Cisco Wireless Interface Groups
Hello All,

I recently configured multiple /24 subnets into a wireless interface group on my controllers, in an effort to cut down on multicast as well as increase the IP address space. It seems to be working but DHCP addresses are still being consumed at an alarming rate.

Is anyone else using the interface group feature? and if so is it working as expected?

Thank you in advance!

--
Vikki Cutrone
Network Administrator
Vassar College, Box 13
124 Raymond Ave
Poughkeepsie, NY 12604-0013
845-437-7231

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
SV: [WIRELESS-LAN] Cisco Wireless Interface Groups
What version are you running on your WLC? I know that there were hashing problems on older versions of 7.0 that resulted in that when a client reassociated it didn't come back to its former subnet. Try newer versions of 7.0 or 7.2 and I'll guess that it will work.

It solved my problem. ;)

Cheers
Anders Nilsson
Umeå university
SUNET
Sweden
Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Cisco Wireless Interface Groups
Version 7.2.111.3

That seems to be exactly what is currently happening.

--
Vikki Cutrone
Network Administrator
Vassar College, Box 13
124 Raymond Ave
Poughkeepsie, NY 12604-0013
845-437-7231
Re: Cisco Wireless Interface Groups
On 2/15/2013 2:13 PM, Vikki Cutrone wrote:
> Is anyone else using the interface group feature?

Yes.

> and if so is it working as expected?

Yes. Great feature, happy it finally happened!

-Rick

--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579
About the eduroam configuration on Freeradius
Dear All,

Do you use different radius servers for your local SSID and eduroam SSID?

Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users login with eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) to login with eduroam SSID, could you please explain how to modify the proxy.conf or other configuration files on Freeradius (Linux version)?

Furthermore, we want to block user...@concordia.ca to login with our local SSID, and let user123 login with our local SSID.

Thank you, and have a nice weekend.

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration, IITS-Concordia University
Tel: (514)848-2424 ext. 7664
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
On Feb 15, 2013, at 14:24, Linchuan Yang linchuan.y...@concordia.ca wrote:
> Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users login with eduroam SSID inside our campus.

What we are thinking about doing for local users who connect to eduroam while on campus is to put them into a role on our Aruba controllers that sends them to a captive portal web page that says, "Congratulations! You have successfully configured your device to use the eduroam network! When you travel to another eduroam-enabled institution, you should be all set!"

Something like that anyway.

--
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Cisco Wireless Interface Groups
VLAN select feature is working good here on: 7.2.110.8, 7.4.100.0, 7.4.103.3 and now on 7.3.112.0. ;-)

Just FYI, tried 7.4.100.0 and small issue with RRM (running at low signal strength) and with the 1142 model access points. Patch for the RRM and all was great, seeing more 5GHz N clients with 7.4.103.3 code than on 7.2.x and 7.3.x. The 1142 random rebooting continued though, patch on its way. Went to 7.3.112.0 and all is good since, running on 5508 controllers and AP1242, AP1252, AP1142, AP3502 access points.

jim

On 2/15/2013 2:27 PM, Hurt, Trenton W. wrote:
> http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
>
> "In WLC release 7.2, the VLAN Select feature (which is supported only on the newer WLCs like 5508, WiSM-2, 7500, and 2500) was modified and now supports VLAN Select with a new modified algorithm. In the previous implementation, using the round robin algorithm was causing clients to obtain new IP addresses on every re-association, thus depleting IP addresses fast from the available DHCP pools."
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
On Feb 15, 2013, at 3:24 PM, Linchuan Yang linchuan.y...@concordia.ca wrote:
> Dear All
>
> Do you use different radius servers for your local SSID and eduroam SSID?
>
> Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users login with eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) to login with eduroam SSID, could you please explain how to modify the proxy.conf or other configuration files on Freeradius (Linux version)?

We take a different approach, and use eduroam as our primary SSID campus-wide. That is, all of our local users always connect to eduroam, even when they are not roaming. Our radius server knows they are local because they have our realm in their username, and we can use their other local LDAP attributes to put them into the proper VLAN. Our radius server also puts non-Simon's Rock eduroam users into an eduroam guest VLAN. (We have an open SSID with instructions for connecting to eduroam, and some special case guest VLANs, but no other SSID for our local users.)

The benefit is that our users only ever need to do one wifi config, and eduroam just works when they travel to other federation campuses or to EDU conventions and such, because it is exactly the same wifi config that they use every day on campus.

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
Linchuan,

There is a big drawback to not letting your users join the local eduroam SSID. They won't be able to set up their devices while on campus before traveling.

Having the concordia.ca users joining the eduroam SSID on campus will help them with two aspects of the connectivity:

- Learn to use the REALM (user@realm, in your case realm=concordia.ca)
- Learn to load the proper RADIUS infrastructure certificate on their machine before traveling somewhere else

These two things alone could reduce your help desk calls quite a bit. If you do so, make sure to enforce the REALM requirement from your own users in your RADIUS config (we used to not enforce that at University of Tennessee and ended up with users not being able to use eduroam when traveling).

What you can do (as explained by Steve and Julian) is to filter the concordia.ca users and put them in special VLANs.

For instance: University of Tennessee, Knoxville assigns users with @utk.edu credentials to the same VLAN pool whether they join the eduroam SSID or the ut-wpa2 SSID. The only difference between the two is that users joining eduroam have to use ne...@utk.edu and users on ut-wpa2 can only use netid if they want.

Have a good weekend,

Best,
Philippe Hanset
www.eduroamus.org
RE: [WIRELESS-LAN] About the eduroam configuration on Freeradius
It's pretty common in Europe to only offer the eduroam ssid, and offer visitors 'different' connectivity than local users on it (and have a captive portal containing all the setup etc on an open ssid).

Making it so the wireless configuration is the same whether on campus or at another eduroam site is very popular amongst our academics and students, as it means that in practice, it's set up once, and simply opening the lid on their laptop at another site gets them connectivity.

--
ian
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
Hi,

It is an exceptionally bad idea to do what you're proposing, as it prevents local users from verifying their eduroam configuration actually works at your site before roaming to other sites.

Yes, you can display a test page, but then you have to make sure that every user sets the priority of the SSIDs correctly so that your local SSID has a higher precedence, else every time they reconnect to wireless they'll get the test page.

Many universities have transitioned to a single eduroam SSID which serves both local and remote users. They then assign different VLANs or wireless profiles dynamically based on where the user is authenticating from. This is, IMHO, far easier to support, and far better for the students/staff using the service.

The only argument I've heard against eduroam as the primary SSID is that it reduces awareness of the university brand.

-Arran
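The policy several replies describe (require a realm on eduroam, put local-realm users in the local VLAN, treat other realms as visitors), modelled in Python as an added example; it is not FreeRADIUS configuration and not any poster's code. The realm `example.edu`, the SSID name `campus-wpa2` and the VLAN IDs are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

LOCAL_REALM = "example.edu"               # hypothetical home realm
LOCAL_SSID = "campus-wpa2"                # hypothetical local SSID
VLAN_LOCAL, VLAN_VISITOR = "210", "220"   # constructed VLAN IDs

# Dotted DNS-style realm: at least two labels, no spaces or empty labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


@dataclass
class Decision:
    action: str          # "local" (authenticate here), "proxy" or "reject"
    reason: str
    reply: dict = field(default_factory=dict)   # attributes sent on success


def vlan_reply(vlan_id):
    """RFC 3580 tunnel attributes used for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


def split_realm(user_name):
    """Split on the last '@'; realm is None when the name has no '@'."""
    name = user_name.strip()
    user, sep, realm = name.rpartition("@")
    if not sep:
        return name, None
    return user, realm.lower()            # realms compare case-insensitively


def decide(user_name, ssid):
    """Policy decision taken before EAP authentication proceeds."""
    _user, realm = split_realm(user_name)  # user part may be empty (anonymous outer identity)
    if realm is not None and not REALM_RE.fullmatch(realm):
        return Decision("reject", "malformed realm")

    if ssid == "eduroam":
        if realm is None:
            # Enforced so the same supplicant settings work when roaming.
            return Decision("reject", "realm required on eduroam")
        if realm == LOCAL_REALM:          # exact match, never a suffix match
            return Decision("local", "local user on eduroam", vlan_reply(VLAN_LOCAL))
        # Reply attributes apply only if the home institution accepts.
        return Decision("proxy", "visitor realm", vlan_reply(VLAN_VISITOR))

    if ssid == LOCAL_SSID:
        if realm in (None, LOCAL_REALM):  # bare netid allowed only here
            return Decision("local", "local user on local SSID", vlan_reply(VLAN_LOCAL))
        return Decision("reject", "foreign realm on local SSID")

    return Decision("reject", "unknown SSID")


if __name__ == "__main__":
    for name, ssid in [("user123", "eduroam"), ("user123@example.edu", "eduroam"),
                       ("guest@other.example.org", "eduroam"), ("user123", LOCAL_SSID)]:
        print(f"{name!r:32} {ssid:12} -> {decide(name, ssid)}")
```
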
RE: [WIRELESS-LAN] About the eduroam configuration on Freeradius
We have been using eduroam as our primary SSID since the fall. We could put non @uiowa.edu users in a separate VLAN that appears outside our border, but the actual number of non-Iowa users on campus is so small that it wasn't deemed worth the effort to set up and maintain.

Implementing eduroam as our primary SSID happened to happily coincide with campus encouraging users to use use...@uiowa.edu as their default username in order for them to access cloud services being implemented in the near future.

-Neil
Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Cisco Wireless Interface Groups
As Anders hinted, the mac hashing feature to solve dhcp exhaustion introduced in 7.2 was backported to later versions of 7.0 code (7.0.220.0 perhaps). We're running vlan select happily on 5508s on 7.2 and WiSM-1s on 7.0 and it works well on both.
Re: [WIRELESS-LAN] Cisco Wireless Interface Groups
I've never tried it but ISC dhcp server at some point added a one lease per client feature where the server terminates existing leases associated with a given MAC when it assigns a new address. Infoblox in its most recent release supports this but I've not tried it.

Theoretically at least if you were using ISC or Infoblox this feature would make it so that you wouldn't get dhcp exhaustion with vlan select and without the hashing feature of later WLC releases.
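An added simulation (not from any poster or from Cisco) of why the round-robin VLAN select described in the quoted tech note drains DHCP pools, compared with a MAC-derived choice and with the one-lease-per-client server behaviour mentioned in the message above. Pool sizes, client counts and the SHA-256 hash are assumptions; the controller's real hash is not given in the thread.

```python
import hashlib

VLANS = [101, 102, 103, 104]   # constructed: four /24 VLANs in one interface group
POOL_SIZE = 254                # usable addresses in a /24
CLIENTS = 301                  # constructed client count
REASSOCIATIONS = 4             # associations per client within one lease time


class DhcpPools:
    """Per-VLAN lease tables. Leases never expire inside the simulated window."""

    def __init__(self, vlans, one_lease_per_client=False):
        self.leases = {v: set() for v in vlans}   # vlan -> MACs holding a lease
        self.one_lease_per_client = one_lease_per_client
        self.failures = 0

    def request(self, mac, vlan):
        if mac in self.leases[vlan]:
            return True                      # client renews the lease it already holds
        if self.one_lease_per_client:
            for held in self.leases.values():
                held.discard(mac)            # server drops this MAC's older lease
        if len(self.leases[vlan]) >= POOL_SIZE:
            self.failures += 1               # pool exhausted, client gets no address
            return False
        self.leases[vlan].add(mac)
        return True

    def total(self):
        return sum(len(held) for held in self.leases.values())


class RoundRobin:
    """Older behaviour as described in the thread: next VLAN on every association."""

    def __init__(self, vlans):
        self.vlans, self.counter = vlans, 0

    def pick(self, mac):
        vlan = self.vlans[self.counter % len(self.vlans)]
        self.counter += 1
        return vlan


class MacHash:
    """Deterministic choice from the client MAC (SHA-256 is a stand-in hash)."""

    def __init__(self, vlans):
        self.vlans = vlans

    def pick(self, mac):
        digest = hashlib.sha256(mac.encode()).digest()
        return self.vlans[int.from_bytes(digest[:4], "big") % len(self.vlans)]


def run(selector, pools):
    """Return (leases held, failed requests) after every client re-associates."""
    # Constructed, locally administered MAC addresses.
    macs = [f"02:00:00:00:{k >> 8:02x}:{k & 0xff:02x}" for k in range(CLIENTS)]
    for _ in range(REASSOCIATIONS):
        for mac in macs:
            pools.request(mac, selector.pick(mac))
    return pools.total(), pools.failures


if __name__ == "__main__":
    print("round robin          ", run(RoundRobin(VLANS), DhcpPools(VLANS)))
    print("MAC hash             ", run(MacHash(VLANS), DhcpPools(VLANS)))
    print("round robin + 1 lease", run(RoundRobin(VLANS), DhcpPools(VLANS, True)))
```

With round robin, 301 clients fill all 1016 addresses by the fourth association and later requests fail; the other two cases stay at one lease per client.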