Re: Linux DHCP Proxy configuration via option 43 for Juniper MIST

2021-08-30 Thread Felix Windt
Assuming ISC DHCPd and the details from 
https://www.mist.com/wp-content/uploads/Mist_Proxy_URL_Conf.pdf, I'd think it 
would be something like this, making sure you adjust the SKUs you use:

option space MistAPs;
option MistAPs.ProxyURL code 1 = string;

# Select the vendor option space per AP model, based on the vendor class
# identifier (option 60) the AP sends.
if option vendor-class-identifier = "Mist AP41-US" {
    vendor-option-space MistAPs;
}
if option vendor-class-identifier = "Mist AP43-US" {
    vendor-option-space MistAPs;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
    # [omitting all other options]
    pool {
        option MistAPs.ProxyURL "https://your-proxy-url.here";
    }
}

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Kris Vangeel 

Sent: Monday, August 30, 2021 8:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Linux DHCP Proxy configuration via option 43 for 
Juniper MIST


Hello



We are currently running a POC with MIST. As our APs need to pass through a 
Proxy to get to the Mist Cloud, I would like to get this configured through 
DHCP option 43. I found an example for Windows DHCP server in the Mist 
documentation but nothing for Linux.



In case anyone has this running through Linux DHCP, I would be very interested 
if you could share the relevant option 43 config.



Thanks in advance



Kris Vangeel

University of Leuven

Belgium

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
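
What the `MistAPs` option space in the reply above puts on the wire, as an added Python example that is not part of the original message or of Mist's documentation: it packs sub-option 1 into the option 43 payload, parses it back, and prints the colon-separated hex to compare against a packet capture. It assumes ISC dhcpd's default encapsulation for a custom option space (one-byte code, one-byte length); the function names and the URL sanity checks are this example's own.

```python
from urllib.parse import urlsplit

PROXY_URL_CODE = 1  # matches "option MistAPs.ProxyURL code 1" in the config


def check_proxy_url(url):
    """Sanity checks assumed for this example, not taken from Mist's docs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("proxy URL needs an http(s) scheme and a host: %r" % url)
    if not url.isascii() or any(c.isspace() for c in url):
        raise ValueError("proxy URL must be plain ASCII without whitespace")
    return url.encode("ascii")


def encode_option43(suboptions):
    """Pack {code: bytes} as 1-byte code, 1-byte length, value."""
    out = bytearray()
    for code, value in sorted(suboptions.items()):
        if not 1 <= code <= 254:  # 0 and 255 are reserved for pad and end
            raise ValueError("sub-option code out of range: %d" % code)
        if len(value) > 255:
            raise ValueError("sub-option %d is longer than 255 bytes" % code)
        out += bytes([code, len(value)]) + value
    if len(out) > 255:
        raise ValueError("encoded payload does not fit in one option 43")
    return bytes(out)


def decode_option43(payload):
    """Parse option 43 bytes back into {code: bytes}; reject malformed input."""
    result, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:      # pad byte
            i += 1
            continue
        if code == 255:    # end marker (RFC 2132, section 8.4)
            break
        if i + 1 >= len(payload):
            raise ValueError("sub-option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d is truncated" % code)
        result[code] = bytes(value)
        i += 2 + length
    return result


def to_dhcpd_hex(payload):
    """Colon-separated hex, the form dhcpd and most capture tools display."""
    return ":".join("%02x" % b for b in payload)


def build_proxy_option(url):
    return encode_option43({PROXY_URL_CODE: check_proxy_url(url)})


if __name__ == "__main__":
    wire = build_proxy_option("https://your-proxy-url.here")  # placeholder URL
    print(to_dhcpd_hex(wire))
    print(decode_option43(wire))
```
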



Re: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

2021-04-13 Thread Felix Windt
Three or four years ago we removed all filters, captive portals for terms of 
service, and bandwidth restrictions from our guest network. It’s now a wide 
open SSID that goes straight out to the Internet, but needs to traverse the 
same set of security tools to reach campus resources as any other connection 
initiated from the Internet. We haven’t had any issues with this whatsoever.

thx,
felix

Felix Windt
Dartmouth Network Services

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Curtis K. Larsen" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, April 12, 2021 at 7:20 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

Hello,

Curious to know if any have removed or recently raised the rate limit on the 
Guest Wi-Fi network at your institution, particularly large universities or 
hospitals.  If you have taken that step how is it going?  Also curious to hear 
what speeds you rate limit to if it is rate limited and how you came to that 
conclusion.

Thanks,

--
Curtis K. Larsen
Wireless Network Engineer III
The University of Utah




Re: [WIRELESS-LAN] WLAN onboarding

2021-04-07 Thread Felix Windt
At Dartmouth, we use the free eduroam tool to onboard our PEAP/MS-CHAPv2 
eduroam SSID, which is our only 802.1x WLAN. It works really well for us. 
Occasionally I argue for switching to EAP-TLS; at that point we’d switch to a 
tool that does the certificate provisioning.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Wednesday, April 7, 2021 at 10:05 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] WLAN onboarding

Hello everyone, hope your semesters are going along smoothly and that you are 
all staying healthy. As always- this message is not an invite for vendors to 
contact me.

Looking out down our short timeline, we need to make a number of decisions 
about various aspects of our WLAN operations. One of these decision points is 
if/how to do the 802.1X onboarding after our current solution goes End of 
Everything at year’s end. To that end, I’m looking for any and all feedback on 
these questions:

- If you are using PEAP/MS-CHAP v2, what is your onboarder of choice (even if 
none, with manual config as methodology)?
- If you are doing PEAP-TLS, what is your onboarder of choice?
- Have you recently piloted any onboarders that you just hate for any reason?
- For those using eduroam as your 802.1X environment, have you found the free 
configuration tool to be reliable? Any downsides to using it at scale?

Interested in 3rd party, native, whatever.

Thanks as always,

Lee Badman

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu




Re: [WIRELESS-LAN] Wi-Fi and Covid

2021-04-01 Thread Felix Windt
If anyone is looking into doing this and is a Splunk customer and already 
throwing WiFi data from either Cisco or Aruba in there, they developed apps 
that can do more or less this. Contact tracing, cluster visualization on maps, 
and so on.
We didn’t end up going that route at all as a conscious decision to not overtly 
track students via WiFi, so I didn’t keep up on whether these were going to be 
made public or required an integration partner to configure. The demos were 
quite impressive, though, and if you already have the data set and product, 
it’s pretty much free for operation. The money is in the Splunk costs for 
keeping all that data.

Thanks,

Felix Windt
Senior Director, Network Services
Information, Technology, and Consulting
Dartmouth College
+603 646 8101

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Dan Lauing 
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, April 1, 2021 at 3:53 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid

I don't believe Wi-Fi is a good technology for this. It's nice when you can 
reuse existing overhead, but I don't think 2.4/5/6 radio is the answer. You're 
just begging for false positives.

On Thu, Apr 1, 2021 at 2:47 PM Seth Bean <seth.b...@mcla.edu> wrote:
We ducked this by explaining our wireless design was created for coverage, not 
security/triangulation, which is true.  Many of our buildings do not have the 
capability to do triangulation because of AP positions.  We didn't even get into 
the privacy item, which was honestly a relief.


Seth Bean
Administrator of Networks and Telecommunications
APA Union Chapter President
Massachusetts College of Liberal Arts
413.662.5022
413.663.1276

375 Church Street
North Adams,
MA 01247
“National Top Ten
Public Liberal Arts College”
2020-2021 US News & World Report

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Thursday, April 1, 2021 3:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid



Several vendors are trying to monetize COVID… the Wi-Fi part (in my opinion) 
falls apart fairly quickly in spots when you start talking it through for 
contact tracing- and usually to do it you may have to buy things you don’t have 
to round out the system.



FWIW.



Lee Badman | Network Architect (CWNE#200)

Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

t 315.443.3003   e lhbad...@syr.edu w its.syr.edu

Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems

SYRACUSE UNIVERSITY
syr.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Philippe Hanset
Sent: Thursday, April 1, 2021 3:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wi-Fi and Covid



All,



Has anyone else been approached by AFCOTRA?

They have developed an algorithm to map Wireless users and Covid Contamination.

They want to use Wi-Fi logs to establish mapping of Covid Cross Contamination 
on campus.

(I guess linking MAC address to Wi-Fi triangula

Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Felix Windt
https://www.eduroam.org/configuration-assistant-tool-cat/

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Patrick Mauretti 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Tuesday, September 22, 2020 at 3:02 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Okay I’ll bite.  What’s the CAT tool you mentioned?  Link?

-Patrick


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Floyd, Brad
Sent: Tuesday, September 22, 2020 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise


Fishel,
We have run into this on some versions of Android OS and the solution that 
works for us is to import our CA’s root certificate into the device. Once we 
import the root certificate and select it during the profile setup, the 
connection is established.
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fishel Erps
Sent: Tuesday, September 22, 2020 12:10 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Tim,

We use:

EAP Method = PEAP
Phase 2 = MSCHAPv2
CA Certificate = Unspecified
Identity = [username]
Password = [password]

The credentials trigger the return of a filter-ID from the RADIUS server to the 
controller, which the controller then uses to put the user into a VLAN.

Some Android devices that are running version 11 no longer have an option of 
“unspecified” under CA Certificate, and none of the other choices seem to work.



__
__


Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___


On Sep 22, 2020, at 12:04, Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
Can you please provide some basic details?

  *   What exactly is "broken"?
  *   Which EAP method?
  *   Which credential type?
  *   How is/was the supplicant provisioned?
  *   Are only new devices affected or just upgraded devices?


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Fishel Erps 
<0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, September 22, 2020 12:02
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi,

v11 seems to have broken credential authentication for RADIUS and 
WPA2-Enterprise/802.1x.

Has anyone found a workaround?


__
__


Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C:  347-539-6380
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___



Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Felix Windt
This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking 
CoAs when the Event-Timestamp attribute was present.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Turner, Ryan H" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

We currently use Extreme Network Access Control.  We have had this for 14 years 
and it works very well.  We integrated it with Aruba wireless years ago, and we 
are able to send back filter IDs on the initial authentication to change roles, 
as well as issue disconnects to the user, forcing them to reauthenticate to 
their new policy (for example, a user is online and doing something bad, we 
send a disconnect message to the controllers and the user reconnects and 
authenticates with the new role).

We are now having to integrate with another institution’s Cisco wireless 
controllers.  We have the authentication stuff working great.  But we are 
unable to get the disconnect/CoA to work.  We believe we have the correct 
format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I 
think it is UDP 3799 off the top of my head).  We are getting back NAKs, and 
the message indicated is ‘invalid attributes’.  We aren’t sure what attributes 
to send back for the disconnect.  Obviously the other third party NACs have to 
do this correctly, but I’ve been unable to find documentation.  Extreme has 
some old documentation, but it appears wrong.  Any experts out there on this?  
Anyone willing to do a reauthentication from their NAC to their controllers and 
send us the packet trace?  If we know what attributes you are sending, that is 
likely what we need to make this work.

I’ve opened a ticket to Extreme, and I’ve asked the other institution to open a 
ticket with Cisco.  But this may get me results quicker.

Thanks!

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)
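
The Disconnect-Request discussed in this thread, as an added Python example that is not part of the original messages: it builds the RFC 5176 packet keyed on Calling-Station-Id, with Event-Timestamp optional so both variants can be compared against a packet trace, and decodes the Error-Cause of a Disconnect-NAK. The shared secret, MAC address, timestamp and reply are constructed sample values, and which attributes a particular controller accepts is not something the thread settles.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 31, 55, 101
ERROR_CAUSES = {  # subset of the RFC 5176 Error-Cause values
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    407: "Invalid Attribute Value",
    503: "Session Context Not Found",
}


def format_mac(mac):
    """Normalise a MAC to the xx-xx-xx-xx-xx-xx form mentioned in the thread."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def encode_attr(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def authenticator(packet, prior, secret):
    """MD5(code+id+length + prior 16 octets + attributes + shared secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    return hashlib.md5(packet[:4] + prior + packet[20:length] + secret).digest()


def seal(code, ident, attrs, prior, secret):
    packet = struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs
    return packet[:4] + authenticator(packet, prior, secret) + attrs


def build_disconnect_request(ident, secret, mac, event_time=None):
    """Disconnect-Request keyed on Calling-Station-Id; Event-Timestamp optional."""
    attrs = encode_attr(CALLING_STATION_ID, format_mac(mac).encode("ascii"))
    if event_time is not None:
        attrs += encode_attr(EVENT_TIMESTAMP, struct.pack("!I", event_time))
    # Requests are sealed over 16 zero octets in the authenticator field.
    return seal(DISCONNECT_REQUEST, ident, attrs, bytes(16), secret)


def build_reply(request, secret, code, error_cause=None):
    """Constructed reply, standing in for what a NAS would send back."""
    attrs = b""
    if error_cause is not None:
        attrs = encode_attr(ERROR_CAUSE, struct.pack("!I", error_cause))
    # Replies are sealed over the Request Authenticator of the request.
    return seal(code, request[1], attrs, request[4:20], secret)


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return code, ident, packet[4:20], attrs


def explain_reply(reply, request, secret):
    code, ident, auth, attrs = parse_packet(reply)
    expected = authenticator(reply, request[4:20], secret)
    if ident != request[1] or not hmac.compare_digest(expected, auth):
        return "reply does not match the request"
    if code == DISCONNECT_ACK:
        return "Disconnect-ACK"
    for atype, value in attrs:
        if code == DISCONNECT_NAK and atype == ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            name = ERROR_CAUSES.get(cause, "unknown")
            return "Disconnect-NAK: Error-Cause %d (%s)" % (cause, name)
    return "code %d without Error-Cause" % code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_disconnect_request(2, secret, "AA:BB:CC:00:11:22", 1587129960)
    print(parse_packet(req)[3])
    print(explain_reply(build_reply(req, secret, DISCONNECT_NAK, 407), req, secret))
```
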




Re: [WIRELESS-LAN] Implementing registration based Guest Wi-Fi

2020-02-24 Thread Felix Windt
Just for argument’s sake: why? Your users do not care about their WiFi access 
being authenticated. They don’t care about it being encrypted. From your user’s 
perspective, you’re about to make the wireless system behave worse.

Do you have an underlying reason that makes driving traffic towards the 
authenticated, encrypted wireless network a requirement, or is it for its own 
sake? If it’s the latter, you’ll have a lot of unhappy users on your hands, 
without a good reason to explain to them why that change was made.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Mangaiah Chowdary Garikapati 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, February 24, 2020 at 4:40 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Implementing registration based Guest Wi-Fi

Main goal is to put registration in front of unsecured Guest Wireless to help 
drive more traffic towards an authenticated secured campus wireless but 
students bring personal devices which may not be compatible with the 
registration / authentication process which is why we are enabling MAC bypass 
process on Guest wireless through Mydevices portal but encountering issues to 
make them work like before with casting / mirroring working.

Thank you,
Mangaiah Chowdary Garikapati
Project Manager
PMO | Division of Information Technology
3100 Sycamore Road | DeKalb, IL 60115
mgarikapa...@niu.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Rob Harris
Sent: Monday, February 24, 2020 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Implementing registration based Guest Wi-Fi

May I ask what your goals are in this change?

(to echo the other responses, Aruba Clearpass is a great choice for this, we 
use it and it does everything we need it to).


Robert Harris
Manager – Telecom, Networks, & AV Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu
Food is Life
Create and Savor Yours.™

Please consider the environment before printing this e-mail.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Mangaiah Chowdary Garikapati
Sent: Monday, February 24, 2020 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Implementing registration based Guest Wi-Fi

Hello,

At NIU, we are currently undergoing a project to move away from open access 
Guest Wireless to a registration based Guest Wireless using Cisco ISE and we 
are having following issues and any help or suggestions on these are much 
appreciated.


  1.  In the new system, devices are not able to see each other for casting 
purposes, is there any option we need to select to enable various casting and 
mirroring capabilities in the new registration based Guest Wireless?
  2.  We are also using ‘Mydevices’ portal to add devices which doesn’t have 
capabilities to register / authenticate (e.g. Chromecast, Roku etc.) but this 
is looking like a hit and miss where some devices connect immediately and some 
take at least an hour to two to be recognized and allowed to connect to the AP. 
Any suggestions why this could be happening?

Thank you,
Mangaiah Chowdary Garikapati
Project Manager
PMO | Division of Information Technology
3100 Sycamore Road | DeKalb, IL 60115
mgarikapa...@niu.edu




Re: [WIRELESS-LAN] Mist - Juniper Feedback

2019-12-16 Thread Felix Windt
Dartmouth is currently migrating to Mist. Happy to provide some feedback, feel 
free to reach out off-list and we can talk via email or phone.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Blake Brown 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, December 16, 2019 at 12:49 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Mist - Juniper Feedback

Good morning,

MHCC is looking at alternatives for our current Wi-Fi solution and one that has 
come up is Mist. Does anyone on the list have this system currently deployed 
and willing to provide some feedback on it?

Thanks,
Blake Brown
503-491-6910
Infrastructure Manager






Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Felix Windt
I’d pay a fair price for an easily administered solution that lets us roll out 
PPSK in the dorms and deploy broadcast/multicast domains scoped to specific 
users.

We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed. That SSID bridges through to VLANs in a DMZ, and 
its only real restriction is that it can only reach proper public IP addresses 
on campus, plus 2-3 applications on private IPs that are specifically 
permitted. That’s enforced on the firewalls between campus and the DMZ.
We do see quite a lot of students on that SSID permanently. As a huge amount of 
our student applications are either cloud hosted or available on the public 
Internet, that works just fine for them. We’d prefer them on eduroam, but user 
experience trumps our preferences. The only real problem is devices such as 
Sonos sound bars, Google appliances, and other devices that will only support 
PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll 
care about where devices are. At that point it seems not just more user 
friendly but easier for IT overall to just throw reasonable security in front 
of web apps that the student and faculty population need to access, and let 
them sit on the SSID that’s easier to get on to. Administrative machines under 
central control would probably be kept on properly authenticated networks, but 
those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,

Felix Windt
Dartmouth College

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Rumford, Charles" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, September 12, 2019 at 2:26 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I agree that complicated onboarding is the worst from the end user perspective 
and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. 
The biggest hurdle I ran into with it was the randomization of MAC addresses 
for devices. I've been told Android 10 has it on by default, and I know that 
Windows supports it also. I could only see issues from a support issue coming down 
the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)

From: "Enfield, Chuck" 
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Thursday, September 12, 2019 1:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’ve never been a fan of the complicated onboarding. It’s intrusive, and unlike 
any other wireless experience an individual will encounter in their life i.e. 
any other wifi-enabled location/venue.
With the growing trend of EDUs moving to SaaS and other Cloud solutions, 
wireless will be nothing but a gateway to those external services. When it’s 
easier to consume those services via one’s own unlimited-data cellular 
connection, or go to Starbucks, it may be time for us (EDU’s) to reevaluate our 
approach.

Besides a purely open network, the next-best (same?) experience to home would 
be something like PPSK or for the Cisco folks IPSK. You get something slightly 
better than an open network, but it’s PSK and all of those wonderful IoT 
devices just work. My crystal ball wish is to have that PPSK/IPSK solution then 
group that user’s devices into a private virtual home network, providing 
something that approaches their home experience.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Kurtis Olsen 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Thursday, September 12, 2019 at 9:27 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding 
process and have been asked to look at providing an Open SSID that has little 
to no onboarding.  I see an advantage being the ease of connecting but I have 
some concerns, mainly about providing a s

Re: Cisco WLC CPU ACL

2015-12-15 Thread Felix Windt
We are running CPU ACLs both on IPv4 and IPv6. The obvious thing is that you 
want to make sure to account for all your CAPWAP sources and all your 
management stations. If you use Prime Infrastructure to manage your WLCs, 
definitely don't forget accounting for that.

Also for Prime: its ACL builder is horrible, so we kept it intentionally simple 
with the least number of ACEs (often permitting all IP traffic instead of 
branching out to protocols, for example on the dedicated networks for APs 
sourcing CAPWAP tunnels). The worst gotcha is that ACLs are submitted line by 
line, which at one point locked out Prime itself since it created something 
that didn't account for itself. The workaround is to always first disable CPU 
ACLs entirely, then to submit the new ACL, double check that it's applied 
correctly, and to only then re-enable it for enforcement.

Otherwise we've had no issues whatsoever.

Hope that helps,

felix

Dartmouth


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Dennis Xu 
Sent: Tuesday, December 15, 2015 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC CPU ACL

Has anyone implemented CPU ACL on Cisco WLCs and any lessons learned?

I would like to apply CPU ACLs to protect WLC dynamic interfaces and hope it 
will not break anything. :)

Thanks!

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
