Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-15 Thread Dennis Xu
Thanks Curtis. Good to know this DNS ACL feature works with non-ISE third party 
NAC solutions. 

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca 
www.uoguelph.ca/ccs

- Original Message -
From: Curtis K. Larsen curtis.k.lar...@utah.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, January 14, 2015 7:16:43 PM
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN


We are using the ACL's returned from PacketFence on a Guest WLAN which is 
configured using MAC-filtering and RADIUS-NAC. I just tested this with the DNS 
ACL and it is working fine. 


Thanks, 

Curtis Larsen 
University of Utah 
Wireless Network Engineer 




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca] 
Sent: Friday, January 09, 2015 8:32 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

I did not have any luck with the DNS ACL feature without having ISE. Our onboarding
SSID is using local web authentication (versus central web authentication or
RADIUS NAC) and I couldn't make the DNS ACL work in our setup. I opened a case
with TAC and found out actually DNS ACL has to work in central web
authentication setup (needs ISE to return the redirect-ACL attribute to WLC).
This point was not clearly written in the 7.6 configuration guide, but they fixed it
and made it clear in the 8.0 configuration guide.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110101.html
 

DNS-based ACLs work only when RADIUS NAC (central web authentication or 
posture) are done on the SSID. DNS-based ACLs do not work with local web 
authentication or any other form of ACL other than a redirect-ACL used in the 
case of RADIUS NAC. 

Has anyone successfully deployed the Cisco WLC DNS ACL feature? 


--- 
Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services(CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

- Original Message -

From: Trent Hurt trent.h...@louisville.edu 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, January 8, 2015 8:53:41 PM 
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN 




7.6 and up have dns acl feature…

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
Sent: Thursday, January 08, 2015 8:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

These devices prompt for a wireless network during the activation process, but
won't let a webauth succeed.

I like Hunter's idea of adding the Apple/Google/Antivirus sites to the
pre-webauth ACL. Cisco WLC's won't let you use DNS names for ACL entries, d'oh!
Is there a known list of these hosts somewhere before I go sniffing wireless
traffic?

Thanks,
Britton

Britton Anderson |
Senior Network Communications Specialist |
University of Alaska |
907.450.8250

On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:

Maybe I'm over simplifying this, but for the average user, don't those
devices have to be activated BEFORE you can see the settings screen?

Mike

On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

This is what we do. While not authenticated to wireless you can still get to a
few places - Microsoft, apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT

Sent from my phone.

On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

We already have an unencrypted ssid for students to get to our onboarding
system (Cloudpath). Our plan for this summer is to poke enough firewall holes
for students to also run through the device activation process. If we were to
try to impose any kind of device security policies, we would do it in the
onboarding process.

On January 8, 2015 5:54:01 PM EST, Britton Anderson blanders...@alaska.edu wrote:

I just wanted to ask the question to see what all of you are doing at your
institutions to handle users activating new devices. New iOS devices for
example have to reach out to iCloud to validate themselves and make sure
they're not stolen. Android now with version 5 is very similar, having to reach
out to the mothership and join to a Google account.

Are any of you doing an SSID-Activate WLAN, or requiring clients to bring it
by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have our

Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-15 Thread James Andrewartha
On 10/01/15 06:31, Britton Anderson wrote:
 I found albert.apple.com is the DNS request
 the iPhone makes when trying to activate today. Resolves to one IP in
 Akamai's CDN network from our campus. Will give that a shot today.

I added that, however I also needed to add init.ess.apple.com (found via
wireshark) before activation would succeed. We're using Extreme
(Enterasys) NAC and wifi, which allows DNS whitelisting.

-- 
James Andrewartha
Network  Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] New Device Activation WLAN

2015-01-14 Thread Curtis K. Larsen
We are using the ACL's returned from PacketFence on a Guest WLAN which is 
configured using MAC-filtering and RADIUS-NAC.  I just tested this with the DNS 
ACL and it is working fine.


Thanks,

Curtis Larsen
University of Utah
Wireless Network Engineer


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca]
Sent: Friday, January 09, 2015 8:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

I did not have any luck with the DNS ACL feature without having ISE. Our onboarding
SSID is using local web authentication (versus central web authentication or
RADIUS NAC) and I couldn't make the DNS ACL work in our setup. I opened a case
with TAC and found out actually DNS ACL has to work in central web
authentication setup (needs ISE to return the redirect-ACL attribute to WLC).
This point was not clearly written in the 7.6 configuration guide, but they fixed it
and made it clear in the 8.0 configuration guide.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110101.html

DNS-based ACLs work only when RADIUS NAC (central web authentication or 
posture) are done on the SSID. DNS-based ACLs do not work with local web 
authentication or any other form of ACL other than a redirect-ACL used in the 
case of RADIUS NAC.

Has anyone successfully deployed the Cisco WLC DNS ACL feature?

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: Trent Hurt trent.h...@louisville.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, January 8, 2015 8:53:41 PM
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

7.6 and up have dns acl feature…

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
Sent: Thursday, January 08, 2015 8:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

These devices prompt for a wireless network during the activation process, but 
won't let a webauth succeed.

I like Hunter's idea of adding the Apple/Google/Antivirus sites to the 
pre-webauth ACL. Cisco WLC's won't let you use DNS names for ACL entries, d'oh! 
Is there a known list of these hosts somewhere before I go sniffing wireless 
traffic?

Thanks,
Britton


Britton Anderson blanders...@alaska.edu |
Senior Network Communications Specialist |
University of Alaska http://www.alaska.edu/oit |
907.450.8250

On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:

Maybe I'm over simplifying this, but for the average user, don't those
devices have to be activated BEFORE you can see the settings screen?

Mike

On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

This is what we do. While not authenticated to wireless you can still get to a 
few places - Microsoft, apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT

Sent from my phone.

On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

We already have an unencrypted ssid for students to get to our onboarding
system (Cloudpath). Our plan for this summer is to poke enough firewall holes
for students to also run through the device activation process. If we were to
try to impose any kind of device security policies, we would do it in the
onboarding process.

On January 8, 2015 5:54:01 PM EST, Britton Anderson blanders...@alaska.edu wrote:

I just wanted to ask the question to see what all of you are doing at your 
institutions to handle users activating new devices. New iOS devices for 
example have to reach out to iCloud to validate themselves and make sure 
they're not stolen. Android now with version 5 is very similar, having to reach 
out to the mothership and join to a Google account.

Are any of you doing an SSID-Activate WLAN, or requiring clients to bring it 
by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have our 
Desktop techs touch it and give them pointers to secure it. However, we've lost 
some budget, and some employees, and they can't keep a guy in the office to 
handle that influx of people anymore. And I don't want the headache of a wide 
open WLAN everywhere, and none of the devices will allow the webauth 
transaction to happen before the device is activated.

Thanks,
--Britton

Britton Anderson blanders...@alaska.edu |

 Senior Network Communications Specialist |

 University

Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-09 Thread Dennis Xu
I did not have any luck with the DNS ACL feature without having ISE. Our onboarding
SSID is using local web authentication (versus central web authentication or
RADIUS NAC) and I couldn't make the DNS ACL work in our setup. I opened a case
with TAC and found out actually DNS ACL has to work in central web
authentication setup (needs ISE to return the redirect-ACL attribute to WLC).
This point was not clearly written in the 7.6 configuration guide, but they fixed it
and made it clear in the 8.0 configuration guide.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110101.html
 

DNS-based ACLs work only when RADIUS NAC (central web authentication or 
posture) are done on the SSID. DNS-based ACLs do not work with local web 
authentication or any other form of ACL other than a redirect-ACL used in the 
case of RADIUS NAC. 

Has anyone successfully deployed the Cisco WLC DNS ACL feature? 


--- 
Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services(CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

- Original Message -

From: Trent Hurt trent.h...@louisville.edu 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, January 8, 2015 8:53:41 PM 
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN 



7.6 and up have dns acl feature… 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163
 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson 
Sent: Thursday, January 08, 2015 8:42 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN 


These devices prompt for a wireless network during the activation process, but 
won't let a webauth succeed. 



I like Hunter's idea of adding the Apple/Google/Antivirus sites to the 
pre-webauth ACL. Cisco WLC's won't let you use DNS names for ACL entries, d'oh! 
Is there a known list of these hosts somewhere before I go sniffing wireless 
traffic? 



Thanks,
Britton

Britton Anderson |  
Senior Network Communications Specialist |  
University of Alaska |  
907.450.8250 



On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:

Maybe I'm over simplifying this, but for the average user, don't those
devices have to be activated BEFORE you can see the settings screen?

Mike

On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

This is what we do. While not authenticated to wireless you can still get to a
few places - Microsoft, apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT

Sent from my phone.

On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

We already have an unencrypted ssid for students to get to our onboarding 
system (Cloudpath). Our plan for this summer is to poke enough firewall holes 
for students to also run through the device activation process. If we were to 
try to impose any kind of device security policies, we would do it in the 
onboarding process. 

On January 8, 2015 5:54:01 PM EST, Britton Anderson blanders...@alaska.edu wrote:

I just wanted to ask the question to see what all of you are doing at your 
institutions to handle users activating new devices. New iOS devices for 
example have to reach out to iCloud to validate themselves and make sure 
they're not stolen. Android now with version 5 is very similar, having to reach 
out to the mothership and join to a Google account. 



Are any of you doing an SSID-Activate WLAN, or requiring clients to bring it 
by your respective Help Desks for activation? 



Right now, we are requiring anyone that wants a device activated to have our 
Desktop techs touch it and give them pointers to secure it. However, we've lost 
some budget, and some employees, and they can't keep a guy in the office to 
handle that influx of people anymore. And I don't want the headache of a wide 
open WLAN everywhere, and none of the devices will allow the webauth 
transaction to happen before the device is activated.

Thanks,
--Britton

Britton Anderson |
Senior Network Communications Specialist |
University of Alaska |
907.450.8250

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-09 Thread Hunter Fuller
You can run this to get Google IP ranges. Thanks to Todd Swatling of
Vassar for this.

dig +noall +answer TXT _netblocks.google.com _netblocks2.google.com \
  _netblocks3.google.com | cut -d'"' -f2 | tr ' ' '\n' | grep ^ip | \
  sed 's/ip[4-6]://g'


--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Thu, Jan 8, 2015 at 7:41 PM, Britton Anderson blanders...@alaska.edu wrote:
 These devices prompt for a wireless network during the activation process,
 but won't let a webauth succeed.

 I like Hunter's idea of adding the Apple/Google/Antivirus sites to the
 pre-webauth ACL. Cisco WLC's won't let you use DNS names for ACL entries,
 d'oh! Is there a known list of these hosts somewhere before I go sniffing
 wireless traffic?

 Thanks,
 Britton



 Britton Anderson | Senior Network Communications Specialist | University of
 Alaska | 907.450.8250


 On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:

 Maybe I'm over simplifying this, but for the average user, don't those
 devices have to be activated BEFORE you can see the settings screen?

 Mike

 On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

 This is what we do. While not authenticated to wireless you can still get
 to a few places - Microsoft, apple, Google search, antivirus vendors.

 --
 Hunter Fuller
 OIT

 Sent from my phone.

 On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

 We already have an unencrypted ssid for students to get to our
 onboarding system (Cloudpath). Our plan for this summer is to poke enough
 firewall holes for students to also run through the device activation
 process. If we were to try to impose any kind of device security policies,
 we would do it in the onboarding process.

 On January 8, 2015 5:54:01 PM EST, Britton Anderson
 blanders...@alaska.edu wrote:

 I just wanted to ask the question to see what all of you are doing at
 your institutions to handle users activating new devices. New iOS devices
 for example have to reach out to iCloud to validate themselves and make
 sure they're not stolen. Android now with version 5 is very similar, having
 to reach out to the mothership and join to a Google account.

 Are any of you doing an SSID-Activate WLAN, or requiring clients to
 bring it by your respective Help Desks for activation?

 Right now, we are requiring anyone that wants a device activated to
 have our Desktop techs touch it and give them pointers to secure it.
 However, we've lost some budget, and some employees, and they can't keep a
 guy in the office to handle that influx of people anymore. And I don't want
 the headache of a wide open WLAN everywhere, and none of the devices will
 allow the webauth transaction to happen before the device is activated.

 Thanks,
 --Britton


 Britton Anderson | Senior Network Communications Specialist |
 University of Alaska | 907.450.8250

 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.

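
Added example (not part of the original thread or any poster's code): a shell version of the SPF netblock extraction in the message above that also joins TXT answers split across several quoted strings, drops duplicates, and converts IPv4 prefixes to address/netmask pairs for ACL editors that do not take CIDR. The sample records are constructed, using hypothetical example.net names and documentation prefixes; the function names are this example's own.

```shell
#!/bin/sh
# Added example: turn SPF netblock TXT answers into ACL-ready prefixes.

# Constructed sample in `dig +noall +answer TXT` format. Names are
# hypothetical and the prefixes are documentation ranges. The second answer
# is split into two quoted strings (SPF joins them with no separator) and
# the third repeats a prefix from the first.
SAMPLE_DIG_OUTPUT='_netblocks.example.net. 3600 IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all"
_netblocks2.example.net. 3600 IN TXT "v=spf1 ip6:2001:db8::/32 ip4:203.0.1" "13.64/26 ~all"
_netblocks3.example.net. 3600 IN TXT "v=spf1 ip4:192.0.2.0/24 ~all"'

# stdin: dig TXT answers. stdout: unique ip4/ip6 prefixes, one per line.
extract_netblocks() {
    awk '
    $4 == "TXT" {
        # Even-numbered pieces are the quoted strings; join them all.
        n = split($0, piece, "\"")
        txt = ""
        for (i = 2; i <= n; i += 2) txt = txt piece[i]
        m = split(txt, term, " ")
        for (j = 1; j <= m; j++)
            if (term[j] ~ /^ip[46]:/) {
                net = substr(term[j], 5)      # drop the ip4: or ip6: tag
                if (!(net in seen)) { seen[net] = 1; print net }
            }
    }'
}

# $1: IPv4 address or CIDR. Prints "network netmask". Returns 1 on malformed
# input or when host bits are set, so a typo cannot silently widen the ACL.
cidr4_to_acl() {
    case $1 in
        */*) addr=${1%/*}; len=${1#*/} ;;
        *)   addr=$1; len=32 ;;
    esac
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    case $len in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( ip & ~mask & 0xFFFFFFFF )) -eq 0 ] || return 1
    printf '%d.%d.%d.%d %d.%d.%d.%d\n' \
        $(( ip >> 24 )) $(( ip >> 16 & 255 )) $(( ip >> 8 & 255 )) $(( ip & 255 )) \
        $(( mask >> 24 )) $(( mask >> 16 & 255 )) $(( mask >> 8 & 255 )) $(( mask & 255 ))
}

# stdin: dig TXT answers. stdout: one ACL-ready line per prefix. IPv6
# prefixes pass through unchanged; rejected IPv4 entries go to stderr.
netblocks_to_acl() {
    extract_netblocks | while IFS= read -r net; do
        case $net in
            *:*) printf '%s\n' "$net" ;;
            *)   cidr4_to_acl "$net" || printf 'skipped: %s\n' "$net" >&2 ;;
        esac
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_DIG_OUTPUT" | netblocks_to_acl
```

To run it against live records, pipe the output of the `dig +noall +answer TXT ...` command from the message into `netblocks_to_acl`.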


Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-09 Thread Britton Anderson
Thanks for that script!

I found albert.apple.com is the DNS request the iPhone makes when trying to
activate today. Resolves to one IP in Akamai's CDN network from our campus.
Will give that a shot today.

--Britton

BTW Hunter, nice sweep for your Chargers hockey team last weekend! ;)



Britton Anderson blanders...@alaska.edu | Senior Network Communications
Specialist | University of Alaska http://www.alaska.edu/oit | 907.450.8250

On Fri, Jan 9, 2015 at 12:42 PM, Hunter Fuller hf0...@uah.edu wrote:

 You can run this to get Google IP ranges. Thanks to Todd Swatling of
 Vassar for this.

 dig +noall +answer TXT _netblocks.google.com _netblocks2.google.com \
   _netblocks3.google.com | cut -d'"' -f2 | tr ' ' '\n' | grep ^ip | \
   sed 's/ip[4-6]://g'


 --
 Hunter Fuller
 Network Engineer
 VBRH M-9B
 +1 256 824 5331

 Office of Information Technology
 The University of Alabama in Huntsville
 Systems and Infrastructure

 I am part of the UAH Safe Zone LGBTQIA support network:
 http://www.uah.edu/student-affairs/safe-zone


 On Thu, Jan 8, 2015 at 7:41 PM, Britton Anderson blanders...@alaska.edu wrote:
  These devices prompt for a wireless network during the activation process,
  but won't let a webauth succeed.

  I like Hunter's idea of adding the Apple/Google/Antivirus sites to the
  pre-webauth ACL. Cisco WLC's won't let you use DNS names for ACL entries,
  d'oh! Is there a known list of these hosts somewhere before I go sniffing
  wireless traffic?

  Thanks,
  Britton

  Britton Anderson | Senior Network Communications Specialist | University of
  Alaska | 907.450.8250

  On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:

  Maybe I'm over simplifying this, but for the average user, don't those
  devices have to be activated BEFORE you can see the settings screen?

  Mike

  On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

  This is what we do. While not authenticated to wireless you can still get
  to a few places - Microsoft, apple, Google search, antivirus vendors.

  --
  Hunter Fuller
  OIT

  Sent from my phone.

  On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

  We already have an unencrypted ssid for students to get to our
  onboarding system (Cloudpath). Our plan for this summer is to poke enough
  firewall holes for students to also run through the device activation
  process. If we were to try to impose any kind of device security policies,
  we would do it in the onboarding process.

  On January 8, 2015 5:54:01 PM EST, Britton Anderson
  blanders...@alaska.edu wrote:

  I just wanted to ask the question to see what all of you are doing at
  your institutions to handle users activating new devices. New iOS devices
  for example have to reach out to iCloud to validate themselves and make sure
  they're not stolen. Android now with version 5 is very similar, having to
  reach out to the mothership and join to a Google account.

  Are any of you doing an SSID-Activate WLAN, or requiring clients to
  bring it by your respective Help Desks for activation?

  Right now, we are requiring anyone that wants a device activated to
  have our Desktop techs touch it and give them pointers to secure it.
  However, we've lost some budget, and some employees, and they can't keep a
  guy in the office to handle that influx of people anymore. And I don't want
  the headache of a wide open WLAN everywhere, and none of the devices will
  allow the webauth transaction to happen before the device is activated.
 
  Thanks,
  --Britton
 
 
  Britton Anderson | Senior Network Communications Specialist |
  University of Alaska | 907.450.8250
 
  --
  Sent from my Android device with K-9 Mail. Please excuse my brevity.



RE: [WIRELESS-LAN] New Device Activation WLAN

2015-01-09 Thread Thomas Carter
Same here.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Thursday, January 08, 2015 5:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN


This is what we do. While not authenticated to wireless you can still get to a 
few places - Microsoft, apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT

Sent from my phone.

On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

We already have an unencrypted ssid for students to get to our onboarding
system (Cloudpath). Our plan for this summer is to poke enough firewall holes
for students to also run through the device activation process. If we were to
try to impose any kind of device security policies, we would do it in the
onboarding process.

On January 8, 2015 5:54:01 PM EST, Britton Anderson blanders...@alaska.edu wrote:

I just wanted to ask the question to see what all of you are doing at your 
institutions to handle users activating new devices. New iOS devices for 
example have to reach out to iCloud to validate themselves and make sure 
they're not stolen. Android now with version 5 is very similar, having to reach 
out to the mothership and join to a Google account.

Are any of you doing an SSID-Activate WLAN, or requiring clients to bring it 
by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have our 
Desktop techs touch it and give them pointers to secure it. However, we've lost 
some budget, and some employees, and they can't keep a guy in the office to 
handle that influx of people anymore. And I don't want the headache of a wide 
open WLAN everywhere, and none of the devices will allow the webauth 
transaction to happen before the device is activated.

Thanks,
--Britton

Britton Anderson blanders...@alaska.edu |
Senior Network Communications Specialist |
University of Alaska http://www.alaska.edu/oit |
907.450.8250


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


RE: [WIRELESS-LAN] New Device Activation WLAN

2015-01-08 Thread trent . hurt
7.6 and up have dns acl feature…

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
Sent: Thursday, January 08, 2015 8:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

These devices prompt for a wireless network during the activation process, but 
won't let a webauth succeed.

I like Hunter's idea of adding the Apple/Google/Antivirus sites to the 
pre-webauth ACL. Cisco WLC's won't let you use DNS names for ACL entries, d'oh! 
Is there a known list of these hosts somewhere before I go sniffing wireless 
traffic?

Thanks,
Britton


Britton Anderson blanders...@alaska.edu |
Senior Network Communications Specialist |
University of Alaska http://www.alaska.edu/oit |
907.450.8250

On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:

Maybe I'm over simplifying this, but for the average user, don't those
devices have to be activated BEFORE you can see the settings screen?

Mike

On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

This is what we do. While not authenticated to wireless you can still get to a 
few places - Microsoft, apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT

Sent from my phone.

On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

We already have an unencrypted ssid for students to get to our onboarding
system (Cloudpath). Our plan for this summer is to poke enough firewall holes
for students to also run through the device activation process. If we were to
try to impose any kind of device security policies, we would do it in the
onboarding process.

On January 8, 2015 5:54:01 PM EST, Britton Anderson blanders...@alaska.edu wrote:

I just wanted to ask the question to see what all of you are doing at your 
institutions to handle users activating new devices. New iOS devices for 
example have to reach out to iCloud to validate themselves and make sure 
they're not stolen. Android now with version 5 is very similar, having to reach 
out to the mothership and join to a Google account.

Are any of you doing an SSID-Activate WLAN, or requiring clients to bring it 
by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have our 
Desktop techs touch it and give them pointers to secure it. However, we've lost 
some budget, and some employees, and they can't keep a guy in the office to 
handle that influx of people anymore. And I don't want the headache of a wide 
open WLAN everywhere, and none of the devices will allow the webauth 
transaction to happen before the device is activated.

Thanks,
--Britton

Britton Anderson blanders...@alaska.edu |
Senior Network Communications Specialist |
University of Alaska http://www.alaska.edu/oit |
907.450.8250


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-08 Thread Britton Anderson
These devices prompt for a wireless network during the activation process,
but won't let a webauth succeed.

I like Hunter's idea of adding the Apple/Google/Antivirus sites to the
pre-webauth ACL. Cisco WLCs won't let you use DNS names for ACL entries,
d'oh! Is there a known list of these hosts somewhere before I go sniffing
wireless traffic?

Thanks,
Britton



Britton Anderson blanders...@alaska.edu | Senior Network Communications
Specialist | University of Alaska http://www.alaska.edu/oit | 907.450.8250

On Thu, Jan 8, 2015 at 4:24 PM, Mike King m...@mpking.com wrote:

 Maybe I'm over simplifying this, but for the average user, don't those
 devices have to be activated BEFORE you can see the settings screen?

 Mike

 On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller hf0...@uah.edu wrote:

 This is what we do. While not authenticated to wireless you can still get
 to a few places - Microsoft, apple, Google search, antivirus vendors.

 --
 Hunter Fuller
 OIT

 Sent from my phone.
 On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

 We already have an unencrypted ssid for students to get to our
 onboarding system (Cloudpath). Our plan for this summer is to poke enough
 firewall holes for students to also run through the device activation
 process. If we were to try to impose any kind of device security policies,
 we would do it in the onboarding process.

 On January 8, 2015 5:54:01 PM EST, Britton Anderson 
 blanders...@alaska.edu wrote:

 I just wanted to ask the question to see what all of you are doing at
 your institutions to handle users activating new devices. New iOS devices
 for example have to reach out to iCloud to validate themselves and make
 sure they're not stolen. Android now with version 5 is very similar, having
 to reach out to the mothership and join to a Google account.

 Are any of you doing an SSID-Activate WLAN, or requiring clients to
 bring it by your respective Help Desks for activation?

 Right now, we are requiring anyone that wants a device activated to
 have our Desktop techs touch it and give them pointers to secure it.
 However, we've lost some budget, and some employees, and they can't keep a
 guy in the office to handle that influx of people anymore. And I don't want
 the headache of a wide open WLAN everywhere, and none of the devices will
 allow the webauth transaction to happen before the device is activated.

 Thanks,
 --Britton


 Britton Anderson blanders...@alaska.edu | Senior Network
 Communications Specialist | University of Alaska
 http://www.alaska.edu/oit | 907.450.8250


 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.
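An added example, not part of any list member's post: when the pre-webauth ACL only accepts IP addresses, the allowlist has to be built from DNS answers and re-checked, because the addresses behind a vendor hostname change over time. The hostnames and addresses below are constructed placeholders, and the tuple output is a neutral format assumed for illustration, not WLC syntax.

```python
import ipaddress

# Constructed sample data: A records seen for each allowlisted name on two
# resolver runs. The .example hostnames are placeholders, not real vendor hosts.
RUN_1 = {
    "activate.vendor-a.example": ["198.51.100.10", "198.51.100.11"],
    "login.vendor-b.example": ["203.0.113.4", "203.0.113.5",
                               "203.0.113.6", "203.0.113.7"],
}
RUN_2 = {
    "activate.vendor-a.example": ["198.51.100.10", "198.51.100.12"],
    "login.vendor-b.example": ["203.0.113.4", "203.0.113.5",
                               "203.0.113.6", "203.0.113.7"],
}


def acl_entries(snapshot, ports=(80, 443)):
    """Return (network, netmask, proto, port) permits for every resolved address.

    Addresses are merged only into networks they cover exactly, so the ACL
    never permits an address that DNS did not return.
    """
    hosts = {ipaddress.ip_network(a) for addrs in snapshot.values() for a in addrs}
    nets = ipaddress.collapse_addresses(hosts)
    return [(str(n.network_address), str(n.netmask), "tcp", p)
            for n in nets for p in ports]


def drift(old, new):
    """Per hostname, the addresses that appeared or disappeared between runs."""
    report = {}
    for name in sorted(set(old) | set(new)):
        before, after = set(old.get(name, [])), set(new.get(name, []))
        if before != after:
            report[name] = {"added": sorted(after - before),
                            "removed": sorted(before - after)}
    return report


if __name__ == "__main__":
    for entry in acl_entries(RUN_2):
        print("permit", *entry)
    # A non-empty report means the deployed ACL is stale for those names.
    print(drift(RUN_1, RUN_2))
```

A removed address should be dropped from the ACL as well as the new one added; otherwise the pre-authentication allowlist keeps permitting an address the vendor no longer uses.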



Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-08 Thread Hunter Fuller
This is what we do. While not authenticated to wireless you can still get
to a few places - Microsoft, apple, Google search, antivirus vendors.

-- 
Hunter Fuller
OIT

Sent from my phone.
On Jan 8, 2015 5:11 PM, Frank Sweetser f...@wpi.edu wrote:

 We already have an unencrypted ssid for students to get to our onboarding
 system (Cloudpath). Our plan for this summer is to poke enough firewall
 holes for students to also run through the device activation process. If we
 were to try to impose any kind of device security policies, we would do it
 in the onboarding process.

 On January 8, 2015 5:54:01 PM EST, Britton Anderson 
 blanders...@alaska.edu wrote:

 I just wanted to ask the question to see what all of you are doing at
 your institutions to handle users activating new devices. New iOS devices
 for example have to reach out to iCloud to validate themselves and make
 sure they're not stolen. Android now with version 5 is very similar, having
 to reach out to the mothership and join to a Google account.

 Are any of you doing an SSID-Activate WLAN, or requiring clients to
 bring it by your respective Help Desks for activation?

 Right now, we are requiring anyone that wants a device activated to have
 our Desktop techs touch it and give them pointers to secure it. However,
 we've lost some budget, and some employees, and they can't keep a guy in
 the office to handle that influx of people anymore. And I don't want the
 headache of a wide open WLAN everywhere, and none of the devices will allow
 the webauth transaction to happen before the device is activated.

 Thanks,
 --Britton


 Britton Anderson blanders...@alaska.edu | Senior Network
 Communications Specialist | University of Alaska
 http://www.alaska.edu/oit | 907.450.8250


 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [WIRELESS-LAN] New Device Activation WLAN

2015-01-08 Thread Frank Sweetser
We already have an unencrypted ssid for students to get to our onboarding 
system (Cloudpath). Our plan for this summer is to poke enough firewall holes 
for students to also run through the device activation process. If we were to 
try to impose any kind of device security policies, we would do it in the 
onboarding process.

On January 8, 2015 5:54:01 PM EST, Britton Anderson blanders...@alaska.edu 
wrote:
I just wanted to ask the question to see what all of you are doing at your
institutions to handle users activating new devices. New iOS devices for
example have to reach out to iCloud to validate themselves and make sure
they're not stolen. Android now with version 5 is very similar, having to
reach out to the mothership and join to a Google account.

Are any of you doing an SSID-Activate WLAN, or requiring clients to bring
it by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have
our Desktop techs touch it and give them pointers to secure it. However,
we've lost some budget, and some employees, and they can't keep a guy in
the office to handle that influx of people anymore. And I don't want the
headache of a wide open WLAN everywhere, and none of the devices will allow
the webauth transaction to happen before the device is activated.

Thanks,
--Britton


Britton Anderson blanders...@alaska.edu | Senior Network Communications
Specialist | University of Alaska http://www.alaska.edu/oit | 907.450.8250


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
