RE: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

2014-08-28 Thread Jason Cook
If the controllers are showing authentication errors, what do the ISE and AD 
servers say for the same requests? Being able to identify the segment where the 
rejects start should help, or where the requests are failing to get through 
if they aren't even reaching AD. 
It can be challenging to identify the same requests on production gear with 
heaps of logs, but perhaps a new test UID or one rarely used will help in that 
situation. 



--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
e-mail: jason.c...@adelaide.edu.au

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric T. Barnett
Sent: Thursday, 28 August 2014 5:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

So many questions :)

Thanks for all of the input folks! Here's some answers:

1. We changed from one controller to two during the summer and we also have ISE 
setting the VLAN depending on username type. Eight characters (ebarnett) gets 
one IP, name.name (eric.barnett) gets another.
2. No load balancer in the middle of anything.
3. We have four PSNs and are having problems with all of them.
4. Reboots of the controller and ISE have no effect.
5. Using Microsoft AD and we have about 6000 users connected to our SSID right 
now.

Thanks again for the interest! We're very, very stuck right now.

--Eric


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Wang
Sent: Wednesday, August 27, 2014 2:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

We saw similar symptoms in the past. Our setup was a bit different though.

What it came down to for us was that the EAP conversation would start on one 
backend RADIUS server, but it would jump to a different backend server part way 
through. The backend servers didn't share state, so when the EAP conversation 
changed backend servers, it would return a failure.

In our case, it turned out to be a problem with the RADIUS load balancers that 
our controllers were pointed to. Do your controllers talk through an 
intermediate proxy/load balancer? Do the RADIUS servers themselves show 
access-rejects for those failed auths? Do those access-rejects show up on both 
(or all) of your RADIUS servers almost simultaneously? I don't know how ISE 
implements its RADIUS function, but do auths go directly against the server, or 
is there another intermediate layer?

Some things you might be able to try for troubleshooting:
- Have the controller point to only one RADIUS server directly (no proxies/load 
balancers)
- Try a different RADIUS server


Jason


On 08/27/2014 01:11 PM, Eric T. Barnett wrote:
 We've got a relatively small deployment compared to many on this list, but 
 we've run into a problem we just can't put our finger on. We're using 5508s 
 and ISE as a RADIUS server and we're having HUGE latencies on WPA2-Enterprise 
 PEAP authentication. There's times when almost no one can authenticate. 
 What's really weird is that the controllers show AAA Authentication Error 
 when this happens even though the username and password is correct. None of 
 the devices seem distressed and there's no network problems we can see. 
 Anyone ever seen this before or have any ideas how to troubleshoot? TAC so 
 far has been not incredibly useful but they have only been on the case for a 
 day or so now. I can hear my users sharpening the pitchforks...

 Thanks,

 Eric Barnett
 Wireless Administrator
 Information and Technology Services
 Arkansas State University
 870 680 4243

 **
 Participation and subscription information for this EDUCAUSE Constituent 
 Group discussion list can be found at http://www.educause.edu/groups/.
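
An added example, not part of any message in this thread and not Cisco or ISE code: a log check for the failure mode Jason Wang describes (an EAP conversation that starts on one backend RADIUS server and continues on another), which also supports the test-UID tracing Jason Cook suggests. The record layout, the psn1..psn4 server names, the usernames and the sample lines are all constructed; it assumes each RADIUS server can export one line per packet with the client MAC and username.

```python
from collections import namedtuple

# Constructed sample: time, backend server, client MAC, username, RADIUS packet type.
SAMPLE_LOG = """\
12:00:01.100 psn1 aa:bb:cc:00:00:01 testuid01 Access-Request
12:00:01.150 psn1 aa:bb:cc:00:00:01 testuid01 Access-Challenge
12:00:01.200 psn2 aa:bb:cc:00:00:02 user0002 Access-Request
12:00:01.250 psn2 aa:bb:cc:00:00:02 user0002 Access-Challenge
12:00:01.300 psn1 aa:bb:cc:00:00:01 testuid01 Access-Request
12:00:01.350 psn1 aa:bb:cc:00:00:01 testuid01 Access-Accept
12:00:01.400 psn3 aa:bb:cc:00:00:02 user0002 Access-Request
12:00:01.450 psn3 aa:bb:cc:00:00:02 user0002 Access-Reject
12:00:02.000 psn4 aa:bb:cc:00:00:03 user0003 Access-Request
12:00:02.050 psn4 aa:bb:cc:00:00:03 user0003 Access-Reject
12:00:03.000 psn1 aa:bb:cc:00:00:04 user0004 Access-Request
"""

Conv = namedtuple("Conv", "mac user servers outcome")
FINAL = ("Access-Accept", "Access-Reject")

def conversations(log_text):
    """Group packets into EAP conversations keyed by (client MAC, username)."""
    open_convs, done = {}, []
    for line in log_text.strip().splitlines():
        _ts, server, mac, user, ptype = line.split()
        key = (mac.lower(), user)
        servers = open_convs.setdefault(key, [])
        if server not in servers:          # remember every backend that touched it
            servers.append(server)
        if ptype in FINAL:                 # a verdict closes the conversation
            done.append(Conv(key[0], user, tuple(open_convs.pop(key)), ptype))
    # Anything still open never got a verdict (timeout or dropped request).
    done += [Conv(m, u, tuple(s), "No-Response") for (m, u), s in open_convs.items()]
    return done

def split_conversations(convs):
    """Conversations handled by more than one backend: candidates for lost EAP state."""
    return [c for c in convs if len(c.servers) > 1]

def trace_user(convs, user):
    """Follow one (test) UID: which servers saw it and how each attempt ended."""
    return [(c.servers, c.outcome) for c in convs if c.user == user]

if __name__ == "__main__":
    for c in split_conversations(conversations(SAMPLE_LOG)):
        print(f"{c.user} {c.mac}: {' -> '.join(c.servers)} ended in {c.outcome}")
```

A reject on a conversation that stayed on one server (user0003 here) points at the server or the directory behind it; a reject only on split conversations points at whatever is distributing the requests.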





mac OSx 10.9 wpa2 enterprise connection issues

2014-08-28 Thread Muraca, Peppino P.
Hi, has anyone else seen issues using WPA2-Enterprise wireless where a MacBook 
running OS X 10.9.x will authenticate but will not pull a DHCP address? I have 
read that this was an issue with 10.6 Snow Leopard, but I am seeing the same 
issue with 10.9. I have some machines that connect with no problem, but I have 
a good number that will only authenticate and not pull a DHCP address. I have 
checked our DHCP pools and we are not running out of addresses.

Is this just one of the many wireless issues that are plaguing OSX 10.9 ?

Pino


Peppino Muraca
Sr. Network Administrator
Stonehill College
320 Washington St.
Easton, MA 02357
508-565-1193
pmur...@stonehill.edu
www.stonehill.edu




Re: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues

2014-08-28 Thread Walter Reynolds
In general I have seen this on various versions of OS X.

First thing I try is disable IPv6.  I have also had to delete the Airport
interface and re-add.



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438


On Thu, Aug 28, 2014 at 1:11 PM, Muraca, Peppino P. pmur...@stonehill.edu
wrote:

  Hi , has anyone else seen issues using wpa2 enterprise wireless where a
 Macbook OSX 10.9.X  will authenticate but it will not pull a dhcp address,
 I have read that this was an issue with 10.6 snow leopard, but I am seeing
 the same issue with 10.9 . I have some machines connect no problem but I
 have a good amount that will only authenticate and not pull a dhcp address.
 I have checked our DHCP pools and we are not running out of address.



 Is this just one of the many wireless issues that are plaguing OSX 10.9 ?



 Pino





 Peppino Muraca

 Sr. Network Administrator

 Stonehill College

 320 Washington St.

 Easton, MA 02357

 508-565-1193

 pmur...@stonehill.edu

 www.stonehill.edu







Re: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues

2014-08-28 Thread Dan Brisson
It's interesting that this is still a fix for these types of issues.  We 
have been running v6 on our Cisco wireless infrastructure for parts of 3 
academic years now (since winter of 2012) and have not had to do this.


Not saying it won't help, just interesting.

-dan


Dan Brisson
Network Engineer
University of Vermont
(Ph) 802.656.8111
dbris...@uvm.edu

On 8/28/14, 4:20 PM, Lee H Badman wrote:


I second the IPv6 disabling.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
Sent: Thursday, August 28, 2014 1:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues


In general I have seen this on various versions of OS X.

First thing I try is disable IPv6.  I have also had to delete the 
Airport interface and re-add.





Walter Reynolds

Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Aug 28, 2014 at 1:11 PM, Muraca, Peppino P. 
pmur...@stonehill.edu wrote:


Hi , has anyone else seen issues using wpa2 enterprise wireless where 
a Macbook OSX 10.9.X  will authenticate but it will not pull a dhcp 
address, I have read that this was an issue with 10.6 snow leopard, 
but I am seeing the same issue with 10.9 . I have some machines 
connect no problem but I have a good amount that will only 
authenticate and not pull a dhcp address. I have checked our DHCP 
pools and we are not running out of address.


Is this just one of the many wireless issues that are plaguing OSX 10.9 ?

Pino

Peppino Muraca

Sr. Network Administrator

Stonehill College

320 Washington St.

Easton, MA 02357

508-565-1193

pmur...@stonehill.edu

www.stonehill.edu




RE: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues

2014-08-28 Thread Lee H Badman
I second the IPv6 disabling.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
Sent: Thursday, August 28, 2014 1:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues

In general I have seen this on various versions of OS X.

First thing I try is disable IPv6.  I have also had to delete the Airport 
interface and re-add.



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Aug 28, 2014 at 1:11 PM, Muraca, Peppino P. 
pmur...@stonehill.edu wrote:
Hi , has anyone else seen issues using wpa2 enterprise wireless where a Macbook 
OSX 10.9.X  will authenticate but it will not pull a dhcp address, I have read 
that this was an issue with 10.6 snow leopard, but I am seeing the same issue 
with 10.9 . I have some machines connect no problem but I have a good amount 
that will only authenticate and not pull a dhcp address. I have checked our 
DHCP pools and we are not running out of address.

Is this just one of the many wireless issues that are plaguing OSX 10.9 ?

Pino


Peppino Muraca
Sr. Network Administrator
Stonehill College
320 Washington St.
Easton, MA 02357
508-565-1193
pmur...@stonehill.edu
www.stonehill.edu



RE: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues

2014-08-28 Thread Lee H Badman
If you run a v6 network, it is not an issue.

-Original Message-
From: Dan Brisson [dbris...@uvm.edu]
Received: Thursday, 28 Aug 2014, 17:13
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues

It's interesting that this is still a fix for these types of issues.  We have 
been running v6 on our Cisco wireless infrastructure for parts of 3 academic 
years now (since winter of 2012) and have not had to do this.

Not saying it won't help, just interesting.

-dan



Dan Brisson
Network Engineer
University of Vermont
(Ph) 802.656.8111
dbris...@uvm.edu

On 8/28/14, 4:20 PM, Lee H Badman wrote:
I second the IPv6 disabling.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
Sent: Thursday, August 28, 2014 1:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] mac OSx 10.9 wpa2 enterprise connection issues

In general I have seen this on various versions of OS X.

First thing I try is disable IPv6.  I have also had to delete the Airport 
interface and re-add.



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Aug 28, 2014 at 1:11 PM, Muraca, Peppino P. 
pmur...@stonehill.edu wrote:
Hi , has anyone else seen issues using wpa2 enterprise wireless where a Macbook 
OSX 10.9.X  will authenticate but it will not pull a dhcp address, I have read 
that this was an issue with 10.6 snow leopard, but I am seeing the same issue 
with 10.9 . I have some machines connect no problem but I have a good amount 
that will only authenticate and not pull a dhcp address. I have checked our 
DHCP pools and we are not running out of address.

Is this just one of the many wireless issues that are plaguing OSX 10.9 ?

Pino


Peppino Muraca
Sr. Network Administrator
Stonehill College
320 Washington St.
Easton, MA 02357
508-565-1193
pmur...@stonehill.edu
www.stonehill.edu




Rogue Wireless Process

2014-08-28 Thread Thomas Carter
Now that school has started back for us, the influx of rogue wireless routers 
has started. It is against policy to have them in the residence halls, but the 
teeth are somewhat vague. We generally start with general communications to 
all students through emails as well as their RAs. After a grace period, we 
begin hunting them down and asking them nicely to remove them. After that, we 
shut down the wired port and have their RA / other residential authority ask 
them nicely. Thankfully it hasn't progressed beyond that point.

I want a fair but strong process for dealing with these and wanted to poll the 
list on what your actual process is. How much and how quickly do you involve 
organizations outside of IT? Do you have IT punishments (removal of access, 
wireless countermeasures, etc.) or just general school discipline?

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564