Using Private IP addresses for wireless users.

2008-05-29 Thread Johnson, Neil M
We will be out of address space for one of our wireless nets (currently a /21) 
in the fall.

We do not have a larger block available, and attempts to obtain additional 
address space by fall are not looking promising, so there is a distinct 
possibility that we will have to move our wireless users to private address space.

So I'm looking for information from other institutions who use private address 
space for their wireless networks.

We are primarily a Meru shop, although we have about 86 Cisco LWAPP AP's in 
production. We use 802.1X (WPA2 Enterprise) for authentication.

Here are the questions I have:

- How do you implement NAT?
- How do you provide DHCP addresses to your clients?
- How do you handle IDS and Flow data collection?
- What tools and processes do you use to tie a public IP address back to an 
802.1X authenticated user?
- What kind of application issues have you run into and how do you handle them?
- Are your end-users satisfied with the service?

Thanks.

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Using Private IP addresses for wireless users.

2008-05-29 Thread Johnson, Neil M
Initially, we had two class B allocations. When address space was abundant we 
provided one to our Hospital. Let's just say the chances of getting some back 
are pretty low.

We're concerned that ARIN won't approve a new allocation because the hospital's 
address utilization appears low. A majority of their address space is now 
behind a firewall.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Kevin Miller
Sent: Thursday, May 29, 2008 9:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users.

Neil,

With justification, you can request additional addresses from ARIN. I
think because many colleges and universities have legacy allocations,
the processes for doing so are unknown or believed to be cumbersome. I
would say that the ARIN processes are geared more for service providers,
but things like deploying a new campus wide wireless network or
adding 500,000 square feet of building space that needs IP addresses
are, IMO, good justification for requesting additional space.

Now, it may be difficult to justify if you have a lot of internal
fragmentation (e.g. blocks allocated that have low usage), but it might
be simpler than going down this path.

Of course, the clock is ticking on how much more IPv4 can be allocated
(cf. IPv6).

-Kevin



RE: [WIRELESS-LAN] Using Private IP addresses for wireless users.

2008-05-29 Thread Johnson, Neil M
We are looking at moving our APs and controllers to private address space as 
well, but that won't reclaim a large enough block that we can use for wireless.

As for other devices, that would be a major undertaking.

-Neil


--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Lee H Badman
Sent: Thursday, May 29, 2008 9:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users.

Neil-

We also view our publicly routed IP space as a finite space, to be
managed carefully. Though we do no NAT or private IP space for wireless
users, we are seeing tremendous benefit in both security and public IP
space preservation by moving large blocks of devices that have no need
to see (or to be seen by) the Internet to private spaces.

For example, all of our APs and controllers are managed in private
space. The gain? Around 1,700 IP addresses today, well over 2,000 by
year's end.

We are starting to move management of our network switches into private
space- another 1,000 IPs saved.

Also, starting to work with folks responsible for vending machines, door
controllers, PCI-compliance devices, etc- all very good candidates for
private space. Hundreds more public addresses saved, and lots of
security gains.

NAT, on the other hand, has been an unpopular notion for many reasons
for us. Probably the most noteworthy is tracking who did what and when
(from both the nuisance traffic tracking and troubleshooting angles)
when thousands of users all NAT to a single IP address (or a few IP
addresses).

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003



RE: Using Private IP addresses for wireless users.

2008-05-29 Thread Johnson, Neil M
Identifying users is a big concern for us. We need to be able to identify users 
for DMCA purposes, for example.

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Brooks, Stan
Sent: Thursday, May 29, 2008 10:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users.

Neil,

At Emory, we've been NAT'ing wireless users since last fall - ResNet users 
since before move in weekend, and regular academic users since last fall break. 
We've not had any issues from the users that have been NAT'ed.

By far the more complicated NAT was ResNet as we use NetReg and CAT for network 
access control and scanning.  We end up internally routing the NAT addresses 
for NetReg - it hands out the DHCP addresses.  Once a ResNet client gets an IP 
address, the NAT function is handled by our Aruba controllers.  On the academic 
side, the controllers themselves handle DHCP for the wireless users along with 
NAT'ing the traffic.

We have 4 class C non-routeable subnets per controller (4 ResNet controllers 
and 6 Academic controllers).  The Aruba gear will load-balance users across 
those subnets for us.  The Aruba gear also NATs the traffic through a pool of 
(routeable) addresses.

IDS is handled by Tipping Points on the (routeable) network, just like any 
wired device.

We don't have any way of easily tying a user/session on the non-routeable 
subnets to an IP on the routeable network.  We can see the session as it 
happens, but there is no good way to go back through the logs and determine 
that this user hit a particular IP address on the Internet.  To date, we 
haven't needed to.

We originally moved to NAT because of scarce IP resources, and the number of 
wireless users was increasing at alarming rates.  With NAT'ed IP addresses, we 
can support huge numbers of wireless users and ease some of the pressure on our 
allocated IP addresses.  We felt and still feel that the benefits outweigh the 
problems with tracking individual users.

 - Stan Brooks - CWNA/CWSP
  Emory University
  Network Communications Division
  404.727.0226
  [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]



RE: [WIRELESS-LAN] Using Private IP addresses for wireless users.

2008-05-29 Thread Johnson, Neil M
We use VLSM and we are constantly shifting subnets around to accommodate 
increasing numbers of devices even on the wired side.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Randall C Grimshaw
Sent: Thursday, May 29, 2008 11:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users.

By vlsm, I only meant variable length subnet masks. A /29 subnet
provides enough numbers for interconnects, NAC, and other network
devices related to the backbone without the waste. These are still
routable addresses.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of ray
Sent: Thursday, May 29, 2008 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless
users.

We've also moved all switches, AP, printers, clocks, vending machines, etc
to private address space.  However I haven't moved backbone interconnects,
as that would break traceroute from off campus.

On Thu, 29 May 2008, Randall C Grimshaw wrote:

 We also have moved all backbone interconnects and other small networks
 to vlsm. The tighter space became, the more creative we became.


--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean   http://www.r-a-y.org
Systems Engineer    Southeastern Louisiana University
IBM Certified Specialist  AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



RE: [WIRELESS-LAN] NAT in large scale wireless networks

2008-07-01 Thread Johnson, Neil M
What supervisor were you running in the 6500s?

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Karl Reuss
Sent: Tuesday, July 01, 2008 9:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks

Last academic year we ran NAT on our main wireless network.  We had
about 13,000 unique users per day and about 8,000 simultaneous
connections at peak times, roughly 95% student traffic. It worked,
but there were a couple of issues for us:

1) Picking the correct NAT box.   Catalyst 6500s do wirespeed
NAT, but they can't keep up with the number of new connections
per second.  A single ASA5550 handled the job well, now we have
a pair.

2) The NAT logs are enormous.  Finding space to keep them is
fun, going through them to find incidents is painful.


We did NAT because we added wireless to our dorms last year
and we weren't sure what the pace of our rollout would be, or how
fast the users would migrate over.  We didn't want to be shuffling
IP ranges all year.  We'll be going back to fixed IP addresses
next year for most wireless use.

-Karl Reuss
  University of Maryland, College Park




Michael Dickson wrote:
 Though we currently have enough available routed IP space for our
 wireless clients we are looking toward the future and wondering if
 NAT-ing the wireless network makes sense.

 Does anyone have any experiences, good or bad, using NAT for the
 wireless client pool in a large scale environment? What features go
 away (i.e. RFID or user tracking, etc.) Are there any gotchas?

 We're an Aruba shop and expect about 3000+ wireless clients this
 semester and have been adding more APs by the week.

 Thanks,
  Mike

 ***
 Michael Dickson Phone: 413-545-9639
 Network Analyst [EMAIL PROTECTED]
 University of Massachusetts
 Network Systems and Services
 ***



RE: Cisco WLAN 4400 Controllers and 802.1x

2008-07-25 Thread Johnson, Neil M
We have three remaining Cisco 4400 controllers and have been doing 802.1x using 
PEAP v0 and MS-CHAP-V2 for a couple of years. We finally killed off our Dynamic 
WEP SSID this summer.

We don't have full wireless coverage in our dorms (common areas only) so the 
X-Box, Playstation, etc. have not been an issue.

Our previous Wireless Engineer can be credited for debugging 802.1X issues for 
several vendors :).

Our help desk has the ability to generate guest id's.  We did set up a Captive 
portal for guests staying at the hotel in our Union (using a different vendor).

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Jenkins, Matthew
Sent: Thursday, July 24, 2008 3:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLAN 4400 Controllers and 802.1x

How many others are doing 802.1x in a Cisco LWAPP environment?  Have you had 
success with it, or would you recommend another route for authentication?  
Currently we are using VPNs over our secure wireless and I am investigating 
whether we would be ahead to start using 802.1x coupled with WPA.  Any thoughts 
would be appreciated.

Thanks,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at http://www.fairmontstate.edu/



Tracking Wireless Users on Private Address Space

2008-10-10 Thread Johnson, Neil M
We are seriously looking into moving our wireless nets to private address space 
in order to save IPv4 addresses.

I'm looking for other institutions that have done this to find out how they 
tracked NAT information in order to identify wireless users for security and 
troubleshooting.

Specifically,

- How did you capture NAT sessions (SNMP, syslog, screen scrapes)?
- How did you store and search NAT session data?
- What did your storage requirements end up being?

Thanks.
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 335-2951
http://www.uiowa.edu
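
The lookup asked about above, sketched as an added example that is not part of the original thread: it joins NAT session records, DHCP leases and 802.1X (RADIUS accounting) sessions on a timestamp to name the user behind a public IP and port. All records, field layouts, addresses and usernames are constructed for illustration and follow no vendor's log format.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def norm_mac(mac: str) -> str:
    """Make AA-BB-CC-00-00-01 and aa:bb:cc:00:00:01 compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass(frozen=True)
class NatSession:
    start: datetime
    end: datetime
    private_ip: str
    public_ip: str
    public_port: int


@dataclass(frozen=True)
class DhcpLease:
    start: datetime
    end: datetime
    private_ip: str
    mac: str


@dataclass(frozen=True)
class RadiusSession:
    start: datetime
    end: datetime
    mac: str          # Calling-Station-Id as sent by the controller
    username: str


@dataclass(frozen=True)
class Attribution:
    username: Optional[str]
    private_ip: Optional[str]
    mac: Optional[str]
    reason: str


D = "2008-10-10 "
# Constructed sample data (documentation address ranges, made-up users).
NAT_LOG = [
    NatSession(ts(D + "09:00:05"), ts(D + "09:00:40"), "10.20.0.15", "192.0.2.10", 40001),
    # The same public port is reused later by a different client.
    NatSession(ts(D + "09:12:10"), ts(D + "09:12:55"), "10.20.0.77", "192.0.2.10", 40001),
    # Same private IP as the first session, after it was re-leased.
    NatSession(ts(D + "09:30:00"), ts(D + "09:31:00"), "10.20.0.15", "192.0.2.10", 40002),
    # No DHCP lease record was retained for this client.
    NatSession(ts(D + "09:45:00"), ts(D + "09:45:30"), "10.20.0.99", "192.0.2.10", 40003),
]
DHCP_LOG = [
    DhcpLease(ts(D + "08:55:00"), ts(D + "09:15:00"), "10.20.0.15", "aa:bb:cc:00:00:01"),
    DhcpLease(ts(D + "09:10:00"), ts(D + "09:20:00"), "10.20.0.77", "aa:bb:cc:00:00:02"),
    DhcpLease(ts(D + "09:25:00"), ts(D + "09:35:00"), "10.20.0.15", "aa:bb:cc:00:00:03"),
]
RADIUS_LOG = [
    RadiusSession(ts(D + "08:54:50"), ts(D + "09:16:00"), "AA-BB-CC-00-00-01", "alice"),
    RadiusSession(ts(D + "09:09:50"), ts(D + "09:21:00"), "AA-BB-CC-00-00-02", "bob"),
    RadiusSession(ts(D + "09:24:50"), ts(D + "09:36:00"), "AA-BB-CC-00-00-03", "carol"),
]


def active(records, when):
    """Records whose [start, end] interval contains the timestamp."""
    return [r for r in records if r.start <= when <= r.end]


def attribute(public_ip, public_port, when,
              nat=NAT_LOG, dhcp=DHCP_LOG, radius=RADIUS_LOG) -> Attribution:
    # Step 1: public IP + port + time -> private IP. The timestamp is
    # mandatory because NAT ports are recycled between clients.
    hits = [s for s in active(nat, when)
            if s.public_ip == public_ip and s.public_port == public_port]
    if len(hits) != 1:
        return Attribution(None, None, None, "no unique NAT session")
    private_ip = hits[0].private_ip

    # Step 2: private IP + time -> MAC. Short leases mean the same
    # address belongs to different devices within the hour.
    leases = [l for l in active(dhcp, when) if l.private_ip == private_ip]
    if len(leases) != 1:
        return Attribution(None, private_ip, None, "no unique DHCP lease")
    mac = norm_mac(leases[0].mac)

    # Step 3: MAC + time -> 802.1X username from RADIUS accounting.
    users = {r.username for r in active(radius, when) if norm_mac(r.mac) == mac}
    if len(users) != 1:
        return Attribution(None, private_ip, mac, "no unique 802.1X session")
    return Attribution(users.pop(), private_ip, mac, "ok")
```

A complaint that carries no source port or an imprecise timestamp cannot be resolved this way, and the lookup returns a reason instead of guessing when any of the three sources has a gap.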



RE: Channel Selection on APs

2008-10-16 Thread Johnson, Neil M
We have both Meru and Cisco AP's.

For Meru we put each controller on either channel 1 or 11, because it seems 
most SOHO routers choose channel 6. In high density locations (auditoriums) we 
will put AP's on different channels to increase density.

For the Cisco AP's we enable Radio Resource Manager (RRM), let it pick the 
channel and power settings, and then turn it off. We had issues with AP's 
restarting with RRM enabled all the time (We also disabled DFS for the same 
reason). However, we are still running old versions of code because we have 
been migrating to Meru.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 335-2951
http://www.uiowa.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Martin Jr., D. Michael
Sent: Thursday, October 16, 2008 8:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Channel Selection on APs

In the past, we have always set up wireless access points to use channels 3, 6, 
and 11, since these channels are the non-overlapping channels.  We have tried 
to be careful in spacing out APs and picking one of these three channels where 
it seems appropriate to prevent interference from one another.

A question was posed by someone in my staff about using the least congested 
channel setting instead of going through all the trouble of determining and 
setting the channel.

So, the questions are...

1.  What are you other institutions doing about channel selection on your 
Access Points?
2.  If you are using 3, 6, and 11, what is your strategy for use and what 
problems and/or successes have you seen?
3.  If you are not using 3, 6, and 11, why not? What are you doing? And what 
problems and/or successes have you seen?


Any input is appreciated.

Thanks,

D. Michael Martin, Jr.
Network Administrator
University of Montevallo



RE: Enforcing and Ensuring Machine Auth 802.1x

2009-05-15 Thread Johnson, Neil M

We have similar issues in our library, and haven't found a solution yet.  We 
are a Meru shop.

Users attempting to log on to laptops that are members of the domain get 
"Unable to find a logon server" errors when the wireless net in the library is 
being heavily utilized.

We are using a Vista SSO GPO configured to first authenticate users to the 
wireless network and then authenticate them to the domain.

One hack we've found is to reboot the machine and then don't attempt to login 
(don't hit ctrl-alt-del) until the screen saver starts.

We don't think it's a wireless issue because Macs and Linux systems don't 
have problems getting authenticated to the wireless network.

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

At our little campus we have about 100 computers that are pure wireless 
workstations provided in the library for student use. From time to time they 
will refuse to machine auth to the network. Typically they are reported after 
the fact as the student will bounce from workstation to workstation until they 
find a Hot one.

Troubleshooting:

We have tried JAMAP (Just add more access points). (for a stretch there we had 
36 to 50 people, including wireless workstations on a single access point).
Modifying the power settings so the machines never sleep.
Updating drivers for the mix of Broadcom, Intel and Linksys wireless cards.

All to no avail. We are an all Aruba shop and are quite pleased with their 
entire line, the system never bogs, higgs or gives us any hint of trouble just 
the 802.1x problem.

The problem is difficult because there are so many workstations and that they 
don't do it on any predictable scale. So, any tips for 802.1x machine auth?


Thanks!

Jason Appah
Systems Administrator
Oregon Institute of Technology
http://www.oit.edu



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Johnson, Neil M
Meru is not consistent about what RADIUS attributes they send when using 
different authentication methods.  This burned us when we tried to restrict 
users to a particular controller and SSID. It worked okay for 1X authentication, 
but when using Web authentication the called-station-id attribute is not sent 
to the RADIUS server.

I complained rather loudly that it be a software feature request.

-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scholz, Greg
Sent: Friday, May 22, 2009 3:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

We are a Brocade (OEM Meru) wireless shop and use MS IAS for RADIUS. You can 
use the nas-ip-address attribute which is the IP of the controller and the 
called-station-id which in Meru/IAS land is the MAC of the controller:SSID 
(unlike Cisco per the posting below where it is the AP MAC:SSID - I actually 
wish we could get the AP MAC).

So you may be able to get the NASID either by one of these attributes + the 
SSID from the called-station-id using wildcard matching.

If these are more like fat APs where it will always be the AP's IP or MAC 
(not the controller's) reported as the NAS then what about putting all 
their management IPs into logical groups so you could wildcard match on a 
portion of the AP's MAC? Just another thought.


Hope this helps,
Greg





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 22, 2009 3:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Thanks Mike and Lee,

If I could somehow leverage the NASID and SSID as a name-couplet, this would 
provide the differentiation I need while making provisioning relatively simple 
(I don't want to have to resort to MAC addresses).  The packet data pretty much 
reflects what I see in the RADIUS logs on the Cisco ACS.  It's in the creating 
of the policy where the wireless rubber meets the road.

Much appreciated guys,

--Bruce Johnson


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Friday, May 22, 2009 8:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

It may be stating the obvious, but if you use AD, you can leverage attributes 
there to allow/restrict a range of network/WLAN functions...

Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 22, 2009 7:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

It all depends on:
1.  Your Wireless AP / Wireless Controller Implementation
2.  Your Radius Server's ability to use policies.

Each Radius server returns different information in a RADIUS packet.  The Cisco 
Controllers return the attributes of:
  CalledStationID 00-00-00-00-00-00:SSID  (Where 00-00-00-00-00-00 is the AP's MAC, and SSID is the SSID they are connecting to)
  CallingStationID 00-00-00-00-00-00  (Where 00-00-00-00-00-00 is the MAC of the laptop)
  NASIPv4Address 0.0.0.0  (Where 0.0.0.0 is the IP of the Wireless LAN Controller)
  NASIPv6Address -
  NASIdentifier Controller-Name  (Where Controller-Name is the name of the controller as configured in the WebGUI)
  NASPortType Wireless - IEEE 802.11
  NASPort 29  (The port number, I think with LAG ports, it's always 29)

The second part of the question, is can your Radius Server deal with this 
information.
I know IDEngines has the concept of policies.  I know NPS (IAS for server 2008) 
also has policies, and I know FreeRADIUS can pull off some cool matching 
features.

NPS and IDEngines allow you to create policies that match like firewall 
rules, and apply based on policy matches.  I'm unsure if IAS on 2003 can do 
this.  I'm not sure Steel belted Radius has this functionality.  It didn't when 
I looked at it 4 years ago, but that is a very long time ago in a product 
lifecycle for a currently shipping product.

Mike
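
An added example, not part of the original thread, of a policy keyed on the NAS-Identifier and SSID couplet discussed above; it denies the request when Called-Station-Id is absent, which is the web-authentication case reported at the top of this thread. Controller names, SSIDs, role names and the rule table are hypothetical.

```python
import re
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional, Tuple

# Called-Station-Id is "<MAC>" or "<MAC>:<SSID>". The MAC may use '-' or ':'
# separators (or none), so the SSID cannot be found by splitting on ':'.
CSID_RE = re.compile(r"((?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2})(?::(.+))?")


def parse_called_station_id(value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (mac, ssid); each is None when it cannot be recovered."""
    if not value:
        return (None, None)
    m = CSID_RE.fullmatch(value.strip())
    if not m:
        return (None, None)
    mac = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    return (mac, m.group(2))


class Rule(NamedTuple):
    nas_id: str   # glob matched against NAS-Identifier
    ssid: str     # glob matched against the SSID part of Called-Station-Id
    role: str     # hypothetical role / walled garden to assign


# Hypothetical policy table; first match wins, anything else is denied.
RULES = [
    Rule("wlc-north-*", "campus-secure", "staff"),
    Rule("wlc-south-*", "lab:iot", "walled-garden-lab"),
]


def decide(request: dict, rules=RULES) -> Tuple[Optional[str], str]:
    """Return (role, reason). role is None when access is denied."""
    nas_id = request.get("NAS-Identifier")
    _mac, ssid = parse_called_station_id(request.get("Called-Station-Id"))
    # Fail closed: a request without the attributes the policy keys on
    # must not fall through to a broader rule.
    if not nas_id:
        return (None, "no NAS-Identifier in request")
    if not ssid:
        return (None, "no SSID in request")
    for rule in rules:
        if fnmatchcase(nas_id, rule.nas_id) and fnmatchcase(ssid, rule.ssid):
            return (rule.role, "matched")
    return (None, "no rule matched")


# Constructed requests covering the cases raised in the thread.
DOT1X_REQUEST = {"NAS-Identifier": "wlc-north-1",
                 "Called-Station-Id": "00-1A-2B-3C-4D-5E:campus-secure"}
WEBAUTH_REQUEST = {"NAS-Identifier": "wlc-north-1"}  # attribute not sent
WRONG_CONTROLLER = {"NAS-Identifier": "wlc-south-2",
                    "Called-Station-Id": "00-1A-2B-3C-4D-5E:campus-secure"}
COLON_MAC_REQUEST = {"NAS-Identifier": "wlc-south-2",
                     "Called-Station-Id": "00:1a:2b:3c:4d:5e:lab:iot"}
```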



On Thu, May 21, 2009 at 8:06 PM, Johnson, Bruce T bjohns...@partners.org wrote:

Jason et al,



Following up on the earlier the two-SSID Nirvana (open and EAP-TLS) dialogue.



We have a multi-controller/multi-campus environment.  I'd love to have a single 
EAP-TLS SSID handle all devices/applications, several with unique walled-garden 
isolation requirements that would otherwise require their own SSID.  How 
difficult is this to 

Generating 3rd party CSR for NPS

2009-06-26 Thread Johnson, Neil M

Can someone detail the steps to generate a 3rd party CSR and import the 
resulting cert for NPS on Windows Server 2008?

I tried the steps at 
https://blogs.technet.com/rrasblog/archive/2008/01/03/getting-certificate-from-third-party-authorities.aspx
 but it appears that I have an error that my private is not being associated 
with the signed cert.

Thanks.

-Neil



--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu





Looking for T-SQL Code for SQL logging of NPS Accounting Information

2009-07-14 Thread Johnson, Neil M

Does anyone have some sample T-SQL code that they could share for logging 
Windows Server 2008 NPS accounting data to a SQL Server database?

I have the example from Microsoft at 
http://msdn.microsoft.com/en-us/library/bb960723(VS.85).aspx, but I'm looking 
for something that is a little more specific.

Thanks.
-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu





NPS and Outer Identities

2009-09-08 Thread Johnson, Neil M

Is anyone using Microsoft NPS as their RADIUS server? Do you have to make sure 
the outer and inner identities match in order for authentications to be 
successful?

Thanks.
-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu





RE: [WIRELESS-LAN] wireless DHCP lease time

2009-09-30 Thread Johnson, Neil M

We are running a 10 minute lease on our 2 /21's with no issues that I know of.  
Generates a lot of logs though. I wouldn't want to go much shorter.

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Garrett Harmon
Sent: Wednesday, September 30, 2009 1:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wireless DHCP lease time

We're running into some issues at the ramp up of a quarter with our DHCP lease 
time attempting to utilize the /24's we currently pool for our main essid. We 
moved from 1hr. to 30 minutes, but are still running out of leases 
occasionally. For instance, we have 160 users in a /24, but due to the 
transient nature of wireless/classes leases that are used for a brief moment 
the cycle isn't quite efficient enough.

What is everyone else using for wireless DHCP lease times? I know I can just 
add another /24 to the pool, but the networks are not being utilized enough. We 
want to try 15 minutes but are wondering if we will start to run into issues 
related with that? Your input is greatly appreciated!!

Garrett Harmon
Network Engineer
Office of Information Technology
The Ohio State University
614.292.2122 (o)
614.747.5539 (c)




NAT Appliance Recommendations

2009-10-21 Thread Johnson, Neil M

For those of you who have moved your wireless clients to private IP address 
space, what are you using to do NAT ?

We are a Meru shop and Meru doesn't do NAT natively on their controllers.

Thanks.
-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu





RE: [WIRELESS-LAN] PhiHong

2009-11-11 Thread Johnson, Neil M
We tested several different vendors and settled on Powerdsine.

The biggest issue we ran into was the robustness of the on-board management 
software. We had several instances where other vendors would crash, requiring 
the box to be restarted. The Powerdsine boxes were the most robust, but not 
perfect so we still have switchport ACL's in place to restrict traffic to 
campus nets and are moving them to private IP address space.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Caroline Owens
Sent: Wednesday, November 11, 2009 8:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PhiHong

Joe,

What midspans did you finally settle on? if you don't mind me asking.
We've been using Powerdsine and I guess I'm looking for an alternative...
This question is open to anyone else who wants to weigh in and thank you 
in advance!

Caroline

On 11/10/2009 6:31 PM, Roth, Joe wrote:
 We ordered some of their managed midspans about 2 years ago, but soon stopped.

 The quality was terrible. Out of about 10 midspans we had to RMA 5 or 6. Some 
 were DOA. Most had issues with their management card. Of the ones that worked 
 the management piece was a pain to configure and maintain.

 We even had one of the RMA'd units come back with different issues than we 
 sent it back with.

 --Joe

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Watters, John
 Sent: Tuesday, November 10, 2009 2:41 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] PhiHong

 I just ordered some of the new high power models (6, 12,  24-port sizes). 
 Some arrived in less than a week. The remaining ones took about 2 weeks.

 -jcw

 -
 John Watters    UA: OIT    205-348-3992


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Caroline Owens
 Sent: Tuesday, November 10, 2009 12:58 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] PhiHong

 Does anyone have anything good or bad to say about the PhiHong power
 injectors?
 I've historically used the Powerdsine ones and I'm getting shipping lead
 times of 4 weeks on them all of a sudden from my vendor, so I'm looking
 for other options.
 Actually, is anyone else having that problem as well?  While I'm on the
 topic

 Thanks!
 Caroline Owens
 Networking and Telecommunications
 Saint Joseph's University



RE: [WIRELESS-LAN] Anyone use CloudPath ?

2009-11-23 Thread Johnson, Neil M
We have been using Xpress connect since this summer and it has greatly reduced 
the number of Wireless Setup support calls to our help desk.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Michael Dickson
Sent: Monday, November 23, 2009 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone use CloudPath ?

We're considering Cloudpath XpressConnect to see if this product can 
assist with client configuration and help us achieve higher user 
adoption of our 802.1x network.

Anyone using XpressConnect successfully? Do you use it for Win and Mac? 
How is pricing determined for a campus?

We're offering 802.1x with TTLS/PAP/AES and use SecureW2 for our Windows 
users. Adoption rate over our captive portal SSID is going just ok. We 
are planning a large expansion project and want to make getting on 802.1x 
as easy as possible.

Comments, advice, complaints or horror stories appreciated. Reply to me 
directly if you prefer not to air grievances publicly.

Thanks in advance,
--Mike


Michael Dickson 413.545.9639
Network Analyst Univ. of Massachusetts Amherst




RE: [WIRELESS-LAN] Experiences with Meru

2010-03-10 Thread Johnson, Neil M
We are currently expanding our wireless network and by fall semester we will 
have around 2100 AP's.  We have both AP 208's and AP 300's.

We have been very happy with the single channel architecture, but have had the 
same driver issues mentioned by others. Again most issues are easily resolved 
by our help desk getting drivers updated.

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Clipperton, Ken
Sent: Wednesday, March 10, 2010 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Experiences with Meru

Richard,

We have a campus-wide Meru 802.11n wireless network in place with 802.1x as 
part of the picture. Our experience matches yours. I have believed it was our 
combination of WPA2-Enterprise and 802.1x that accounted for the inability of 
older drivers to work with our implementation. We do run a guest network that 
is not encrypted and I believe that we have not seen the same issue for those 
clients.

We urge people to use the Windows Update site using the Custom option and 
installing any wireless drivers that pop up. We keep the current Intel drivers 
on a USB memory stick that hangs next to the help desk service window. We have 
used it many times. Happily that install is extremely simple -- just click on 
one executable, wait a short time while the updated driver installs and becomes 
active.

We have found that Windows default network settings don't match our needs. Some 
students follow a short step-by-step guide. Most bring them into the help desk. 
If we weren't under 1,000 students I would definitely look into the automated 
client configuration tools that have recently been mentioned here. I wonder if 
those tools also handle driver updates.

Ken
On Wed, Mar 10, 2010 at 6:24 AM, R. Smit <r.s...@hva.nl> 
wrote:
Hello,

I have a question for other Universities who are using Meru wireless 802.11n 
networks. We are in the process of doing a Proof of Concept on Meru's 
technology of single cell architecture. We ran into a few issues and I was 
wondering how other universities are dealing with these kinds of issues or maybe 
they didn't experience any issues at all.

We noticed that clients with older drivers were unable to connect to the Meru 
network but after updating the drivers it worked fine. For example Intel 
3945ABG chipset needed the 12.x driver to connect. So the default driver in 
Microsoft Vista is outdated. We have about 40,000 students and they all have 
their own laptop. Has anyone had to deal with this kind of problem? And how 
did you manage it in a large environment?
Does anyone experience that Meru is very demanding on client configuration and 
driver and hardware versions?

Thanks.

Regards,

Richard Smit
Hogeschool van Amsterdam
University of Professional Education





Wireless for Exams

2010-08-18 Thread Johnson, Neil M
We are getting inquiries concerning the use of the wireless network for 
computer based exams in large lecture halls.

Although we provide coverage in most of our lecture halls, our current policy 
states that given the unlicensed nature of 802.11 spectrum we can't guarantee 
network availability and performance and therefore don't recommend using the 
wireless network for this type of testing.

I was wondering how other institutions approach this.

Thanks.
-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu





RADIUS Accounting Interval

2010-09-07 Thread Johnson, Neil M
What do you use for RADIUS accounting interval ?

We have ours set to 10 minutes in order to match our DHCP lease time and it's 
put quite a load on our RADIUS server infrastructure.

Thanks.
-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu





RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

2010-09-27 Thread Johnson, Neil M
Jamie,

I saw the exact same thing in our DHCP logs, including the hostname 
(android_977…) . Curious.

-Neil




--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jamie Savage
Sent: Monday, September 27, 2010 9:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Just went back in our logs and we had a few hits with this MAC last week.  
However, the DHCP records indicate that this one has something to do with 
Android??

Sep 22 16:01:50 x.xx.yorku.ca dhcpd: 
event=dhcp_offerloglevel=infomsg=DHCPOFFER on 192.168.100.211 to 
00:11:22:33:44:55 (android_9774d56d682e549c) via eth1 gw 192.168.100.2

The android reference here is the computer name which could have been entered 
by the user but the subsequent alpha string would indicate it's a generated 
name.

thxJ

James Savage                    York University
Senior Communications Tech.     108 Steacie Building
jsav...@yorku.ca                4700 Keele Street
ph: 416-736-2100 ext. 22605     Toronto, Ontario
fax: 416-736-5830               M3J 1P3, CANADA



From: Ingen Schenau, Jeroen van (ICTS) <j.vaningensche...@utwente.nl>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: 09/27/2010 10:02 AM
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>




On Mon, 2010-09-27 at 09:39 -0400, Michael Dickson wrote:
 Fascinating. We have one user on campus so far with this address:

 00:11:22:33:44:55
 Vendor (reported by Airwave): CIMSYS Inc

My € 0.02: we've seen three distinct users with that MAC, over the past
7 days. Same when looking over the last 31 days.


Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
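
The observation in this thread (one MAC address, 00:11:22:33:44:55, turning up for several different clients) can be checked mechanically against DHCP logs. The following is an added example, not code from any of the posters: it parses ISC dhcpd-style DHCPOFFER/DHCPACK lines and flags MAC addresses seen with more than one client hostname. The sample log lines are constructed (modelled on the line quoted above), and the function names and the octet-pattern heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# ISC dhcpd style: "DHCPACK on <ip> to <mac> (<client hostname>) via <iface>"
# The hostname part is optional because not every client sends one.
LEASE_RE = re.compile(
    r"(?P<event>DHCPOFFER|DHCPACK) on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed sample data: hostnames, IPs and the server name are made up.
SAMPLE_LOG = """\
Sep 22 16:01:50 dhcp1 dhcpd: DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1
Sep 22 16:01:51 dhcp1 dhcpd: DHCPACK on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1
Sep 23 09:14:02 dhcp1 dhcpd: DHCPACK on 192.168.100.37 to 00:11:22:33:44:55 (android_1f0c2ab4e87d3355) via eth1
Sep 24 11:40:19 dhcp1 dhcpd: DHCPACK on 192.168.100.90 to 00:11:22:33:44:55 (android_c41d07aa9be26f10) via eth1
Sep 24 11:42:00 dhcp1 dhcpd: DHCPACK on 192.168.100.12 to 00:1b:63:aa:bb:cc (alices-macbook) via eth1
Sep 24 12:05:33 dhcp1 dhcpd: DHCPACK on 192.168.100.12 to 00:1b:63:aa:bb:cc (alices-macbook) via eth1
Sep 24 12:30:45 dhcp1 dhcpd: DHCPACK on 192.168.100.77 to 02:00:5e:10:20:30 via eth1
Sep 24 12:31:00 dhcp1 dhcpd: DHCPDISCOVER from 00:1b:63:aa:bb:cc via eth1
"""


def parse_leases(text):
    """Return one dict per DHCPOFFER/DHCPACK line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            records.append(rec)
    return records


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def looks_like_placeholder(mac):
    """Heuristic (an assumption, not a standard): octets step by a constant,
    as in 00:11:22:33:44:55 or 00:00:00:00:00:00."""
    octets = [int(o, 16) for o in mac.split(":")]
    steps = {(b - a) % 256 for a, b in zip(octets, octets[1:])}
    return len(steps) == 1


def analyze(text, min_hosts=2):
    """Map each suspicious MAC to the list of reasons it was flagged."""
    hosts = defaultdict(set)
    seen = set()
    for rec in parse_leases(text):
        seen.add(rec["mac"])
        if rec["host"]:
            hosts[rec["mac"]].add(rec["host"])

    findings = {}
    for mac in sorted(seen):
        reasons = []
        if len(hosts[mac]) >= min_hosts:
            reasons.append("shared: %d distinct client hostnames" % len(hosts[mac]))
        if is_locally_administered(mac):
            reasons.append("locally administered bit set")
        if looks_like_placeholder(mac):
            reasons.append("placeholder-style octet pattern")
        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in analyze(SAMPLE_LOG).items():
        print(mac, "->", "; ".join(reasons))
```

Note that 00:11:22:33:44:55 does not have the locally-administered bit set, so a check on that bit alone would miss it; the hostname count is what exposes the sharing. On an 802.1X network the same grouping can be done on the authenticated username from RADIUS accounting instead of the client-supplied hostname.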



RE: [WIRELESS-LAN] Apple and wireless connectivity issues?

2010-10-07 Thread Johnson, Neil M
We also see lots of problems with Macs being unable to obtain DHCP addresses 
properly eventually ending up with a self-assigned IP address.

Attempts to engage Apple have not been helpful.



-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Chris Brezil
 Sent: Thursday, October 07, 2010 8:28 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Apple and wireless connectivity issues?
 
 Over the summer we upgraded our wireless infrastructure from all
 autonomous Cisco access points to a managed Aruba wireless environment.
 Since the start of the semester we have had issues come up that we have
 been addressing, but we are now encountering something that we never
 faced before - it seems more and more that the majority of new issues
 we are dealing with come from Apple laptops and mobile devices. We have
 heard of some of the larger reported issues about Apple, such as the
 DHCP issues with the original iPad iOS. We have also done some of our
 own research on this and see Apple mentioned numerous times in regards
 to wireless connectivity issues, but we don't know if we are seeing
 this because this is what we are looking for or if because it is the
 reality of the situation.
 
 An example of this type of issue is that a student applied Apple
 updates to her computer last Friday and then could not get an IP
 address afterwards on our wireless network, though she could still use
 her wireless router at home. Calling Apple about this resulted in them
 telling us that if the computer can connect in one place but not
 another that it is our problem and not an issue with the laptop, even
 though many other Apple computers with the same version of the OS could
 connect to our network.
 
 We continue to troubleshoot and look to see if there is something that
 is about our wireless network configuration that is causing problems.
 However, we would like to see if others have experienced similar types
 of issues on their campuses. Do you see a preponderance of wireless
 issues over time relating to Apple products? If this has been the case
 for you, were you successfully able to address issues with Apple? Did
 you have to go back to your wireless vendor to fix these issues? Does
 this sound like something unique to our experience here? We look
 forward to hearing what others have experienced.
 
 Regards,
 Chris Brezil
 Assistant Vice President/IT
 The New School
 


RE: [WIRELESS-LAN] Versign New Root CERT

2010-11-01 Thread Johnson, Neil M
We are also moving to Comodo via Incommon which is going to be interesting.  
Hopefully we can leverage our Cloudpath installation to roll out the changes.

-Neil



--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Holland, Ryan C.
Sent: Monday, October 18, 2010 11:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Versign New Root CERT

Bruce,

We had this exact same issue! Instead of a default 1024bit certificate rooted 
in Equifax, we received a 2048bit certificate rooted in GeoTrust.

We explained that reconfiguring the tens of thousands of devices 'out there' is 
an impossibility at this time. Basically, this resulted in a lot of back and 
forth, but in the end, we leveraged the fact that Verisign had until December 
31, 2010 to comply with new regulations that forced them to the 2048bit 
offering. Thus, we were able to obtain a renewal for our certificate that would 
last another 12 months.

We are now migrating towards using Comodo through Incommon. But again, this is 
through a different root. Luckily, we are nearing a rollout of a new identity 
management solution along with a WLAN encryption upgrade; each requires 
reconfiguration on the user's part. We are leveraging these circumstances to 
roll out a configuration utility that will trust both Equifax as well as our 
new root.

Many folks will say to just use a self-signed root, but for some entities, that 
is not an option since the network engineers may not dictate the security 
policies. :-/

Good luck!

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu

On Oct 18, 2010, at 12:38 PM, Bruce Boardman wrote:


We just renewed our Verisign CERTs only to find that the Verisign Root has 
changed. This wouldn't be a big deal, if it were for a web server, but since 
it's student laptops configured to accept only the old public primary root 
it has a big impact. Verisign is saying that our only recourse is to 
reconfigure all the clients. Ouch! We are using a Cisco ACS 5.2 server for the 
Radius auth, and certification. Anyone solve this already, or have any 
suggestions about how to avoid reconfiguring all the clients.



|Bruce Boardman, Network Engineer, Syracuse University -  c  315 412-4156|



RE: [WIRELESS-LAN] Versign New Root CERT

2010-11-09 Thread Johnson, Neil M

Thanks to assistance from Cloudpath tech support, we should be able to use 
XpressConnect to assist in the migration of users to the InCommon/Comodo Root 
CA.

It still isn't going to be pretty as all users will have to re-configure their 
devices before the existing cert expires.

Our current (Thawte) cert expires in July. Hopefully that's enough time to 
notify everyone.

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M
Sent: Monday, November 01, 2010 12:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Versign New Root CERT

We are also moving to Comodo via Incommon which is going to be interesting.  
Hopefully we can leverage our Cloudpath installation to roll out the changes.

-Neil



--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Holland, Ryan C.
Sent: Monday, October 18, 2010 11:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Versign New Root CERT

Bruce,

We had this exact same issue! Instead of a default 1024bit certificate rooted 
in Equifax, we received a 2048bit certificate rooted in GeoTrust.

We explained that reconfiguring the tens of thousands of devices 'out there' is 
an impossibility at this time. Basically, this resulted in a lot of back and 
forth, but in the end, we leveraged the fact that Verisign had until December 
31, 2010 to comply with new regulations that forced them to the 2048bit 
offering. Thus, we were able to obtain a renewal for our certificate that would 
last another 12 months.

We are now migrating towards using Comodo through Incommon. But again, this is 
through a different root. Luckily, we are nearing a rollout of a new identity 
management solution along with a WLAN encryption upgrade; each requires 
reconfiguration on the user's part. We are leveraging these circumstances to 
roll out a configuration utility that will trust both Equifax as well as our 
new root.

Many folks will say to just use a self-signed root, but for some entities, that 
is not an option since the network engineers may not dictate the security 
policies. :-/

Good luck!

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu

On Oct 18, 2010, at 12:38 PM, Bruce Boardman wrote:

We just renewed our Verisign CERTs only to find that the Verisign Root has 
changed. This wouldn't be a big deal, if it were for a web server, but since 
it's student laptops configured to accept only the old public primary root 
it has a big impact. Verisign is saying that our only recourse is to 
reconfigure all the clients. Ouch! We are using a Cisco ACS 5.2 server for the 
Radius auth, and certification. Anyone solve this already, or have any 
suggestions about how to avoid reconfiguring all the clients.



|Bruce Boardman, Network Engineer, Syracuse University -  c  315 412-4156|



RE: [WIRELESS-LAN] Coachcomm system...

2010-11-17 Thread Johnson, Neil M
We had a similar issue with a wireless scoreboard system for the swimming pool 
in our new Recreation and Wellness center. It took out the whole 2.4 GHz band.  
Fortunately the pathways were in place so they could switch it to a wired setup.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Rob Brenner
 Sent: Wednesday, November 17, 2010 8:55 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Coachcomm system...
 
 We've run into a similar issue. I'm not sure what brand of headsets are
 used by our coaches, but they stomp on ch11. We basically punted and have
 alternated between channels 1 and 6 in several of our b/g locations. It
 isn't our preferred solution, but it's working for us.
 
 Rob Brenner
 Texas A&M University
 
 
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv
  [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios
  Sent: Tuesday, November 16, 2010 7:55 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] Coachcomm system...
 
  Our Athletic department provides communication for coaches during
  football games via wireless headsets made by a company called Coachcomm.
  Their systems work on the 2.4Ghz and use FHSS. Even though Coachcomm
  claims that their systems (Tempest NG) play nice with WiFi, we've found
  up to 50% performance degradation with our WiFi. We've gotten around the
  issue by being creative but I was just curious to know if anybody out
  there has run into a similar issue.
 
  Hector Rios
  Louisiana State University
 


RE: [WIRELESS-LAN] 802.1x SIP Phone

2011-02-11 Thread Johnson, Neil M
My Cisco 7921 phone does...

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Guillaume Germain
 Sent: Friday, February 11, 2011 4:02 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] 802.1x SIP Phone
 
 I believe Cisco has 802.1x (both wired and wireless) phones that do SIP
 
 GG
 
 On Wed, Feb 9, 2011 at 11:08 AM, Peter P Morrissey <ppmor...@syr.edu>
 wrote:
  Has anyone come across a SIP phone that does 802.1x? I believe we had an
  Hitachi at one time that did this, but they don't make them anymore.
 
 
 
  Pete Morrissey
 


RE: [WIRELESS-LAN] WiFi on campus buses

2011-03-21 Thread Johnson, Neil M
We partnered with all our local municipal transportation services to implement 
NextBus (http://nextbus.com) route information technology.

NextBus uses GPS and 3G backhaul to provide location and arrival time 
information that is accessible by the web, SMS, and voice.

On our campus buses (Cambus) we are rolling out Wi-Fi service (it's an option 
NextBus offers).  It just went live this fall, so we don't have a lot of 
feedback yet. It will be a separate SSID from our regular campus wireless service.

Our website is http://ebongo.org (Bongo is short for Bus on the go).

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
 Sent: Friday, March 18, 2011 9:33 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WiFi on campus buses
 
 When we looked into it, the bus company wasn't interested as they can't
 do every bus and rotate the busses that get used on campus. Also, our
 commutes are pretty short in general. And... The growing number of
 smartphones does make it less interesting of an idea.
 
 -Lee Badman
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Randall C Grimshaw
 [rgrim...@syr.edu]
 Sent: Friday, March 18, 2011 9:13 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WiFi on campus buses
 
 There was a similar thread some time ago regarding wi-fi on the busses
 for sports teams. I was hoping that someone would chime in... but the
 gist was that there are cellular routers with more than one usb/card
 slot that provide automatic failover - and you have two (or three)
 carriers. I would think that you sort the carriers in the queue in some
 reasonable way to reduce costs/risk/load.
 
 Randy
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
 Sent: Friday, March 18, 2011 9:07 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WiFi on campus buses
 
 We were asked to look into it but never did it. I don't know of any
 other way to provide the service but to do WiFi router with a cellular
 back-haul, like you said. And just specify it is best effort.  I think
 that's the best you can do. Unless you want to beef up the cell
 coverage with DAS, but then your costs start increasing.
 
 Hector Rios
 Louisiana State University
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jamie Savage
 Sent: Thursday, March 17, 2011 9:44 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] WiFi on campus buses
 
 Hi,
We have two main campuses with a regularly scheduled shuttle bus
 running between the two.  We've been asked to look into providing WiFi
 service on this bus.  It appears the solution is a WiFi router with a
 cellular back-haul (3G?).  If anyone is doing this I'd appreciate any
 comments as I see a number of issues... spotty cellular along the
 route (i.e., service disclaimer required), user density vs. available
 bandwidth (Netflix!!), etc.
 
 thanks in advance...J
 
 James Savage                  York University
 Senior Communications Tech.   108 Steacie Building
 jsav...@yorku.ca              4700 Keele Street
 ph: 416-736-2100 ext. 22605   Toronto, Ontario
 fax: 416-736-5830             M3J 1P3, CANADA


RE: [WIRELESS-LAN] PEAP/MSCHAPv2 using Juniper SBR + AD

2011-03-22 Thread Johnson, Neil M
We are. With a little RADIATOR thrown in the middle to assign users to VLANS 
dynamically.

-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Holland, Ryan C.
Sent: Tuesday, March 22, 2011 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP/MSCHAPv2 using Juniper SBR + AD

Is anyone out there using 802.1X w/ PEAP/MSCHAPv2, leveraging Juniper's 
Steel-belted radius pointed to Microsoft Active Directory?

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu





Policy towards self installed AP's in dorms

2011-04-05 Thread Johnson, Neil M
These questions are targeted at larger schools with large dorm
populations that use EAP authentication (802.1x) on their wireless
network.

1. What is your school's policy in regards to students installing
their own access points in the dorms where you have wireless service
already available?

2. How do you inform students about your policy?

3. Do you enforce your policy?

4. Do you proactively search for access points, or do you intervene
only when they are impacting your service?


Thanks.

Neil Johnson
The University of Iowa



Re: [WIRELESS-LAN] MERU wireless

2011-04-13 Thread Johnson, Neil M
We have ~2300 APs on campus and are satisfied with the system.   
There's some functionality (VLAN pooling, Native IPv6 support) that we  
would like to see in the product.


-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu

On Apr 13, 2011, at 9:50 AM, Randy Ethridge wrote:

I just heard a pitch for MERU and it almost sounds too good. Is
anyone running MERU and if so how do you like it and what problems
have you run into?


Thanks.

Randy Ethridge
Network Engineer V
Information Services
Eastern Illinois University
rlethri...@eiu.edu

Proud to say I am EIU

EIU THINKS GREEN: Before printing this e-mail think if it is necessary



RE: [WIRELESS-LAN] MERU wireless

2011-04-13 Thread Johnson, Neil M
Meru currently supports IPv6 in bridging only mode, so you lose some of 
Meru's proprietary traffic management features.

In testing I've had issues with SLAAC, but Illinois has not, so your mileage 
may vary. I haven't tested it since version 3.6 of their code.

Our campus is currently routing IPv6 everywhere and plans are under way to IPv6 
enable more services (we plan to participate in World IPv6 Day by enabling  
records for our Microsoft servers), so I'm getting asked every week when IPv6 
will be supported on wireless.

Meru understands that IPv6 support is a priority and they do have a roadmap for 
IPv6 support, but I think I'm under an NDA about that.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Bulk
 Sent: Wednesday, April 13, 2011 11:08 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] MERU wireless
 
 I was told by our local college last year already that Meru doesn't
 support IPv6 -- is that still the case?
 
 Frank
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil
 M
 Sent: Wednesday, April 13, 2011 10:07 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] MERU wireless
 
 We have ~2300 APs on campus and are satisfied with the system.
 There's some functionality (VLAN pooling, Native IPv6 support) that we
 would like to see in the product.
 
 -Neil
 
 
 --
 Neil Johnson
 Network Engineer
 Information Technology Services
 The University of Iowa
 Work: 319 384-0938
 Mobile: 319 540-2081
 Fax: 319 355-2618
 E-mail: neil-john...@uiowa.edu
 
 On Apr 13, 2011, at 9:50 AM, Randy Ethridge wrote:
 
  I just heard a pitch for MERU and it almost sounds too good. Is
  anyone running MERU and if so how do you like it and what problems
  have you run into?
 
  Thanks.
 
  Randy Ethridge
  Network Engineer V
  Information Services
  Eastern Illinois University
  rlethri...@eiu.edu
 
  Proud to say I am EIU
 
  EIU THINKS GREEN: Before printing this e-mail think if it is
 necessary
 


RE: [WIRELESS-LAN] MERU wireless

2011-04-19 Thread Johnson, Neil M
 Meru:
 - What version of code are you running

Just upgraded to 4.0-150. So far it seems fine. It resolved the administration 
interface lock ups we were seeing.

 - What style of AP's do you use

We have a mix of 208's and 311's.

 - Do you use different style access points within the same air space

No. Meru doesn't recommend this. We keep an entire building as one AP type and 
our 208's and 311's are in separate ESS profiles as per Meru's recommendations. 
Yes, it makes our refresh cycle longer.

 - Do you have problems in high dense areas without using the N radio

We have 208's in our Law School Auditoriums. We had to install additional AP's 
to handle capacity, but since then no major complaints. 

We do receive complaints from our Medical School about one large auditorium 
with 208's when they try to use high bandwidth applications. Once we get more 
information on their application usage, we plan to augment coverage with 
additional AP's and channel layering.

 - What style of controllers

We started with 3000's and upgraded to 5000's. We also have three 4100's.

We still do see random AP reboots and we have run across the silent AP issue 
others have been seeing.

We have been testing the Service Assurance Manager in our dorms and it has been 
helpful identifying some of the silent AP issues.

 
 



Re: [WIRELESS-LAN] Wireless design

2011-06-13 Thread Johnson, Neil M
We use several separate subnets for wireless clients and use some RADIUS custom 
hooks (We use a combination of RADIATOR and SBR) to dynamically assign clients 
to the subnets.

Our AP's themselves are addressed using RFC1918 space on a separate VLAN routed 
out each routing hub.


-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Fri, 10 Jun 2011 12:27:48 -0400
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless design

Just to chime in on the topic of restricting traffic - bear in mind that 
applications like Facetime and synching things like Documents to Go between 
iPads and PCs do get impacted by what may seem like otherwise good segregation 
methodology.  This can be the source of much consternation.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
Sent: Friday, June 10, 2011 7:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless design

John,


1.   I believe most (all?) wireless systems can bridge at the AP. If you 
are using 802.1X, you would need to find some way to whitelist the AP traffic, 
though. I know that Aruba APs can run in bridged mode, but you lose some 
features because all enforcement occurs within the limited resources of the 
thin AP. It is generally preferred to tunnel the traffic back to the 
controller, when possible.

2.   Whether you can block clients talking to each other depends on your 
wireless system. I know Aruba has a built-in firewall and you can block this 
traffic. I believe Cisco depends on the network infrastructure for firewalls. 
One challenge for the system is blocking peers talking to the same AP.

3.   Roaming between APs and between buildings is very dependent on your 
wireless system. We here at Liberty University have not yet designed our 
mobility approach. Our current focus is implementing 802.1X (finally!) and 
replacing our NAC system.

Regards,

Bruce Osborne
Wireless Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

From: John Kaftan [mailto:jkaf...@utica.edu]
Sent: Thursday, June 09, 2011 12:35 AM
Subject: Re: Wireless design

Can that system bridge at the AP?  We are going to have a secure network and an 
open one.  The secure network will be configured with 802.1x and will just dump 
people on the local VLAN of the building.  Once we have the network fully 
secure we will be fine with this.  I like this for performance reasons.  The 
APs just become secure hubs.

We will also make sure that no clients can talk to each other on these networks. 
We will try to drive all users to the secure network.  The secure network will 
also be NAC enabled.

The open network will tunnel back to the controller and bridge there which is 
required due to the captive portal.

The only possible snag here is roaming between buildings and between 802.1x APs. 
I have not tested and tweaked that yet.

John



- Original Message -
From: Mike King m...@mpking.com
Date: Wednesday, June 8, 2011 9:29 pm
Subject: Re: [WIRELESS-LAN] Wireless design
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

 The real short answer is that it does not matter what the IP address of the 
 AP is, as long as it has good stable communications with the controller.


 What I personally try to do is what you are proposing, put the APs for each 
 building/floor in its own subnet.


 Good luck


 Mike
 On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce 
 bruce_entwis...@redlands.edu wrote:
 We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
 to a combination of Cisco 3502i along with some of the existing 1231 APs 
 converted to lightweight. As we prepare for this we are looking at how to 
 best architect the new network. The new network will cover the entire 
 campus which consists of approx 50 buildings, with each building having its 
 own VLAN.

 The initial idea was to install the APs so the IP address of the AP would be 
 a part of the local building VLAN.  This is the IP the AP would use to talk 
 back to the controller.  For user connections there would be two VLANs 
 created which would be accessed through a single SSID.  The users would then 
 be dynamically assigned to one of the two VLANs based on their logon 
 credentials.  Currently all users are placed on the same VLAN after 
 authentication, as our current installation 

Re: [WIRELESS-LAN] iOS devices on wireless

2011-06-24 Thread Johnson, Neil M
Even on our wired side we have multiple L2 networks in the same dorm
building. Our dorms are substantially bigger (800+ residents). When you
only have two /16's for the entire campus and a desire not to do NAT, you
have to make compromises.

In addition, most of our dorms are right next to other academic buildings,
so we have intra-building roaming to worry about. That can result in more
complaints about connectivity issues than complaints about Bonjour not
working.

We have had some people expect to have Bonjour work between wired and
wireless networks and have had to explain how that wasn't going to happen.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 6/23/11 1:53 PM, Jeffrey Sessler j...@scrippscollege.edu wrote:

Bruce,

I'm not sure I'm advocating large wireless networks at all... At the
minimum, ensuring a given user's devices are all in the same L2 network
doesn't change your desire to use smaller /23 subnets, it only requires
additional back-end support to ensure those devices are placed together.
Probably more work for IT staff, and potentially less efficient IP pool
use, but I'd argue it will provide a better customer experience.

Even the desire to group devices within a given residential hall together
doesn't mandate a change in the size of your subnets, although I suspect
that would depend more on the size of your housing units. Our residential
halls are 80-100 beds, so an easy fit within smaller subnets.

Jeff

 Osborne, Bruce W bosbo...@liberty.edu 6/23/2011 5:32 AM 
Jeff,

Large wireless subnets increase airtime consumed by broadcast traffic.
That is why we use a VLan pool of /23 subnets.

The clients are distributed automatically based on a hash of the MAC
address & the number of subnets in the pool, so we cannot easily control
which subnet a user gets.

Changing the number of subnets in the pool recalculates everybody's
subnet too, so we make sure we have plenty of capacity.


Bruce Osborne
Wireless Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011


-Original Message-
From: Jeffrey Sessler [mailto:j...@scrippscollege.edu]
Sent: Wednesday, June 22, 2011 4:30 PM
Subject: Re: iOS devices on wireless

Bruce,

You could, by any number of technical solutions, ensure that students
within a given residential space were all on the same L2 network. That is
to say, if a given residence hall is made up of 200 students, then it's
not technically difficult to ensure all the residential wireless devices
within that area are placed in the same VLAN. Or, at a minimum, to ensure
that a user's device(s) will always be in the same L2 network so that
they can see each other. If one can't do that, then I wouldn't consider
the wireless solution to be very flexible, especially given the trend in
devices wanting/needing to talk to each other.

On my campus, students spend four years of their life in what we consider
a residential setting, and it seems only logical to me that the
experience should, to the extent possible, mimic home life. That is, it's
reasonable to me to expect a student's wireless devices to see each
other, and that they should be able to share/collaborate with the other
users within their residential hall.

I know that if I was back in college, I'd expect that level of
functionality, and If it wasn't there, I'd probably make it happen using
my own gear... exactly what you don't want happening.

Jeff


 Osborne, Bruce W bosbo...@liberty.edu 6/22/2011 4:55 AM 
We here at Liberty University have about 8000 students in our residences,
the vast majority using wireless.

That would be a *huge* L2 network.

Bruce Osborne
Wireless Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-Original Message-
From: Jeffrey Sessler [mailto:j...@scrippscollege.edu]
Sent: Tuesday, June 21, 2011 3:05 PM
Subject: Re: iOS devices on wireless

Mike,

I take it you are not able to reference housing data and then place all
students/student devices from the same residential hall into the same
VLAN?

Jeff

 Michael Dickson mdick...@nic.umass.edu 6/21/2011 11:18 AM 
On Jun 21, 2011, at 2:04 PM, Jeffrey Sessler wrote:

 My belief is that a student should be able to have a similar experience
when in a residential hall as they would at home. That requires
supporting everything under the sun including Bonjour.

Unfortunately our enterprise network is sufficiently different enough
that the user cannot have a similar experience as they would at home.

At home all of their devices are segregated in an L2 network. All their
neighbors' devices are in their own L2 network, etc. They can browse and
discover all the devices in their house but not (hopefully) the devices
in their neighbors'. Here at UMass their L2 domain is huge and includes
mostly 
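
The hash-based VLAN pooling described in the thread above (a client's subnet is picked from a hash of its MAC address and the number of subnets in the pool), as an added sketch that is not part of any message in the thread and not any vendor's code. The SHA-256-mod-N scheme, the VLAN IDs and the MAC addresses are assumptions constructed for illustration; the page does not say which hash the poster's system uses.

```python
import hashlib
import random


def vlan_for(mac, pool):
    """Return the VLAN for a client: hash(MAC) mod pool size (assumed scheme)."""
    normalized = mac.lower().replace("-", ":")
    digest = hashlib.sha256(normalized.encode("ascii")).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def constructed_macs(count, seed=2011):
    """Constructed sample data: pseudo-random, locally administered MACs."""
    rng = random.Random(seed)
    macs = []
    for _ in range(count):
        first = (rng.randrange(256) | 0x02) & 0xFE  # local bit set, unicast
        rest = [rng.randrange(256) for _ in range(5)]
        macs.append(":".join(f"{b:02x}" for b in [first] + rest))
    return macs


def moved_fraction(macs, old_pool, new_pool):
    """Fraction of clients whose VLAN changes when the pool is resized."""
    moved = sum(1 for m in macs if vlan_for(m, old_pool) != vlan_for(m, new_pool))
    return moved / len(macs)


def colocated_fraction(device_pairs, pool):
    """Fraction of users whose two devices share one VLAN (same L2 domain)."""
    same = sum(1 for a, b in device_pairs if vlan_for(a, pool) == vlan_for(b, pool))
    return same / len(device_pairs)


# Hypothetical VLAN IDs; each VLAN stands for one /23 in the pool.
POOL_16 = list(range(300, 316))
POOL_17 = list(range(300, 317))  # one more /23 added for capacity

if __name__ == "__main__":
    macs = constructed_macs(8000)
    # Pretend each user owns two devices (for example a laptop and a phone).
    pairs = list(zip(macs[0::2], macs[1::2]))
    print(f"clients renumbered after 16 -> 17 subnets: "
          f"{moved_fraction(macs, POOL_16, POOL_17):.1%}")
    print(f"users with both devices in one VLAN:       "
          f"{colocated_fraction(pairs, POOL_16):.1%}")
```

With a plain modulo, adding one subnet to a pool of 16 moves about 16 of every 17 clients, and only about 1 user in 16 has both devices in the same L2 domain, which is the Bonjour visibility problem the thread is arguing about.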

Separate SSID for 5GHz band

2011-07-07 Thread Johnson, Neil M
Has anyone here considered creating a separate SSID for the 5GHz band?

The idea is to encourage users to exclusively use 5 GHz over 2.4.

We've implemented band-steering, but it was suggested this would ensure
that users use 5GHz and not fall back to 2.4.

Thanks.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu



Re: [WIRELESS-LAN] Separate SSID for 5GHz band

2011-07-08 Thread Johnson, Neil M
Thanks for all the feedback.

Our proposed plan would be to leave our campus wide SSID enabled on both
bands with band steering enabled, then just enable a 5GHz only SSID in the
dorms.

We figured we would call the SSID UI-Wireless-5GHz rather than Fast or
High Speed because that might set unrealistic expectations. If residents
were having issues, we would ask them if they could connect to the 5GHz
SSID and see if there was an improvement. If they can't see the SSID, we'd
recommend they upgrade their wireless device.

We are finding that Xbox and PS3 controller to console communication uses
some sort of 2.4 FHSS communication. The console is broadcasting even when
it is turned off.  We've seen -60 dBm signal strength from a single Xbox.
Get a whole building full of them among the other 2.4 stuff and we just
don't think 2.4 is going to be usable.

I doubt we could ban gaming consoles from the dorms ;-)

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 7/7/11 6:53 PM, Holland, Ryan C. holland@osu.edu wrote:

Band steering is favorable when you have similar coverage areas on both
2.4 and 5 ghz. That should be a given nowadays, however, with the
adoption of 11n. I recommend folks evaluate their RF designs first prior
to tinkering with these types of feature sets. Tune down your 2.4 so it's
similar to your 5 ghz, THEN try band-steering. Otherwise, what John
outlines will occur.

===
Ryan Holland
Ohio State

On Jul 7, 2011, at 7:22 PM, John Kaftan jkaf...@utica.edu wrote:

 We considered a 5Ghz SSID  too but declined for the same reasons that
Karl noted.  Our vendor suggested band steering.  We have only done
minimal testing with band steering but it seems promising.  I had 30
clients connected to a single AP in our testing with only 2.4 enabled.
When I turned up the 5 Ghz band with band steering enabled all clients
that were able (50%) went to 5 Ghz.  I'd like to understand what happens
when a decision needs to be made between 5 and 2.4, i.e. when 2.4 offers
a better choice due to propagation.  Would you rather connect at -90 dBm
to 5 or -70 to 2.4?
 
 I have set the min RSSI to around 10 Mb for 5 Ghz thinking that I do
not want them connecting to 5 Ghz no matter what.  That should take care
of it but I have not tested.
 
 John Kaftan
 Infrastructure Manager
 Utica College
 
 
 
 On 7/7/2011 11:16 AM, Karl Reuss wrote:
 On 7/7/2011 10:29 AM, Johnson, Neil M wrote:
 Has anyone here considered creating a separate SSID for the 5GHz band?
 
 The idea is to encourage users to exclusively use 5 GHz over 2.4.
 
 We've implemented band-steering, but it was suggested this would ensure
 that users use 5GHz and not fall back to 2.4.
 
 We've had something like this in place for a long time now,
 with mixed results.
 
 Our main SSID is 'umd' which is on 2.4 and 5GHz.  We also have
 a 'umd-fast' that is only on 5GHz.  The idea was that people
 with 5GHz cards would see the umd-fast SSID and would choose
 it due to the superior sounding name.  If you couldn't
 tell your device to prefer 802.11a, umd-fast was an easy way
 to get it.
 
 Maybe we didn't do enough PR, but the -fast SSID seems to cause
 more questions and confusion than it's worth.  With band-steering
 and OSs doing a better job of selecting bands, we will probably
 decommission the -fast SSID this summer.
 
 -Karl Reuss
 


Re: Interference in dorms.

2011-07-21 Thread Johnson, Neil M
Thanks for the heads up, but all our WLAN's require 802.1X authentication which 
the Wii can't do.  We're telling users to buy the wired adapter if they want to 
connect them to the net.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Rick Coloccia coloc...@geneseo.edu
Date: Thu, 21 Jul 2011 13:12:23 -0400
To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Cc: Neil Johnson neil-john...@uiowa.edu
Subject: Re: Interference in dorms.

Be careful disabling 2 mbps.  We were told at the Cisco conference in a 
wireless class just last week that the Wiis require 2mbps to successfully find 
and join the wireless network. I have not personally verified this, but the 
source is reliable...

-Rick

On 7/21/2011 12:58 PM, Johnson, Neil M wrote:
We are struggling with the same issues. We are finding that X-boxes and PS3s 
generate lots of interference (they use a proprietary 2.4 protocol between the 
joysticks and console).

This summer we've added over 100 APs to the dorms, moved several, changed our 
AP's antenna configuration, disabled 1 and 2 Mbps data rates, and are 
implementing channel layering (Meru) to try and address the issue.

We are also planning on being more aggressive at getting rid of student 
installed wireless AP's.

We are considering adding a 5GHz only SSID in the dorms to encourage users to 
use 5 GHz (we do have band steering enabled, but a dedicated SSID would ensure 
that devices only use 5GHz and not fall back to 2.4).

We'll see what happens.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lay, Daniel dl...@samford.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thu, 21 Jul 2011 11:16:29 -0500
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Interference in dorms.

Last year we had several students that would complain about poor wireless 
coverage in their rooms. It was usually followed by the comment that they did 
not have this problem at home or in other areas of the campus. After performing 
various tests and wireless scans I am of the opinion that a good portion of 
these problems were introduced by the students themselves by bringing in 
various devices that emit 2.4 interference. I am curious about how any of you 
guys have addressed this problem and informed the students of these potential 
interferences. Have any of you added a section to orientation that discusses 
the problem of interference and did it have good results. Did any of you do a 
poster campaign with good results or did you issue a Faraday cage to each 
student to store their stuff in (yes that was a joke). I can only see this 
problem getting worse with wireless printers and game consoles that all have a 
potential to cause interference. I am open to any ideas and or suggestions. 
Thanks.

Daniel Lay
Networking Specialist
Samford University



--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579

CIT will never ask for your password or other confidential information via 
email.




Re: [WIRELESS-LAN] 1200 Series AP's on a newer 2960s Cisco switch using POE

2011-08-16 Thread Johnson, Neil M
That's why we only buy the 12-port PowerDsine; the 24-port ones are 
oversubscribed.

We are using Meru AP311's on ours.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Hanset, Philippe C phan...@utk.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Mon, 15 Aug 2011 19:31:06 +
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 1200 Series AP's on a newer 2960s Cisco switch 
using POE

Ken,

(just throwing a flashing experience of our own...)
Does it flash when you connect just one AP-1200 or if you connect many AP-1200?
Switches or Midspan can only handle as much as the power supply can provide.
So if you overload the system it will flash.
We have had that problem when connecting more than 22 Aruba AP-125
to a PowerDsine 24 ports 6000 series Midspan.

Philippe
Univ. of TN

On Aug 15, 2011, at 3:18 PM, Watters, John wrote:

We had a similar problem years ago. We use PowerDsine midspan power inserters 
for our AP power (they come in 6, 12, & 24-port versions so they are cheaper 
than buying power for a whole Cisco switch or blade when only a few ports need 
power; management is also easy via a Web interface). In order for them to power 
the old 1200 APs, we had to buy a special dongle from PowerDsine to make them 
work. You may have the same issue.

Call or write offline if you have any questions about this.


-jcw

-
John Watters    UA: OIT  205-348-3992


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Taillon II, Kendall
Sent: Monday, August 15, 2011 1:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 1200 Series AP's on a newer 2960s Cisco switch using POE

We are in the middle of adding new 2960s Cisco switches to our edge. When 
connecting our old 1200 series AP’s to the switch via POE, the switch interface 
just keeps flashing. Is this because the old AP’s use the old pre-standard 
POE? Our new 1142 series AP’s connect just fine. Is there any way to have the 
older AP’s use the newer POE through the switch port?

Ken Taillon
Network Administrator
Wesleyan University
Middletown, CT
860-685-5657

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] NAT Logging Storage Requirements

2011-11-04 Thread Johnson, Neil M
Any idea how many active NAT translations you have active at a given time ?

Thanks.
-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 11/3/11 4:41 PM, Jason Murray jemur...@zweck.net wrote:

We have a single Linux server running rsyslog collecting all our NAT
translation logs.


We generate up to 5gb of data per hour.   This is for ALL our
firewall/NAT devices (wireless, resnet, etc).   We roll each log file
every hour.   The first 2 logs are kept uncompressed then everything
after that is gzip'ed down to a few hundred MB.

After compression storage is not that bad.  We keep around 30 days of
logs and have plenty of storage with a 1TB array.


Everything is CLI based, you need some grep, sed, awk skills to search
through the log files.   Overall this works out well in our
environment.




On Wed, Nov 2, 2011 at 11:32 AM, Johnson, Neil M neil-john...@uiowa.edu
wrote:
 We are looking at having to move our wireless net's to private address
 space and NAT/PAT ing traffic from the wireless nets to the Internet.


 What are you using to store your NAT logs (Systems, Disk space,
Database)?

 Thanks.
 -Neil

 --
 Neil Johnson
 Network Engineer
 The University of Iowa
 Phone: 319 384-0938
 Fax: 319 335-2951
 Mobile: 319 540-2081
 E-Mail: neil-john...@uiowa.edu

 **
 Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.




-- 
Jason E. Murray
jemur...@zweck.net
http://www.zweck.net/

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
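
The hourly-rolled, partly gzip'ed log layout described in the thread above is usually searched to answer one question: which inside host held a given public IP and port at a given time. The following is an added example, not code from any poster or from a NAT vendor; the file naming, the log line format, the host name fw1 and all addresses are constructed assumptions.

```python
"""Find which inside host owned a NAT/PAT mapping at a given time.

Assumed (constructed) layout: one file per hour named nat-YYYYMMDD-HH.log,
gzip'ed to .log.gz once it ages out, with lines in time order.
"""
import gzip
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed line format; adapt the regex to what your NAT device emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ nat: (?P<action>create|delete) proto=(?P<proto>\w+) "
    r"inside=(?P<inside>[\d.]+):(?P<iport>\d+) "
    r"mapped=(?P<mapped>[\d.]+):(?P<mport>\d+) "
    r"dst=(?P<dst>[\d.]+:\d+)$"
)

# Constructed sample: port 40001 is held by one client across the hourly
# roll, released at 15:10, then handed to a different client at 15:20.
SAMPLE = {
    "nat-20111103-14.log.gz": [
        "2011-11-03T14:50:02 fw1 nat: create proto=tcp inside=10.20.30.40:51515 mapped=192.0.2.10:40001 dst=198.51.100.7:80",
    ],
    "nat-20111103-15.log": [
        "2011-11-03T15:02:11 fw1 nat: create proto=tcp inside=10.20.31.9:40222 mapped=192.0.2.10:40002 dst=198.51.100.7:443",
        "2011-11-03T15:10:00 fw1 nat: delete proto=tcp inside=10.20.30.40:51515 mapped=192.0.2.10:40001 dst=198.51.100.7:80",
        "2011-11-03T15:20:30 fw1 nat: create proto=tcp inside=10.20.99.7:33000 mapped=192.0.2.10:40001 dst=203.0.113.5:25",
    ],
}


def write_sample(log_dir):
    """Write the constructed sample files (plain and gzip) into log_dir."""
    for name, lines in SAMPLE.items():
        opener = gzip.open if name.endswith(".gz") else open
        with opener(Path(log_dir) / name, "wt", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")


def hourly_file(log_dir, hour):
    """Return the plain or gzip'ed log for that hour, or None if missing."""
    base = Path(log_dir) / hour.strftime("nat-%Y%m%d-%H.log")
    for cand in (base, base.with_name(base.name + ".gz")):
        if cand.exists():
            return cand
    return None


def read_lines(path):
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh


def find_owner(log_dir, mapped_ip, mapped_port, when, proto="tcp", lookback_hours=2):
    """Return the translation that held mapped_ip:mapped_port at `when`, else None.

    Walks backwards from the hour of interest, because a long-lived session
    may have been created before the hourly roll. The newest event at or
    before `when` decides: a create names the owner, a delete means the
    port was free (so an older create must not be blamed).
    """
    hour = when.replace(minute=0, second=0, microsecond=0)
    key = (mapped_ip, mapped_port, proto)
    for back in range(lookback_hours + 1):
        path = hourly_file(log_dir, hour - timedelta(hours=back))
        if path is None:
            continue
        last = None
        for line in read_lines(path):
            m = LINE_RE.match(line.strip())
            if not m or (m["mapped"], int(m["mport"]), m["proto"]) != key:
                continue
            ts = datetime.fromisoformat(m["ts"])
            if ts > when:
                break  # lines are in time order; nothing later matters
            last = (ts, m)
        if last is None:
            continue  # mapping untouched in this hour, look further back
        ts, m = last
        if m["action"] == "delete":
            return None
        return {"inside_ip": m["inside"], "inside_port": int(m["iport"]),
                "created": ts, "dst": m["dst"], "source_file": path.name}
    return None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample(d)
        for hhmm in ("15:05", "15:15", "15:25"):
            when = datetime.fromisoformat(f"2011-11-03T{hhmm}:00")
            print(hhmm, find_owner(d, "192.0.2.10", 40001, when))
```

The lookback limit matters for retention planning: a query is only answerable if the hour in which the session was created is still on disk.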


Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2011-12-16 Thread Johnson, Neil M
If we are going to do this, implementing static wide area bonjour entries
seems the way to go.

Thanks for the references, but the one thing I can't find is the format
for the SRV and TXT records for an Apple TV. If anyone has those I'd be
grateful for them, I have an Apple TV device in my hands now, so if
someone has a suggestion on how to reverse engineer them, I'd appreciate
it.


Thanks.
-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 12/16/11 3:31 PM, Jason Healy jhe...@logn.net wrote:

On Dec 16, 2011, at 4:18 PM, Luke Jenkins wrote:

 I forgot to add background reading for anyone else crazy enough to try
to get this working:

We're crazy enough to do all our printer advertisements this way (we're
an all-Apple campus).  We publish a wide-area DNS-SD subdomain and
advertise all our printers there.  We then block all multicast
advertisements from end users to prevent people from sharing their
devices directly.  When Mac users open their printer selection box, all
of our official printers auto-populate into the list.

Haven't tried anything with AppleTVs (don't have any official ones yet),
but if the process is the same then it shouldn't be too hard to do.
We've scripted the creation of the DNS-SD domain from a central set of
config data, and it just barfs out the needed BIND files.

Happy to provide sample records if anyone is interested.

Jason

--
Jason Healy|jhe...@logn.net|   http://www.logn.net/

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
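
The approach described in the thread above, generating the wide-area DNS-SD zone from central config data so that only official devices are advertised, can be sketched as follows. This is an added example, not the poster's script; the browse domain, the printer inventory and the TXT values are constructed assumptions, and the record layout follows RFC 6763.

```python
"""Generate wide-area DNS-SD records (BIND master-file syntax) from an inventory."""

BROWSE_DOMAIN = "dns-sd.example.edu."  # hypothetical subdomain for advertisements

# Constructed inventory; in practice this is the central config data.
PRINTERS = [
    {"name": "Library 2nd Floor", "host": "lib2-print.example.edu.", "port": 631,
     "txt": {"txtvers": "1", "qtotal": "1", "rp": "printers/lib2",
             "ty": "Example Laser", "pdl": "application/postscript"}},
    {"name": "Dr. Smith's Lab", "host": "smith-print.example.edu.", "port": 631,
     "txt": {"txtvers": "1", "qtotal": "1", "rp": "printers/smith"}},
]


def escape_label(text):
    """Escape a service instance name so it stays ONE label in a zone file.

    Dots and backslashes get a backslash; any other byte outside
    [A-Za-z0-9_-] becomes a decimal \\DDD escape (space is \\032).
    """
    raw = text.encode("utf-8")
    if not 0 < len(raw) <= 63:
        raise ValueError(f"instance name must be 1..63 bytes: {text!r}")
    out = []
    for b in raw:
        ch = chr(b)
        if (b < 128 and ch.isalnum()) or ch in "-_":
            out.append(ch)
        elif ch in ".\\":
            out.append("\\" + ch)
        else:
            out.append("\\%03d" % b)
    return "".join(out)


def txt_rdata(pairs):
    """Render key=value pairs as quoted TXT strings, each at most 255 bytes."""
    parts = []
    for key, value in pairs.items():
        item = f"{key}={value}"
        if len(item.encode("utf-8")) > 255:
            raise ValueError(f"TXT string too long: {key}")
        parts.append('"' + item.replace("\\", "\\\\").replace('"', '\\"') + '"')
    return " ".join(parts) if parts else '""'  # DNS-SD still needs a TXT record


def browse_pointers(client_domain):
    """Records for the clients' search domain that point them at BROWSE_DOMAIN."""
    return [f"b._dns-sd._udp.{client_domain} PTR {BROWSE_DOMAIN}",
            f"lb._dns-sd._udp.{client_domain} PTR {BROWSE_DOMAIN}"]


def service_records(printers, service="_ipp._tcp"):
    """PTR/SRV/TXT triplet per device, relative to BROWSE_DOMAIN."""
    lines = [f"$ORIGIN {BROWSE_DOMAIN}", f"_services._dns-sd._udp PTR {service}"]
    seen = set()
    for p in printers:
        if not p["host"].endswith("."):
            raise ValueError(f"SRV target must be a fully qualified name: {p['host']}")
        if not 0 < p["port"] < 65536:
            raise ValueError(f"bad port for {p['name']}")
        inst = f"{escape_label(p['name'])}.{service}"
        if inst.lower() in seen:
            raise ValueError(f"duplicate instance name: {p['name']}")
        seen.add(inst.lower())
        lines.append(f"{service} PTR {inst}")
        lines.append(f"{inst} SRV 0 0 {p['port']} {p['host']}")
        lines.append(f"{inst} TXT {txt_rdata(p['txt'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(browse_pointers("example.edu.") + service_records(PRINTERS)))
```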


Re: [WIRELESS-LAN] Blocking Chatty protocols

2012-03-13 Thread Johnson, Neil M
We don't filter it yet, but Princeton has some pretty good pages with good 
justifications for blocking (or getting users to disable these protocols).

For example:

http://www.net.princeton.edu/filters/ssdp.html

The following link lays out the other protocols they filter.

http://www.net.princeton.edu/filters

-Neil

On Mar 13, 2012, at 7:47 AM, Kellogg, Brian D. wrote:

I’ve blocked SSDP on my LANs and WLAN for a couple years without any issues.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian David
Sent: Tuesday, March 13, 2012 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Blocking Chatty protocols

We were wondering what other schools are doing with these protocols… (SSDP, 
NetBIOS, mDNS, etc.)
I need to make the case for blocking some of these for Faculty/Staff and 
Students… I was wondering about SSDP, for example.
What does it break when blocked? Any feedback would be appreciated.

Brian J David
Network Systems Engineer
Boston College

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] SSID connection order on Mac Devices

2012-03-27 Thread Johnson, Neil M
Pete,

Yes, we have seen the same behavior. Users of Apple devices will frequently get 
put back on our open setup network SSID (UI-Wireless-Setup) because it comes 
alphabetically before our production WPA2 Enterprise Network SSID 
(UI-Wireless-WPA2). The only solution we have come up with is the same (to forget 
the setup network after the user is configured).

That might change this summer if we go ahead with plans to change our SSID's 
around.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Peter P Morrissey ppmor...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Tue, 27 Mar 2012 16:11:48 +
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] SSID connection order on Mac Devices

We have run into problems where Apple devices (apparently more mobile devices 
than laptops) appear to gravitate towards SSID’s that are on top 
alphabetically. It often confuses users who get set up for our preferred 802.1x 
network which should automatically connect and authenticate them. They wind up 
connecting to one of our other networks we use for configuration. The problem 
apparently can be remedied by going into the profiles and “forgetting” the 
network, but this is not something at all intuitive to the average user.

With Windows devices, this same network somehow starts showing up on top, and 
becomes the preferred network and it never seems to be a problem. We never hear 
complaints from Windows users whose network connection starts misbehaving with 
the cause being that they aren’t connecting to the network that they think they 
are connecting to. In fact with the Apple products, you can explicitly connect 
to your preferred network, and even while you are connected it will sometimes 
suddenly change to the network on the top of the list.

I should point out that the other difference is that these networks are also 
non-802.1x networks, so it is certainly possible that the Apple client is 
preferring it for that reason.

I’m wondering if anyone else has seen this behavior?

Pete Morrissey
**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



PacketFence

2012-04-12 Thread Johnson, Neil M
I would be interested in talking to anyone about their experiences using
packetfence (http://www.packetfence.org) to register guest users on their
wireless network.

Thanks.
-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-07-05 Thread Johnson, Neil M
Or maybe a well known blogger could write an article about it…. :-)

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, July 5, 2012 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

...or somehow have everyone on the Educause list sign a petition that gets 
presented to Apple- if you can gain entry into the Bubble of Blissful 
Perfection.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of jkaf...@utica.edu [jkaf...@utica.edu]
Sent: Thursday, July 05, 2012 9:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

Has anyone tried not supporting Bonjour and directing users who complain to 
Apple?  Perhaps if we all did that it would get Apple's attention.

John Kaftan
Infrastructure Manager
Utica College

- Reply message -
From: Andy Voelker avoel...@email.wcu.edu
Date: Thu, Jul 5, 2012 8:23 am
Subject: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.
To: WIRELESS-LAN@listserv.educause.edu

Ours completely denied the existence of a possible issue.  Of course, you could 
see in his eyes that his answer was somewhat forced...

-- Andy Voelker
Manager of Student Computing in the Technology Commons
WCU Staff Senator
Western Carolina University
Check the status of your IT requests at any time at http://help.wcu.edu/ !


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian D.
Sent: Tuesday, July 03, 2012 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

I did and it was less productive than spitting into the wind.  They really 
don't care and have the attitude that the consumer demand will dictate others 
find solutions to their protocol deficiencies.  At least that was my 
impression.  It still befuddles me you just can't plug in a FQDN or IP address 
for Airplay to connect to.

Brian


From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman [lhbad...@syr.edu]
Sent: Tuesday, July 03, 2012 10:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: You knew it was coming...Airplay/Apple TV support for instructors.

Has anyone else attempted to voice concern to their Apple reps about their 
non-business-class features and reliance on Bonjour on these gadgets? I know 
they seem to listen to no one, and given their market share likely feel like 
they don't have to. But is anyone making the attempt to get feedback to Apple?

The thought of architecting around non-standards-based toys just feels 
unpleasant.

-Curious in Syracuse



Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Adjunct Instructor, iSchool

Syracuse University

315 443-3003




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Tuesday, July 03, 2012 10:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

Mike,

For a one off and minimal investment, I would bring up an Open-WRT or DD-WRT AP 
(or any affordable AP that is capable of doing WPA2-enterprise) independent 
from your regular infrastructure and make people join a dedicated subnet for 
that room (use NAT, and WPA2-enterprise).
Connect the Apple TV to the wired port of the AP and broadcast a dedicated SSID.
With WPA2-enterprise joining your RADIUS server you can make it secure.

It is a dirty solution, electromagnetically speaking, but quick.

If the conference room has too many users for one AP, create a dedicated SSID 
just for that conference room on your existing infrastructure and terminate the 
VLAN of that SSID 

Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-07-05 Thread Johnson, Neil M
How is this for a start :-)

Whereas, we the undersigned academic and research institutions are
receiving numerous requests from our faculty, staff, and students for the
ability to utilize Airplay technology in classrooms, conference rooms, and
other locations, hereby solemnly request that Apple provide support for
Airplay technology in enterprise wireless networks.

Failure to provide this support severely limits the usefulness (and
desirability) of Apple products in our institutions.

At your earliest convenience please provide us with a roadmap for support
of Airplay and related technologies in enterprise wireless environments.

Thank you.

-

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 7/5/12 1:47 PM, Watters, John john.watt...@ua.edu wrote:

I bet if you would write something up we could get signatures from just
about every college and university. Do you have time to work up a short
document that could be passed around on this list (and to others
interested in this subject)?

We need to convince (or coerce) Apple into playing nice in the enterprise
space with all of their products.



-jcw

John Watters    UA: OIT    205-348-3992


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, July 05, 2012 1:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

You mean a good-looking, man-of-action blogger? Hmmm. Let me call the
agency, see if they have anyone on staff.


I was thinking more like a couple of hundred well-known institutions of
higher Ed all signing the same doc.




Lee H. Badman
Wireless/Network Engineer, ITS
Adjunct Instructor, iSchool
Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Johnson, Neil M
[neil-john...@uiowa.edu]
Sent: Thursday, July 05, 2012 1:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

Or maybe a well known blogger could write an article about it.. :-)

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, July 5, 2012 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

...or somehow have everyone on the Educause list sign a petition that
gets presented to Apple- if you can gain entry into the Bubble of
Blissful Perfection.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of jkaf...@utica.edu [jkaf...@utica.edu]
Sent: Thursday, July 05, 2012 9:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

Has anyone tried not supporting Bonjour and directing users who complain
to Apple?  Perhaps if we all did that it would get Apple's attention.

John Kaftan
Infrastructure Manager
Utica College

- Reply message -
From: Andy Voelker avoel...@email.wcu.edu
Date: Thu, Jul 5, 2012 8:23 am
Subject: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.
To: WIRELESS-LAN@listserv.educause.edu

Ours completely denied the existence of a possible issue.  Of course, you
could see in his eyes that his answer was somewhat forced...

-- Andy Voelker
Manager of Student Computing in the Technology Commons
WCU Staff Senator
Western Carolina University
Check the status of your IT requests at any time at http://help.wcu.edu/ !


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian D.
Sent: Tuesday, July 03, 2012 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

I did and it was less productive than spitting into the wind.  They
really don't care

Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)

2012-07-05 Thread Johnson, Neil M
(I'm a little fuzzy on the specific things to request from Apple, but here is a 
first pass):


Whereas, we the undersigned academic and research institutions are receiving 
numerous requests from our faculty, staff, and students for the ability to 
utilize Airplay technology in classrooms, conference rooms, and other 
locations, hereby solemnly request that Apple provide support for Airplay 
technology in enterprise wireless networks.


Specifically, we request the following (in order of priority):

  *   That Apple establish a way for the Apple TV (and other Airplay enabled 
devices) to be discoverable across multiple IPv4 and IPv6 subnets or lacking 
that:
  *   That Apple establish a way for the Apple TV (and other Airplay enabled 
devices) to be easily statically configured to be accessible across multiple 
IPv4 and IPv6 subnets
  *   That the Apple TV support Enterprise Wireless Encryption and 
Authentication (WPA2-Enterprise)
  *   That authentication to the Apple TV be able to utilize enterprise 
authentication services (LDAP and/or AD)

Failure to provide this support severely limits the usefulness (and 
desirability) of Apple products in our institutions.



At your earliest convenience please provide us with a roadmap for support of 
Airplay and related technologies in enterprise wireless environments.



Thank you.

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Watters, John john.watt...@ua.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, July 5, 2012 2:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.


Whereas, we the undersigned academic and research institutions are
receiving numerous requests from our faculty, staff, and students for the
ability to utilize Airplay technology in classrooms, conference rooms, and
other locations, hereby solemnly request that Apple provide support for
Airplay technology in enterprise wireless networks.

Failure to provide this support severely limits the usefulness (and
desirability) of Apple products in our institutions.

At your earliest convenience please provide us with a roadmap for support
of Airplay and related technologies in enterprise wireless environments.

Thank you.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)

2012-07-06 Thread Johnson, Neil M
, a courtesy inquiry to Phillipe over whether he sees this as 
prudent list of the group is probably in order.

Say, Phillipe- do you see this as prudent use of the list?

Thanks,

Lee


Lee H. Badman
Wireless/Network Engineer, ITS
Adjunct Instructor, iSchool
Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Curtis K. Larsen [curtis.k.lar...@utah.edu]
Sent: Thursday, July 05, 2012 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)

You should add fast-roaming to the list.  No Mac or iOS device supports
fast roaming with Opportunistic Key Caching.  They can do PMK Sticky,
but it is not the same as OKC.  With Sticky, it is only fast when you
roam back to an AP you've been on, and the client can only cache up to 8
AP's.


Curtis Larsen
Wireless Network Engineer
University of Utah
801-587-1313


On 07/05/2012 02:46 PM, Lee H Badman wrote:
 Pretty much what I was thinking (ballpark) with all Educause schools 
 individually signed on. May not amount to anything, but would in itself be 
 media fodder.

 Lee H. Badman
 Wireless/Network Engineer, ITS
 Adjunct Instructor, iSchool
 Syracuse University
 315.443.3003
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Johnson, Neil M [neil-john...@uiowa.edu]
 Sent: Thursday, July 05, 2012 3:37 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)


 (I'm a little fuzzy on the specific things to request from Apple, but here is 
 a first pass):


 Whereas, we the undersigned academic and research institutions are receiving 
 numerous requests from our faculty, staff, and students for the ability to 
 utilize Airplay technology in classrooms, conference rooms, and other 
 locations, hereby solemnly request that Apple provide support for Airplay 
 technology in enterprise wireless networks.


 Specifically, we request the following (in order of priority):

*   That Apple establish a way for the Apple TV (and other Airplay enabled 
 devices) to be discoverable across multiple IPv4 and IPv6 subnets or lacking 
 that:
*   That Apple establish a way for the Apple TV (and other Airplay enabled 
 devices) to be easily statically configured to be accessible across multiple 
 IPv4 and IPv6 subnets
*   That the Apple TV support Enterprise Wireless Encryption and 
 Authentication (WPA2-Enterprise)
*   That authentication to the Apple TV be able to utilize enterprise 
 authentication services (LDAP and/or AD)

 Failure to provide this support severely limits the usefulness (and 
 desirability) of Apple products in our institutions.



 At your earliest convenience please provide us with a roadmap for support of 
 Airplay and related technologies in enterprise wireless environments.



 Thank you.

 --
 Neil Johnson
 Network Engineer
 The University of Iowa
 Phone: 319 384-0938
 Fax: 319 335-2951
 Mobile: 319 540-2081
 E-Mail: neil-john...@uiowa.edu


 From: Watters, John john.watt...@ua.edu
 Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Date: Thursday, July 5, 2012 2:23 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.


 Whereas, we the undersigned academic and research institutions are
 receiving numerous requests from our faculty, staff, and students for the
 ability to utilize Airplay technology in classrooms, conference rooms, and
 other locations, hereby solemnly request that Apple provide support for
 Airplay technology in enterprise wireless networks.

 Failure to provide this support severely limits the usefulness (and
 desirability) of Apple products in our institutions.

 At your earliest convenience

Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)

2012-07-06 Thread Johnson, Neil M
@LISTSERV.EDUCAUSE.EDU] on behalf of Mike King [m...@mpking.com]
Sent: Friday, July 06, 2012 7:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)

One more thing.

I think use of an online petition tool might help things out organizationally.

http://www.change.org/petition


there are others, that was the first Google result.

Mike

On Thu, Jul 5, 2012 at 5:12 PM, Lee H Badman lhbad...@syr.edu wrote:
So... two thoughts. Perhaps give it another week for people to chime in with 
their gripes and let the list discuss them? Then perhaps digital signatures- 
DocuSign is free and elegant.

I guess also, a courtesy inquiry to Phillipe over whether he sees this as 
prudent list of the group is probably in order.

Say, Phillipe- do you see this as prudent use of the list?

Thanks,

Lee


Lee H. Badman
Wireless/Network Engineer, ITS
Adjunct Instructor, iSchool
Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Curtis K. Larsen [curtis.k.lar...@utah.edu]
Sent: Thursday, July 05, 2012 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)

You should add fast-roaming to the list.  No Mac or iOS device supports
fast roaming with Opportunistic Key Caching.  They can do PMK Sticky,
but it is not the same as OKC.  With Sticky, it is only fast when you
roam back to an AP you've been on, and the client can only cache up to 8
AP's.


Curtis Larsen
Wireless Network Engineer
University of Utah
801-587-1313


On 07/05/2012 02:46 PM, Lee H Badman wrote:
 Pretty much what I was thinking (ballpark) with all Educause schools 
 individually signed on. May not amount to anything, but would in itself be 
 media fodder.

 Lee H. Badman
 Wireless/Network Engineer, ITS
 Adjunct Instructor, iSchool
 Syracuse University
 315.443.3003
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Johnson, Neil M [neil-john...@uiowa.edu]
 Sent: Thursday, July 05, 2012 3:37 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)


 (I'm a little fuzzy on the specific things to request from Apple, but here is 
 a first pass):


 Whereas, we the undersigned academic and research institutions are receiving 
 numerous requests from our faculty, staff, and students for the ability to 
 utilize Airplay technology in classrooms, conference rooms, and other 
 locations, hereby solemnly request that Apple provide support for Airplay 
 technology in enterprise wireless networks.


 Specifically, we request the following (in order of priority):

*   That Apple establish a way for the Apple TV (and other Airplay enabled 
 devices) to be discoverable across multiple IPv4 and IPv6 subnets or lacking 
 that:
*   That Apple establish a way for the Apple TV (and other Airplay enabled 
 devices) to be easily statically configured to be accessible across multiple 
 IPv4 and IPv6 subnets
*   That the Apple TV support Enterprise Wireless Encryption and 
 Authentication (WPA2-Enterprise)
*   That authentication to the Apple TV be able to utilize enterprise 
 authentication services (LDAP and/or AD)

 Failure to provide this support severely limits the usefulness (and 
 desirability) of Apple products in our institutions.



 At your earliest convenience please provide us with a roadmap for support of 
 Airplay and related technologies in enterprise wireless environments.



 Thank you.

 --
 Neil Johnson
 Network Engineer
 The University of Iowa
 Phone: 319 384-0938
 Fax: 319 335-2951
 Mobile: 319 540-2081
 E-Mail: neil-john...@uiowa.edu


 From: Watters, John john.watt...@ua.edu
 Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Date: Thursday, July 5, 2012 2:23 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: [WIRELESS-LAN] Apple TV/Wide Area Bonjour question

2012-07-06 Thread Johnson, Neil M
I thought it was the MAC address of the particular device, but yours is
longer than that. Curious.

(One of the reasons we didn't want to use Wide-Area Bonjour for this).

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 7/6/12 3:36 PM, Cheryl-Anne Juba cj...@umd.edu wrote:

Good afternoon --

I had a question about how you setup Wide Area Bonjour -- in your example
below you listed a dns record for _appletv-v2._tcp:

35CF2488F02660B1._appletv-v2._tcp   SRV 0 0 3689 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host
35CF2488F02660B1._appletv-v2._tcp   TXT txtvers=1 hG=-06f6-4f5d-0171-0bcc51d34d14 MniT=167845888 fs=2 Name=utnet-appletv PrVs=65538 DFID=2 EiTS=1 MiTPV=196611

What is the number prefixing the ._appletv-v2._tcp?  Is that the serial
number of the unit?

Thanks for your help!

Cheryl-Anne Juba
Senior Network Engineer
Division of Information Technology
University of Maryland
301-405-3042


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Oscar Ricardo
Silva
Sent: Tuesday, December 20, 2011 7:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

As with many of you, I've been tasked with the same thing.  I manage the
DNS servers so initially tried it with static entries.  That didn't quite
work so I then setup another server that allowed for dynamic updates.
That didn't work either.  After basically sniffing traffic between the
Apple TV and other devices I was able to figure out the required records.
 And after that I found the magical dns-sd command:

dns-sd -Z _appletv-v2._tcp

that would spit out the exact records (in BIND format) that are needed.
  It seems that if you do a man on dns-sd you don't get all the actual
options.

Anyway, the important thing here is that I spoke with an Apple engineer
and he said Apple specifically disabled streaming to/from an Apple TV.
This was a concession they made to content providers and that no amount
of DNS records or search domains would allow the Apple TV to be
contacted/used from another network.

In case anyone is interested, here's the records I gleaned from the Apple
TV:

$ORIGIN bonjour.utexas.edu.

_airplay._tcp  PTR utnet-appletv._airplay._tcp

utnet-appletv._airplay._tcp  SRV 0 0 7000 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

utnet-appletv._airplay._tcp  TXT deviceid=28:E7:CF:DB:6E:E0 features=0x39f7 model=AppleTV2,1 pw=1 srcvers=120.2


_raop._tcp  PTR 28E7CFDB6EE0@utnet-appletv._raop._tcp

28E7CFDB6EE0@utnet-appletv._raop._tcp  SRV 0 0 49152 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

28E7CFDB6EE0@utnet-appletv._raop._tcp  TXT txtvers=1 ch=2 cn=0,1,2,3 da=true et=0,3 md=0,1,2 pw=true sv=false sr=44100 ss=16 tp=UDP vn=65537 vs=120.2 am=AppleTV2,1 sf=0x4


_appletv-v2._tcp  PTR 35CF2488F02660B1._appletv-v2._tcp

35CF2488F02660B1._appletv-v2._tcp  SRV 0 0 3689 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host
35CF2488F02660B1._appletv-v2._tcp  TXT txtvers=1 hG=-06f6-4f5d-0171-0bcc51d34d14 MniT=167845888 fs=2 Name=utnet-appletv PrVs=65538 DFID=2 EiTS=1 MiTPV=196611


_sleep-proxy._udp  PTR 70-35-60-63\032utnet-appletv._sleep-proxy._udp

70-35-60-63\032utnet-appletv._sleep-proxy._udp  SRV 0 0 55597 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

70-35-60-63\032utnet-appletv._sleep-proxy._udp  TXT 



Oscar Ricardo Silva
The University of Texas at Austin



On 12/20/2011 06:12 PM, Oscar Ricardo Silva wrote:


 Subject: Re: You knew it was coming...Airplay/Apple TV support for
 instructors.
 From: Johnson, Neil M neil-john...@uiowa.edu
 Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Date: Mon, 19 Dec 2011 18:34:42 +
 Content-Type: text/plain
 Parts/Attachments:

 text/plain (166 lines)


 Thanks.

 Now I just have to convince our DNS admins to at least try it out :-).

 I'm concerned about how scalable any solution is from a DNS (and
 device
 support) aspect.

 -Neil


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
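The records quoted in the message above can be checked mechanically. The following is an added example, not code from any poster on the list: it parses the one-record-per-line subset of BIND syntax shown above, flags MAC addresses published in TXT data and instance labels derived from them, and compares a stored zone against a fresh `dns-sd -Z` capture to find TXT fields that have changed. The function names, the re-joined sample and the "999.9" version string are constructed for illustration.

```python
import re

# Constructed sample: the records quoted in the thread, re-joined one per line.
ZONE_STATIC = r"""
$ORIGIN bonjour.utexas.edu.
_airplay._tcp PTR utnet-appletv._airplay._tcp
utnet-appletv._airplay._tcp SRV 0 0 7000 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host
utnet-appletv._airplay._tcp TXT deviceid=28:E7:CF:DB:6E:E0 features=0x39f7 model=AppleTV2,1 pw=1 srcvers=120.2
_raop._tcp PTR 28E7CFDB6EE0@utnet-appletv._raop._tcp
28E7CFDB6EE0@utnet-appletv._raop._tcp SRV 0 0 49152 utnet-appletv.bonjour.utexas.edu.
28E7CFDB6EE0@utnet-appletv._raop._tcp TXT txtvers=1 ch=2 cn=0,1,2,3 da=true et=0,3 md=0,1,2 pw=true sv=false sr=44100 ss=16 tp=UDP vn=65537 vs=120.2 am=AppleTV2,1 sf=0x4
_appletv-v2._tcp PTR 35CF2488F02660B1._appletv-v2._tcp
35CF2488F02660B1._appletv-v2._tcp SRV 0 0 3689 utnet-appletv.bonjour.utexas.edu.
35CF2488F02660B1._appletv-v2._tcp TXT txtvers=1 hG=-06f6-4f5d-0171-0bcc51d34d14 MniT=167845888 fs=2 Name=utnet-appletv PrVs=65538 DFID=2 EiTS=1 MiTPV=196611
_sleep-proxy._udp PTR 70-35-60-63\032utnet-appletv._sleep-proxy._udp
70-35-60-63\032utnet-appletv._sleep-proxy._udp SRV 0 0 55597 utnet-appletv.bonjour.utexas.edu.
70-35-60-63\032utnet-appletv._sleep-proxy._udp TXT
"""

# Constructed second capture: the same device after a hypothetical software
# update ("999.9" is a made-up version string, not a real release).
ZONE_FRESH = ZONE_STATIC.replace("120.2", "999.9")

MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)


def parse_records(text):
    """Return {instance: {"ptr": bool, "srv": (port, target) or None, "txt": dict or None}}.

    Handles only the syntax seen in the thread: one record per line,
    ';' comments, unquoted (or simply quoted) key=value TXT tokens.
    """
    instances = {}

    def entry(name):
        return instances.setdefault(name, {"ptr": False, "srv": None, "txt": None})

    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop zone-file comments
        if not line or line.startswith("$"):      # skip blanks and $ORIGIN
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        owner, rtype = parts[0], parts[1].upper()
        rdata = parts[2] if len(parts) > 2 else ""
        if rtype == "PTR":
            entry(rdata)["ptr"] = True            # PTR rdata names the instance
        elif rtype == "SRV":
            _prio, _weight, port, target = rdata.split()
            entry(owner)["srv"] = (int(port), target)
        elif rtype == "TXT":
            pairs = (tok.strip('"').partition("=") for tok in rdata.split())
            entry(owner)["txt"] = {k: v for k, _, v in pairs if k}
    return instances


def audit(instances):
    """List (instance, finding, detail) tuples worth a DNS admin's attention."""
    macs = {v.replace(":", "").upper()
            for rec in instances.values()
            for v in (rec["txt"] or {}).values() if MAC_RE.match(v)}
    findings = []
    for name, rec in sorted(instances.items()):
        present = (("PTR", rec["ptr"]), ("SRV", rec["srv"]), ("TXT", rec["txt"] is not None))
        missing = [rtype for rtype, ok in present if not ok]
        if missing:                               # an instance needs all three
            findings.append((name, "incomplete", ",".join(missing)))
        for key, value in (rec["txt"] or {}).items():
            if MAC_RE.match(value):               # hardware address published in DNS
                findings.append((name, "mac-in-txt", key))
        prefix = name.split(".", 1)[0].split("@", 1)[0].upper()
        if prefix in macs:                        # label is the deviceid without colons
            findings.append((name, "label-is-deviceid", prefix))
    return findings


def txt_drift(stored, fresh):
    """Return {instance: {key: (stored_value, fresh_value)}} for changed TXT keys."""
    drift = {}
    for name in stored.keys() & fresh.keys():
        old, new = stored[name]["txt"] or {}, fresh[name]["txt"] or {}
        changed = {k: (old.get(k), new.get(k))
                   for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
        if changed:
            drift[name] = changed
    return drift


if __name__ == "__main__":
    stored = parse_records(ZONE_STATIC)
    for finding in audit(stored):
        print(finding)
    for name, keys in sorted(txt_drift(stored, parse_records(ZONE_FRESH)).items()):
        print("stale TXT:", name, keys)
```

On the thread's records the audit ties the `_raop._tcp` label to the `deviceid` MAC, while the `_appletv-v2._tcp` label matches nothing else in the record set.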


Re: [WIRELESS-LAN] Apple Petition

2012-07-09 Thread Johnson, Neil M
How does this sound for an update (The latest is posted on the Facebook site):


We the undersigned academic and research institutions hereby solemnly request 
that Apple provide support for Bonjour/Airplay technology in enterprise 
networks.



With an Apple client device penetration of 50% or more on the typical campus, 
this amounts to thousands of Apple client devices whose owners desire to use 
their Apple TV and other Bonjour/Airplay based devices in classrooms, 
conference rooms, and in other locations on standards-based, enterprise-secure 
networks.



Specifically, we request the following (in order of priority):



  *   That Apple establish a way for  Apple TV's (and other Bonjour/Airplay 
enabled devices) be accessible across multiple IPv4 and IPv6 sub-nets.
  *   That the Apple TV support Enterprise Wireless Encryption and 
Authentication (WPA2-Enterprise).
  *   That authentication to the Apple TV be able to utilize enterprise 
Authentication, Authorization, and Accounting (AAA) services.



Any enterprise Bonjour/Airplay solution needs to meet the following criteria:



  *   It must scale to 100's-1000's of Bonjour/Airplay enabled devices.
  *   It must work with wired and wireless networks from different vendors.
  *   It must not significantly negatively impact network traffic (wired and 
wireless).
  *   It must be easily manageable at scale.
  *   If it requires a separate hardware solution, that the solution must be 
enterprise grade (rack mountable, dual power supplies, etc.)
  *   It must be provided at a reasonable cost



Failure to provide this support severely limits the usefulness (and 
desirability) of Apple products in our institutions.



At your earliest convenience please provide us with a road map for support of 
Bonjour/Airplay and related technologies in enterprise network environments.



Thank you.

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Monday, July 9, 2012 7:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

I would also offer that the beginning narrative includes something to the 
effect of “with Apple client device penetration of 50% or more on the typical 
campus environment, amounting to thousands of Apple client devices per campus 
with the desire to use their AppleTV and other Bonjour/Airplay based devices on 
standards-based, enterprise-secure wireless networks…” sort of thing showing 
scale of issue and that we simply want the gadgets to play by standards and 
enterprise methods.


-Lee


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Voll, Toivo
Sent: Friday, July 06, 2012 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

Also, for me, the lack of support for WPA2-Enterprise is a head-scratcher. If 
they go through the trouble of supporting the rest of the encryption schemes, 
and obviously support it on a bunch of their other products, why randomly leave 
it out of some products? I’d prioritize that a bit more, personally.

--
Toivo Voll
Network Engineer
Information Technology Communications
University of South Florida






Re: [WIRELESS-LAN] Apple Petition

2012-07-09 Thread Johnson, Neil M


First, I'm not beholden to the text of the petition.  If someone has 
suggestions for improving it, or re-writing it. I'm listening.

Second, What would be the best way to collect official signatures to the 
petition ?

Third, should we be engaging EDUCAUSE to see if they would publish an official 
press-release ?

Thanks.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Kellogg, Brian D. bkell...@sbu.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Monday, July 9, 2012 9:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

Nice and thank you

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, July 09, 2012 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Apple Petition

Looking better. If we can get this to gel, and to the point where the majority 
of the schools sign on in a form that we can each present to our Apple reps (or 
however it gets to Apple), I have clearance to cover it for Network Computing 
Magazine for a bit of press.

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Monday, July 09, 2012 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

How does this sound for an update (The latest is posted on the Facebook site):


We the undersigned academic and research institutions hereby solemnly request 
that Apple provide support for Bonjour/Airplay technology in enterprise 
networks.



With an Apple client device penetration of 50% or more on the typical campus, 
this amounts to thousands of Apple client devices whose owners desire to use 
their Apple TV and other Bonjour/Airplay based devices in classrooms, 
conference rooms, and in other locations on standards-based, enterprise-secure 
networks.



Specifically, we request the following (in order of priority):



  *   That Apple establish a way for  Apple TV's (and other Bonjour/Airplay 
enabled devices) be accessible across multiple IPv4 and IPv6 sub-nets.
  *   That the Apple TV support Enterprise Wireless Encryption and 
Authentication (WPA2-Enterprise).
  *   That authentication to the Apple TV be able to utilize enterprise 
Authentication, Authorization, and Accounting (AAA) services.



Any enterprise Bonjour/Airplay solution needs to meet the following criteria:



  *   It must scale to 100's-1000's of Bonjour/Airplay enabled devices.
  *   It must work with wired and wireless networks from different vendors.
  *   It must not significantly negatively impact network traffic (wired and 
wireless).
  *   It must be easily manageable at scale.
  *   If it requires a separate hardware solution, that the solution must be 
enterprise grade (rack mountable, dual power supplies, etc.)
  *   It must be provided at a reasonable cost



Failure to provide this support severely limits the usefulness (and 
desirability) of Apple products in our institutions.



At your earliest convenience please provide us with a road map for support of 
Bonjour/Airplay and related technologies in enterprise network environments.



Thank you.
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Monday, July 9, 2012 7:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

I would also offer that the beginning narrative includes something to the 
effect of “with Apple client device penetration of 50% or more on the typical 
campus environment, amounting to thousands of Apple client devices per campus 
with the desire to use their AppleTV and other Bonjour/Airplay based devices on 
standards-based, enterprise-secure wireless networks…” sort of thing showing 
scale of issue and that we simply want the gadgets to play by standards and 
enterprise methods.


-Lee


From: The EDUCAUSE

Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-07-10 Thread Johnson, Neil M
From an administrator's perspective:

I unpack the Apple TV,  connect it to the wired network and projector, 
configure it to register with a central directory, give it a name,  enable 
authentication to the enterprise AAA service, and be done.

From an end-user's standpoint I'd like to see the following scenario:

I walk into a class room/conference room/auditorium, pull out my iPad/Mac 
Book/iPhone, connect to the wireless network with my user id and password, pull 
up a list of Airplay devices (possibly with subcategories for buildings), 
select the Airplay device I want to connect to, Authenticate to the device, and 
start mirroring my display.

Sounds simple, doesn't it.

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Tuesday, July 10, 2012 8:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

I have read this, and as well done of a document that it is, I'd still prefer 
not to have to adopt a new architecture and pre-share based network for one-off 
devices as opposed to having those devices work on a standards-based typical 
WLAN if there is an easier (for everyone) way.

I would encourage anyone interested in pressing the Apple with Cisco to also 
approach their CIOs to gauge their interest/support. At the encouragement of my 
own CIO who backs the initiative (assuming the petition is well-done and not 
frivolous), there will be overtures made to the CIO Educause list as well once 
the petition draft is locked in to final form.



Lee H. Badman
Wireless/Network Engineer, ITS
Adjunct Instructor, iSchool
Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeffrey Sessler 
[j...@scrippscollege.edu]
Sent: Monday, July 09, 2012 5:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

I posted this before, but here is the Cisco Apple Bonjour Deployment Guide.  It 
contains a lot of great information as well as a method to allow use of AppleTV 
access across multiple VLANs using a single Multicast VLAN (part of VLAN 
select).

Jeff

 On Tuesday, July 03, 2012 at 6:06 AM, in message 
 CANtPpk420_nAraEeOqnC=d6ckj2ujkk+=t5_hsu0q4_jxrc...@mail.gmail.com, 
 Mike King m...@mpking.com wrote:
So I have Cisco Wireless, and I've just been asked to make Airplay work in a 
conference room. We do not have multicast enabled (anywhere).

Asking for details, I've been told it's only this one conference room. (I 
someone believe this, as it's the only one that has a projector that gets any 
use)

Suggestions for this as a one off? I have ideas on what to do for a campus 
wide deployment, but that will take me significantly longer to deploy, and my 
boss is asking me to have this done this week.

Right now, we have a single WPA2/enterprise SSID, and the apple TV will most 
likely be wired (not required)

Mike



Re: [WIRELESS-LAN] Apple Petition

2012-07-10 Thread Johnson, Neil M
We looked into DNS-SD, but with entries like this (example taken from an 
earlier e-mail from Oscar Silva at the Univ. of Texas, and confirmed by our 
own testing):


_airplay._tcp  PTR utnet-appletv._airplay._tcp

utnet-appletv._airplay._tcp  SRV 0 0 7000 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

utnet-appletv._airplay._tcp  TXT deviceid=28:E7:CF:DB:6E:E0 features=0x39f7 model=AppleTV2,1 pw=1 srcvers=120.2


_raop._tcp  PTR 28E7CFDB6EE0@utnet-appletv._raop._tcp

28E7CFDB6EE0@utnet-appletv._raop._tcp  SRV 0 0 49152 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

28E7CFDB6EE0@utnet-appletv._raop._tcp  TXT txtvers=1 ch=2 cn=0,1,2,3 da=true et=0,3 md=0,1,2 pw=true sv=false sr=44100 ss=16 tp=UDP vn=65537 vs=120.2 am=AppleTV2,1 sf=0x4


_appletv-v2._tcp  PTR 35CF2488F02660B1._appletv-v2._tcp

35CF2488F02660B1._appletv-v2._tcp  SRV 0 0 3689 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

35CF2488F02660B1._appletv-v2._tcp  TXT txtvers=1 hG=-06f6-4f5d-0171-0bcc51d34d14 MniT=167845888 fs=2 Name=utnet-appletv PrVs=65538 DFID=2 EiTS=1 MiTPV=196611


_sleep-proxy._udp  PTR 70-35-60-63\032utnet-appletv._sleep-proxy._udp

70-35-60-63\032utnet-appletv._sleep-proxy._udp  SRV 0 0 55597 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

70-35-60-63\032utnet-appletv._sleep-proxy._udp  TXT 




required for every Apple TV (and no direction from Apple on what 
entries/fields are actually required) our DNS admins were ready with pitch 
forks and torches if we attempted to saddle them with the responsibility of 
trying to maintain records for 100's of such devices (not to mention printers, 
etc.).

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Garry Peirce pei...@maine.edu
Reply-To: pei...@maine.edu
Date: Tuesday, July 10, 2012 10:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

I’m in support of the collective request to help enable further operational 
flexibility, although also not sure Apple will feel enough pressure to assist.

To the first item:  ‘That Apple establish a way for  Apple TV's (and other 
Bonjour/Airplay enabled devices) be accessible across multiple IPv4 and IPv6 
sub-nets.”
Isn’t this item solved to a degree by wide area DNS-SD?
If not, I assume this is left open to solve by either making it use a routable 
mcast addr or by creating some non-standard solution.

Controls will be needed to make sense of all the advertised services and 
possibly for security/privacy reasons.
I would think navigating a large Bonjour enabled subnet for a production 
service must be an ugly exercise - nevermind if enabled to pass L2 boundaries.
Who remembers those IPX service filtering ACLs?  Request #2 might soon follow 
to network vendors to be able to support Bonjour service filtering.

For production services, wide area DNS-SD seems a better tool to me, as opposed 
to using the wild west of zeroconf end device advertisements or some special 
hardware solution.  We’ve trialed it (static entries) for printing and it seems 
to work well.
This leverages our existing DNS infrastructure, allows for control of the 
advertised entries, and a uniform naming convention making it easier to 
identify the service.
One could also opt to block 224.0.0.251 altogether, if there is concern about 
unnecessary device traffic.

So in tandem to supporting this request, I’d also be interested in anyone’s 
recap of their wide area DNS-SD (WAB) environment, the services being 
advertised , how it is scaling, and any major stumbling blocks.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, July 09, 2012 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

Please consider this- as we get to the point where we have an agreed on 
document, say by this Friday, and we find an online petition site to use where 
individuals can sign on in whatever form that takes before we close the 
signing window and present it to Apple- are each one of us able to do so on 
behalf of our institutions or organizations? If you need to seek permission, 
now is the time. If a CIO or Director is the only one allowed to make such 
public-facing declarations on behalf of your school/or org, it would be good to 
start working the notion. Ideally, no one would overstep their position by 
jumping on this worthy endeavor.

Lee H. Badman

Re: [WIRELESS-LAN] Apple Petition

2012-07-10 Thread Johnson, Neil M
This is where I have been keeping the latest draft.

https://www.facebook.com/groups/enterpriseairplay/files/

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Jesse Rink jesse-r...@wi.rr.com
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Tuesday, July 10, 2012 5:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

All this chat about the Apple Petition yet I don’t seem to find a link for it 
anywhere?  Did I miss this in past messages?  Can’t seem to locate anything..

Thanks
J


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Garry Peirce
Sent: Tuesday, July 10, 2012 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

I’m in support of the collective request to help enable further operational 
flexibility, although also not sure Apple will feel enough pressure to assist.

To the first item:  ‘That Apple establish a way for  Apple TV's (and other 
Bonjour/Airplay enabled devices) be accessible across multiple IPv4 and IPv6 
sub-nets.”
Isn’t this item solved to a degree by wide area DNS-SD?
If not, I assume this is left open to solve by either making it use a routable 
mcast addr or by creating some non-standard solution.

Controls will be needed to make sense of all the advertised services and 
possibly for security/privacy reasons.
I would think navigating a large Bonjour enabled subnet for a production 
service must be an ugly exercise - nevermind if enabled to pass L2 boundaries.
Who remembers those IPX service filtering ACLs?  Request #2 might soon follow 
to network vendors to be able to support Bonjour service filtering.

For production services, wide area DNS-SD seems a better tool to me, as opposed 
to using the wild west of zeroconf end device advertisements or some special 
hardware solution.  We’ve trialed it (static entries) for printing and it seems 
to work well.
This leverages our existing DNS infrastructure, allows for control of the 
advertised entries, and a uniform naming convention making it easier to 
identify the service.
One could also opt to block 224.0.0.251 altogether, if there is concern about 
unnecessary device traffic.

So in tandem to supporting this request, I’d also be interested in anyone’s 
recap of their wide area DNS-SD (WAB) environment, the services being 
advertised , how it is scaling, and any major stumbling blocks.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, July 09, 2012 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

Please consider this- as we get to the point where we have an agreed on 
document, say by this Friday, and we find an online petition site to use where 
individuals can sign on in whatever form that takes before we close the 
signing window and present it to Apple- are each one of us able to do so on 
behalf of our institutions or organizations? If you need to seek permission, 
now is the time. If a CIO or Director is the only one allowed to make such 
public-facing declarations on behalf of your school/or org, it would be good to 
start working the notion. Ideally, no one would overstep their position by 
jumping on this worthy endeavor.

Lee H. Badman
Wireless Architect/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Andy Voelker
Sent: Monday, July 09, 2012 12:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

That confuses me as well.  It is obviously built in to many other iOS devices 
(iPod Touch, iPad) and has been for some time.  Why the change?  I suspect it 
just due to the GUI difference.  If so, that’s easily fixable.

-- Andy Voelker
Manager of Student Computing in the Technology Commons
WCU Staff Senator
Western Carolina University
Check the status of your IT requests at any time at http://help.wcu.edu/ !

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Voll, Toivo
Sent: Friday, July 06, 2012 1:28 PM
To: 

Re: [WIRELESS-LAN] Apple Petition

2012-07-10 Thread Johnson, Neil M

My concern is that certain fields appear to contain dynamic information like 
the software version (see srcvers=120.2) and other information (what does 
35CF2488F02660B1 mean ?).

The only way it seems to collect this information is to connect the device to 
local net, run Bonjour Browser or run dns-sd -Z command on a Mac and copy and 
paste results into your DNS configs.

If certain data is dynamic then, you are out of luck.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Joel Coehoorn jcoeho...@york.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Tuesday, July 10, 2012 7:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

If those entries work, and are all that is needed, then we're not far from full 
support. It seems like we could get a tool or set of scripts to automate 
creating/modifying the needed records.

Sent from my iPad

On Jul 10, 2012, at 7:11 PM, Johnson, Neil M 
neil-john...@uiowa.edu wrote:

We looked into DNS-SD, but with entries like this (example taken from an 
earlier e-mail from Oscar Silva at the Univ. of Texas, and confirmed by our 
own testing):


_airplay._tcp  PTR utnet-appletv._airplay._tcp

utnet-appletv._airplay._tcp  SRV 0 0 7000 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

utnet-appletv._airplay._tcp  TXT deviceid=28:E7:CF:DB:6E:E0 features=0x39f7 model=AppleTV2,1 pw=1 srcvers=120.2


_raop._tcp  PTR 28E7CFDB6EE0@utnet-appletv._raop._tcp

28E7CFDB6EE0@utnet-appletv._raop._tcp  SRV 0 0 49152 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

28E7CFDB6EE0@utnet-appletv._raop._tcp  TXT txtvers=1 ch=2 cn=0,1,2,3 da=true et=0,3 md=0,1,2 pw=true sv=false sr=44100 ss=16 tp=UDP vn=65537 vs=120.2 am=AppleTV2,1 sf=0x4


_appletv-v2._tcp  PTR 35CF2488F02660B1._appletv-v2._tcp

35CF2488F02660B1._appletv-v2._tcp  SRV 0 0 3689 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

35CF2488F02660B1._appletv-v2._tcp  TXT txtvers=1 hG=-06f6-4f5d-0171-0bcc51d34d14 MniT=167845888 fs=2 Name=utnet-appletv PrVs=65538 DFID=2 EiTS=1 MiTPV=196611


_sleep-proxy._udp  PTR 70-35-60-63\032utnet-appletv._sleep-proxy._udp

70-35-60-63\032utnet-appletv._sleep-proxy._udp  SRV 0 0 55597 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

70-35-60-63\032utnet-appletv._sleep-proxy._udp  TXT 



required for every Apple TV (and no direction from Apple on what 
entries/fields are actually required) our DNS admins were ready with pitch 
forks and torches if we attempted to saddle them with the responsibility of 
trying to maintain records for 100's of such devices (not to mention printers, 
etc.).

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Garry Peirce pei...@maine.edu
Reply-To: pei...@maine.edu
Date: Tuesday, July 10, 2012 10:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

I’m in support of the collective request to help enable further operational 
flexibility, although also not sure Apple will feel enough pressure to assist.

To the first item:  ‘That Apple establish a way for  Apple TV's (and other 
Bonjour/Airplay enabled devices) be accessible across multiple IPv4 and IPv6 
sub-nets.”
Isn’t this item solved to a degree by wide area DNS-SD?
If not, I assume this is left open to solve by either making it use a routable 
mcast addr or by creating some non-standard solution.

Controls will be needed to make sense of all the advertised services and 
possibly for security/privacy reasons.
I would think navigating a large Bonjour enabled subnet for a production 
service must be an ugly exercise - never mind if enabled to pass L2 boundaries.
Who remembers those IPX service filtering ACLs?  Request #2 might soon follow 
to network vendors to be able to support Bonjour service filtering.

For production services, wide area DNS

Re: [WIRELESS-LAN] Apple Petition

2012-07-11 Thread Johnson, Neil M
So, even if you setup static DNS-SD records, the Airplay receiver (Apple
TV) and Airplay transmitter (iPad, iPhone, or Mac running Mountain Lion)
have to be in the same subnet.

That is the reason for the 1st request in the petition.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 7/11/12 8:47 AM, Chris Murphy ch...@mit.edu wrote:

Honestly, if I could just enter a FQDN for an Apple TV or a printer I'd
be ecstatic.

-Chris

On Jul 11, 2012, at 9:43 AM, Danner, Mearl wrote:

 But it's still link-local and requires management of an enterprise-wide
flat VLAN architecture. No IP addresses I can see. Just the hardware
address.
 
 Don't we want something IP based similar to dynamic DNS? Microsoft
provided WINS and then Active Directory to allow their OSes to move from
local subnet broadcast based discovery. Novell used SLP when they moved
from IPX to IP.
 
 Don't we want Apple to provide us with something similar?
 
 Mearl
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian
D.
 Sent: Tuesday, July 10, 2012 8:03 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Apple Petition
 
 I might be misunderstanding something; if so please correct me.  When I
setup a Linux MDNS server the bonjour devices all auto registered with
the DNS server so there were no entries I had to manually create.  I
used a subdomain to keep them from cluttering up our root domain for
all bonjour devices, but I only tested with a handful of devices and
found that some devices would not query MDNS for the resource records.
 
 -Brian
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
[neil-john...@uiowa.edu]
 Sent: Tuesday, July 10, 2012 8:41 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: Apple Petition
 
 My concern is that certain fields appear to contain dynamic information
like the software version (see srcvers=120.2) and other information
(what does 35CF2488F02660B1 mean ?).
 
 The only way it seems to collect this information is to connect the
device to local net, run Bonjour Browser or run dns-sd -Z command on a
MAC and copy and paste results into your DNS configs.
 
 If certain data is dynamic then, you are out of luck.
 
 -Neil
 
 --
 Neil Johnson
 Network Engineer
 The University of Iowa
 Phone: 319 384-0938
 Fax: 319 335-2951
 Mobile: 319 540-2081
 E-Mail: neil-john...@uiowa.edu
 
 
 From: Joel Coehoorn jcoeho...@york.edu
 Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Date: Tuesday, July 10, 2012 7:22 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Apple Petition
 
 If those entries work, and are all that is needed, then we're not far
from full support. It seems like we could get a tool or set of scripts
to automate creating/modifying the needed records.
 
 Sent from my iPad
 
 On Jul 10, 2012, at 7:11 PM, Johnson, Neil M
neil-john...@uiowa.edu wrote:
 
 We looked into DNS-SD, but with entries like this (example taken from
an earlier e-mail from Oscar Silva at the Univ. of Texas, and confirmed
by our own testing):
 
 
 _airplay._tcp PTR utnet-appletv._airplay._tcp

 utnet-appletv._airplay._tcp SRV 0 0 7000 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

 utnet-appletv._airplay._tcp TXT deviceid=28:E7:CF:DB:6E:E0 features=0x39f7 model=AppleTV2,1 pw=1 srcvers=120.2

 _raop._tcp PTR 28E7CFDB6EE0@utnet-appletv._raop._tcp

 28E7CFDB6EE0@utnet-appletv._raop._tcp SRV 0 0 49152 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

 28E7CFDB6EE0@utnet-appletv._raop._tcp TXT txtvers=1 ch=2 cn=0,1,2,3 da=true et=0,3 md=0,1,2 pw=true sv=false sr=44100 ss=16 tp=UDP vn=65537 vs=120.2 am=AppleTV2,1 sf=0x4

 _appletv-v2._tcp PTR 35CF2488F02660B1._appletv-v2._tcp

 35CF2488F02660B1._appletv-v2._tcp SRV 0 0 3689 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

 35CF2488F02660B1._appletv-v2._tcp TXT txtvers=1 hG=-06f6-4f5d-0171-0bcc51d34d14 MniT=167845888 fs=2 Name=utnet-appletv PrVs=65538 DFID=2 EiTS=1 MiTPV=196611

 _sleep-proxy._udp PTR 70-35-60
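
The scripted record creation suggested in this thread, together with a check for the TXT fields that may change between software versions, sketched as an added example (not code from any list member or from Apple). The function names are hypothetical, the record values are the ones quoted above, and the second `srcvers` value is constructed; which fields a client actually requires is not documented on this page.

```python
import string

# Characters emitted unescaped in an instance label; everything else,
# including dots and spaces, becomes a \DDD decimal escape.
_SAFE = set(string.ascii_letters + string.digits + "-_@")


def escape_label(label):
    """Escape one DNS-SD instance label for a zone file (space -> \\032)."""
    return "".join(
        chr(b) if chr(b) in _SAFE else "\\%03d" % b
        for b in label.encode("utf-8")
    )


def txt_rdata(fields):
    """Render key=value pairs as quoted TXT character-strings."""
    parts = []
    for key, value in fields.items():
        item = f"{key}={value}"
        if len(item.encode("utf-8")) > 255:
            raise ValueError(f"TXT string for {key!r} exceeds 255 bytes")
        parts.append('"' + item.replace("\\", "\\\\").replace('"', '\\"') + '"')
    return " ".join(parts)


def service_records(service, instance, port, target, txt):
    """PTR, SRV and TXT lines for one service instance, relative to the zone."""
    if not target.endswith("."):
        # A relative target would silently get the zone origin appended.
        raise ValueError("SRV target must be an absolute FQDN ending in '.'")
    owner = f"{escape_label(instance)}.{service}"
    return [
        f"{service} PTR {owner}",
        f"{owner} SRV 0 0 {port} {target}",
        f"{owner} TXT {txt_rdata(txt)}",
    ]


def appletv_records(name, target, airplay_txt, raop_txt,
                    airplay_port=7000, raop_port=49152):
    """AirPlay and RAOP records; the RAOP instance is '<MAC>@<name>'."""
    mac = airplay_txt["deviceid"].replace(":", "").upper()
    return (
        service_records("_airplay._tcp", name, airplay_port, target, airplay_txt)
        + service_records("_raop._tcp", f"{mac}@{name}", raop_port, target, raop_txt)
    )


def txt_drift(stored, observed):
    """Keys whose value differs between the zone copy and a fresh browse."""
    return sorted(
        k for k in stored.keys() | observed.keys()
        if stored.get(k) != observed.get(k)
    )


# Values copied from the records quoted in the thread.
TARGET = "utnet-appletv.bonjour.utexas.edu."
AIRPLAY_TXT = {
    "deviceid": "28:E7:CF:DB:6E:E0", "features": "0x39f7",
    "model": "AppleTV2,1", "pw": "1", "srcvers": "120.2",
}
RAOP_TXT = {
    "txtvers": "1", "ch": "2", "cn": "0,1,2,3", "da": "true", "et": "0,3",
    "md": "0,1,2", "pw": "true", "sv": "false", "sr": "44100", "ss": "16",
    "tp": "UDP", "vn": "65537", "vs": "120.2", "am": "AppleTV2,1", "sf": "0x4",
}

if __name__ == "__main__":
    for line in appletv_records("utnet-appletv", TARGET, AIRPLAY_TXT, RAOP_TXT):
        print(line)
    # Constructed "after an update" browse result: only srcvers differs.
    observed = dict(AIRPLAY_TXT, srcvers="130.1")
    print("fields to refresh:", txt_drift(AIRPLAY_TXT, observed))
```

Running `txt_drift` against a periodic browse of the device's local subnet shows which static records have gone stale, which is the maintenance cost raised above.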

Re: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

2012-07-11 Thread Johnson, Neil M
It's just my opinion, but while asking Apple to implement OKC sounds like a 
worthwhile idea, I'd like to keep the focus on Bonjour and Airplay for this 
petition.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Curtis K. Larsen (UIT-Network) curtis.k.lar...@utah.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Wednesday, July 11, 2012 9:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

What is the scope of the petition?  What is the goal?  Is it only to improve 
the Airplay feature in the enterprise?  If so, the petition looks fine to me.  
If the goal is to encourage Apple to incorporate enterprise support in *all* of 
their products, then we should include more lacking enterprise features in 
other products in the petition.

I don't want to muddy the waters with the message we are sending, but in my 
opinion - as soon as you get things like Airplay working you have another big 
problem and that is that you cannot pull off a seamless roam from any Apple 
device connected to a WPA2-Enterprise SSID.  So if you are fine with telling 
those users to stay put while doing Airplay, or voice apps, etc. then no 
biggie, but if you want to support mobile real-time video/voice - these devices 
have to support a fast-roam using an Enterprise method.

Since Windows XP, Microsoft supports this - it is called opportunistic key 
caching.  You can add the feature to Linux by editing the wpa_supplicant.conf 
file and adding proactive key caching.  All of the WiFi phones (Cisco, Avaya, 
Polycom) support this.  Not a single Mac or iOS device does.

Some think 802.11r is the solution - I have my doubts that Apple will ever 
incorporate 802.11r, and if they did and you turn it on, then all of your other 
non-802.11r devices on that SSID will no longer fast-roam.  ...May be something 
to consider.


Curtis Larsen
University of Utah
Wireless Network Engineer
Office 801-587-1313



From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Lee H Badman [lhbad...@syr.edu]
Sent: Wednesday, July 11, 2012 7:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

Folks,

Those interested seem to agree that we’d discuss specific pain points regarding 
“those other” Apple devices like AppleTv and any AirPlay/Bonjour-dependent 
gadgets until Friday, at which point we’d firm up the petition and find a place 
to host it. Then would come signatures, and ultimately presenting it to Apple, 
possibly via each of our Apple reps.

Neil Johnson has started the companion Facebook group, and has drafted the 
early version of what everyone appears to want from Apple development in 
petition form at https://www.facebook.com/groups/enterpriseairplay with 72 
members joining thus far. (Thanks, Neil)

We have at least one CIO interested, and interested in sharing it with other 
CIOs via Educause if petition is done in a constructive, fact-based way.

We also have a bit of media coverage coming soon on the process, with 
potentially more to follow.

A lot of excellent technical discussion has been spawned during all of this, 
and as usual, the interaction has been great between list members.

All of that being said, it is worth asking:


· Is the group still feeling good about the direction this initiative 
is going in?

· Does anyone have any problems with the wording and points in the doc 
so far?

· Is everyone interested able to sign on behalf of their 
institution/organization? If not, can you get empowered or find someone who can 
sign?

· Has anyone else approached senior IT management and found interest? 
Any other CIOs game at this point?

· Any other mid-week thoughts, concerns, comments on the topic?

Regards-

Lee Badman




Re: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

2012-07-12 Thread Johnson, Neil M

Jesse,

We are looking at several options for providing a way to officially sign the 
petition.  The Facebook group was one suggestion, but since not everyone is on 
(or wants to be on)  Facebook, we'll look at something else.

Stay tuned.

Thanks.
-Neil

On Jul 11, 2012, at 6:33 PM, Jesse Rink wrote:

So for those of us without Facebook, no way of signing it?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, July 11, 2012 8:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

Folks,

Those interested seem to agree that we’d discuss specific pain points regarding 
“those other” Apple devices like AppleTv and any AirPlay/Bonjour-dependent 
gadgets until Friday, at which point we’d firm up the petition and find a place 
to host it. Then would come signatures, and ultimately presenting it to Apple, 
possibly via each of our Apple reps.

Neil Johnson has started the companion Facebook group, and has drafted the 
early version of what everyone appears to want from Apple development in 
petition form at https://www.facebook.com/groups/enterpriseairplay with 72 
members joining thus far. (Thanks, Neil)

We have at least one CIO interested, and interested in sharing it with other 
CIOs via Educause if petition is done in a constructive, fact-based way.

We also have a bit of media coverage coming soon on the process, with 
potentially more to follow.

A lot of excellent technical discussion has been spawned during all of this, 
and as usual, the interaction has been great between list members.

All of that being said, it is worth asking:

• Is the group still feeling good about the direction this initiative 
is going in?
• Does anyone have any problems with the wording and points in the doc 
so far?
• Is everyone interested able to sign on behalf of their 
institution/organization? If not, can you get empowered or find someone who can 
sign?
• Has anyone else approached senior IT management and found interest? 
Any other CIOs game at this point?
• Any other mid-week thoughts, concerns, comments on the topic?

Regards-

Lee Badman


--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu







Our Apple Request Tracking ID

2012-08-02 Thread Johnson, Neil M


Our authorized Apple support person opened a feature request/trouble ticket for 
me. The ID is as follows:

[386504] AirPlay/Apple TV Enhancement Request

Basically we submitted a truncated version of the petition.

Feel free to quote this ID in your requests to Apple support.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu





FW: [386504]Pending: Feature Requested - ER: AirPlay/Apple TV Enhancement Request

2012-08-06 Thread Johnson, Neil M
Well, here is the response I received from Apple.  I did receive a voice-mail 
from our TAM who said he was going to follow up via e-mail, but I haven't heard 
anything yet.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Bozorgzadeh, Amir J amir-bozorgza...@uiowa.edu
Date: Monday, August 6, 2012 8:05 AM
To: Neil Johnson neil-john...@uiowa.edu
Subject: FW: [386504]Pending: Feature Requested - ER: AirPlay/Apple TV Enhancement Request

FYI…

From: AppleCare Technical Support track.ik...@services.apple.com
Reply-To: AppleCare Enterprise Support track.ik...@services.apple.com
Date: Saturday, August 4, 2012 1:25 PM
To: Bozorgzadeh Amir amir-bozorgza...@uiowa.edu
Subject: [386504]Pending: Feature Requested - ER: AirPlay/Apple TV Enhancement Request


Dear Apple Customer,


Thank you for contacting AppleCare.


The information you provided has been forwarded to the appropriate engineering 
team here at Apple and the feature you requested is under consideration.  We 
continually work to improve our products and appreciate this feedback.  Since 
the feature you are requesting is not included with the products we ship today, 
we are not able to track this request as part of your annual support agreement. 
 Please feel free to let us know if you have any further feedback on this 
request.


[386504] ER: AirPlay/Apple TV Enhancement Request


If you have questions regarding currently available options that might be 
applicable for case number 386504, you may reopen the case by replying to this 
message.


Here are comments and instructions from the technical support engineer assigned 
to your case:

Support engineer comments / instructions


Issue:  Customer has feature requests regarding Apple TV and Airplay.


Status:  Forwarding information to TAM.


End of Comments / Instructions


Your AppleCare OS Support agreement expires on June 18, 2013.


In addition to fee-based support contracts, Apple offers several outstanding 
technical resources free of charge. Many Apple server customers find it 
convenient to visit Apple's support website at http://www.apple.com/support.


Sincerely,

AppleCare Enterprise Technical Support




Re: [WIRELESS-LAN] Wireless AP Tripods

2012-08-10 Thread Johnson, Neil M
We've had good luck with Wonder Poles 
http://www.wonderpole.com/telescopingpole.html. The only downside is the 
bases. When filled with sand they can be quite heavy, but less likely to tip over.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Chuck Enfield chu...@psu.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, August 9, 2012 4:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless AP Tripods

They’re called light stands and are commonly used to support photo and video 
lighting and accessories.  They’re easy to find once you know what they’re 
called.  Just fyi, they’re not purpose-built for wireless, so you’ll have to 
figure out a way to attach the AP.  This usually isn’t difficult as most of 
these stands have a 1/4-20 or 3/8-16 stud on the end which can be adapted to 
attach to most AP mounting hardware.  I know I’ve seen tripods marketed for 
wireless site survey at Tessco & Terrawave, but they were really expensive.

FWIW, as both a wireless professional and an avid photographer, I’m a big fan 
of the Giottos LC325 
(http://www.amazon.com/Giottos-LC325-4-Section-Air-cushioned-Light/dp/B000OLUM0I/ref=sr_1_1?ie=UTF8&qid=1344548431&sr=8-1&keywords=giottos+lc325) 
and use them for my studio strobes and RF site survey.  It’s well made, 
strong, stable, air-cushioned, fairly tall, collapses to a small size for its 
height, and reasonably-priced.  There are stands out there for half the price, 
but they won’t be as tall or nearly as well made.  If you don’t need the height 
and need to spend a little less, consider the Interfit COR 750 
(http://www.amazon.com/Interfit-COR750-Section-Damped-Stand/dp/B0024NKGIM) 
or 751 
(http://www.amazon.com/Interfit-COR751-Section-Damped-Stand/dp/B0024NKGJ6).  
They’re not as nice as the Giottos (less stable and poor air cushioning), but 
they’ll get the job done.

Chuck Enfield
Sr. Communications Engineer
Telecommunications & Networking Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865-3988

PS – I don’t own stock in Amazon.  I just know they carry all three models.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Reams, Lane
Sent: Thursday, August 09, 2012 5:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless AP Tripods

I was looking to purchase some tripods to mount APs, similar to the ones used 
at CiscoLive.  Anyone know where I can find these?

[Image: http://lh3.ggpht.com/_WD-mUdH9mlk/TDDeTbj5dNI/BSk/-b3btEuc0iY/s288/IMG_0377.JPG]

Lane Reams
Manager Network Design & Engineering
Network Computing Services
Informatics Center
Vanderbilt University Medical Center
(615) 936-2677 (office)
ncs.mc.vanderbilt.edu


Re: [WIRELESS-LAN] DHCP losing its mind….

2012-08-27 Thread Johnson, Neil M
We did last fall (ISC DHCP on Dell Servers running RedHat Enterprise
Linux). Although the CPU load was fine, we were having disk I/O issues
resulting in the server not responding to requests.

- Quick Fix was to bring up DHCP on additional boxes and spread the scopes
out.
- Long term fix consisted of two parts:
  - Enabled asynchronous logging on the syslog process
  - On the DHCP servers for wireless subnets (which use a 20 minute lease
time) we put the DHCP lease file on a RAM disk (not quite in the spirit of
the DHCP RFC's, but greatly improved performance).

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 8/27/12 1:19 PM, Hanset, Philippe C phan...@utk.edu wrote:

All,

(trying to help our systems group by asking this list)

Have any of you experienced DHCP issues due to too many machines
requesting leases?

We run two ISC DHCP servers (in Active-Active mode) with 30 minutes lease
time
Running on SUN V440, no unusual I/O load, no unusual CPU load and
ethernet is fine.

DHCP is literally not responding to lease requests, on wired and on
wireless.

We were fine during the summer (with 5000 concurrent users), but we are
not now with 14,000 concurrent users.

Thanks,

Philippe 

Philippe Hanset
University of Tennessee, Knoxville
www.eduroamus.org


Re: [WIRELESS-LAN] FreeRADIUS performance question

2012-09-05 Thread Johnson, Neil M
We run RADIATOR and just had to add additional servers to handle the load.


-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Craig Simons craigsim...@sfu.ca
Reply-To: Craig Simons craigsim...@sfu.ca
Date: Wednesday, September 5, 2012 11:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] FreeRADIUS performance question

Using HiPath/Radiator Radius. Today is the first real day of classes though, so 
I would expect things to go higher.

  34 ns-ryu.its.sfu.ca
  34 ns-ryu.its.sfu.ca
  35 ns-ryu.its.sfu.ca
  36 ns-ryu.its.sfu.ca
  40 ns-ryu.its.sfu.ca
  41 ns-ryu.its.sfu.ca
  42 ns-ryu.its.sfu.ca
  45 ns-ryu.its.sfu.ca
  47 ns-ryu.its.sfu.ca
  50 ns-ryu.its.sfu.ca

Regards,
 Craig

SFU SIMON FRASER UNIVERSITY
Network Services


Craig Simons
Network and Systems Administrator

Phone: 778-782-8036
Cell: 604-649-7977
Email: craigsim...@sfu.ca
Twitter: simonscraig (http://www.twitter.com/simonscraig)



From: Danny Eaton dannyea...@rice.edu
To: WIRELESS-LAN@listserv.educause.edu
Sent: Wednesday, 5 September, 2012 09:09:47
Subject: Re: [WIRELESS-LAN] FreeRADIUS performance question

Here at Rice

-bash-3.00$ cat today | tr -s ' ' | cut -d ' ' -f 4 | uniq -c | sort -n | tail -10
 65 net3
 68 net3
 72 net3
 74 net3
 74 net3
 76 net3
 76 net3
 78 net3
 82 net3
107 net3


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Rodkey
Sent: Wednesday, September 05, 2012 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] FreeRADIUS performance question

 16 19:11:44
 18 04:36:17
 18 04:43:12
 18 05:45:12
 18 06:26:13
 18 07:22:07
 18 08:18:46
 20 01:58:49
 20 03:28:29
 23 03:46:02


On 9/5/12, Walter Reynolds wa...@umich.edu wrote:
 Ok, we all have different usage patterns and number of users.  So can
 we do a quick check of what sort of authentications our servers are
 doing per second.  Yes this does not filter out failures and logs
 and.  But at least it is an idea of how we stand compared to
others.

 cat radius.log-[DATE] | tr -s ' ' | cut -d ' ' -f 4 | uniq -c | sort -n | tail -10


 I did this for yesterday (first day of classes) and got the following.

  61 13:03:03
  62 13:01:03
  62 13:05:03
  62 14:50:11
  64 11:29:29
  64 12:50:13
  65 12:47:03
  65 12:50:08
  65 15:59:33
  68 13:02:58


 Wondering what others get.  Thanks.


 
 Walter Reynolds
 Principal Systems Security Development Engineer Information and
 Technology Services University of Michigan
 (734) 615-9438


 On Wed, Aug 22, 2012 at 7:31 PM, Gogan, James P go...@email.unc.edu wrote:

  A question for folks with relatively large 802.1x (greater than
 15,000 unique clients) wi-fi deployment (EAP-TTLS) with a FreeRADIUS
 infrastructure using Kerberos as the backend authentication ...


 - how many FreeRADIUS servers do you deploy?, and

 - have you changed any of the default eap.con/radius.conf performance
 parameters/values?


 The good news is that we've started the year with a lot more folks
 finally using the 802.1x network than the last academic year.

 The bad news is that we're getting long delays in
 connecting/authenticating -- not just a wireless issue as we're also
 getting lots of RADIUS server FAILED traps from our VPN
 concentrators throughout the day since the semester started (using
 the same RADIUS servers as the 1x wireless deployment)


 We've also been seeing in the last three days HUGE numbers of:

 Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request
 from client Wireless8021XResNET port 32769 - ID: 76 due to unfinished
 request
 253745

 Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request
 from client Wireless8021XResNET port 32769 - ID: 140 due to
 unfinished request
 253705

 Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request
 from client Wireless8021XResNET port 32769 - ID: 85 due to unfinished
 request
 253758

 and 

 Aug 19 03:30:14 calvin radiusd[3507]: Login incorrect: [anonymous]
 (from client Wireless8021XResNET port 29 cli 68-a8-6d-ae-fc-5d)

 Aug 19 03:31:15 calvin radiusd[3507]: Login incorrect: [anonymous]
 (from client Wireless8021XResNET port 29 cli 28-6a-ba-6a-9d-6e)

 Aug 19 03:31:35 calvin radiusd[3507]: Login incorrect: 
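
The per-second tally from this thread, extended to separate accepts, rejects and discarded duplicates, as an added example (not code from any list member or from FreeRADIUS). It finds the HH:MM:SS token by pattern rather than by column, because the syslog layout quoted above and FreeRADIUS's own radius.log layout place it in different fields; the sample lines are constructed in the quoted layout, and the function names and the `Login OK` lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog layout quoted in the thread
# (host "calvin", client "Wireless8021XResNET"); users and MACs are made up.
SAMPLE_LOG = """\
Aug 22 19:24:59 calvin radiusd[21691]: Login OK: [user1] (from client Wireless8021XResNET port 29 cli 02-00-00-00-00-01)
Aug 22 19:25:00 calvin radiusd[21691]: Login OK: [user2] (from client Wireless8021XResNET port 29 cli 02-00-00-00-00-02)
Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request from client Wireless8021XResNET port 32769 - ID: 76 due to unfinished request 253745
Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request from client Wireless8021XResNET port 32769 - ID: 140 due to unfinished request 253705
Aug 22 19:25:00 calvin radiusd[21691]: Login incorrect: [anonymous] (from client Wireless8021XResNET port 29 cli 02-00-00-00-00-03)
Aug 22 19:25:01 calvin radiusd[21691]: Login OK: [user3] (from client Wireless8021XResNET port 29 cli 02-00-00-00-00-04)
"""

# First HH:MM:SS token on the line; the timestamp precedes any other
# colon-separated value in both log layouts.
TIME_RE = re.compile(r"\b\d{2}:\d{2}:\d{2}\b")

# Substring -> category, checked in order.
MARKERS = (
    ("Login OK", "accept"),
    ("Login incorrect", "reject"),
    ("Discarding duplicate request", "duplicate"),
)


def classify(line):
    """Return the category of one log line."""
    for marker, kind in MARKERS:
        if marker in line:
            return kind
    return "other"


def tally(lines):
    """Map 'date time' -> Counter of categories seen in that second.

    Unlike `uniq -c`, this does not depend on equal timestamps being
    adjacent, and the date stays in the key so days are not merged.
    """
    per_second = defaultdict(Counter)
    for line in lines:
        match = TIME_RE.search(line)
        if match is None:
            continue  # continuation line or unrelated text
        stamp = " ".join(line[: match.end()].split())
        per_second[stamp][classify(line)] += 1
    return per_second


def busiest(per_second, n=10):
    """The n busiest seconds, ascending, like `sort -n | tail -n`."""
    totals = ((stamp, sum(c.values())) for stamp, c in per_second.items())
    return sorted(totals, key=lambda item: (item[1], item[0]))[-n:]


def duplicate_share(per_second):
    """Fraction of all counted lines that are discarded duplicates."""
    total = sum(sum(c.values()) for c in per_second.values())
    dups = sum(c["duplicate"] for c in per_second.values())
    return dups / total if total else 0.0


if __name__ == "__main__":
    per = tally(SAMPLE_LOG.splitlines())
    for stamp, count in busiest(per):
        print(f"{count:7d} {stamp} {dict(per[stamp])}")
    print(f"duplicate share: {duplicate_share(per):.2f}")
```

A rising duplicate share alongside flat accept counts points at requests the server has not finished, the condition named in the "due to unfinished request" lines above.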

Windows 7 Wireless Single Sign-On and UPN (eduroam) issue.

2012-09-10 Thread Johnson, Neil M

We are currently seeing the following issue.

1. User's laptop is configured to use SSO to connect to the wireless network 
BEFORE user logon
2. User logs in using a UPN (example: u...@uiowa.edu) and connects just fine.
3. The User's wireless connection is interrupted (laptop goes to sleep, they 
turn off the wireless card and back on again, etc.)
4. User can no longer connect to wireless (Windows pops up a bubble Windows 
cannot connect to SSID).

The only solution so far is to have the user completely logout and log back 
into windows system.

It appears from our RADIUS logs that after the wireless connection drops,  
Windows reverts to using  DOMAIN\User for the wireless user name (in our case 
IOWA\user).

Anyone else seen this issue and have a solution ?

Thanks.
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu





University of Iowa Network Architect Position

2012-09-20 Thread Johnson, Neil M

The University of Iowa has a position open for a Network Architect to  support 
the campus wireless network (and assist with the wired network also).

More information on the position can be found at: 
https://jobs.uiowa.edu/jobSearch/pandsDetailDisplay.php?requisitionNumber=61574&fromComm=Y

If you know of someone who is interested, please pass this along.

Thanks.

-Neil



--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu





FW: [mdnsext] BoF today, minuter taker and Jabber relay needed

2012-11-06 Thread Johnson, Neil M

For those interested in the Apple Bonjour/Airplay issues, Sorry for the short 
notice, but if you are interested in participating in the development  of 
mdnsext (Extensions to Bonjour protocols). Information is below.

Live audio is available and hopefully there will be jabber (XMPP) chat session. 
See the links in the forwarded message.

These are technical discussions about extensions to mDNS (Bonjour) protocols to 
allow for cross-subnet discovery of Bonjour devices.


-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Tim Chown t...@ecs.soton.ac.uk
Date: Tuesday, November 6, 2012 9:11 AM
To: mdns...@ietf.org
Subject: [mdnsext] BoF today, minuter taker and Jabber relay needed

Hi,

The mdnsext BoF is today at 15:20 US Eastern Time. The agenda is below.
Slides are available here: 
https://datatracker.ietf.org/meeting/85/materials.html.
Remote participation details are here: 
http://www.ietf.org/meeting/85/remote-participation.html

Thomas and I will need someone to take minutes, and a Jabber relay - volunteers 
welcome!

Tim

Agenda: https://datatracker.ietf.org/meeting/85/agenda/mdnsext/

Extensions of the Bonjour Protocol Suite (mdnsext) BoF

TUESDAY, November 6, 2012
1520-1650 Afternoon Session II

Grand Ballroom C


* Administrivia (10 mins)
  Note Well
  Agenda bashing
  (Chairs)

* Goals of the BoF (10 mins)
  NB. RFC5434, Section 1
  (Chairs)

* Use cases for Bonjour in routed networks (15 mins)
  (Stuart Cheshire)

* Requirements (25 mins)
  draft-lynn-mdnsext-requirements-00
  (Kerry Lynn)

* Open discussion (20 mins)
  Charter bashing

* Questions and Conclusion (10 mins)
  Next steps towards a WG?




___
mdnsext mailing list
mdns...@ietf.org
https://www.ietf.org/mailman/listinfo/mdnsext


Re: [WIRELESS-LAN] eduroam question(s)

2012-11-13 Thread Johnson, Neil M
James,

That's a cool graph. What tool(s) did you use to create it?

Thanks.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 11/13/12 5:26 AM, James JJ Hooper jjj.hoo...@bristol.ac.uk wrote:

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset,
 Philippe C
 Sent: 13 November 2012 00:35
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] eduroam question(s)

 ... We have the stats but are not publishing institution specific
 them for privacy reasons.
 http://www.eduroamus.org/node/232
 I have testimonials from Schools like UCSD and UChicago that
 immediately noticed hundreds of visitors on their campuses.
 Drexel University, for instance, had 40 eduroam users the first
 day they turned the SSID on.
 In general large institutions are amazed at how many eduroam
 visitors they have on campus.

 This said, the largest benefit is to make your campus population
 compatible with locations that heavily use
 eduroam (e.g. if your study abroad students go to Europe or
 Australia). There are places in Europe that
 make it very difficult to use anything else than eduroam.

...we would probably count as one of those institutions ;)

A graph of our weekly users here/there/visitors-here is on this page:
http://www.wireless.bris.ac.uk/eduroam/#graph

eduroam is the only SSID we offer to our staff/students.

We've also got a graph that shows a monthly snapshot of where visitors
come from:
http://www.wireless.bris.ac.uk/gfx/random/eduroamvisitors.png

It's definitely true that there is a critical mass point at which point most
places have it, users start to expect it, and usage rises rapidly.

Kind regards,
  James

-- 
James J J Hooper
Senior Network Specialist, University of Bristol
http://wireless.bristol.ac.uk
--



Apple TV's (Again).

2012-12-05 Thread Johnson, Neil M

I've been following the traffic over on the mdnsext mailing list and there 
hasn't been any significant traffic since 11-15-2012.

While I'm all for going through the standards process to establish a long-term 
permanent fix for Bonjour/AirPlay in Enterprise environments, it will 
probably take several months to years (if there is a solution that meets 
everyone's needs) before there is one and I need something I can use now (or at 
least in the next 3-6 months).

Simply having a way to enter the DNS name or IP address of the target Apple TV 
device seems the simplest solution.

Do we need to push Apple again as a group to come up with an interim solution?

-Neil


--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu





Re: [WIRELESS-LAN] Apple TV's (Again).

2012-12-11 Thread Johnson, Neil M
We met with our Apple SE today. He did not have a lot of information to offer 
outside of the IETF efforts. He recommended that we provide feedback at 
http://www.apple.com/feedback/appletv.html and, if you have a developer 
account, file a bug report at https://bugreport.apple.com, both of which 
we are doing. He assured us that feedback does get to the product managers, FWIW.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman <lhbad...@syr.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, December 5, 2012 2:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple TV's (Again).

Agreed, and we’re all feeling the same pain to various levels. At the same 
time, not sure how to push Apple. By all accounts, their reaction to the 
petition was a grand slam on our part. At the same time, we still have the 
“nobody is allowed to really talk to Apple- funnel it through your SE to be 
formally blown off” situation.

Lee H. Badman
Network Architect/Wireless TME
Information Technology and Services (ITS)
Syracuse University
315 443-3003






FW: [mdnsext] draft-lynn-mdnsext-requirements-01.txt - Bonjour Airplay Issues

2013-01-25 Thread Johnson, Neil M
FYI Posted yesterday

If you have comments or suggestions please post them to the mdnsext
mailing list.

Thanks.

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 1/24/13 11:41 PM, Stuart Cheshire chesh...@apple.com wrote:

We just submitted draft-lynn-mdnsext-requirements-01.txt

http://www.ietf.org/id/draft-lynn-mdnsext-requirements-01.txt

Please review and give feedback.

The deadline is next Thursday for the IESG to decide whether to schedule
an mdnsext BoF meeting at IETF 86 in March, so any discussion before that
date is useful for helping them make their decision.

Stuart Cheshire



FW: [mdnsext] draft-cheshire-mdnsext-hybrid-00

2013-01-28 Thread Johnson, Neil M
Stuart Cheshire's submission for a long-term solution to mDNS (Bonjour)
issues.

Please review and submit your comments via the mdnsext mailing list:

https://www.ietf.org/mailman/listinfo/mdnsext

Thanks.
-Neil


-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 1/26/13 12:04 AM, Stuart Cheshire chesh...@apple.com wrote:

I have submitted a new Internet Draft that proposes a way to address the
mdnsext problem.

Please review and give feedback.

Title:           Hybrid Unicast/Multicast DNS-Based Service Discovery
Creation date:   2013-01-25
WG ID:           Individual Submission
Number of pages: 7
URL:             http://www.ietf.org/internet-drafts/draft-cheshire-mdnsext-hybrid-00.txt
Status:          http://datatracker.ietf.org/doc/draft-cheshire-mdnsext-hybrid
Htmlized:        http://tools.ietf.org/html/draft-cheshire-mdnsext-hybrid-00


Abstract:
  Performing DNS-Based Service Discovery using purely Multicast DNS
  allows discovery only of services present on the local link.  Using a
  very large local link with thousands of hosts improves service
  discovery, but at the cost of large amounts of multicast traffic.

  Performing DNS-Based Service Discovery using purely Unicast DNS is
  more efficient, but requires configuration of DNS Update keys on the
  devices offering the services, which can be onerous for simple
  devices like printers and network cameras.

  Hence a compromise is needed, that provides easy service discovery
  without requiring either large amounts of multicast traffic or
  onerous configuration.

Stuart Cheshire



FW: [mdnsext] draft-cheshire-mdnsext-hybrid-01

2013-01-28 Thread Johnson, Neil M
Stuart submitted an update to his draft already...

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 1/27/13 12:46 AM, Stuart Cheshire chesh...@apple.com wrote:

In private discussions about draft-cheshire-mdnsext-hybrid-00, it is
evident that the document is not clear about which parts of the proposal
already exist, and which are new. Accordingly, I have submitted an update
which adds this section:

http://www.ietf.org/id/draft-cheshire-mdnsext-hybrid-01.txt

4.  Implementation Status

   Some aspects of the mechanism specified in this document already
   exist in deployed software.  Some aspects are new.  This section
   outlines which aspects already exist and which are new.

4.1.  Already Implemented and Deployed

   Domain enumeration discovery by the client (the b._dns-sd._udp
   queries) is already implemented and deployed.

   Unicast queries to the indicated discovery domain is already
   implemented and deployed.

   These are implemented and deployed in Mac OS X 10.4 and later
   (including all versions of Apple iOS, on all iPhone and iPads) in
   Bonjour for Windows, and in Android 4.1 Jelly Bean (API Level 16)
   and later.

   Domain enumeration discovery and unicast querying have been used for
   several years at IETF meetings to make Terminal Room printers
   discoverable from outside the Terminal room.  When you Press Cmd-P on
   your Mac, or select AirPrint on your iPad or iPhone, and the Terminal
   room printers appear, that is because your client is doing unicast
   DNS queries to the IETF DNS servers.

4.2.  Partially Implemented

   The current APIs make multiple domains visible to client software,
   but most client UI today lumps all discovered services into a single
   flat list.  This is largely a chicken-and-egg problem.  Application
   writers were naturally reluctant to spend time writing domain-aware
   UI code when few customers today would benefit from it.  If Hybrid
   Proxy deployment becomes common, then application writers will have a
   reason to provide better UI.  Existing applications will work with
   the Hybrid Proxy, but will show all services in a single flat list.
   Applications with improved UI will group services by domain.

   The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in
   this specification exists and is deployed, but has not been
   standardized by the IETF.  It is possible that the IETF may choose to
   standardize a different or better Long-Lived Query mechanism.  In
   that case, the pragmatic deployment approach would be for vendors to
   produce Hybrid Proxies that implement both the deployed Long-Lived
   Query mechanism [I-D.sekar-dns-llq] (for today's clients) and a new
   IETF Standard Long-Lived Query mechanism (as the future long-term
   direction).

4.3.  Not Yet Implemented

   The translating/filtering Hybrid Proxy specified in this document.
   Once implemented, such a Hybrid Proxy will immediately make wide-area
   discovery available with today's existing clients and devices.

   A mechanism to 'stitch' together multiple .local. zones so that
   they appear as one.  Such a mechanism will be specified in a future
   companion document.

Stuart Cheshire



RE: [WIRELESS-LAN] About the eduroam configuration on Freeradius

2013-02-15 Thread Johnson, Neil M
We have been using eduroam as our primary SSID since the fall. We could put non 
@uiowa.edu users in a separate VLAN that appears outside our border, but the 
actual number of non-Iowa users on campus is so small that it wasn't deemed 
worth the effort to set up and maintain.

Implementing eduroam as our primary SSID happened to happily coincide with 
campus encouraging users to use use...@uiowa.edu as their default username in 
order for them to access cloud services being implemented in the near future.



-Neil



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Steve Bohrer 
[skboh...@simons-rock.edu]
Sent: Friday, February 15, 2013 3:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius

On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:

Dear All

Do you use different radius servers for your local SSID and eduroam SSID?

Currently, we are using the same radius servers for both SSIDs, and we found 
that some of our local users login with eduroam SSID inside our campus.

We want to block our local users (both user...@concordia.ca and user123) from 
logging in with the eduroam SSID. Could you please explain how to modify the 
proxy.conf or other configuration files on Freeradius (Linux version)?


We take a different approach, and use eduroam as our primary SSID 
campus-wide. That is, all of our local users always connect to eduroam, even 
when they are not roaming. Our radius server knows they are local because they 
have our realm in their username, and we can use their other local LDAP 
attributes to put them into the proper VLAN. Our radius server also puts 
non-Simon's Rock eduroam users in to an eduroam guest VLAN. (We have an open 
SSID with instructions for connecting to eduroam, and some special case guest 
VLANs, but no other SSID for our local users).

The benefit is that our users only ever need to do one wifi config, and eduroam 
just works when they travel to other federation campuses or to EDU 
conventions and such, because it is exactly the same wifi config that they use 
every day on campus.

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645
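
The realm-based steering described in the message above, as an added example that is not part of the original thread or any poster's production configuration. It models only the authorization decision (not EAP itself) and goes slightly beyond the post by handling realm-less and malformed usernames and by overriding VLAN attributes in a visitor's reply; the realm example.edu, the VLAN numbers, the in-memory directory standing in for LDAP, and the default of rejecting bare usernames are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# All values below are constructed for illustration.
LOCAL_REALM = "example.edu"        # assumption: stands in for the campus realm
GUEST_VLAN = "900"                 # assumption: eduroam guest VLAN
ROLE_VLANS = {"staff": "110", "student": "120"}
DIRECTORY = {                      # assumption: stand-in for the LDAP lookup
    "alice": {"role": "staff"},
    "bob": {"role": "student"},
    "carol": {},                   # account exists but has no role attribute
}
TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")


@dataclass
class Decision:
    action: str                    # "accept-local", "proxy" or "reject"
    vlan: Optional[str] = None
    reason: str = ""


def split_identity(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS User-Name into (user, realm); realm is None if absent."""
    if not user_name or any(c.isspace() for c in user_name):
        raise ValueError("empty User-Name or whitespace in it")
    if user_name.count("@") > 1:
        raise ValueError("more than one '@'")
    user, sep, realm = user_name.partition("@")
    if not user or (sep and not realm):
        raise ValueError("missing user or realm part")
    # Realms are compared case-insensitively; the user part is left untouched.
    return user, (realm.lower() if sep else None)


def vlan_attributes(vlan_id: str) -> dict:
    """Reply attributes that ask the controller or AP to use a given VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan_id,
    }


def authorize(user_name: str, allow_bare: bool = False) -> Decision:
    """Decide local / visitor / reject and pick the VLAN for one login."""
    try:
        user, realm = split_identity(user_name)
    except ValueError as exc:
        return Decision("reject", reason=str(exc))
    if realm is None:
        # A bare username cannot be routed by other eduroam sites, so a
        # device configured that way only works at home.
        if not allow_bare:
            return Decision("reject", reason="no realm")
        realm = LOCAL_REALM
    # Exact match only: a suffix or substring test would treat a realm
    # such as example.edu.other.example as local.
    if realm != LOCAL_REALM:
        return Decision("proxy", GUEST_VLAN, "visitor realm " + realm)
    entry = DIRECTORY.get(user)
    if entry is None:
        return Decision("reject", reason="unknown local user")
    # Local users without a role attribute fall back to the guest VLAN.
    vlan = ROLE_VLANS.get(entry.get("role"), GUEST_VLAN)
    return Decision("accept-local", vlan, "local user")


def visitor_reply(home_reply: dict) -> dict:
    """Build the local Access-Accept for a visitor from the home reply.

    VLAN attributes set by the home institution are meaningless here, so
    they are dropped and replaced with the local guest VLAN.
    """
    reply = {k: v for k, v in home_reply.items() if k not in TUNNEL_ATTRS}
    reply.update(vlan_attributes(GUEST_VLAN))
    return reply


if __name__ == "__main__":
    for name in ("alice@example.edu", "bob@EXAMPLE.EDU", "carol@example.edu",
                 "dave@other.example", "alice@example.edu.other.example",
                 "user123", "alice@", "a@b@c"):
        print(name, "->", authorize(name))
```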



Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius

2013-02-18 Thread Johnson, Neil M
We currently don't do machine authentication as we would prefer to track down 
issues to an individual user, rather than workstation.

However we have had issues using Windows 7 SSO and are looking into options. 
They are:

  1.  A hidden SSID for machines to authenticate to.
  2.  Customizing our RADIUS server (RADIATOR) to recognize machine logins 
(HOST/workstation-name) and authenticate them separately to the eduroam SSID.

I'd be curious as to what other sites are doing, as well.

Thanks.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Osborne, Bruce W <bosbo...@liberty.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, February 18, 2013 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius


I have a question for those of you that are using EDUROAM as your only SSID. 
How do you handle Windows machine authentication?

Our domain computers do 802.1X machine authentication when there is not a user 
logged in. This allows the computer to authenticate the user and get their 
profile. It is also useful for remote management when a user is not logged in.

Thanks, all

Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Tristan Gulyas [mailto:tristan.gul...@monash.edu]
Sent: Saturday, February 16, 2013 8:21 AM
Subject: Re: About the eduroam configuration on Freeradius

Hi,

We have been using eduroam as our primary SSID for a number of years; users can 
simply select the network and enter their username and password, accept the 
certificate and they're good to go.  One thing we've found to be successful for 
us is to accept both just the username and username@domain to enhance usability 
but the drawback is that we will have a few eduroam configured devices that 
won't work at other institutions.

We have RADIATOR perform a lookup via LDAP to determine the class of user 
(student, staff, high school user (as we have a high school as part of our 
University campus) and return the appropriate Tunnel Group ID for AAA override.

If there is no attribute in LDAP, we place them on the guest VLAN by default, 
however, the guest VLAN and student VLANs are identical in terms of access 
control.

Tristan
---
Tristan Gulyas  tristan.gul...@monash.edu
Wireless Network Engineer   M:  +61 403224484
eSolutions divisionP:  +61 3 9902 9092
Building 205  Monash University   3800   Australia


eduroam and machine authentication

2013-04-02 Thread Johnson, Neil M

We are getting requests to do windows machine authentication on our eduroam 
SSID (just for local machines).

Is there anyone else out there doing this ?

Thanks.
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu







Re: [WIRELESS-LAN] Radiator versus Freeradius

2013-04-19 Thread Johnson, Neil M

We have found RADIATOR to be very flexible and configurable. We are using it to 
implement our own version of VLAN pooling since Meru doesn't have that 
feature.

One caution: we run RADIATOR on Windows servers (because we do AD 
authentication) and there is the potential for you to have performance issues. 
Radiator has many features that can be used to get around those (we run 
multiple instances of it on one box and use the EAPBALANCE feature to load 
balance), but it takes some care and planning.

-Neil



--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Turner, Ryan H <rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, April 17, 2013 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radiator versus Freeradius

We are switching to EAP-TLS for wireless authentication, and have everything in 
place with the exception of a Certificate Revocation Checking process.  We 
would prefer to use OCSP, but it appears that freeRadius isn’t supporting OCSP 
very well (it is either buggy or not feature rich).  Specifically, it would 
appear that if you don’t specify a URL (a responder override), freeRadius will 
not correctly pull the responder URL from the certificate.  Verification then 
fails, and thus the user connection will not be established.  We have multiple 
CAs, so hard coding in a single responder URL is not optimal.  The other issue, 
is that a fail open option for freeradius also doesn’t look to be officially 
supported, and is only provided via some user patch that won’t likely work when 
the code is upgraded.  A soft fail would allow users to be authenticated if a 
responder is unavailable, and presumably we can set some time out that is less 
than a user connection time out for this to occur.

With all of this preface, I have been looking for commercially supported radius 
platforms, and Radiator looks to be a really good option.  I am not entirely 
sure they support the above options, but have inquired.  Anyone have some good 
opinions on Radiator?

As to our actual problems, we could be messing up the config, but I don’t think 
so :)

Thanks,
Ryan Turner



Re: [WIRELESS-LAN] Student devices

2013-05-03 Thread Johnson, Neil M
What we will have:

UI-Wireless-Setup – Captive portal that redirects to Cloudpath XpressConnect 
setup scripts.
eduroam – We are using this as our main WPA2-Enterprise connection for everyone, 
and we don't differentiate between students and staff.
attwifi (Coming soon) - For parents, guests, and prospective students, etc.  
(open to the public, don't have to pay a fee). Users will appear to be outside 
our campus border.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Adam T Ferrero <a...@temple.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, May 3, 2013 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Student devices


  We have:


-  Open wireless SSID for onboarding only.  SMS text message 
credentials.  Soon to add .mobileconfig one click provisioning feature.

-  Single WPA2 enterprise SSID for student, staff, guests – Freeradius 
detects ldap attributes and steers user groups towards certain vlans which 
leads to specific access permissions (controlled by router acls and firewall 
rules).

-  eduroam – Freeradius again steers folks based upon role

  It has served us fairly well and I personally love not having an open network 
for anything besides onboarding (plus we think it meets HEOA compliance).  The 
one click provisioning should alleviate the last of the usability complaints 
(hopefully).

  Adam
  Temple University



Re: [WIRELESS-LAN] Wow vision veos: Will products using Miracast be an alternative?

2013-05-28 Thread Johnson, Neil M
We had a departmental IT person who insisted on trying SIX simultaneous
Miracast connected TV's in the same classroom.

According to our spectrum analyzer, Two Miracast devices chew-up 80% - 90%
of the available duty-cycle (they do this whether the display is static
(Power Point Slide) or active (You-Tube stream)).

When we got to four Miracast connections we began to have picture quality
issues, and bandwidth available for others in the area was near zero.

We talked him into using just one, and we recommended to campus that users
avoid it, but there's not much we can do to stop it.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 5/28/13 6:54 AM, Joshua Coleman josh...@housing.ufl.edu wrote:

From my testing with a Nexus 4 and Netgear PTV-3000 using wireless and
miracast (while it may do horrible things to the spectrum and destroy
batteries) it works fine.



Joshua Coleman | Network Infrastructure Engineer

University of Florida Department of Housing and Residence Education

PO Box 112100 | Gainesville, FL 32611-2100

office 352.392.2171 x12053 | fax 352.392.6819 | josh...@housing.ufl.edu

StrengthsQuest Top 5: Ideation, Strategic, Analytical, Adaptability,
Intellection - Find out more -
http://www.strengthsquest.com/content/141728/index.aspx

Please consider the environment before printing this email.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell
[jeff-k...@utc.edu]
Sent: Friday, May 24, 2013 11:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wow vision veos: Will products using Miracast
be an alternative?

On 5/24/2013 10:45 PM, Barron Hulver wrote:
 Will products using Miracast take hold and be an alternative?

 http://www.wi-fi.org/wi-fi-certified-miracast%E2%84%A2

In their FAQ...

 7.  How is Miracast related to Wi-Fi Direct?
 Wi-Fi Direct allows devices to connect directly to each other, without the
 need for a Wi-Fi AP, and often requiring just the push of a button. Wi-Fi
 Direct allows source and display devices to discover one another and provides
 the underlying device-to-device connectivity for Miracast.

Sounds like if you ALSO need wireless internet, you're SOL...

Jeff



Re: [WIRELESS-LAN] eduroam best practices?

2013-05-29 Thread Johnson, Neil M
I plan to follow the guidelines in the UK documents also.

Some Service Providers (SP) are also not sending the Calling-Station-Id
attribute to the Identity Provider (IdP) for privacy reasons. However, the
eduroam agreement signed by eduroam-us requires participants to send this
data so that the IdP can track users' identities to track down policy
violators and to comply with national regulations.

Also Europe is moving forward with deploying RADSEC, so we need to try to
keep up with them.


On the eduroam-admins list, I offered assistance in drafting a standard (I
was basically going to base it on the UK documents), but never did receive
a response from the eduroam-us staff.

I think if acceptance of eduroam is to continue to grow, these standards
need to be developed soon. Here at Iowa, we have adopted it as our primary
802.1X SSID, so keeping eduroam moving forward is important to us.


-Neil


-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 5/29/13 10:18 AM, Christopher Wieringa cwier...@calvin.edu wrote:

There is a recently formed netplus-eduroam-admins listserv created by the
eduroam-US organization to discuss technical problems like this, and it
recently has been having a very similar conversation about required RADIUS
attributes, etc.  (See
https://lists.internet2.edu/sympa/info/netplus-eduroam-admins )

It does seem to me that there aren't a ton of specifics about what exactly are
the required attributes for eduroam-US proxying to work correctly.  You can
google search to find some recommendations from other top-level administrators
( like eduroam-UK at
https://community.ja.net/library/janet-services-documentation/eduroamuk-technical-specification
), and this is what I've been basing my deployment off of.  This is probably
just growing pains and standards will probably be worked out over time,
especially now that eduroam-US has a few dedicated employees working on this.

So, pasted from the URL above:

--

13. The following RADIUS attributes MUST be forwarded by participants' ORPSs
if present in RADIUS Access-Request, Access-Challenge, Access-Accept or
Access-Reject messages.

13.1. User-Name
13.2. Reply-Message
13.3. State
13.4. Class
13.5. Message-Authenticator
13.6. Proxy-State
13.7. EAP-Message
13.8. MS-MPPE-Send-Key
13.9. MS-MPPE-Recv-Key
13.10. Calling-Station-Id
13.11. Operator-Name
13.12. Chargeable-User-Identity

14. The following RADIUS attributes MUST be forwarded by participants' ORPSs
if present in RADIUS Accounting messages.

14.1. User-Name
14.2. Acct-Status-Type
14.3. Acct-Session-ID
14.4. Proxy-State
14.5. Class

-

If you are using attributes other than these, my guess is that in some
places the attributes may be filtered out.  There also are a few attributes
that should never be passed upstream (
https://www.eduroam.org/downloads/docs/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf
) like Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID.

Chris

 On 5/29/2013 at 10:10 AM, Julian Y Koh kohs...@northwestern.edu wrote:
 I will confess to tossing this out to the list without doing my regular
 level of research since this is officially a vacation week for me.  So if
 anyone wants to judge, it's fully justified in this case.  :)

 The basic situation is this - as we move up to a full eduroam deployment,
 we are currently at the stage where our users can visit other eduroam
 institutions and use their NU credentials to log in.  The second and final
 phase will be to set up the eduroam SSID here on our campus for visitors
 to use.

 What we are experiencing with the first phase of testing is that people
 are reporting to us that eduroam works great at some institutions but not
 others.  Luckily for one of these locations, we were having a CIC wireless
 and networking meeting at the time, and it turned out that the host
 institution was not sending the NAS-type RADIUS attribute, and some of the
 other schools were actually using a check for that attribute on their end
 to route the authentication requests appropriately.  So that got cleared
 up pretty quickly.  But we're still getting a trickling of reports from
 some of our traveling users who are visiting other places that things
 worked for them at one university but not another.

 So we have a couple of questions:

 1.) What are the best practices in terms of validating RADIUS connections?

 2.) What are the best practices in terms of setting up proxying
 connections, attributes to send, etc?

 3.) How prevalent of a problem is this?  It seems to me that all the folks
 in Europe must have solved this a while ago.  Are these just growing pains
 as eduroam gains traction in the US?

 Thanks in advance!!!

 -- 
 Julian Y. Koh
 Acting Associate Director, Telecommunications and Network Services
 Northwestern University Information Technology (NUIT)
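
The two attribute lists quoted in this message, and the routing check on a "NAS-type" attribute described in the original question, can be turned into a small audit of what survives a proxy hop. This is an added example, not code from any poster or from eduroam; the packet dumps are constructed, the "Name = value" dump format is an assumption, and NAS-Port-Type stands in for the "NAS-type" attribute.

```python
"""Audit one proxy hop against the attribute lists quoted in this thread."""
from collections import Counter


def _names(*items):
    # Names are compared case-insensitively: dictionaries spell some of them
    # differently (Acct-Session-ID in the quoted text, Acct-Session-Id elsewhere).
    return frozenset(i.lower() for i in items)


# Quoted item 13: MUST be forwarded in Access-Request/Challenge/Accept/Reject.
MUST_FORWARD_AUTH = _names(
    "User-Name", "Reply-Message", "State", "Class", "Message-Authenticator",
    "Proxy-State", "EAP-Message", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key",
    "Calling-Station-Id", "Operator-Name", "Chargeable-User-Identity")
# Quoted item 14: MUST be forwarded in Accounting messages.
MUST_FORWARD_ACCT = _names(
    "User-Name", "Acct-Status-Type", "Acct-Session-ID", "Proxy-State", "Class")
# Named in the message as attributes that should never be passed upstream.
NEVER_UPSTREAM = _names(
    "Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

AUTH_CODES = {"Access-Request", "Access-Challenge", "Access-Accept", "Access-Reject"}
ACCT_CODES = {"Accounting-Request", "Accounting-Response"}


def required_for(code):
    """Return the must-forward set that applies to a RADIUS packet code."""
    if code in AUTH_CODES:
        return MUST_FORWARD_AUTH
    if code in ACCT_CODES:
        return MUST_FORWARD_ACCT
    raise ValueError(f"unknown RADIUS packet code: {code!r}")


def parse_dump(text):
    """Parse 'Name = value' lines into a Counter of lower-cased attribute names.

    A Counter is used because EAP-Message and Proxy-State may repeat.
    """
    names = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, _value = line.partition("=")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        names[name.strip().lower()] += 1
    return names


def audit_hop(code, sent, received):
    """Compare what one side sent with what arrived after the proxy chain."""
    required = required_for(code)
    report = {"dropped_required": [], "dropped_optional": [], "leaked": []}
    for name, count in sorted(sent.items()):
        if name in NEVER_UPSTREAM:
            continue                      # stripping these is the desired outcome
        if received.get(name, 0) < count:  # missing, or fewer instances arrived
            key = "dropped_required" if name in required else "dropped_optional"
            report[key].append(name)
    report["leaked"] = sorted(n for n in received if n in NEVER_UPSTREAM)
    return report


def fragile_checks(code, policy_attrs):
    """Attributes a local policy tests that no proxy is obliged to forward."""
    required = required_for(code)
    return sorted(a.lower() for a in policy_attrs if a.lower() not in required)


# Constructed sample dumps (not captured traffic).
SENT_BY_VISITED_SITE = """
User-Name = "anonymous@example.edu"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "02-00-00-00-00-01"
Operator-Name = "1visited.example.org"
EAP-Message = 0x0201
EAP-Message = 0x0202
Message-Authenticator = 0x00
Tunnel-Private-Group-ID = "42"
"""
SEEN_BY_HOME_SERVER = """
User-Name = "anonymous@example.edu"
Calling-Station-Id = "02-00-00-00-00-01"
EAP-Message = 0x0201
Message-Authenticator = 0x00
Proxy-State = 0x31
Tunnel-Private-Group-ID = "42"
"""

if __name__ == "__main__":
    result = audit_hop("Access-Request", parse_dump(SENT_BY_VISITED_SITE),
                       parse_dump(SEEN_BY_HOME_SERVER))
    for key, names in result.items():
        print(f"{key}: {names}")
    print("fragile policy checks:",
          fragile_checks("Access-Request", ["NAS-Port-Type", "User-Name"]))
```

Anything reported under dropped_required points at a hop that is not honouring the quoted list; anything returned by fragile_checks is a local routing or policy test that can fail at some sites and not others, as described in the question.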
 
 

Re: [WIRELESS-LAN] 7Signal- anyone?

2013-06-03 Thread Johnson, Neil M
Lee,

(Off the record).

We purchased five eyes as a pilot.

The product shows a lot of promise, but we have had the following issues:

1. Access to raw data is limited which results in the following:

  a. We found that their Radio Attach Success Rate measurement doesn't
break out into detail where a failure occurred (802.11 Auth, 802.11 Assoc,
802.1x Auth, DHCP success, etc.).  We discovered that if the eye sent a probe
request to an AP and didn't get a probe response, it considered that a failure.
However, an AP may not send a probe response to every probe request if it is
trying to band steer or load balance clients, but will still respond to an
802.11 Auth request.  This led us to see skewed results.

  b. Reports of a high % of 802.11 frame retry rates did not report the total
number of frames, so one could not determine if a 50% retry rate meant 1
out of 2 frames or 5,000 out of 10,000 frames.

The 7signals folks have taken this as feedback and are looking to make changes
to correct this.

2. They are a really small company. Up until a week ago they only really had
one technical person evaluating data and making recommendations for changes for
all their customers.
They are adding staff to correct this.

3. They are using the Linux wpa_supplicant to test 802.1X Authentication. We
found that the supplicant doesn't always reliably work which leads to false
radio attach errors.

4. They don't have a way to verify the operation of their eyes. We believe
that we have a faulty antenna in one of our eyes (if we rotate the eye, we
get different results), but convincing them there is a problem has been
difficult.

5. They are really hungry for sales and they seem to be focused on trying to
get you to cover your campus with eyes, but as an academic institution that is
cost prohibitive.  They seem less interested in you purchasing a few eyes to
place in strategic areas or to rotate between problem areas.

All in all, the ideas behind the product are good ones, and if they can
adjust their expectations and make some minor improvements to their data
collection backend and GUI interface I think it can be a really useful product.

-Neil


--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Friday, May 31, 2013 2:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 7Signal- anyone?

Hello to the group,

I know that this has been discussed before, but I’m coming back around to it. 
I’m intrigued by 7signal.com and see attractive aspects to their approach, but 
find myself struggling with:


  *   Pricing- Seems incredibly expensive

  *   What’s really being delivered- we are a CleanAir environment, so much of
7Signal would be duplicitous in function, and so far I can’t tell all what one
is delivering that the other leaves out

  *   What 7Signal expects you to do to optimize- there are locations where APs
cannot be moved, there are groups of clients that you are likely not going to
easily pin down for driver updates, etc, and only so many system settings you
can tweak without creating other issues

  *   Deployment model- given that Eyes themselves need to be cabled, it’s not
exactly easy in all cases to deploy them and there is no radio backhaul option


All of my cynicism aside- is anyone on the list a 7signal user? Any 
testimonials or thoughts?


Thanks very much-

Lee Badman
Syracuse University




Re: [WIRELESS-LAN] 7Signal- anyone?

2013-06-03 Thread Johnson, Neil M
Whoops :-(

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu





Re: [WIRELESS-LAN] RF interference from 802.11

2013-06-05 Thread Johnson, Neil M
We faced the same situation in a building with multiple tenants.
Researchers with labs didn't want wireless because they were concerned
that it would interfere with their equipment (They didn't want to spend
the money to shield the equipment) while people in the office spaces
wanted it.

The occupants were from two different colleges, so we told them they
needed to come up with a formal agreement on where they wanted wireless.
They never did, and I think we ended up putting wireless in the office
spaces eventually.

I feel your pain.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 6/4/13 4:22 PM, Julian Y Koh kohs...@northwestern.edu wrote:

Has anyone had to deal with researchers claiming that 802.11 RF causes
interference with their laboratory experiments and apparatus?  We're
getting rumblings out of our Physics department - they are trying to
prevent APs from getting installed in their area because of what they say
are highly sensitive devices that will be adversely affected.

My personal opinion is...well, I'll withhold that for now.  Anyone gone
through this?  Thanks in advance!


-- 
Julian Y. Koh
Acting Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html



Network Engineer Position at the University of Iowa

2013-08-05 Thread Johnson, Neil M
Information Technology Services (ITS) at the University of Iowa has an opening
for a Network Engineer on the Network Services Team within Enterprise
Infrastructure.

The position is part of a team responsible for the design, architecture,
performance and maintenance of the entire campus data network, a critical
enterprise 24/7 service. This includes: design of the network architecture;
vendor selection, equipment purchase, and implementation of wired and wireless
network equipment and tools; monitoring network health and performance; and
troubleshooting and correcting issues. The group analyzes and makes equipment
and service changes or enhancements to the data network and systems, as well as
provides solutions to specific customer needs to provide a stable and reliable
network.

This Professional & Scientific full-time position will be filled as a Network
Engineer (PIN1). Occasional off-hours work will be required, and the team
shares on-call duties.

Please feel free to pass this along to any qualified candidates you think would
be interested in exploring this career opportunity.

Applications are being accepted on line at:
https://jobs.uiowa.edu/pands/view/62971

Thanks
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu





Prepare for the crush (again).

2013-10-22 Thread Johnson, Neil M

OS X (Mavericks) will be available ~2:00 CST today for free ….

-Neil



--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu





Re: [WIRELESS-LAN] Force Windows to send UPN

2013-11-15 Thread Johnson, Neil M
Here is what we ended up doing. Quoted from our Enterprise Client Team e-mail…..

We have had some reported issues with the Eduroam single sign on GPO. The GPO,
called _PUBLIC-Eduroam Wireless Config, allows laptops to connect to Eduroam
before logon as long as the UPN is used as the username – haw...@uiowa.edu.
The issue occurs after the computer connects and logs in fine. Then while it
is being used it disconnects from Eduroam and never reconnects. It tries to
reconnect with iowa\HawkID, which causes the failure.

I have created a fix for this by adding a second wireless profile to the GPO
called Eduroam Reconnect. The original profile is still there, so single sign
on works as expected. If during regular use the machine disconnects from
Eduroam and fails to reconnect, it falls back to Eduroam Reconnect which
prompts for a user ID. This allows the user to type haw...@uiowa.edu and
reconnect to the Wireless network again. If they are disconnected again, it
will reconnect using this profile without prompting.

We have this implemented in a few places around campus, and I’d like to add it 
to the public GPO. Let me know if you have any issues or concerns. Otherwise, 
I’ll make the change at the end of the day.


It's not elegant, but it does work…


-Neil


--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu


From: Walter Reynolds wa...@umich.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, November 14, 2013 10:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN

I would be interested in the answer as well.



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438


On Thu, Nov 14, 2013 at 10:01 AM, Tim Cappalli cappa...@brandeis.edu wrote:
Morning,

Does anyone know of a way to force Windows to pass credentials in the UPN 
format instead of NETBIOS when using the “Automatically use Windows 
credentials” option for user authentication? Is there a group policy option to 
disable legacy NETBIOS use for authentication?

For example, my user account:

NETBIOS: USERS\cappalli
UPN:     cappa...@brandeis.edu

Thanks for the help
Tim


Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu




Re: [WIRELESS-LAN] Force Windows to send UPN

2013-11-19 Thread Johnson, Neil M
Correct.

-Neil


--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu


From: Tim Cappalli cappa...@brandeis.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Monday, November 18, 2013 5:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN


So you are using the single sign on feature,  not machine auth?

Thanks

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu




Re: [WIRELESS-LAN] loadbalacing WPA2 802.1X traffic between controller and radius servers

2013-11-26 Thread Johnson, Neil M
We are running RADIATOR on Windows Boxes (long story).

The boxes are configured with 6 child processes and 1 parent process.

The parent process uses AuthBy EAPBALANCE to distribute the EAP
authentications across the child processes.

Using EAPBALANCE ensures that each EAP conversation makes it to the same
child process.

It seems to work pretty well. We could probably handle more child processes
on the dedicated boxes we use.

The heavy lifting is done in the child processes. They share the same single
configuration file.

The only drawback is that, on Windows, you have to manually restart all 7
processes when you change your RADIUS configuration.

Here is what the Handler section for the parent process looks like:

<Handler>
    <AuthBy EAPBALANCE>
        # Pass Client-Identifier as a RADIUS attribute to child processes
        # so that the child process knows what NAS client the request came
        # from. Useful for selecting a Handler based on NAD client.
        AddToRequest OSC-Client-Identifier=%{Client:Identifier}
        FailureBackoffTime 15

        <Host 127.0.0.1>
            Secret Secret
            AuthPort 11812
            AcctPort 11813
        </Host>
        <Host 127.0.0.1>
            Secret Secret
            AuthPort 21812
            AcctPort 21813
        </Host>
        <Host 127.0.0.1>
            Secret Secret
            AuthPort 31812
            AcctPort 31813
        </Host>
        <Host 127.0.0.1>
            Secret Secret
            AuthPort 41812
            AcctPort 41813
        </Host>
        <Host 127.0.0.1>
            Secret Secret
            AuthPort 51812
            AcctPort 51813
        </Host>
        <Host 127.0.0.1>
            Secret Secret
            AuthPort 61812
            AcctPort 61813
        </Host>
    </AuthBy>
</Handler>




--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu


From: Kees Pronk cl.pr...@avans.nl
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Friday, November 22, 2013 1:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] loadbalacing WPA2 802.1X traffic between controller and
radius servers

Hello,

Are any WLAN colleagues using a load balancer to scale out the auth (EAP)
traffic?
Currently we use Radiator with frontend and multiple backend processes which
works fine.
Wondering if load balancers can keep track of the state of an EAP
authentication.
At peak times we have 12K concurrent Wi-Fi devices online.

Best regards, Kees







Re: [WIRELESS-LAN] loadbalacing WPA2 802.1X traffic between controller and radius servers

2013-11-27 Thread Johnson, Neil M
Interesting. 

It does appear that there are issues cascading RADIATOR servers using
AuthBy EAPBALANCE because the RADIUS State attribute used to track the
EAP conversations gets mangled as the message progresses through the chain
of servers.

To make things work with the US NTLRS servers they graciously stopped
using EAPBALANCE to load balance between our servers and moved to a
traditional primary/secondary model, but obviously I can't ask everyone to
do that :-).

The RADIATOR folks recommended I try HASHBALANCE instead, but I like the
extra assurance that EAP conversations don't get broken up.

I will follow up on the RADIATOR list.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu






On 11/27/13 6:57 AM, Jethro R Binks jethro.bi...@strath.ac.uk wrote:

Hi Neil,

Serendipity.

Don't know if you are still subscribed to the Radiator mailing list, but
I posted something yesterday that seems to tie up to you, please review
the thread:

  http://www.open.com.au/pipermail/radiator/2013-November/019540.html

and let me know if you have any thoughts.

Jethro.




.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.


Cisco LWAP disable DNS resolver

2014-01-17 Thread Johnson, Neil M

We are testing a few Cisco LWAP's and our security office dinged us in a scan 
because they are acting as open DNS resolvers.

I can't find a way to turn that feature off. Any ideas ?

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu





Re: [WIRELESS-LAN] Cisco LWAP disable DNS resolver

2014-01-23 Thread Johnson, Neil M
Follow up.

Cisco has it down as a bug to be fixed in a future release and recommends that we 
put an ACL in place to filter incoming DNS requests.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu


From: Johnson, Neil Johnson <neil-john...@uiowa.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, January 17, 2014 12:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco LWAP disable DNS resolver


We are testing a few Cisco LWAP's and our security office dinged us in a scan 
because they are acting as open DNS resolvers.

I can't find a way to turn that feature off. Any ideas ?

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
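
Once the ACL recommended in the follow-up above is in place, the result can be checked the same way the security office's scan found the problem. The sketch below is an added example, not code from the thread or from Cisco: it builds a recursion-desired DNS query, classifies the reply by its header flags, and reports which hosts still answer. The verdict names, the `192.0.2.x` documentation addresses and the sample replies are constructed for illustration; run `audit()` only against your own APs, from a network the ACL is meant to block.

```python
"""Check that hosts no longer act as open DNS resolvers once the ACL is in place."""
import socket
import struct

# DNS header flag bits and response codes (RFC 1035).
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODE_MASK = 0x000F
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5


def build_query(name, txid):
    """Build a recursion-desired (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(data, txid):
    """Map a raw reply (or None for no reply) to a verdict string."""
    if data is None:
        return "filtered"            # nothing came back: what the ACL should produce
    if len(data) < 12:
        return "invalid"             # shorter than a DNS header
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR:
        return "invalid"             # not a response to our query
    rcode = flags & RCODE_MASK
    if flags & RA and rcode in (NOERROR, NXDOMAIN):
        return "open-resolver"       # recursion offered and performed for us
    if rcode == REFUSED:
        return "refused"             # reachable, but declines to recurse
    return "answers-no-recursion"


def probe(host, name="example.com", timeout=2.0, txid=0x4D2A):
    """Send one UDP query to host:53 and classify what comes back."""
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 53))
            data, _ = s.recvfrom(512)
        except OSError:              # timeout or ICMP unreachable
            data = None
    return classify_response(data, txid)


def audit(hosts, probe_fn=probe):
    """Return {host: verdict} for every host that still answers DNS at all."""
    results = {h: probe_fn(h) for h in hosts}
    return {h: v for h, v in results.items() if v != "filtered"}


def sample_response(txid, flags, ancount=0):
    """Constructed 12-byte DNS header standing in for a captured reply."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    txid = 0x4D2A
    # Constructed replies, not captures from any real device.
    samples = {
        "AP before ACL": sample_response(txid, QR | RD | RA, ancount=1),
        "AP refusing recursion": sample_response(txid, QR | RD | REFUSED),
        "AP behind ACL (no reply)": None,
    }
    for label, data in samples.items():
        print(f"{label}: {classify_response(data, txid)}")
```

A host that shows up in `audit()` with any verdict is still reachable on UDP/53 from the probing network, so the ACL is not covering it; only `open-resolver` reproduces the scan finding itself.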



RE: [WIRELESS-LAN] requests for open, unauthenticated, no portal WiFi

2014-05-21 Thread Johnson, Neil M
We get requests every 3-4 months to create an open SSID for on-campus Board of 
Regents Meetings.

Our solution was to contract with ATT WiFi to provide guest access across 
campus. We advertise the attwifi SSID on our wireless infrastructure, hand 
off layer two traffic to an appliance provided by them (for NAT'ing and/or 
tunneling) and then route the output of the appliance through our normal 
Internet connection.

We paid for the appliances up front and then pay a monthly fee to ATT. ATT 
handles all the CALEA and DMCA issues. ATT benefits because any of their 
cell-phone customers in range of the attwifi SSID automatically offload their 
wireless IP traffic to our network.

The Board of Regents IT support still complains that users have to click on a 
splash page to connect to wireless, but we are working through that :-).

-Neil


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell [jeff-k...@utc.edu]
Sent: Tuesday, May 20, 2014 6:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] requests for open, unauthenticated, no portal WiFi

We use essentially the eduroam services guidelines 
(https://www.eduroam.us/node/69) but we have bandwidth restrictions on guest 
WiFi that are not applied to actual eduroam traffic.

Jeff

On 5/20/2014 1:31 PM, Heath Barnhart wrote:
I'm using a simple ACL to restrict traffic. For VPN access we are allowing SSL 
and some well-known ports used by many VPNs. My supervisor said he got the list 
from somewhere on Educause, though I never saw the actual documentation.

--
Heath Barnhart
ITS Network Administrator
Washburn University
785-670-2307




On Tue, 2014-05-20 at 12:01 +, Osborne, Bruce W (Network Services) wrote:
Heath,

What do you allow for VPN? There are several different technologies used.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Heath Barnhart [mailto:heath.barnh...@washburn.edu]
Sent: Monday, May 19, 2014 11:01 AM
Subject: Re: requests for open, unauthenticated, no portal WiFi




There are certain laws you might fall under if you allow open access, such as 
CALEA. We recently put in an open/unauthenticated network, but with 
restrictions. Visitors must still register their devices (though there is no 
validation), we only allow for 3 days of access followed by a 3 day exclusion 
period, and we limit what services can be used to basic stuff like HTTP, HTTPS, 
FTP, SSH, and VPN.



--
Heath Barnhart
ITS Network Administrator
Washburn University
785-670-2307



On Thu, 2014-05-15 at 12:52 -0400, Chuck Anderson wrote:



Has anyone had to deal with administration requests for completely
open, unauthenticated WiFi with no captive port auth for guest access
to use during events or generally?  What arguments do you use against
this kind of deployment?  We are in a city and do not wish to become
the ISP for surrounding neighborhoods.




RE: [WIRELESS-LAN] guest wireless

2014-09-12 Thread Johnson, Neil M

We contracted with ATT to handle guests and visitors.

We advertise their SSID (attwifi) on our wireless infrastructure and then 
hand the traffic off to them via boxes called Network Management Devices (NMD) 
that they provide. They tunnel the traffic to their cloud via our Internet 
connection.

They take care of the CALEA and DMCA issues.  They benefit by offloading their 
cell customer's data traffic on to our Wifi infrastructure, so the monthly cost 
for us was very reasonable.

-Neil


--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel 
[jcoeho...@york.edu]
Sent: Friday, September 12, 2014 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

I will admit to having a completely open guest network. We don't even require a 
terms of service click-through, and it's not encrypted. We do have some strict 
throttling for file sharing/p2p traffic, and I have some decent auditing 
capabilities, so I can track down violations and restrict them later if needed, 
but that's about it. We do the same throttling and auditing on the regular 
network.

Our Admissions and Advancement offices *love* this: a candidate or guest comes 
on campus, and their device just works: never any 802.1x issues, never a 
problem with sponsorships or authentication. We're in a residential 
neighborhood, but I've learned not to worry about neighbors using our wifi: 
it's really a drop in the bucket. No one uses bandwidth like a college student 
uses bandwidth, and as I'm one of those who live just across the street, I can 
testify that leeching wifi from the college is a horrible personal wifi 
experience (also: before I came here and I had an hour long commute, and I can 
say that walking across the street to get to your office is *awesome*).

We do strongly encourage students/staff/faculty to use the encrypted option, 
and the vast majority do on their laptops now, and some on their phones, but 
students love the open network for things like smart TVs, blu-ray players, etc. 
They feel this makes our network *better*. We have some game consoles on the 
open network, but Residence Life encourages students to plug those into a wired 
port (even providing cat5 cables at times), and many take them up on this.

Really, the reason behind this policy is that we DO want to be a hotspot for 
any neighbors or people wandering by. We want to be part of the community, and 
welcoming to guests.

I am concerned about my CALEA exposure, but as a small school we've never had a 
request for data. This may some day force us to make a policy change, but in 
the meantime, I'd have a revolt on my hands if I ever tried to do away with the 
open SSID.





Joel Coehoorn
Director of Information Technology
York College, Nebraska
402.363.5603
jcoeho...@york.edu

The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Fri, Sep 12, 2014 at 8:49 AM, Timothy Fairlie <fair...@rider.edu> wrote:
That's interesting Heath. What's the reasoning behind the exclusion period?


On Fri, Sep 12, 2014 at 9:42 AM, Heath Barnhart <heath.barnh...@washburn.edu> wrote:
We have an open guest network, however, you do have to register with a name, 
email, and phone number. Guests have 3 days of access followed by a 3 day 
exclusion period where the device is not allowed on the network. Access is 
restricted to HTTP, HTTPS, SMTP/POP, SSH, and most VPN. We don't throttle the 
bandwidth.


--
Heath Barnhart
ITS Network Administrator
Washburn University
785-670-2307




On Tue, 2014-09-09 at 15:40 +, Mark Reboli wrote:
I am looking for information on what people do with guest wireless.  Do you 
have open wireless on your campus?  Do you have a password that everyone knows? 
 Do you create special passwords for groups?  Any assistance would be helpful.



Thank you



m



Mark Reboli
Network/Telcom Manager
Misericordia University
(570) 674-6753





RE: [WIRELESS-LAN] guest wireless

2014-09-16 Thread Johnson, Neil M

We consider not having to deal with CALEA / DMCA on our guest network worth the 
cost.

Note: we provide attwifi free-to-guest which means no one has to pay to use 
it.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Lee H Badman 
[lhbad...@syr.edu]
Sent: Friday, September 12, 2014 11:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Neil-

You’re saying ATT charges you for this? Do you charge them back for the Wi-Fi 
offload?

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Friday, September 12, 2014 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless


We contracted with ATT to handle guests and visitors.

We advertise their SSID (attwifi) on our wireless infrastructure and then 
hand the traffic off to them via boxes called Network Management Devices (NMD) 
that they provide. They tunnel the traffic to their cloud via our Internet 
connection.

They take care of the CALEA and DMCA issues.  They benefit by offloading their 
cell customer's data traffic on to our Wifi infrastructure, so the monthly cost 
for us was very reasonable.

-Neil


--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel 
[jcoeho...@york.edu]
Sent: Friday, September 12, 2014 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

I will admit to having a completely open guest network. We don't even require a 
terms of service click-through, and it's not encrypted. We do have some strict 
throttling for file sharing/p2p traffic, and I have some decent auditing 
capabilities, so I can track down violations and restrict them later if needed, 
but that's about it. We do the same throttling and auditing on the regular 
network.

Our Admissions and Advancement offices *love* this: a candidate or guest comes 
on campus, and their device just works: never any 802.1x issues, never a 
problem with sponsorships or authentication. We're in a residential 
neighborhood, but I've learned not to worry about neighbors using our wifi: 
it's really a drop in the bucket. No one uses bandwidth like a college student 
uses bandwidth, and as I'm one of those who live just across the street, I can 
testify that leeching wifi from the college is a horrible personal wifi 
experience (also: before I came here and I had an hour long commute, and I can 
say that walking across the street to get to your office is *awesome*).

We do strongly encourage students/staff/faculty to use the encrypted option, 
and the vast majority do on their laptops now, and some on their phones, but 
students love the open network for things like smart TVs, blu-ray players, etc. 
They feel this makes our network *better*. We have some game consoles on the 
open network, but Residence Life encourages students to plug those into a wired 
port (even providing cat5 cables at times), and many take them up on this.

Really, the reason behind this policy is that we DO want to be a hotspot for 
any neighbors or people wandering by. We want to be part of the community, and 
welcoming to guests.

I am concerned about my CALEA exposure, but as a small school we've never had a 
request for data. This may some day force us to make a policy change, but in 
the meantime, I'd have a revolt on my hands if I ever tried to do away with the 
open SSID.





Joel Coehoorn
Director of Information Technology
York College, Nebraska
402.363.5603
jcoeho...@york.edu

The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Fri, Sep 12, 2014 at 8:49 AM, Timothy Fairlie <fair...@rider.edu> wrote:
That's interesting Heath. What's the reasoning behind the exclusion period?


On Fri, Sep 12, 2014 at 9:42 AM, Heath Barnhart <heath.barnh...@washburn.edu> wrote:
We have an open guest network, however, you do have to register with a name, 
email, and phone number. Guests have 3 days of access followed by a 3 day 
exclusion period where the device is not allowed on the network. Access is 
restricted to HTTP, HTTPS, SMTP/POP, SSH, and most VPN. We don't throttle the 
bandwidth.

--

Heath Barnhart

ITS Network Administrator

Washburn

iOS 8 drops tomorrow

2014-09-16 Thread Johnson, Neil M

We’ve added some additional bandwidth to the links between our wireless nets and 
campus in anticipation of heavy traffic tomorrow.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu






Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Johnson, Neil M
Here is my first pass at requirements:

1. The service must prevent or discourage devices that ARE capable of using 
802.1x authentication from using the service.

2. The service should provide some sort of traceability of devices back to 
their owners.

3. The service must provide some method to deny access to an individual 
device.

4. The service must be easy enough to use that the average student can 
connect a device to the network in 10-15 minutes without requiring assistance 
from ITS.

5. The service must restrict access to only authorized University customers.

6. In the residence halls, the service must support most of the most common 
consumer devices that students might bring to campus.


We are also looking at a “Device Net” for campus for other devices that may not 
do 802.1X (freezer monitors, digital signage, instrumentation, etc.).

For the residence hall device net we are thinking about blocking all access to 
campus resources and just allowing internet access.

For the campus device net we are thinking about RFC 1918 space, restricting the 
devices to on-campus resources only.

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
> <bosbo...@liberty.edu> wrote:
> 
> What are you calling a Device Net?
> 
> We have an open SSID with a custom captive portal using the ClearPass eTIPS 
> API. 
> 
> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect 
> Wizard, registering a non-802.1X device Endpoint in ClearPass (with AirGroup 
> device registration for Apple-TV) and for permitting non-802.1X network 
> access, blocking out internal web server & blackboard servers. If devices try 
> to go to these sites, they are redirected to Cloudpath XpressConnect Wizard.
>  
> I am leaving on vacation for a week, so it may take me a while to respond 
> further.
> 
> Bruce Osborne
> Wireless Engineer
> IT Infrastructure & Media Solutions
>  
> (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
> 
> -Original Message-
> From: Johnson, Neil M [mailto:neil-john...@uiowa.edu] 
> Sent: Thursday, September 3, 2015 12:08 PM
> Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick Survey
> 
> We are investigating a device net at UofI so,
> 
> I would be interested in hearing from anyone who has implemented a Device Net 
> with Clearpass.
> 
> Thanks.
> -Neil
> 
> -- 
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> E-Mail: neil-john...@uiowa.edu
> 
> 
> 
>> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>> 
>> There is an elegance in your wisdom, Chuck.
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
>> Sent: Wednesday, September 02, 2015 5:54 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>> 
>> Don’t tell me.  Ignorance is bliss.  Man, am I happy!
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
>> Sent: Wednesday, September 02, 2015 5:41 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>> 
>> Lee, 
>> 
>> Are you going to share the results of this survey as well?
>> 
>> David
>> 
>> 
>> David Morton
>> 
>> Director, Mobile Communications
>> Service Owner: Wi-Fi, Mobile & HuskyTV
>> University of Washington
>> dmor...@u.washington.edu
>> tel 206.221.7814
>> 
>> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>> 
>> As we look forward in how we service our residential spaces for Wi-Fi, I’ve 
>> put together a quick survey  on if/what other schools are doing (and not 
>> doing) for supporting the perplexing gadgets (TVs, games, entertainment 
>> dongles, etc) over Wi-Fi. Please consider contributing at
>> 
>> https://www.quicksurveys.com/s/Wc92H
>> 
>> I’ll run this for two weeks, will post just a couple more invites on each 
>> list in that period (so you know to expect a couple more… kind of advance 
>> spam warning) and will open the results page up for both lists at the end. I 

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-03 Thread Johnson, Neil M
We are investigating a device net at UofI so,

I would be interested in hearing from anyone who has implemented a Device Net 
with Clearpass.

Thanks.
-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Sep 3, 2015, at 7:24 AM, Lee H Badman  wrote:
> 
> There is an elegance in your wisdom, Chuck.
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
> Sent: Wednesday, September 02, 2015 5:54 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
> dorms- quick Survey
>  
> Don’t tell me.  Ignorance is bliss.  Man, am I happy!
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Wednesday, September 02, 2015 5:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
> dorms- quick Survey
>  
> Lee, 
>  
> Are you going to share the results of this survey as well?
>  
> David
>  
>  
> David Morton
>  
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
>  
> On Sep 2, 2015, at 9:50 AM, Lee H Badman  wrote:
>  
> As we look forward in how we service our residential spaces for Wi-Fi, I’ve 
> put together a quick survey  on if/what other schools are doing (and not 
> doing) for supporting the perplexing gadgets (TVs, games, entertainment 
> dongles, etc) over Wi-Fi. Please consider contributing at
>  
> https://www.quicksurveys.com/s/Wc92H
>  
> I’ll run this for two weeks, will post just a couple more invites on each 
> list in that period (so you know to expect a couple more… kind of advance 
> spam warning) and will open the results page up for both lists at the end. I 
> know I’m not the only one contemplating these questions. Should take minutes 
> to sail through, but decent participation could really help others in their 
> own thoughts about this challenging paradigm.
>  
>  
>  
> Thanks in advance!
>  
>  
>  
> Lee Badman | Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>  
>  
>  



Re: [WIRELESS-LAN] It's that time of year...

2015-12-03 Thread Johnson, Neil M
Some days I’d prefer to be working with wavelengths measured in meters rather 
than centimeters ;-)

-Neil, N0SFH



-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Dec 3, 2015, at 6:43 AM, Jorj Bauer  wrote:
> 
> Shhh, we don't want people to find us.
> 
> 73,
> Jorj, AB3AG
> 
> 
> On 12/02/2015 02:23 PM, Patrick Campbell wrote:
>> It looks like we have a Ham among us judging from the frequency range
>> and “S” signal level instead of dBm.
>> 
>> Pat, WA3UOE
>> 
>> J. Patrick Campbell
>> Wireless System Design Specialist
>> 
>> The Pennsylvania State University
>> 
>> 110 University Support Building 2
>> 
>> University Park, PA 16802
>> 
>> Email: jp...@psu.edu 
>> 
>> Office 814-865-5888
>> Cell 814-280-7630
>> 
>> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Ian McDonald
>> *Sent:* Wednesday, December 2, 2015 2:03 PM
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* Re: [WIRELESS-LAN] It's that time of year...
>> 
>> Hi Brandon,
>> 
>> I'm pretty sure wideband noise from cheap and nasty electronics can
>> cause havoc with most telecommunications.
>> 
>> Whether fairy lights are any better or worse than anything else, I doubt
>> it, though they are very cheaply produced, and unlikely to be very well
>> designed.
>> 
>> My Cisco 837 power supply (while still powering the router quite
>> effectively) developed a S9+40 noise from 1.8MHz to 30MHz, which turned
>> out to be down to the infamous bulgy caps, so it's not down to purchase
>> price either ;)
>> 
>> Best Regards,
>> 
>> --
>> ian
>> 
>> Sent from my phone, please excuse brevity and/or misspelling.
>> 
>> 
>> 
>> *From: *Case, Brandon J 
>> *Sent: *‎02/‎12/‎2015 17:52
>> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> 
>> *Subject: *[WIRELESS-LAN] It's that time of year...
>> 
>> The holidays are officially upon us!
>> 
>> http://gizmodo.com/can-christmas-lights-really-play-havoc-with-your-wi-fi-1745648879
>> 
>> Has anyone else gotten wind of this yet? Seems to be making the rounds here.
>> 
>> Thanks,
>> --
>> Brandon Case
>> Senior Network Engineer
>> IT Infrastructure Services
>> Purdue University
>> ca...@purdue.edu 
>> Office: (765) 49-67096
>> Mobile: (765) 421-6259
>> Fax:(765) 49-46620
>> 
>> PGP Fingerprint:
>> 99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251
>> 



Re: [WIRELESS-LAN] Nyansa Voyance - thoughts?

2016-05-26 Thread Johnson, Neil M
For those of you who are Aruba shops, Do you see this as a replacement for 
Airwave? I didn’t see anything like Visual RF.

I looked at the demo, and while intriguing, at $30 per AP I’d have a hard time 
justifying the cost.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On May 26, 2016, at 6:22 AM, Osborne, Bruce W (Network Services) 
>  wrote:
> 
> I would have expected the cost to be a stopping point for management here as 
> well.
>  
> When management saw the benefits Voyance can provide, we now have plans to 
> deploy on all our wireless network instead of the limited PoC we have now.
>  
> ​
>  
> Bruce Osborne
> Wireless Engineer
> IT Network Services - Wireless
>  
> (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: McClintic, Thomas [mailto:thomas.mcclin...@uth.tmc.edu] 
> Sent: Wednesday, May 25, 2016 9:29 AM
> Subject: Re: Nyansa Voyance - thoughts?
>  
> Ryan,
>  
> Thank you for bringing this into the discussion. The cost turned us away from 
> it quickly. Adding a yearly line item in the budget, knowing that it will 
> grow is not easy to justify.
>  
> I hope they review the pricing model. I too am interested in any information 
> early adopters will share about actual pricing.
>  
> TJ McClintic
> Network Architect
>  
> UTHealth | The University of Texas Health Science Center at Houston
> Houston’s Health University
> 
> Communications Technology | Network Operations
> 7000 Fannin | Suite M60 | Houston, TX  77030
> 713.486.9269 netops | 713.486.2271 office
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
> Sent: Wednesday, May 25, 2016 8:23 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Nyansa Voyance - thoughts?
>  
> I’m curious for those early adopters, how they were on cost.  Right now, 
> according to what they have told me, their pricing for education for 2,500 
> access points is 75,000 PER YEAR.  Now, we are going to be at 10,000 access 
> points.   You can do the math.  They have indicated a willingness to talk 
> about price, but I’m finding it hard to believe most shops are going to be 
> accommodating to that pricing level.  Please feel free to contact me off list 
> if you wish to share anything about your pricing.
>  
>  
> Ryan Turner
> Manager of Network Operations
> ITS Communication Technologies
> The University of North Carolina at Chapel Hill
>  
> r...@unc.edu
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>  
>  
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joe Rogers
> Sent: Wednesday, May 25, 2016 9:17 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Nyansa Voyance - thoughts?
>  
> 
> We also have an 'early adoption' installation at USF.  We've found the client 
> performance data the system provides and the alerts it generates to be 
> helpful and accurate.  For example, we had a fairly large DDoS attack hit our 
> network a couple months ago and the Nyansa system clearly spotted the impact 
> this had on client experience.  The baseline comparisons are useful in 
> identifying areas needing the most attention and the product's ability to 
> monitor and report on critical services like DHCP, DNS and RADIUS helps 
> identify issues which may be affecting large numbers of clients.  The Nyansa 
> team has been very responsive and receptive to suggestions for product 
> improvements.
> 
> Joe Rogers 
> Associate Director, Network Engineering 
> 
> University of South Florida – Information Technology 
> 4202 E. Fowler Avenue, SVC4010, Tampa, FL, 33620 
> j...@usf.edu | Tel: (813) 974-7369 
> http://www.usf.edu/it | Facebook: /USF Information Technology | Twitter: @ USF_IT 
> 
> On 05/24/2016 01:01 PM, Turner, Ryan H wrote:
> All:
>  
> I was recently approached by a vendor offering a wireless analysis software 
> that combines the processing of AMON in conjunction with deep packet 
> inspection (through collectors that are looking at all the traffic coming off 
> of your controllers via SPAN or Taps).  I was impressed with what I saw.  The 
> company has apparently been in stealth mode until about 5 weeks ago, so most 
> on this list would not have heard of them.
>  
> They offer up Brandeis University as one of their early adopters.  Has anyone 
> else had a chance to look into this yet?  The website isn’t going to give you 
> a lot.  If you go to Youtube, you’ll find 

Re: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Johnson, Neil M
eduroam should work with just about any authentication method that uses EAP 
(PEAP, TLS, TTLS), etc.

So if you are, say, moving to TLS (client certificates), it should still just 
work.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Jun 17, 2016, at 10:19 AM, Curtis K. Larsen wrote:
> 
> We're beginning to run into this problem as well.  Luckily, eduroam is not
> our primary SSID so at least the critical business functions continue to
> work fine on a separate SSID.  My guess is that we'll end up turning eduroam
> off at those remote locations if problems get reported.
> 
> In talking with the eduroam admin from the other institution they mentioned
> that when this occurs in Europe the solution has been to change the name of
> the SSID.  Is this really allowed?  If so, I'm sold!  Then we can start
> using our primary SSID with eduroam credentials!  This is what I always
> thought eduroam should have been.  To me the value was always in the
> universal credential *NOT* the SSID name.  That was always a drawback for me
> especially as supplicants become easier to configure.
> 
> The other problem that we're going to run into soon is that we will be
> phasing out PEAP on our main SSID to mitigate against the evil twin
> vulnerability, but what do we do with eduroam?  I mean I guess you could say
> it is the remote institution's problem, or the user's problem if they
> connect to an evil twin on your campus because they're not validating the
> server.  But if the evil twin is on your campus it seems you have at least
> some responsibility in the matter.  But as it stands, eduroam will leave a
> bit of a gaping security hole for us.
> 
> -- 
> Curtis K. Larsen
> Senior Network Engineer
> University of Utah IT/CIS
> 
> 
> 
> On Fri, June 17, 2016 7:35 am, Turner, Ryan H wrote:
>> Yes.  We have a satellite school at UNC Asheville.  Up until recently, UNC
>> Asheville was not running eduroam, and UNC Chapel Hill was the only
>> occupant of a couple of buildings on campus.  UNC Asheville adopted eduroam
>> and wanted to move into adjoining spaces.  So we were going to have the
>> situation where UNC Chapel Hill folks might attach to the wrong
>> institution’s eduroam and vice versa.  We ended up bridging the two
>> networks together through a single link, and based on realm, UNC Asheville
>> will terminate UNC Chapel Hill folks directly to our network (through
>> trunked vlans).  It is nice, because now anywhere on UNC Asheville campus,
>> UNC Chapel Hill folks have UNC Chapel Hill IP space.  Because it made
>> sense, we actually turned off our access points and allowed UNC Asheville
>> to provide wireless in our areas (so we wouldn’t have competing wireless).
>> 
>> 
>> Ryan Turner
>> Manager of Network Operations
>> ITS Communication Technologies
>> The University of North Carolina at Chapel Hill
>> 
>> r...@unc.edu
>> +1 919 445 0113 Office
>> +1 919 274 7926 Mobile
>> 
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Becker, Jason
>> Sent: Thursday, June 16, 2016 11:45 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] eduroam ssid
>> 
>> Has anyone run into this situation…
>> 
>> We are an eduroam participating school and have multiple buildings that are
>> either across the road or sometimes sidewalk that another University owns.
>> The other school is wanting to join eduroam so my issue is when we are both
>> broadcasting the same ssid in possibly the same airspace.  I have a feeling
>> this is going to cause many problems as clients could bounce back and forth
>> between systems.
>> 
>> If you had to deal with this I'd like to hear your thoughts on it.
>> 
>> --
>> Thanks,
>> Jason Becker
>> Network Systems Engineer
>> Washington University in St. Louis
>> jbec...@wustl.edu
>> 314-935-5006

