco 3800 Series APs

[Tariq Adnan]

I have deployed few 3800s for testing before rolling them out throughout the 
campus.

Only issue I saw was that they don't support "tkip" so have to only enable 
"AES" as WPA2 encryption. I haven't come across any further issues. I am 
running code 8.2.141.0 on WLCs.

Cheers

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bryan Ward
Sent: Thursday, 6 July 2017 2:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 3800 Series APs

Couldn't find a recent discussion on the list archives, so I'll ask my question.

For those of you that have Cisco 3800 series APs in production, how have they 
been working for you recently?
We currently purchase 3700 series APs as our standard for new installs and 
replacement of our 3500 series APs, but are now considering switching to the 
3800 series.
I heard there were a lot of issues with them at first, but was wondering if 
they're still troublesome now that they've been out in the wild for some time.
Also, does anyone currently have issues using Prime to manage them?

Thanks all,

--
Bryan Ward
Network Engineer
Dartmouth College Network Services
603-646-2245
bryan.w...@dartmouth.edu

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] WLC P2P traffic drop

[Tariq Adnan]

Thanks Bruce and Jeremy,

Looks like blocking P2P is going to block some vital applications. I will think 
about Vlan ACLs (VACLs) rather, and block certain ports (for instance SMB 
TCP/445) and not all traffic.

-
Cheers,

Kind regards,
Tariq Adnan  |  Senior Network Engineer
ICT, Campus Network Services

THE UNIVERSITY OF SYDNEY
316 Abercrombie Street, (G17) | The University of Sydney | NSW | 2006
T +61 2 8627 7885 |  M +61 478 492 080
E tariq.ad...@sydney.edu.au<mailto:nadia.berto...@sydney.edu.au>  |  W 
http://sydney.edu.au<http://sydney.edu.au/>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Mooney
Sent: Thursday, 25 May 2017 4:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC P2P traffic drop

We block broadcast/multicast for other reasons, but don't block P2P between 
wireless clients. Services like Google Hangouts will try to do a direct 
connection when possible (facilitated by the server, so don't need local 
discovery). They'll fallback to via a server if necessary, but there are 
latency and bandwidth considerations when doing so.

One thing to consider is wireless probably means these devices get connected to 
other wireless networks (including open/unknown ones), and really need to be 
configured reasonably hardened to protect themselves. While things like NLA can 
have a different profile for domain, unless there's a specific need it doesn't 
seem reasonable to just say the domain network is wide open (especially on a 
higher-ed network). If the client already needs to have a reasonable security 
posture, how much does the p2p block gain compared to the work/investigation 
involved?


On Tue, May 23, 2017 at 12:54 AM, Tariq Adnan 
<tariq.ad...@sydney.edu.au<mailto:tariq.ad...@sydney.edu.au>> wrote:
Hello everyone,

In regards to recent ransomware attacks, we have been planning to take few 
steps to secure our wireless networks.

I am thinking about dropping P2P traffic for a main WLAN on WLC but I am not 
sure if that could break any application like zoom, remote desktop, 
file-sharing, wireless printers, Apple TV etc.

Can anyone, who have implemented this, shed some light on this topic? Were 
applications similar to mentioned above affected after P2P traffic blocking ?

Thanks,
-
Cheers,
Tariq
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<http://www.educause.edu/discuss>.



--
Jeremy Mooney
ITS - Bethel University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<http://www.educause.edu/discuss>.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] Measuring Class usage with wifi or anything other

[Tariq Adnan]

Hi Lee,

I think my (not so well) description of requirement has caused confusion.

Firstly, I am not after attendance system.

The requirement is to check class usage throughout day. This way if class is 
popular among students, it could be kept open for 24 hours to assist students 
to study in it and not walking all the way to library (which is bit farther 
way). Also if there is some refurbishment works happening in a classroom, we 
could find out what percentage of students could be affected at xyz time. In 
addition, concerned team is interested in who will be using these classrooms 
(usernames, faculty etc. - this could be captured from AD).

For example:
Class room 201 has 20 users at 3pm. The number increased to 35 at 3:15pm etc.


-
Cheers,

Kind regards,
Tariq Adnan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, 1 May 2017 10:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring Class usage with wifi or anything other

There is so much wrong here. Many reasons why using an L1/L2 technology for 
attendance tracking is just not a sound idea.

Lee Badman
Network Architect/Wireless TME
Syracuse University
315.443.3003

-Original Message-
From: Tariq Adnan [tariq.ad...@sydney.edu.au]
Received: Sunday, 30 Apr 2017, 20:58
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: [WIRELESS-LAN] Measuring Class usage with wifi or anything other
Hello everyone,

Just checking if you have come across similar requirements and what did you use 
and how did you report on that.

Requirement: Find out class occupancy

* How many students are in class from time to time

* What are their details (names, usernames, etc.)

* For how long they have been in class (session duration)

* Etc.

I have explored 2 things:

* Prime session reports: but how do you know if the device connected 
was in classroom xyz? I can assume that if device was connected to AP inside 
class, that device is inside class. Though it's not completely right as users 
outside class (sitting in corridor) can connect to the AP. Secondly how do you 
tell where AP is? We don't have room location info in AP name. Though you can 
add location to AP when configuring it in Prime but that location info is not 
recorded in reports. It will be very tedious to change all APs labels and names 
to include room locations for them (currently name looks like 
air-BuildingCode-LeveL-number)

* CMX location analytics and Heatmaps: but this doesn't give me enough 
details about connected devices as session reports from Prime.

I am not sure if there is some other parallel technology that can be used.

Thnaks for your valuable time.


-
Cheers,

Kind regards,
Tariq

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Measuring Class usage with wifi or anything other

[Tariq Adnan]

Hello everyone,

Just checking if you have come across similar requirements and what did you use 
and how did you report on that.

Requirement: Find out class occupancy

* How many students are in class from time to time

* What are their details (names, usernames, etc.)

* For how long they have been in class (session duration)

* Etc.

I have explored 2 things:

* Prime session reports: but how do you know if the device connected 
was in classroom xyz? I can assume that if device was connected to AP inside 
class, that device is inside class. Though it's not completely right as users 
outside class (sitting in corridor) can connect to the AP. Secondly how do you 
tell where AP is? We don't have room location info in AP name. Though you can 
add location to AP when configuring it in Prime but that location info is not 
recorded in reports. It will be very tedious to change all APs labels and names 
to include room locations for them (currently name looks like 
air-BuildingCode-LeveL-number)

* CMX location analytics and Heatmaps: but this doesn't give me enough 
details about connected devices as session reports from Prime.

I am not sure if there is some other parallel technology that can be used.

Thnaks for your valuable time.


-
Cheers,

Kind regards,
Tariq


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: CMX base vs advance license

[Tariq Adnan]

Hello everyone,

I have done investigation and found below information so I will share with you 
just in case someone is after similar information.

Given below are some features I think are relevant to campus environment:

1-presence (#visitors, dwell time etc.) - Base
2-movement behavior (pattern) inside venue - Advanced – any analytics is 
advanced
3-Location (basic, enhanced and hyperlocation) - Base
4-customised portal (guest welcome page, connect via facebook etc.) - Base
5-push notifications (personal engagement via text message, for example send 
text message to user for a deal in a zone where he/she is located) - Base if 
using the Location API,   Advanced if using the Analytics API
6-way finding application support - Base
7-traffic foot print - Advanced as it would use analytics
-Staff management: which stall on open day is flooded with users that need more 
staff
-Less crowded areas in library

Cheers
Tariq

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tariq Adnan
Sent: Tuesday, 8 November 2016 3:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] CMX base vs advance license

Hello Team,

We have recently acquired MSE 3365 and obtained Cisco One license.

Cisco One license comes with base license for CMX and NOT advance license which 
needs to be purchased separately.

I would like to know if anyone of you have CMX with advance license and how 
much value you’re getting out of it. If you’re happy with base license, please 
share your experience as well.

I am bit confused about features support on base vs advance license, like 
presence vs presence analytics, location vs location analytics etc . As per 
cisco documentation:

http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/connected-mobile-experiences/guide-c07-734430.html


●   CMX Base license provides the following services:

◦ Location: The ability to determine the location of Wi-Fi clients, 
Bluetooth low energy (BLE) beacons, devices, and RFID tags. Includes tracking 
devices using FastLocate or Hyperlocation

◦ CMX Connect: Visitor Wi-Fi on boarding platform

◦ Location APIs: Third-party integration using standard REST APIs

●

  CMX Advanced license provides the following services:

◦ Includes all the CMX Base services - Location, Location APIs, CMX Connect

◦ CMX Analytics (I would call Presence & Location Analytics)

◦ Analytics API

◦ CMX Presence Analytics


Thanks for your time.

Tariq



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

CMX base vs advance license

[Tariq Adnan]

Hello Team,

We have recently acquired MSE 3365 and obtained Cisco One license.

Cisco One license comes with base license for CMX and NOT advance license which 
needs to be purchased separately.

I would like to know if anyone of you have CMX with advance license and how 
much value you’re getting out of it. If you’re happy with base license, please 
share your experience as well.

I am bit confused about features support on base vs advance license, like 
presence vs presence analytics, location vs location analytics etc . As per 
cisco documentation:

http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/connected-mobile-experiences/guide-c07-734430.html


●   CMX Base license provides the following services:

◦ Location: The ability to determine the location of Wi-Fi clients, 
Bluetooth low energy (BLE) beacons, devices, and RFID tags. Includes tracking 
devices using FastLocate or Hyperlocation

◦ CMX Connect: Visitor Wi-Fi on boarding platform

◦ Location APIs: Third-party integration using standard REST APIs

●

  CMX Advanced license provides the following services:

◦ Includes all the CMX Base services - Location, Location APIs, CMX Connect

◦ CMX Analytics (I would call Presence & Location Analytics)

◦ Analytics API

◦ CMX Presence Analytics


Thanks for your time.

Tariq




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] high density wireless improvement features

[Tariq Adnan]

Thank you everyone for your valuable tips. I’ve been trialling some 
changes/features over the past few weeks. Once all done, I will share my 
findings. May be it could help someone with HD design.

Sam: regarding point 2, I aim to disable few 2.4G radios. As per your 
experience, should I be following some pattern ? Or disable every 4th one, for 
instance ? Highly appreciate your help, I can see you love HD wireless :)

FYI: Cisco is going to introduce Next Gen AP’s which will automatically adjust 
bandwidth (20, 40MHz etc.), automatically disable 2.4G radio or convert it to 
5G radio or put it in monitoring mode.


Cheers,
--

Tariq Adnan

From: , "Bruce W (Network Services)" 
<bosbo...@liberty.edu<mailto:bosbo...@liberty.edu>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, 15 January 2016 6:26 am
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] high density wireless improvement features

Aruba also does a *very* good job on their LPV (Large Public Venue) deployments 
too. I believe they are also usually lower cost than Cisco.

​

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Frans Panken [mailto:frans.pan...@surfnet.nl]
Sent: Wednesday, January 13, 2016 12:27 PM
Subject: Re: high density wireless improvement features

In addition to what Sam shared (thanks!), I think Aruba did a very good job 
with their very detailed description of very high density design that is well 
applicable for other vendors: 
http://community.arubanetworks.com/t5/Validated-Reference-Design/Very-High-Density-802-11ac-Networks-Validated-Reference-Design/ta-p/230891
-Frans
Op 13/01/16 om 17:14 schreef Samuel Clements:
Hi all! I'm new to the list (well, I've been lurking for a while), but this 
seems to be a good time to say hi! High Density being near and dear to my heart 
- I'd give the following guidance:

1) Don't underestimate your gear if you have good equipment. It's not a stretch 
for a Cisco 2700/3700 to support 100+ active association (shameless self-plug: 
http://nsashow.com/AP2700/).
2) There is such a thing as too much RF. If you're not disabling all but 3 
2.4GHz radios in a single room, you're not disabling enough of them. If you see 
two APs on the same channel (as a general rule) and they're both above -80dBm, 
you're not adding any capacity to your RF. In fact, you're hurting yourself.
3) Use narrow channels in 5GHz (20MHz), always. There is an overwhelming need 
for density of users (aggregate throughput), not individual throughput. This is 
one of the best ways to leverage the finite amount of air we have to use.
4) Use all channels in 5GHz including 2e/DFS channels. The more channels the 
better. If you're using a sane RRM product (Cisco does this for sure), RRM will 
try to avoid stacking 2e channels next to each other. In the event you have a 
client that doesn't support a channel you're using, this improves the likely 
hood that they can still function on a further AP.
5) Once you hit a number of APs that matches the number of 5GHz channels you 
have deployed, be very cautious about channel overlap (this is the same as rule 
2, just in 5GHz and further away).
6) Design for RRM and enable RRM (sorry Lee!). If you know how RRM works (there 
are many and numerous white papers and Cisco Live sessions on the specifics of 
how AP layout impacts RRM), you can safely run it without shooting yourself in 
the foot. I can't speak to ARM since there doesn't seem to be a good guide on 
how it actually works. 99% of the time, RRM works every time. The great thing 
about Cisco RRM is that you can watch the CLI of the process and it will tell 
you exactly what it's doing and why it's doing it. Use min and max thresholds 
if you can't get it to do what you'd like.
7) Use RF Groups to segregate your high density areas from other areas of your 
campus. This allows you to tweak and tune your HD area without impacting other 
users.
8) Use RX-SOP only when you've violated rules 2 and 5 and use it sparingly. 
RX-SOP is like a brick wall. Once you hit it, your clients fall off into never 
never land.

I hope that helps! There is a ton of guidance that can be given for designing 
cells (using directional antennas, stadium antennas with narrow beams from far 
away, APs under seats, in walls, etc) but those are covered in great detail 
elsewhere and all of the above advice can be taken regardless of antenna or 
location of installation.
  -Sam


On Tue, Jan 12, 2016 at 11:00 PM, Tariq Adnan 
<t.ad...@unsw.edu.au<mailto:t.ad...@unsw.edu.au>> wrote:

Hello everyone,



I am working on improving 

high density wireless improvement features

[Tariq Adnan]

Hello everyone,


I am working on improving wireless performance in high density areas (lecture 
theaters, auditoriums etc) and doing research on some features. I would like to 
know if you people have made below changes and how was your experience with it 
? We're using cisco gear (3702i/e APs, WiSM2 controllers, Prime 3.0).


1-set channel and power manually (not use RRM) : reduce power to limit coverage 
and disable 2.4GHz radios on every 3rd/4th AP.

2-load-balancing

3-band-select

4-RX-SOP (already deployed and happy with it, channel utilization is dropped)

5-optimized roaming

6-please suggest if i am missing something


In our setup, same controller is handling APs from HD and non-HD (high density) 
environments. My concern is if i make change which is controller wide, for 
instance optimized roaming, it could improve performance in HD areas but what 
could it do to non-HD areas (APs far away from each other).


I am using airmagnet PRO and Prime planning tool for survey and planning 
purposes.


Thanks everyone for your precious time []


Cheers,

--


Tariq Adnan

Network Engineer

NSW, Australia

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.