Re: [WIRELESS-LAN] Restricting of wireless access in classrooms
I know the original poster asked not to mention this, but the wave of netbooks/laptops with 3G/wifi will be upon us soon. Technology band-aid solutions cannot win this battle, IMHO.

Don Wright

On 12/3/09 9:52 AM, Peter P Morrissey ppmor...@syr.edu wrote:

I have to say that I disagree that this would be in any way evil, assuming we could do it effectively. Sure, if it was done in a manner that is partially effective, then yeah, it would be awful. However, if there really was a way to limit by class, who can get on the Internet and only during the class period without any undesirable side effects that have been mentioned, and if it was cost effective and manageable, and controlled by the instructor etc etc, then I think it would be a great idea. I think that from what I have heard thus far, nobody has surmounted all the challenges and has done this effectively. The danger is that it would be implemented, but implemented poorly because an IT shop wasn't able to effectively communicate the problems and deficiencies of the implementation.

I have taught a lot of classes and I can tell you that it takes an extremely gifted instructor to compete with something as compelling as the Internet. I have found that even graduate students, and professionals using their laptops in meetings have a hard time disciplining themselves not to be distracted. I simply tell students they can't have laptops on during the lecture. Not only are these compelling distractions hurting them, but it also distracts other students who really do want to pay attention. And it hurts the tone of the class when you call on people who are not paying attention. Sure, that problem has been around forever, but again, the Internet just magnifies an already difficult problem many times.

There are a lot of rules that are up to the discretion of the instructor to set to enhance learning.
Some are easier to enforce than others, but I think that if, (and again, it is very much an if) there was a way to allow students to use their laptops without having Internet access it could be very useful. It seems that it is very common in Law Schools for students to use laptops for taking notes so it is not as simple as being able to tell them to just turn them off. That is why you see them asking for this the most.

In defense of the professors, I don't blame them at all for asking IT to use IT to solve a problem that in their eyes is caused by technology. It is our job to communicate to them the challenges and tradeoffs.

Peter M.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Thursday, December 03, 2009 8:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Restricting of wireless access in classrooms

Nick,

We have explored the possibility of not allowing some students on the wireless network based on various criteria. Though a lot of Controller Based Architectures (Cisco, Aruba, ...) might let you do such a thing as far as the capability is concerned, the main problem resides into the control mechanism. At one point you will have to rely on a database of enrollment to block a particular student from joining at a particular location (if you don't do it for a location, you will prevent students from joining all together)

The two limitations were:

- who will decide and enable the rules? (sub-admin privileges to Faculty?) (Have Faculty call the helpdesk prior to class)
- How accurate is the enrollment database (add/remove) (classroom assignments do change a lot)

And finally (but you asked us not to mention the philosophical approach...) it's not because we can that we should!

We ended up abandoning the idea (though we had a lot of fun brainstorming about it) because it would have been a management nightmare, and it is totally evil.
Philippe Hanset
Univ. of TN

p.s. We brainstormed that idea 3-4 years ago and we are glad we didn't do it. We see so many iPhones (using 3G) in classrooms that it would have been a waste of time. There is also a wallpaper that can be turned ON/OFF, effectively shutting the classroom from most microwaves. If one is looking at a special classroom without connectivity, this could be a solution.

On Dec 2, 2009, at 7:56 PM, Urrea, Nick wrote:

Thank you everybody for contributing to the conversation. It has been very helpful.

Nicholas Urrea
Information Technology
UC Hastings College of the Law
urr...@uchastings.edu
x4718

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Wednesday, December 02, 2009 3:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Restricting of wireless access in classrooms

I'm
Many users, one room, high bandwidth
I know the large classroom/auditorium topic gets tossed out there from time to time, but how about this time with a new twist. We are in the process of building a Medical Education Center and anticipate users will be downloading large files such as hi-res images. There could also be classrooms with a high user count and similar high bandwidth requirements. We will be installing Aruba 11N AP's and are wondering if anyone else has experience with this kind of setting.

From what I've been able to find out so far, we should just let ARM take care of this. A couple of recommended changes are the Min TX and Max TX power settings and turning on Band-Steering and BC/MC Optimization.

Has anyone else had success with this using Aruba or any other vendors settings?

Thanks in advance.

--
Don Wright, CWNA, ACMP
Network Technologies Group
Brown University
wire --- less, wi-fi ))) more

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] separating 'types' of users
We do basically the same with Aruba using Radius/LDAP. Two ssid's- captive portal and WPA2, four identities - student, staff, faculty and guest. Different rules and access based on ssid and identity. Geographically independent and scales across my campus thanks to vlan pools and VAP's.

Don Wright
CIS - NTG
Brown University

On 9/18/09 6:02 PM, Rigdon, Dennis drig...@okcu.edu wrote:

Given the fact that there is a broadcast payload, not only for each ESSID on the wireless side, but also for the Ethernet broadcast domain, we've taken measures to segment wireless clients without increasing the number of ESSIDs.

We have an Aruba Wireless solution. We have only two ESSIDs one for Faculty/Staff/Students on WPA2 and one for Wireless Guests open.

We further segment the OKCU wireless users into VLANS/Subnets based upon their function or discipline. We have separate subnets for Business, Nursing, Art-Sci, Music both Faculty and Students. The Aruba controller assigns a VLAN at authentication based upon AD Group Membership the VLAN via RADIUS. This allows the client to maintain their IP address as they move across the campus. It also allows us to provide or restrict access to network resources to logical groups of users already established in AD.

Guest clients are divided into a pool of VLANs with limited bandwidth and WEB traffic only.

Dennis Rigdon, MCSE
Asst. Dir. Campus Technology - Network Services
Okla. City Univ.
405-208-5849

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jamie Savage
Sent: Friday, September 18, 2009 2:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] separating 'types' of users

Hi,

We're entertaining the idea of providing separate wireless services to our academic and admin communities. Currently, we have a single SSID that we broadcast campus-wide that everyone uses.
We could simply provide separate SSIDs or perhaps provide separate SSIDs on separate channels (ie...RF separation of services as well). I presume there are other methods in use out there?? I'd be interested in hearing what others are doing in this regard.

..thanks in advance..J

James Savage York University
Senior Communications Tech. 108 Steacie Building
jsav...@yorku.ca 4700 Keele Street
ph: 416-736-2100 ext. 22605 Toronto, Ontario
fax: 416-736-5830 M3J 1P3, CANADA
Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
I was handed an 8900 today to see if I could get it working on our WPA/EAP-TTLS/PAP/FreeRadius wireless. I'm not optimistic, but I'll let the list know how I make out with that.

--
Don Wright
Senior Network Engineer
Brown University, CIS NTG

Please don't print this e-mail or any other electronic documents unless you really need to.

On 2/24/09 7:19 AM, Lee H Badman lhbad...@syr.edu wrote:

Beats me. These little devices are all over the place in cert-friendliness and EAP implementation, sometimes to the point of being self-defeating.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk
Sent: Tuesday, February 24, 2009 7:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

Any good reason why RIM shouldn't have installed the intermediate certificate on its device? Seems like a missing element.

Frank

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Sunday, February 22, 2009 5:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

Thanks very much, James. I was contemplating which level cert this needed- but hopefully you've given me enough to go on to muddle through. Will let you know how I fare.

-Lee

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of James J J Hooper
Sent: Sat 2/21/2009 2:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

James J J Hooper wrote:

Lee H Badman wrote:

Wondering if anyone has gone down this road.
According to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won't even let you go on (certainly not the first handheld to act like this). This is a client device, so I don't have the luxury of playing with it very much, and so looking to glom onto anyone else's success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not standards and device manufacturers have freedom to implement as they see fit.

Hi Lee,

Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/

I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will.

The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format.

Regards,
James

--
James J J Hooper
University of Bristol
http://www.wireless.bris.ac.uk
--
Re: [WIRELESS-LAN] Wireless controllers and Spanning Tree
We connect our controllers with port-channels, which at least provides some redundancy in case of an interface or gbic failure.

--
Don Wright
Brown University

Please don't print this e-mail or any other electronic documents unless you really need to.

On 12/15/08 1:35 PM, Brian J David davi...@bc.edu wrote:

I was wondering what other Aruba schools are doing for spanning tree? Do you use it or not? Aruba uses Mono spanning tree so how does it play in your network environment if you are. If you are a Cisco shop same as above for you?

Thanks
Brian

Brian J David
Network Systems Engineer
Boston College
Re: [WIRELESS-LAN] Channel Selection on APs
We've used Aruba Network's ARM (Adaptive Radio Management) over the past two years and have had no issues whatsoever with channel or power settings. Once you get past critical mass of a hundred or so AP's, no one should have to manually adjust those settings in dense deployments. Not to mention being impossible when you get into thousands of AP's. RF management should improve even more with Aruba's next generation ARM 2.0. http://www.arubanetworks.com/company/arm2.0.php

--
Don Wright
Brown University
CIS - NTG

On 10/16/08 5:22 PM, P Thompson [EMAIL PROTECTED] wrote:

Martin Jr., D. Michael [EMAIL PROTECTED] 10/16/2008 8:52 AM

In the past, we have always setup wireless access points to use channels 3, 6, and 11, since these channels are the non-overlapping channels. We have tried to be careful in spacing out APs and picking one of these three channels where it seems appropriate to prevent interference from one another. A question was posed by someone in my staff about using the least congested channel setting instead of going through all the trouble of determining and setting the channel. So, the questions are...

1. What are you other institutions doing about channel selection on your Access Points?
2. If you are using 3, 6, and 11, what is your strategy for use and what problems and/or successes have you seen?
3. If you are not using 3, 6, and 11, why not? What are you doing? And what problems and/or successes have you seen?

We ran into a situation with Cisco ABG PCMCIA cards which seemed consistent with caveat CSCsj85294. Our wireless was standalone and set up to use 1,6,11/50% power per a professional survey and the clients were Winterms with embedded XP and the CPU would max and performance would be sluggish with an extreme number of CRC errors logging in the ADU - my tip off of this situation was the CRC to valid frame ratio in the advanced statistics was basically an order of magnitude off after running several hours.
I set the standalone AP's in the area to least congested channel and the problem went away. We converted the AP's to LWAPP and tried to revert to the site survey recommendations and ran back into the problem. We tried the adaptive radio management features in the WLC and it did not help. Eventually I would pick an access point in the area and randomly hardcode it to a not recommended channel and leave the rest to adapt among the 1/6/11 channels and the problem would vanish.

For reference, here is that caveat:

CSCsj85294: Clients with CB21AG at 100% CPU because of DPC and ISR

Wireless clients with CB21AG adapters sometimes run at 100% CPU for extended periods of time, which causes slow wireless connections and disconnections. The process monitor spikes to 100% CPU utilization because CPU is consumed by Deferred Procedure Calls (DPCs) and ISRs.

Workaround: None.
Re: [WIRELESS-LAN] FYI: Cisco controllers may put radios on UNII-2e channels
Charles,

I'd be interested to know which client/drivers you've already tested this with. Maybe others have some as well to add to a list of either working or not.

Thanks,

--
Don Wright
Brown University
CIS - NTG

On 9/10/08 10:41 AM, Charles Spurgeon [EMAIL PROTECTED] wrote:

FYI. This documents something that we have stumbled over with UNII-2e channels and is a heads up for anyone running Cisco LWAPP gear and using the auto channel selection component of RRM (Dynamic Channel Assignment (DCA) in Cisco-speak).

The Cisco WLC release notes for v4.1.185.0 have an important caveat (CSCsi86794) that describes the behavior of DCA and the UNII-2 Extended channels (UNII-2e).(1) For some reason this caveat is missing in 4.2.130.0 release notes, while the DCA issue still appears to be present in that code. (Based on the text in the 4.1.185.0 release notes the UNII-2e support appears to have first shown up in 4.1.171.0.)

Briefly, Cisco has added support for the UNII-2e channels to the wireless lan controller and LWAPP APs, and these channels are automatically enabled for use by DCA. As a result of the new support, AP radios may be automatically assigned by DCA to one of the UNII-2e channels. We found several radios in our system where that had happened.

Unfortunately, none of the 802.11a clients that we have tested know about the UNII-2e channels, and therefore most (all?) 802.11a clients cannot associate with AP radios that have been assigned to the UNII-2e channels. An AP radio on one of those channels is no longer available to dot11a clients and your wireless coverage will have holes in it even though the AP is up and system monitors are happy.

If the client NIC has an 802.11an radio then it may have support for the UNII-2e channels. You would need to test against an AP radio set to one of the UNII-2e channels to find out, since the vendor docs that we have looked at don't tend to have any documentation about the presence or absence of UNII-2e support.
To avoid this issue, Cisco's release notes tell you to disable the UNII-2e channels in DCA. However, the release notes incorrectly tell you to also disable channel 149, which is NOT one of the UNII-2e channels. Instead, it is one of the older channels that is supported by all 802.11a NICs that we've tested.

If you want to avoid issues with AP radios being set to UNII-2e channels that are invisible to clients then you can do that by disabling all DCA channels in the UNII-2e range of 100-140. Note that when you disable these channels using either the CLI or the Web GUI the AP radios must be disabled and then re-enabled to make that change.

We would be interested in hearing about the experience at other sites with UNII-2e channels, especially the results of any tests of UNII-2e support in clients.

Thanks,

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
[EMAIL PROTECTED] / 512.475.9265

(1) The UNII-2e channels appear to be relatively recent additions. This Cisco doc mentions them in the context of DFS support requirements: http://tinyurl.com/yq7y9r
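
An audit of the situation described in the thread above, written as an added example and not part of the original messages: it flags 802.11a radios that are up but parked on a UNII-2e channel, and checks a proposed DCA disable list against the 100-140 range. The inventory format, AP names and function names are assumptions made for the illustration, not controller output.

```python
# Added example: audit 802.11a radio channel assignments for UNII-2e placements.
# The inventory format and AP names are constructed for illustration only.

# 5 GHz 20 MHz channels by band. 100-140 is the UNII-2e range named in the
# thread; 149 belongs to UNII-3, which older 802.11a clients already support.
BANDS = {
    "UNII-1": range(36, 49, 4),      # 36, 40, 44, 48
    "UNII-2": range(52, 65, 4),      # 52, 56, 60, 64
    "UNII-2e": range(100, 141, 4),   # 100, 104, ... 140
    "UNII-3": range(149, 162, 4),    # 149, 153, 157, 161
}
# Assumption: the client population has no UNII-2e support.
LEGACY_CLIENT_BANDS = ("UNII-1", "UNII-2", "UNII-3")

SAMPLE_INVENTORY = """\
# ap_name      radio     admin  channel   (constructed sample, hypothetical format)
lib-1f-ap01    802.11a   UP     36
lib-1f-ap02    802.11a   UP     104
lib-2f-ap03    802.11a   UP     149
sci-3f-ap07    802.11a   UP     132
sci-3f-ap08    802.11a   DOWN   116
sci-3f-ap09    802.11bg  UP     6
"""


def band_of(channel):
    """Return the band name for a 5 GHz channel, or None if it is not in the plan."""
    for name, channels in BANDS.items():
        if channel in channels:
            return name
    return None


def parse_inventory(text):
    """Parse whitespace-separated inventory rows; '#' starts a comment."""
    radios = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, radio, admin, channel = line.split()
        radios.append({"ap": name, "radio": radio,
                       "up": admin == "UP", "channel": int(channel)})
    return radios


def hidden_radios(radios, client_bands=LEGACY_CLIENT_BANDS):
    """Radios that are up (so monitoring stays green) on a channel clients cannot see."""
    hidden = []
    for r in radios:
        if r["radio"] != "802.11a" or not r["up"]:
            continue
        band = band_of(r["channel"])
        if band not in client_bands:
            hidden.append((r["ap"], r["channel"], band or "unknown"))
    return hidden


def dca_disable_list():
    """Channels to remove from DCA: the UNII-2e range only."""
    return list(BANDS["UNII-2e"])


def needlessly_disabled(proposed):
    """Channels in a proposed disable list that are not UNII-2e at all."""
    return sorted(ch for ch in proposed if band_of(ch) != "UNII-2e")


if __name__ == "__main__":
    for ap, ch, band in hidden_radios(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{ap}: channel {ch} ({band}) is up but invisible to legacy 802.11a clients")
    release_note_list = dca_disable_list() + [149]  # the list the thread says is wrong
    print("disable in DCA:", dca_disable_list())
    print("should stay enabled:", needlessly_disabled(release_note_list))
```
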
many clients, one room
I know this has been talked about and debated on this list before, but what are people doing today when faced with a request like the need "for 100 students simultaneously downloading a powerpoint presentation." Recently there was discussion on MCA vs. SCA vendors and how each handles this worst case scenario. Since we are an MCA (Aruba), I'd be interested in hearing what others have done or are planning for large classrooms and auditoriums.

--
Don Wright
Network Technologies Group
Brown University
wire --- less, wi-fi ))) more
Re: [WIRELESS-LAN] Aruba's SCA vs. MCA whitepaper [was: Open Wireless in Higher Ed]
Hi Philippe,

We'd be very interested, as others are I'm sure to hear what you find out from your testing.

--
Don Wright
Brown University
CIS - NTG

On 4/1/08 10:53 AM, Philippe Hanset [EMAIL PROTECTED] wrote:

Dave,

At Univ of TN, our intention is to deploy 802.11n capable APs where our 802.11b/g AP are located right now, use one radio at 2.4 GHz (b/g only, no n) the second radio at 5 GHz (n and a). This should provide a decent access for b/g users and a fast lane for n users. I'm not sure that best effort on b/g will be good enough when you consider devices like iPhones or future Voice over WiFi devices.

One aspect of this kind of approach will be the performance of coverage algorithms. n has such a weird shape compared to b/g or a...I'm a little suspicious as how vendors will deal with n's behavior!

As a side note: We are testing in our info-commons (the worse environment you can think of...tons of users and tons of APs) 802.11n APs from Aruba and Meru (we have just replaced locations of our existing Proxim APs with the test APs, and those n APs are surrounded by legacy Proxim APs as well) One week with Aruba, one week with Meru. We might test Cisco...TBD. Our main issue is to get enough people with 802.11n adapters, so we loaded our loaners laptop (30+...very successful program BTW) with external 802.11n adapters (USB 2.0, Linksys).

Philippe

Although the issue of co-channel interference is an important one, I think it may be reasonable to assert that its importance will be reduced with the adoption of 5 GHz 802.11n. With over 20 non-overlapping channels, I believe it will be possible to design high-density, micro-cellular WLANs that do not suffer from performance degradation as a result of co-channel interference. Over time, I believe 2.4 GHz will be thought of as a best-effort legacy technology for most enterprises. I'd be curious how others are viewing this.
dm

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Charles Spurgeon
Sent: Monday, March 31, 2008 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba's SCA vs. MCA whitepaper [was: Open Wireless in Higher Ed]

On Wed, Mar 26, 2008 at 10:31:50PM -0500, Frank Bulk - iNAME wrote:

I wish it was easier to evaluate the performance (not only aggregate throughput, but also QoS) of the MCA and SCA products in various scenarios and density and usage, but unfortunately examining the impact of co-channel interference on a large scale in variety of building types and architectures with lots of APs and clients with realistic traffic patterns (in terms of type and longitudinally over time) is not currently possible with the tools available. I think we would learn that there are certain scenarios where one performs generally better over another.

I, for one, would like to see more vendors step up and do the kind of testing of co-channel interference issues that was described in the recent Novarum whitepaper: http://www.novarum.com/documents/WLANScaleTesting.pdf

As a user of typical multi-channel equipment, I'm not focussed on the SCA versus MCA debate. Instead, I would very much like to see more real-world test results on how the typical multiple APs on multiple channels (MCA) approach works at scale and under traffic loads.

I think it's very interesting that the author of the Novarum whitepaper is also one of the developers of the 802.11 MAC, and that he states that he was surprised at how easily we could drive these systems to unstable behavior.

I've heard complaints from the vendors whose gear was used in the Novarum test. But I haven't seen any third-party tests commissioned by those vendors to replicate the tests and show where the problems were in the Novarum tests.
I would be much more impressed by actual third-party test results based on a significant scale layout like the one used in the Novarum tests, rather than hearing complaints about how the test was unfair since it was done under the auspices of Meru.

The problems of co-channel interference and wireless channel meltdown under load are too important to be left to the marketing departments of the wireless vendors. On our campus the community has been adopting wireless networking at extremely high rates, and this technology has become much too important to allow it to be supported this poorly.

Isn't it long past time for more real-world scale testing like the Novarum tests to be done to investigate the issues with CCI and channel meltdown under load in 802.11b/g systems and to develop some approaches for identifying and dealing with those issues?

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
[EMAIL PROTECTED] / 512.475.9265