Re: [WIRELESS-LAN] MAC Randomization, a step further...

[Tim Cappalli]

EAP-TTLS is simply an EAP method. What credential and subject type you use is 
up to your configuration and policy.

RE: EMMs (speaking generically), yes many need to have additional config 
options exposed for Passpoint parameters but you don't need client certificates 
for Passpoint. If no customers ask for a capability, it likely will not be 
implemented in any product. It won't be an overnight flip of the switch to 
eliminate your existing 802.1X SSID so those EMM managed devices can continue 
as they normally would. Visitors with credentials from another IdP can 
seamlessly connect in the meantime. It's a marathon, not a sprint.

Unfortunately there's been so much negativity around Passpoint over the years 
that not many people have engaged with vendors on it. Just my opinion. Outside 
of the eduroam advisory council and historical interest in the technology, I 
really have no other vested interest in the topic.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of James Andrewartha 

Sent: Monday, July 20, 2020, 23:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

On 21/7/20 11:04 am, Tim Cappalli wrote:
> Both major Wi-Fi vendors have Passpoint offerings that are either
> available or in preview.

I'm talking about the client side. Intune doesn't even have a CA either
(no the short-lived one for conditional access doesn't count). Where's
the Microsoft supported agent that does device-specific TTLS-PAP like
you suggest?

Also 
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.securew2.com%2Fblog%2Fpitfalls-of-eap-ttls-pap%2Fdata=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Ca83f24666b4f421d719408d82d23afd8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637308978591817681sdata=AsFb0%2BDplHGzVWHxo6qWKqw9XYJuH5Md3YhdYEpQFzY%3Dreserved=0
 is the top
google result for [TTLS-PAP], admittedly it's about user credentials not
device credentials but it's still a risk.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Ca83f24666b4f421d719408d82d23afd8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637308978591817681sdata=SMZUP69xXENTzXPmKbytbI%2FMYBuP3Hwk4jsSDy9D1rA%3Dreserved=0


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] MAC Randomization, a step further...

[James Andrewartha]

On 21/7/20 11:04 am, Tim Cappalli wrote:
> Both major Wi-Fi vendors have Passpoint offerings that are either
> available or in preview.

I'm talking about the client side. Intune doesn't even have a CA either
(no the short-lived one for conditional access doesn't count). Where's
the Microsoft supported agent that does device-specific TTLS-PAP like
you suggest?

Also https://www.securew2.com/blog/pitfalls-of-eap-ttls-pap/ is the top
google result for [TTLS-PAP], admittedly it's about user credentials not
device credentials but it's still a risk.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] MAC Randomization, a step further...

[Tim Cappalli]

Both major Wi-Fi vendors have Passpoint offerings that are either available or 
in preview.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 22:34
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
On 21/7/20 5:21 am, Tim Cappalli wrote:
> Passpoint solves all of these issues.

Where is the vendor support for it? Autopilot white glove doesn't even
support wireless networks at all.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C3cb035d18c7248779cf308d82d1ea118%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637308956870326069sdata=8LcqGwSOQ31E0JZYw3WMIcq2zVYQ9fYbb%2Bj7zl1RzGY%3Dreserved=0

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] MAC Randomization, a step further...

[James Andrewartha]

On 21/7/20 5:21 am, Tim Cappalli wrote:
> Passpoint solves all of these issues.

Where is the vendor support for it? Autopilot white glove doesn't even
support wireless networks at all.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

[Tim Cappalli]

Agreed that there are some privacy concerns, but many are in the process of 
being addressed. I’d argue that the privacy concerns with Passpoint are no 
different than with eduroam today. At least Passpoint gives the user more 
visibility into the actual operator of the network they’re connected to. 
"Traditional" eduroam (SSID-based) is a mystical, random thing for end users.

Certificate management is not a new problem for Wi-Fi either.  Passpoint 
actually makes it a bit easier though because the profile can be lifecycle 
managed through an existing app, often with little to no user interaction.

You also don’t have to use client certs for Passpoint. Actually, right now, my 
recommendation is to not use certificate-based auth due to privacy concerns. 
Device-specific credentials with EAP-TTLS/PAP and an anonymous outer identity 
is the recommended path.

There’s really no path forward without Passpoint (unless you really don’t care 
about user experience and security).

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 21:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - 
Special issue (#2020-88)
Passpoint solves some issues (less SSIDs, encryption, instant access) and then 
it brings other issues like Privacy and authentication pains
(certificate expiration, loss of credentials)

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






On Jul 20, 2020, at 9:42 PM, Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:

There has been an exponential increase in Passpoint rollouts in the past 18 
months, on both the network infrastructure side as well as clients.

Ping your vendor. The more people talk about it (and ask for it), the faster it 
will be adopted and rolled out.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Monday, July 20, 2020 at 21:39
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - 
Special issue (#2020-88)
Passpoint solves all of these issues.

Tim

Count me in the fan bucket when widely deployed.  But when will that be I 
wonder?  MAC rotation increases in a few months.

I recognize institutions have different relations with their guests.  For ours 
the friction/intrusiveness of onboarding processes was considered too high a 
cost.  I know I would not want to run another institutions software on my 
device to onboard it to their Wi-Fi (and for some it is prohibited).


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 

Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

[Philippe Hanset]

Passpoint solves some issues (less SSIDs, encryption, instant access) and then 
it brings other issues like Privacy and authentication pains
(certificate expiration, loss of credentials)

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






> On Jul 20, 2020, at 9:42 PM, Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> 
> There has been an exponential increase in Passpoint rollouts in the past 18 
> months, on both the network infrastructure side as well as clients.
>  
> Ping your vendor. The more people talk about it (and ask for it), the faster 
> it will be adopted and rolled out.
>  
> tim 
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  >
> Date: Monday, July 20, 2020 at 21:39
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>  
>  >
> Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 
> - Special issue (#2020-88)
> 
> Passpoint solves all of these issues.
>  
> Tim
>  
> Count me in the fan bucket when widely deployed.  But when will that be I 
> wonder?  MAC rotation increases in a few months.
>  
> I recognize institutions have different relations with their guests.  For 
> ours the friction/intrusiveness of onboarding processes was considered too 
> high a cost.  I know I would not want to run another institutions software on 
> my device to onboard it to their Wi-Fi (and for some it is prohibited).
>  
> 
> --
> William Green, Director of Networking and Telecommunications
> The University of Texas at Austin | ITS | 512-475-9295 | 
> gr...@austin.utexas.edu 
>  
>  
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community 
> 
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community 

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

[Tim Cappalli]

There has been an exponential increase in Passpoint rollouts in the past 18 
months, on both the network infrastructure side as well as clients.

Ping your vendor. The more people talk about it (and ask for it), the faster it 
will be adopted and rolled out.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 21:39
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - 
Special issue (#2020-88)
Passpoint solves all of these issues.

Tim

Count me in the fan bucket when widely deployed.  But when will that be I 
wonder?  MAC rotation increases in a few months.

I recognize institutions have different relations with their guests.  For ours 
the friction/intrusiveness of onboarding processes was considered too high a 
cost.  I know I would not want to run another institutions software on my 
device to onboard it to their Wi-Fi (and for some it is prohibited).


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

[Green, William C]

Passpoint solves all of these issues.

Tim

Count me in the fan bucket when widely deployed.  But when will that be I 
wonder?  MAC rotation increases in a few months.

I recognize institutions have different relations with their guests.  For ours 
the friction/intrusiveness of onboarding processes was considered too high a 
cost.  I know I would not want to run another institutions software on my 
device to onboard it to their Wi-Fi (and for some it is prohibited).


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Request for outdoor wifi access point mounting example photos

[Blake Brown]

How are you providing AC/DC power and are these setup in a mesh configuration 
or wired back into the network?

Thanks,
Blake

Sent from my cell phone

On Jul 20, 2020, at 6:20 PM, Smith, Nayef  wrote:

 External Email

Thanks Ricardo.  I agree with your observation regarding limited options. We’ve 
deployed the x75s using the nearest utility poles up to this point and painted 
them. We’re now challenged with providing service to our main quad with few 
utilities structures and buildings with specialized exterior surfaces.  The 
“bee hives” just aren’t subtle.

Nayef

Nayef Z Smith
Emory University - Network Services
404-727-6019

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Ricardo Stella 

Sent: Monday, July 20, 2020 8:47:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [External] Re: [WIRELESS-LAN] Request for outdoor wifi access point 
mounting example photos


When you mention "minimizing visual impact" you reduce your options big time. 
Basically for this, my suggestion is to use NEMA enclosures for the AP. For 
Aruba, you could use AP-367 for example (not sure which are the 500 equivalent) 
which can be mounted horizontally and don't require antennas. Otherwise you 
would need an enclosure for the AP and another one for the external antennas. 
The enclosures can be painted to somewhat match the exterior color.

Otherwise, omni units will need an arm that extends out, and the AP hanging 
below it. Aruvb's x75 units look like a bucket. x65 units are narrow but also 
hang below.

You can always hide them like Disney does. Except in Galaxy's Edge..




On Mon, Jul 20, 2020 at 5:26 PM Hales, David 
mailto:dha...@tntech.edu>> wrote:

We had a really good thread about this a while back, The subject line was 
“Aruba AP-3XX mounting question” and it was last July in case anyone wants to 
look in the old digests.  I’m forwarding you a copy of the thread directly.



David Hales

Network Systems Administrator

Information Technology Services

1010 N. Peachtree

Clement Hall 117

Cookeville, TN 38505

P 931-372-3983

F 931-372-6130

E dha...@tntech.edu

www.tntech.edu/its






From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Smith, Nayef
Sent: Monday, July 20, 2020 4:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Request for outdoor wifi access point mounting example 
photos



External Email Warning

This email originated from outside the university. Please use caution when 
opening attachments, clicking links, or responding to requests.



Hello All,



We are in the process of designing an outdoor wifi deployment utilizing APs 
mounted on building exteriors.  We want to minimize their visual impact where 
possible.  Any photos or lessons learned you can share would be appreciated.  
We're particularly interested to see what others have done to camouflage or 
creatively conceal the mountings to reduce visibility.



Thanks in advance,

Nayef



Nayef Z. Smith | Emory LITS Network Services | Suite 1700 | 1762 Clifton Road | 
Atlanta GA 30322 | Voice: 404-727-6019 | 
nayef.z.sm...@emory.edu





This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 

Re: [External] Re: [WIRELESS-LAN] Request for outdoor wifi access point mounting example photos

[Smith, Nayef]

Thanks Ricardo.  I agree with your observation regarding limited options. We’ve 
deployed the x75s using the nearest utility poles up to this point and painted 
them. We’re now challenged with providing service to our main quad with few 
utilities structures and buildings with specialized exterior surfaces.  The 
“bee hives” just aren’t subtle.

Nayef

Nayef Z Smith
Emory University - Network Services
404-727-6019

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Ricardo Stella 

Sent: Monday, July 20, 2020 8:47:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [External] Re: [WIRELESS-LAN] Request for outdoor wifi access point 
mounting example photos


When you mention "minimizing visual impact" you reduce your options big time. 
Basically for this, my suggestion is to use NEMA enclosures for the AP. For 
Aruba, you could use AP-367 for example (not sure which are the 500 equivalent) 
which can be mounted horizontally and don't require antennas. Otherwise you 
would need an enclosure for the AP and another one for the external antennas. 
The enclosures can be painted to somewhat match the exterior color.

Otherwise, omni units will need an arm that extends out, and the AP hanging 
below it. Aruvb's x75 units look like a bucket. x65 units are narrow but also 
hang below.

You can always hide them like Disney does. Except in Galaxy's Edge..




On Mon, Jul 20, 2020 at 5:26 PM Hales, David 
mailto:dha...@tntech.edu>> wrote:

We had a really good thread about this a while back, The subject line was 
“Aruba AP-3XX mounting question” and it was last July in case anyone wants to 
look in the old digests.  I’m forwarding you a copy of the thread directly.



David Hales

Network Systems Administrator

Information Technology Services

1010 N. Peachtree

Clement Hall 117

Cookeville, TN 38505

P 931-372-3983

F 931-372-6130

E dha...@tntech.edu

www.tntech.edu/its

[Tennessee Tech 
Logo]



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Smith, Nayef
Sent: Monday, July 20, 2020 4:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Request for outdoor wifi access point mounting example 
photos



External Email Warning

This email originated from outside the university. Please use caution when 
opening attachments, clicking links, or responding to requests.



Hello All,



We are in the process of designing an outdoor wifi deployment utilizing APs 
mounted on building exteriors.  We want to minimize their visual impact where 
possible.  Any photos or lessons learned you can share would be appreciated.  
We're particularly interested to see what others have done to camouflage or 
creatively conceal the mountings to reduce visibility.



Thanks in advance,

Nayef



Nayef Z. Smith | Emory LITS Network Services | Suite 1700 | 1762 Clifton Road | 
Atlanta GA 30322 | Voice: 404-727-6019 | 
nayef.z.sm...@emory.edu





This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent 

Re: MAC Randomization, a step further...

[Jeffrey D. Sessler]

As higer-ed transitions more and more to SaaS/IaaS services, and we are running 
fewer services on-premise,  WiFi is nothing more than a commodity gateway to 
the Internet.  Why not make it easier on everyone and move to less obtrusive 
ways to get folks connected?

Passpoint, or rather, OpenRoaming, looks to be the direction everyone is head 
in.  The bigger question is if one wants to be an identity provider, or let 
users gain access via their mobile, ISP, Cable, or other providers.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 2:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Passpoint solves all of these issues.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 17:14
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

For guests, I've been tossing around the idea of an open network. No

.1x, no PSK, no captive portal. Affiliates would be encouraged to use

eduroam via SSO nag. Columbia University had a presentation on how they

are doing the open network side of this. I suspect the most difficult

part will be getting legal on board. Who has an open network? What have

your experiences been? This is only tangentially related, so feel free

to split it into a new thread.

We run an open network for guests.  It has been wonderful for guests and they 
all like it.

The major problem has been student, faculty, staff devices connect to the guest 
network (usually unbeknown to the user).  Restrictions on that network then 
cause support calls.  Google decided the network was “good” and so Android 
devices connect by default (then VPN tunnel back to Google).  We don’t want to 
block that due to guests.

But maybe there will be a new problem.  When devices have been found infected 
on any of our networks we’ve quarantined by MAC address.  Hmmm… so for our 
users we can quarantine by their user name (much less helpful to take all their 
devices offline instead of just the one infected, but hey this progress right). 
 I don’t know what we do with infected guest devices (or as our users’ device 
decides to move to the guest network because they were blocked on the main 
network) if they are randomizing between connections.  Vendors haven’t thought 
this through.  That may push a registration method with credentials for guests 
— meaning less privacy?


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] Request for outdoor wifi access point mounting example photos

[Scott Himes]

Hi Nayef,

Also search for the thread from May 2018 with the subject line of "Photos
of outdoor APs on building" – there were a number of great examples in that
thread as well.

Best,
*Scott Himes | Biola University *
*Director, Network Operations | Information Technology*
WebEx Meeting Room  | +15627774090


On Mon, Jul 20, 2020 at 2:26 PM Hales, David  wrote:

> We had a really good thread about this a while back, The subject line was
> “Aruba AP-3XX mounting question” and it was last July in case anyone wants
> to look in the old digests.  I’m forwarding you a copy of the thread
> directly.
>
>
>
> *David Hales*
>
> *Network Systems Administrator*
>
> *Information Technology Services*
>
> 1010 N. Peachtree
>
> Clement Hall 117
>
> Cookeville, TN 38505
>
> *P* 931-372-3983
>
> *F* 931-372-6130
>
> *E* *dha...@tntech.edu* 
>
> *www.tntech.edu/its* 
>
> *[image: Tennessee Tech Logo]* 
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Smith, Nayef
> *Sent:* Monday, July 20, 2020 4:22 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Request for outdoor wifi access point mounting
> example photos
>
>
>
> *External Email Warning*
>
> *This email originated from outside the university. Please use caution
> when opening attachments, clicking links, or responding to requests.*
> --
>
> Hello All,
>
>
>
> We are in the process of designing an outdoor wifi deployment utilizing
> APs mounted on building exteriors.  We want to minimize their visual impact
> where possible.  Any photos or lessons learned you can share would be
> appreciated.  We're particularly interested to see what others have done to
> camouflage or creatively conceal the mountings to reduce visibility.
>
>
>
> Thanks in advance,
>
> Nayef
>
>
>
> Nayef Z. Smith | *Emory LITS* *Network Services* | Suite 1700 | 1762
> Clifton Road | Atlanta GA 30322 | Voice: 404-727-6019 |
> nayef.z.sm...@emory.edu
>
>
> --
>
>
> This e-mail message (including any attachments) is for the sole use of
> the intended recipient(s) and may contain confidential and privileged
> information. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution
> or copying of this message (including any attachments) is strictly
> prohibited.
>
> If you have received this message in error, please contact
> the sender by reply e-mail message and destroy all copies of the
> original message (including attachments).
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Chromebook Suggestions

[Gray, Sean]

Hi wi-fi peeps!

Our ITS department is looking to buy a Chromebook, and I've been asked to look 
into whether there are better ones for testing wi-fi. So before I start 
trawling the web, I though I'd throw it out to the forum and see what 
experiences you folks have had with Chromebooks, and if you would recommend any 
to use for a quick and easy wi-fi troubleshooting tool for our 1st line group. 
From a high level this will essentially be used as a means of comparison when 
students bring in their device, so they can help to narrow down the cause of 
the issue, before potentially escalating to me. Also it would be beneficial if 
it could host some kind of app that gave them a simple (perhaps graphical) 
interface showing audible WLANs & RSSI.

I realize that one way to look at this is to try and identify the most commonly 
used Chromebook by our students, so we can truly mirror their experience. So 
this is something that is being taken into consideration.

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: Request for outdoor wifi access point mounting example photos

[Hales, David]

We had a really good thread about this a while back, The subject line was 
"Aruba AP-3XX mounting question" and it was last July in case anyone wants to 
look in the old digests.  I'm forwarding you a copy of the thread directly.

David Hales
Network Systems Administrator
Information Technology Services
1010 N. Peachtree
Clement Hall 117
Cookeville, TN 38505
P 931-372-3983
F 931-372-6130
E dha...@tntech.edu
www.tntech.edu/its
[Tennessee Tech Logo]

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Smith, Nayef
Sent: Monday, July 20, 2020 4:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Request for outdoor wifi access point mounting example 
photos


External Email Warning

This email originated from outside the university. Please use caution when 
opening attachments, clicking links, or responding to requests.


Hello All,

We are in the process of designing an outdoor wifi deployment utilizing APs 
mounted on building exteriors.  We want to minimize their visual impact where 
possible.  Any photos or lessons learned you can share would be appreciated.  
We're particularly interested to see what others have done to camouflage or 
creatively conceal the mountings to reduce visibility.

Thanks in advance,
Nayef

Nayef Z. Smith | Emory LITS Network Services | Suite 1700 | 1762 Clifton Road | 
Atlanta GA 30322 | Voice: 404-727-6019 | 
nayef.z.sm...@emory.edu



This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Request for outdoor wifi access point mounting example photos

[Smith, Nayef]

Hello All,

We are in the process of designing an outdoor wifi deployment utilizing APs 
mounted on building exteriors.  We want to minimize their visual impact where 
possible.  Any photos or lessons learned you can share would be appreciated.  
We're particularly interested to see what others have done to camouflage or 
creatively conceal the mountings to reduce visibility.

Thanks in advance,
Nayef

Nayef Z. Smith | Emory LITS Network Services | Suite 1700 | 1762 Clifton Road | 
Atlanta GA 30322 | Voice: 404-727-6019 | nayef.z.sm...@emory.edu



This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: MAC Randomization, a step further...

[Tim Cappalli]

Passpoint solves all of these issues.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, July 20, 2020 at 17:14
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

For guests, I've been tossing around the idea of an open network. No

.1x, no PSK, no captive portal. Affiliates would be encouraged to use

eduroam via SSO nag. Columbia University had a presentation on how they

are doing the open network side of this. I suspect the most difficult

part will be getting legal on board. Who has an open network? What have

your experiences been? This is only tangentially related, so feel free

to split it into a new thread.

We run an open network for guests.  It has been wonderful for guests and they 
all like it.

The major problem has been student, faculty, staff devices connect to the guest 
network (usually unbeknown to the user).  Restrictions on that network then 
cause support calls.  Google decided the network was “good” and so Android 
devices connect by default (then VPN tunnel back to Google).  We don’t want to 
block that due to guests.

But maybe there will be a new problem.  When devices have been found infected 
on any of our networks we’ve quarantined by MAC address.  Hmmm… so for our 
users we can quarantine by their user name (much less helpful to take all their 
devices offline instead of just the one infected, but hey this progress right). 
 I don’t know what we do with infected guest devices (or as our users’ device 
decides to move to the guest network because they were blocked on the main 
network) if they are randomizing between connections.  Vendors haven’t thought 
this through.  That may push a registration method with credentials for guests 
— meaning less privacy?


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: MAC Randomization, a step further...

[Green, William C]

For guests, I've been tossing around the idea of an open network. No
.1x, no PSK, no captive portal. Affiliates would be encouraged to use
eduroam via SSO nag. Columbia University had a presentation on how they
are doing the open network side of this. I suspect the most difficult
part will be getting legal on board. Who has an open network? What have
your experiences been? This is only tangentially related, so feel free
to split it into a new thread.


We run an open network for guests.  It has been wonderful for guests and they 
all like it.

The major problem has been student, faculty, staff devices connect to the guest 
network (usually unbeknown to the user).  Restrictions on that network then 
cause support calls.  Google decided the network was “good” and so Android 
devices connect by default (then VPN tunnel back to Google).  We don’t want to 
block that due to guests.

But maybe there will be a new problem.  When devices have been found infected 
on any of our networks we’ve quarantined by MAC address.  Hmmm… so for our 
users we can quarantine by their user name (much less helpful to take all their 
devices offline instead of just the one infected, but hey this progress right). 
 I don’t know what we do with infected guest devices (or as our users’ device 
decides to move to the guest network because they were blocked on the main 
network) if they are randomizing between connections.  Vendors haven’t thought 
this through.  That may push a registration method with credentials for guests 
— meaning less privacy?


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Johnson, Christopher]

Jonathan, I was thinking the same thing about possibility of multiple macs onto 
a single unique certificate for Airwave.

I am curious though. Does anyone happen to know the maximum number of 
"unique/randomized mac addresses" that can be allotted?

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and 
Twitter

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Monday, July 20, 2020 12:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

[This message came from an external source. If suspicious, report to 
ab...@ilstu.edu]

For .1x connections, per device certs seems to be the way to go. I'm not sure 
if Airwave and other monitoring tools have a way to consolidate multiple macs 
to a single device based on the cert, though.

For guests, I've been tossing around the idea of an open network. No .1x, no 
PSK, no captive portal. Affiliates would be encouraged to use eduroam via SSO 
nag. Columbia University had a presentation on how they are doing the open 
network side of this. I suspect the most difficult part will be getting legal 
on board. Who has an open network? What have your experiences been? This is 
only tangentially related, so feel free to split it into a new thread.

On 2020-07-20 15:18:46, Johnson, Christopher wrote:
> Default behavior matters indeed. Got a preview of what to expect over the 
> weekend.
>
> Found one individual that was in Aruba Airwave “12 Times” for their iPhone 
> 14.0 over past couple of weeks and another “6 times”. It appears that as long 
> as the device remains “connected” to the network beyond the 24 hours, the MAC 
> Address will remain the same. Although if they’re fully de-authenticated or 
> move say into an elevator or outside (or a class phone reboot occurs in the 
> pocket) – then the MAC Address will update upon establishing a new connection 
> – that is just the initial observation I saw.
> Christopher Johnson
> Wireless Network Engineer
> Office of Technology Solutions | Illinois State University
> (309) 438-8444
>
> Stay connected with ISU IT news and tips with @ISU IT Help on 
> Facebook and 
> Twitter
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Enfield, Chuck
> Sent: Tuesday, July 14, 2020 12:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> [This message came from an external source. If suspicious, report to 
> ab...@ilstu.edu]
> True, but default behavior matters.
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCA
> USE.EDU>> On Behalf Of Rios, Hector J
> Sent: Tuesday, July 14, 2020 1:12 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU SE.EDU>
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> Please note that MAC randomization is not just a feature of Android and iOS. 
> It is supported across other operating systems.
>
> Hector Rios, Wireless Network Architect The University of Texas at 
> Austin
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCA
> USE.EDU>> On Behalf Of Jonathan Miller
> Sent: Tuesday, July 14, 2020 11:32 AM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU SE.EDU>
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> For those of us using ClearPass to authenticate users to eduroam, does this 
> mean that every iOS device will get registered as a new endpoint every day?  
> For others, does your NAC store a client's MAC persistently?  I'm assuming 
> that the answer to both is yes.
>
> How can we plan for the impact of that on our databases?  Should we delete 
> all iOS and Android devices after 48 hours?  Am I missing something obvious?
>
> Jonathan Miller
> Senior Network Analyst
> Franklin and Marshall College
>
>
> On Fri, Jul 10, 2020 at 4:37 PM Enfield, Chuck 
> mailto:cae...@psu.edu>> wrote:
> PS – My plan for supporting our guest network will be to tell any user who 
> contacts us with an Apple device that the network is fine and they should 
> contact Apple for device support.  I can’t get away with that for our 
> enterprise network, but Apple is going to own the guest problem.
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCA
> USE.EDU>> On Behalf Of Enfield, Chuck
> Sent: Friday, July 10, 2020 4:34 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU SE.EDU>
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> My point wasn’t to 

Re: [WIRELESS-LAN] MAC Randomization, a step further...

[Jonathan Waldrep]

For .1x connections, per device certs seems to be the way to go. I'm not
sure if Airwave and other monitoring tools have a way to consolidate
multiple macs to a single device based on the cert, though.

For guests, I've been tossing around the idea of an open network. No
.1x, no PSK, no captive portal. Affiliates would be encouraged to use
eduroam via SSO nag. Columbia University had a presentation on how they
are doing the open network side of this. I suspect the most difficult
part will be getting legal on board. Who has an open network? What have
your experiences been? This is only tangentially related, so feel free
to split it into a new thread.

On 2020-07-20 15:18:46, Johnson, Christopher wrote:
> Default behavior matters indeed. Got a preview of what to expect over the 
> weekend.
> 
> Found one individual that was in Aruba Airwave “12 Times” for their iPhone 
> 14.0 over past couple of weeks and another “6 times”. It appears that as long 
> as the device remains “connected” to the network beyond the 24 hours, the MAC 
> Address will remain the same. Although if they’re fully de-authenticated or 
> move say into an elevator or outside (or a class phone reboot occurs in the 
> pocket) – then the MAC Address will update upon establishing a new connection 
> – that is just the initial observation I saw.
> Christopher Johnson
> Wireless Network Engineer
> Office of Technology Solutions | Illinois State University
> (309) 438-8444
> 
> Stay connected with ISU IT news and tips with @ISU IT Help on 
> Facebook and 
> Twitter
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Enfield, Chuck
> Sent: Tuesday, July 14, 2020 12:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
> 
> [This message came from an external source. If suspicious, report to 
> ab...@ilstu.edu]
> True, but default behavior matters.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  On Behalf Of Rios, Hector J
> Sent: Tuesday, July 14, 2020 1:12 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
> 
> Please note that MAC randomization is not just a feature of Android and iOS. 
> It is supported across other operating systems.
> 
> Hector Rios, Wireless Network Architect
> The University of Texas at Austin
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  On Behalf Of Jonathan Miller
> Sent: Tuesday, July 14, 2020 11:32 AM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
> 
> For those of us using ClearPass to authenticate users to eduroam, does this 
> mean that every iOS device will get registered as a new endpoint every day?  
> For others, does your NAC store a client's MAC persistently?  I'm assuming 
> that the answer to both is yes.
> 
> How can we plan for the impact of that on our databases?  Should we delete 
> all iOS and Android devices after 48 hours?  Am I missing something obvious?
> 
> Jonathan Miller
> Senior Network Analyst
> Franklin and Marshall College
> 
> 
> On Fri, Jul 10, 2020 at 4:37 PM Enfield, Chuck 
> mailto:cae...@psu.edu>> wrote:
> PS – My plan for supporting our guest network will be to tell any user who 
> contacts us with an Apple device that the network is fine and they should 
> contact Apple for device support.  I can’t get away with that for our 
> enterprise network, but Apple is going to own the guest problem.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  On Behalf Of Enfield, Chuck
> Sent: Friday, July 10, 2020 4:34 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
> 
> My point wasn’t to debate Passpoint either.  I’m wondering if Apple actually 
> has a plan, and if so, if they’ve bothered to tell anybody.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  On Behalf Of Tim Cappalli
> Sent: Friday, July 10, 2020 4:22 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
> 
> Passpoint is not just about mobile network operators. Any identity provider 
> can provision a Passpoint profile. That is the whole drive behind 
> OpenRoaming. The industry goal is that every user has at least 2 Passpoint 
> profiles on their devices: one tied to their enterprise/school identity and 
> the other tied to a personal identity. The traditional 

RE: [WIRELESS-LAN] MAC Randomization, a step further...

[Johnson, Christopher]

Default behavior matters indeed. Got a preview of what to expect over the 
weekend.

Found one individual that was in Aruba Airwave “12 Times” for their iPhone 14.0 
over past couple of weeks and another “6 times”. It appears that as long as the 
device remains “connected” to the network beyond the 24 hours, the MAC Address 
will remain the same. Although if they’re fully de-authenticated or move say 
into an elevator or outside (or a class phone reboot occurs in the pocket) – 
then the MAC Address will update upon establishing a new connection – that is 
just the initial observation I saw.
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook and 
Twitter
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Tuesday, July 14, 2020 12:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

[This message came from an external source. If suspicious, report to 
ab...@ilstu.edu]
True, but default behavior matters.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Rios, Hector J
Sent: Tuesday, July 14, 2020 1:12 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Please note that MAC randomization is not just a feature of Android and iOS. It 
is supported across other operating systems.

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Jonathan Miller
Sent: Tuesday, July 14, 2020 11:32 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

For those of us using ClearPass to authenticate users to eduroam, does this 
mean that every iOS device will get registered as a new endpoint every day?  
For others, does your NAC store a client's MAC persistently?  I'm assuming that 
the answer to both is yes.

How can we plan for the impact of that on our databases?  Should we delete all 
iOS and Android devices after 48 hours?  Am I missing something obvious?

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College


On Fri, Jul 10, 2020 at 4:37 PM Enfield, Chuck 
mailto:cae...@psu.edu>> wrote:
PS – My plan for supporting our guest network will be to tell any user who 
contacts us with an Apple device that the network is fine and they should 
contact Apple for device support.  I can’t get away with that for our 
enterprise network, but Apple is going to own the guest problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 4:34 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

My point wasn’t to debate Passpoint either.  I’m wondering if Apple actually 
has a plan, and if so, if they’ve bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Passpoint is not just about mobile network operators. Any identity provider can 
provision a Passpoint profile. That is the whole drive behind OpenRoaming. The 
industry goal is that every user has at least 2 Passpoint profiles on their 
devices: one tied to their enterprise/school identity and the other tied to a 
personal identity. The traditional enterprise/school onboarding process stays 
largely the same, except some additional Passpoint logic is added.

Mobile network operators / cell providers are only one (optional) piece of the 
puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond 
it being a solution for network access. Don’t want to take away from the OG 
conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, July 10, 2020 at 16:17
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
Understood, but few Wi-Fi operators actually support Passpoint on their 
networks.  Since Apple is eliminating the alternatives, they either must be 
idiots (my bet) or have a proposal for what we 

Re: [WIRELESS-LAN] XPS 15 Laptop - Killer Networking NIC Experience

[Jonathan Waldrep]

Killer doesn't make its own chipsets. I would use the drivers for the
underlying chip. For example, Killer's Wi-Fi 6 card is just a rebranded
Intel AX200. IIRC, the Wi-Fi 5 cards use Qualcomm. Use the
Intel/Qualcomm drivers and ditch the KCC.

On 2020-07-17 20:58:37, Johnson, Christopher wrote:
> Joel - You are correct. Intel bought/acquired them in May this year from an 
> article I saw.
> 
> Brad - Thank you! That was very helpful - I'm skeptic when I see NICs 
> 'demolished' on a forum - while at same time - I my self have come across 
> terrible NICs (Broadcom Adapter that sees the worst 5GHz signal as 100% 
> Quality - Face Palm). I would be interested in discussing further and can 
> e-mail you directly.
> 
> Thank you all for your input and hope you have a good weekend!
> Christopher Johnson
> Wireless Network Engineer
> Office of Technology Solutions | Illinois State University
> (309) 438-8444
> 
> Stay connected with ISU IT news and tips with @ISU IT Help on 
> Facebook and 
> Twitter
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Floyd, Brad
> Sent: Friday, July 17, 2020 1:59 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] XPS 15 Laptop - Killer Networking NIC Experience
> 
> [This message came from an external source. If suspicious, report to 
> ab...@ilstu.edu]
> Christopher,
> We have had a group of users for years that have Alienware laptops with the 
> Killer Wireless chips in them. The only wireless connection / reliability 
> issue we have seen were due to a couple of settings in the "Killer Control 
> Center" (KCC) that manages wireless chip settings / features. The settings we 
> have found in KCC are extremely wirelessly disruptive to a percentage of 
> users. We change those settings, but find that some driver version upgrades 
> reset them. These settings affect users on both our 802.1X and open guest 
> wireless networks. I hope this helps. If you want to discuss further, let me 
> know.
> Thanks,
> Brad
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Christopher
> Sent: Friday, July 17, 2020 12:50 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] XPS 15 Laptop - Killer Networking NIC Experience
> 
> [EXTERNAL SENDER]
> Good Afternoon everyone,
> 
> Curious what everyone's experience has been with the "Killer Networking  - 
> https://support.killernetworking.com/; NICs - probably not the best name for 
> a product? Which seemed to have been included with the Dell XPS 15 laptop? If 
> they're as "stay far away from" as a couple forum posts I've seen - where 
> Dell was just flat out been replacing them under warranty with Intel 8265 
> NICs - 
> https://www.dell.com/community/Laptops-General-Read-Only/XPS-15-9560-Killer-Wireless-killing-my-network/td-p/5095933
> I'm not looking at replacing them. One of the staff members on campus 
> mentioned this issue to me (issues at home and on-campus) - latest drivers, 
> etc. Trying to determine if recommending an alternate card preferable - or 
> tweaking some of the driver sets might be best.
> Christopher Johnson
> Wireless Network Engineer
> Office of Technology Solutions | Illinois State University
> (309) 438-8444

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community