Eduroam adoption (and migration process)

2017-04-20 Thread Marcelo Maraboli

Hello everyone.

We are finally adopting EduROAM in our University and we currently have one
SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x
upgrade for us as well.

Would you be so kind as to respond to a couple of questions?


If you adopted EduROAM as your primary SSID:
- Did you leave an SSID for legacy devices? (What AUTH mechanism for this
SSID?)
- How did you "force-move" your users to EduROAM from your old SSID?

If you added EduROAM as just another SSID:
- Why not adopt EduROAM as your primary SSID? (Branding or no interest?)
- Is your primary SSID also 802.1x or MAC-based?
- If 802.1x, why have 2 SSIDs with 802.1x?


thank you all,

--
*Marcelo Maraboli Rosselott*
Deputy Director of Networks and Security
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



Re: Fw: Windows 10 Creators Update

2017-04-20 Thread Scot Colburn
BTW, we found that Windows 10 Creators update 1703 fixed the problem we were 
having with installing eduroam certificates, previously discussed on this list 
as "Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS 
request?"

--Scot

colb...@ucar.edu



Re: [WIRELESS-LAN] Shared iPads

2017-04-20 Thread Marcelo Maraboli
I was thinking of doing the same, but if you create 1 account for all the
iPads, then you do not have a "concurrent user" limit for the rest of the
accounts in your AD, since in your WLC you can limit concurrent users for
_all_ users.

My students can only log in 802.1x with 3 concurrent devices, therefore the
concurrent limit in the WLC is set to 3. Hence, I'd have to create 1 account
for every 3 shareable iPads.

So, I'm guessing the only way to do this is to create 1 account per iPad.

Any comments?


best regards,

On 4/18/17 11:08 AM, Eric Glinsky wrote:


For devices that aren’t assigned to or owned by a specific person, we 
either log them in the 802.1x SSID with one AD account we use for all 
the oddballs, or put them on the PSK SSID.


*From:*The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Benedick, Jason

*Sent:* Monday, April 17, 2017 4:17 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Shared iPads

How do you deal with shared iPads for students authenticating to the 
WiFi network? We currently use an 802.1x enabled SSID using RADIUS 
back to our Microsoft NPS server.


My initial thought is to create an AD account for each iPad, but if we 
start getting a lot of them I can see that becoming very tedious 
managing usernames and passwords for each device.


Thanks,

Jason R. Benedick

IT Generalist

Thaddeus Stevens College of Technology

Office: (717) 391-6957 Cell: (717) 587-9065





--
*Marcelo Maraboli Rosselott*
Deputy Director of Networks and Security
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341




Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

2017-04-20 Thread Steve Bohrer
Just yesterday I was looking at the ticket scanners in one of our theaters,
 (Zebra MC67NA, basically an Android v4.1 phone with a barcode scanner)
because they were connecting at 2.4 rather than 5, and I found that their
Settings > Wifi > Advanced had channel-by-channel enable checkboxes, with
the default setting of only non-DFS channels selected. I checked the boxes
for all the DFS channels, and the scanners joined 5 GHz.

Not sure if this UI setting is in any consumer phones, but it was
interesting to find that level of control on a client device.

Steve Bohrer
IT Infrastructure, Emerson College
617-824-8523




RE: 5 GHz Only Admin WLAN

2017-04-20 Thread Reimer, Paul
I haven’t independently verified all of these of course but it’s interesting 
documentation.

http://clients.mikealbano.com/

Where I’ve been able to test with a client of a given model this has been 
accurate.

I don’t feel client compatibility is a major concern when considering enabling 
DFS channels.

It seems that 144 is the most broadly unsupported and is perhaps the only one I 
wouldn’t consider using.

-Paul Reimer

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Thursday, April 20, 2017 7:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

Here at Liberty University, we generally do not use DFS channels. We are using 
them in a couple of areas where we have APs with a dedicated SSID for wireless 
computer labs. We know the NICs on those computers support the DFS channels. 
Those areas also have light coverage from our normal APs with no DFS.

Management realized it was less expensive to buy dedicated APs for a wireless 
lab than to buy switches for a wired lab.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971


RE: 5 GHz Only Admin WLAN

2017-04-20 Thread Osborne, Bruce W (Network Operations)
Here at Liberty University, we generally do not use DFS channels. We are using 
them in a couple of areas where we have APs with a dedicated SSID for wireless 
computer labs. We know the NICs on those computers support the DFS channels. 
Those areas also have light coverage from our normal APs with no DFS.

Management realized it was less expensive to buy dedicated APs for a wireless 
lab than to buy switches for a wired lab.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jason Cook [mailto:jason.c...@adelaide.edu.au]
Sent: Wednesday, April 19, 2017 7:49 PM
Subject: Re: 5 GHz Only Admin WLAN

A Good point.

Are all DFS channels a problem for some clients or is it primarily in the 
UNII2e spectrum and the UNII2 is ok? I understood the issue was with 
UNII2e only but don’t actually know

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Tuesday, 18 April 2017 10:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

In response to, “2.4 GHz is seeming less and less like a thing to worry about, 
as most devices are already using 5GHz.” I’d caution that 5GHz is a big band, 
and few devices support every channel in it. If you want to get the most out 
of 5GHz by enabling DFS channels, you have to give clients that don’t support a 
particular channel something to connect to. I can think of two ways to do 
that. 1) You can provide overlapping 5GHz coverage, but that’s only reliable 
if your radio management is smart enough to ensure there’s a non-DFS channel 
available everywhere. I’m not sure any do that yet. 2) Dual-band clients in 
an area covered by a 5GHz channel they don’t support can use 2.4GHz if the SSID 
supports it.

My recommendation is to leave 2.4GHz enabled if you use DFS channels.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Bohrer
Sent: Friday, 14 April 2017 2:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

Seems fine, but what's the big deal with having the 2.4 available? Are you 
trying to minimize the amount of (limited) 2.4 GHz bandwidth taken by beacons? 
Or do you just want to assure that the devices you care about don't 
inadvertently grab a slow 2.4 connection?

We are way smaller than you guys, but just with Aruba doing its standard ARM 
stuff, typically less than 10 percent of our connected devices are on 2.4 GHz. 
The majority of these are "registered" student devices that can't do 802.1x 
or 5GHz, mostly game machines. Of the rest, many seem to be things that have 
hopped on our "guest" network but then not actually signed in at the portal. My 
assumption has been that these are phones in the pockets of the many 
non-Emerson people who walk by our buildings.

So, 2.4 GHz is seeming less and less like a thing to worry about, as most 
devices are already using 5GHz.

Steve

On Thu, Mar 23, 2017 at 9:11 PM, Jason Cook wrote:
We run 3 SSIDs essentially doing the same thing but with one 5ghz only. It 
wasn’t targeted for devices where we have more control but as a workaround to 
devices connecting at 2.4 when there’s a perfectly good 5ghz there.

UofA
UofA 5ghz
eduroam

However I don’t like the extra SSID. So the pencilled plan at this point is to 
disable 2.4Ghz on UofA, and remove the UofA 5ghz network. Anyone needing 2.4 
can use eduroam. That would be end of year, so we’ll see if it actually happens.

We don’t advertise on our website anything about the 5ghz only network, so 
there’s no huge take-up which is ok as it wasn’t meant to be permanent. However 
it’s certainly done its job with users on it no longer having the issue of 
jumping back to 2.4 (including me).

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, 24 March 2017 11:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

Existing SSID, turn off 2.4.

Lee Badman (mobile)

On Mar 23, 2017, at 10:17 AM, Jeffrey D. Sessler wrote:
Are you speaking about a separately named SSID, or looking to use an existing 
SSID and radius to steer those clients into a different “admin” network?

Jeff

From: 

RE: [WIRELESS-LAN] Cisco FlexConnect for large deployment

2017-04-20 Thread Mike Atkins
My co-worker typically brings up IP space management when discussing flex
connect/hreap.  Overprovisioning subnets for usage that may never come, or
worse finding out that you under provisioned for that event you never
heard of.  Maybe not an issue for most or anyone.



Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce
Sent: Wednesday, April 19, 2017 7:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco FlexConnect for large deployment

  We have used flex connect in our Residence life buildings for many years
(even back when it was called HREAP).  About 4,300 students and around 500
APs.

  There have been some bugs which were annoying but usually there were
workarounds.

  If you roam between Residence Life buildings the IPs for the device will
change since we have different subnets in different Residence Life
buildings.  But the devices change IPs when they move from the Residence
Life to the Main Campus (local or non-FlexConnect) and that has not caused
any complaints.

> On Apr 19, 2017, at 12:21 PM, Dennis Xu  wrote:
>
> For Cisco customers, has anyone done large deployment with FlexConnect
> mode APs? With the large capacity wireless controllers like 8540, all our
> wireless clients are going to terminate layer 3 at the same switch where
> the 8540 controller is connected to and that switch will have lots of ARP
> entries. The best practice for SUP720's ARP table size from Cisco is only
> 30k, and SUP2T can handle 100K ARP but still not sure if a single switch
> can serve large number of concurrent wireless users. FlexConnect has a
> good idea to spread wireless users across the network, but not sure if
> this solution is suitable for large deployment and if someone has success
> story with it.
>
> Thanks.
>
> Dennis Xu
> University of Guelph
> d...@uoguelph.ca
> www.uoguelph.ca/ccs

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II  701-231-8527
North Dakota State University
