RE: Servers on Guest Networks
Add Amazon Echo. We had the first one of those last Fall.

Mike Cunningham
Penn College

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Monday, June 13, 2016 7:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Servers on Guest Networks

On our non-802.1x network, we have

Game consoles & handhelds (Sony, Microsoft, Nintendo)
Windows phones
Apple TV, Chromecast, Roku, etc.
Internet connected televisions
e-Readers

That is just a quick list from my memory.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: Servers on Guest Networks
On our non-802.1x network, we have

Game consoles & handhelds (Sony, Microsoft, Nintendo)
Windows phones
Apple TV, Chromecast, Roku, etc.
Internet connected televisions
e-Readers

That is just a quick list from my memory.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Curtis K. Larsen [mailto:curtis.k.lar...@utah.edu]
Sent: Wednesday, June 8, 2016 5:53 PM
Subject: Re: Servers on Guest Networks

Interesting Hunter,

Are the Xboxes the only use case causing you to look at this? I'm trying to identify as many use cases as possible before we apply the inbound deny. Let me know.

Thanks,

Curtis
RE: [WIRELESS-LAN] Servers on Guest Networks
I have a couple of concerns with solutions like that. Why special treatment for Xboxes? Or would this be open to anything a student wanted to place on there? And are you setting up unrealistic expectations of workarounds for anything that doesn't play nice on the network? Maybe it boils down to fairness to me - spend time and energy (and IP space) for a subset of our students. Is that fair? I don't know, but it's something to think about.

Thomas Carter
Network & Operations Manager
Austin College

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Wednesday, June 8, 2016 4:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Servers on Guest Networks

We are looking at giving users the option to use a wide-open ESSID for their Xboxes. The user would register the MAC, and we would put them into a wide-open-inbound area with public addresses, for the best experience. But we would limit some outgoing stuff (Google, our LMS, etc.) to try to nudge people toward eduroam (our 802.1X solution). None of this is in production but it's the direction I think we are leaning when we discontinue our legacy PSK ESSIDs.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
Re: [WIRELESS-LAN] Servers on Guest Networks
Interesting Hunter,

Are the Xboxes the only use case causing you to look at this? I'm trying to identify as many use cases as possible before we apply the inbound deny. Let me know.

Thanks,

Curtis

On Wed, June 8, 2016 3:45 pm, Hunter Fuller wrote:
> We are looking at giving users the option to use a wide-open ESSID for their Xboxes. The user would register the MAC, and we would put them into a wide-open-inbound area with public addresses, for the best experience. But we would limit some outgoing stuff (Google, our LMS, etc.) to try to nudge people toward eduroam (our 802.1X solution). None of this is in production but it's the direction I think we are leaning when we discontinue our legacy PSK ESSIDs.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
Re: [WIRELESS-LAN] Servers on Guest Networks
We are looking at giving users the option to use a wide-open ESSID for their Xboxes. The user would register the MAC, and we would put them into a wide-open-inbound area with public addresses, for the best experience. But we would limit some outgoing stuff (Google, our LMS, etc.) to try to nudge people toward eduroam (our 802.1X solution). None of this is in production but it's the direction I think we are leaning when we discontinue our legacy PSK ESSIDs.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen wrote:
> Hello,
>
> We're looking at a default deny inbound and possibly opening ports as required later on the guest wireless network. If you have already done this I am curious to know what you and your user community defined as being required on the guest network.
>
> I think primary drivers might include devices that are not capable of WPA2-Enterprise *and* needing to run a service. Google cloud printers come to mind, someone also mentioned multi-player Xbox? Do you have other examples or use cases for allowing services like http/https from the internet to your guest wireless network? If so, please share.
>
> Thanks,
>
> Curtis
Re: [WIRELESS-LAN] Servers on Guest Networks
Very good point Jeff. I may be worrying for nothing.

Thanks,

Curtis

On Wed, June 8, 2016 11:22 am, Jeffrey D. Sessler wrote:
> Most of the IoT devices use external cloud services, where the device establishes a connection outbound with the external service. As such, your typical “established” rules take care of the rest. For something like the XBOX, the games tend to pick the best host for multiplayer (if it’s doing xbox<->xbox communications), so it will take the one that’s wide open vs one that is blocking all inbound connections (MS calls it strict NAT). Pretty much any XBOX on a home network is going to use UPnP to open up all the necessary ports, allowing a “strict NAT” XBOX to connect to it.
>
> Even for something like Google Cloud Print – the device e.g. Printer, opens an outbound connection to Google, and communication happens over that persistent connection. Again, as long as your firewall/ACL has an allow for established connections, this works as it should. It’s always the device establishing the outbound connection rather than the external service trying to establish an inbound connection.
>
> If anything, the need to poke holes is diminishing. Device/service companies realize that the average person isn’t going to know how to poke holes in their router, and a corporation is unlikely to do so at all. Thus, everything is about the device establishing the connection outbound, and communication occurring on that persistent connection.
>
> Jeff
>
> On 6/8/16, 8:37 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu> wrote:
>
> So today we have the 1x student, faculty, staff network, and the open guest network only. So essentially the "guest" network doubles as the non-1x option. We are contemplating a PSK network that could accommodate registered non-1x devices for students in student housing areas for example and that could solve some of these problems, but that is farther out and not the main point of my post.
>
> My original question was for those that do have the default deny inbound already (and it sounds like the majority are doing this). What are the top requests that you get for exceptions to the rule, if any? We want to forecast a little and understand what might break when we add the deny inbound. And, yes we've been looking at flow data and AVC data from the WLC.
>
> My concern is that particularly in housing areas (but also some on campus) the number of devices that act like a server in some way, requiring inbound connections is probably growing. The multi-player xbox explanation is interesting. Any other common examples you've seen?
>
> Thanks,
>
> Curtis
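[Added example, not part of any list member's message.] The message above describes how an "allow established" rule covers devices that connect outbound, and mentions using flow data to forecast what a default deny inbound would break. One way to do that forecast is to replay flow records through that policy and list the guest devices and ports that only ever see outside-initiated traffic. The guest subnet, the state timeout and every flow record below are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

GUEST_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed guest wireless subnet

# Constructed flow records (not real data): (start_seconds, proto, src, sport, dst, dport)
FLOWS = [
    (1, "tcp", "10.20.1.15", 51000, "203.0.113.10", 443),   # printer opens a cloud session
    (2, "tcp", "203.0.113.10", 443, "10.20.1.15", 51000),   # cloud replies on that session
    (3, "udp", "198.51.100.7", 40000, "10.20.2.30", 3074),  # outside peer contacts a hosting console
    (4, "tcp", "192.0.2.99", 55000, "10.20.3.40", 80),      # outside client contacts a guest web server
    (5, "udp", "10.20.2.31", 3074, "198.51.100.8", 3074),   # console joins someone else's game
    (6, "udp", "198.51.100.8", 3074, "10.20.2.31", 3074),   # the host replies to the joining console
]


def is_guest(ip):
    """True when the address belongs to the guest wireless subnet."""
    return ipaddress.ip_address(ip) in GUEST_NET


def forecast_denies(flows, idle_timeout=300):
    """Replay flows through 'allow established, deny all other inbound'.

    Returns {(guest_ip, proto, guest_port): count} for inbound flows that no
    earlier outbound flow from the guest device accounts for.
    idle_timeout (seconds) is an assumed firewall state-table lifetime.
    """
    state = {}                 # (proto, guest_ip, guest_port, remote_ip, remote_port) -> last seen
    denied = defaultdict(int)
    for ts, proto, src, sport, dst, dport in sorted(flows):
        if is_guest(src) and not is_guest(dst):
            # Outbound from a guest device: create or refresh the state entry.
            state[(proto, src, sport, dst, dport)] = ts
        elif is_guest(dst) and not is_guest(src):
            # Inbound: allowed only as return traffic for a live state entry.
            key = (proto, dst, dport, src, sport)
            last = state.get(key)
            if last is not None and ts - last <= idle_timeout:
                state[key] = ts
            else:
                denied[(dst, proto, dport)] += 1
    return dict(denied)


if __name__ == "__main__":
    for (ip, proto, port), n in sorted(forecast_denies(FLOWS).items()):
        print(f"{ip} {proto}/{port}: {n} inbound flow(s) would be dropped")
```

The printer and the console that joins a game are unaffected; only the console hosting a game and the guest web server show up. A return flow that arrives after the state entry has idled out is also counted, which is the case to watch for devices that rely on a long-lived outbound connection.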
Re: [WIRELESS-LAN] Servers on Guest Networks
So today we have the 1x student, faculty, staff network, and the open guest network only. So essentially the "guest" network doubles as the non-1x option. We are contemplating a PSK network that could accommodate registered non-1x devices for students in student housing areas for example and that could solve some of these problems, but that is farther out and not the main point of my post.

My original question was for those that do have the default deny inbound already (and it sounds like the majority are doing this). What are the top requests that you get for exceptions to the rule, if any? We want to forecast a little and understand what might break when we add the deny inbound. And, yes we've been looking at flow data and AVC data from the WLC.

My concern is that particularly in housing areas (but also some on campus) the number of devices that act like a server in some way, requiring inbound connections is probably growing. The multi-player xbox explanation is interesting. Any other common examples you've seen?

Thanks,

Curtis

On Wed, June 8, 2016 7:59 am, Thomas Carter wrote:
> What do you consider a "guest" network? I ask, because we have a "guest" network that is just for use by people not directly associated with the college (i.e. not faculty, staff, or a student). Saying that, we don't have enough public IP space to give out public IPs or even 1-1 nat, so all traffic (guest and internal) uses traditional NAT with default deny inbound. The only real issues we've had are related to Xbox multiplayer; the person on campus cannot host the game, but can join someone else's game. With so many free/cheap cloud options, things like physical "servers" run by students seem to be a thing of the past.
>
> Thomas Carter
> Network & Operations Manager
> Austin College
RE: [WIRELESS-LAN] Servers on Guest Networks
We do not allow servers on the wireless network, guest or the 802.1X SSID's. Our wireless is all IPv4 private addressing, with NAT, and our Juniper SRX firewall does not allow inbound connections.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Tuesday, June 07, 2016 6:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Servers on Guest Networks

Hello,

We're looking at a default deny inbound and possibly opening ports as required later on the guest wireless network. If you have already done this I am curious to know what you and your user community defined as being required on the guest network.

I think primary drivers might include devices that are not capable of WPA2-Enterprise *and* needing to run a service. Google cloud printers come to mind, someone also mentioned multi-player Xbox? Do you have other examples or use cases for allowing services like http/https from the internet to your guest wireless network? If so, please share.

Thanks,

Curtis
Servers on Guest Networks
Hello,

We're looking at a default deny inbound and possibly opening ports as required later on the guest wireless network. If you have already done this I am curious to know what you and your user community defined as being required on the guest network.

I think primary drivers might include devices that are not capable of WPA2-Enterprise *and* needing to run a service. Google cloud printers come to mind, someone also mentioned multi-player Xbox? Do you have other examples or use cases for allowing services like http/https from the internet to your guest wireless network? If so, please share.

Thanks,

Curtis