Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Trenton Hurt
> I'm very disappointed to see vendors making that recommendation.
>
>
>
> tim
> --
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W. <
> trent.h...@louisville.edu>
> *Sent:* Monday, February 1, 2021 16:46
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
>
> FYI
>
>
>
> I just received the following from SecureW2 about some additional security
> changes coming to Android 11.
>
>
>
>
>
>
>
> This action will need to take place before the upcoming Android
> application update that is planned for February 15th, 2021.
>
>
>
> As you may already be aware, Google mandates server validation to be
> properly configured for WiFi from Android version 11. This means that any
> 802.1X WiFi configuration without the following two settings will fail to
> connect.
>
>
>
> 1.  Server Validation
>
> 2.  Connect to these server names
>
>
>
> For more information about these configurations, please read below.
>
>
>
> What is Server Validation in a Network Profile?
>
> This configuration item is for clients to validate a RADIUS server
> certificate chain during an EAP authentication. Clients would forward their
> requests only when the received server certificate is signed by the CA that
> is configured on the SecureW2 Network Profile.  It may be required to
> upload only the Root CA of the RADIUS server certificate, however, in some
> cases, the full chain may need to be provided.
>
>
>
> What is the Connect to these server names field?
>
> This field is used to specify the name of your RADIUS server certificate
> using its Common Name. If there is only one RADIUS server in your setup,
> you can quickly find this name from the certificate. If there is more than
> one RADIUS server, or if the RADIUS server Common Name has more than two
> subdomains, we advise using a wildcard name.
>
>
>
> For example:
>
> If the RADIUS server certificate’s Common Name = radius.domain.com
> Connect to these server names should be radius.domain.com
>
>
>
> If the RADIUS server certificate’s Common Name = radius.lab.department.domain.com
> Connect to these server names should be *.department.domain.com or *.domain.com
>
>
>
>
>
>
>
>
>
> Thanks
>
> Trent
>
>
>
> Trenton Hurt, CWNE #172,ACMP,ACCP,CCNP(W),CCNA(W),CCNA(V),CCNA(R/S)
>
> Network Analyst
>
> University of Louisville
>
> Phone (502) 852-1513
>
>
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community



Re: [WIRELESS-LAN] Clearpass /AD /Palo fw

2019-11-06 Thread Trenton Hurt
I’m seeing timeouts during initial auth against AD.  Clearpass tries dcerpc
on port 49195 but the fw sees it like clearpass is trying to reuse some old
tcp session and doesn’t allow it even though I have allow all or even tried
port based rules with all the ports specified from Aruba docs.   After the
timeout clearpass does a new connection but on 135 and then things bind and
auth flows good. Also after that it can and does use the dynamic port range
from 49159 and up.  So it’s the first initial connection that fw doesn’t
like because it thinks it’s trying to reuse same tcp session but once the
flow is good all the ports work and auth good.

Anyone with palo have any insights on where or what to look at to allow
these initial connections.   I can’t believe clearpass is really trying to
reuse some tcp session that was 12+hrs old from previous day



On Wed, Nov 6, 2019 at 7:57 AM Michael Davis  wrote:

> What PanOS version?  We saw one case where the palo was delivering
> fragments in
> reverse order which wasn't technically incorrect, but some devices didn't
> like it.
>
>
> On 11/5/19 6:32 PM, Hurt,Trenton W. wrote:
>
> Hello
>
> Any folks using clearpass for radius auth against AD with a palo fw in
> between?   Have all the correct ports opened but still seeing some timeouts
> randomly during auth.
>
> Trent Hurt
>
> University of Louisville
>
>
>
>
> --
>  Mike Davis
>  IT - University of Delaware  - 302.831.8756
>  Newark, DE  19716 Email da...@udel.edu
>
>



Re: [WIRELESS-LAN] Zoom Rooms and Wi-Fi

2018-07-19 Thread Trenton Hurt
https://support.zoom.us/hc/en-us/articles/203680359   —> iOS airplay
requirements for zoom room


https://support.zoom.us/hc/en-us/articles/203680389-Firewall-Configuration-for-Zoom-Rooms
 —> fw ports needed for discovery



On Thu, Jul 19, 2018 at 4:02 PM Lee H Badman  wrote:

> I think I can answer this myself- lots of options, turns out the thorny
> ones are just that- options. Still, would be good to hear anyone’s
> experience with Zoom Rooms just out of curiosity.
>
>
>
> -Lee
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Lee H Badman
> *Sent:* Thursday, July 19, 2018 3:53 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Zoom Rooms and Wi-Fi
>
>
>
> Hi All,
>
>
>
> We have a group that wants to use Zoom Rooms, including the display
> mirroring functionality. I can’t tell from first digging if
> Bonjour/Airplay/mDNS are required to be enabled on the WLAN for the
> application(s) to work, looking at what little Zoom has available for tech
> docs.
>
>
>
> Is anyone else supporting Zoom Rooms, and can you share any perspective
> from the WLAN requirements?
>
>
>
> Thanks,
>
>
>
> Lee
>
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/discuss.
>
>




Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Trenton Hurt
https://www.mist.com/

On Thu, May 17, 2018 at 2:10 PM John Rodkey  wrote:

> Our college - about 40 buildings, 1200 students, 3500 wireless clients per
> day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing
> a number that are 9 years old and no longer supported.
>
> We could replace with the latest model of our existing vendor, but want to
> consider all the feasible alternatives.  We have a hard requirement that
> the controller be cloud-based, the system deal well with Mac clients,
> understand VLANs and an enterprise quality network, and have a rich set of
> configuration, logging, monitoring, and troubleshooting tools for dealing
> both with clients and access points. Responsive support is also required,
> and unsurprisingly  total system cost is a significant issue.
>
> 3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.
>
> Questions:
>  1) do other vendors come to mind that play well in this space?
>  2) what are your positive experiences with any of the above?
>  3) what are your negative experiences?
>  4) have you recently gone through this analysis, and if so, what were
> your conclusions?
>  5) what issues have you experienced with PoE capacity requirements with
> these devices?
>
> John Rodkey
> Director of Servers and Networks
> Westmont College
>
>




Re: [WIRELESS-LAN] devices not connecting to open network

2018-01-10 Thread Trenton Hurt
On Wed, Jan 10, 2018 at 11:42 AM Trenton Hurt <trenth...@gmail.com> wrote:

> Have you checked what role the devices are in when they have trouble with
> DHCP?  Might be worth checking firewall stuff for the role they are
> getting. Yes low data rates are needed for original Wii but I’ve run all
> the rest with 12 meg as min. with no issues on Cisco and Aruba gear.
>
> On Wed, Jan 10, 2018 at 11:18 AM Tufts, Mark <mtu...@stonehill.edu> wrote:
>
>> Hi,
>>
>>
>>
>> We have some wireless devices, WiiU, Nintendo Switch, PS4 etc. not
>> connecting to our open guest network.  Laptops, phones no issue at all.
>> The devices above will sometimes connect first try but then upon additional
>> testing on a reconnect just will not pull a DHCP address. We are an Aruba
>> wireless shop AP 225 and 315 fails on both.
>>
>>
>>
>> Anyone else experience this issue?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Mark
>>
>>




Re: [WIRELESS-LAN] devices not connecting to open network

2018-01-10 Thread Trenton Hurt
Have you checked what role the devices are in when they have trouble with
DHCP?  Might be worth checking firewall stuff for the role they are
getting. Yes low data rates are needed for original Wii but I’ve run all
the rest with 12 meg as min. with no issues on Cisco and Aruba gear.

On Wed, Jan 10, 2018 at 11:18 AM Tufts, Mark  wrote:

> Hi,
>
>
>
> We have some wireless devices, WiiU, Nintendo Switch, PS4 etc. not
> connecting to our open guest network.  Laptops, phones no issue at all.
> The devices above will sometimes connect first try but then upon additional
> testing on a reconnect just will not pull a DHCP address. We are an Aruba
> wireless shop AP 225 and 315 fails on both.
>
>
>
> Anyone else experience this issue?
>
>
>
> Thanks,
>
>
>
> Mark
>
>




Re: Arubaos vulnerabilities

2017-10-12 Thread Trenton Hurt
On Thu, Oct 12, 2017 at 11:29 AM Trenton Hurt <trenth...@gmail.com> wrote:

>
>
>
> http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-006.txt
>
> http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt
>
>
>




Arubaos vulnerabilities

2017-10-12 Thread Trenton Hurt
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-006.txt

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt




Re: [WIRELESS-LAN] Web GUI unresponsive after HTTPS-redirect enabled

2017-08-03 Thread Trenton Hurt
HTTPS redirect is used for redirect over web auth


https://supportforums.cisco.com/document/12398536/understanding-https-redirect-over-web-auth


On Thu, Aug 3, 2017 at 8:18 PM Jason Cook wrote:

> My understanding is that HTTPS Redirection is simply so the user can try
> connecting on http and will be automatically directed to https.
>
>
>
> Our config is below, we use https only. We don’t bother with re-direct,
> admins just have to remember to go to https, not http :)
>
>
>
> The bug only says https redirection, so it doesn’t sound like you need to
> go to http only.
>
>
>
> Still on .152 here, no testing yet on 160
>
>
>
>
>
> --
>
> Jason Cook
>
> Technology Services
>
> The University of Adelaide, AUSTRALIA 5005
>
> Ph: +61 8 8313 4800
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Shayne Ghere
> *Sent:* Friday, 4 August 2017 3:51 AM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Web GUI unresponsive after HTTPS-redirect
> enabled
>
>
>
> I spoke with our Cisco Wireless team, and they said HTTPS re-direct is
> disabled by default and best practice.  Enabling HTTPS puts a heavy load on
> the WLC CPU.
>
>
>
> I’m unsure why “not” enabling HTTPS is best practice, but it’s a work
> around for now.  It’s always enabled with anything that has a front end GUI
> that I manage.
>
>
>
> We’re upgrading to 8.2.160.0 due to a bug in 151.0 that causes AP’s (3802,
> 1810W) to crash and reload with the error, “Reason for association 'AP
> Crashed Due To Software Failure'.” Which isn’t an ideal situation with the
> students moving back in a week.
>
>
>
> 160.0 fixed the bug that was found and is the only stable version that
> supports Flexconnect, Rlans and 802.1x without them reloading
> spontaneously.   I have 3-5 a day that this happens to right now.
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Bibin George
> *Sent:* Thursday, August 03, 2017 12:50 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Web GUI unresponsive after HTTPS-redirect
> enabled
>
>
>
> I know this is not so secure, but our work around was to enable http for
> management and login to the controller by http, that works great.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Charles Francis
> *Sent:* Thursday, August 03, 2017 8:37 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Web GUI unresponsive after HTTPS-redirect
> enabled
>
>
>
> We have not hit this one specifically, but we have noticed that once we
> start adding AP’s and clients to an 8540, the GUI response lags
> significantly.  CLI will lag at times as well.  We have an open case right
> now trying to pinpoint it.
>
>
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Bibin George <
> bibin.geo...@hofstra.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Thursday, August 3, 2017 at 4:03 AM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *[WIRELESS-LAN] Web GUI unresponsive after HTTPS-redirect
> enabled
>
>
>
> I’m running 8.2.160 on 8540, does anyone hit this bug yet?
>
> Terrible response from the management GUI.
>
>
>
>
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc00271/?referring_site=bugquickviewredir
>
>
>
>
>
>
>




Re: [WIRELESS-LAN] Cisco Code Version

2017-08-01 Thread Trenton Hurt
http://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-TAC-Recommended-AireOS.html#anc8


On Tue, Aug 1, 2017 at 5:00 PM Marcelo Maraboli wrote:

> Hello all
>
> I wonder why CISCO keeps 8.2.151 as "suggested" and not 8.2.160 ??
>
> just a precaution ?
>
> My Cisco partner is telling me to stay in 8.2.151 even if there is 8.5.x
> code out there.
>
>
> what's your opinion ?
>
>
> regards,
>
>
> On 7/31/17 4:11 PM, Paul Thompson wrote:
>
>
> .160 fixes some real world SIP and 802.11r Fast Transition bugs, if you're
> using either of those features.  I was told by a coworker that the
> engineering prereleases of it had helped with some real life Apple
> connectivity tics, but have less detail on specifics of that.
>
> On Mon, 31 Jul 2017, Lee H Badman wrote:
>
>
> 151 here as well- is a bit frustrating that 160 just came out as we’re in
> our “freeze” period now for making changes, pre-semester. Other than the
> typical laundry list of cryptic bugs corrected, does anyone know if 160
> addresses any real-world, commonly impactful 3800-related bugs?
>
>
>
> Lee Badman | Network Architect
>
> Certified Wireless Network Expert (#200) Information Technology Services
> 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244
>
> t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu
>
> SYRACUSE UNIVERSITY syr.edu
>
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] On Behalf Of James Helzerman Sent:
> Monday, July 31, 2017 1:57 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco Code Version
>
>
>
> Hi.  For those with Cisco access points what code version are you planning on
> running for start of fall semester?
>
>
>
> At this point we are looking at 8.2.151 possibly 8.2.160 but haven't tested
> yet.
>
>
>
> Thanks
>
>
>
> -Jimmy
>
>
>
> --
>
> James Helzerman Wireless Network Engineer University of Michigan - ITS
>
> Phone: 734-615-9541
>
>
>
> --
> *Marcelo Maraboli Rosselott*
> Deputy Director of Networks and Security
> Dirección de Informática
> Pontificia Universidad Católica de Chile
> http://informatica.uc.cl/
> --
> Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
> Santiago, Chile
> Phone: (56) 22354 1341
>
>




Re: [WIRELESS-LAN] Apple TV/Apple Configurator

2017-05-19 Thread Trenton Hurt
The time issue was fixed a couple of software versions ago

https://community.arubanetworks.com/t5/Technology-Blog/Apple-TV-EAP-PEAP-Configuration-Clock-Fix/ba-p/143391

I still would always push to have these wired for performance and
stability.

I've followed these instructions to build profiles.  Of course you have to
use your certs.  You can get the required certs off a Mac that has
successfully connected to the dot1X network. Just find them in keychain
access and export them.

http://technology.pitt.edu/support/connecting-your-apple-tv-to-wireless-pittnet




On Fri, May 19, 2017 at 2:59 PM Kanan E Simpson wrote:

> Bruce,
>
>
>
> I’ve successfully built a wireless profile for Apple TVs using 802.1X
> (WPA2/AES)  and PEAP/MSChapv2 in my lab. It worked fine until I removed the
> power of the Apple TV. Once power is removed, the Apple TV loses its time
> and can no longer validate certificates. You must then connect the Apple TV
> to an open or PSK network to get the time corrected before another
> successful 802.1X connection.
>
>
>
> Because of this, we will not connect the Apple TV to our dot1X wireless
> network. We connect them via  guest/open WLAN and move them to another L3
> network on the back end.
>
>
>
>
>
> *Kanan Simpson*
>
> Network Services Engineer
>
> Valdosta State University
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Entwistle, Bruce
> *Sent:* Friday, May 19, 2017 1:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Apple TV/Apple Configurator
>
>
>
> I am currently attempting to use the Apple configurator to build a
> wireless profile to be loaded to an Apple TV which will then make an
> authenticated connection to our wireless network.  We are currently using
> our ClearPass server to authenticate this connection.   I have utilized
> many different combinations of WPA/WPA2 authentication options along with
> different combinations of trusted certificates.  These included the
> certificate from the authentication server(ClearPass) along with the
> associated root and intermediate certs.  However the connection still fails
> with the following error message,  Radius EAP: Client doesn’t support
> configured EAP methods.  I was looking to see if anyone has been successful
> using the Apple configurator to build such a profile which contains the
> SSID, username, password, security type and certificates then pushing it to
> the Apple TV so it can connect to the wireless network.
>
>
>
> Thank you
>
> Bruce Entwistle
>
> Network Manager
>
> University of Redlands
>
>
>
>
>
>
>
>
>




Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-18 Thread Trenton Hurt
For IPv4, the client’s IP address is available via the Framed-IP-Address
attribute in Interim-Update Accounting-Request packets. For IPv6, client IP
addresses are instead available via Framed-IPv6-Address attributes. They
are made available by NASes that implement DHCP snooping functionality.

On Fri, Nov 18, 2016 at 8:48 AM Wang, Yu  wrote:

> Edward,
>
>
>
> NPS servers (radius) do not have clients’ IP information as the whole
> 802.1X authentication process happens before a client can have an IP
> address. Once a client is successfully authenticated, radius’ job is done.
> The client is then assigned to a network and acquires an IP through DHCP.
> You can get a client’s IP from Aruba controllers or DHCP servers (client’s
> MAC address from NPS).
>
>
>
> Yu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Edward Ip
>
>
> *Sent:* Thursday, November 17, 2016 2:38 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>
> *Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
>
>
> We have been using Microsoft NPS in a cluster as Radius for 802.1X for a
> while now. Our normal concurrent client load is about 12,000 users.
>
>
>
> Monitoring is now done via Airwave, specifically using the Clarity
> feature. In the past, we used Solarwinds to query our Aruba controllers for
> the statistics and then graphing it in Solarwinds.
>
>
>
> We are not doing anything fancy with the NPS servers. My network architect
> wants to be able to query the AD network and set up network policies (like
> bandwidth control and app control) using Bluecoat PacketShaper and the
> Authentication and Authorization Agent (BCAAA) with User Awareness feature.
> However, the NPS servers do not update our ad directory with regards to
> what IP address the wireless client is currently using. So this feature is
> not useable on our wireless client (works great on wired domain clients).
> Investigating if we can use ClearPass to give the bluecoat the required
> information.
>
>
>
> *Edward Ip*
>
> *Algonquin College* | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario
> | K2G 1V8 | Canada
>
> algonquincollege.com
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Lee H Badman
> *Sent:* Wednesday, November 16, 2016 9:40 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>
>
>
> Hello to the awesome group.
>
>
>
> We’ve used Cisco ACS with general satisfaction for many years as the
> RADIUS solution for our very, very large WLAN’s 802.1X authentication. We
> also have Aruba Clearpass in-house for guest wireless, and have poked
> around at ISE a bit. We’re weighing replacing our aging ACS environment,
> but as many of you know times are changing. When you shop for RADIUS, you
> have to wade through the fog of NAC systems because everything is getting
> ever more “feature rich”. For major vendors, RADIUS is just a slice of NAC
> now, and since everybody “is a software company!” licensing can be ugly.
> I’m not slamming those who find value in the many interesting features that
> the likes of ISE and Clearpass offer, but I also can’t help but be drawn to
> Microsoft NPS when I think about going forward with simple RADIUS.
>
>
>
> Way back when, we avoided Microsoft in this role as the reporting wasn’t
> particularly strong when it came time to troubleshoot clients. We **may**
> have found relief to this through Splunk, and also enjoy a robust Windows
> server environment staffed by absolutely brilliant MS-minded veteran
> admins.
>
>
>
> All that being said- is anyone using NPS as their RADIUS solution for a
> large secure WLAN environment? Can you share likes, dislikes, regrets,
> endorsements, horror stories, tales of success, etc?
>
>
>
>
>
> (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS
> solutions. Please, no calls or emails)
>
>
>
>
>
> Kind regards-
>
>
>
> *Lee Badman* | CWNE #200 | Network Architect
>
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * f* 315.443.4325   *e* lhbad...@syr.edu *w* its.syr.edu
>
>
> *SYRACUSE UNIVERSITY *syr.edu
>
>
>
>
>
>
>
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>
>
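
The attributes named in the reply at the top of this message, as an added example that is not part of the original thread: a parser for a RADIUS Accounting-Request that checks the Request Authenticator and then pulls the user/MAC/IP binding out of an Interim-Update. The packets are constructed for the demo, and the shared secret, user name, MAC and addresses in them are made up.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4            # RADIUS packet code, RFC 2866
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, FRAMED_IPV6_ADDRESS = 40, 168   # 168 is defined in RFC 6911
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Request Authenticator = MD5(header, 16 zero octets, attributes, secret)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] for one Accounting-Request, rejecting bad TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def client_binding(packet: bytes, secret: bytes):
    """Return a user/MAC/IP record, or None when the packet carries no address."""
    attrs = parse_attributes(packet)
    if not authenticator_ok(packet, secret):
        raise ValueError("Request Authenticator mismatch (wrong secret or forged packet)")
    record = {"user": None, "mac": None, "status": None, "ipv4": None, "ipv6": []}
    for a_type, value in attrs:
        if a_type == USER_NAME:
            record["user"] = value.decode("utf-8", "replace")
        elif a_type == CALLING_STATION_ID:
            record["mac"] = value.decode("ascii", "replace")
        elif a_type == ACCT_STATUS_TYPE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            record["status"] = STATUS.get(code, str(code))
        elif a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            record["ipv4"] = str(ipaddress.IPv4Address(value))
        elif a_type == FRAMED_IPV6_ADDRESS and len(value) == 16:
            record["ipv6"].append(str(ipaddress.IPv6Address(value)))
    if record["ipv4"] is None and not record["ipv6"]:
        return None   # e.g. a Start sent before the client has an address
    return record


def build_sample(ident: int, attrs: list, secret: bytes) -> bytes:
    """Build a constructed Accounting-Request for the demo (not a captured packet)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


# Constructed sample data: secret, user, MAC and addresses are placeholders.
SECRET = b"constructed-shared-secret"
COMMON = [(USER_NAME, b"jdoe@example.edu"), (CALLING_STATION_ID, b"02-00-5E-10-00-01")]
START = build_sample(1, COMMON + [(ACCT_STATUS_TYPE, struct.pack("!I", 1))], SECRET)
INTERIM = build_sample(2, COMMON + [
    (ACCT_STATUS_TYPE, struct.pack("!I", 3)),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.45").packed),
    (FRAMED_IPV6_ADDRESS, ipaddress.IPv6Address("2001:db8::45").packed),
], SECRET)

if __name__ == "__main__":
    print("Start:  ", client_binding(START, SECRET))
    print("Interim:", client_binding(INTERIM, SECRET))
```

The authenticator check matters for anything that turns these records into policy: accounting arrives over UDP, so a collector that skips it will accept a user-to-IP binding from any host that can reach its port.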


Re: [WIRELESS-LAN] mDNS across L3 layer

2016-08-01 Thread Trenton Hurt
mDNS AP

http://www.cisco.com/c/en/us/td/docs/wireless/technology/bonjour/7-5/Bonjour_Gateway_Phase-2_WLC_software_release_7-5.html#pgfId-44412

On Monday, August 1, 2016, Legge, Jeffry  wrote:

> We are currently using WISM2’s on flat L2 to Distribution switches. We
> have just begun L3 from a building to the Core and WISM2’s still on
> Distribution. The wireless via AP groups gets tunneled  through to WISM.
> Wired is on a separate L2 behind L3 to Core so Wism does not see it. Does
> anyone know of a way to make mDNS work in this situation?
>
>
>
> Jeff Legge
>
>
>
> Radford University
>
>




Cisco Prime Infrastructure and Evolved Programmable Network Manager Authentication Bypass API Vulnerability

2016-07-01 Thread Trenton Hurt
Cisco Prime Infrastructure and Evolved Programmable Network Manager
Authentication Bypass API Vulnerability


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-piauthbypass



Re: [WIRELESS-LAN] student residential routers?

2016-06-27 Thread Trenton Hurt
Have you looked at SMS over SMTP?

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/SMS-over-SMTP-in-CPPM/ta-p/192395



On Monday, June 27, 2016, Hector J Rios  wrote:

> Any recommendations on an SMS gateway service? We are implementing
> ClearPass and we want our sponsors to have the ability to send credentials
> via text. I know about leveraging SMTP, but I’m interested in that option.
>
>
>
> Regards,
>
>
>
> Hector Rios
>
> Louisiana State University
>
>




Re: [WIRELESS-LAN] 802.11b data rates disabled?

2016-06-22 Thread Trenton Hurt
It's 2.4 b/g/n for actual network connectivity, but it doesn't require the
legacy data rates to connect. This is the Wi-Fi chipset in it:

http://pdf.datasheetarchive.com/indexerfiles/Datasheets-EC3/DSAQ00337826.pdf



The thing to watch out for on the Wii U is that the console and controller
use Miracast on a random 5GHz channel. It does display mirroring of the
game to the controller and causes very high channel utilization on that
channel while the console is in use. Upwards of 60%.

On Wednesday, June 22, 2016, Adam Forsyth wrote:

> Wii is the most mentioned issue that people are mentioning that they
> encountered with turning off B rates (and that's the one I've feared and
> has made me hesitant to do this on our network).  Using a wired port
> instead is sometimes mentioned as a workaround but that doesn't work for
> us in two of our residence halls that are wireless only and don't have
> wired ports.  For those that have wireless only residence halls and have
> disabled B rates, do you just say Wiis are not supported and there is no
> workaround?
>
> Also, I don't think they have sold many of them, but does anyone know if
> the Wii U solved this problem of B rates being required or if it has the
> same problem?
>
> On Tue, Jun 21, 2016 at 9:17 AM, Kanan E Simpson wrote:
>
>> Yes, I know. We still had some students using the Wii to stream Netflix.
>> Maybe this fall, they will have new updated devices. :)
>>
>>
>> Kanan Simpson, CWNA, JNCIA
>> Network Services Specialist
>> Information Technology Division
>> Valdosta State University
>>
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
>> (Network Services)
>> Sent: Tuesday, June 21, 2016 8:03 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] 802.11b data rates disabled?
>>
>> Really?
>>
>> Nintendo dropped Wii & DS support & closed the online store in 2014.
>>
>>
>> Bruce Osborne
>> Wireless Engineer
>> IT Network Services - Wireless
>>
>> (434) 592-4229
>>
>> LIBERTY UNIVERSITY
>> Training Champions for Christ since 1971
>>
>>
>> -----Original Message-----
>> From: Kanan E Simpson [mailto:kesim...@valdosta.edu]
>> Sent: Monday, June 20, 2016 12:03 PM
>> Subject: Re: 802.11b data rates disabled?
>>
>> We disabled the 11b rates last summer. For the most part, we didn't have
>> too many complaints. The complaints that we received were from the students
>> that own the legacy Wii. Although the devices support 11g, it must see
>> the SSID broadcast at an 11b (1 Mbps) rate in order to connect.  This was
>> the only complaint. We no longer support the original Wii.
>>
>> We also have institutional devices that are older and only support
>> 11b. For these devices, we simply left the 11b rates on for the APs in the
>> area they connect. Thankfully, it's only one building.
>>
>>
>> Thanks,
>>
>> Kanan Simpson, CWNA, JNCIA
>> Network Services Specialist
>> Information Technology Division
>> Valdosta State University
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Todd M. Hall
>> Sent: Monday, June 20, 2016 11:50 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] 802.11b data rates disabled?
>>
>> Do you have all of the 802.11b data rates disabled?  If so, how long have
>> they been disabled?  Did you have many complaints when you disabled them?
>> Were there any particular devices that could not connect as a result?
>>
>> I'm hoping this information will help us move towards disabling these old
>> rates.
>> Thank you for your feedback.
>>
>> --
>> Todd M. Hall
>> Sr. Network Analyst
>> Information Technology Services
>> Mississippi State University
>> t...@msstate.edu 
>> 662-325-9311 (phone)
>>
>>
>> **
>> Participation and subscription information for this EDUCAUSE