RE: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Edward Ip
Funny you bring up this product, I just had a meeting with our Aruba 
territorial rep and have been told Aruba QuickConnect is end of life. We used 
to use it to onboard client devices. It is pretty easy to use for everyone. 
However, now that it is end of life, I need to look for a replacement without 
killing the bank.

Edward Ip
Algonquin College

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jennifer Minella
Sent: Wednesday, February 3, 2021 4:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


Aruba added the ClearPass QuickConnect app/tool recently - specifically to 
allow end users to easily provision secure/1X networks. It's obviously geared 
for BYOD but perfect for HED. I don't know how well it works, it's relatively 
new. Have y'all seen it used anywhere?
https://www.arubanetworks.com/assets/ds/DS_ClearPass_QuickConnect.pdf

From the datasheet:

How it works
Aruba's exclusive cloud-hosted provisioning utility lets IT create 
a ClearPass QuickConnect deployment package with all necessary endpoint 
variables. It can then be run from a web server or distributed via a USB 
storage device or CD. The cloud-hosted utility also lets IT quickly create and 
distribute new packages that contain configuration changes as your network 
changes. For example, IT can quickly push out SSID changes and support new 
features in a timely and transparent manner.

Supported supplicants
  *   Windows native supplicant - Vista and 7
  *   Macintosh native supplicant
  *   iPhone, iPad and iPod native supplicants
  *   Android native supplicant

Supported EAP methods
  *   PEAP - EAP-MSCHAPv2, EAP-GTC, EAP-TLS
  *   EAP-TLS
  *   EAP-TTLS - PAP, MSCHAPv2
  *   EAP-FAST

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Michael Holden <mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 1:16 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


1.  Download the CA cert from the ClearPass Guest Captive Portal Page
2.  Go to Settings
3.  Network & Internet
4.  Wi-Fi
5.  Wi-Fi preferences
6.  Advanced
7.  Install Certificate
8.  Choose the Certificate downloaded in the first step
9.  Name the Certificate
10. Connect to the Secure SSID
    a.  Change the Certificate from System Certs to the Certificate name 
        entered in the previous step
    b.  Domain to 
    c.  Identity as the username
    d.  Password as the user's password
    e.  Connect
11. Confirm Wireless is connected to the WPA2-Enterprise SSID
    a.  You 

Re: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Richie Penuela
Count me in!

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Wednesday, February 3, 2021 5:05:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

100% agree and I've been preaching that for years, but there are many folks who 
have shared opinions that user experience is more important than credential 
security.

And a slightly tangential but still very related topic: what are you going to 
do when users no longer have passwords? It's coming sooner than you may think. 
Kill two birds with one stone and ditch passwords while improving user 
experience for network access as soon as possible.

We should probably fork this topic to a new thread or even maybe have an ad hoc 
virtual meeting on this topic! Every single (quarterly) thread about EAP server 
certificates and supplicant config ends with us drifting off course.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Enfield, Chuck 

Sent: Wednesday, February 3, 2021 16:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


I know I’m singing to the choir when responding to you two, but it’s worth 
reminding readers that the main risk here isn’t to the network.  It’s to the 
user’s account credentials.  I’m pretty sure we think that’s important in 
higher ed too.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Wednesday, February 3, 2021 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



For higher ed, you're absolutely right. For all other enterprise use cases, 
credential security is super important.



Unfortunately a network supplicant is not aware of the deployment type and 
can't adapt.



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jennifer Minella 

Sent: Wednesday, February 3, 2021 16:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



There’s a fine, grey line between optimal security and usability



___

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

j...@cadinc.com

919.460.1313 Main Office

919.539.2726 Mobile/text




From: Tim Cappalli 
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021



Jennifer, this has been extensively discussed on this list for the past few 
months which is why I said that nothing has changed since those conversations. 
This current thread makes it seem like more changes are coming in Android on 
February 15th which is NOT the case. There have been no changes since the 
December update and I'm not aware of any other changes in the Android 11 code 
train.



RE: Apple already does this: Android is the only operating system that requires 
a properly configured supplicant. Apple's TOFU model does not result in a 
proper configuration.



RE: wildcard, from the bottom of the message:



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com



They're recommending wildcard subject name matching if the environment uses a 
non-standard configuration. This is poor guidance and will result in credential 
compromise via MitM.



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella 
<j...@cadinc.com>
Sent: Monday, February 1, 2021 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct 

Re: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Tim Cappalli
100% agree and I've been preaching that for years, but there are many folks who 
have shared opinions that user experience is more important than credential 
security.

And a slightly tangential but still very related topic: what are you going to 
do when users no longer have passwords? It's coming sooner than you may think. 
Kill two birds with one stone and ditch passwords while improving user 
experience for network access as soon as possible.

We should probably fork this topic to a new thread or even maybe have an ad hoc 
virtual meeting on this topic! Every single (quarterly) thread about EAP server 
certificates and supplicant config ends with us drifting off course.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Enfield, Chuck 

Sent: Wednesday, February 3, 2021 16:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


I know I’m singing to the choir when responding to you two, but it’s worth 
reminding readers that the main risk here isn’t to the network.  It’s to the 
user’s account credentials.  I’m pretty sure we think that’s important in 
higher ed too.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Wednesday, February 3, 2021 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



For higher ed, you're absolutely right. For all other enterprise use cases, 
credential security is super important.



Unfortunately a network supplicant is not aware of the deployment type and 
can't adapt.



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jennifer Minella 

Sent: Wednesday, February 3, 2021 16:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



There’s a fine, grey line between optimal security and usability



___

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

j...@cadinc.com

919.460.1313 Main Office

919.539.2726 Mobile/text




From: Tim Cappalli 
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021



Jennifer, this has been extensively discussed on this list for the past few 
months which is why I said that nothing has changed since those conversations. 
This current thread makes it seem like more changes are coming in Android on 
February 15th which is NOT the case. There have been no changes since the 
December update and I'm not aware of any other changes in the Android 11 code 
train.



RE: Apple already does this: Android is the only operating system that requires 
a properly configured supplicant. Apple's TOFU model does not result in a 
proper configuration.



RE: wildcard, from the bottom of the message:



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com



They're recommending wildcard subject name matching if the environment uses a 
non-standard configuration. This is poor guidance and will result in credential 
compromise via MitM.



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella 
<j...@cadinc.com>
Sent: Monday, February 1, 2021 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at 

RE: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Enfield, Chuck
I know I’m singing to the choir when responding to you two, but it’s worth 
reminding readers that the main risk here isn’t to the network.  It’s to the 
user’s account credentials.  I’m pretty sure we think that’s important in 
higher ed too.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Wednesday, February 3, 2021 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

For higher ed, you're absolutely right. For all other enterprise use cases, 
credential security is super important.

Unfortunately a network supplicant is not aware of the deployment type and 
can't adapt.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jennifer Minella 

Sent: Wednesday, February 3, 2021 16:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


There’s a fine, grey line between optimal security and usability 



___

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

j...@cadinc.com

919.460.1313 Main Office

919.539.2726 Mobile/text




From: Tim Cappalli 
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021



Jennifer, this has been extensively discussed on this list for the past few 
months which is why I said that nothing has changed since those conversations. 
This current thread makes it seem like more changes are coming in Android on 
February 15th which is NOT the case. There have been no changes since the 
December update and I'm not aware of any other changes in the Android 11 code 
train.



RE: Apple already does this: Android is the only operating system that requires 
a properly configured supplicant. Apple's TOFU model does not result in a 
proper configuration.



RE: wildcard, from the bottom of the message:



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com



They're recommending wildcard subject name matching if the environment uses a 
non-standard configuration. This is poor guidance and will result in credential 
compromise via MitM.



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella 
<j...@cadinc.com>
Sent: Monday, February 1, 2021 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

•A reddit article I hope is accurate 

RE: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-03 Thread Hurt,Trenton W.
Yes 8260, I had 8.6.0.5 and the workaround that I was able to make work was 
disable HT and VHT modes on the card itself.  But now I have upgraded to 
8.6.0.7 and those workarounds don’t seem to make any difference and now can’t 
connect to any Aruba wlan.  Of course I can take 8260 laptop to one of my Cisco 
legacy wlan buildings and it works without issue.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher H Ressel
Sent: Wednesday, February 3, 2021 4:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

Have you only seen this issue on 8260 NICs? We are having very similar reports 
of connections/disconnections in our residence halls, but have been unable to 
replicate it in the lab after our upgrade to 8.6.0.6. Perhaps unrelated, but we 
are also seeing high rates of CRC errors on 515s that TAC believes may be a 
bug. We have not had any reports from buildings with 21X and 31X APs.

Chris

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, February 3, 2021 at 12:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

Client doesn’t show with either of those commands

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Cody Ensanian
Sent: Tuesday, February 2, 2021 9:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

+1 check for blacklisted client…  “show ap blacklist-clients | include xx:xx:xx”

Cody
University of Colorado Colorado Springs


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Norton, Thomas (Network Operations)
Sent: Tuesday, February 2, 2021 7:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

Super weird man, what do you get when you do a “show ap client trail-info” for 
that device?

 any blacklist thresholds enabled?

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552

Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 9:06 PM, Hurt,Trenton W. <trent.h...@louisville.edu> wrote:

What model aps are you running?
515,535
- Are you running standard data rates and default profiles for the most part?
12 meg and up and for most part defaults are what I’m running any changes have 
come from the 802.11ac roaming guide or via Tac cases

- If running 802.11ax/Wi-FI 6 enabled access point make a new HE profile, 
disable “High Efficiency Enable” in the HE profile, and possibly apply on a 
dedicated SSID for testing.

802.11ax is disabled

- Also is WiDS enabled in your environment?
No dedicated wips/wids


Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Norton, Thomas (Network 
Operations) <tnort...@liberty.edu>
Sent: Tuesday, February 2, 2021 8:51:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260


Hey Trent,

Couple quick things:

- What model aps are you running?
- Are you running standard data rates and default profiles for the most part?
- If running 802.11ax/Wi-FI 6 enabled access point make a new HE profile, 
disable “High Efficiency Enable” in the HE profile, and possibly apply on a 
dedicated SSID for testing.
- Also is WiDS enabled in your environment?



T.J. Norton

Wireless Network Architect
Network Operations

Office: (434) 592-6552



Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 8:33 PM, 

Re: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Tim Cappalli
For higher ed, you're absolutely right. For all other enterprise use cases, 
credential security is super important.

Unfortunately a network supplicant is not aware of the deployment type and 
can't adapt.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jennifer Minella 

Sent: Wednesday, February 3, 2021 16:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


There’s a fine, grey line between optimal security and usability 



___

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

j...@cadinc.com

919.460.1313 Main Office

919.539.2726 Mobile/text




From: Tim Cappalli 
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021



Jennifer, this has been extensively discussed on this list for the past few 
months which is why I said that nothing has changed since those conversations. 
This current thread makes it seem like more changes are coming in Android on 
February 15th which is NOT the case. There have been no changes since the 
December update and I'm not aware of any other changes in the Android 11 code 
train.



RE: Apple already does this: Android is the only operating system that requires 
a properly configured supplicant. Apple's TOFU model does not result in a 
proper configuration.



RE: wildcard, from the bottom of the message:



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com



They're recommending wildcard subject name matching if the environment uses a 
non-standard configuration. This is poor guidance and will result in credential 
compromise via MitM.



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella 
<j...@cadinc.com>
Sent: Monday, February 1, 2021 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

·A reddit article I hope is accurate b/c I only skimmed it


RE: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Jennifer Minella
There’s a fine, grey line between optimal security and usability 

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Tim Cappalli 
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

Jennifer, this has been extensively discussed on this list for the past few 
months which is why I said that nothing has changed since those conversations. 
This current thread makes it seem like more changes are coming in Android on 
February 15th which is NOT the case. There have been no changes since the 
December update and I'm not aware of any other changes in the Android 11 code 
train.

RE: Apple already does this: Android is the only operating system that requires 
a properly configured supplicant. Apple's TOFU model does not result in a 
proper configuration.

RE: wildcard, from the bottom of the message:


For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com

They're recommending wildcard subject name matching if the environment uses a 
non-standard configuration. This is poor guidance and will result in credential 
compromise via MitM.


tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella 
<j...@cadinc.com>
Sent: Monday, February 1, 2021 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

·A reddit article I hope is accurate b/c I only skimmed it

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/

The security patch for Android 11 (QPR1) will remove the "Do not validate" 
option under "CA certificate" for EAP server certificate validation to prevent 
misconfiguration resulting in credential leaks. This is very good news from a 
security standpoint!

· Secure W2 article with the setting in reference to WPA3 (which removes 
several less-secure options for configs)
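
Added example (not part of any message in the thread): a small Python audit of the "Connect to these server names" patterns quoted above, showing which other certificates from the same trusted CA each pattern would also accept. The wildcard semantics (any depth under the suffix) and every host name other than those quoted in the thread are assumptions made for the illustration.

```python
"""Audit EAP server-name constraints against names a trusted CA has issued.

Added example. Matching semantics are an assumption taken from the guidance
quoted in the thread: "*.domain.com" accepts any host under domain.com, at
any depth. Host names not quoted in the thread are constructed sample data.
"""


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")


def name_allowed(pattern: str, cert_name: str) -> bool:
    """True if the supplicant's server-name pattern accepts this certificate name."""
    pattern, name = _norm(pattern), _norm(cert_name)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.domain.com" -> ".domain.com"
        # Require at least one label in front of the suffix.
        return len(name) > len(suffix) and name.endswith(suffix)
    return name == pattern  # no wildcard: exact match only


def unintended_matches(patterns, radius_names, issued_names):
    """Names the supplicant would accept that do not belong to a RADIUS server."""
    radius = {_norm(n) for n in radius_names}
    return [
        n for n in issued_names
        if _norm(n) not in radius and any(name_allowed(p, n) for p in patterns)
    ]


# The RADIUS server name used in the quoted guidance.
RADIUS_NAMES = ["radius.lab.department.domain.com"]

# Constructed inventory: names on certificates issued by the CA the supplicant trusts.
ISSUED_NAMES = [
    "radius.lab.department.domain.com",
    "www.department.domain.com",
    "print01.student.domain.com",
    "radius.domain.com.example.net",  # look-alike outside the domain
]

# The three supplicant settings discussed in the thread.
PROFILES = {
    "exact": ["radius.lab.department.domain.com"],
    "department wildcard": ["*.department.domain.com"],
    "domain wildcard": ["*.domain.com"],
}


def audit_profiles():
    """Map each profile to the non-RADIUS names it would accept."""
    return {
        label: unintended_matches(patterns, RADIUS_NAMES, ISSUED_NAMES)
        for label, patterns in PROFILES.items()
    }


if __name__ == "__main__":
    for label, extra in audit_profiles().items():
        verdict = "OK" if not extra else "TOO BROAD"
        print(f"{label:20} {verdict:10} also accepts: {extra}")
```

Every name listed as "also accepts" is a certificate whose holder the supplicant would treat as the RADIUS server, which is the credential exposure the wildcard objection in the thread refers to.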


Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-03 Thread Christopher H Ressel
Have you only seen this issue on 8260 NICs? We are having very similar reports 
of connections/disconnections in our residence halls, but have been unable to 
replicate it in the lab after our upgrade to 8.6.0.6. Perhaps unrelated, but we 
are also seeing high rates of CRC errors on 515s that TAC believes may be a 
bug. We have not had any reports from buildings with 21X and 31X APs.

Chris

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Wednesday, February 3, 2021 at 12:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260
Client doesn’t show with either of those commands

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Cody Ensanian
Sent: Tuesday, February 2, 2021 9:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

+1 check for blacklisted client…  “show ap blacklist-clients | include xx:xx:xx”

Cody
University of Colorado Colorado Springs


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Norton, Thomas (Network Operations)
Sent: Tuesday, February 2, 2021 7:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

Super weird man, what do you get when you do a “show ap client trail-info” for 
that device?

 any blacklist thresholds enabled?

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 9:06 PM, Hurt,Trenton W. 
<trent.h...@louisville.edu> wrote:

What model aps are you running?
515,535
- Are you running standard data rates and default profiles for the most part?
12 meg and up and for most part defaults are what I’m running any changes have 
come from the 802.11ac roaming guide or via Tac cases

- If running 802.11ax/Wi-FI 6 enabled access point make a new HE profile, 
disable “High Efficiency Enable” in the HE profile, and possibly apply on a 
dedicated SSID for testing.

802.11ax is disabled

- Also is WiDS enabled in your environment?
No dedicated wips/wids


Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Norton, Thomas (Network Operations) 
<tnort...@liberty.edu>
Sent: Tuesday, February 2, 2021 8:51:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260


Hey Trent,

Couple quick things:

- What model aps are you running?
- Are you running standard data rates and default profiles for the most part?
- If running 802.11ax/Wi-FI 6 enabled access point make a new HE profile, 
disable “High Efficiency Enable” in the HE profile, and possibly apply on a 
dedicated SSID for testing.
- Also is WiDS enabled in your environment?



T.J. Norton

Wireless Network Architect
Network Operations

Office: (434) 592-6552




Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 8:33 PM, Hurt,Trenton W. 
<trent.h...@louisville.edu> wrote:





So I’ve updated/downgraded drivers and still can’t get this card to keep 
connection on aruba wlan.  I had disabled HT and VHT on the card and it at 
least was able to keep stable connection.  That was on 8.6.0.5 code.  I 
upgraded to 8.6.0.7 and now user can’t connect to any ssid on aruba 
infrastructure with those disabled or enabled and regardless of driver.  I’m 
meeting in person Thursday to get some pcaps but was wondering if any aruba 
folks may have already seen this and or have possible fix to try?

Trent Hurt

University of Louisville


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and 

RE: android 11 upcoming changes Feb 15th 2021

2021-02-03 Thread Jennifer Minella
Aruba added the ClearPass QuickConnect app/tool recently - specifically to 
allow end users to easily provision secure/1X networks. It's obviously geared 
for BYOD but perfect for HED. I don't know how well it works, it's relatively 
new. Have y'all seen it used anywhere?
https://www.arubanetworks.com/assets/ds/DS_ClearPass_QuickConnect.pdf

From the datasheet:
How it works: Aruba's exclusive cloud-hosted provisioning utility lets IT create 
a ClearPass QuickConnect deployment package with all necessary endpoint 
variables. It can then be run from a web server or distributed via a USB 
storage device or CD. The cloud-hosted utility also lets IT quickly create and 
distribute new packages that contain configuration changes as your network 
changes. For example, IT can quickly push out SSID changes and support new 
features in a timely and transparent manner.

Supported supplicants
* Windows native supplicant - Vista and 7
* Macintosh native supplicant
* iPhone, iPad and iPod native supplicants
* Android native supplicant

Supported EAP methods
* PEAP - EAP-MSCHAPv2, EAP-GTC, EAP-TLS
* EAP-TLS
* EAP-TTLS - PAP, MSCHAPv2
* EAP-FAST

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
https://www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Michael Holden 
Sent: Tuesday, February 2, 2021 1:16 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


1.  Download the CA cert from the ClearPass Guest Captive Portal Page
2.  Go to Settings
3.  Network & Internet
4.  Wi-Fi
5.  Wi-Fi preferences
6.  Advanced
7.  Install Certificate
8.  Choose the Certificate downloaded in the first step
9.  Name the Certificate
10. Connect to the Secure SSID
    a.  Change the Certificate from System Certs to the Certificate name 
        entered in the previous step
    b.  Domain to 
    c.  Identity as the username
    d.  Password as the user's password
    e.  Connect
11. Confirm Wireless is connected to the WPA2-Enterprise SSID
    a.  You may have to forget and add network as the Modify Setting on the 
        SSID does not appear to work properly as of January, 2021 Android Software 
        release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 12:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Screenshot please.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <wa...@umich.edu>
Sent: Tuesday, February 2, 2021 12:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton 
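
What the removed "Don't validate" choice and the Certificate / Domain fields in the manual steps quoted above correspond to in a supplicant profile, as an added example that is not part of the original thread: a small audit of wpa_supplicant-style network blocks. Expressing the profiles in wpa_supplicant.conf syntax is an assumption (the thread only covers the Android settings UI); the sample profiles, file paths and domain names are constructed.

```python
import re

# Constructed sample (not from the thread): wpa_supplicant-style profiles that
# mirror the choices in the Android Wi-Fi dialog. Paths and names are made up.
SAMPLE_CONF = """
network={
    ssid="campus-no-validate"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-ca-and-domain"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
"""

# Any one of these binds the profile to the expected RADIUS server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")


def parse_networks(conf_text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    # Simple parser: assumes no '}' inside values, enough for an audit pass.
    for block in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def is_8021x(fields):
    """True for profiles that authenticate with EAP (WPA2/3-Enterprise)."""
    tokens = fields.get("key_mgmt", "").split()
    return "eap" in fields or any("EAP" in t or t == "IEEE8021X" for t in tokens)


def audit_network(fields):
    """List the server-validation gaps in one 802.1X profile."""
    findings = []
    if not (fields.get("ca_cert") or fields.get("ca_path")):
        # Comparable to the removed "Don't validate" choice: any server
        # certificate is accepted before the inner credentials are sent.
        findings.append("NO_CA")
    if not any(fields.get(k) for k in NAME_CHECKS):
        # Comparable to leaving "Domain" empty: any certificate chaining to
        # the trusted CA is accepted, whatever server name it carries.
        findings.append("NO_SERVER_NAME")
    return findings


def audit_conf(conf_text):
    """Map SSID -> findings for every 802.1X profile in the file."""
    return {f.get("ssid", "<no ssid>"): audit_network(f)
            for f in parse_networks(conf_text) if is_8021x(f)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(findings) or 'server validation configured'}")
```
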

RE: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 intel 8260

2021-02-03 Thread Hurt,Trenton W.
Client doesn’t show with either of those commands

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Cody Ensanian
Sent: Tuesday, February 2, 2021 9:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

+1 check for blacklisted client…  “show ap blacklist-clients | include xx:xx:xx”

Cody
University of Colorado Colorado Springs


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Norton, Thomas (Network Operations)
Sent: Tuesday, February 2, 2021 7:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260

Super weird man, what do you get when you do a “show ap client trail-info” for 
that device?

 any blacklist thresholds enabled?

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 9:06 PM, Hurt,Trenton W. 
<trent.h...@louisville.edu> wrote:

What model aps are you running?
515,535
- Are you running standard data rates and default profiles for the most part?
12 meg and up and for most part defaults are what I’m running any changes have 
come from the 802.11ac roaming guide or via Tac cases

- If running 802.11ax/Wi-FI 6 enabled access point make a new HE profile, 
disable “High Efficiency Enable” in the HE profile, and possibly apply on a 
dedicated SSID for testing.

802.11ax is disabled

- Also is WiDS enabled in your environment?
No dedicated wips/wids


Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Norton, Thomas (Network Operations) 
<tnort...@liberty.edu>
Sent: Tuesday, February 2, 2021 8:51:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba 8.6.0.5 and 8.6.0.7 
intel 8260


Hey Trent,

Couple quick things:

- What model aps are you running?
- Are you running standard data rates and default profiles for the most part?
- If running 802.11ax/Wi-FI 6 enabled access point make a new HE profile, 
disable “High Efficiency Enable” in the HE profile, and possibly apply on a 
dedicated SSID for testing.
- Also is WiDS enabled in your environment?



T.J. Norton

Wireless Network Architect
Network Operations

Office: (434) 592-6552




Liberty University  |  Training Champions for Christ since 1971

On Feb 2, 2021, at 8:33 PM, Hurt,Trenton W. 
<trent.h...@louisville.edu> wrote:





So I’ve updated/downgraded drivers and still can’t get this card to keep 
connection on aruba wlan.  I had disabled HT and VHT on the card and it at 
least was able to keep stable connection.  That was on 8.6.0.5 code.  I 
upgraded to 8.6.0.7 and now user can’t connect to any ssid on aruba 
infrastructure with those disabled or enabled and regardless of driver.  I’m 
meeting in person Thursday to get some pcaps but was wondering if any aruba 
folks may have already seen this and or have possible fix to try?

Trent Hurt

University of Louisville


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


Re: [WIRELESS-LAN] Cisco licensing - alternative vendors

2021-02-03 Thread Jen Gautier
We are a small school but we did basically the same thing as Blake about a
year and a half ago.  We also ended up going with Meraki and have had great
results.  We are in an urban area surrounded by tall apartment
buildings which means lots of interference, etc. which caused lots of wifi
woes.   The Merakis handle it great!


*Jennifer Gautier*

Office Manager and Technology Coordinator

jgaut...@mustardseedschool.org




On Wed, Feb 3, 2021 at 10:44 AM Blake Brown  wrote:

> We did a POC this past year for wireless which included Cisco (we were a
> Cisco wireless shop), Meraki, Adtran, Mist and Ruckus. Meraki was the
> winner for us and we do not regret that decision to date. It hit all of the
> checkmarks from a deployment, management, open API, and troubleshooting
> perspective. The lifetime hardware warranty and multi-year licensing
> options also made the sale easier up the chain.
>
> If you want more info on our deployment please let me know.
>
> Thanks,
> Blake
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Fishel Erps <
> 0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> *Sent:* Wednesday, February 3, 2021 5:58 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] Cisco licensing - alternative vendors
>
>
> Hi Mathieu,
>
> We have been using BlueSocket (Now Adtran) for years.  They offer an
> on-prem VM controller solution, and a cloud-based option.
> https://adtran.com/web/page/portal/Adtran/group/4044
>
> We are a Cisco shop for all-things network - except wireless.
> Adtran/BlueSocket’s products, functionality/performance, and pricing are
> pretty well-rounded and solid, and integrate very nicely within our Cisco
> wired network.
>
> If you have any detailed questions, please feel free to reach out to me
> off list.
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>
>
> On Feb 3, 2021, at 03:44, Mathieu Sturm  wrote:
>
> 
>
> Hello all,
>
>
>
> We are a Cisco shop when it comes to wireless (Cisco AP’s, controllers and
> ISE).
>
> Since Cisco is becoming a nightmare when it comes to licensing and
> software quality we want to explore new vendors.
>
>
>
> We are looking at Fortinet and Aruba.
>
>
>
> Any thoughts on these concerning licensing model, software/hardware
> quality, user community, support?
>
>
>
> Best Regards,
>
>
>
>
>
> *Mathieu Sturm*
> Hoofdmedewerker Netwerkbeheer
>
> 
>
>
> *Directie Financiën, Infrastructuur en IT*
>
> Afdeling Netwerkbeheer
>
> Campus Schoonmeerssen - Gebouw B  Lokaal B0.75
>
> Valentin Vaerwyckweg 1 - 9000 Gent
>
> +32 9 243 35 23
>
> www.hogent.be
> 
>
>
>

-- 


201.653.5548

mustardseedschool.org 

Accredited by NJAIS





  
 




Re: [WIRELESS-LAN] Cisco licensing - alternative vendors

2021-02-03 Thread Blake Brown
We did a POC this past year for wireless which included Cisco (we were a Cisco 
wireless shop), Meraki, Adtran, Mist and Ruckus. Meraki was the winner for us 
and we do not regret that decision to date. It hit all of the checkmarks from a 
deployment, management, open API, and troubleshooting perspective. The lifetime 
hardware warranty and multi-year licensing options also made the sale easier up 
the chain.

If you want more info on our deployment please let me know.

Thanks,
Blake

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Fishel Erps 
<0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Sent: Wednesday, February 3, 2021 5:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Cisco licensing - alternative vendors


Hi Mathieu,

We have been using BlueSocket (Now Adtran) for years.  They offer an on-prem VM 
controller solution, and a cloud-based option.
https://adtran.com/web/page/portal/Adtran/group/4044

We are a Cisco shop for all-things network - except wireless.  
Adtran/BlueSocket’s products, functionality/performance, and pricing are pretty 
well-rounded and solid, and integrate very nicely within our Cisco wired 
network.

If you have any detailed questions, please feel free to reach out to me off 
list.


__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___


On Feb 3, 2021, at 03:44, Mathieu Sturm 
<mathieu.st...@hogent.be> wrote:



Hello all,



We are a Cisco shop when it comes to wireless (Cisco AP’s, controllers and ISE).

Since Cisco is becoming a nightmare when it comes to licensing and software 
quality we want to explore new vendors.



We are looking at Fortinet and Aruba.



Any thoughts on these concerning licensing model, software/hardware quality, 
user community, support?



Best Regards,





Mathieu Sturm
Hoofdmedewerker Netwerkbeheer





Directie Financiën, Infrastructuur en IT

Afdeling Netwerkbeheer

Campus Schoonmeerssen - Gebouw B  Lokaal B0.75

Valentin Vaerwyckweg 1 - 9000 Gent

+32 9 243 35 23

www.hogent.be





Re: [WIRELESS-LAN] Cisco licensing - alternative vendors

2021-02-03 Thread Fishel Erps
Hi Mathieu,

We have been using BlueSocket (Now Adtran) for years.  They offer an
on-prem VM controller solution, and a cloud-based option.
https://adtran.com/web/page/portal/Adtran/group/4044

We are a Cisco shop for all-things network - except wireless.
Adtran/BlueSocket’s products, functionality/performance, and pricing are
pretty well-rounded and solid, and integrate very nicely within our Cisco
wired network.

If you have any detailed questions, please feel free to reach out to me off
list.


__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___


On Feb 3, 2021, at 03:44, Mathieu Sturm  wrote:



Hello all,



We are a Cisco shop when it comes to wireless (Cisco AP’s, controllers and
ISE).

Since Cisco is becoming a nightmare when it comes to licensing and software
quality we want to explore new vendors.



We are looking at Fortinet and Aruba.



Any thoughts on these concerning licensing model, software/hardware
quality, user community, support?



Best Regards,





*Mathieu Sturm*
Hoofdmedewerker Netwerkbeheer




*Directie Financiën, Infrastructuur en IT*

Afdeling Netwerkbeheer

Campus Schoonmeerssen - Gebouw B  Lokaal B0.75

Valentin Vaerwyckweg 1 - 9000 Gent

+32 9 243 35 23

www.hogent.be






Re: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-02-03 Thread David Logan
> As mentioned on the page to download the NIST Zero Trust Network
> Architecture document
>
> "Zero trust focuses on protecting resources (assets, services, workflows,
> network accounts, etc.), not network segments, as the network location is
> no longer seen as the prime component to the security posture of the
> resource."
>
> https://csrc.nist.gov/publications/detail/sp/800-207/final
>
> The document itself says
>
> "Zero trust provides a set of principles and concepts around moving the
> PDP/PEPs closer to the resource. The idea is to explicitly authenticate and
> authorize all subjects, assets and workflows that make up the enterprise.”
>
> That is NIST-speak saying one of the principles of Zero Trust is to
> protect a resource as close as possible to the resource.  An example of a
> resource is information on a server etc.  NAC is the opposite, NAC is
> trying to protect a resource as far away from the resource as possible.
>
>
Respectfully, I don't believe the NIST document says or implies this.



*Clients are resources.*

"All data sources and computing services are considered resources. A
network may be composed of multiple classes of devices. A network may also
have small footprint devices that send data to aggregators/storage,
software as a service (SaaS), systems sending instructions to actuators,
and other functions. Also, an enterprise may decide to classify personally
owned devices as resources if they can access enterprise-owned resources."

*The implementation of a ZTS architecture is up to the end-organization,
but can and should include network-layered security if the risk management
profile or Enterprise environment / complexity warrants it.*

[image: image.png]



Cisco licensing - alternative vendors

2021-02-03 Thread Mathieu Sturm
Hello all,

We are a Cisco shop when it comes to wireless (Cisco AP's, controllers and ISE).
Since Cisco is becoming a nightmare when it comes to licensing and software 
quality we want to explore new vendors.

We are looking at Fortinet and Aruba.

Any thoughts on these concerning licensing model, software/hardware quality, 
user community, support?

Best Regards,


Mathieu Sturm
Hoofdmedewerker Netwerkbeheer


Directie Financiën, Infrastructuur en IT
Afdeling Netwerkbeheer
Campus Schoonmeerssen - Gebouw B  Lokaal B0.75
Valentin Vaerwyckweg 1 - 9000 Gent
+32 9 243 35 23
www.hogent.be

