RE: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

2017-03-13 Thread Kanan E Simpson
Are you sure the phone is sending DHCP Discover packets? You mentioned it's not 
working on the open SSID; you may want to try connecting the phone to the open 
SSID and capture OTA packets to see what it's doing and start from there and 
move towards the DHCP server.

-Kanan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of McClintic, Thomas
Sent: Monday, March 13, 2017 3:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

Danny,

Try adding the domain in the profile for which the cert was issued

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Monday, March 13, 2017 12:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?


So, I've got one client (1!) who is running Android 7.1.1 and no matter which 
network (our 802.1X, eduroam, or even the "open" captive portal SSID) the user 
tries to connect into, he gets authenticated (on eduroam and our 802.1X SSID), 
but we never see a DHCPDISCOVER from his phone; it passes the AAA (802.1X), but 
will just not get an IP.  Thoughts?  (other devices work just fine).
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] Certificate for 802.1x

2017-03-13 Thread Cappalli, Tim (Aruba)
One trick with configuring clients: You can configure the client with common 
name validation and then validate the root CA. When you have to renew the 
certificate, users *shouldn’t* receive any messages because the validation 
information in the supplicant remains the same.

The ideal solution is to move to EAP-TLS and move away from legacy protocols 
like PEAPv0 and EAP-TTLS that have known issues and security concerns.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
"Oakes, Carl W"
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Monday, March 13, 2017 at 3:42 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] Certificate for 802.1x

This one hits home for me, going through this now on a certificate expiring and 
battling on what to do next.

Most clients don't trust any certificate, even if the device is set to trust 
them OS wide (web browser, etc).  The wireless / supplicant configuration needs 
to be set up to trust specific certs or CAs.

Onboarding tools can be used like SecureW2, Aruba , Cloudpath, eduroam CAT 
to load and enable the RADIUS cert and set it active/trusted.

If clients onboard themselves, just by manually attaching to the network, they 
trust the immediate certificate, and I think in some cases, just the digest of 
the cert, making future cert updates "eventful".

Clients when authenticating can't check the CRL or OCSP for certificate 
revocation, since they aren't on the network yet while trying to authenticate.

So, with all that, I really don't want to get another 3 or 4 year cert and deal 
with the expiring cert again.  Not a pretty scenario.
Last time this happened, it hit us by surprise since we couldn't get a new cert 
based on the previously trusted CA.  E

I'm tempted to create a self-signed local CA just for the RADIUS server 
validation, and then generate a single cert off that CA.   Then have SecureW2 
(what we have) provide that CA and mark it as trusted.
Since it's our own CA, was going to make it good for 20 years (just shy of the 
2038 unix time clock issue).  Avoids the problem until after I retire. :)

In testing, so far this seems to work great.  But test is very different than 
thousands of random student devices.

In theory it could be just a single self-signed cert, but I liked having the 
added bonus / flexibility / futures of the self-signed CA just in case.

Either way, if the private key of the RADIUS cert gets compromised (commercial 
or self-signed), it's a world of hurt to get folks moved over in a secure way.

Has anyone done this?  Good or bad? Am I missing anything key?

Next up will be client based certs, but that doesn't fix/resolve the above 
issue.

Carl Oakes
California State University Sacramento




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric Glinsky
Sent: Monday, March 13, 2017 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Certificate for 802.1x

Hi everyone,

I’m looking for thoughts/opinions/experiences on 802.1x and security 
certificates. I dug through the archives from a few years ago, and from what I 
gather it isn’t even possible to use a 3rd-party cert so devices (iOS, OS X, 
Windows, Android) trust it automatically, but maybe someone has succeeded with 
this by now? If so, which CA would you recommend?

For us, our GoDaddy wildcard cert failed to authenticate clients, so we went 
with DigiCert. That isn’t trusted by clients by default, offering no benefit 
over our domain-generated cert, with which all Apple and Windows 8/10 devices 
must be told to “trust,” Windows 7 fails to authenticate entirely, and Android 
just works. We have a Cisco WLC and Windows NPS.

Thanks for any pointers you can give!

- Eric
This e-mail message is intended only for the person or entity to which it is 
addressed and may contain CONFIDENTIAL or PRIVILEGED material. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender and destroy all copies of the 
original message. If you are the intended recipient but do not wish to receive 
communications through this medium, please so advise the sender immediately.
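
An added lab example, not code from any poster in this thread: it builds a private CA used only for RADIUS server validation (the approach floated above) and compares how a renewed server certificate fares under the two client trust models mentioned, a pinned certificate digest versus root CA plus server-name validation. It assumes the openssl CLI is installed; the CA names, the server name network-login.example.edu, the 825-day server lifetime and all file names are constructed.

```shell
#!/bin/sh
# Lab sketch; all names, files and certificates here are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_CN="network-login.example.edu"   # hypothetical user-facing server name

# make_ca <prefix> <common name>
# Self-signed CA whose only job is to anchor RADIUS server validation.
make_ca() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 7300 days is roughly the 20-year lifetime discussed in the thread.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7300 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server <ca prefix> <out prefix>
# Fresh key pair and server certificate; the subject name never changes.
issue_server() {
    cat > "$WORK/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $SERVER_CN
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$2.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.cnf" -extensions v3_srv -out "$WORK/$2.pem" 2>/dev/null
}

fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Policy A: client remembered the digest of the first certificate it was shown.
pinned_digest_accepts() {   # <pinned fingerprint> <presented cert>
    [ "$(fingerprint "$2")" = "$1" ]
}

# Policy B: client was provisioned with the root CA and the expected server name.
ca_and_name_accepts() {     # <trusted CA> <expected CN> <presented cert>
    openssl verify -purpose sslserver -CAfile "$1" "$3" >/dev/null 2>&1 || return 1
    subj=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$subj" = "CN=$2" ]
}

run_demo() {
    make_ca ca "Constructed Example RADIUS CA"
    make_ca otherca "Constructed Unrelated CA"
    issue_server ca srv_2017          # certificate in service when clients onboarded
    issue_server ca srv_renewed       # renewal: new key, same name, same CA
    issue_server otherca srv_otherca  # same name, but from a CA clients were never given
    pin=$(fingerprint "$WORK/srv_2017.pem")
    for cert in srv_2017 srv_renewed srv_otherca; do
        a=reject; b=reject
        if pinned_digest_accepts "$pin" "$WORK/$cert.pem"; then a=accept; fi
        if ca_and_name_accepts "$WORK/ca.pem" "$SERVER_CN" "$WORK/$cert.pem"; then b=accept; fi
        echo "$cert digest-pin=$a ca+name=$b"
    done
}

run_demo
```

The third row is also the renewal case where a replacement certificate cannot be obtained from the previously trusted CA: clients validating CA plus name reject it until the new root is distributed.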



RE: [WIRELESS-LAN] Cisco WLC code recommendations

2017-03-13 Thread Danny Eaton
Strangely enough, I just got an email from our Cisco team, and here's what
was sent.

 

Recommendations for AireOS:

                                               AireOS Release    Mobility Services Engine  Prime Infrastructure  Identity Services Engine
Most WLCs                                      8.0.140.0 (MR4)   8.0.140.0 (MR4)           3.1.5                 2.1.0 (Patch 3)
For 5520/8540 and/or 1810/1830/1850/2800/3800  8.2.151.0 (MR5)*  8.0.140.0 (MR4)           3.1.5                 2.1.0 (Patch 3)
For 1562/1815i                                 8.3.111.0 (MR1)   8.0.140.0 (MR4)           3.1.5                 2.1.0 (Patch 3)

*NOTE:  Targeted for later this week - Latest info is here

Recommendations for IOS-XE (For Wireless):

                IOS-XE Release  Mobility Services Engine  Prime Infrastructure  Identity Services Engine
5760/3850/3650  3.7.5E          8.0.140.0 (MR4)           3.1.5                 2.1.0 (Patch 3)
Sup-8E          3.8.3E          8.0.140.0 (MR4)           3.1.5                 2.1.0 (Patch 3)

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken LeCompte
Sent: Monday, March 13, 2017 2:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC code recommendations

 

We are currently running a handful of 5508s with 8.0.133.0 and have been
stable for some time with around 400 APs and upwards of 1.5k clients. We
also run a half dozen 5520s with 8.2.141.0 and they have been running solid
with around 1k APs each and upwards of 10k clients. We do not however run
anything but 2600, 3600, 2700 and 3700 APs.

The only issue I have seen that I don't understand well yet is related to
some APs losing their minds during network interruptions. The APs will appear
up from CDP neighbor information, but will have lost their name and will not
connect to their configured primary or secondary controllers. A power cycle
will often recover the AP, but not always. I believe that issue started with
8.2.

Thank you.

Ken

-- 
Ken LeCompte - Consulting Telecommunications Analyst
Telecommunications Division
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823

On Mar 10, 2017, at 1:52 PM, Entwistle, Bruce wrote:

We are currently running version 8.0.133.0 on our Cisco 5508 controllers, as
our current access points are primarily 3500s and 3600s. However we have
recently purchased a batch of 2802i access points whose minimum supported
version is 8.2.110.0.  I was looking to the group for their recommendations
on a stable version of code which will support our new 2802i access points.

Thank you

Bruce Entwistle
Network Manager
University of Redlands

 




RE: Certificate for 802.1x

2017-03-13 Thread Oakes, Carl W
This one hits home for me, going through this now on a certificate expiring and 
battling on what to do next.

Most clients don't trust any certificate, even if the device is set to trust 
them OS wide (web browser, etc).  The wireless / supplicant configuration needs 
to be set up to trust specific certs or CAs.

Onboarding tools can be used like SecureW2, Aruba , Cloudpath, eduroam CAT 
to load and enable the RADIUS cert and set it active/trusted.

If clients onboard themselves, just by manually attaching to the network, they 
trust the immediate certificate, and I think in some cases, just the digest of 
the cert, making future cert updates "eventful".

Clients when authenticating can't check the CRL or OCSP for certificate 
revocation, since they aren't on the network yet while trying to authenticate.

So, with all that, I really don't want to get another 3 or 4 year cert and deal 
with the expiring cert again.  Not a pretty scenario.
Last time this happened, it hit us by surprise since we couldn't get a new cert 
based on the previously trusted CA.  E

I'm tempted to create a self-signed local CA just for the RADIUS server 
validation, and then generate a single cert off that CA.   Then have SecureW2 
(what we have) provide that CA and mark it as trusted.
Since it's our own CA, was going to make it good for 20 years (just shy of the 
2038 unix time clock issue).  Avoids the problem until after I retire. :)

In testing, so far this seems to work great.  But test is very different than 
thousands of random student devices.

In theory it could be just a single self-signed cert, but I liked having the 
added bonus / flexibility / futures of the self-signed CA just in case.

Either way, if the private key of the RADIUS cert gets compromised (commercial 
or self-signed), it's a world of hurt to get folks moved over in a secure way.

Has anyone done this?  Good or bad? Am I missing anything key?

Next up will be client based certs, but that doesn't fix/resolve the above 
issue.

Carl Oakes
California State University Sacramento




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric Glinsky
Sent: Monday, March 13, 2017 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Certificate for 802.1x

Hi everyone,

I'm looking for thoughts/opinions/experiences on 802.1x and security 
certificates. I dug through the archives from a few years ago, and from what I 
gather it isn't even possible to use a 3rd-party cert so devices (iOS, OS X, 
Windows, Android) trust it automatically, but maybe someone has succeeded with 
this by now? If so, which CA would you recommend?

For us, our GoDaddy wildcard cert failed to authenticate clients, so we went 
with DigiCert. That isn't trusted by clients by default, offering no benefit 
over our domain-generated cert, with which all Apple and Windows 8/10 devices 
must be told to "trust," Windows 7 fails to authenticate entirely, and Android 
just works. We have a Cisco WLC and Windows NPS.

Thanks for any pointers you can give!

- Eric



Re: [WIRELESS-LAN] Cisco WLC code recommendations

2017-03-13 Thread Ken LeCompte
We are currently running a handful of 5508s with 8.0.133.0 and have been stable 
for some time with around 400 APs and upwards of 1.5k clients. We also run a 
half dozen 5520s with 8.2.141.0 and they have been running solid with around 1k 
APs each and upwards of 10k clients. We do not however run anything but 2600, 
3600, 2700 and 3700 APs.

The only issue I have seen that I don’t understand well yet is related to some 
APs losing their minds during network interruptions. The APs will appear up from 
CDP neighbor information, but will have lost their name and will not connect to 
their configured primary or secondary controllers. A power cycle will often 
recover the AP, but not always. I believe that issue started with 8.2.

Thank you.

Ken

--
Ken LeCompte - Consulting Telecommunications Analyst
Telecommunications Division
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823

On Mar 10, 2017, at 1:52 PM, Entwistle, Bruce wrote:

We are currently running version 8.0.133.0 on our Cisco 5508 controllers, as 
our current access points are primarily 3500s and 3600s. However we have 
recently purchased a batch of 2802i access points whose minimum supported 
version is 8.2.110.0.  I was looking to the group for their recommendations on 
a stable version of code which will support our new 2802i access points.

Thank you
Bruce Entwistle
Network Manager
University of Redlands




RE: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

2017-03-13 Thread McClintic, Thomas
Danny,

Try adding the domain in the profile for which the cert was issued

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Monday, March 13, 2017 12:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?


So, I've got one client (1!) who is running Android 7.1.1 and no matter which 
network (our 802.1X, eduroam, or even the "open" captive portal SSID) the user 
tries to connect into, he gets authenticated (on eduroam and our 802.1X SSID), 
but we never see a DHCPDISCOVER from his phone; it passes the AAA (802.1X), but 
will just not get an IP.  Thoughts?  (other devices work just fine).



Re: [WIRELESS-LAN] Certificate for 802.1x

2017-03-13 Thread Kevin Fitzgerald
Hi Eric,

From what I understand, the reason that even 3rd party certificates fail is
that the clients do not have a trusted radius store as they do with SSL.
That is to say, by default, most clients will not trust any radius
certificate regardless of the issuer.

Some vendors provide an on-boarding module that distributes the trust
parameters to the client as a workaround to the above.

Kevin

On Mon, Mar 13, 2017 at 2:10 PM, Eric Glinsky  wrote:

> Hi everyone,
>
>
>
> I’m looking for thoughts/opinions/experiences on 802.1x and security
> certificates. I dug through the archives from a few years ago, and from
> what I gather it isn’t even possible to use a 3rd-party cert so devices
> (iOS, OS X, Windows, Android) trust it automatically, but maybe someone has
> succeeded with this by now? If so, which CA would you recommend?
>
>
>
> For us, our GoDaddy wildcard cert failed to authenticate clients, so we
> went with DigiCert. That isn’t trusted by clients by default, offering no
> benefit over our domain-generated cert, with which all Apple and Windows
> 8/10 devices must be told to “trust,” Windows 7 fails to authenticate
> entirely, and Android just works. We have a Cisco WLC and Windows NPS.
>
>
>
> Thanks for any pointers you can give!
>
>
>
> - Eric


-- 
Kevin Fitzgerald | Project/Program Specialist
University of Arkansas at Little Rock | Information Technology Services
501.916.5019 | kwfitzger...@ualr.edu | ualr.edu

Reminder: IT Services will never ask for your password over the phone or in
an email. Always be suspicious of requests for personal information that
comes via email, even from known contacts. For more information or to
report suspicious email, visit http://ualr.edu/itservices/security/




Re: [WIRELESS-LAN] Certificate for 802.1x

2017-03-13 Thread Cappalli, Tim (Aruba)
Couple of things


- Wildcard and EV certificates should never be used for RADIUS

- Keep in mind that EAP server certificate trust is different than system 
  level certificate trust.

  o Even with a public certificate, you will still receive a certificate 
    prompt on initial connection if the client has not been manually 
    configured

  o The common name of the RADIUS server certificate does NOT need to have a 
    DNS entry, it’s “visual” only.

- A standard “generic” web server certificate from any of the major 
  providers will work. I always recommend using a user friendly name for the 
  common name like wireless.domain.xyz or network-login.domain.xyz since users 
  will see it.

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Eric Glinsky
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Monday, March 13, 2017 at 3:10 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] Certificate for 802.1x

Hi everyone,

I’m looking for thoughts/opinions/experiences on 802.1x and security 
certificates. I dug through the archives from a few years ago, and from what I 
gather it isn’t even possible to use a 3rd-party cert so devices (iOS, OS X, 
Windows, Android) trust it automatically, but maybe someone has succeeded with 
this by now? If so, which CA would you recommend?

For us, our GoDaddy wildcard cert failed to authenticate clients, so we went 
with DigiCert. That isn’t trusted by clients by default, offering no benefit 
over our domain-generated cert, with which all Apple and Windows 8/10 devices 
must be told to “trust,” Windows 7 fails to authenticate entirely, and Android 
just works. We have a Cisco WLC and Windows NPS.

Thanks for any pointers you can give!

- Eric



Re: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

2017-03-13 Thread Jeremy Mooney
Are you only looking on the DHCP server for the discover? Could a radius
server be returning an option setting an incorrect VLAN or specific ACL for
the client causing it to be dropped at the AP/WLC level? If it's happening
on an open network it'd probably have to be hitting a MAC-based rather than
user-based access rule (or possibly profiled and put in a blocked group).

On Mon, Mar 13, 2017 at 12:40 PM, Danny Eaton  wrote:

> It’s set to not validate the radius-server certificate; and like I said,
> it’s authenticating, just not doing the DHCPDISCOVER; I never see it in the
> DHCP server logs.
>
>
>
>
>
>
>
> *From:* Shayne Ghere [mailto:sgh...@fsmail.bradley.edu]
> *Sent:* Monday, March 13, 2017 12:36 PM
> *To:* dannyea...@rice.edu; WIRELESS-LAN@listserv.educause.edu
> *Subject:* RE: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?
>
>
>
> If you’re using certs, there’s a setting under CA Certificate that you
> have to set as “Do not validate” and it will then DHCP.
>
>
>
> I have a Pixel XL and that’s the only way I can get 802.1x working on my
> phone.
>
>
>
> Shayne
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Danny Eaton
> *Sent:* Monday, March 13, 2017 12:20 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Android 7.1.1 and DHCP issues?
>
>
>
>
>
> So, I’ve got one client (1!) who is running Android 7.1.1 and no matter
> which network (our 802.1X, eduroam, or even the “open” captive portal SSID)
> the user tries to connect into, he gets authenticated (on eduroam and our
> 802.1X SSID), but we never see a DHCPDISCOVER from his phone; it passes the
> AAA (802.1X), but will just not get an IP.  Thoughts?  (other devices work
> just fine).
>


-- 
Jeremy Mooney
ITS - Bethel University




Certificate for 802.1x

2017-03-13 Thread Eric Glinsky
Hi everyone,

I'm looking for thoughts/opinions/experiences on 802.1x and security 
certificates. I dug through the archives from a few years ago, and from what I 
gather it isn't even possible to use a 3rd-party cert so devices (iOS, OS X, 
Windows, Android) trust it automatically, but maybe someone has succeeded with 
this by now? If so, which CA would you recommend?

For us, our GoDaddy wildcard cert failed to authenticate clients, so we went 
with DigiCert. That isn't trusted by clients by default, offering no benefit 
over our domain-generated cert, with which all Apple and Windows 8/10 devices 
must be told to "trust," Windows 7 fails to authenticate entirely, and Android 
just works. We have a Cisco WLC and Windows NPS.

Thanks for any pointers you can give!

- Eric



RE: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

2017-03-13 Thread Danny Eaton
It’s set to not validate the radius-server certificate; and like I said, it’s 
authenticating, just not doing the DHCPDISCOVER; I never see it in the DHCP 
server logs.

 

 

 

From: Shayne Ghere [mailto:sgh...@fsmail.bradley.edu] 
Sent: Monday, March 13, 2017 12:36 PM
To: dannyea...@rice.edu; WIRELESS-LAN@listserv.educause.edu
Subject: RE: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

 

If you’re using certs, there’s a setting under CA Certificate that you have to 
set as “Do not validate” and it will then DHCP.

 

I have a Pixel XL and that’s the only way I can get 802.1x working on my phone. 
  

 

Shayne

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Monday, March 13, 2017 12:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

 

 

So, I’ve got one client (1!) who is running Android 7.1.1 and no matter which 
network (our 802.1X, eduroam, or even the “open” captive portal SSID) the user 
tries to connect into, he gets authenticated (on eduroam and our 802.1X SSID), 
but we never see a DHCPDISCOVER from his phone; it passes the AAA (802.1X), but 
will just not get an IP.  Thoughts?  (other devices work just fine).  




RE: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?

2017-03-13 Thread Shayne Ghere
If you’re using certs, there’s a setting under CA Certificate that you have
to set as “Do not validate” and it will then DHCP.



I have a Pixel XL and that’s the only way I can get 802.1x working on my
phone.



Shayne



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Danny Eaton
*Sent:* Monday, March 13, 2017 12:20 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Android 7.1.1 and DHCP issues?





So, I’ve got one client (1!) who is running Android 7.1.1 and no matter
which network (our 802.1X, eduroam, or even the “open” captive portal SSID)
the user tries to connect into, he gets authenticated (on eduroam and our
802.1X SSID), but we never see a DHCPDISCOVER from his phone; it passes the
AAA (802.1X), but will just not get an IP.  Thoughts?  (other devices work
just fine).




Android 7.1.1 and DHCP issues?

2017-03-13 Thread Danny Eaton
 

So, I've got one client (1!) who is running Android 7.1.1 and no matter
which network (our 802.1X, eduroam, or even the "open" captive portal SSID)
the user tries to connect into, he gets authenticated (on eduroam and our
802.1X SSID), but we never see a DHCPDISCOVER from his phone; it passes the
AAA (802.1X), but will just not get an IP.  Thoughts?  (other devices work
just fine).  





RE: [WIRELESS-LAN] Wireless Door lock systems

2017-03-13 Thread Matthew Ballard
We're using the Assa Abloy IN120 Wi-Fi locks.

We haven't been using them long enough to get a good idea on battery life, but 
a number of them have been dying faster than expected, but better monitoring 
has helped to minimize the problems from that.

Personally I would not use these locks in dorms again (nor would I use Wi-Fi 
locks in dorms).  Because they only update periodically (once a day by 
default), if you cut off access for a card, replace/issue a card for a user, 
etc, it won't work right away.  Cut-offs and new cards won't update until after 
the next lock update, although that can be forced by a non-access read at the 
lock, but it creates hassles for the user and in teaching them to deal with the 
situation (instead of just tapping once and assuming it doesn't work).  This 
isn't so bad for employees (but still annoying), but it's a big pain with 
students.

Also, the IN120, at least used in conjunction with CBORD CS Gold, isn't 
compatible with mobile apps for access (a keypad is needed for Wi-Fi locks).

I would use non-Wi-Fi wireless locks instead of Wi-Fi, as they can be online 
locks without these issues (it does cost a bit more for infrastructure, but 
gets rid of a lot of issues).


Matthew Ballard
Director of Technology Infrastructure
Otis College of Art and Design
mball...@otis.edu


CONFIDENTIALITY NOTICE: This electronic message transmission contains 
information from Otis College of Art and Design, which may be confidential. If 
you are not the intended recipient, be aware that any  disclosure, copying, 
distribution or use of the content of this information is prohibited. If you 
have received this communication in error, please notify us immediately by 
e-mail and delete the original message and any attachment without reading or 
saving in any manner.



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian David
Sent: Saturday, March 11, 2017 3:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Door lock systems

All,

I was wondering what other Universities' experience is with wireless door locks?

How have the door locks been working? Is there a lot of maintenance with your 
systems?

For example battery life, wifi connection problems, broken locks.


Brian




Re: [WIRELESS-LAN] Aruba controller loading

2017-03-13 Thread Hinojosa,Rafael
I agree w/ others, in that it all depends on your design & what kind of SLA you 
have in place (LOL).

At Drexel, we have roughly 2500 APs & typically see a max between 17K-18K 
clients.

We’re running AOS 6.4.3.6 on a total of 6 x 7200 series controllers.  2 x 7210s 
configured for Master - Backup Master VRRP redundancy & 4 x 7240s with each 
pair configured for VRRP redundancy & relying on Backup-LMS Redundancy 
utilizing each alternating VRRP instance; we’ve not yet moved to HA, but it’s 
in the works.  Each local controller (7240) is loaded w/ roughly 25% of its 
capacity (a little over 600 APs).  The idea for us is that we should be able to 
survive more than one controller failure and still have the majority of our APs 
migrate to the other pair (or one) as & if needed.


What I’m curious to know, from those folks that have loaded their controllers 
w/ more than 50% max. capacity…

Do you see any Datapath or Controlpath CPU threshold messages?   Have you 
tweaked your threshold triggers to something higher than the default?

Resource 'Controlpath CPU' has exceeded  45%  threshold (actual:54%).
Resource 'Datapath CPU 21' has exceeded  30%  threshold (actual:31%).

I had a case open w/ Aruba regarding these messages, but attempts to try and 
isolate what their cause is have yielded no results.  Their recommended action 
was to increase the threshold.

Thanks,

—Raf


On Mar 10, 2017, at 8:58 AM, Earl Barfield wrote:

I know that the Aruba / Hewlett Packard literature says that you can
support 2000 APs on their biggest controller (7240XM).

Is anyone actually running that many APs per controller in real
production?  If not, then how many APs per controller do you run?

For relative size info, we're a diverse higher-ed installation with
about 5000 APs and peak simultaneous user counts right about 30,000.

Thanks.


--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu
e...@gatech.edu




RE: [WIRELESS-LAN] Wireless Door lock systems

2017-03-13 Thread Thomas Carter
We have a small deployment of Stanley locks for special needs students; they 
aren't 802.11 wireless, but are 802.15.4 (on 2.4GHz) wireless. I only bring 
this up as it uses dedicated Stanley gateways, and we had to work to minimize 
the cross-interference between the two systems.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue 
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian David
Sent: Saturday, March 11, 2017 5:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Door lock systems

All,

I was wondering what other Universities' experience with wireless door locks has been.

How have the door locks been working? Is there a lot of maintenance with your 
systems?

For example battery life, wifi connection problems, broken locks.


Brian




Re: [WIRELESS-LAN] Wireless Door lock systems

2017-03-13 Thread Brian J David
Thanks for the information Bruce. We have the same locks, about 1800 of 
them. Some of the batteries are dying quickly. Mostly Bathrooms because 
they get the most use. Do you find the Lock antenna to be very powerful?


Brian


On 3/13/17 7:55 AM, Osborne, Bruce W (Network Operations) wrote:

We have been using Assa Abloy wireless locks in our newest residences on our 
802.1X SSID. The AA batteries do not last as long as advertised. We place APs 
in rooms and the lock wireless antenna is on the inside of the door. Obviously, 
rekeying maintenance is reduced. The locks update once a day. If they see an 
unknown badge, they check the server to get a new badge list.

Other than that, be sure to stagger the regular lock scanning times. When we 
first deployed, they had 600+ locks all trying to hit our management VM-based 
server at the same time. The server was overwhelmed. With times staggered, the 
server now handles the load.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

  (434) 592-4229
  
LIBERTY UNIVERSITY

Training Champions for Christ since 1971

-Original Message-
From: Brian David [mailto:davi...@bc.edu]
Sent: Saturday, March 11, 2017 6:59 AM
Subject: Wireless Door lock systems

All,

I was wondering what other Universities' experience with wireless door locks has been.

How have the door locks been working? Is there a lot of maintenance with your 
systems?

For example battery life, wifi connection problems, broken locks.


Brian




--

Brian J David
Senior Network Systems Engineer
Boston College





RE: Wireless Door lock systems

2017-03-13 Thread Osborne, Bruce W (Network Operations)
We have been using Assa Abloy wireless locks in our newest residences on our 
802.1X SSID. The AA batteries do not last as long as advertised. We place APs 
in rooms and the lock wireless antenna is on the inside of the door. Obviously, 
rekeying maintenance is reduced. The locks update once a day. If they see an 
unknown badge, they check the server to get a new badge list.

Other than that, be sure to stagger the regular lock scanning times. When we 
first deployed, they had 600+ locks all trying to hit our management VM-based 
server at the same time. The server was overwhelmed. With times staggered, the 
server now handles the load.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Brian David [mailto:davi...@bc.edu] 
Sent: Saturday, March 11, 2017 6:59 AM
Subject: Wireless Door lock systems

All,

I was wondering what other Universities' experience with wireless door locks has been.

How have the door locks been working? Is there a lot of maintenance with your 
systems?

For example battery life, wifi connection problems, broken locks.


Brian
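
The staggering advice in the message above, worked through as an added example (not part of the original post and not any lock vendor's software): each lock gets a stable check-in minute derived from a hash of its ID, so a fleet of 600 locks spreads its once-a-day update across the day instead of hitting the management server together. The lock IDs, the 02:00 baseline and the assumption that per-lock check-in times can be configured are constructed for illustration.

```python
import hashlib
from collections import Counter

WINDOW_MINUTES = 24 * 60  # the locks in the post update once a day


def checkin_minute(lock_id: str, window: int = WINDOW_MINUTES) -> int:
    """Return a stable minute-of-day for this lock.

    The offset comes from a hash of the lock ID, so it needs no central
    coordination and does not change when locks are added or removed.
    """
    digest = hashlib.sha256(lock_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % window


def build_schedule(lock_ids, window: int = WINDOW_MINUTES) -> dict:
    """Map every lock ID to its check-in minute."""
    return {lock_id: checkin_minute(lock_id, window) for lock_id in lock_ids}


def peak_per_minute(minutes) -> int:
    """Largest number of locks contacting the server in any one minute."""
    return max(Counter(minutes).values())


# Constructed sample fleet: 600 hypothetical lock IDs.
LOCK_IDS = [f"lock-{n:04d}" for n in range(600)]


def compare():
    """Return (peak with one shared time, peak with hashed offsets)."""
    unstaggered = [120] * len(LOCK_IDS)  # every lock checks in at 02:00
    staggered = list(build_schedule(LOCK_IDS).values())
    return peak_per_minute(unstaggered), peak_per_minute(staggered)


if __name__ == "__main__":
    before, after = compare()
    print(f"peak check-ins per minute, shared time:    {before}")
    print(f"peak check-ins per minute, hashed offsets: {after}")
```
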
