Re: [WIRELESS-LAN] eduroam question(s)
On Nov 13, 2012, at 09:11 , Hanset, Philippe C phan...@utk.edu wrote: For sanity, we will only pass to you *.northwestern.edu or other domains that you own and would like to be resolved e.gnorthwestern-1.edu Are there any stats available as to how many institutions are using a different eduroam domain than their regular top-level DNS domain? I'm thinking about tossing together a quick surveymonkey survey to collect some of this info if it's not available. -- Julian Y. Koh Manager, Network Transport, Telecommunications and Network Services Northwestern University Information Technology (NUIT) 2001 Sheridan Road #G-166 Evanston, IL 60208 847-467-5780 NUIT Web Site: http://www.it.northwestern.edu/ PGP Public Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
Julian, I can answer that for you. All Universities connected to the eduroam-US server are only using domains that they own, and in the form *.domainowned.edu. Some use multiple domains (e.g. utk.edu and tennessee.edu), but all are owned by the University. Best, Philippe Hanset www.eduroamus.org On Nov 14, 2012, at 12:14 PM, Julian Y Koh kohs...@northwestern.edu wrote: On Nov 13, 2012, at 09:11 , Hanset, Philippe C phan...@utk.edu wrote: For sanity, we will only pass to you *.northwestern.edu or other domains that you own and would like to be resolved e.gnorthwestern-1.edu Are there any stats available as to how many institutions are using a different eduroam domain than their regular top-level DNS domain? I'm thinking about tossing together a quick surveymonkey survey to collect some of this info if it's not available. -- Julian Y. Koh Manager, Network Transport, Telecommunications and Network Services Northwestern University Information Technology (NUIT) 2001 Sheridan Road #G-166 Evanston, IL 60208 847-467-5780 NUIT Web Site: http://www.it.northwestern.edu/ PGP Public Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] eduroam question(s)
On the metrics, is there any way of showing how many of the Eduroam clients are bona ride visitors versus your own clients on the Eduroam SSID? That's the real delta I'm curious about in general- how many true visitors using it. Thanks, Lee Lee H. Badman Network Architect/Wireless TME ITS, Syracuse University 315.443.3003 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jason Cook [jason.c...@adelaide.edu.au] Sent: Monday, November 12, 2012 11:33 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam question(s) We keep statistics for eduroam, have attached graphs of monthly unique users for viewing. May 2011 had a large spike, this was a single person who had a new randomly generated outer identity for every authentication. We have considered just using eduroam as an SSID, but there is definitely a preference internally to keep some branding in the air. We also border with another University, if we only offered eduroam then there could be some big issues for users who get good signal from both networks. The final point of interest on that is quality of service. Do people implement a different qos for eduroam over their own network? I'm not sure on implementing qos for radius assigned networks within 1 SSID, e.g. within wireless can vlan x be provided with a different qos than vlan y for a given SSID. Not something we've ever looked into. -- Jason Cook Technology Services The University of Adelaide, AUSTRALIA 5005 Ph: +61 8 8313 4800 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Tuesday, 13 November 2012 1:12 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam question(s) Also... Does anyone get a bit turned off about having yet another SSID in the air, or debranding your own in favor of pushing Eduroam as your SSID? Again, just wondering. Let's task Phillipe with figuring out a way to make the Eduroam underpinnings work automagically with any SSID we choose. Can we get that by Friday? On Nov 12, 2012, at 21:36, Lee H Badman lhbad...@syr.edu wrote: Nah, just like to understand the benefit before making changes. Trying to gage how many nomadic WLAN users are really roaming from school to school, as opposed to users connecting to it on their own campus. Seems like a fair exercise:) Sent from an Etch-a-Sketch. Please excuse squiggly lines. On Nov 12, 2012, at 19:44, Hanset, Philippe C phan...@utk.edu wrote: On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. How can you beat instant authentication with encryption over the air? Even an open network doesn't give that! I walk on a campus and my phone automatically switches from 3G to Wi-Fi for Data, not hitting my less than adequate quotas You are the hardest man to convince Lee ;-) Philippe Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username
RE: [WIRELESS-LAN] eduroam question(s)
-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C Sent: 13 November 2012 00:35 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam question(s) ... We have the stats but are not publishing institution specific them for privacy reasons. http://www.eduroamus.org/node/232 I have testimonials from Schools like UCSD and UChicago that immediately noticed hundreds of visitors on their campuses. Drexel University, for instance, had 40 eduroam users the first day they turned the SSID on. In general large institutions are amazed at how many eduroam visitors they have on campus. This said, the largest benefit is to make your campus population compatible with locations that heavily use eduroam (e.g. if your study abroad students go to Europe or Australia). There are places in Europe that make very difficult to use anything else than eduroam. ...we would probably count as one of those institutions ;) A graph of our weekly users here/there/visitors-here is on this page: http://www.wireless.bris.ac.uk/eduroam/#graph eduroam is the only SSID we offer to our staff/students. We've also got a graph that shows a monthly snapshot of where visitors come from: http://www.wireless.bris.ac.uk/gfx/random/eduroamvisitors.png It's definitely true that there is a critical mass point at which point most places have it, users start to expect it, and usage rises rapidly. Kind regards, James -- James J J Hooper Senior Network Specialist, University of Bristol http://wireless.bristol.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
For sanity, we will only pass to you *.northwestern.edu or other domains that you own and would like to be resolved e.g northwestern-1.edu On Nov 13, 2012, at 9:24 AM, Julian Y Koh kohs...@northwestern.edu wrote: On Nov 12, 2012, at 18:34 , Hanset, Philippe C phan...@utk.edu wrote: To answer the sub-domain question: we pass to your University everything in the form @*.university.edu So you decide what to do. But that's still not recommended as per the eduroam best practices? Is there a requirement that the university.edu match what we actually use? i.e., could we do something like nu-eduroam.edu instead of northwestern.edu? (note: I'm not saying that would be a good idea, just trying to understand what's possible :) ) -- Julian Y. Koh Manager, Network Transport, Telecommunications and Network Services Northwestern University Information Technology (NUIT) 2001 Sheridan Road #G-166 Evanston, IL 60208 847-467-5780 NUIT Web Site: http://www.it.northwestern.edu/ PGP Public Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
James, That's a cool graph. What tool(s) did you use to create it? Thanks. -Neil -- Neil Johnson Network Engineer The University of Iowa Phone: 319 384-0938 Fax: 319 335-2951 Mobile: 319 540-2081 E-Mail: neil-john...@uiowa.edu On 11/13/12 5:26 AM, James JJ Hooper jjj.hoo...@bristol.ac.uk wrote: -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C Sent: 13 November 2012 00:35 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam question(s) ... We have the stats but are not publishing institution specific them for privacy reasons. http://www.eduroamus.org/node/232 I have testimonials from Schools like UCSD and UChicago that immediately noticed hundreds of visitors on their campuses. Drexel University, for instance, had 40 eduroam users the first day they turned the SSID on. In general large institutions are amazed at how many eduroam visitors they have on campus. This said, the largest benefit is to make your campus population compatible with locations that heavily use eduroam (e.g. if your study abroad students go to Europe or Australia). There are places in Europe that make very difficult to use anything else than eduroam. ...we would probably count as one of those institutions ;) A graph of our weekly users here/there/visitors-here is on this page: http://www.wireless.bris.ac.uk/eduroam/#graph eduroam is the only SSID we offer to our staff/students. We've also got a graph that shows a monthly snapshot of where visitors come from: http://www.wireless.bris.ac.uk/gfx/random/eduroamvisitors.png It's definitely true that there is a critical mass point at which point most places have it, users start to expect it, and usage rises rapidly. Kind regards, James -- James J J Hooper Senior Network Specialist, University of Bristol http://wireless.bristol.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
On Nov 12, 2012, at 20:55, Jeff Kell jeff-k...@utc.edu wrote: On 11/12/2012 9:41 PM, Lee H Badman wrote: Also... Does anyone get a bit turned off about having yet another SSID in the air, or debranding your own in favor of pushing Eduroam as your SSID? Again, just wondering. Let's task Phillipe with figuring out a way to make the Eduroam underpinnings work automagically with any SSID we choose. Can we get that by Friday? Ah hah... it's a battle of the Oranges :) If you have separate SSIDs you can get better statistics, I suppose; but perhaps your Radius can drop them in different buckets. For us it was a combination of things, primarily having our production 1X being NAC-enforced and role-based (requiring an agent, and proxying Radius through the NAC controller), whereas the eduroam SSID is off-the-grid (and also locked down by the eduroam firewall recommendations). We have separate Eduroam and local (IllinoisNet) .1x networks. Partly because we had already fully deployed, documented and pushed the IllinoisNet SSID, and partly because we treat Eduroam differently. Our security group didn't want the Eduroam SSID on the same network with all our campus users, and our Eduroam deployment has all the required ports open, but not any extra. That way when people travel to other schools, they're never disappointed by what works -- anything they test on Eduroam here before they leave should work anywhere. We don't have a large number of Eduroam users, Champaign-Urbana is pretty much in the middle of no-where (unlike Chicago locations :-), but we get a small but somewhat regular set of happy emails from our own faculty and from visitors saying that they were traveling (or visiting) and Eduroam just worked for them. Since it's not a heavy support load for us, it's a nice thing to be able to provide. Additionally, we don't have a unified SSID across our campuses (each campus does it's own IT support), and since we already had Eduroam, the other campuses are doing that (have done that?) so that staff that do move between campuses have an easy way to do so. Jeff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- -debbie Debbie Fligor, n9dn Lead Network Engineer, CITES, Univ. of Il email: fli...@illinois.edu Every keystroke can be monitored. And the computers never forget. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
Hey Julian, We recently went through this after cranking up eduroam officially this past fall. We have similar points of confusion, plus a bonus. Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this? As an alternative, has anyone looking into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :) Thanks!! ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. Lee Badman On Nov 12, 2012, at 18:27, Jeff Kell jeff-k...@utc.edu wrote: Hey Julian, We recently went through this after cranking up eduroam officially this past fall. We have similar points of confusion, plus a bonus. Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this? As an alternative, has anyone looking into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :) Thanks!! ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
In Nov 12, 2012, at 6:26 PM, Jeff Kell wrote: I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Sorry, what's the benefit of not using eduroam for production .1X? For us it is a key feature that the same wifi setup our people use here on campus will just work with absolutely no changes at any eduroam campus. (Of course, it does take some extra user training to get them to include the domain for their eduroam login but not for any other on-campus logins, but having a different production SSID wouldn't help any on that.) Steve Bohrer Network Admin Bard College at Simon's Rock 413-528-7645 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
On 11/12/2012 6:39 PM, Lee H Badman wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. Well, again, I have a biased answer. I think all of our (UT) campuses have eduroam available. If for no other benefit, it certainly makes inter-campus visits much more pleasant to have working wireless when you arrive :) And guest access requests from other UT visitors have dropped significantly. Most of the issues where it doesn't work is due to the visitor not having their device configured properly (certificate issues, or Windows defaulting to computer authentication via AD). We use XpressConnect for our dot-1X setup, and it uses the same Radius server as eduroam. If you are setup for our dot-1X, eduroam will just work. If you are not, it probably won't. The certificate checks are against your home server, regardless of where you actually are connecting from. I don't have accurate statistics at the moment as we are currently dropping eduroam folks into a wireless role shared by another group or two (plan to adjust that soon). Jeff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
On Nov 12, 2012, at 6:39 PM, Lee H Badman wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. Not actual stats, but we are so tiny that anecdote covers pretty much all of our cases. As it happens, last summer when we were first testing eduroam, and had it deployed only to one AP in our office, we got an email from a math prof who was going to a conference in Germany. The advance material they sent her suggested that eduroam was the best way to connect at the conference campus, and she wanted to know if we had that. So, we got her connected to on our test AP, and it worked for her in both Germany and Scotland. More recently, a few IT and Library staff used it at the EDUCAUSE conference. Thus, so far, only about 2% of our users have connected to Eduroam at a remote site. We've not noticed any eduroam guests here yet, but we are small and out of the way. My sense is that in the US it is still very much in the chicken-and- egg stage: It is not so useful yet, because it is not so widely deployed; and thus no one feels the need to deploy it. However, looks like in Europe there is very solid coverage, so I assume that it is more heavily used there. I hope enough people deploy it to make it more widely useful here, but even if not, it's useful enough: I haven't really seen any downside to our deployment, as we already were doing 802.1x, so it was not much effort to change to a new SSID. Thus, even if the benefit is only for the occasional professor or student traveling overseas, it seems useful enough to cover the hassle of deployment. (Also, being in the club seems pretty cool to me :-) Steve Bohrer Network Admin Bard College at Simon's Rock 413-528-7645 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
... We have the stats but are not publishing institution specific them for privacy reasons. http://www.eduroamus.org/node/232 I have testimonials from Schools like UCSD and UChicago that immediately noticed hundreds of visitors on their campuses. Drexel University, for instance, had 40 eduroam users the first day they turned the SSID on. In general large institutions are amazed at how many eduroam visitors they have on campus. This said, the largest benefit is to make your campus population compatible with locations that heavily use eduroam (e.g. if your study abroad students go to Europe or Australia). There are places in Europe that make very difficult to use anything else than eduroam. To answer the using eduroam as the main 1X network, we have seen schools doing that very successfully. (your are definitely ready to roam...just by using it at your school) Here at UT Knoxville, we have opted to still keep the UTK branded 1x network and the eduroam network together for a while with the idea of getting rid of the UTK 1x (called ut-wpa2) in the future. In reality this is just a beaconing difference...in the back we resolve people that join eduroam with @utk.edu credentials to the exact same VLANs as the people joining ut-wpa2. To answer the sub-domain question: we pass to your University everything in the form @*.university.edu So you decide what to do. If you have alias issues, in some cases, an installer like Xpressconnect can be very helpful Best Philippe Hanset www.eduroamus.org (eduroam is now an Internet2 NET+ Service) On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. Lee Badman On Nov 12, 2012, at 18:27, Jeff Kell jeff-k...@utc.edu wrote: Hey Julian, We recently went through this after cranking up eduroam officially this past fall. We have similar points of confusion, plus a bonus. Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this? As an alternative, has anyone looking into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :) Thanks!! ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion
Re: [WIRELESS-LAN] eduroam question(s)
On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. How can you beat instant authentication with encryption over the air? Even an open network doesn't give that! I walk on a campus and my phone automatically switches from 3G to Wi-Fi for Data, not hitting my less than adequate quotas You are the hardest man to convince Lee ;-) Philippe Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this? As an alternative, has anyone looking into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :) Thanks!! ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
On 11/12/2012 6:39 PM, Lee H Badman wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. We don't have any officially generated stats but a quick check of the numbers for this month shows we've had about 2000 traditional guests and 500 eduroam guests. The advantage eduroam guests had is that they were pre-approved before coming to campus and their devices were already setup. Our guest system is a little clunky and could use some cleanup, but it will never just work like eduroam does for it's users. We also get good feedback from our faculty and staff who visit other institutions, and that is hard to quantify with stats. So far this month about 150 of our folks have authenticated at other eduroam sites. -Karl ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
Nah, just like to understand the benefit before making changes. Trying to gage how many nomadic WLAN users are really roaming from school to school, as opposed to users connecting to it on their own campus. Seems like a fair exercise:) Sent from an Etch-a-Sketch. Please excuse squiggly lines. On Nov 12, 2012, at 19:44, Hanset, Philippe C phan...@utk.edu wrote: On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. How can you beat instant authentication with encryption over the air? Even an open network doesn't give that! I walk on a campus and my phone automatically switches from 3G to Wi-Fi for Data, not hitting my less than adequate quotas You are the hardest man to convince Lee ;-) Philippe Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this? As an alternative, has anyone looking into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :) Thanks!! ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
Also... Does anyone get a bit turned off about having yet another SSID in the air, or debranding your own in favor of pushing Eduroam as your SSID? Again, just wondering. Let's task Phillipe with figuring out a way to make the Eduroam underpinnings work automagically with any SSID we choose. Can we get that by Friday? On Nov 12, 2012, at 21:36, Lee H Badman lhbad...@syr.edu wrote: Nah, just like to understand the benefit before making changes. Trying to gage how many nomadic WLAN users are really roaming from school to school, as opposed to users connecting to it on their own campus. Seems like a fair exercise:) Sent from an Etch-a-Sketch. Please excuse squiggly lines. On Nov 12, 2012, at 19:44, Hanset, Philippe C phan...@utk.edu wrote: On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. How can you beat instant authentication with encryption over the air? Even an open network doesn't give that! I walk on a campus and my phone automatically switches from 3G to Wi-Fi for Data, not hitting my less than adequate quotas You are the hardest man to convince Lee ;-) Philippe Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this? As an alternative, has anyone looking into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :) Thanks!! ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
On 11/12/2012 9:41 PM, Lee H Badman wrote: Also... Does anyone get a bit turned off about having yet another SSID in the air, or debranding your own in favor of pushing Eduroam as your SSID? Again, just wondering. Let's task Phillipe with figuring out a way to make the Eduroam underpinnings work automagically with any SSID we choose. Can we get that by Friday? Ah hah... it's a battle of the Oranges :) If you have separate SSIDs you can get better statistics, I suppose; but perhaps your Radius can drop them in different buckets. For us it was a combination of things, primarily having our production 1X being NAC-enforced and role-based (requiring an agent, and proxying Radius through the NAC controller), whereas the eduroam SSID is off-the-grid (and also locked down by the eduroam firewall recommendations). Jeff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] eduroam question(s)
Done. It's called 802.11u which is now part of 802.11 The SSID will soon be irrelevant anyway. All you will do is a Roaming Operator challenge! Philippe On Nov 12, 2012, at 9:41 PM, Lee H Badman lhbad...@syr.edu wrote: Also... Does anyone get a bit turned off about having yet another SSID in the air, or debranding your own in favor of pushing Eduroam as your SSID? Again, just wondering. Let's task Phillipe with figuring out a way to make the Eduroam underpinnings work automagically with any SSID we choose. Can we get that by Friday? On Nov 12, 2012, at 21:36, Lee H Badman lhbad...@syr.edu wrote: Nah, just like to understand the benefit before making changes. Trying to gage how many nomadic WLAN users are really roaming from school to school, as opposed to users connecting to it on their own campus. Seems like a fair exercise:) Sent from an Etch-a-Sketch. Please excuse squiggly lines. On Nov 12, 2012, at 19:44, Hanset, Philippe C phan...@utk.edu wrote: On Nov 12, 2012, at 6:39 PM, Lee H Badman lhbad...@syr.edu wrote: Does anyone keep stats on how much your Eduroam efforts get used? Like, other than just being in the club, is it really providing benefits that an easy-to-use guest network wouldn't? Not being snarky, but genuinely wondering. How can you beat instant authentication with encryption over the air? Even an open network doesn't give that! I walk on a campus and my phone automatically switches from 3G to Wi-Fi for Data, not hitting my less than adequate quotas You are the hardest man to convince Lee ;-) Philippe Our email addresses are first-l...@utc.edu unless there are conflicts, in which case we use a middle initial or a suffix. Our official UTCid is a rather arbitrary string (3 letters, 3 numbers, where that came from don't ask me, it was back in the no-SSNs conversion). The directory key / userID is in fact the UTCid, and is typically used as a login for everything. It's also the Active Directory ID. And now the bonus... the AD domain is in fact utc.tennessee.edu (we're a branch of the state's tennessee.edu domain), so there's already some confusion as to using the tennessee.edu versus utc.edu. Even worse... there are root forest entries for ut...@tennessee.edu as well as @utc.tennessee.edu. And of course UTK started the whole eduroam thing, and they're already taking tennessee.edu as local :( although they still take utk.edu as well. So we more or less got stuck with ut...@utc.edu to avoid the domain/realm confusion with the big orange one. I would advise you rig up your local .1X to authenticate with your fully-qualified eduroam username, just so users can consistently login with the same credentials (assuming you're not using eduroam for production .1X). Jeff On 11/12/2012 6:11 PM, Julian Y Koh wrote: So we're looking at an eduroam deployment here, and one question that has come up is one of credentials. Here at NU, we have 2 identifiers - the NetID and the alias. All of the directories and the like are keyed off of the NetID, which does not have to be the same as the alias. Top-level email addresses take the form alias@northwestern.edu. Under a basic default eduroam deployment, a user would use netid@northwestern.edu as his/her username to authenticate to the wireless network. This is not 100% ideal from an end user point of view, though, since that could potentially lead to some confusion since at least here, netid rarely is the same as alias. Obviously, at some schools, netid = alias, so this is a moot point, but have other schools encountered support/documentation issues because of this? As an alternative, has anyone looking into using a subdomain for the realm? i.e., netid@eduroam.northwestern.edu? I tried going through the FAQs and documentation at http://www.eduroamus.org/, and there is some mention of avoiding subdomains at http://www.eduroamus.org/node/29. Personally, I think with good enough documentation we should be able to do the standard netid@northwestern.edu without a lot of trouble, but we also need to do due diligence and explore these options. :) Thanks!! ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can