RE: Placement mapping of APs

2021-06-24 Thread Sweetser, Frank E.
am Network Engineer Institute for Advanced Study 1 Einstein Dr Princeton, NJ 08540 (m) +1 609-751-7899 (o) +1 609-734-8154 ck...@ias.edu From: "Sweetser, Frank E." <f...@wpi.edu> To: "The EDUCAUSE Wir

RE: [External] [WIRELESS-LAN] Placement mapping of APs

2021-06-24 Thread Sweetser, Frank E.
Having someone go out and put eyes on all of the hardware is also a great chance to check for physical damage - broken mounts, evidence of water leaks, and so on. For extra points, have them take a couple of pictures of each AP for future reference, and to help find any of the more hidden

RE: [EXT] Re: [WIRELESS-LAN] Aruba 8.7 issues

2021-05-18 Thread Sweetser, Frank E.
We've been running 8.7 for a while. There were a few glitches with the "AP won't boot" issue (seems that in some models, it fails to mark the newly upgraded partition as active, so gets stuck in a boot loop) but the last one was painless. We're on 8.7.1.2 right now, and it's been solid.

Re: [EXT] [WIRELESS-LAN] WLAN onboarding

2021-04-07 Thread Sweetser, Frank E.
We are using EAP-TLS. For university owned machines that are joined to Active Directory, we have the domain generate machine and user certificates that are trusted by our RADIUS infrastructure. For other devices, including personally owned, we are using SecureW2. Overall it's been pretty

RE: [EXT] Re: [WIRELESS-LAN] Android 11 Manual Profile Configuration Variable

2021-02-11 Thread Sweetser, Frank E.
I just wanted to chime in with one more catch that we hit on Android. The WPA3 spec contains this language on comparing the client configured domain against the name of the server certificate: "The STA is configured with EAP credentials that explicitly specify a CA root certificate that

RE: [EXT] Re: [WIRELESS-LAN] Dedicated IDS/IPS monitors

2021-02-01 Thread Sweetser, Frank E.
One more point to consider is what wireless standards you want to monitor for. If all you want to monitor is whether or not your clients are getting an acceptable minimum performance level, older hardware can be fine (though as mentioned, Aruba UXI or 7signals will most likely give you

RE: [EXT] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2020-12-18 Thread Sweetser, Frank E.
UCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sweetser, Frank E. Sent: Friday, December 18, 2020 8:49 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] [EXT] R

RE: [EXT] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2020-12-18 Thread Sweetser, Frank E.
I recently performed an upgrade that included about 90 505s, and strongly suspect I hit the same bug on the entire batch - except, of course, for the one that I kept and put in the lab environment. That one stubbornly refused to fail, upgrading flawlessly every time. Has anyone ever heard if

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Sweetser, Frank E.
We have a multi-purpose unencrypted SSID available across campus. When an unregistered device connects, it's dropped into a highly restricted firewall role on the Aruba controller and redirected to a splash page where they can choose the guest option (either self-serve pass creation, or log in

Re: [EXT] [WIRELESS-LAN] Password reset/change guidance

2019-11-06 Thread Sweetser, Frank E.
Personally, I'm a big fan of leveraging certificates for wireless authentication. It completely decouples the username and password once you're past the provisioning process, but you can still tie your RADIUS server into AD to reject people with locked out accounts if you want. Machines on a

Re: [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs

2019-10-09 Thread Sweetser, Frank E
& ISE combo issues (10/09) From: Kitri Waterman <wate...@wwu.edu> * Re: WLC & ISE combo issues (10/09) From: "Heavrin, Lynn" <lheav...@wustl.edu> 2. Aruba Wi-Gi 6 APs * Re: Aruba Wi-Gi 6 APs (10/09) From: Michael Davis mailto:da...@ude

Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs

2019-10-09 Thread Sweetser, Frank E
h SecureW2, but only in the past 10 months and it's encouraged, not required. Did you have to request a custom report from SW2 support for this? I don't see that info available in the standard report templates and they also a 2 month window. On 10/9/19 8:36 AM, Sweetser, Frank E wrote: Are you doin

Re: [WIRELESS-LAN] Your eduroam semi-annual report

2018-07-05 Thread Sweetser, Frank E
I saw some similar rates on the success levels. My guess is that it's because devices that succeed then proceed to go about their business until they have to reauthenticate for some legitimate reason, while ones that don't have correct credentials just continue to hammer away. Frank Sweetser

Re: [WIRELESS-LAN] Aruba 8.0

2018-03-21 Thread Sweetser, Frank E
For what it's worth, we started running the v8 code about a year ago. We did the initial rollout with hands-on help from Aruba engineering as part of the early adopter program, which was very helpful in adapting to the new code. Given how major of an update it was, it's been relatively

Re: [SPF:Probably_Forged] Re: [WIRELESS-LAN] Ruckus?

2018-03-01 Thread Sweetser, Frank E
It's probably new since the last time you looked, but Aruba definitely has all virtual controller options now: http://www.arubanetworks.com/assets/ds/DS_MobilityMaster.pdf http://www.arubanetworks.com/assets/ds/DS_VMC.pdf Frank Sweetser Director of Network Operations Worcester Polytechnic

Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-18 Thread Sweetser, Frank E
"Wrong" is a very slippery term for this kind of flaw. The short version is that the original specification in how the encryption key state machine was not sufficiently tight to prevent this vulnerability from happening. Spoofing certain messages could slip through the protections and allow

Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Sweetser, Frank E
Hi Mike, yes, you're absolutely correct. Looking around the web, it looks like Microsoft and Apple have already released patches, so those who are completely up to date should be safe. Android is more of a mixed bag, but at least Pixel phones should be patched in the November fixes in a few

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-27 Thread Sweetser, Frank E
The canonical answer is to set up Clearpass to do a RADIUS COA to proactively change the device role when its registration status gets updated. That way it should happen pretty much immediately, rather than having to wait for a timeout. Frank Sweetser Director of Network Operations Worcester

Re: Move In/Opening Week- Any Problems?

2017-08-25 Thread Sweetser, Frank E
We were able to complete a couple of major changes in advance of our students moving in. The first is that we completed an upgrade to Aruba 8.1 (brave, I know). We have just under 1,300 APs running on it, mostly 2xx series with a handful of 3xx. We had to upgrade our controllers to a pair

Re: [WIRELESS-LAN] EAP-TLS

2017-08-10 Thread Sweetser, Frank E
The folks at Cloudpath (pre Ruckus/Brocade/Broadcom/Arris) did some good tech field day videos where they talk about why they like to push TLS over PEAP: http://techfieldday.com/companies/cloudpath-networks/ Frank Sweetser Director of Network Operations Worcester Polytechnic Institute "For

Re: [WIRELESS-LAN] ArubaOS 8.X Experiences

2017-06-12 Thread Sweetser, Frank E
I think I can answer at least one question - my understanding is that promiscuous mode is required on the vswitch to support any kind of VRRP, which as you mentioned is used between the MM HA pair. This is a VMware limitation, not unique to the Aruba MM controllers. If you were able to get

Re: [WIRELESS-LAN] ArubaOS 8.X Experiences

2017-06-09 Thread Sweetser, Frank E
p Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Joachim Tingvold <joac...@tingvold.com> Sent: Thursday, June 8, 2017 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ArubaOS 8.X Experiences On 8 Jun 2017, at 19:11, Sweetser, Frank E wrote: > […]

Re: [WIRELESS-LAN] ArubaOS 8.X Experiences

2017-06-08 Thread Sweetser, Frank E
We just finished up a trial period of about six months or so. We put about 120 APs (10% of our total) onto a separate set of loaner controllers running 8.0 code. The APs terminated on a pair of 7210 controllers, and we used a pair of VMMs to manage everything. Overall, it went very well.

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-26 Thread Sweetser, Frank E
We rolled out eduroam a couple of years ago, and like most others appear to, we have it give identical service to our own users. That said, we're planning on keeping both our branded network and eduroam, as there are two cases where we want to broadcast our branded SSID, but not eduroam: -

Re: [WIRELESS-LAN] Helpdesk Troubleshooting of Wireless Issues

2017-03-02 Thread Sweetser, Frank E
3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu SYRACUSE UNIVERSITY syr.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sweetser, Frank E Sent: Thursday, March 02,

Re: [WIRELESS-LAN] Helpdesk Troubleshooting of Wireless Issues

2017-03-02 Thread Sweetser, Frank E
Any possibility of sharing that web page? This sounds like it could be extremely useful! Frank Sweetser Director of Network Operations Worcester Polytechnic Institute "For every problem, there is a solution that is simple, elegant, and wrong." - HL Mencken

Re: [WIRELESS-LAN] Wifi blocking paint?

2017-02-19 Thread Sweetser, Frank E
ong term effectiveness. One of the really nice things about the Veriwave setup was that everything was repeatable. On Thu, Feb 16, 2017 at 8:24 PM, Sweetser, Frank E <f...@wpi.edu> wrote: I don't know that the demand for blocking is significant enough to justif

Re: [WIRELESS-LAN] Wifi blocking paint?

2017-02-16 Thread Sweetser, Frank E
ve internal reflection in the lab. No problem if there’s a normal amount of absorptive material in the room, but could be a problem otherwise. Just my two cents. Chuck From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of

Re: [WIRELESS-LAN] Wifi blocking paint?

2017-02-16 Thread Sweetser, Frank E
tituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sweetser, Frank E Sent: Thursday, February 16, 2017 3:27 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wifi blocking paint? Hi all, we just got word that a p

Wifi blocking paint?

2017-02-16 Thread Sweetser, Frank E
Hi all, we just got word that a professor here wants to start running a certificate program around a wireless lab setup. To mitigate any potential problems from this, we'd like to try to isolate the lab wireless to the one room as much as possible. Does anyone have any recommendations for

Re: [WIRELESS-LAN] Per room wireless

2016-11-04 Thread Sweetser, Frank E
We've moved partially to that, though not completely. Suite based dorms (typically a common room, bathroom, and two or three bedrooms) and apartments get a single AP per suite/apartment. Drywall or thinner brick construction, we typically do every other room. We were able to get a drop in

Re: Anyone else jumping on Aruba 8.0 code?

2016-10-10 Thread Sweetser, Frank E
Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Sweetser, Frank E [mailto:f...@wpi.edu] Sent: Friday, October 7, 2016 10:27 PM Subject: Anyone else jumping on Aruba 8.0 code? Hey all, For those of you who haven't been following the ea

Anyone else jumping on Aruba 8.0 code?

2016-10-07 Thread Sweetser, Frank E
Hey all, For those of you who haven't been following the early code releases from Aruba, AOS 8 is a major upgrade, to the point where there's no actual upgrade path from AOS 6.x. It's got some pretty slick features, though, for those brave enough to jump in and blow a test environment.

Re: [WIRELESS-LAN] Wireless to Wired Bridge

2016-09-15 Thread Sweetser, Frank E
It never went into production for other reasons, but I had very good results testing out Moxa bridges for use with some of our robotics programs. They'll even take certs for EAP-TLS! http://www.moxa.com/product/Industrial_Wireless_LAN.htm Frank Sweetser Director of Network Operations

Re: Wireless clients with dup IP address causing issues.

2016-09-01 Thread Sweetser, Frank E
Have you actually confirmed that both devices are getting the same IP address offered via DHCP, or is it just that one of the clients is using that address without DHCP? If the latter, I would strongly recommend you turn on the enable DHCP feature on your VAPs to prevent statically configured