RE: Eapol-Rate-Optimization
Are you sure the CRL server is accessible from the client? Turning off that check sound like added security risk. From: Marcelo Lew [mailto:marcelo@du.edu] Sent: Wednesday, December 4, 2013 11:32 AM Subject: Re: Eapol-Rate-Optimization We also tried EAPOL-rate-opt. It did help with the Mac roaming issue, but it adds too much overhead and affects throughput quite a bit. We are on 6.3.1.1, and I still see the issue (testing on Macbook running Mavericks). Only fix that worked (per user fix) for us, is unchecking OCSP and CRL under keychain/preferences/certificates. Marcelo Marcelo Lew Wireless Network Architect Engineer University Technology Services University of Denver Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900 Email: m...@du.edumailto:m...@du.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Kell Sent: Tuesday, December 03, 2013 7:44 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Eapol-Rate-Optimization On 12/3/2013 9:34 PM, Wright, Don wrote: Just curious, have any Aruba shops tried enabling EAPOL rate optimization to try helping with the Apple roaming/dropping issue? It's a new setting in 6.1 and while it didn't help in my testing, I've heard others have had success with it. Would someone care to update with details? We have had issues with MacOS devices and roaming. Three variables were suggested - OKC, PMKID, and EAPOL-rate-opt. We had OKC / PMKID both enabled, no EAPOL-rate-opt, and interval between ID requests at 30 seconds. Wandering around a well-covered building with a MacOS laptop pinging a fixed target and it would disassociate / reassociate / reauthenticate with significant delay in between; Windows laptop did not have this issue (maybe drop a packet or two between roaming targets). We tried disabling OKC by itself, but it seemed to make no difference. This was discussed on the list before so I'll not repeat the whole issue. We tried the EAPOL-rate-opt, and we would drop a handful of pings, but essentially keep a connection intact. So yes, it did appear to help. It's not 100% still (is anything wireless ever 100%?) but was a solid improvement over the previous case. We're still grabbing at straws to improve the mobility, and hoping perhaps the sticky client voodoo in 6.3 might help the issue as well. Jeff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: Eapol-Rate-Optimization
Yes on both. It is unclear to me however why a Mac would check crl when roaming between WAPs. Seems like a bug to me. [email signature] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services) Sent: Thursday, December 05, 2013 7:20 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Eapol-Rate-Optimization Are you sure the CRL server is accessible from the client? Turning off that check sound like added security risk. From: Marcelo Lew [mailto:marcelo@du.edu] Sent: Wednesday, December 4, 2013 11:32 AM Subject: Re: Eapol-Rate-Optimization We also tried EAPOL-rate-opt. It did help with the Mac roaming issue, but it adds too much overhead and affects throughput quite a bit. We are on 6.3.1.1, and I still see the issue (testing on Macbook running Mavericks). Only fix that worked (per user fix) for us, is unchecking OCSP and CRL under keychain/preferences/certificates. Marcelo Marcelo Lew Wireless Network Architect Engineer University Technology Services University of Denver Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900 Email: m...@du.edumailto:m...@du.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Kell Sent: Tuesday, December 03, 2013 7:44 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Eapol-Rate-Optimization On 12/3/2013 9:34 PM, Wright, Don wrote: Just curious, have any Aruba shops tried enabling EAPOL rate optimization to try helping with the Apple roaming/dropping issue? It's a new setting in 6.1 and while it didn't help in my testing, I've heard others have had success with it. Would someone care to update with details? We have had issues with MacOS devices and roaming. Three variables were suggested - OKC, PMKID, and EAPOL-rate-opt. We had OKC / PMKID both enabled, no EAPOL-rate-opt, and interval between ID requests at 30 seconds. Wandering around a well-covered building with a MacOS laptop pinging a fixed target and it would disassociate / reassociate / reauthenticate with significant delay in between; Windows laptop did not have this issue (maybe drop a packet or two between roaming targets). We tried disabling OKC by itself, but it seemed to make no difference. This was discussed on the list before so I'll not repeat the whole issue. We tried the EAPOL-rate-opt, and we would drop a handful of pings, but essentially keep a connection intact. So yes, it did appear to help. It's not 100% still (is anything wireless ever 100%?) but was a solid improvement over the previous case. We're still grabbing at straws to improve the mobility, and hoping perhaps the sticky client voodoo in 6.3 might help the issue as well. Jeff ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. inline: image001.jpg
RE: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards
Just a thought. Is anyone using a different certificate other than Globalsign with their ACS server? If you’re successful in using the certificates on all Windows 8/8.1pro machines, could you please let me know what certificate you’re using? We’re using GeoTrust Global CA and GeoTrust DV SSL on our ACS server, and I’m wondering if this is the root cause of it not working. We have to install the certificates manually when getting on our secure network and since Globalsign is already installed, I’m wondering if this might be the problem. Thanks again! Shayne *From:* T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu] *Sent:* Wednesday, December 04, 2013 1:48 PM *To:* The EDUCAUSE Wireless Issues Constituent Group Listserv *Subject:* RE: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards Has anyone seen people upgrading their Windows 7 computers to Windows 8 or 8.1 and the wireless breaks completely? That’s what I’m seeing here with the Broadcom and some Atheros cards. I’ve been working on this since Monday (solid) and cannot get any Broadcom wlan cards to connect with Windows 8 or 8.1pro, but if I re-image the computer to Windows 7 pro, it works just fine. We are a complete Cisco shop with about 500 1142N AP’s and 128 1231, 1232 and 1251 AP’s so unless we replace the 1200’s we’re stuck at the 7.0.253.5 code (which is supposed to fix it). But that’s not what we’re seeing if they’re upgrading their computers. All the new computers are working just fine that come pre-installed with Windows 8. Upgrade to 8.1pro and that’s the gotcha we’re seeing too. Thanks for all the suggestions, but I’ve shelved the Broadcom chipset as a “Won’t work on our wireless network” if you upgrade to 8. Now moving on to some of the others that are coming in. Going to be fun after Christmas. /ugh Thanks Shayne *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman *Sent:* Wednesday, December 04, 2013 1:23 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards During our opening, and after a Windows update on my own son’s machine at the same time, we saw many cases where both WLAN adapter and chipset drivers both had to be updated to connect to secure networks. -Lee *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUWIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Michael Hulko *Sent:* Wednesday, December 04, 2013 1:40 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards Not necessarily related to Windows 8, but we have had the same issue with Intel Centrino family chipsets. We had the users upgrade the chipset to the latest version available from Intel's site and that seemed to resolve the issues. Never rely on the user to tell you that they have updated the drivers MH On 2013-12-04, at 12:59 PM, Joe Roth wrote: Shayne, We have seen this as well. The instructions from the blog that Don posted are essentially what we use. Our Help Desk has a flash drive with a pile of wireless nic drivers that they keep handy. On Wed, Dec 4, 2013 at 12:50 PM, Sullivan, Don dsulli...@samford.edu wrote: Here is what we did: http://blogs.technet.com/b/dennis_schnell/archive/2013/08/31/windows-8-1-wifi-showing-quot-limitied-quot-or-quot-no-internet-access-quot.aspx More specifically – Here's the instructions: # Open Device Manager (search Windows Help if you don't know what this is) # Select 'Network adaptors' and then open (double-click) Broadcom 802.11n Network Adaptor # Go to the Driver tab and click the Update Driver... button # Select 'Browse my computer for driver software' # Select 'Let me pick from a list of device drivers on my computer' # Select the Broadcom 802.11n Network Adaptor (Broadcom) entry from the list, and click Next We have had this occur at 3 times and this fixed the issue for us. Hope it helps you. *Don Sullivan* *Network Adminstrator* *Technology Services* 205-726-2111 | office 205-566-1432 | mobile 205-726-2524 | fax dsulli...@samford.edu www.samford.edu 800 Lakeshore Drive, Birmingham, AL 35229http://maps.google.com/maps?q=800+Lakeshore+Drive,+Birmingham,+AL+35229,+US image001.png *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *T. Shayne Ghere *Sent:* Wednesday, December 04, 2013 11:25 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Windows 8 and Broadcom wireless cards Good morning, I was wondering if any other school is having issues with the Broadcom Wireless network cards running Windows 8/8.1 pro on a WPA2/AES network? We have students that are upgrading their Dell computers from Windows 7 to Windows 8 and the cards stop working on our secure
RE: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards
They have to accept the CERT for the RADIUS servers if they are auto configuring, but the verbiage about which server may be on a second page of the alert, which is likely ignored From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere Sent: Thursday, December 5, 2013 1:06 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards Lee, Do the students have to install the certificate when authenticating, or to they just use their username/password and it's in there already? I'm beginning to think Windows 8 is Vista all over again. Thanks Shayne From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Thursday, December 05, 2013 12:00 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards GoDaddy here, working fine. Lee H. Badman Network Architect/Wireless TME ITS, Syracuse University 315.443.3003 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of T. Shayne Ghere [sgh...@fsmail.bradley.edumailto:sgh...@fsmail.bradley.edu] Sent: Thursday, December 05, 2013 12:57 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards Just a thought. Is anyone using a different certificate other than Globalsign with their ACS server? If you're successful in using the certificates on all Windows 8/8.1pro machines, could you please let me know what certificate you're using? We're using GeoTrust Global CA and GeoTrust DV SSL on our ACS server, and I'm wondering if this is the root cause of it not working. We have to install the certificates manually when getting on our secure network and since Globalsign is already installed, I'm wondering if this might be the problem. Thanks again! Shayne From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edumailto:sgh...@fsmail.bradley.edu] Sent: Wednesday, December 04, 2013 1:48 PM To: The EDUCAUSE Wireless Issues Constituent Group Listserv Subject: RE: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards Has anyone seen people upgrading their Windows 7 computers to Windows 8 or 8.1 and the wireless breaks completely? That's what I'm seeing here with the Broadcom and some Atheros cards. I've been working on this since Monday (solid) and cannot get any Broadcom wlan cards to connect with Windows 8 or 8.1pro, but if I re-image the computer to Windows 7 pro, it works just fine. We are a complete Cisco shop with about 500 1142N AP's and 128 1231, 1232 and 1251 AP's so unless we replace the 1200's we're stuck at the 7.0.253.5 code (which is supposed to fix it). But that's not what we're seeing if they're upgrading their computers. All the new computers are working just fine that come pre-installed with Windows 8. Upgrade to 8.1pro and that's the gotcha we're seeing too. Thanks for all the suggestions, but I've shelved the Broadcom chipset as a Won't work on our wireless network if you upgrade to 8. Now moving on to some of the others that are coming in. Going to be fun after Christmas. /ugh Thanks Shayne From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Wednesday, December 04, 2013 1:23 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards During our opening, and after a Windows update on my own son's machine at the same time, we saw many cases where both WLAN adapter and chipset drivers both had to be updated to connect to secure networks. -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko Sent: Wednesday, December 04, 2013 1:40 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards Not necessarily related to Windows 8, but we have had the same issue with Intel Centrino family chipsets. We had the users upgrade the chipset to the latest version available from Intel's site and that seemed to resolve the issues. Never rely on the user to tell you that they have updated the drivers MH On 2013-12-04, at 12:59 PM, Joe Roth wrote: Shayne, We have seen this as well. The instructions from the blog that Don posted are essentially what we use. Our Help Desk has a flash drive with a pile of wireless nic drivers that they keep handy. On Wed, Dec 4, 2013 at 12:50
RE: [WIRELESS-LAN] 802.11k
Note the distance between RIM's headquarters and Dennis's work. =) Frank -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian McDonald Sent: Wednesday, November 20, 2013 9:15 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] 802.11k You have a lot of Z10s? A recent article described Blackberry as deader than paisley flares. I don't think I've even seen *one*. -- ian -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu Sent: 20 November 2013 14:57 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] 802.11k We have implemented it on all production WLANs for one month. There is only one issue: BlackBerry Z10 cannot connect to our 802.1X secure wlan, but it can connect to the open wlan. I tested in my lab and confirmed that Z10 can connect to the secure wlan without 802.11k. We are considering roll back this change. --- Dennis Xu Analyst 3, Network Infrastructure Computing and Communications Services(CCS) University of Guelph 519-824-4120 Ext 56217 d...@uoguelph.ca www.uoguelph.ca/ccs - Original Message - From: Alan Nord an...@macalester.edu To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Sent: Wednesday, November 20, 2013 9:22:38 AM Subject: Re: [WIRELESS-LAN] 802.11k Looked into enabling this after a recent upgrade, but there is one major hurdle for my environment: This feature must be implemented only if you are using one controller. The assisted roaming feature is not supported across multiple controllers. See here for more detail. On Tue, Nov 19, 2013 at 4:32 PM, Mike Albano mike.alb...@unlv.edu wrote: Curious if others have enabled 802.11k and if doing so has resulted in any client connectivity issues for clients that do not support it. Also, for the Cisco shops, the same question for non-802.11k assisted roamingie config wlan assisted-roaming prediction {enable | disable} wlan-id Mike Albano Network Engineer UNLV ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/ . -- Alan Nord, CCNA Infrastructure Manager Information Technology Services Macalester College 1600 Grand Avenue St. Paul, MN 55105 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.