Re: [External] [WIRELESS-LAN] Protecting Cisco 1815w APs

2021-09-27 Thread Hunter Fuller
We haven't really had an issue with these units getting irreparably
damaged. I specifically am not aware of any user ports being damaged
ever.

We do alert when they go offline, and we do have an agreement
with Housing to bill any irreparable AP damage to the tenants. But
we've never had to do it.

I definitely recommend you get this agreement in place if possible. If
the user ripped the light fixture off the wall and smashed it, the
solution would not be to put a cage around the light fixture - ya
know? Food for thought.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering



On Thu, Sep 23, 2021 at 11:55 AM Gray, Sean  wrote:
>
> Hi Everyone,
>
>
>
> I hope you are all surviving another semester start up without too much pain!
>
>
>
> We have a large number of wall mounted Cisco 1815w access points on campus. 
> Lately we have noticed that the LAN ports are getting damaged and are looking 
> at ways to stop people tampering with the patch cables.
>
>
>
> I’m interested to see if anyone else has experienced this problem and am 
> wondering what steps they took to protect their access points?
>
>
>
> Thanks
>
>
>
> Sean
>
>
>
> Sean Gray | B.Sc (Hons)
>
> Voice, Collaboration & Wireless Network Analyst
>
> ITS, University of Lethbridge
>
>
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community



Re: [External] Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Hunter Fuller
Hi Jonathan,

UAH is using an offline CA we call the "Russ CA," named affectionately
after our previous CISO. Here is how Russ created the Russ CA and signed
our eduroam cert using this CA:

$ openssl genrsa -des3 -out rootCA.key 4096
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 7300 \
    -out rootCA.crt
$ openssl ca -create_serial -keyfile rootCA.key -cert rootCA.crt \
    -in input.pem -out out.crt -config ./server.cnf

Where:
 - rootCA.key becomes the Root CA private key
 - rootCA.crt becomes the Root CA cert
 - input.pem is the CSR from your RADIUS (ClearPass I guess)
 - out.crt becomes the signed cert for RADIUS

You will be asked to provide a passphrase for the Root CA key. It is
vitally important that this be kept secure and that you do not lose it.
You will be asked for information about the Root CA when you make the cert.
Give real information. It shows up on iPhones under some circumstances, at
the very least.
Do not lose the root CA key, cert, or passphrase between signings! If you
lose it, you will have to restart from nothing, and reprovision all your
users.

We have been using this method for the past couple of years with no trouble.
If you have any other questions let me know.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
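
The procedure in the message above, as an added non-interactive example that is not part of the original message and is not UAH's own script. The server.cnf used in the message is not shown, so ca.cnf below is a constructed stand-in; the organization name, radius.example.edu, the passphrase, the 730-day lifetime, the use of -aes256 in place of -des3 and the extension set are assumptions for illustration (check the GEANT page linked in the quoted message for what your supplicants require). It also shows why the root matters: a certificate with the same server name issued by any other CA is rejected by a client that validates against this root.

```shell
#!/bin/sh
# Added example, not from the thread. Names, DN values and the passphrase are
# constructed placeholders; ca.cnf stands in for the unshown server.cnf.
set -eu
CA_KEY_BITS="${CA_KEY_BITS:-4096}"

# Write one config used for the root cert ("req -x509") and for signing ("ca").
# $1 = CA directory, $2 = RADIUS server FQDN to place in the SAN.
write_ca_config() {
    mkdir -p "$1/newcerts"
    [ -f "$1/index.txt" ] || : > "$1/index.txt"
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = root_dn
x509_extensions    = v3_root
prompt             = no
[ root_dn ]
O  = Example University
CN = Example University eduroam Root CA
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = offline_ca
[ offline_ca ]
database        = $1/index.txt
new_certs_dir   = $1/newcerts
serial          = $1/serial
default_md      = sha256
default_days    = 730
policy          = policy_server
x509_extensions = eap_server
unique_subject  = no
# Ignore extensions requested in the CSR; the CA decides what it certifies.
copy_extensions = none
[ policy_server ]
organizationName = optional
commonName       = supplied
[ eap_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$2
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# $1 = CA directory. The key passphrase is read from ROOT_CA_PASS so it never
# appears on a command line. Keep the whole directory (key, cert, index.txt,
# serial) offline and backed up between signings.
make_root_ca() {
    openssl genrsa -aes256 -passout env:ROOT_CA_PASS \
        -out "$1/rootCA.key" "$CA_KEY_BITS" 2>/dev/null
    chmod 600 "$1/rootCA.key"
    openssl req -x509 -new -config "$1/ca.cnf" -key "$1/rootCA.key" \
        -passin env:ROOT_CA_PASS -sha256 -days 7300 -out "$1/rootCA.crt"
}

# $1 = CA directory, $2 = CSR from the RADIUS server, $3 = signed cert to write.
sign_radius_csr() {
    openssl ca -batch -notext -create_serial -config "$1/ca.cnf" \
        -keyfile "$1/rootCA.key" -passin env:ROOT_CA_PASS \
        -cert "$1/rootCA.crt" -in "$2" -out "$3" 2>>"$1/ca.log"
}

# The checks a validating supplicant makes: chain to the root it was given,
# server-auth purpose, expected server name. (openssl verify may also consult
# the system trust directory; a supplicant profile pins only this root.)
# $1 = root cert, $2 = server cert, $3 = expected FQDN
client_would_trust() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" \
        "$2" >/dev/null 2>&1
}

demo() {
    DEMO_DIR=$(mktemp -d)
    ROOT_CA_PASS='constructed-passphrase-for-demo'; export ROOT_CA_PASS
    fqdn=radius.example.edu
    write_ca_config "$DEMO_DIR/ca" "$fqdn"
    make_root_ca "$DEMO_DIR/ca"
    # Constructed stand-in for the CSR exported from the RADIUS server.
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO_DIR/ca/ca.cnf" \
        -subj "/O=Example University/CN=$fqdn" \
        -keyout "$DEMO_DIR/radius.key" -out "$DEMO_DIR/input.pem" 2>/dev/null
    sign_radius_csr "$DEMO_DIR/ca" "$DEMO_DIR/input.pem" "$DEMO_DIR/out.crt"
    # Same server name, but issued by a CA the client was never given.
    write_ca_config "$DEMO_DIR/other" "$fqdn"
    ( CA_KEY_BITS=2048; make_root_ca "$DEMO_DIR/other" )
    sign_radius_csr "$DEMO_DIR/other" "$DEMO_DIR/input.pem" "$DEMO_DIR/other.crt"
    for c in out.crt other.crt; do
        if client_would_trust "$DEMO_DIR/ca/rootCA.crt" "$DEMO_DIR/$c" "$fqdn"
        then echo "$c: accepted"; else echo "$c: rejected"; fi
    done
}
demo
```
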


On Tue, Aug 10, 2021 at 9:57 AM Jonathan Miller  wrote:

> Thank you all for the informative replies.  As is probably obvious, when
> we initially rolled this out, we were completely unaware of the best
> practices, and are currently working to correct that and get our
> infrastructure where it should be.
>
> We do not have an in-house PKI expert, but we are not completely
> unfamiliar with OpenSSL.  We do not currently have any internal CA as we've
> just used InCommon for all of our certificate needs.
>
> If we want to do this right, my understanding is that the process is to:
> 1.  Create a Root CA with a long-lived certificate
> 2.  Create a certificate for our ClearPass servers, signed by that Root
> CA, making sure to include the attributes listed here:
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
> 3.  Apply the certificate to ClearPass and distribute our new Root CA via
> CAT or other means
>
> Would we be crazy to try to accomplish this inside of the 2 weeks that we
> have before students start to return to campus?  Any advice is appreciated,
> just trying to steer this boat away from the iceberg.
>
> Thanks,
>
> Jonathan Miller
> Senior Network Analyst
> Franklin and Marshall College
>
>
> On Mon, Aug 9, 2021 at 12:12 PM Jeffrey D. Sessler <
> j...@scrippscollege.edu> wrote:
>
>> CAs have done nothing in fifteen plus years, so from a risk management
>> perspective, the chance of them changing course now is rather low. As to
>> future RFCs, even if that happened tomorrow, it could be a decade or more
>> before there was broad support, and more importantly, we could think about
>> enforcement.
>>
>>
>>
>> Jeff
>>
>>
>>
>>
>>
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
>> *Sent:* Monday, August 09, 2021 8:05 AM
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New
>> Root
>>
>>
>>
>> CA policies really have nothing to do with implementations of other
>> protocols. There have been many discussions about this on this list and
>> others, and a future RFC will likely include further clarity. However, as
>> I've said in the past, RFCs do not dictate CA/B policies.
>>
>>
>>
>> If we're going to continue this discussion, we should fork a new thread
>> as it has nothing to do with the original question.
>>
>>
>>
>> tim
>> --
>>
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler <
>> j...@scrippscollege.edu>
>> *Sent:* Monday, August 9, 2021 10:53
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> *Subject:* Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New
>> Root
>>
>>
>>
>> Per the RFC, the certificate-using application _*MAY*_ require the EAP
>> extended key usage extension to be present. It is not a must or shall, so
>> I’m not exactly sure the problem here. Vendors have chosen against
>> requirement.
>>
>>
>>
>> The certificate-using applicat

Re: [External] Re: [WIRELESS-LAN] Apple product antenna strength vs other?

2021-06-04 Thread Hunter Fuller
If we are looking for anecdotes that more or less address the initial
question,

I use a Surface Pro 6 (Marvell wireless) and an iPhone 10S, and I do Wi-Fi
work on both. It's my experience that, if I'm in an extremely marginal
Wi-Fi situation, for instance, I am in a building that is experiencing an
outage so my devices are associated to the neighboring building, the iPhone
is much more likely to be able to squeeze a useful amount of throughput out
of a very weak signal. Usually the Surface is struggling to remain
associated, with tons of jitter and almost zero usable traffic (even ssh is
hard to use). But if I ssh from my iPhone, it's just a little jittery, and
I can do enough work to download a file or two, etc.

Basically, I can't speak to MacBooks, but every iPhone I've used seems to
have an exceptionally good antenna, Wi-Fi radio, or both.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Fri, Jun 4, 2021 at 11:21 AM Enfield, Chuck  wrote:

> I guess I should have answered your original question too.  I’m not aware
> of any trend where Apple devices see a much weaker signal than comparable
> Windows or Android devices.  An intuitive impression based on my experience
> is that MacBooks tend to have a couple dB weaker signal than Windows
> laptops.  The difference in reported signal quality could be based on
> whether a statistic is measured or calculated and have nothing to do with
> the hardware.  (For example, a device measures the RSSI and noise floor and
> calculates the SNR, or it may measure the SNR, estimate the noise floor, and
> calculate the RSSI.  You can expect these methods to produce slightly
> different results in good circumstances, and wildly different results when
> the noise floor is very high.)  Regardless of the measurements, when I’ve
> done side-by-side comparisons of Windows and MacBooks, they’re usually
> connected at the same data rate, but sometimes the MacBook is one rate
> lower, which is why I suspect a couple dB difference.
>
>
>
> I’d like to reiterate; this is just my impression based on multiple
> measurements with a small number of devices in the course of routine
> troubleshooting.  If anybody’s experience differs, please share.  You won’t
> get an argument from
> me.
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Enfield, Chuck
> *Sent:* Friday, June 4, 2021 11:14 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Apple product antenna strength vs other?
>
>
>
> Along the same lines as what Lee said, you need to make sure all the
> client devices are connecting to the same AP and radio.  I also don’t
> recommend relying on bars for anything.  Perhaps there’s a standard for
> them now, but if there is I’m not aware of it.  To see the connection
> details:
>
>
>
> - On Mac, hold the Option key while clicking the wireless icon.
> - On Android, download any of the myriad apps which provide network
>   connection details.  You can also enable developer options (Google the
>   steps), then enable Wi-Fi verbose logging to see more connection details
>   right in the Wi-Fi menu on your device.
> - On Windows, the OS reports Wi-Fi strength in % instead of dB, so I
>   recommend an app.  If you haven’t purchased any Wi-Fi diagnostic apps for
>   Windows, then there’s a free one in the app store called Wi-Fi Analyzer
>   that will give you the basic info.  I wouldn’t trust everything in the app
>   (it seems to think all channels are 20 MHz) but I’ve found the other basic
>   info (channel, rssi, protocol, bssid) reliable.
> - Sadly, I’m not aware of how to get any useful network information
>   from iOS devices.
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Tyler
> *Sent:* Friday, June 4, 2021 10:43 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Apple product antenna strength vs other?
>
>
>
> Chuck,
>
> We checked bar strength.  Macs were in the 2nd out of 3 bars.  PC’s were
> getting 4 out of 5.  I didn’t check the phones.  We did bandwidth testing
> and Macs were below 10Mb while PC’s were averaging around 150Mb.  I did
> check Airwave for possible issues.  It suggested a poor SNR value for at
> least one of the Macs.  I didn’t know what to make of that since the PC’s
> were not having that issue.  Health was not good.
>
>   Also, the Macs would drop connections and sometimes have random
> difficulty in connecting.  No issues with the PC’s or droids.
>
>   It was b

Re: [External] [WIRELESS-LAN] Rogue ssid mitigation features

2021-05-19 Thread Hunter Fuller
We have alerting for this situation but our interpretation is that
operating the jamming feature would not be legal in the States.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Wed, May 19, 2021 at 11:56 AM Becker, Jason  wrote:

> Is anyone using the features to disable/mitigate anyone trying to
> impersonate your own ssid's? I've been testing this on our lab Cisco gear
> and see that it works but kind of scary to push to production hardware.
>
>
> Jason
>
>


Re: [External] [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

2021-04-12 Thread Hunter Fuller
We have 10k students and we removed the guest network rate limit in
2015. We figured we would keep an eye on "top talkers" and address
issues on a case-by-case basis, but we have had no issues of this
type, so it hasn't really come up.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Mon, Apr 12, 2021 at 6:20 PM Curtis K. Larsen
 wrote:
>
> Hello,
>
> Curious to know if any have removed or recently raised the rate limit on the 
> Guest Wi-Fi network at your institution, particularly large universities or 
> hospitals.  If you have taken that step how is it going?  Also curious to 
> hear what speeds you rate limit to if it is rate limited and how you came to 
> that conclusion.
>
> Thanks,
>
> --
> Curtis K. Larsen
> Wireless Network Engineer III
> The University of Utah
>


Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
That's fair, and it's why I included the bit about requiring existing
connectivity. I think in my mind, if there was a certificate involved, it
would be downloaded from the Internet once the QR code was scanned. This is
similar to what you can do with .mobileconfig files on iOS. You do have to
find a way to get the .mobileconfig file into Safari on the device, but
once you do that, the configuration process is quite streamlined. An
Android equivalent would be amazing.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> I can scan a QR code with embedded credentials over your shoulder
>
> (I think the newest Galaxy has 100x zoom?)
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:45
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External]
> Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> I don't follow how sending someone configuration via a QR code on our
> website, would have a different trust profile from showing instructions on
> that same website, or sending them to eduroam CAT from that website.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> While UX is great with QR codes, security and trust is challenging.
>
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi
> Easy Connect but those have other security layers baked on top.
>
>
>
> ------
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:41
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11
> upcoming changes Feb 15th 2021
>
> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
> 2. Go to Settings
> 3. Network & Internet
> 4. Wi-Fi
> 5. Wi-Fi preferences
> 6. Advanced
> 

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
I don't follow how sending someone configuration via a QR code on our
website, would have a different trust profile from showing instructions on
that same website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> While UX is great with QR codes, security and trust is challenging.
>
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi
> Easy Connect but those have other security layers baked on top.
>
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:41
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11
> upcoming changes Feb 15th 2021
>
> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
> 2. Go to Settings
> 3. Network & Internet
> 4. Wi-Fi
> 5. Wi-Fi preferences
> 6. Advanced
> 7. Install Certificate
> 8. Choose the Certificate downloaded in the first step
> 9. Name the Certificate
> 10. Connect to the Secure SSID
>     1. Change the Certificate from System Certs to the Certificate name
>        entered in the previous step
>     2. Domain to 
>     3. Identity as the username
>     4. Password as the user’s password
>     5. Connect
> 11. Confirm Wireless is connected to the WPA2-Enterprise SSID
>     1. You may have to forget and add network as the Modify Setting on
>        the SSID does not appear to work properly as of January, 2021 Android
>        Software release
>
>
>
> There is a QR code that can be created for PSK networks, has anyone seen
> if this is possible for WPA2/3-Enterprise?
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 12:54
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Screenshot please.
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <
>

Re: [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
I wish there was a QR schema. Even if it only worked on devices with
another connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a
.mobileconfig file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
> 2. Go to Settings
> 3. Network & Internet
> 4. Wi-Fi
> 5. Wi-Fi preferences
> 6. Advanced
> 7. Install Certificate
> 8. Choose the Certificate downloaded in the first step
> 9. Name the Certificate
> 10. Connect to the Secure SSID
>     1. Change the Certificate from System Certs to the Certificate name
>        entered in the previous step
>     2. Domain to 
>     3. Identity as the username
>     4. Password as the user’s password
>     5. Connect
> 11. Confirm Wireless is connected to the WPA2-Enterprise SSID
>     1. You may have to forget and add network as the Modify Setting on
>        the SSID does not appear to work properly as of January, 2021 Android
>        Software release
>
>
>
> There is a QR code that can be created for PSK networks, has anyone seen
> if this is possible for WPA2/3-Enterprise?
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 12:54
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Screenshot please.
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <
> wa...@umich.edu>
> *Sent:* Tuesday, February 2, 2021 12:46
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Can someone explain something to me?
>
> I have a Pixel 3 that I did a factory reset on.  Next I did all the updates
> needed and it is running Android 11.  The build number is RQ1A.210205.004
> which includes the latest security patch for the phone.
>
> When I go to configure a WPA2 Enterprise network I still have the "Don't
> validate" option.
>
> What am I missing here?
>
> 
> Walter Reynolds
> Network Architect
> Information and Technology Services
> University of Michigan
> (734) 615-9438
>
>
> On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
> wrote:
>
> LOL if it’s working now on those android 11 devices as is then I guess it
> is.  And if it’s not well then Feb 15th I guess will be fun
>
> Trent Hurt
>
> University of Louisville
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@li

Re: [External] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Hunter Fuller
On Tue, Oct 13, 2020 at 1:26 PM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> So the issue with advance certificate onboarding is that it requires a 
> process in advance that most students would have issues with.

I just want to make sure you understand that the alternative is the
ability to impersonate the user on the network with little effort.
Did you select "Do not validate" on your Android device? Then as long
as I am within a few feet of you, or have line of sight, I can get
your AD password. That's it!
How? I can just broadcast an SSID with the same name as your
institution's network, and use a directional antenna to ensure I am
the loudest AP so you will try to associate to me. My certificate is
totally bunk, but your device doesn't care, so it will just blast your
AD password directly to my laptop.
We don't even have to be on your campus for me to do this. And, I
don't even have to know your username, you will provide me with that
too, without your knowledge or intervention.

> It doesn’t work well with BYOD clients that have dynamic VLAN placement based 
> on returned filter-IDs from a RADIUS/NPS server.

This hasn't been our experience. We place users based on their
username. However, we are using PEAP.

> Most vendors walk you through a quick and dirty setup of NPS for 802.1x auth 
> and VLAN placement, and therefore, they are interested in simple auth at the 
> expense of security.  However, with Android 11 (and possibly a bit further 
> back), that bypass of “don’t validate”, etc, isn’t an option.

I am guessing this is deliberate.

I get the temptation to not validate, I do. Android has the worst
onboarding options of any mainstream OS right now, and it's
embarrassing they haven't fixed it. But this is a step in the right
direction, painful as it might be.


--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering



Re: [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-23 Thread Hunter Fuller
Fishel,

I'm no Tim, but I do have a fairly in-depth understanding of the
mechanics at work regarding 802.1X server certificates, and my number
is in my signature.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Sep 23, 2020 at 8:13 AM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
>
> Tim,
>
> Do you have a few minutes for a phone call?  Could you please send me a 
> number where I can reach you?
>
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> C:  347-539-6380
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>
>
> On Sep 23, 2020, at 09:09, Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> 
> You should avoid using public CA issued web server certificates for an EAP 
> server identity wherever possible.
>
> But to directly answer your question, yes, you'd select Use System 
> Certificates and set the subject name.
>
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Tariq Adnan 
> <01e6b38f57b3-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, September 22, 2020, 22:04
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Hi Tim,
>
>
>
> How about choosing “use system certificate”, provided the CA cert is a valid 
> public cert (QuoVadis CA) and in the default certificate store of Android?
>
>
>
> Thanks,
>
>
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Fishel Erps
> Sent: Wednesday, 23 September 2020 5:17 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
>
>
> Tim,
>
>
>
> Thank you.  This was extremely helpful.
>
>
>
>
>
> __
> __
>
>
> Fishel Erps,
>
> Sr. Network & Infrastructure Engineer
>
> School of Visual Arts
>
> 136 W 21st St., 8th Floor
>
> New York, NY, 10011
>
> LL: 212-592-2416
>
> E:  fe...@sva.edu
> ___
>
>
> Please excuse any typographical
>
> errors as this e-mail has been sent
>
> from my mobile device
>
> ___
>
>
>
>
>
> On Sep 22, 2020, at 15:13, Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> 
>
> Fishel - as an aside, if the configuration guidance to users has been to 
> ignore the EAP server identity or configure their devices to not validate it 
> and the credential used for Wi-Fi is their primary password, I highly 
> recommend you issue an organization-wide password reset as all of those 
> credentials may have been compromised.
>
>
>
>
>
> 
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Felix Windt 
> 
> Sent: Tuesday, September 22, 2020 15:10
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
>
>
> https://www.eduroam.org/configuration-assistant-tool-cat/
>
>
>
> thx,
>
> felix
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Patrick Mauretti 
> 
> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
> 
> Date: Tuesday, September 22, 2020 at 3:02 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
>
>
> Okay I’ll bite.  What’s the CAT tool you mentioned?  Link?
>
>
>
> -Patrick
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Floyd, Brad
> Sent: Tuesday, September 22, 2020 3:00 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
>
>
>
>
> Fishel,
>
> We have run into this on some versions of Android OS and the solution that 
> works for

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Hunter Fuller
Tim,

We use CAT but we had to develop those instructions because CAT on
Android is very, very difficult for non-technical users. I guess we
will have to revise them.

Unfortunately it does not appear that the OP's institution is a member
of eduroam, so CAT won't help them in any case.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 1:22 PM Tim Cappalli
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> You can only install a CA from inside the Settings now to prevent users from 
> unintentionally installing a malicious root.
>
> Assuming you don't have a commercial supplicant provisioning platform, why 
> not just use the CAT tool?
>
> tim
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Hunter Fuller 
> 
> Sent: Tuesday, September 22, 2020 14:15
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and 
> WPA-Enterprise
>
> Try these instructions. We had one Android 11 user report that they
> work. You will obviously need a copy of your institution's
> certificate.
>
> https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
> On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps
> <0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> >
> > Tim,
> >
> > We use:
> >
> > EAP Method = PEAP
> > Phase 2 = MSCHAPv2
> > CA Certificate = Unspecified
> > Identity = [username]
> > Password = [password]
> >
> > The credentials trigger the return of a filter-ID from the RADIUS server to 
> > the controller, which the controller then uses to put the user into a VLAN.
> >
> > Some Android devices that are running version 11 no longer have an option 
> > of “unspecified” under CA Certificate, and none of the other choices seem 
> > to work.
> >
> >
> >
> >
> > __
> > __
> >
> > Fishel Erps,
> > Sr. Network & Infrastructure Engineer
> > School of Visual Arts
> > 136 W 21st St., 8th Floor
> > New York, NY, 10011
> > LL: 212-592-2416
> > E:  fe...@sva.edu
> > ___
> >
> > Please excuse any typographical
> > errors as this e-mail has been sent
> > from my mobile device
> > ___
> >
> >
> > On Sep 22, 2020, at 12:04, Tim Cappalli 
> > <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> >
> > 
> > Can you please provide some basic details?
> >
> > What exactly is "broken"?
> > Which EAP method?
> > Which credential type?
> > How is/was the supplicant provisioned?
> > Are only new devices affected or just upgraded devices?
> >
> > 
> > From: The EDUCAUSE Wireless Issues Community Group Listserv 
> >  on behalf of Fishel Erps 
> > <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> > Sent: Tuesday, September 22, 2020 12:02
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> > Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise
> >
> > Hi,
> >
> > v11 seems to have broken credential authentication for RADIUS and 
> > WPA2-Enterprise/802.1x.
> >
> > Has anyone found a workaround?
> >
> >
> >
> > __
> > __
> >
> > Fishel Erps,
> > Sr. Network & Infrastructure Engineer
> > School of Visual Arts
> > 136 W 21st St., 8th Floor
> > New York, NY, 10011
> > LL: 212-592-2416
> > C:  347-539-6380
> > E:  fe...@sva.edu
> > ___
> >
> > Please excuse any typographical
> > errors as this e-mail has been sent
> > from my mobile device
> > ___
> >

Re: [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Hunter Fuller
Try these instructions. We had one Android 11 user report that they
work. You will obviously need a copy of your institution's
certificate.

https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
>
> Tim,
>
> We use:
>
> EAP Method = PEAP
> Phase 2 = MSCHAPv2
> CA Certificate = Unspecified
> Identity = [username]
> Password = [password]
>
> The credentials trigger the return of a filter-ID from the RADIUS server to 
> the controller, which the controller then uses to put the user into a VLAN.
>
> Some Android devices that are running version 11 no longer have an option of 
> “unspecified” under CA Certificate, and none of the other choices seem to 
> work.
>
>
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>
>
> On Sep 22, 2020, at 12:04, Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> 
> Can you please provide some basic details?
>
> What exactly is "broken"?
> Which EAP method?
> Which credential type?
> How is/was the supplicant provisioned?
> Are only new devices affected or just upgraded devices?
>
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Fishel Erps 
> <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, September 22, 2020 12:02
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Hi,
>
> v11 seems to have broken credential authentication for RADIUS and 
> WPA2-Enterprise/802.1x.
>
> Has anyone found a workaround?
>
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> C:  347-539-6380
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>


Re: [External] [WIRELESS-LAN] 2.4Ghz channel designations

2020-08-26 Thread Hunter Fuller
What does "less than the delays from protocols" mean?

The only protocol at work here is 802.11, right? The one that can
dodge same-channel interference but can NOT dodge spillover from
adjacent channels?

Am I missing something?

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Wed, Aug 26, 2020 at 11:13 AM John Rodkey  wrote:
>
> For many years I have consistently used channels 1, 6, and 11 as 
> non-overlapping channels wherever 2.4GHz is deployed.  I have a consultant 
> who is suggesting using all 11 channels in our high density dorm situations, 
> arguing that signal interference will affect throughput less than the delays 
> from protocols where the 3 channels are within hearing distance of each other.
>
> This doesn't make sense to me.  If you in your situation have found using all 
> 11 channels to be an effective solution vs the 3 channel non-overlapping 
> approach, could you explain to me why you made that choice, and what your 
> on-the-ground experience is with this configuration?
>
> Thank you!
>
> John Rodkey
> Director of Servers and Networks
> Westmont College
>
> Verification: Unsure if this is a legitimate email to an email list? Make 
> sure it is recorded at https://my.westmont.edu/it_emails
>
>
> "God-fearing faith... is neither brash nor foolhardy and does not tempt God." 
> - Martin Luther
>


Re: [External] Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Hunter Fuller
Every day I am more and more thankful that we migrated off of InCommon for
dot1X. We slid right under the door for all this Apple stuff. Life has
never been better on our private CA.

On Wed, Aug 19, 2020 at 08:42 Andrew Gallo <
01d1fb3cd70a-dmarc-requ...@listserv.educause.edu> wrote:

> Thanks Tim-
>
> Good point on the non-public CA.
>
> For the record, here's Apple's announcement:
> https://support.apple.com/en-us/HT211025
>
> I'm also going to ask over on the InCommon cert-users list.
>
> Thanks
>
>
>
>
> On 8/19/2020 9:33 AM, Tim Cappalli wrote:
> > Google’s announcement was for Chrome so it is not clear whether there
> > will be a change in Android.
> >
> > Apple’s announcement is system-wide on macOS and iOS.
> >
> > But keep in mind it does not apply to non-public CAs, which are the only
> > trust chains that should be used for EAP.
> >
> > tim
> >
> >
> > From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of
> > Andrew Gallo
> > Sent: Wednesday, August 19, 2020 09:28
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: [WIRELESS-LAN] New certificate expiration for certificates
> > affecting 802.1X?
> >
> > Does anyone know if the new, shorter certificate expiration for TLS that
> > Apple announced (and Google is following) will affect 802.1X
> > authentication?
> > Thanks
> > --
> > 
> > Andrew Gallo
> > The George Washington University
> >
> >
>
> --
> 
> Andrew Gallo
> The George Washington University
>
-- 

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering



Re: [External] Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-08-06 Thread Hunter Fuller
Ryan,

We have a flag you can set that will hide you from the UAH directory and
cause us to never reveal that you're a student ("FERPA hold"). One can
assume that privacy-conscious students might set this flag. By that metric,
12% of our students are privacy-conscious.

HTH

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Thu, Aug 6, 2020 at 6:03 PM Turner, Ryan H 
wrote:

> Personally this just doesn’t resonate to me.  How many students care about
> privacy concerns every time they sign up for the latest social data mining
> app?
>
> Ryan Turner
> Head of Networking, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
>
> On Aug 6, 2020, at 3:36 PM, Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> 
>
> Sure, everyone has their motives for privacy. But tracking a device by MAC
> address across networks is a huge and very real issue. Think about
> everywhere you see the XFINITY SSID. Every Comcast cable modem in the
> country broadcasts it. What a massive tracking domain if you have it saved
> on your phone. Those are the things Google and Apple are trying to prevent.
> Has really nothing to do with their own internal platform operation.
>
>
>
> That is why just setting a MAC per-SSID doesn’t cut it. But as per usual,
> the networking industry didn’t take this seriously 5+ years ago and OS
> vendors now have to back out of privacy preserving changes or face
> ridiculous (and IMO unnecessary) backlash.
>
>
>
> tim
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Thursday, August 6, 2020 at 15:26
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> Our lawyers tell me that we’re responsible for takedowns by virtue of it
> being on our network.  If the content is on a host we manage we would just
> remove the content, but if it’s not our host, which is usually the case,
> then we have to remove the host from the network.
>
>
>
> FWIW, I’m not losing sleep over the liability issue.  We’re not putting
> the MAC auth genie back in the bottle any time soon, so the university is
> just going to live with that risk until we have a better option.  Besides,
> since we got a border firewall, takedowns have become really rare.  I’m
> more concerned about providing a quality connection and support experience
> for our users and getting compromised devices off the network.  The point
> of my original comment wasn’t really to debate DMCA, but to challenge Tim’s
> objection to disabling privacy settings.  There are good reasons to disable
> them for our networks on a per SSID basis, and if our users want to use the
> MAC auth network in the res halls, that’s what they’ll have to do.
>
>
>
> I also find it ironic that Apple and Google pretend to care about our
> privacy.  What they care about is our perception of their products.  If
> they actually cared about our privacy they would collect far less of our
> data than they do.  I’m not offended by it, but my position is
> fundamentally the same as theirs – if you’re unwilling to sacrifice your
> privacy, don’t use our stuff.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Jeffrey D. Sessler
> *Sent:* Thursday, August 06, 2020 2:36 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
>
>
> Chuck,
>
>
>
> What DMCA requirements do you speak of?  As an ISP there is very little we
> technically have to do, but many EDU’s go above and beyond the
> requirements.  We have far more requirements if copyrighted information is
> being hosted on systems we own, but when it’s an end-user, there are little
> to no obligations, and if MAC address randomization makes it impossible,
> then there is nothing more one has to do under the DMCA.
>
>
>
> Jeff
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Thursday, August 6, 2020 at 7:52 AM
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> How can we fulfill DMCA requirements when we can’t even identify a device,
> let alone the user?  If you want to remain anonymous, use a different
> network.
>

Re: [External] Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Hunter Fuller
TL;DR: Everything Ryan said applies to PEAP too.

We have extensive experience on the PEAP front. We used to run an
InCommon certificate, and devices prompted to verify. (Windows, Macs,
and iPhones use a different store to verify 802.1X certs, so no cert
chain is trusted out of the box - there is no cert you could provide
to make them happy.) So we migrated to a long-validity private CA that
our CISO manipulates using openssl(1), and we distribute the CA using
eduroam CAT. All is well in the world.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, May 27, 2020 at 1:53 PM Philippe Hanset
<005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:
>
> Somewhat related to this thread, if you are planning to switch to EAP-TLS, 
> please consider using ECC (Elliptic Curve Cryptography, small certs) 
> Certificates.
> They make EAP-TLS much more compatible when authentications cross many 
> network devices (related MTU size issues), especially if you do not control 
> those devices.
> We have had many failed authentications on eduroam with EAP-TLS (using 
> 2048-bit certs) due to MTU mismatch on network devices across the entire 
> federation.
>
> Best,
>
> Philippe
>
> Philippe Hanset, CEO
> www.anyroam.net
> Operator of eduroam-US
> +1 (865) 236-0770
>
> On May 27, 2020, at 8:16 AM, Turner, Ryan H  wrote:
>
> My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
> or anything else.  Actually, that does bring a wrinkle into my previous 
> email.  If PEAP and TLS both exist, I am going to guess there will be more 
> prompts or issues with a private CA (perhaps)
>
> Ryan Turner
> Head of Networking, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
>
> On May 26, 2020, at 8:21 PM, Hurt,Trenton W.  
> wrote:
>
> 
> I’m also doing unmanned eap peap (yes I know all the security reasons against 
> this)  if I don’t use public signed ca will byod devices be able to connect 
> via eap peap with that private cert?
>
> Trent Hurt
>
> University of Louisville
>
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Turner, Ryan H 
> 
> Sent: Tuesday, May 26, 2020 8:10 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change
>
>
> You are likely totally hosed.  In fact, you should consider abandoning public 
> CAs entirely when you re-do this.   Throughout the years, I’ve counseled a 
> lot of schools about TLS deployments, and I cautioned strongly against using 
> public CAs for this exact reason.  You have no control, and your CA can 
> totally hose you, as you can see.
>
>
>
> There is no way around this if the CA will not cooperate.   You should talk 
> to your active directory folks.  They should spin up a new offline private CA 
> root, then intermediary, then issue your RADIUS servers from the 
> intermediary.  The expiration should be many years.
>
>
>
> OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
> certificates.  In any event, get off the public CAs.
>
>
>
> Ryan
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Hurt,Trenton W.
> Sent: Tuesday, May 26, 2020 5:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change
>
>
>
> I have both eap peap and eap tls setup and working.  My radius server cert is 
> going to expire soon.  I have received new one from public ca.  It works fine 
> for eap peap clients.  But for my existing eap tls clients they all fail auth 
> when I switch to this new updated rad cert.  I see that my public ca has 
> issued this new cert using different root ca than my old one (the one that 
> is install/config on my securew2 app in the cloud).  Securew2 has told me that 
> users will have to onboard again once I change the cert on clearpass and 
> update the cloud app since public ca changed root ca on cert chain.  I asked 
> my public ca if they could reissue using the other root ca so my eap tls 
> clients will still work once I do the change.  They have told me that 
> shouldn’t need reissue as the old root ca (one tls clients currently use) 
> because my new cert root ca is cross signed by the old root ca.  They told me 
> that I

Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz spectrum

2020-01-29 Thread Hunter Fuller
Chuck, that all makes sense, but I don't think the earlier quote would
bother the FCC. I'm talking about this one that David provided:

"Personal wireless access points, network switches, and routers are
not permitted on campus as they can interfere with the functioning of
the campus network."

This seems pretty enforceable, and it clearly doesn't have to do with
unlicensed spectrum, because network switches and wired routers are
prohibited by this quote, even though they don't have anything to do
with Wi-Fi.

It seems Draconian to me, but it also seems safe to enforce, for
Universities that have passed such a policy. But as some have
mentioned, this is the WIRELESS-LAN list, rather than the LAWYER list,
so of course I'm just speculating.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Jan 29, 2020 at 12:53 PM Enfield, Chuck  wrote:
>
> The difference between Mi-Fi and sandwiches is that there's no Federal 
> Sandwich Commission claiming exclusive authority to regulate sandwiches.  Our 
> institutions are free to pass policies consistent with the law, but it's 
> clear from this thread that we don’t know precisely what the law allows in 
> this case.
>
>
>
> Here's the relevant excerpt from Penn State’s policy manual:
>
>
>
> The University also reserves the right to control and/or manage use of the 
> frequency spectrum within the boundaries of all University locations. 
> Individuals of the University are required to report transmitting devices and 
> their characteristics to University officials, if so requested. The 
> University reserves the right to require those units or individuals found to 
> have such devices that interfere or are suspected to interfere with operation 
> of centrally managed University systems, to discontinue use of such devices, 
> and, if necessary, to remove them from University property.
>
>
>
> I have concerns about this policy that would keep me from trying to enforce 
> it:
>
>
>
> 1. The University must manage the spectrum assigned to it, but I'm pretty sure 
>    the FCC controls the spectrum and that the unlicensed spectrum isn’t ours to 
>    manage.
> 2. Who are these university officials that can request reporting?  I have no 
>    reason to think I or my staff are among them, but perhaps we are.
> 3. I suspect the University can ban categories of devices from campus as it sees 
>    fit, including RF transmitters.  If instead of making this about spectrum we 
>    just banned RF transmitters of any kind, or even specific kinds, we could 
>    probably get away with it.  But we’re on much shakier ground if we allow such 
>    devices and choose to selectively prohibit them based on what we deem to be 
>    adverse effects on the spectrum associated with their legal use.  That’s a 
>    backhanded way of controlling the unlicensed spectrum and I don’t think the 
>    FCC will like it.
>
>
>
> Nevertheless, if concern #2 was addressed I’d be willing to attempt 
> enforcement.  Our Office of General Counsel is responsible for making sure 
> our policies are legal – not me.
>
>
>
> Chuck Enfield
>
> Manager, Wireless & Cellular
>
> Penn State IT
>
> 119L USB2, UP, PA 16802
>
> Office: 814.863.8715
>
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Hunter Fuller
> Sent: Wednesday, January 29, 2020 12:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
> spectrum
>
>
>
> I'm not sure everyone is really speaking the same language here.
>
>
>
> If my University passed a policy that said students can't have sandwiches on 
> campus, that would be enforceable and they could even be subject to 
> disciplinary committee if they brought a sandwich to campus.
>
>
>
> If you replace a sandwich with a Mi-Fi device, I'm not sure how that's any 
> different.
>
>
>
> That being said, we do not have such a policy - just one forbidding them from 
> connecting their routers and such to our network. That's fine for us, and we 
> just try to educate people - 90% of the time it works every time.
>
>
>
> --
>
> Hunter Fuller
>
> Router Jockey
>
> VBH Annex B-5
>
> +1 256 824 5331
>
>
>
> Office of Information Technology
>
> The University of Alabama in Huntsville
>
> Network Engineering
>
>
>
> On Wed, Jan 29, 2020 at 9:52 AM Jake Snyder  wrote:
>
> >
>
> > Unfortunately, aside from talking to the person there isn’t much you can 
> > do.  The person in question isn’t “jamming,” they are using spectrum

Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz spectrum

2020-01-29 Thread Hunter Fuller
I'm not sure everyone is really speaking the same language here.

If my University passed a policy that said students can't have
sandwiches on campus, that would be enforceable and they could even be
subject to disciplinary committee if they brought a sandwich to
campus.

If you replace a sandwich with a Mi-Fi device, I'm not sure how that's
any different.

That being said, we do not have such a policy - just one forbidding
them from connecting their routers and such to our network. That's
fine for us, and we just try to educate people - 90% of the time it
works every time.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Jan 29, 2020 at 9:52 AM Jake Snyder  wrote:
>
> Unfortunately, aside from talking to the person there isn’t much you can do.  
> The person in question isn’t “jamming,” they are using spectrum and 
> completely entitled to do so.
>
> Simplistically, you can prevent devices the university owns from connecting 
> to it. Beyond that, you venture into the grey area.
>
> Best course is to go talk to the person, educate them, and hope they are 
> reasonable. Realistically, you cause as much impact to them as they do to you.
>
> Sent from my iPhone
>
> On Jan 29, 2020, at 8:22 AM, Dom Colangelo  
> wrote:
>
> 
>
> I came across this 2015 article on the Marriott penalty and subsequent FCC 
> public notice – there’s a lot of grey area as it relates with higher 
> education, and it seems many are forming their own interpretations.
>
>
>
> -
>
> 
> Dom Colangelo
>
> Systems Engineer
>
> Omada Technologies
>
> Cell: (617)-446-3945
>
> dcolang...@omadatechnologies.com
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Michael Holden
> Sent: Wednesday, January 29, 2020 10:07 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
> spectrum
>
>
>
> Aruba gives the following warning when doing containment / deauth
>
>
>
> The Federal Communications Commission ("FCC") and some third parties have 
> alleged that, under certain circumstances, use of containment functionality 
> violates 47 U.S.C. Section 333 and/or other FCC rules, regulations or 
> policies. Before using any containment functionality, you should determine 
> whether your intended use is allowed under the applicable rules, regulations 
> and policies. Aruba shall not be liable for any claims, sanctions, or other 
> direct, indirect, special, consequential or incidental damages related to 
> your use of containment functionality.
>
>
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Julian Y Koh
> Sent: Wednesday, January 29, 2020 9:50 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
> spectrum
>
>
>
> On Jan 29, 2020, at 08:38, Coehoorn, Joel  wrote:
>
>
>
> I don't know about that. The enforcement example that stands out to me is 
> Marriott was not allowed to use the fine print when you get a room to 
> prohibit hot spots, interfering or not, and they paid a hefty fine because of 
> it.
>
>
>
> The details are a little hazy with the passage of time, but IIRC the Marriott 
> case was special because they were using the active rogue disassociation 
> features of their wireless network to intentionally knock people off of any 
> SSIDs other than the ones that they were operating.  So that goes beyond 
> simply radiating on a channel.
>
>
>
> Corrections/clarifications welcome as always! :)
>
>
> --
>
> Julian Y. Koh
>
> Associate Director, Telecommunications and Network Services
>
> Northwestern Information Technology
>
>
>
> 2020 Ridge Avenue #331
>
> Evanston, IL 60208
>
> +1-847-467-5780
>
> Northwestern IT Web Site: <http://www.it.northwestern.edu/>
>
> PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>
>
>

Re: [WIRELESS-LAN] [WIRELESS-LAN] Google Home Different SSIDs

2020-01-16 Thread Hunter Fuller
Tim et al.,

I had occasion to try this. It works, in that the Home connects to Wi-Fi,
but it still keeps doing the pulsing lights thing, and if you say "okay
Google," it responds "Your Google Home isn't set up yet."

Is there another workaround for this, maybe?

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Mon, Dec 16, 2019 at 6:29 PM Cappalli, Tim (Aruba)  wrote:

> If you just close the Home app while the Home/Chromecast is attempting
> to connect, it will connect successfully. Wait about 60 seconds before
> opening the Home app again.
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Saturday, December 14, 2019 at 12:11 PM
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Google Home
> Different SSIDs
>
> I appreciate all the responses, I thought I was going crazy! Like others
> have said, I'm curious to know if anyone has found a clever way to set
> these up without putting them on the same network temporarily. For now,
> that seems to be our workaround.
>
>
>
> Thanks,
>
> Robert Schneider
>
>
>
> On Dec 13, 2019, at 10:23 AM, Tim Tyler  wrote:
>
> 
>
>
>
>
> Yep, that is exactly what we have had to do sometimes.  Get both devices
> including the 802.1x device on the same SSID and then after all is working
> move the 802.1x back to the preferred SSID.  Sort of a pain.   Many vendors
> don’t care about layer 3 solutions.
>
> Tim
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Norton, Thomas
> (Network Operations)
> *Sent:* Thursday, December 12, 2019 3:09 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Google Home
> Different SSIDs
>
>
>
> Hey there,
>
>
>
> We do the same thing at LU, but on two separate vlans utilizing Aruba
> airgroup. Unfortunately, Google in their wonderless glory made it a
> dependency for initial setup, and baked it into the app.
>
>
>
> To my knowledge there is no way around it, as it requires seeing the
> devices on the same SSID before finalizing configuration.  I would love to
> hear if anyone has figured a way around it as well. I attempted to reach
> out to our Google rep to no avail.
>
>
>
> Once configured, you can move the handset to a separate ssid/network.
>
> *T.J. Norton*
>
> *Wireless Network Architect*
> *Network Operations*
>
> *Office: (434) 592-6552*
>
>
>
>
>
> *Liberty University  |  Training Champions for Christ since 1971*
>
>
>
> On Dec 12, 2019, at 2:37 PM, Robert Schneider 
> wrote:
>
> 
>
> Hi All,
>
>
>
> We keep our smart devices and student networks on two separate SSIDs. The
> backend is the same network and hands out the same IPs. Recently, the
> Google Home app doesn't seem to want to complete the setup until it sees
> that the phone and Google Home Mini are on the same SSID. I can't see that
> we're blocking anything, so I'm at a loss as to what to do next.
>
>
>
> Is anyone else experiencing a similar issue? If not, any tips to get this
> to work? We have an Aruba wireless environment.
>
>
> * Robert Schneider*
>
> Network Engineer
> Information Technology | Rollins College
> 407.628.6380 | rschnei...@rollins.edu
>
>
>

Re: [WIRELESS-LAN] Theater wifi - to have or not to have

2019-10-22 Thread Hunter Fuller
There was never any question, we have always offered wireless in these
locations. However, none of ours are old enough for the word
"historic" to be involved, so we have it pretty easy.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Oct 22, 2019 at 11:44 AM Bull, Mary  wrote:
>
> Hello all,
>
>
>
> I’m wondering if anyone here has dealt with a decision on wireless in the 
> theaters, concert halls, or recital halls on their campus. We have a new arts 
> complex coming on line in the next two years and there’s no clear direction 
> from faculty on whether wireless for the audience is desirable. The previous 
> main theater, and other currently used theaters on campus, did/do not have 
> full connectivity for the audience (just a few aps tacked on the walls that 
> were useless when the room was full). Facilities planning is favorable toward 
> building it in, so I’d prefer that too, especially since it would be much 
> harder or impossible to install if the faculty changes their mind in a few 
> years once the building is complete. However, I’m not sure whether there is 
> really an expectation from the audience that they should have wifi when they 
> attend a show or concert.
>
>
>
> Has anyone dealt with this on their campus? What influenced your choice?
>
>
>
> Mary Bull
>
> William and Mary
>
> 757-221-2491
>
> mb...@wm.edu
>


Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Hunter Fuller
It's not just TLS. At this point it's clear that the Android
developers don't care at all about wireless security, whether via TLS,
PEAP, or anything except PSK.
There has been minimal improvement in Android 9 and above, 5+ years
after everyone else got it right. But by and large, Google fights you
the entire time you are trying to provide a secure wireless experience
to their users.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Sep 25, 2019 at 9:56 AM Jonathan Oakden  wrote:
>
> All great advice from Ryan.
>
> We use Ruckus Cloudpath for our onboarding.
>
> When TLS works it’s great. It’s mostly shoddy implementations on OS’s that 
> give problems. That’s why Android forms the bulk of the issues. If Google 
> ever get that sorted it will be an enormous help. Windows became a lot easier 
> and more reliable from the launch of W10.
>
>
>
> Jonathan Oakden
>
> Loughborough University
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of "Turner, Ryan H" 
> 
> Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 
> 
> Date: Wednesday, 25 September 2019 at 14:58
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: Re: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
>
>
>
> I can’t speak to the Clearpass, but you should spend more time validating the 
> onboarding process so that it is smooth.  That is going to be your issue.  
> The setup won’t take long, but a poorly designed user experience will hurt 
> you.  I am going to assume you will use SecureW2's cloud PKI.  We are going to 
> be switching to that from an AD private PKI.  Don’t be silly with 
> certificate lengths or hashes.  2048 length with SHA256 works fine.  No need 
> to do anything more and risk client support issues (in my opinion).
>
>
>
> You should stand up a test onboarding SSID (if you are going to have one) and 
> get people to go through the process before production and get feedback.  
> Utilize the documentation other schools have built (wifi.unc.edu).  If you 
> haven’t used an onboarding SSID to date, then you have a lot of work just to 
> make that work well.  Realize that Android devices are going to be 75% of 
> your issues.  The other operating systems are pretty easy and straightforward 
> (OSX is the second runner for issues).  iOS and Windows are a breeze.
>
>
>
> Good luck and welcome to the TLS club
>
>
>
>
>
> Ryan Turner
>
> Head of Networking
>
> The University of North Carolina at Chapel Hill
>
> +1 919 445 0113 Office
>
> +1 919 274 7926 Mobile
>
> r...@unc.edu
>
>
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Christopher Brizzell
> Sent: Wednesday, September 25, 2019 8:57 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Aruba - Going from PEAP to TLS
>
>
>
> In what should have been done long ago, we would like to move off of our 
> EAP-PEAP and onto EAP-TLS.
>
>
>
> Most likely we will be going with SecureW2 to help with that process.
>
>
>
> I’d like to hear from anyone who may have done this with Aruba OS and 
> Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
> proceed.
>
>
>
> Thank You.
>
>
>
> Chris Brizzell
>
> Assistant Director of Network and Technical Services and Network Administrator
>
> Skidmore College
>
> cbriz...@skidmore.edu
>
> 518-580-5994
>
>
>


Re: [WIRELESS-LAN] WiFi failures due to eduroam profiles

2019-09-20 Thread Hunter Fuller
We have had this kind of difficulty. Our standard toolbox is:

 - Linux/Android: Forget the network and rerun CAT
 - Windows: "netsh wlan delete profile name=eduroam" as admin and rerun CAT
 - iPhone/Mac: Delete profile via preferences and rerun CAT

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Fri, Sep 20, 2019 at 2:47 PM Aaron Abitia  wrote:
>
> Hello all, Aaron from Cal Poly, San Luis Obispo here...
>
>
> We just went all eduroam and turned off our primary branded dot1x SSID, which 
> featured Aruba Clearpass EAP-TLS Onboarding of devices. Because Onboarding is 
> now gone, my question is about the eduroam CAT tool…I believe reasons for 
> using it would be to mitigate man-in-the-middle attacks, to get rid of the 
> red “Not Verified” iOS message and to otherwise insulate the user from 
> manually accepting our RADIUS certificate.
>
>
> However, I’m wondering about usability once our users leave our campus.  We 
> have seen users here from other universities who are unable to connect to 
> eduroam, and we find that they are running a profile from their home 
> university, though we’re not sure if it’s the eduroam CAT tool or another 
> installer.  Once we remove their profile, they are able to get on eduroam.  I 
> believe that if an organization is using a profile and that profile lists the 
> RADIUS server(s) from that organization for the eduroam connection, the user 
> may or may not be dead until that profile is removed, depending on what’s in 
> the profile; if all that’s in the profile is the organization’s RADIUS 
> servers, the user should still work here, but if there’s other elements in 
> that profile, the user could fail, which we’ve seen, but I’m trying to 
> identify what precisely in the profile could cause the failure to connect.  
> Would anyone have any insight into this?
>
>
> We have many other eduroam users from other organizations that work fine 
> here, presumably because no profile is being used and the user has just 
> manually connected at home and here at our school. I would also be interested 
> in hearing about the eduroam CAT tool from anyone using it, or other config 
> tools used by anyone and the reasons for it, beyond what I’ve mentioned above.
>
>
> Many thanks.
>
>
> --
> Aaron Abitia
> Network Analyst
> Enterprise Information Systems, Networks
> Information Technology Services
> Cal Poly State University
> Tel: 805.756.1295
>
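
An added example, not part of the thread or of any poster's tooling: before deleting a stale eduroam profile on Windows, it can be exported and inspected to see what its EAP server validation pins, since those pins are what an installer such as CAT sets to mitigate man-in-the-middle attacks. The Python below parses a constructed profile shaped like the file written by `netsh wlan export profile name="eduroam" folder=.`; the hostnames, the thumbprint, the note codes and the function name `audit_profile` are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# EAP method numbers that commonly appear in 802.1X WLAN profiles.
EAP_NAMES = {"13": "EAP-TLS", "21": "EAP-TTLS", "25": "PEAP", "26": "EAP-MSCHAPv2"}

# Constructed sample shaped like an exported Windows WLAN profile.
# Hostnames and the thumbprint are made up.
_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>eduroam</name>
  <SSIDConfig><SSID><name>eduroam</name></SSID></SSIDConfig>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
          </EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                {validation}
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                </Eap>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# Profile that pins two RADIUS names and one root CA, with prompting disabled.
PINNED_PROFILE = _TEMPLATE.format(validation="""<ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>radius1.home.example.edu;radius2.home.example.edu</ServerNames>
  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 </TrustedRootCA>
</ServerValidation>""")

# Profile with no server name and no root CA: the kind of manual setup
# that leaves the user to accept whatever certificate is presented.
UNPINNED_PROFILE = _TEMPLATE.format(validation="""<ServerValidation>
  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  <ServerNames></ServerNames>
</ServerValidation>""")

NOTE_TEXT = {
    "NO_TRUSTED_ROOT": "no root CA pinned; the server certificate is not anchored",
    "NO_SERVER_NAME": "no RADIUS server name pinned; any name under a trusted CA passes",
    "SILENT_FAIL_ON_MISMATCH": "user prompt disabled; a server outside the pins is rejected without asking",
}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    """Return the SSIDs, EAP methods and server-validation pins of a profile."""
    root = ET.fromstring(xml_text)
    ssids, methods, names, roots = [], [], [], []
    prompt_disabled = None
    for el in root.iter():
        tag, text = _local(el.tag), (el.text or "").strip()
        if tag == "SSID":
            ssids += [(c.text or "").strip() for c in el if _local(c.tag) == "name"]
        elif tag == "Type" and text.isdigit():
            label = EAP_NAMES.get(text, "EAP type " + text)
            if label not in methods:
                methods.append(label)
        elif tag == "ServerNames":
            # Windows stores several names in one semicolon-separated string.
            names += [n.strip() for n in text.split(";") if n.strip()]
        elif tag == "TrustedRootCA" and text:
            # Thumbprints are written as space-separated hex bytes.
            roots.append(text.replace(" ", "").lower())
        elif tag == "DisableUserPromptForServerValidation":
            prompt_disabled = text.lower() == "true"
    notes = []
    if not roots:
        notes.append("NO_TRUSTED_ROOT")
    if not names:
        notes.append("NO_SERVER_NAME")
    if prompt_disabled and (roots or names):
        notes.append("SILENT_FAIL_ON_MISMATCH")
    return {"ssids": ssids, "eap_methods": methods, "server_names": names,
            "trusted_roots": roots, "prompt_disabled": prompt_disabled,
            "notes": notes}


if __name__ == "__main__":
    for label, profile in (("pinned", PINNED_PROFILE), ("unpinned", UNPINNED_PROFILE)):
        report = audit_profile(profile)
        print(label, report["eap_methods"], report["server_names"], report["trusted_roots"])
        for code in report["notes"]:
            print("  ", code, "-", NOTE_TEXT[code])
```
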


Re: [WIRELESS-LAN] Chromebook

2019-09-17 Thread Hunter Fuller
I'd like to also note that Chromebook hardware has little in common
with Android devices. Most of them are much closer to a PC in
architecture. So they are unlikely to share a wireless chip with the
typical Android device.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 17, 2019 at 11:52 AM Bryan Ward  wrote:
>
> Chromebooks also are not Android.  They run Chrome OS / Chromium OS.
>
>
>
> --
>
> Bryan Ward
>
> Network Engineer
>
> Dartmouth College Network Services
>
> 603-646-2245
>
> bryan.w...@dartmouth.edu
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Lee H Badman
> Sent: Tuesday, September 17, 2019 12:52 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Chromebook
>
>
>
> I would try to get the exact device types that are problematic, and stick 
> with the same OS version where trouble is happening. There is just too much 
> variety here.
>
> Lee Badman (mobile)
>
>
> On Sep 17, 2019, at 12:48 PM, Gray, Sean  wrote:
>
> Hi Folks,
>
>
>
> We are getting reports of 802.1x connectivity issues from Android based 
> devices. So in order to perform a little testing we are thinking about buying 
> a Chromebook. Does anyone have any recommendations? We are a Cisco shop, 
> running a 5520 WLC on code version 8.8.111.
>
>
>
> Thanks
>
>
>
> Sean
>
>
>
> Sean Gray | B.Sc (Hons)
>
> Voice, Collaboration & Wireless Network Analyst
>
> ITS, University of Lethbridge
>
>
>


Re: [WIRELESS-LAN] Performance improvements from hallway to in-room

2019-09-05 Thread Hunter Fuller
Sometimes I wonder if we're the only campus that doesn't get that type
of thing. We used to have a few "can you turn off this LED" before we
just turned all of them off by default.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Thu, Sep 5, 2019 at 3:26 PM Christopher Brizzell
<0113a07d9d59-dmarc-requ...@listserv.educause.edu> wrote:
>
> Just be ready for some amount of backlash from an angry/ignorant parent. 
> Every year (including yesterday) we have parents contact us saying we needed 
> to remove all APs from bedrooms because of the health risk to the students 
> living in those spaces.
>
>
>
> Thank you for the information, however. Any amount of proof to help solidify 
> our decision helps.
>
>
>
>
>
> Chris Brizzell
>
> Assistant Director of Network and Technical Services and Network Administrator
>
> Skidmore College
>
> cbriz...@skidmore.edu
>
> 518-580-5994
>
>
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Turner, Ryan H
> Sent: Thursday, September 5, 2019 1:43 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Performance improvements from hallway to in-room
>
>
>
> All:
>
>
>
> We all know that moving from hallway deployments to in-room deployments pays 
> dividends.  This summer we started doing some re-cabling work on smaller 
> dorms to move from hallway to in-room.   We also went away from Aruba higher 
> performance APs to the hospitality APs for these locations.  Even though the 
> AP cost is significantly less, the cabling costs made this move a premium 
> option.  Nonetheless, thanks to data provided to us from Nyansa Voyance, we 
> are able to clearly demonstrate to Housing that these funds were well spent.  
> After the changes, these dorms went from some of the worst performing 
> locations on campus to some of the best.  When you look at the graphs below, 
> the Y axis is percentage of users that are affected by poor wifi performance 
> (I believe Nyansa measures this as clients that experience a 25% retransmit 
> rate from the AP to client).  With Nyansa, it determines behavior on usage 
> level.  So when you see the dashed line, it means that usage was below or 
> above the threshold during that time frame.  I picked the usage level that 
> would show the most complete picture, but going from low/medium/high all show 
> the same improvement levels.
>
>
>
> Carmichael:
>
>
>
>
>
> Lewis:
>
>
>
> Everett:
>
>
>
> Ryan Turner
>
> Head of Networking
>
> The University of North Carolina at Chapel Hill
>
> +1 919 445 0113 Office
>
> +1 919 274 7926 Mobile
>
> r...@unc.edu
>
>
>


Re: [WIRELESS-LAN] Wireless Only in Student Housing?

2018-08-24 Thread Hunter Fuller
d, and advice.
>>
>>
>>
>> Thank you,
>>
>>
>>
>> Dan
>>
>> --
>>
>> Daniel Wurst
>>
>> Network Engineer
>>
>> Denison University
>>
>> wur...@denison.edu
>>
>> 740-587-6229
>>
>>
>>
>> ** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/discuss.
>>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] eduroam ssid on RTS

2018-08-20 Thread Hunter Fuller
Makes perfect sense, thanks for clarifying!

On Mon, Aug 20, 2018 at 10:43 AM Philippe Hanset <
005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:

> Hunter,
>
> You are correct.
> I was comparing 802.1X without a Web portal (à la eduroam) to a Web based
> SSID with a portal and a timeout.
> (which is what I have seen in buses with Wi-Fi very often)
> Many OSes will not switch your Internet routing in your phone to Wi-Fi
> unless access to the Internet is detected.
> The unfortunate Splash page, in this case, could be the saving grace to
> unwanted “join” while the bus is moving along.
>
> I guess for this particular case, it might be a “good” idea to have a
> splash page for eduroam :(
>
> Wi-Fi doesn’t seem to be a good idea for this kind of Mobile Connectivity
> in an urban area (it seems fine for a highway, or a rural area)
>
> There was another famous story like that with a Campus in London located
> right above the subway… and believe it or not, the campus AP next to the
> subway
> would see tons of authentications every time a train was stopping,
> depleting DHCP leases on the guest network. Same problem, different moving
> targets :)
>
> Philippe
>
> Philippe Hanset, CEO
> www.anyroam.net
> www.eduroam.us
> +1 (865) 236-0770
>
> GPG key id: 0xF2636F9C
>
> On Aug 17, 2018, at 5:21 PM, Hunter Fuller  wrote:
>
> On Fri, Aug 17, 2018 at 2:45 PM Philippe Hanset <
> 005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:
>
>> I wouldn't use 802.1X for that project, and that is coming from the
>> eduroam guys :(
>>
>> if using 802.1X (eduroam or local) in the bus… even people with decent
>> data plans that could use their own will automatically join your hotspot
>> since Wi-Fi is usually preferred by devices, making it
>> not so usable for the people who really need it. Those people will have
>> to manually disable Wi-Fi to force their device on LTE.
>>
>
> Philippe - I'm not sure about the association between 802.1X and this
> problem. Seems to me like any popular SSID would have the same issue, no?
> If it is a bus full of students, they would all automatically associate,
> 802.1X or not, right?
> --
>
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] eduroam ssid on RTS

2018-08-17 Thread Hunter Fuller
On Fri, Aug 17, 2018 at 2:45 PM Philippe Hanset <
005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:

> I wouldn't use 802.1X for that project, and that is coming from the
> eduroam guys :(
>
> if using 802.1X (eduroam or local) in the bus… even people with decent
> data plans that could use their own will automatically join your hotspot
> since Wi-Fi is usually preferred by devices, making it
> not so usable for the people who really need it. Those people will have to
> manually disable Wi-Fi to force their device on LTE.
>

Philippe - I'm not sure about the association between 802.1X and this
problem. Seems to me like any popular SSID would have the same issue, no?
If it is a bus full of students, they would all automatically associate,
802.1X or not, right?
-- 

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Issues with Windows 10

2018-08-01 Thread Hunter Fuller
Tim,

I verified the behavior you mentioned, on my iPhone running iOS 11. I found
a co-worker who still has iOS 10, and that is where I was remembering that
behavior from. I had no idea it had changed, so thank you for the heads up
- we will need to update our documentation.

-hf

On Tue, Jul 31, 2018 at 7:59 PM Cappalli, Tim (Aruba Security) 
wrote:

> “Not Trusted” is always shown on iOS if the supplicant is not configured.
> It has nothing to do with public root trust.
>
>
>
> macOS has split EAP trust vs system trusted CAs when displaying the prompt.
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> hf0...@uah.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Tuesday, July 31, 2018 at 8:50 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] Issues with Windows 10
>
>
>
> Because Macs and iPhones allow you to manually verify the certificate
> hash, which is easier and equally secure to a supplicant utility, so we
> also support that avenue for configuration. However, if you don't have a
> public-CA-signed certificate, they display the words "Not Trusted" in red
> bold letters during the certificate verification process.
>
> On Tue, Jul 31, 2018 at 5:30 PM Cappalli, Tim (Aruba Security) <
> t...@hpe.com> wrote:
>
> Just curious, for those running a supplicant configuration utility, why
> are you using a public CA-signed EAP server certificate?
>
>
> On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Charles Rumford"  on behalf of charl...@isc.upenn.edu> wrote:
>
> On 07/31/2018 04:18 PM, Michael Dickson wrote:
> > Hi Charles,
> >
> >
> > What do you mean by "we ended up configuring all of the intermediate
> certs"? Do
> > you mean you are now pushing all certs down to the client during the
> JoinNow
> > process?
>
> Yes. We ended up, just for Windows, pushing all of the certs down to the
> clients. It
> was the only way we could get the profile to work.
>
> >
> >
> > We are also running EAP-TTLS/PAP with JoinNow with a cross-signed
> double
> > intermediate cert. I haven't heard of any issues yet but want to get
> in front of
> > any that might crop up.
> >
> >
> > Thanks,
> > Mike
> >
> > Michael Dickson
> > Network Engineer
> > Information Technology
> > University of Massachusetts Amherst
> > 413-545-9639
> > michael.dick...@umass.edu
> > PGP: 0x16777D39
> >
> >
> >
> >
> 
> > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> >  on behalf of Charles Rumford
> > 
> > *Sent:* Tuesday, July 31, 2018 12:24 PM
> > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > *Subject:* Re: [WIRELESS-LAN] Issues with Windows 10
> >
> > On 07/30/2018 01:09 PM, Turner, Ryan H wrote:
> >> From SecureW2:
> >>
> >> The issue is noticed when the RADIUS server cert is signed by
> AddTrust External CA Root (Cross signed by USERTrust RSA Certification
> Authority) and with the recent Windows 10 update. We are looking into this
> and should be able to provide you an update.
> >>
> >
> > We ended up configuring all of the intermediate certs, and it solved
> the problem.
> >
> >
> > --
> > Charles Rumford
> > Senior Network Engineer
> > ISC Tech Services
> > University of Pennsylvania
> > OpenPGP Key ID: 0x173F5F3A (2018/07/05)
> >
> >
>
>
> --
> Charles Rumford
> Senior Network Engineer
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0x173F5F3A (2018/07/05)
>

Re: [WIRELESS-LAN] Issues with Windows 10

2018-07-31 Thread Hunter Fuller
Because Macs and iPhones allow you to manually verify the certificate hash,
which is easier and equally secure to a supplicant utility, so we also
support that avenue for configuration. However, if you don't have a
public-CA-signed certificate, they display the words "Not Trusted" in red
bold letters during the certificate verification process.

On Tue, Jul 31, 2018 at 5:30 PM Cappalli, Tim (Aruba Security) 
wrote:

> Just curious, for those running a supplicant configuration utility, why
> are you using a public CA-signed EAP server certificate?
>
>
> On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Charles Rumford"  on behalf of charl...@isc.upenn.edu> wrote:
>
> On 07/31/2018 04:18 PM, Michael Dickson wrote:
> > Hi Charles,
> >
> >
> > What do you mean by "we ended up configuring all of the intermediate
> certs"? Do
> > you mean you are now pushing all certs down to the client during the
> JoinNow
> > process?
>
> Yes. We ended up, just for Windows, pushing all of the certs down to the
> clients. It
> was the only way we could get the profile to work.
>
> >
> >
> > We are also running EAP-TTLS/PAP with JoinNow with a cross-signed
> double
> > intermediate cert. I haven't heard of any issues yet but want to get
> in front of
> > any that might crop up.
> >
> >
> > Thanks,
> > Mike
> >
> > Michael Dickson
> > Network Engineer
> > Information Technology
> > University of Massachusetts Amherst
> > 413-545-9639
> > michael.dick...@umass.edu
> > PGP: 0x16777D39
> >
> >
> >
> >
> 
> > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> >  on behalf of Charles Rumford
> > 
> > *Sent:* Tuesday, July 31, 2018 12:24 PM
> > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > *Subject:* Re: [WIRELESS-LAN] Issues with Windows 10
> >
> > On 07/30/2018 01:09 PM, Turner, Ryan H wrote:
> >> From SecureW2:
> >>
> >> The issue is noticed when the RADIUS server cert is signed by
> AddTrust External CA Root (Cross signed by USERTrust RSA Certification
> Authority) and with the recent Windows 10 update. We are looking into this
> and should be able to provide you an update.
> >>
> >
> > We ended up configuring all of the intermediate certs, and it solved
> the problem.
> >
> >
> > --
> > Charles Rumford
> > Senior Network Engineer
> > ISC Tech Services
> > University of Pennsylvania
> > OpenPGP Key ID: 0x173F5F3A (2018/07/05)
> >
> >
>
>
> --
> Charles Rumford
> Senior Network Engineer
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0x173F5F3A (2018/07/05)
>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Your eduroam semi-annual report

2018-07-06 Thread Hunter Fuller
EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] Your eduroam semi-annual report
> *Resent-From: *Patrick McEvilly 
>
>
>
> What person at a school receives them? I want to see ours.
>
>
>
> Thanks.
>
> Sent from my iPhone
>
>
> On Jul 6, 2018, at 6:40 AM, Philippe Hanset <
> 005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:
>
> Yahya,
>
>
>
> These reports are provided to all IdPs
>
> and SPs in the US. ANYROAM, the operator of eduroam on behalf of Internet2
> has built those reports based on the US top level RADIUS logs.
>
>
>
> Philippe
>
> Philippe Hanset, CEO
>
> ANYROAM LLC
>
> www.anyroam.net
>
> www.eduroam.us
>
>
> On Jul 6, 2018, at 6:17 AM, Yahya M. Jaber 
> wrote:
>
> Is this only for IdPs who have it as a primary network? Eduroam is a
> secondary one for us here.
>
>
>
>
>
> Best Regards,
>
>
>
> *Yahya Jaber*
>
> Sr. Wireless Engineer
>
> IT Network & Communications – Engineering
>
>
>
> Email yahya.ja...@kaust.edu.sa
>
> Office +966 (0) 12 8081237
>
> Mobile +966 (0) 558697555
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Turner, Ryan H
> *Sent:* Friday, July 6, 2018 4:03 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Fwd: Your eduroam semi-annual report
>
>
>
> All:
>
>
>
> We have run eduroam as our primary SSID for several years.  For those
> institutions that do not, but wonder what it might look like for those that
> do, I’ve included our semi-annual report.
>
> Ryan Turner
>
> Senior Manager of Networking, ITS
>
> The University of North Carolina at Chapel Hill
>
> +1 919 274 7926 Mobile
>
> +1 919 445 0113 Office
>
>
> Begin forwarded message:
>
>
>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Question regarding the support of WiFi Calling and texting

2017-10-25 Thread Hunter Fuller
>
> --
>
> Vikki Cutrone
>
> Network Administrator
>
> Vassar College, Box 13
>
> 124 Raymond Ave
>
> Poughkeepsie, NY 12604
> -0013
>
>
>
> 845-437-7231
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Two RF Questions

2017-09-25 Thread Hunter Fuller
We currently won't even touch 40MHz as we like having the ability to solve
problems by throwing more APs at them.

On Mon, Sep 25, 2017 at 2:28 PM Chuck Enfield <chu...@psu.edu> wrote:

> 1.  Enable it in places to check for radar events.  If you get few,
> then yes.  Client devices are almost fully capable now.  Hidden SSIDs are
> the only issue.  Some clients don’t probe on DFS channels, and will only
> respond to beacons.  Make sure 2.4 is usable for the small number of
> incompatible devices.
>
> 2.  No.  Don’t even consider 40MHz unless you’re using almost all the
> DFS channels, but even then you’ll probably have to disable it in some high
> density areas.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *David Blahut
> *Sent:* Monday, September 25, 2017 3:17 PM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Two RF Questions
>
>
>
> Greetings,
>
> I have two hopefully simple RF related questions:
>
> 1.  Should I enable the extended UNII-2 channels campus wide?
>
> 2.  Should I enable 40Mhz channel width campus wide?
>
> In other words what are you doing on your campus and what is the "best
> practice"?
>
>
>
> Our wireless infrastructure:
>
>
>
> 3 Cisco 5508s running 8.2.141.0
>
>
>
> 20 - 3800 APs
>
> 368 - 3700 APs
>
> 414 - 3600 APs
>
> 8 - 3500 APs
>
> 7 - 1810 APs
>
> 32 - 1142 APs
>
>
>
> Prime 3.1.0
>
>
>
> Thanks for your input.
>
> David
>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Hunter Fuller
These risks have proven easier to swallow for us. When we have trouble, we
blacklist the username. So far, that has been effective.

On Tue, Aug 15, 2017 at 12:59 Jeffrey D. Sessler <j...@scrippscollege.edu>
wrote:

> “Our campus isn't comfortable with an open ESSID without verifying the
> identity of the user, so that's the value of eduroam - identity.”
>
>
>
> How exactly have you verified the identity of the user? Is it blind trust
> that other EDUs verify and manage identity in the same fashion that your
> campus does? A device that shows up with an account that grants access to
> eduroam is not verification of the person’s identity.
>
>
>
> There are EDUs out there that hand out free (and unverified or lightly
> verified) accounts to their local public, parents, guests, and so on with
> no questions asked. The person fills in a basic online form and they are
> granted an account with limited rights – typically including Library and
> WIFi access. How many of those accounts also work on eduroam?
>
>
>
> It could be interesting to look at the global eduroam data to see just how
> often accounts show up in multiple places simultaneously.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> hf0...@uah.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Tuesday, August 15, 2017 at 7:54 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] EAP-TLS
>
>
>
> Our campus isn't comfortable with an open ESSID without verifying the
> identity of the user, so that's the value of eduroam - identity.
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Hunter Fuller
>
> ---
>
> Bruce Curtis bruce.cur...@ndsu.edu
>
> Certified NetAnalyst II 701-231-8527
>
> North Dakota State University
>
>
>
>
>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Cisco Code Version

2017-08-07 Thread Hunter Fuller
Yeah, it's intriguing to say the least. I will be testing in the lab.
But on a more relevant note, we are not even on 8.5 at all in production.
So... this is "pie in the sky" for us, for now.

On Sun, Aug 6, 2017 at 11:09 AM Ciesinski, Nick <ciesi...@uww.edu> wrote:

> I think it may be possible but there are a few hurdles to get over.  Cisco
> is using the catch all RADIUS attribute cisco-av-pair for the IPSK which
> means the return value has to be formatted a certain way and not just
> returning a PSK.
>
>
> You first need to return a value of psk-mode=ascii which is easy since it's
> the same for every device.  Then you need to return the actual PSK
> formatted as psk=.  I have never seen an option within ISE (nor
> ACS from my remembrance) to be able to build a value; it's either all
> manually typed in or all gotten from another source.  This would mean
> actually storing "psk=" as an attribute value in your
> AD. Obviously not that hard to do if you are already writing your own
> interface to get items into AD in the first place.
>
>
> What I am unsure about is the ability to actually send back a value you
> get from AD in the RADIUS return result.  While in ISE I can choose an AD
> attribute from the selection criteria I don't know if it will actually send
> the value for the particular user/device or just the attribute name from
> AD.  I have seen ISE allow you to select things like AD:Objectname but
> instead of it returning a value it returns "AD:Objectname".  It's been
> years since I have used ACS but recall it working similar when building
> your rules and return results.
>
>
> It is worth testing in a lab to see what it will actually return, if it's
> the actual value from AD I'd say you're good to go.
>
>
> Nick
>
>
> ------
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> hf0...@uah.edu>
> *Sent:* Friday, August 4, 2017 4:59 PM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Cisco Code Version
> You're right, I had misread that.
>
> Upon reading it that way, though, isn't that fine too? The person's device
> reports its MAC, and then ACS or any other RADIUS just responds with that
> MAC's owner's assigned PSK. If the device's MAC isn't known, we just
> respond with an empty or garbage PSK to prevent them authenticating.
>
> On Fri, Aug 4, 2017 at 4:13 PM Ciesinski, Nick <ciesi...@uww.edu> wrote:
>
>> I think you're going to have the same problem with ACS as there is with
>> ISE.  The controller does not send the PSK the user used to the RADIUS
>> server for verification/validation.  Instead the RADIUS server will send
>> back the PSK value the user/device should be using and the WLC does the
>> verification/validation based on that return value.
>>
>> Nick
>>
>> On Aug 4, 2017, at 4:02 PM, Hunter Fuller <hf0...@uah.edu> wrote:
>>
>> Yep - we use Cisco ACS, backed with AD. Should be able to just add
>> another rule to our ruleset, then configure iPSK on the controllers. Then
>> it would check the PSK against AD, as the machine password for the machine
>> account. (We already make machine accounts for registered MACs of game
>> consoles, etc.)
>>
>> On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold <joac...@tingvold.com>
>> wrote:
>>
>>> On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
>>> > While WLC 8.5 did add IPSK it is probably safe to say it's rather
>>> > worthless for most at this time.  For those who have used ISE if you
>>> > watch the video on how they make IPSK work it isn’t feasible to give
>>> > each of your users their own PSK key to connect to wireless.  The
>>> > current implementation within ISE required no feature additions to ISE
>>> > to make it work.  All they do is have a rule to classify a device
>>> > and/or user and then send a particular PSK value that it should be
>>> > using.  This is a 100% manual process  for each device and/or user as
>>> > nothing is baked into ISE to have a user register their account or
>>> > device(s) and be presented a PSK to use.
>>>
>>> IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
>>> is not (even in its current implementation). The limitations you're
>>> talking about are purely with ISE, and not IPSK.
>>>
>>> We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
>>> mappings, yielding unique PSKs based on MAC addresses. 

Re: [WIRELESS-LAN] Cisco Code Version

2017-08-04 Thread Hunter Fuller
You're right, I had misread that.

Upon reading it that way, though, isn't that fine too? The person's device
reports its MAC, and then ACS or any other RADIUS just responds with that
MAC's owner's assigned PSK. If the device's MAC isn't known, we just
respond with an empty or garbage PSK to prevent them authenticating.

On Fri, Aug 4, 2017 at 4:13 PM Ciesinski, Nick <ciesi...@uww.edu> wrote:

> I think you're going to have the same problem with ACS as there is with
> ISE.  The controller does not send the PSK the user used to the RADIUS
> server for verification/validation.  Instead the RADIUS server will send
> back the PSK value the user/device should be using and the WLC does the
> verification/validation based on that return value.
>
> Nick
>
> On Aug 4, 2017, at 4:02 PM, Hunter Fuller <hf0...@uah.edu> wrote:
>
> Yep - we use Cisco ACS, backed with AD. Should be able to just add another
> rule to our ruleset, then configure iPSK on the controllers. Then it would
> check the PSK against AD, as the machine password for the machine account.
> (We already make machine accounts for registered MACs of game consoles,
> etc.)
>
> On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold <joac...@tingvold.com>
> wrote:
>
>> On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
>> > While WLC 8.5 did add IPSK it is probably safe to say it's rather
>> > worthless for most at this time.  For those who have used ISE if you
>> > watch the video on how they make IPSK work it isn’t feasible to give
>> > each of your users their own PSK key to connect to wireless.  The
>> > current implementation within ISE required no feature additions to ISE
>> > to make it work.  All they do is have a rule to classify a device
>> > and/or user and then send a particular PSK value that it should be
>> > using.  This is a 100% manual process  for each device and/or user as
>> > nothing is baked into ISE to have a user register their account or
>> > device(s) and be presented a PSK to use.
>>
>> IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
>> is not (even in its current implementation). The limitations you're
>> talking about are purely with ISE, and not IPSK.
>>
>> We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
>> mappings, yielding unique PSKs based on MAC addresses. This SQL DB could
>> be fed via whatever systems that already exists (CMDB or whatnot), or
>> you could spend an hour making a simple web-frontend.
>>
>> The only thing holding us back upgrading to 8.5 "right away" (only to
>> get IPSK) is the same concern Lee has; not touching it until MR3 or
>> similar, purely for stability reasons (-:
>>
>> --
>> Joachim
>>
>>
> --
>
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
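
The MAC-keyed lookup discussed in this message, as an added example (not code from the thread, Cisco, or any RADIUS product): given the device's MAC, build the two `cisco-av-pair` values Nick names (`psk-mode=ascii` and `psk=` followed by the key). Function names, the registry and its MACs and PSKs are constructed for illustration; for an unknown MAC this sketch returns a fresh random PSK per request rather than an empty or fixed one, which is an assumption about how to make "garbage" unguessable.

```python
import re
import secrets
import string
from typing import Optional

# Constructed sample registrations (normalized MAC -> per-device PSK).
# In the thread this data would live in AD or an SQL table.
REGISTERED = {
    "02005e100001": "dorm-console-psk-7731",
    "02005e100002": "short",  # deliberately invalid: below the 8-char minimum
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Reduce common MAC spellings (aa:bb.., AA-BB.., aabb.ccdd.eeff)
    to 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", calling_station_id).lower()
    return digits if _HEX12.match(digits) else None


def valid_ascii_psk(psk: str) -> bool:
    """A WPA2 ASCII passphrase is 8 to 63 printable ASCII characters."""
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def random_psk(length: int = 32) -> str:
    """Unguessable throwaway key, so an unregistered device cannot
    complete the handshake and no shared 'reject' secret exists to leak."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ipsk_reply(calling_station_id: str, registry=REGISTERED) -> dict:
    """Return the reply values for one device. 'known' is for logging
    and alerting only; it is not sent to the controller."""
    mac = normalize_mac(calling_station_id)
    psk = registry.get(mac) if mac else None
    known = psk is not None and valid_ascii_psk(psk)
    if not known:
        # Unknown MAC, malformed MAC, or a stored key the controller
        # could not use: answer with a one-time random key instead.
        psk = random_psk()
    return {
        "known": known,
        "cisco-av-pair": ["psk-mode=ascii", f"psk={psk}"],
    }


if __name__ == "__main__":
    for csid in ("02-00-5E-10-00-01", "0200.5e10.0001", "02:00:5e:10:00:99"):
        reply = ipsk_reply(csid)
        print(csid, "known" if reply["known"] else "unknown",
              reply["cisco-av-pair"][0])
```

Logging every request where `known` is false gives a record of unregistered devices attempting the SSID without exposing any key.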




Re: [WIRELESS-LAN] Cisco Code Version

2017-08-04 Thread Hunter Fuller
Yep - we use Cisco ACS, backed with AD. Should be able to just add another
rule to our ruleset, then configure iPSK on the controllers. Then it would
check the PSK against AD, as the machine password for the machine account.
(We already make machine accounts for registered MACs of game consoles,
etc.)

On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold <joac...@tingvold.com>
wrote:

> On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
> > While WLC 8.5 did add IPSK it is probably safe to say it's rather
> > worthless for most at this time.  For those who have used ISE if you
> > watch the video on how they make IPSK work it isn’t feasible to give
> > each of your users their own PSK key to connect to wireless.  The
> > current implementation within ISE required no feature additions to ISE
> > to make it work.  All they do is have a rule to classify a device
> > and/or user and then send a particular PSK value that it should be
> > using.  This is a 100% manual process  for each device and/or user as
> > nothing is baked into ISE to have a user register their account or
> > device(s) and be presented a PSK to use.
>
> IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
> is not (even in its current implementation). The limitations you're
> talking about are purely with ISE, and not IPSK.
>
> We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
> mappings, yielding unique PSKs based on MAC-addresses. This SQL DB could
> be fed via whatever systems that already exist (CMDB or whatnot), or
> you could spend an hour making a simple web-frontend.
>
> The only thing holding us back from upgrading to 8.5 "right away" (only to
> get IPSK) is the same concern Lee has; not touching it until MR3 or
> similar, purely for stability reasons (-:
>
> --
> Joachim
>
-- 

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] New Crazy Wireless Devices

2017-07-31 Thread Hunter Fuller
We saw a surge of these after the 2015 holiday season. Like other gaming
devices, we MAC whitelist, and recommend that the users use wired if
possible. Haven't seen much trouble out of them.

On Mon, Jul 31, 2017 at 3:39 PM Peter P Morrissey <ppmor...@syr.edu> wrote:

> Wondering if anyone has noticed any new trends in popular wireless devices
> that we might expect returning students to want to connect in their
> residences when they return?
>
>
>
> Not being a gamer, this one was new to me. It apparently streams games
> running on your laptop to your TV over a WiFi connection and also provides
> input for controllers. Seems like something that could use up a bit of
> bandwidth. The good news is that it appears to support 11ac.
>
>
>
> http://store.steampowered.com/app/353380/Steam_Link/
>
>
>
> Pete Morrissey
>
>
>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] eduroam AUP question

2017-07-14 Thread Hunter Fuller
I am ready to assign our good fortune to luck. I was wondering where we had
been using up all our good luck, and this must be it.

Back on topic, our general network AUP, referenced in our handbook, notes
that one must accept the eduroam AUP in order to use that service.

On Fri, Jul 14, 2017 at 1:12 PM Oliver, Jeff <jeff.oli...@uleth.ca> wrote:

> You must have smarter PhDs
>
>
>
> Cheers,
>
> Jeff
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Hunter Fuller
> *Sent:* Friday, July 14, 2017 12:10 PM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> But, when you say to advise them, "when you need access to trusted
> resources when off campus, please use the VPN" - that's the same advice we
> give them. There's no difference in that advice just because their home
> network is eduroam.
>
>
>
> We emphasize the difference just as you did - "when you are not at UAH,
> use VPN." The difference in network names doesn't really come up, in my
> experience.
>
>
>
> On Fri, Jul 14, 2017 at 1:07 PM Oliver, Jeff <jeff.oli...@uleth.ca> wrote:
>
> While that may be true, it does not address the social aspect of the
> implementation.
>
>
>
> Even if we were to configure the SSID in the back so that my users connect
> internally when they use eduroam on my campus and external users get
> connected to whatever network and services I configure for the externals,
> it leads to a support issue. Trying to support my users when they go off
> campus and suddenly do not have access to some service that they need
> without a VPN poses a problem. The very fact that not all institutions have
> different implementations of what they allow creates this dichotomy of how
> eduroam works from a layer 7/8 perspective. If I required my own users to
> VPN when on campus, well let’s say that it would not go well for me.
>
>
>
> Much simpler to have an on-campus (preferred network) for when they are at
> home and eduroam configured on their client for when they are not. And then
> say when you need access to trusted resources when off campus, please use
> the VPN. Regardless of what the network is – eduroam, starbucks, home.
>
>
>
>
>
> Cheers,
>
> Jeff
>
>
>
> ---
>
>
>
> Jeffrey L. Oliver
>
> Manager, Network and Telecommunications
>
> Information Technology Services
>
> The University of Lethbridge
>
> 4401 University Drive, Lethbridge, Alberta, T1K 3M4
>
>
>
> Tel: 403.329.5162
>
> Mob: 403.315.4461
>
>
>
> URI:   jeff.oli...@uleth.ca
>
> Web:http://www.uleth.ca/information-technology/
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Frans Panken
> *Sent:* Friday, July 14, 2017 11:58 AM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
>
>
> eduroam uses WPA2-enterprise (= RADIUS). A fundamental component of RADIUS
> is a client's validation of the RADIUS server's identity. As a consent to
> the supplicant, the user must check that identity. The authentication
> ALWAYS occurs end-to-end, at every institution you visit. Your OS stores
> the server’s certificate. Your supplicant will ask you to validate another
> RADIUS server when the certificate does not match. That is when all bells
> and whistles should go off. Part of a user’s lessons of ICT, next to
> checking the certificate in a browser.
>
> The exception for user’s/client’s validation is Android but the eduroam
> community fixed that with the CAT tool.
>
> -Frans
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Oliver, Jeff" <
> jeff.oli...@uleth.ca>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, 14 July 2017 at 19:47
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> Seconded.
>
>
>
>
>
> Cheers,
>
> Jeff
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey D. Sessler
> *Sent:* Friday, July 14, 2017 11:30 AM

Re: [WIRELESS-LAN] eduroam AUP question

2017-07-14 Thread Hunter Fuller
en lured into trusting eduroam no matter where they go – to
> me that’s a bad design. You now have to tell your users two stories i.e.
> When on campus trust eduroam, when off campus, best use a VPN or else.
> That’s simply poor user implementation since the user will likely forget
> the “or else” part.
>
>
>
> In keeping eduroam as a “guest” network, you tell users one story. When on
> campus, use the “MyCollege” SSID, and when traveling, use eduroam and a VPN
> client. The user now has a clear understanding of how to trust eduroam.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Davis, Kevin" <
> keda...@davidson.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 10:15 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> With modern network architecture, it’s fairly easy and I would argue a
> preferred design to use “eduroam” as the SSID for everything, while on the
> back end segmenting your students/faculty/staff to access levels and
> experience identical to whatever “MyCollege” SSID you had before.
>
>
>
> No impact to them functionally; easy to implement; reduces SSIDs for you;
> helps users recognize and trust eduroam when they travel; and their devices
> roam automatically in the future.
>
>
>
> Kevin
>
>
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elizabeth Shannon <
> esh...@ksu.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 12:54 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> Not that I am disagreeing with Jeff, but is the intent of the eduroam
> network simply as a guest network. I see many benefits of eduroam, but I
> would like to understand the intent of eduroam, so that our constituents
> have a more consistent experience as they utilize eduroam. We have guests
> on our campus, but we have no way of easily finding a guest and having a
> conversation with them if necessary. With eduroam, I can contact the host
> institution and they can decide if they are going to allow their user to
> continue the use of eduroam. If we truly need to speak with the user,
> they can facilitate our interaction with the user. Perhaps, I am in the
> minority. Thanks.
>
>
>
> --
>
> Elizabeth Shannon, CIPT
>
> Kansas State University
>
> Information Security and Compliance
>
> 785.532.2540
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" <
> j...@scrippscollege.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 11:29 AM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> As eduroam is really a guest network, I would never make it the primary
> network for my users. Best to treat/deploy it as a slightly better
> version of the WiFi you can get at Starbucks or McDonalds.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <
> da...@udel.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 8:14 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> Seems to me that it's much easier now to just forget eduroam, remove it
> from campus, and go back to our
> branded Wifi.
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] eduroam AUP question

2017-07-14 Thread Hunter Fuller
stion
>
>
>
> As eduroam is really a guest network, I would never make it the primary
> network for my users. Best to treat/deploy it as a slightly better
> version of the WiFi you can get at Starbucks or McDonalds.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <
> da...@udel.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 8:14 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> Seems to me that it's much easier now to just forget eduroam, remove it
> from campus, and go back to our
> branded Wifi.
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Consumer devices - SSID or AP blocking/excluding

2017-05-12 Thread Hunter Fuller
k Engineering & Operations
>
> *T *303 492 2193
>
> *C* 720 934 2565
>
>
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Hunter Fuller
Curtis,

That makes sense. But, if a user set up an evil twin on your campus, it
would not matter, because you are using EAP-TLS, right? So you're not
vulnerable to the attack where a user's credentials might be exposed.

If they wanted to exploit some other flaw that can be exploited via evil
twin, they could still do it to your branded network.

It is also possible that I am totally misinformed on this, because we run
PEAP, so it's a totally different beast with different mitigations.

On Fri, Apr 28, 2017 at 10:17 AM Curtis K. Larsen <curtis.k.lar...@utah.edu>
wrote:

> I guess it boils down to an attacker being less likely to set up a fake
> AP/evil twin on the property of an institution that does not support PEAP
> vs. one that does.
>
> -Curtis
>
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> hf0...@uah.edu>
> Sent: Friday, April 28, 2017 8:51 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> I'm still not sure I follow.
>
> It sounds like, in your current config, you have your constituents use
> EAP-TLS, and cannot use PEAP. Meanwhile your visitors use whatever their
> home institution offers.
>
> If you ran with only the eduroam ESSID, you could run with the same
> config. Your constituents are unable to use PEAP, and must use EAP-TLS home
> and abroad. At the same time, your visitors continue to use whatever their
> home institution offers. This is a viable config.
>
> I understand keeping two ESSIDs for branding though of course. We were
> lucky as we didn't have branded ESSIDs before eduroam either. So it was no
> loss to move to eduroam.
>
> On Fri, Apr 28, 2017 at 09:41 Curtis K. Larsen <curtis.k.lar...@utah.edu>
> wrote:
> My point is not that eduroam mandates a given EAP type.  My point is that
> if a given EAP type presents a vulnerability to users that will come into
> my institution's property but I allow it anyway so that another
> institution's configuration will be compatible - then I have surrendered a
> better security stance to facilitate that compatibility.  This is because
> the SSID is the same.
>
> On the other hand, if I have a unique university SSID - I can easily
> choose the EAP type and thus mitigate the vulnerability more fully - this
> is now easy to do with various onboarding tools.  With HS 2.0 the roaming
> agreements can still be in place and we don't care about the SSID.  To me
> that sounds like the best of both worlds.
>
> -Curtis
>
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Cappalli, Tim (Aruba
> Security) <t...@hpe.com>
> Sent: Friday, April 28, 2017 3:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> Can you elaborate on this comment?
>
> “whereas with eduroam we were kind of locked-in to the PEAP model.”
>
> Eduroam is EAP agnostic.
>
>
>
>
> On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Curtis K. Larsen" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu>
> wrote:
>
> We also use eduroam and a university SSID and one benefit I've seen is
> that when our CISO decided to deprecate PEAP due to the "fake AP/MITM -
> exposed password" issue and favor EAP-TLS - we could easily control our own
> destiny with our own SSID whereas with eduroam we were kind of locked-in to
> the PEAP model.  Lesser security will often result when universal
> compatibility is the goal.  I mean we could force our own users to use
> EAP-TLS at home and abroad but in my opinion we could not truly say that
> we've done everything possible to mitigate the PEAP vulnerability while
> still propping up a PEAP SSID org-wide even if PEAP only ends up being used
> by visitors.
>
> We currently offer long-term EAP-TLS connections on our university
> SSID to any guest willing to provide an SMS number (Cloudpath Feature).  It
> turns out that the SMS-capable phone carrying population is much larger
> than those with eduroam credentials so far, and phone numbers are possibly
> more valuable to administrators than AD credentials of participating
> institutions in resolving issues.  In my 
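
Added example, not part of any message in this archive: the thread above turns on whether a client validates the RADIUS server before a PEAP password exchange, and on EAP-TLS not handing a password to a fake AP. This Python sketch audits wpa_supplicant network blocks for that validation; the sample configuration, SSIDs, paths and the severity labels are constructed assumptions.

```python
# EAP methods that run a password-based inner exchange inside the TLS tunnel.
PASSWORD_METHODS = {"PEAP", "TTLS"}
# wpa_supplicant options that tie the session to the expected server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")

# Constructed sample configuration: every name, path and secret is made up.
SAMPLE_CONF = """
# 1: PEAP with no server validation at all
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
}
# 2: PEAP with the CA pinned and the server name checked
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
# 3: EAP-TLS with a CA but no server name check
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.edu"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    client_cert="/etc/wpa/user.pem"
    private_key="/etc/wpa/user.key"
}
# 4: open onboarding network, not 802.1X
network={
    ssid="get-connected"
    key_mgmt=NONE
}
"""

def parse_networks(conf_text):
    """Return one {option: value} dict per network={...} block."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key] = value.strip('"')
    return networks

def audit_network(net):
    """Return (severity, message) findings for one parsed block."""
    key_mgmt = net.get("key_mgmt", "").upper().split()
    if not any("EAP" in k or k == "IEEE8021X" for k in key_mgmt):
        return []  # PSK or open network: out of scope for this check
    methods = set(net.get("eap", "").upper().split())
    password_based = bool(methods & PASSWORD_METHODS)
    has_ca = bool(net.get("ca_cert") or net.get("ca_path"))
    has_name = any(net.get(opt) for opt in NAME_CHECKS)
    findings = []
    if not has_ca:
        # Without a CA, wpa_supplicant does not verify the server certificate.
        severity = "high" if password_based else "medium"
        findings.append((severity, "no ca_cert/ca_path: server certificate "
                                   "is not verified"))
    elif not has_name:
        severity = "medium" if password_based else "low"
        findings.append((severity, "CA set but no server name match: any "
                                   "certificate from that CA is accepted"))
    return findings

def audit_config(conf_text):
    """Audit every block; return a list of (block number, ssid, findings)."""
    return [(number, net.get("ssid", "?"), audit_network(net))
            for number, net in enumerate(parse_networks(conf_text), start=1)]

if __name__ == "__main__":
    for number, ssid, findings in audit_config(SAMPLE_CONF):
        if not findings:
            print(f"block {number} ({ssid}): ok")
        for severity, message in findings:
            print(f"block {number} ({ssid}): [{severity}] {message}")
```
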

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Hunter Fuller
ity's network and telecomm status @
> https://itsnoc.slustatus.org
>
>
>
>
>
>
>
>
> --
> John Heartlein | Manager - ITS Infrastructure Operations | Saint Louis
> University<http://www.slu.edu/>
> 3545 Lindell Boulevard, The Marvin and Harlene Wool Center | T
> 314-977-5025
>
> Do you like our work? Let us know @
> http://www.slu.edu/its/about-its/its-recognition
> Check the University's network and telecomm status @
> https://itsnoc.slustatus.org
>
>
>
>
>
-- 

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-25 Thread Hunter Fuller
Just like Brian mentioned, we sort users based on their attributes. If you
are staff, and you connect to eduroam, you end up on the staff network.

Those who didn't go that route, but instead kept the other ESSID for
separation, what did you find the shortcomings were with the
attribute-based method? (Are we about to regret doing this, is really what
I'm asking.)

On Tue, Apr 25, 2017 at 1:10 PM Stephen Belcher 
wrote:

> That is the same situation with WVU. We maintain WVU.Encrypted for
> faculty, staff and students. We treat those users as “on campus”.
>
> We treat WVU.Guest and Eduroam as “off campus".
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fligor, Debbie
> Sent: Monday, April 24, 2017 4:38 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> I can’t speak for the campuses you named, but we have not switched to
> eduroam as our main SSID, and we have no current plans to. I’m sure someone
> is happy about the branding somewhere, but it’s also for technical reasons.
> Eduroam, like our guest wireless, is routed outside our campus border
> firewall. When you are on our campus's IllinoisNet SSID you are on the
> campus side of the border firewall and have more access to campus resources
> than you do when you are on the eduroam SSID or our IllinoisNet_Guest
> SSID.  Our campus network design has very little internal firewalling - the
> majority of the protection for offices, labs, classrooms, wireless, and
> anything other than University-wide Admin applications is the border
> firewall. So putting guests on the outside, and faculty, staff and students
> on the inside is important.
>
> Additionally the firewall for the eduroam network is set up to allow the
> minimum ports required by the eduroam agreement, so that when our faculty,
> staff and students test that something works on eduroam before they travel,
> they are reasonably well guaranteed it will work on any eduroam net
> anywhere. With our change from Meru/Radiator to Aruba/Clearpass last
> summer, it’s likely that it would be much simpler to drop eduroam users
> that are local onto a “different” version of eduroam that was on the campus
> side of the border firewall, but then the user experience on eduroam here
> would not be the same experience as if they were at a different site
> providing eduroam. Both in what ports were allowed in/out of the eduroam
> network and much more importantly how connections to campus resources
> function for networks off-campus. We want users to have a consistent
> experience with how eduroam works for their use cases, regardless of
> whether they are on our campus or somewhere else.
>
>
> To answer the other questions, we currently have 3 non-eduroam SSIDs:
>
> - our main SSID that is inside the campus border firewalls is 802.1x
> - we have an open guest SSID that uses the Clearpass guest captive portal system
> - we have a devices SSID that is MAC auth but I believe this one is being phased
>   out in favor of using features in ClearPass to do something similar. This
>   is mostly for gaming consoles and the things that really can’t do 802.1x.
>
>
> It’s been quite a few years since I ran the wireless network on our
> campus, but I believe I’ve got the current technical details correct, Chuck
> can correct me if I got anything wrong.
>
>
> --
> -debbie
> Debbie Fligor, n9dn   Lead Network Engineer @ Univ. of Il at
> Urbana-Champaign
> email: fli...@illinois.edu
>
>
>
> > On Apr 24, 2017, at 14:18, Marcelo Maraboli 
> wrote:
> >
> > I would like to thank all who responded.
> >
> > Everybody who responded is making EduRoam their main SSID
> > deprecating their old SSID (MAC or .1x).
> >
> > I still wonder why Universities like MIT,Harvard,Stanford and Berkeley
> > only use Eduroam as a secondary SSID and still keep their main SSID.
> > The only thing I can think of is branding.
> >
> >
> >
> > thanks.
> >
> >
> > On 4/20/17 6:16 PM, Marcelo Maraboli wrote:
> >> Hello everyone.
> >>
> >> We are finally adopting EduROAM in our University and we currently have one
> >> SSID with MAC-based authentication, so moving to EduROAM is also a 802.1x upgrade
> >> for us as well.
> >>
> >> Would you be so kind to respond a couple of questions?:
> >>
> >>
> >> If you adopted EduROAM as your primary SSID:
> >> - Did you leave an SSID for legacy devices ? (What AUTH mechanism for this SSID?)
> >> - How did you "force-move" your users to EduROAM from your old SSID ?
> >>
> >> If you added EduROAM as just another SSID:
> >> - why not adopt EduROAM as your primary SSID ?  (Branding or no interest? )
> >> - Is your primary SSID also 802.1x or MAC-based ?
> >> - if 802.1x, why have 2 SSIDs with 802.1x ?
> >>
> >>

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-24 Thread Hunter Fuller
On Thu, Apr 20, 2017 at 4:30 PM Marcelo Maraboli 
wrote:

> - Did you leave an SSID for legacy devices ? (What AUTH mechanism for this
> SSID?)
>

Our "UAH Get Connected" ESSID is wide open, and will assist users with
connecting to eduroam. It also doubles as our legacy/gaming/streaming
device ESSID.


> - How did you "force-move" your users to EduROAM from your old SSID ?
>

We are in the process of doing this. We've publicly given warning about
moving to eduroam for about a year via email and usual advertisement
channels. Later this year, our legacy ESSIDs will be turned off.




Re: [WIRELESS-LAN] Dorm Wireless Authentication

2017-03-28 Thread Hunter Fuller
Your replies have addressed what I was asking wrt security concerns. Thanks
for the detail.

On Tue, Mar 28, 2017 at 9:34 AM Lee H Badman  wrote:

> We don’t see a lot of bad coming out of the gadgets. If a laptop lands on
> that network- which is still security monitored- and does something bad,
> odds are extremely high that the device has also been used on the secure
> network because that’s where anything to do with campus is done. Our logs
> are rich, so it’s easy to correlate same device on multiple networks. If
> “bad” happens and we truly can’t find them period in logs for identity,
> the degree of “bad” drives what happens next. But we have worked through
> every scenario we could think of and derived procedural answers that work
> for us.
>
>
>
> -Lee
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Bucklaew, Jerry
> *Sent:* Tuesday, March 28, 2017 10:22 AM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Dorm Wireless Authentication
>
>
>
> How do you track them down when they do something bad?
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
> *Sent:* Tuesday, March 28, 2017 10:18 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Dorm Wireless Authentication
>
>
>
> Absolutely no device restrictions. No preshare. Get on and go. But zero
> campus access, that requires using the authenticated network.
>
>
>
> *Lee Badman* | Network Architect
>
> Adjunct Instructor | CWNE #200
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * f* 315.443.4325
> *e* lhbad...@syr.edu *w* its.syr.edu
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Thomas Carter
> *Sent:* Tuesday, March 28, 2017 10:04 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Dorm Wireless Authentication
>
>
>
> Is it restricted to only “gadgets and games”, or is it used for laptops as
> well? A majority of the services our students use are Internet facing also,
> so Internet-only access would still give them access to the services they
> need.
>
>
>
> I assume there is an authenticated SSID also?
>
> *Thomas Carter*
> Network & Operations Manager / IT
>
> *Austin College*
> 900 North Grand Avenue
> Sherman, TX 75090
>
> Phone: 903-813-2564
> www.austincollege.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
> *Sent:* Tuesday, March 28, 2017 8:23 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Dorm Wireless Authentication
>
>
>
> After kicking tires on leading classification engines and weighing
> solution dollars and support costs, we opted to pilot a wide open "gadget
> and games" SSID in the dorms that only have Internet access for all the
> oddballs. With almost a full year in, it's been very well used and received
> and we've been able to answer all of our own security questions that anyone
> would be contemplating. I think we'll be moving forward with this model.
>
> Lee Badman (mobile)
>
>
> On Mar 28, 2017, at 7:48 AM, Osborne, Bruce W (Network Operations) <
> bosbo...@liberty.edu> wrote:
>
> Here is another vote for ClearPass with Aruba wireless.
>
>
>
> When an Apple TV is registered, it is also registered as an AirGroup
> personal device so the owner’s 802.1X Apple device can use AirPlay to
> display content on the device. We also use Aruba’s Dynamic Multicast
> Optimization to provide multicast IPTV over wireless.
>
>
>
>
>
> *Bruce Osborne*
>
> *Senior Network Engineer*
>
> *Network Operations - Wireless*
>
>  *(434) 592-4229*
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Robert Spellman [mailto:rsp...@bates.edu ]
> *Sent:* Monday, March 27, 2017 9:33 AM
> *Subject:* Re: Dorm Wireless Authentication
>
>
>
> We use Aruba Clearpass, and have two SSID's on campus, one which is
> 802.1X, and the other open, doing MAC based authentication.  Clearpass
> allows users to register their own devices for MAC authentication by
> logging into the Clearpass guest portal.  Students can register devices for
> a year, while guests can register devices for 2 days.
>
>
>
> Rob
>
>
>
> Robert Spellman
>
> Bates College
>
> Information and Library Services
>
>
>
> On Mon, Mar 27, 2017 at 9:16 AM, Chris Brezil 
> wrote:
>
> Good morning everyone,
>

Re: [WIRELESS-LAN] Dorm Wireless Authentication

2017-03-28 Thread Hunter Fuller
How do you handle security concerns, DMCA, and law enforcement requests for
this ESSID?

On Tue, Mar 28, 2017 at 8:23 AM Lee H Badman  wrote:

After kicking tires on leading classification engines and weighing solution
dollars and support costs, we opted to pilot a wide open "gadget and games"
SSID in the dorms that only have Internet access for all the oddballs. With
almost a full year in, it's been very well used and received and we've been
able to answer all of our own security questions that anyone would be
contemplating. I think we'll be moving forward with this model.

Lee Badman (mobile)

On Mar 28, 2017, at 7:48 AM, Osborne, Bruce W (Network Operations) <
bosbo...@liberty.edu> wrote:

Here is another vote for ClearPass with Aruba wireless.



When an Apple TV is registered, it is also registered as an AirGroup
personal device so the owner’s 802.1X Apple device can use AirPlay to
display content on the device. We also use Aruba’s Dynamic Multicast
Optimization to provide multicast IPTV over wireless.





*Bruce Osborne*

*Senior Network Engineer*

*Network Operations - Wireless*

 *(434) 592-4229*

*LIBERTY UNIVERSITY*

*Training Champions for Christ since 1971*



*From:* Robert Spellman [mailto:rsp...@bates.edu ]
*Sent:* Monday, March 27, 2017 9:33 AM
*Subject:* Re: Dorm Wireless Authentication



We use Aruba Clearpass, and have two SSID's on campus, one which is 802.1X,
and the other open, doing MAC based authentication.  Clearpass allows users
to register their own devices for MAC authentication by logging into the
Clearpass guest portal.  Students can register devices for a year, while
guests can register devices for 2 days.



Rob



Robert Spellman

Bates College

Information and Library Services



On Mon, Mar 27, 2017 at 9:16 AM, Chris Brezil  wrote:

Good morning everyone,

We are planning a larger scale roll out of wireless in our dorms. Currently
we mainly just cover some of the common areas and students for the most
part bring in their own routers. As most folks can appreciate, this has
caused years of technical problems and is also not seen as great customer
service.

On our main campus Wi-Fi, we have people authenticate using 802.1X RADIUS
authentication using their university username and password. We have some
concerns about doing this in the dormitories however. We know that students
bring all sorts of consumer grade devices that require network access into
their rooms, such as Apple TV, Amazon Echos, etc. Many of these devices
will not work with username and password authentication and we are not
looking to MAC exclude these devices on the network, given the overhead of
setting this up. So we are looking possibly at doing WPA Personal with a
passphrase that would be given to students.

What are others doing? Has this come up as an issue for any of you?

Best,

Chris


-- 

CHRIS BREZIL
*ASSISTANT VICE PRESIDENT, ENTERPRISE OPERATIONS*
INFORMATION TECHNOLOGY 

71 FIFTH AVENUE, 9th FLOOR, NEW YORK, NY 10003
brez...@newschool.edu | 212.229.5300 x4512




Re: [WIRELESS-LAN] 2.4 vs 5

2017-03-07 Thread Hunter Fuller
Also, I think saying that students "save $30 on the laptop buying it with
just the 2.4 radio" implies an unrealistic degree of involvement in the
technical aspects of buying a new computer. If people thought this way, I
think we would see this problem less often, because everyone loves fast
Internet connections. But those selling the computers are, more than
likely, unable to articulate the benefits of the 5GHz card, if they even
know which computers have them at all.

On Tue, Mar 7, 2017 at 11:43 AM Wyatt Schill  wrote:

> Certainly not an option for us, being a community college means a lot of
> low income students.  Possibly why I still see several handfuls of iPhone 4
> phones (circa 2010) on my wifi.  Lots of 2.4 only devices, and I don’t see
> that changing for a while.
>
>
>
>
>
>
>
> Wyatt Schill
>
> Senior Network Engineer
>
> CCNP–R : CCNA-Security
>
> Green River College
>
> 12401 SE 320th St. Auburn, WA 98092
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Danny Eaton
> *Sent:* Tuesday, March 7, 2017 7:20 AM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 2.4 vs 5
>
>
>
> I see so many IoT devices that are 2.4 only; as well as the students save
> $30 on the laptop buying it with just the 2.4 radio (but it’s 802.11n!)
> that many of them come that way as well.  We’re testing a “Rice Owls” (dual
> band) and a “Rice Owls 5 GHz” (uhm, 5 GHz only, of course) in limited
> areas, and so far, the results are positive.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Coehoorn, Joel
> *Sent:* Monday, March 06, 2017 10:45 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 2.4 vs 5
>
>
>
> We still have a lot of devices (especially low-end smartphones) that only
> have 2.4 radios.
>
>
>
>
> Joel Coehoorn
> Director of Information Technology
> 402.363.5603
> *jcoeho...@york.edu *
>
> *Please contact helpd...@york.edu  for technical
> assistance.*
>
>
>
> The mission of York College is to transform lives through
> Christ-centered education and to equip students for lifelong service to
> God, family, and society
>
>
>
> On Mon, Mar 6, 2017 at 10:42 AM, Oliver, Jeff 
> wrote:
>
> Folks, just wondering how many PSI’s have successfully turned off your 2.4
> and gone 5GHz only? And how much blowback?
>
>
>
>
>
> Cheers,
>
> Jeff
>
>
>
> ---
>
>
>
> Jeffrey L. Oliver
>
> Manager, Network and Telecommunications
>
> Information Technology Services
>
> The University of Lethbridge
>
> 4401 University Drive, Lethbridge, Alberta, T1K 3M4
>
>
>
> Tel: 403.329.5162
>
> Mob: 403.315.4461
>
>
>
> URI:   jeff.oli...@uleth.ca
>
> Web:http://www.uleth.ca/information-technology/
>
>
>



Re: [WIRELESS-LAN] 2.4 vs 5

2017-03-06 Thread Hunter Fuller
Yes, we are attempting this strategy, but so far the rejoicing has been
more limited than one might hope. Will let everyone know if that changes.

On Mon, Mar 6, 2017 at 21:10 Ian Lyons <ily...@rollins.edu> wrote:

> My $.02
>
> You need both bands.  Build out your network for 5.0 GHz range circles
> around an AP (with some overlap) using a program to map out the wifi space
> and turn off extraneous 2.4 radios.
>
> Balance is achieved, users can connect on almost every device and there
> will be rejoicing  in the land.
>
> Okay, maybe not the last part.
>
> Ian Lyons
> Network Engineer
> Rollins College
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jake Snyder <
> jsnyde...@gmail.com>
> *Sent:* Monday, March 6, 2017 9:20:11 PM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 2.4 vs 5
> One thing I like in your design is the 5GHz only and dual band.  So many
> people try a 5GHz only and a 2.4Ghz only and it backfires on them.
>
>
>
>
> On Mar 6, 2017, at 3:17 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:
>
> We have a dedicated 5ghz SSID but it’s in addition to our standard which
> is not ideal… too many SSID’s doing the same thing
>
> So our dot1x auth’s are
>
> UofA (2.4&5)
>
> UofA 5ghz (5 only)
>
> eduroam (2.4 & 5)
>
>
>
> We still see plenty of brand new devices on 2.4 only and I was helping a
> student recently who grabbed an old laptop out of hard rubbish. So we are
> stuck with making them work but in doing so we see 5ghz capable devices
> sitting on 2.4 which isn’t so good. The extra SSID was fired up as a test
> and worked, so got stuck there but we still don’t classify it under our
> production since it’s poorly named.
>
>
>
> For end of year I’m proposing the removal of “UofA 5ghz” and making “UofA”
> a 5ghz only SSID with eduroam covering both 5 and 2.4. Our users get the
> same service on eduroam anyway as they would on our branded SSID (IP
> connectivity wise).
>
>
>
> A few years back I posted a discussion about this where we were
> considering something similar but having a 2.4ghz only network as
> UofA-legacy or the 5ghz network as UofA-Premium etc. since the current
> “UofA 5ghz” is technical and users don’t know what it means.  We never got
> to a point where we were fully happy with the plan but in general we
> preferred the idea that if you're 2.4ghz only you go on something called
> legacy to help drive the idea that they would ideally not use such a
> device.
>
>
>
>
>
> --
>
> Jason Cook
>
> Technology Services
>
> The University of Adelaide, AUSTRALIA 5005
>
> Ph: +61 8 8313 4800
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Casey Feskens
> *Sent:* Tuesday, 7 March 2017 4:58 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 2.4 vs 5
>
>
>
> We are currently using a 5GHz only SSID (as well as 2.4) and have been
> trying to encourage students to use it. We recently conducted a survey of
> wireless performance and asked questions about why people were using 2.4
> networks vs. 5GHz. A surprising number of students replied that their
> devices could not see the 5GHz SSID.
>
>
>
> On Mon, Mar 6, 2017 at 10:18 AM, Hunter Fuller <hf0...@uah.edu> wrote:
>
> Similarly, we haven't looked at it. You can walk into Best Buy today and
> walk out with a brand new laptop with no 5GHz wireless.
>
>
>
> On Mon, Mar 6, 2017 at 12:13 PM Jeffrey D. Sessler <
> j...@scrippscollege.edu> wrote:
>
> I don’t think there is a way to get away from 2.4 yet in EDU. For example,
> while most would install high-density 5GHz in every residential room, it’s
> likely cost-prohibitive to accomplish the same in hallways and other areas
> that devices transit but don’t linger. As such, 2.4 is still important for
> “in flight” devices.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Oliver, Jeff" <
> jeff.oli...@uleth.ca>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Monday, March 6, 2017 at 8:42 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *[WIRELESS-LAN] 2.4 vs 5
>
>

Re: [WIRELESS-LAN] 2.4 vs 5

2017-03-06 Thread Hunter Fuller
Similarly, we haven't looked at it. You can walk into Best Buy today and
walk out with a brand new laptop with no 5GHz wireless.

On Mon, Mar 6, 2017 at 12:13 PM Jeffrey D. Sessler 
wrote:

> I don’t think there is a way to get away from 2.4 yet in EDU. For example,
> while most would install high-density 5GHz in every residential room, it’s
> likely cost-prohibitive to accomplish the same in hallways and other areas
> that devices transit but don’t linger. As such, 2.4 is still important for
> “in flight” devices.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Oliver, Jeff" <
> jeff.oli...@uleth.ca>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Monday, March 6, 2017 at 8:42 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *[WIRELESS-LAN] 2.4 vs 5
>
>
>
> Folks, just wondering how many PSI’s have successfully turned off your 2.4
> and gone 5GHz only? And how much blowback?
>
>
>
>
>
> Cheers,
>
> Jeff
>
>
>
> ---
>
>
>
> Jeffrey L. Oliver
>
> Manager, Network and Telecommunications
>
> Information Technology Services
>
> The University of Lethbridge
>
> 4401 University Drive, Lethbridge, Alberta, T1K 3M4
>
>
>
> Tel: 403.329.5162
>
> Mob: 403.315.4461
>
>
>
> URI:   jeff.oli...@uleth.ca
>
> Web:http://www.uleth.ca/information-technology/
>
>
>



Re: [WIRELESS-LAN] SSID names

2017-02-21 Thread Hunter Fuller
Our upcoming onboarding SSID is "UAH Get Connected" and our 802.1X is
"eduroam".

On Tue, Feb 21, 2017 at 14:36 Jim Stasik <jsta...@mc3.edu> wrote:

> Hello, I have been encouraged by one of our governance bodies to consider
> renaming our wireless SSIDs to better match the network names to the
> function of the networks behind them.  I don’t get it, but maybe I am a
> little too close to it.  We don’t have any residential on our campuses so
> have just two primary SSIDs in use on our campus (as well as eduRoam).  One
> is named Public and is our onboarding/guest network.  The other is our
> authenticated/secure network which we call MC3Waves and is for all
> students, staff, faculty and administrators, with 802.1x on the back end to
> steer the end user to the appropriate role.  We have had these network
> around for as long as I can remember (15 years maybe).  I am curious how
> others are naming and separating the SSIDs in their environment?
>
>
>
> Thanks in advance,
>
>
>
> Jim Stasik
>
> Director of Enterprise Infrastructure Services
>
> Montgomery County Community College
>
> jsta...@mc3.edu
>
> 215.641.6678
>
>
>
>
>
> --
>
> Montgomery County Community College is proud to be designated as an
> Achieving the Dream Leader College for its commitment to student access and
> success.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] In room WIFI - second example

2017-02-21 Thread Hunter Fuller
I imagine they are happy because they continue to pay for the connection
from the other ISP.

I also imagine they are happy because I stayed in those same dorms in
2010-2012, had a connection from Knology, and ran my own AP. Worked fine
for me. I'm sure there were a bunch of people in Network Services cursing
me... the same ones I work with now. (Maybe they're still cursing me, for
different reasons. Who knows.)

On Tue, Feb 21, 2017 at 06:39 Osborne, Bruce W (Network Operations) <
bosbo...@liberty.edu> wrote:

> Are they really happy or do they know they have nobody to blame but
> themselves for poor choices?
>
>
>
> Just another thought.
>
>
>
>
>
> *Bruce Osborne*
>
> *Senior Network Engineer*
>
> *Network Operations - Wireless*
>
>
>
>  *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Hunter Fuller [mailto:hf0...@uah.edu]
> *Sent:* Monday, February 20, 2017 1:53 PM
> *Subject:* Re: In room WIFI - second example
>
>
>
> Bruce,
>
>
>
> I have had this mindset for a long time, but I've been questioning it
> recently.
>
> Due to a political situation I won't bother going into, our dorm residents
> are able to purchase internet connections from WideOpenWest or Comcast.
> They set up their own APs and some of our dorms are rogue nightmares. We've
> made a heavy push to 5GHz to combat this.
>
>
>
> But it made me wonder... what is up with this? These students set up the
> cheapest APs they can find at Best Buy, blasting at 10 watts of power
> on 2GHz, right next to 3 other students doing the same thing. All students
> are happy with their Comcast connection and wireless performance. Meanwhile
> UAH invests thousands upon thousands into enterprise wireless and it simply
> cannot operate under those conditions...?
>
> It just makes me wonder, is all...
>
>
>
> On Mon, Feb 20, 2017 at 07:06 Osborne, Bruce W (Network Operations) <
> bosbo...@liberty.edu> wrote:
>
> My first thought is this.
>
> Are these boxes centrally managed? It appears you are using WPA2-Personal.
> If so, it would be a pain to need to revisit each box every year to change
> the PSK.
> How is channel coordination happening to minimize interference?
> How will you handle misbehaving devices DOSing the network while
> minimizing the impact to roommates?
> How are you steering clients to use 5GHz for better performance?
>
> There are reasons there are Enterprise wireless systems with enterprise
> encryption options.
>
> -Original Message-
> From: Michael Blaisdell [mailto:mblaisd...@francis.edu]
> Sent: Sunday, February 19, 2017 8:52 PM
> Subject: In room WIFI - second example
>
> I had posted to the group a few months ago about WAPs in each dorm room.
> I received a number of comments that were very insightful.  Most agreed
> that channel plan in the 2.4 would be next to impossible and the best plan
> would be to turn off maybe every other radio and turn back the power. As
> for 5.8 I believe we agreed that channel width should be a minimum because
> we are not going for speed, we are going for coverage.
>
> I am back at the table with another twist.  I have been testing MikroTik
> HAP AC lite boxes with 4 10/100 ports and both 2.4 and 5.8 radios.  I also
> have the box set up as a router for their room.  I think we can call it a
> DAN.  Dorm Area Network.  The students in the room share a common DHCP
> server and have NAT access to the campus LAN.  This allows the students to
> add devices in their rooms as they need to without affecting the network.
> The HAP also has two way firewall config so I can block all the ports and
> services I would normally but I can do it at the end point.  I guess the
> dorms are running like an individual household and I am the ISP.
>
> Each room has a unique SSID and authentication.
>
> This is just a test in a few locations at this point but it has worked
> great.
>
> I am looking for feedback like last time.   Please feel free to cut hard
> and deep if necessary.  Security issues could be my biggest issues.
>
> Thanks
>
>
>
> Michael Blaisdell
> Director of Network Services
> IT Services
> Learning Commons/Library
> Saint Francis University
> 117 Evergreen Drive
> Loretto, PA  15940
> 814-472-3242
> http://www.francis.edu
> The best way to predict the future is to invent it. Alan Kay
>

Re: [WIRELESS-LAN] In room WIFI - second example

2017-02-20 Thread Hunter Fuller
Bruce,

I have had this mindset for a long time, but I've been questioning it
recently.
Due to a political situation I won't bother going into, our dorm residents
are able to purchase internet connections from WideOpenWest or Comcast.
They set up their own APs and some of our dorms are rogue nightmares. We've
made a heavy push to 5GHz to combat this.

But it made me wonder... what is up with this? These students set up the
cheapest APs they can find at Best Buy, blasting at 10 watts of power
on 2GHz, right next to 3 other students doing the same thing. All students
are happy with their Comcast connection and wireless performance. Meanwhile
UAH invests thousands upon thousands into enterprise wireless and it simply
cannot operate under those conditions...?
It just makes me wonder, is all...

On Mon, Feb 20, 2017 at 07:06 Osborne, Bruce W (Network Operations) <
bosbo...@liberty.edu> wrote:

> My first thought is this.
>
> Are these boxes centrally managed? It appears you are using WPA2-Personal.
> If so, it would be a pain to need to revisit each box every year to change
> the PSK.
> How is channel coordination happening to minimize interference?
> How will you handle misbehaving devices DOSing the network while
> minimizing the impact to roommates?
> How are you steering clients to use 5GHz for better performance?
>
> There are reasons there are Enterprise wireless systems with enterprise
> encryption options.
>
> -Original Message-
> From: Michael Blaisdell [mailto:mblaisd...@francis.edu]
> Sent: Sunday, February 19, 2017 8:52 PM
> Subject: In room WIFI - second example
>
> I had posted to the group a few months ago about WAPs in each dorm room.
> I received a number of comments that were very insightful.  Most agreed
> that channel plan in the 2.4 would be next to impossible and the best plan
> would be to turn off maybe every other radio and turn back the power. As
> for 5.8 I believe we agreed that channel width should be a minimum because
> we are not going for speed, we are going for coverage.
>
> I am back at the table with another twist.  I have been testing MikroTik
> HAP AC lite boxes with 4 10/100 ports and both 2.4 and 5.8 radios.  I also
> have the box set up as a router for their room.  I think we can call it a
> DAN.  Dorm Area Network.  The students in the room share a common DHCP
> server and have NAT access to the campus LAN.  This allows the students to
> add devices in their rooms as they need to without affecting the network.
> The HAP also has two way firewall config so I can block all the ports and
> services I would normally but I can do it at the end point.  I guess the
> dorms are running like an individual household and I am the ISP.
>
> Each room has a unique SSID and authentication.
>
> This is just a test in a few locations at this point but it has worked
> great.
>
> I am looking for feedback like last time.   Please feel free to cut hard
> and deep if necessary.  Security issues could be my biggest issues.
>
> Thanks
>
>
>
> Michael Blaisdell
> Director of Network Services
> IT Services
> Learning Commons/Library
> Saint Francis University
> 117 Evergreen Drive
> Loretto, PA  15940
> 814-472-3242
> http://www.francis.edu
> The best way to predict the future is to invent it. Alan Kay
>

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Student Gaming behind NAT

2017-02-14 Thread Hunter Fuller
I'm interested in why you would separate it into a different VRF.

Anyway, we have gotten rid of NAT on Resnet and it is amazing. We are
piloting the same situation on wireless. Do it as soon as you can get away
with it. You will get fewer tickets. There is less info to chase down about
issues. Students will stop asking you how to change their NAT type because
it will always be Open. You will sleep better at night. You will find a $20
bill in a pair of pants you hadn't worn in a while. Etc.

Seriously, it's the best. Your firewall and ACLs will protect your
constituents, because that's what they're designed to do, y'know?


On Tue, Feb 14, 2017 at 10:52 AM Voelker, Andy 
wrote:

We’re having increasing problems with newer games operating on a 1:1 NAT in
our residence halls.  Some of these games have a dozen port entries per
platform (Xbox, PS4, PC) and after all that the games still aren’t acting
reliably.  We’re using a Palo Alto firewall, which carries application
signatures for SOME games, but not that many.  I’m finding myself spending
too much time on this, yet not able to dedicate enough to get to a good
solution.  I’m interested to hear how others are handling this (since I’m
new to operating this type of service).



Little background info:  We have a device SSID with a WPA2-PSK that dumps
onto the student network, which carries some network permissions but
relatively few.  A potential solution would be to stop NATing addresses,
provide public IPs to the device network, and segment them into an
off-campus-only VRF.  However, students are starting to interact with their
consoles using their PC’s and mobile devices, which would not work in this
model.  By this I mean screen-casting, live streaming, etc.  I suspect that
need will grow.  Also other “things” that use the device network like
Chromecast, Sonos, Google Home, WiFi lights, etc would be useless unless we
wrote firewall rules that allowed each and every one of these protocols.
Many of these rely on mDNS, DIAL, etc though.  Not easy.





I covet your thoughts.  Thanks in advance.

Andy Voelker

Network Administrator and IT Infrastructure Team Lead

Davidson College





Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Hunter Fuller
Are you sure you have no SAN? In my experience, it is almost impossible to
get a cert issued by one of the big issuers that has zero SANs. If you
request a single domain cert, you get a cert with one SAN, which is the
same as the domain you requested. (There is also, of course, a CN
containing that domain.) To see an example of this, you can look at
https://sso.uah.edu/ - we have a single-domain cert here, and then one SAN
that is the same as the CN: http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this
SAN to be there, but we had somehow gotten a cert issued without that SAN
present, and this was not acceptable. (I wish I remembered which Windows
version.)

I think this is only likely to trip people up if they ask for a cert with
CN "domain0" and SANs "domain1, domain2, domain3". Our issuer did not
provide one with that implicit "domain0" SAN, and that's what Windows
balked at. But of course that doesn't affect people who are requesting
single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) <
bosbo...@liberty.edu> wrote:

> We use SANs on our RADIUS certificate so we can use the same certificate
> for https on those servers.
>
> I agree with Tim, though. SANs are not needed and we have run our RADIUS
> certificate for several years on multiple servers without any SANs.
>
>
>
>
>
> *Bruce Osborne*
>
> *Senior Network Engineer*
>
> *Network Operations - Wireless*
>
>
>
>  *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
> *Sent:* Friday, February 3, 2017 4:46 PM
> *Subject:* Re: wild card certs and PEAP
>
>
>
> For an EAP server certificate, you do not need SANs for every server. You
> can do something generic like “network-login.domain.edu” and put that
> cert on every box.
>
>
>
> The SANs will never be referenced and will just add significant cost.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Hunter Fuller
> *Sent:* Friday, February 3, 2017 16:38
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] wild card certs and PEAP
>
>
>
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
>
>
>
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
>
> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
>
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>
>
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
>
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
>
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
>
>
> -Brian
>
>
>
>
>
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/discuss.
>
> --
>
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
Oh, whoops! I'm sorry, I should've mentioned this. We got the SANs because,
due to the way our certs are issued, there is no additional cost. Then we
use it for the web interface on the servers also.
The eduroam.uah.edu value is used as you describe. Technically that's the
only one you need. But it has to be a CN as well as a SAN for windows to
like it.

On Fri, Feb 3, 2017 at 15:45 Cappalli, Tim (Aruba) <t...@hpe.com> wrote:

> For an EAP server certificate, you do not need SANs for every server. You
> can do something generic like “network-login.domain.edu” and put that cert
> on every box.
>
>
>
> The SANs will never be referenced and will just add significant cost.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Hunter Fuller
> *Sent:* Friday, February 3, 2017 16:38
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] wild card certs and PEAP
>
>
>
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
>
>
>
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
>
> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
>
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>
>
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
>
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
>
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
>
>
> -Brian
>
>
>
>
>
>
> --
>
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
>
> --

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:

> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
>
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>
>
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
>
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
>
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
>
>
> -Brian
>
>
>
>
>
>
> --

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
We fought this for a while. A wild card will never work for Windows clients
as they require the common name to also be a service alt name. A wild card
won't meet this.

On Fri, Feb 3, 2017 at 14:32 Brian Helman <bhel...@salemstate.edu> wrote:

> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
>
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
>
>
> -Brian
>
>
>
>
>
> --

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
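
The naming rules the posters in this thread describe for a PEAP server certificate (one shared certificate, no wildcard, and the CN repeated as a SAN when SANs are used) can be checked before a certificate is bound on NPS. The PowerShell below is an added example, not code from any poster; the function names, the example.edu hostnames and the in-memory sample certificates are constructed for illustration.

```powershell
# Added example (not from the thread). Needs PowerShell 7+, or Windows
# PowerShell 5.1 on .NET Framework 4.7.2+, for CertificateRequest.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-DnsSan {
    # Returns the dNSName entries of the subjectAltName extension (OID 2.5.29.17).
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Assumption: Format() renders entries as "DNS Name=host" (English Windows)
    # or "DNS:host" (OpenSSL-backed platforms); other locales need another pattern.
    [regex]::Matches($ext.Format($false), '(?:DNS Name=|DNS:)\s*([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-EapServerCertificate {
    # Hypothetical helper: applies the naming rules discussed in the thread.
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # SimpleName is the subject CN when one is present.
    $cn   = $Certificate.GetNameInfo([X509NameType]::SimpleName, $false)
    $sans = @(Get-DnsSan -Certificate $Certificate)
    $eku  = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    $findings = @()
    if ($cn.Contains('*') -or ($sans | Where-Object { $_.Contains('*') })) {
        $findings += 'wildcard name: reported in the thread to fail on Windows 7/10 supplicants'
    }
    if ($sans.Count -gt 0 -and $sans -notcontains $cn) {
        $findings += 'SANs present but CN is not among them'
    }
    if ($ekuOids -notcontains $ServerAuthOid) {
        $findings += 'Server Authentication EKU missing (check added here, not raised in the thread)'
    }
    [pscustomobject]@{
        CommonName = $cn
        DnsSans    = $sans -join ', '
        Pass       = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

function New-SampleCertificate {
    # Builds a throwaway self-signed certificate in memory (constructed test input).
    param([Parameter(Mandatory)][string]$CommonName,
          [string[]]$DnsNames = @(),
          [switch]$ServerAuth)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$CommonName", $rsa,
               [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($DnsNames.Count -gt 0) {
        $builder = [SubjectAlternativeNameBuilder]::new()
        $DnsNames | ForEach-Object { $builder.AddDnsName($_) }
        $req.CertificateExtensions.Add($builder.Build($false))
    }
    if ($ServerAuth) {
        $oids = [OidCollection]::new()
        [void]$oids.Add([Oid]::new($ServerAuthOid))
        $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

# Constructed samples mirroring the layouts mentioned in the thread.
$samples = @(
    # Shared cert, CN repeated as a SAN plus per-server SANs.
    (New-SampleCertificate -CommonName 'eduroam.example.edu' `
        -DnsNames 'eduroam.example.edu', 'acs01.example.edu', 'acs02.example.edu' -ServerAuth),
    # Generic name on every box, no SANs at all.
    (New-SampleCertificate -CommonName 'network-login.example.edu' -ServerAuth),
    # Wildcard CN, as in the original question.
    (New-SampleCertificate -CommonName '*.example.edu' -ServerAuth),
    # SANs present but the CN is not one of them.
    (New-SampleCertificate -CommonName 'nps1.example.edu' -DnsNames 'nps2.example.edu' -ServerAuth)
)

$samples | ForEach-Object { Test-EapServerCertificate -Certificate $_ } | Format-List
```

On an NPS server the same function can be run over the machine store with `Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapServerCertificate -Certificate $_ }`.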




Re: [WIRELESS-LAN] XBox One Session Timeout

2017-01-19 Thread Hunter Fuller
Gotcha. We do not use this timeout setting in our current configuration.
Our Xboxes are moving to an open ESSID anyway. Sorry that answer is not
very helpful.

On Thu, Jan 19, 2017 at 10:23 Mccormick, Kevin <ke-mccorm...@wiu.edu> wrote:

> With Cisco the Session Timeout is to disassociate the device to cause new
> encryption keys to be generated. I believe the default is every 1800
> seconds or 30 minutes.
>
> The SSID they are using for streaming devices is secured using WPA2 PSK
> and MAC filtered.
>
>
>
> On Thu, Jan 19, 2017 at 10:18 AM, Hunter Fuller <hf0...@uah.edu> wrote:
>
> I haven't run into this.
>
> I'm curious what a "session timeout" is in this context. (Session with
> what?)
> Also, what is the wireless system involved? And how are you doing auth?
>
> On Thu, Jan 19, 2017 at 10:16 Mccormick, Kevin <ke-mccorm...@wiu.edu>
> wrote:
>
> I have received a complaint that an XBox One was disconnecting from
> wireless every 30 minutes.
>
> I increased the Session Timeout from 1800 to 3600 seconds and the customer
> said the disconnects are now every hour. Clearly the session timeout is
> part of the issue, but why the XBox One is not re-associating quickly. This
> is the only device out of several thousand students living in the dorms.
>
> I am wondering if anyone else has run into this issue with the XBox One.
> I was also considering increasing the session timeout and implementing a 30
> or 60 minute idle timeout. Has anyone done this for streaming SSIDs or have
> other suggestions?
>
> --
> Kevin McCormick
> Network Administrator
> University Technology - Western Illinois University
> ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b
> Connect with uTech: Website <http://www.wiu.edu/utech> | Facebook
> <https://www.facebook.com/uTechWIU> | Twitter
> <https://twitter.com/WIU_uTech>
>
> --
> Kevin McCormick
> Network Administrator
> University Technology - Western Illinois University
> ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b
> Connect with uTech: Website <http://www.wiu.edu/utech> | Facebook
> <https://www.facebook.com/uTechWIU> | Twitter
> <https://twitter.com/WIU_uTech>
>



Re: [WIRELESS-LAN] XBox One Session Timeout

2017-01-19 Thread Hunter Fuller
I haven't run into this.

I'm curious what a "session timeout" is in this context. (Session with
what?)
Also, what is the wireless system involved? And how are you doing auth?

On Thu, Jan 19, 2017 at 10:16 Mccormick, Kevin wrote:

> I have received a complaint that an XBox One was disconnecting from
> wireless every 30 minutes.
>
> I increased the Session Timeout from 1800 to 3600 seconds and the customer
> said the disconnects are now every hour. Clearly the session timeout is
> part of the issue, but why the XBox One is not re-associating quickly. This
> is the only device out of several thousand students living in the dorms.
>
> I am wondering if anyone else has run into this issue with the XBox One.
> I was also considering increasing the session timeout and implementing a 30
> or 60 minute idle timeout. Has anyone done this for streaming SSIDs or have
> other suggestions?
>
> --
> Kevin McCormick
> Network Administrator
> University Technology - Western Illinois University
> ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b
> Connect with uTech: Website | Facebook | Twitter
>



Re: [WIRELESS-LAN] Xbox 360 connection issues? - Aruba

2017-01-12 Thread Hunter Fuller
Danny - I agree, but I find it challenging to purchase microwaves, space
heaters, etc. Any advice?

On Thu, Jan 12, 2017 at 09:45 Danny Eaton wrote:

> I’ve always said – and will continue to say – if it has a power cord, then
> it should have an Ethernet cord, too.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Dan Lauing
> *Sent:* Thursday, January 12, 2017 8:41 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Xbox 360 connection issues? - Aruba
>
>
>
> For what it's worth, we no longer accommodate those particular xbox 360
> models (it's not all 360s). Also, we run Aerohive.
>
>
>
> I tell them to plug in and in dorms where we don't have ethernet, I
> suggest running through their laptops.
>
>
>
> On Thu, Jan 12, 2017 at 6:33 AM, Osborne, Bruce W (Network Operations) <
> bosbo...@liberty.edu> wrote:
>
> Hey, Jon!
>
>
>
> We saw an issue with the newer 360s & AP-225 where we needed to enable
> some lower data rates to get a reliable connection.  We had 12mbit minimum
> rates for 2.4GHz & 5GHz.
>
>
>
> We saw issues when we performed packet captures during attempts to
> associate. We had Aruba evaluate our issue on Case 1940381.
>
>
>
> It looks like we needed to permit 2.4 basic rate of 5.5 even though we do
> not transmit at that rate. Partial configs below (wmm information missing
> since that is network dependent).
>
>
>
> Not working:
>
>
>
> wlan ssid-profile "Liberty-Wireless"
>    essid "Liberty-Wireless"
>    a-basic-rates 12
>    a-tx-rates 12 18 24 36 48 54
>    g-basic-rates 5 12
>    g-tx-rates 12 18 24 36 48 54
>    g-beacon-rate 12
>    a-beacon-rate 12
>
> Working:
>
> wlan ssid-profile "Liberty-Wireless"
>    essid "Liberty-Wireless"
>    a-basic-rates 12
>    a-tx-rates 12 18 24 36 48 54
>    g-basic-rates 5 12   <-- Note the difference here
>    g-tx-rates 12 18 24 36 48 54
>    g-beacon-rate 12
>    a-beacon-rate 12
>
>
>
>
>
>
>
> *Bruce Osborne*
>
> *Senior Network Engineer*
>
> *Network Operations - Wireless*
>
>
>
>  *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Jonathan Waldrep [mailto:wald...@vt.edu]
> *Sent:* Wednesday, January 11, 2017 9:34 AM
> *Subject:* Re: Xbox 360 connection issues? - Aruba
>
>
>
>  We've seen where 1st gen 360s (with a USB wireless adapter) will not
> connect. The error message and research indicated that it will not connect
> if there is more than one BSSID to choose from. It is definitely one of the
> more absurd things I've run across.
>
>
>
>  We don't have any history with trying to connect to older models to know
> if this made any difference (we're using 225/224s and 215/214s in the
> residential halls). Newer 360s seem to connect just fine.
>
>
> --
>
> Jonathan Waldrep
>
> Network Engineer
>
> Network Infrastructure and Services
>
> Virginia Tech
>
>
>
> On Wed, Jan 11, 2017 at 9:26 AM, Williams, Jess 
> wrote:
>
> I'm reaching out to see if anyone has experienced issues with Xbox 360s
> not connecting to Aruba AP 215s or 225s?  There aren't any issues with the
> 360s connecting to AP 105s.
>
>
>
> Jess Williams
>
> University of Tennessee at Chattanooga
>
>
> --
>
>
>
> *dan b. lauing ii*
>
> *Wireless Network Administrator*
>
> *Mississippi College*



Re: [WIRELESS-LAN] High-Density Lecture Halls

2016-11-22 Thread Hunter Fuller
Echoing Lee - Your co channel issues are not surprising. Our 300 seat
lecture hall sees 500 clients during a typical class. We have two 2GHz
radios and four 5GHz radios active in this environment. Can you turn off /
remove some radios?

On Tue, Nov 22, 2016 at 09:35 Zoltan Toth wrote:

> Hello,
>
> Thanks for your response.
>
>
> We are currently running our Wi-Fi environment on HP 860 Wi-Fi Controller
> configured for high availability failover, with approx. 92 access points of
> the model HP 460 and 466 and 560 spread across the campus. The campus is
> separated into 3 floors with 3 high density areas namely lecture hall 1
> with a seating capacity of 250 with about 400 connections (10 model 560
> APs) and lecture hall 2 with a seating capacity of 197 (6 model 560 APs)
> and a general hall with seating capacity for 200 (4 model 466APs). We have
> a 10 GB backbone on all switches and a 500MB internet connection. We are
> running PRTG to monitor the bandwidth consumption at the backbone and
> internet level and do not see any bottlenecks.
>
>
> We have conducted a Wi-Fi survey and have their report which mentioned
> co-channel interference in the 2.4Ghz band. According to the survey the
> Wi-Fi signal coverage seems to be present in most of the campus areas.
>
> In order to minimize the co-channel interference, we have implemented the
> following:
>
> 1- Removed 40 Mhz and 80 MHz bandwidth modes and set everything to 20 Mhz.
> 2- Removed G on all our access points.
> 3- Implemented band steering.
> 4- We are now in the process of manually adjusting the 2.4 Ghz channels on
> each AP so the neighboring APs do not have the same channel. In some cases,
> we turn off the 2.4 Ghz completely.
>
>
> Would you please comment on the following?
>
> 1- With the current hardware that we have is it advisable to proceed on
> this route and configure the 2.4 Ghz manually?
> 2- Should we completely disable 2.4 Ghz support? Is it a norm for high
> density areas?
> 3- Should we look to change hardware/ or vendor in order to have a
> seamless environment. Should we just limit the change to the high density
> areas or should we just change it overall.
> 4- Is a single channel solution for the lecture halls advisable? Have you
> experienced a mix of single/multi-channel environment? How do they perform?
>
> Zoltan
> __
> Zoltan Toth - Manager, IT Infrastructure
> Canadian Memorial Chiropractic College
>
> On 2016-11-18, 11:11 AM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Lee H Badman"  on behalf of lhbad...@syr.edu> wrote:
>
> >Hi Zoltan,
> >
> >I'm assuming you're asking about wireless infrastructure and not client
> devices? If so, I would say it's more about proper design than any
> different technology.
> >
> >Also assuming that the lecture halls are in the mix with adjacent areas
> that also part of the overall WLAN environment, you're generally limited to
> what your current vendor (and code) support as opposed to trying to run
> islands of different technology from Vendor B in the middle of Vendor A
> WLAN.
> >
> >Which brings us back to design. In a perfect world, you'd have some sense
> of what type of client devices are likely to be in those rooms, how many
> active at a time, and what they might be doing. For modern APs, you might
> service 200-300 "people" with 2-3 APs with captive antennas spaced and
> oriented properly (depending on room layout), or you may need double that
> with extremely low power and directional antennas.
> >
> >So... the answer is "it depends", as with all things wireless.
> >
> >Regards-
> >
> >Lee
> >
> >Lee Badman | CWNE #200 | Network Architect
> >
> >Information Technology Services
> >206 Machinery Hall
> >120 Smith Drive
> >Syracuse, New York 13244
> >t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> >SYRACUSE UNIVERSITY
> >syr.edu
> >
> >
> >-Original Message-
> >From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Zoltan Toth
> >Sent: Friday, November 18, 2016 9:47 AM
> >To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >Subject: [WIRELESS-LAN] High-Density Lecture Halls
> >
> >What technologies do you use for high density areas like Lecture Halls
> for about 200-300 people?
> >
> >__
> >Zoltan Toth - Manager, IT Infrastructure
> >Canadian Memorial Chiropractic College
> >

Re: [WIRELESS-LAN] edroam as main 802.1x ssid

2016-11-11 Thread Hunter Fuller
We are moving in this direction. We will have eduroam and one wide-open
ESSID for connection instructions and non-dot1X devices.

On Thursday, November 10, 2016, Becker, Jason <jbec...@wustl.edu> wrote:

> We're getting ready to reduce the number of ssid that we have across
> Campus and one idea is to use eduroam as our main 802.1x secure ssid.  Is
> anyone else doing this and if so how is it going?
>
>
>
>
> Thanks,
>
> Jason

-- 

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Wireless to Wired Bridge

2016-09-16 Thread Hunter Fuller
I am using old Aironet 1131s for this. Convert them to autonomous and use
the 5GHz radio to associate. It is 802.11a, but this is fine for most
devices. If it needs higher bandwidth we urge the user to get a drop. (Our
residence halls have full wired coverage, so we are not running into this
issue there.)

On Fri, Sep 16, 2016 at 3:29 PM Robert Viou wrote:

> Cisco access points are capable of configuring as a Workgroup bridge.
> I am using a 702W AP as it has wired ports to give locations wired access
> when there are no wired ports available.
> First need to convert a capwap AP into an autonomous AP and set it up to
> connect as a client to another AP, can be a capwap AP or another autonomous
> AP.
> Only one of the radios can be in wireless bridge mode. I chose the 5GHz
> radio.
>
> Here is a doc to use EAP-TLS to authenticate the AP, not complete but it
> does outline most of it.
> Can also set it up using WPA2 preshared key.
>
> http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100864-wgb-eap-tls-cuwn.html
>
>
> http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/68472-configure-wgb-00.html
>
>
> AP(config)#eap profile EAP
> AP(config)#method ?
>   fast  EAP-FAST method allowed
>   gtc   EAP-GTC method allowed
>   leap  EAP-LEAP method allowed
>   md5   EAP-MD5 method allowed
>   mschapv2  EAP-MSCHAPV2 method allowed
>   peap  EAP-PEAP method allowed
>   tls   EAP-TLS method allowed
>
> Robert Viou
> NORTH DAKOTA STATE UNIVERSITY
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joachim Tingvold
> Sent: Thursday, September 15, 2016 9:21 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wireless to Wired Bridge
>
> On 15 Sep 2016, at 14:49, Adam Forsyth wrote:
> > Does anyone have a good wireless to wired bridge that they recommend
> > to students to purchase when they have a wired only device that they
> > wish they could connect in a wireless only residence hall?
>
> For wired-to-wireless, we’ve had great success with “HP 501 Wireless
> Client Bridge” [1][2]. It has 802.11ac and supports 802.1X (including
> EAP-TLS). It can also be powered via PoE, but since we usually connect it
> directly to wired devices, we usually just power it with the included PSU.
> Not relevant for your use case, but it also has RS232-to-IP, which is
> useful for technical and/or medical equipment.
>
> It’s a bit pricey, but totally worth it for our use case.
>
>
> [1] <http://www8.hp.com/us/en/products/networking-wireless/product-detail.html?oid=6372587>
> [2] <http://h20565.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=6604155=en_US=emr_na-c04035081>
>
> --
> Joachim
>



Re: [WIRELESS-LAN] Disabling LEDs on APs

2016-09-06 Thread Hunter Fuller
GT - I ran into this problem because I used my phone to troubleshoot multi
mode optical links, but then I got a phone with an IR filter on the rear
camera. I discovered that the front camera still does not have the IR
filter, at least on an iPhone 6S. Hope that helps.

On Tuesday, September 6, 2016, GT Hill <g...@gthill.com> wrote:

> Here’s an AWESOME idea (if I do say so myself). Vendors could put an
> infrared status light in their APs. Of course not visible to the naked eye
> BUT, if you get an older phone etc, it will see IR lights (many newer
> phones have IR filters). Point your phone camera to the IR source and
> you’ll see the blinking lights. Mic drop.
>
> GT
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Helzerman
> <jarh...@umich.edu>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Tuesday, September 6, 2016 at 10:13 AM
> To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Disabling LEDs on APs
>
> We disable all the LEDs in residence halls on our Cisco APs.  It hasn't
> caused us much of a problem troubleshooting, you have the ability to flash or
> turn on individual lights if needed in case you have to identify an AP.
>
> -Jimmy
> University of Michigan
>
> On Tue, Sep 6, 2016 at 10:03 AM, Julian Y Koh <kohs...@northwestern.edu> wrote:
>
>> On Tue Sep 06 2016 08:57:08 CDT, Lee H Badman <lhbad...@syr.edu> wrote:
>> >
>> > First-world problems… Curious if others have gone down this road in
>> Residence Halls. We’re not really being asked to, but are considering
>> wholesale disabling LEDs on our Cisco APs in the dorms as a quality of life
>> step. Has this caused anyone any pain when it comes to not being able to
>> see the colors on the AP as status indication? Have you actually had
>> requests to disable the LEDs? Overall experience with accommodating or
>> denying the request?
>> >
>>
>> I can't remember the exact sequence of how all the conversations went,
>> but when we did a redesign to start moving the APs into the residence hall
>> rooms, we turned off the lights on those units.  I think we got a couple of
>> reports where residents were wondering if the APs were working, but overall
>> not a big deal.
>>
>>
>> --
>> Julian Y. Koh
>> Associate Director, Telecommunications and Network Services
>> Northwestern Information Technology
>>
>> 2001 Sheridan Road #G-166
>> Evanston, IL 60208
>> +1-847-467-5780
>> Northwestern IT Web Site: <http://www.it.northwestern.edu/>
>> PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>
>
> --
> James Helzerman
> Wireless Network Engineer
> University of Michigan - ITS Communications Systems and Data Centers
> Phone: 734-615-9541

-- 

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Do you have POE everywhere?

2016-08-31 Thread Hunter Fuller
As of 2012, every AP on campus was plugged into a PoE port. As of 2016,
every port on campus is a PoE port, not just on the switches that have APs
plugged in.

On Wednesday, August 31, 2016, Todd M. Hall <t...@msstate.edu> wrote:

> Do you have POE in every location or are there some small locations that
> still use injectors?
>
> If you have some injectors left, I have a few questions.
>
> 1.  How reliable are they?
> 2.  Are your injectors made by your wireless vendor?
> 3.  Do you have a way to monitor how often your APs reboot?
>
> The reason I'm asking is that I just discovered that we have some APs that
> are rebooting frequently and they are all in locations that still have
> injectors.  I expanded some home-grown code and started graphing AP uptime
> as well as lwapp/capwap uptime. (Found issues with lwapp/capwap uptime in a
> few locations as well)
>
>
> --
> Todd M. Hall
> Sr. Network Analyst
> Information Technology Services
> Mississippi State University
> t...@msstate.edu
> 662-325-9311 (phone)
>


-- 

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] New Universal Cisco APs being shipped

2016-06-09 Thread Hunter Fuller
What in the world? Is there no way to push it from the controller?

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Thu, Jun 9, 2016 at 2:42 PM, Becker, Jason <jbec...@wustl.edu> wrote:
> I just deployed 60 of the AIR-AP3702I-UXK9’s in a new building.  The new
> universal AP being shipped do not work right out of the box.  They connect
> back to the controller but are not working because it does not know its
> country of origin.
>
> You’ll need to download an app to your smartphone to configure the AP and
> then as long as this AP is in the same air space it will push the config out
> to the other universal Aps.  Also the smartphone needs to connect to a
> secure network off of this AP.  On this network the WLAN has a option of
> Universal AP Admin Support under the advanced tab that needs to be checked.
>
>
> Here are some good links…
> https://www.youtube.com/watch?v=hAUxWsvEO5M
> https://www.cisco.com/c/en/us/td/docs/wireless/access_point/ux-ap/guide/uxap-mobapp-g.html
>
>
>
>
> --
> Thanks,
> Jason Becker
> Network Systems Engineer
> Washington University in St. Louis
> jbec...@wustl.edu
> 314-935-5006


Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Hunter Fuller
We are looking at giving users the option to use a wide-open ESSID for
their Xboxes. The user would register the MAC, and we would put them
into a wide-open-inbound area with public addresses, for the best
experience. But we would limit some outgoing stuff (Google, our LMS,
etc.) to try to nudge people toward eduroam (our 802.1X solution).
None of this is in production but it's the direction I think we are
leaning when we discontinue our legacy PSK ESSIDs.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen
<curtis.k.lar...@utah.edu> wrote:
> Hello,
>
> We're looking at a default deny inbound and possibly opening ports as 
> required later on the guest wireless network.  If you have already done this 
> I am curious to know what you and your user community defined as being 
> required on the guest network.
>
> I think primary drivers might include devices that are not capable of 
> WPA2-Enterprise *and* needing to run a service.  Google cloud printers come 
> to mind, someone also mentioned multi-player Xbox?  Do you have other 
> examples or use cases for allowing services like http/https from the internet 
> to your guest wireless network?  If so, please share.
>
> Thanks,
>
> Curtis


Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

2016-04-07 Thread Hunter Fuller
On Thu, Apr 7, 2016 at 7:31 AM, Chris Adams (IT) <chris.ad...@ung.edu> wrote:
> PS: I’m sure some of the Xirrus guys are chuckling at this conversation as
> Xirrus has been well known for having large SDR arrays for many years now :)

I'm sure. :) One of our highest density areas has a couple of 8-radio
Xirrus units to serve a room of 250 students. We are running 2x2GHz
radios, 5x5GHz radios, and 1 monitor mode radio in these units. The
performance is great and we typically see a lot of 5GHz clients when
the room is "fully loaded." I have attached an example.

This is definitely in contrast with what we see generally on campus,
as people move all around all the time, we see closer to 50/50, or
maybe 40/60 toward 5GHz.

As far as 5GHz radios in close proximity within the same unit - I
don't worry about it much. We generally just let auto channel take
care of it and we seem to be fine.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] Who wifi vendors does everyone use?

2016-03-30 Thread Hunter Fuller
We are a mixed Cisco and Xirrus shop.
Jason, you may be glad to know that, in new XMS and AOS releases,
Xirrus has moved from saying "IAP" to saying "radio" like everyone
else on the planet always has. :)

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Wed, Mar 30, 2016 at 1:48 PM, Trinklein, Jason R <trinkle...@cofc.edu> wrote:
> The College of Charleston runs Xirrus with 700 “Arrays” and nearly 4,000
> “IAPs”.
> --
> Jason Trinklein
> Wireless Engineering Manager
> College of Charleston
> 81 St. Philip Street | Office 311D | Charleston, SC 29403
> trinkle...@cofc.edu | Office - (843) 300-8009
>
> From: "Schuette, David" <schue...@msudenver.edu>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Wed, 30 Mar 2016 15:08:04 +
> To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] Who wifi vendors does everyone use?
>
> MSU Denver is an Aerohive shop
>
>
>
> Sent from my Verizon Wireless 4G LTE smartphone


Re: [WIRELESS-LAN] Interesting Wireless Client Device- Has Anyone Had to Support This One Yet?

2016-01-25 Thread Hunter Fuller
We had one of those on campus for a couple of days. We whitelisted it
by MAC address (no dot1X at the time, so it used one of our PSK
networks) and it used our existing infrastructure with no issues. We
are a Cisco shop.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Mon, Jan 25, 2016 at 12:03 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> https://suitabletech.com/beam-plus/
>
> Manual is attached (if it makes it through). Wondering your experiences.
>
> -Lee
>
>


Re: [WIRELESS-LAN] Interesting Wireless Client Device- Has Anyone Had to Support This One Yet?

2016-01-25 Thread Hunter Fuller
The device was behind a *one-to-one* NAT... not a many-to-one
("PAT"/"IP masquerading").

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Mon, Jan 25, 2016 at 12:12 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> Thanks, Hunter.
>
> We're going to be behind a NAT- is that how you ran?
>
> -Lee
>
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Monday, January 25, 2016 1:07 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Interesting Wireless Client Device- Has Anyone 
> Had to Support This One Yet?
>
> We had one of those on campus for a couple of days. We whitelisted it
> by MAC address (no dot1X at the time, so it used one of our PSK
> networks) and it used our existing infrastructure with no issues. We
> are a Cisco shop.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
>
> On Mon, Jan 25, 2016 at 12:03 PM, Lee H Badman <lhbad...@syr.edu> wrote:
>> https://suitabletech.com/beam-plus/
>>
>> Manual is attached (if it makes it through). Wondering your experiences.
>>
>> -Lee
>>
>>


Re: [WIRELESS-LAN] Cisco Small Cell Solution

2015-11-17 Thread Hunter Fuller
For what it's worth - my Nexus 4's battery life *improved* with Wi-Fi
turned on. I assume this was due to reduced activity on the HSDPA radio.


--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

On Tue, Nov 17, 2015 at 12:55 PM, Frans Panken <frans.pan...@surfnet.nl>
wrote:

> I agree with Jeremy. For an operator, small cell may mean WiFi or usage of
> high frequencies (e.g., LTE on 2,6Ghz band) in dense city areas. WiFi
> calling is not restricted to the iphone6 that has it built-in (does not
> require an app but only 5% of the people own one); it is also offered by
> apps (e.g. SpectrumMax) that allow users to be reached by their phone
> number while they are connected to WiFi. They probably target prepaid
> users. The challenge is battery. If these apps demand WiFi to be active all
> the time to be reachable, the day may end earlier than the battery of your
> phone lasts.
> -Frans
>
> On 17/11/15 at 17:49, Jeremy Gibbs wrote:
>
> I believe WiFi calling will be the future and these "small cell" systems
> will be phased out.  I know a network engineer at AT&T and they are really
> pushing the WiFi calling for these situations.
>
>
>
>
> On Tue, Nov 17, 2015 at 11:28 AM, Smith, Todd <todd.sm...@camc.org> wrote:
>
>> Hello,
>>
>> I know that there are many Cisco wireless networks on this list and I
>> wanted to see if anyone is using the Small Cell Solution with their
>> existing Cisco wireless network.  Here at the Charleston Area Medical
>> Center, we are an Extreme shop and have been happy with it for years, but
>> increasing cellular issues and outright refusal of wireless carriers to
>> participate in a DAS has left us few choices.
>>
>> One partial solution was discussed on the list, a couple of weeks ago
>> under the topic of Wi-Fi Calling.  This is another approach which is
>> to possibly replace our existing wireless network with a combined
>> Wi-Fi/Cellular system.  I am asking the list if anyone is currently running
>> such a solution and how it works for them, both the good and the bad.
>>
>> I will summarize for the list if respondents want to remain anonymous,
>> but I am looking to try to get some honest feedback on what will probably
>> be a difficult install.  Even if it works perfectly, none of my network
>> management solutions and purchase/service agreements will work and it would
>> all be brand new.  Brand new is not a show-stopper but it is also not
>> trivial either.
>>
>> Todd
>>
>>
>>



Re: [WIRELESS-LAN] How to handle Wi-Fi Calling?

2015-10-16 Thread Hunter Fuller
This thread prompted me to take a look at my phone's Wi-Fi calling
settings. (I have T-Mobile.) It also asked me for an E911 address.

This terrifies me.

What are the chances that I will be calling 911 from home, as compared to
some other random place where I might have Wi-Fi?...



--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

On Fri, Oct 16, 2015 at 2:50 PM, Smith, Todd <todd.sm...@camc.org> wrote:

> Christopher,
>
> Those are some great answers and I appreciate the input!
>
> 1) Has the call drop percentage improved as the service is maturing?
> 2) 65Kbps is much better than I was expecting, so that is good.  Do you
> notice many spikes in bandwidth as the call is in progress?
> 3) Do you have a splash page or captive portal on your open wireless?
> Does that interfere with AT&T Wi-Fi calling in your experience?
> 4) I agree that E911 is going to be a serious issue.  On AT&T Wi-Fi
> calling FAQ, the user has to specify a location that they would normally be
> using Wi-Fi Calling for E911 purposes.  It is also going to try to get
> location information from the Wi-Fi networks to locate the call, but it
> will default back to stored location as a last result.
>
> Thanks
>
> Todd
>
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Howard, Christopher [
> christopher-how...@utc.edu]
> Sent: Friday, October 16, 2015 3:34 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] How to handle Wi-Fi Calling?
>
>
> I'm honestly not surprised to hear that they are going to push wifi
> calling and nothing else.  They want to drop all cellular service other
> than data, long term, in my opinion.
>
>
> I have AT&T myself, and ran the iOS 9 beta from the beginning, which got
> me early access to AT&T wifi calling.  Needless to say, it has not been a
> pleasant experience.  Calls drop all the time.
>
>
> For our wireless we have not had to do anything.  Calls just work without
> opening inbound ports (we don't limit much going outbound).  My calls run
> about 65kbps.
>
>
> The pain point is something you've already mentioned - roaming.  If at any
> time you roam from wifi to cell and there is no VoLTE service in your area,
> the call dies.  We apparently don't have VoLTE in Chattanooga, TN.  If I
> stay in my office I can usually hold a call, and roaming from AP to AP is
> sometimes ok.  Sometimes the roam between APs is enough to drop the call.
> I've also noticed that if I get more than 2 cell bars, the phone will want
> to go off of wifi calling on its own.  Even at home where I only have 1 AP
> and can be sitting 15 feet from it, I'll drop calls because my phone
> decided to roam back to cell during a live call.
>
>
> To directly answer your questions:
> 1. I don't plan on doing anything special.  We have enough free bandwidth
> to handle a large number of 65kbps calls.
> 2. Mine have been 65kbps or there about.
> 3. We run both frequencies, but my phone tends to stay 5ghz.  I don't
> think we would change anything to support wifi calling.
> 4. I'm not sure how we will get this across other than to let our helpdesk
> know what to tell people when they call in about it.  We'll be looking into
> this more I'm sure.
> 5. I'm a little surprised that carriers are being allowed to run calls
> over end user networks.  911 is a big deal, and if our wifi is up enough
> that the phone can do wifi calling, but there are issues going on to
> prevent calls, who gets blamed here?  In an emergency, it's too much to
> troubleshoot what's going on and figure out that you have to cut off your
> wireless to get a call through.  As far as I know, there's nothing we have
> to do in terms of uptime or anything.
>
> -Christopher
>



Re: [WIRELESS-LAN] Any familiarity with WT-BAC-IP Gateway in high-density wi-fi environment

2015-09-03 Thread Hunter Fuller
1,7,13 are the correct channels in other countries where the channels go up
to 14. We only get 11 of them in these parts. :)

-- 
Hunter Fuller
OIT

Sent from my phone.
On Sep 3, 2015 7:17 AM, "Gogan, James Patrick" <go...@email.unc.edu> wrote:

> Does anyone have any experience with the attached devices (utilizes an
> 802.15.4 mesh -- of course, it uses the 2.4GHz spectrum --- why wouldn't it
> use the 2.4GHz spectrum  geez …..) in an environment with a full wi-fi
> deployment (and a lot of devices that still use 802.11g)?
>
>
>
> I have little confidence that the vendor knows whereof they speak when
> they say things like:  "Wi-Fi 802.11b & g have three primary
> non-overlapping channels of operation (802.11 ch: 1, 7, 13)." 7 and
> 13?   really???
>
>
>
> -- Jim Gogan / ITS / University of North Carolina at Chapel Hill



Re: [WIRELESS-LAN] Lab Computers and wireless

2015-09-01 Thread Hunter Fuller
We are currently testing this with Active Directory fronted by
freeradius. There is a single ESSID. User logs in to the 802.1X
prompt, freeradius authenticates the user, then connects via LDAP to
the AD and looks at group membership. This determines the VLAN
override ID that is sent to our wireless controller.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Tue, Sep 1, 2015 at 3:22 PM, Paul Crittenden
<paul.critten...@simpson.edu> wrote:
> We are predominately a Meru shop. We have a staff and a student SSID and a 
> Windows Radius server for authentication.  To complicate this we have lab 
> laptops which both students and staff need to be able to log into. Currently 
> we have no way to prevent students from connecting to our staff wireless and 
> staff to student and still allow both students and staff to connect to lab 
> laptops.
>
> We have been charged to find out how other institutions are handling this and 
> what best practices they are using for this situation.
>
> Thanks in advance for any insight you may be able to offer.
>
>
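
The lookup described in the message above (authenticate, read AD group membership, return a VLAN override), as an added example that is not part of the original post and is not UAH's configuration. The group names, base DN, VLAN IDs and fallback VLAN are constructed, and it assumes the controller accepts the standard RFC 3580 tunnel attributes for the override.

```python
# Added illustration: maps AD group membership to the VLAN override returned
# after a successful 802.1X login. Group names, base DN and VLAN IDs are
# constructed for this example; they are not from the original post.

# Only groups directly under this container count for network policy, so a
# same-named group created elsewhere in the directory cannot grant a VLAN.
TRUSTED_GROUP_BASE = "ou=network,dc=example,dc=edu"

# Highest priority first: a user in several groups gets the first match.
VLAN_POLICY = [
    ("net-staff", 20),
    ("net-students", 30),
]

# Authenticated users with no matching group get a restricted VLAN rather
# than whatever the WLAN's default interface happens to be.
FALLBACK_VLAN = 999


def split_first_rdn(dn):
    """Split a DN into (first RDN, remainder), honouring backslash-escaped commas.

    Hex escapes are left undecoded, which is enough for matching the plain
    group names used here.
    """
    escaped = False
    for i, ch in enumerate(dn):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            return dn[:i], dn[i + 1:]
    return dn, ""


def trusted_group_cn(dn):
    """Return the lower-cased CN if the group sits under the trusted base, else None."""
    rdn, parent = split_first_rdn(dn.strip())
    key, sep, value = rdn.partition("=")
    if not sep or key.strip().lower() != "cn":
        return None
    # AD compares DNs case-insensitively; also normalise spacing after commas.
    parent_norm = ",".join(part.strip().lower() for part in parent.split(","))
    if parent_norm != TRUSTED_GROUP_BASE:
        return None
    return value.strip().lower()


def vlan_for(member_of):
    """Pick the VLAN from a user's memberOf DNs, failing closed to FALLBACK_VLAN.

    memberOf lists direct memberships only, so nested groups need their own
    lookup before this function is called.
    """
    cns = {trusted_group_cn(dn) for dn in member_of}
    for group, vlan in VLAN_POLICY:
        if group in cns:
            return vlan
    return FALLBACK_VLAN


def reply_attributes(member_of):
    """RADIUS reply attributes for dynamic VLAN assignment (RFC 3580 usage)."""
    return {
        "Tunnel-Type": "VLAN",             # numeric value 13
        "Tunnel-Medium-Type": "IEEE-802",  # numeric value 6
        "Tunnel-Private-Group-Id": str(vlan_for(member_of)),
    }


# Constructed sample directory results: memberOf values per test user.
SAMPLE_USERS = {
    "staff_and_student": [
        "CN=net-students,OU=Network,DC=example,DC=edu",
        "CN=net-staff, OU=Network, DC=example, DC=edu",
    ],
    "student_only": [
        "CN=Net-Students,OU=Network,DC=example,DC=edu",
        "CN=Chess Club,OU=Clubs,DC=example,DC=edu",
    ],
    # Same CN as the staff group, but outside the trusted container.
    "lookalike_group": ["CN=net-staff,OU=Clubs,DC=example,DC=edu"],
    # Group whose name contains an escaped comma to mimic the trusted path.
    "escaped_comma": ["CN=net-staff\\,OU=Network,DC=example,DC=edu"],
    "no_groups": [],
}

if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(user, reply_attributes(groups))
```
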


Re: [WIRELESS-LAN] WiFi Service Level Agreement

2015-08-26 Thread Hunter Fuller
in residential areas, I could see potential problems with students'
APs overrunning the institution's APs. But I haven't seen that level
of disruption from the occasional rogue in an academic or
administrative area.

If we spec a room for putting 50 students in it, I feel pretty
confident that we can shrug off a handful of rogue APs in that same
space. We will take a small performance hit - but I haven't witnessed
this causing an actual denial of service to any of our customers.

Of course I can't speak for everyone, and I don't know that I would
lay out an SLA saying wireless will be up 99.999% of the time or
anything, but it just doesn't seem as fragile as one might think
initially. Maybe it's 5GHz, maybe it's our more recent high density
deployments, maybe it's Maybelline. I don't know. I do have a high
level of confidence in it these days though, based upon what I see.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Wed, Aug 26, 2015 at 9:18 AM, Thomas Carter
<tcar...@austincollege.edu> wrote:
> I do not have the same confidence in wireless as I do wired. There is no
> control over the airwaves like there is over physical cabling, and some
> interference cannot be dealt with (like visitor's mobile hotspots).
>
> Thomas Carter
> Network and Operations Manager
> Austin College
> 903-813-2564
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Tuesday, August 25, 2015 5:40 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WiFi Service Level Agreement
>
> On Tue, Aug 25, 2015 at 11:10 AM, Chuck Enfield <chu...@psu.edu> wrote:
>> If so, why would we focus on saying, wireless might not work.
>> It's not helpful to us or our users.  A much more constructive
>> approach would be to tell faculty to plan for when wireless doesn't
>> work - to have a back-up plan for that iPad app, to download the
>> PowerPoint presentation before class begins instead of during class,
>> to plug into a wired connection if that's an option, etc..
>
> The way I read this, it seems to imply a lack of confidence in the service.
> Since our wireless and wired infrastructures are separate to some degree,
> it's possible that a wireless connection would not work - but it's just as
> likely that a wired drop would not work, too.
> Therefore, I'd estimate that I am equally confident in both services.
>
> Maybe if it was phrased differently, like make sure to test wired and
> wireless ahead of time, in case one fails - but I see wireless and wired as
> equals.
>
> Just my two cents.



Re: [WIRELESS-LAN] WiFi Service Level Agreement

2015-08-25 Thread Hunter Fuller
On Tue, Aug 25, 2015 at 11:10 AM, Chuck Enfield <chu...@psu.edu> wrote:
> If so, why would we focus on saying, wireless might not work.
> It's not helpful to us or our users.  A much more constructive approach
> would be to tell faculty to plan for when wireless doesn't work - to have
> a back-up plan for that iPad app, to download the PowerPoint presentation
> before class begins instead of during class, to plug into a wired
> connection if that's an option, etc..

The way I read this, it seems to imply a lack of confidence in the
service. Since our wireless and wired infrastructures are separate to
some degree, it's possible that a wireless connection would not work -
but it's just as likely that a wired drop would not work, too.
Therefore, I'd estimate that I am equally confident in both services.

Maybe if it was phrased differently, like make sure to test wired and
wireless ahead of time, in case one fails - but I see wireless and
wired as equals.

Just my two cents.



Re: [WIRELESS-LAN] Exclusive 2.4 Ghz and 5 Ghz SSIDs

2015-08-12 Thread Hunter Fuller
In some areas of campus I have enabled a sort of band-steering. Our
multi-radio Xirrus units will attempt to load balance across their 8
radios.  I am running 2x2GHz radios, 5x5GHz radios, and 1 radio in
monitor mode. When I turn this setting on, the AP will attempt to
steer the client away from highly-utilized radios and toward
underutilized ones. When I turned this on, those units moved from
almost entirely 2GHz clients to having approximately half and half
2GHz and 5GHz.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Wed, Aug 12, 2015 at 6:39 PM, Jeremy Gibbs <jlgi...@utica.edu> wrote:
> Does anyone employ band-steering?  When we enabled it, we saw a massive jump
> of users connecting at 5ghz. Obviously if the client doesn't support 5ghz or
> it just prefers 2.4 because of various factors it can stay on 2.4. I have
> only seen it improve throughput for everyone. Any opinions on this?  We are
> an extreme network shop, but our wireless is the enterasys (chantry)
> solution with new 3825i 3x3.
>
>
> On Wednesday, August 12, 2015, Jeffrey D. Sessler <j...@scrippscollege.edu>
> wrote:
>
>> Single SSID – anything else just adds confusion for the end-user. Then
>> again, I recently visited a spot where they had a different SSID for
>> every building. :)
>>
>> Thinking more about this…
>>
>> If residence halls (academic buildings too) are well designed around 5 GHz
>> and use in-room AP placement, the issues with 2.4 tend to melt away (or you
>> can ignore them), with clients only falling back to 2.4 when they transition
>> outside of a building.
>>
>> If you’re a Cisco shop (I assume Aruba has something similar), their
>> automatic RRM (radio resource management) and TPC (Transmit Power Control)
>> tend to result in very tiny cells where there is a lot of 2.4 radios talking
>> (which is a good thing - tiny cells).  Of course, this can be really
>> problematic if the AP layout design is not-optimal such as in a typically
>> budget-driven “down the center of the hallway” methods of deployment where
>> adjacent AP’s tend to have clear line-of-sight of each other. In cases such
>> as these, the reduction in radio output to reduce AP channel overlap can
>> result in client connection troubles i.e. The clients are probably behind
>> fire–proof metal clad doors, brick walls, etc. Coupled with coverage hole
>> detection (where AP power is increased for client connectivity), you now
>> have an environment that’s in constant chaos, where someone has to do a lot
>> of manual adjusting of AP radios or disable the auto-adjusting.
>>
>> On the other hand, if AP layout is optimal where you’re deploying AP’s
>> in-room, lower on the wall, avoiding line-of-sight, etc. then you get the
>> benefit of the room’s construction (doors, floors, walls, what inside the
>> walls, bed, desks, etc.). All of which help promote small cell isolation and
>> reduce the number of adjacent neighbor AP’s you’ll see, resulting in less
>> 2.4 GHz channel overlap.
>>
>> Now then, the same issues can crop up in 5 GHz, but it doesn’t propagate
>> as far, so if you're using the in-room deployment method, it’s likely not as
>> big of an issue even in dense deployments. That said, if you do have dense 5
>> GHz deployments, Cisco’s 8.1 code introduces 5 GHz dynamic channel-width
>> allocation, somewhat eliminating the issue by dynamically moving between 20,
>> 40, and 80 MHz channels.
>>
>> In my opinion, 2.4 GHz is slowly marching to its demise, and I’m focusing
>> all of my attention on 5 GHz. We have the luxury of a robust Mac
>> population (~80% of the students), and Apple laptops and desktops have long
>> since had access to 5GHz, so I’m not sure how much effort should be put into
>> maintaining 2.4 if it’s ultimately only being used by old phones, devices
>> that move little data, or have alternative data paths such as cellular, why
>> expend a lot of effort on it?
>>
>> Jeff
>>
>>
>>
>> From: wireless-lan@listserv.educause.edu on behalf of Stephen Oglesby
>> Reply-To: wireless-lan@listserv.educause.edu
>> Date: Wednesday, August 12, 2015 at 9:41 AM
>> To: wireless-lan@listserv.educause.edu
>> Subject: Re: [WIRELESS-LAN] Exclusive 2.4 Ghz and 5 Ghz SSIDs
>>
>> Paul,
>>
>> We're an Aruba shop and, as Bruce of Liberty mentioned, for dense
>> deployments we turn 2.4 ghz radios off on every other AP (typically edge of
>> building APs). Our main performance issues were due to interference and
>> channel utilization on the 2.4 ghz spectrum. We attempted reducing 2.4 ghz
>> (20 mhz channel)  transmit power but still had issues.
>>
>> I also agree with keeping to the simplicity of a single SSID if at all
>> possible.  I can't imagine the number of issues that would be reported to me
>> simply because the user exited the ideal range for 5ghz spectrum. Our
>> student and staff networks support a wide range of client wireless cards,
>> antenna configurations, and spectrum

Re: [WIRELESS-LAN] PoE Issue, Cisco Switches- Let's Poll The Audience!

2015-08-11 Thread Hunter Fuller
I haven't seen something exactly like this before, but one time,
clear int gig0/1 (or whatever) solved a power issue on a 3560G PoE
with an oddball camera. Your mileage may vary.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Tue, Aug 11, 2015 at 10:47 AM, Lee H Badman lhbad...@syr.edu wrote:
 We’re also going through TAC on this, but I’d like to see if anyone else is
 seeing similar in their Cisco switching environment and might have
 perspective to share.

 We have an odd, seemingly spontaneous condition where  PoE stops working on
 a port or two, with only switch reboot bringing it back. Most recent switch:
 WS-C3560X-48 on 15.0(2)SE7.

 Problem/discovery flow:

 - One AP out of several on switch goes down
 - Access switch, “show power inline” shows problem AP port has lost its PoE
   detection signature and is only showing IEEE PD
 - All other AP ports are fine
 - For problem port, remove PoE (Power Inline Never) then restore PoE (Power
   Inline Auto)- Port now dead, will not come back - also do shut/no shut, makes
   no difference to condition
 - No error disable on port. No obvious reason for switch being out.
 - Show environment/post commands reveal no issues with switch power or power
   controller
 - Only a reboot restores PoE to problem port


 Seeing the same sort of condition on PoE camera ports as well- seems very
 much to be a pure switch issue, nothing to do with AP version/model in this
 case.

 Does this ring familiar for anyone?

 Regards,

 Lee Badman




 ** Participation and subscription information for this EDUCAUSE
 Constituent Group discussion list can be found at
 http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Outdoor PoE

2015-08-07 Thread Hunter Fuller
Jeez, we need to get this.

One time, a lightning strike hit a piece of PoE equipment connected to
an access layer switch, which was connected to another switch via
copper... popped the GBIC in the uplink port, then two SFPs in the
next-hop switch, traversed a stack cable, went to two MORE switches
and popped THEIR SFPs... somehow we didn't lose any switches though!

http://i.imgur.com/iFRVRat.jpg


--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Thu, Aug 6, 2015 at 8:24 AM, Hector J Rios hr...@lsu.edu wrote:
 For those doing outdoor wireless, here are two products we have purchased
 that we have found very useful:





 Microsemi Outdoor PoE Surge Protector PD-OUT/SP11

 http://www.newegg.com/Product/Product.aspx?Item=17B-00A5-1nm_mc=KNC-GoogleAdwords-PCcm_mmc=KNC-GoogleAdwords-PC-_-pla-_-Surveillance+Accessories-_-17B-00A5-1gclid=CIOKgobGlMcCFQmNaQodJ_0C0Qgclsrc=aw.ds





 Microsemi PowerDsine 9001GO - PoE injector - 30 Watt

 http://www.cdw.com/shop/products/Microsemi-PowerDsine-9001GO-PoE-injector-30-Watt/2578417.aspx?cm_cat=GoogleBasecm_ite=2578417cm_pla=NA-NA-PWD_NEcm_ven=ShoppingFeedsef_id=VLgjcQAABAHVQD8U:20150806132234:sgclid=CKyxxczGlMcCFQgtaQodCO8PhQ





 Regards,



 Hector Rios

 Louisiana State University





Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-21 Thread Hunter Fuller
Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
jandrewar...@ccgs.wa.edu.au wrote:
 Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
 you share PSKs with your Facebook and Skype friends, although they don't get
 to see it. The only way to opt-out as a network operator is to include
 _optout in the SSID, or use 802.1x.


 Given you can run netsh wlan show profile name=SSID key=clear I wonder how
 it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
 each user their own individual PSKs per-device.


 http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/


 --

 James Andrewartha
 Network  Projects Engineer
 Christ Church Grammar School
 Claremont, Western Australia
 Ph. (08) 9442 1757
 Mob. 0424 160 877


Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-21 Thread Hunter Fuller
Our student/faculty/staff network keys are not for authorization;
however, we have some one-off event networks and such with PSKs that
we would rather not be publicly known as soon as we set them. I just
hope we can move to dot1x/guest accounts for those purposes fast
enough to avoid this.

We are planning on doing dot1x over wired and wireless connections, so
that will be our solution that will work in both places.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 3:48 PM, Joel Coehoorn jcoeho...@york.edu wrote:
 I don't know. It seems like encryption and authorization are really two
 different things that wifi networks have historically conflated.

 For our network, I'd really like a better user-friendly (ie, not .1x) option
 that provides good encryption, but assumes you are authorized by default.
 Any authorization or policy enforcement should take place at a different
 level, so it can include wired connections, too.

 I haven't looked at the implementation details, but if done correctly, this
 has the potential to solve an issue with large PSK networks, such that I
 could use a Win10 machine to seed the key, without the normal weakness that
 anyone who knows the key can decrypt anyone else's traffic.

 Of course, the devil is in the details, and I found it unlikely that the key
 sharing mechanism will be adequately secure, or even if it is, that enough
 device types will support this fast enough to make it a reasonable option.
 
 From: Hunter Fuller
 Sent: ‎6/‎21/‎2015 3:08 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

 Totally unacceptable.

 It's like MS missed one of the main points of PSKs (as opposed to
 non-encrypted networks) - to keep people out.

 --
 Hunter Fuller
 Network Engineer
 VBRH M-9B
 +1 256 824 5331

 Office of Information Technology
 The University of Alabama in Huntsville
 Systems and Infrastructure

 I am part of the UAH Safe Zone LGBTQIA support network:
 http://www.uah.edu/student-affairs/safe-zone


 On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
 jandrewar...@ccgs.wa.edu.au wrote:
 Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that
 lets
 you share PSKs with your Facebook and Skype friends, although they don't
 get
 to see it. The only way to opt-out as a network operator is to include
 _optout in the SSID, or use 802.1x.


 Given you can run netsh wlan show profile name=SSID key=clear I wonder
 how
 it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which
 give
 each user their own individual PSKs per-device.



 http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/


 --

 James Andrewartha
 Network  Projects Engineer
 Christ Church Grammar School
 Claremont, Western Australia
 Ph. (08) 9442 1757
 Mob. 0424 160 877


Re: [WIRELESS-LAN] FW: [WIRELESS-LAN] Outdoor APs

2015-05-18 Thread Hunter Fuller
On Tue, May 12, 2015 at 12:54 PM, Howard, Christopher 
christopher-how...@utc.edu wrote:

  3. They didn't want to run cable from the lights back to our network and
 instead wanted to use EPB (our local ISP) fiber to just give them an IP on
 the internet and we could just open our firewall to let them in.


This is an interesting idea, but... surely it would have been more
expensive... would EPB deep discount this or something? One fiber run per
lamp post?? Seems like it would be outlandishly expensive, not to mention
impossible to maintain...

Now if they could have let you use their fiber plant to get back to your
network, maybe... but would even THAT have saved money? Cable isn't free...

I know this was a scrapped plan, but it intrigues me nonetheless.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone




Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-13 Thread Hunter Fuller
That sounds extremely painful. I cannot imagine deploying a solution that
97+% of laptops cannot use directly.

-- 
Hunter Fuller
OIT

Sent from my phone.
On May 13, 2015 8:25 AM, Brian Helman bhel...@salemstate.edu wrote:

  I have a little more information to provide now.  I absolutely
 appreciate that it will be extremely tempting to respond with biased
 opinions.  I don’t think there is anything that can be said that I haven’t
 already expressed to my team.  However, that will not help me write up my
 recommendation.  So that being said, feel free to chime in with tangible
 reasons to do this or not…



 Apparently, our president heard that some schools are investigating
 purchasing bulk data contracts with mobile (“cellular”) carriers for data.
 The idea is, we would stop providing 802.11g/n/ac wireless in the residence
 halls and instead provide students with the abilities to register their
 devices with the mobile carrier to use 4G/LTE data.  The University will
 pay for this.



 Pros:

 No wireless (802.11) to purchase, support

 Reduced POE requirements on switches

 No wireless driver/configuration mismatch problems to support



 Cons:

 Is mobile wireless signal available everywhere inside the buildings?
 Costs to improve signal.

 What speeds are available (what range of speeds)?  Is it by user or
 aggregate?

 How is congestion handled?

 What devices – mobile phones only?  Hotspots to provide access to
 non-cellular devices (e.g wifi-only tablets; laptops)

 More Ethernet ports needed for devices that previously depended on wireless

 What provider(s)?

 Support shifted from “device to institutional wifi” to “device to myfi” or
 “device to 3rd party”

 Cost per user, per GB?



 What else?



 If you know of any institutions who have attempted this (I have heard MIT
 is looking at it, but we aren’t MIT), please let me know.



 By the way, the background here is .. we installed our 802.11n network ~5
 years ago and haven’t had any commitment to fund it since.  So now we are
 trying to deal with capacity (BYOD) issues that didn’t exist 5 years ago
 while upgrading to 11ac.  Of course, it’s not a 1:1 swap of equipment since
 we’d be migrating from 2.4GHz to 2.4+5GHz.  That puts the costs for
 forklift upgrades pretty high (did I mention I’ve been unsuccessfully
 asking for funding for 3 years?).



 I believe this can all best be summarized with a simple .. Oy.



 -Brian











 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jerkan, Kristijan
 *Sent:* Sunday, May 03, 2015 12:34 PM
 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 *Subject:* [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless)
 service, or not to provide (wireless) service...



 As a public institution in the EDU sector we always had a byod policy in
 our dorm network, specifically including „anything You want to connect to
 the port in Your room“.



 Parameters:

 -5k+ dorm rooms (1.8k the largest segment, 20 the smallest)

 -120km radius

 -at least one (mostly two) RJ45 port per room (cat5-7 to the switch, fiber
 afterwards)

 -10/100MBit ports (deliberately did not go for 1GBit at the edge)

 -no additional accounting, just dhcp with opt82

 -public ips behind reflexive acl (no shaping, etc.)

 -uplink via the federal research network

 -service neutral (whoever wants to can use a DSL provider also/instead and
 may use the inhouse cable from their basement to their room for it)

 -one service number (fixed number, forwarded to five cellphones – whoever
 picks up first wins)

 -managed by ~10 students (pro bono, but with a couple of incentives)



 That being said, here are a few points why this works for us and is not
 generally applicable:

 -people have to work together to achieve common goals (state, local,
 university and dorm administration – technical and administrative staff)

 -it does not take much to put a service neutral CAT cable into every room
 while they are being built/renovated instead of a cheaper telephone cable,
 but it does take a joint effort and common goals

 -to every dorm room there is a rent/contract, so we know who is „behind“
 it and can make one specific person liable (opt82)

 -there are only single-bed rooms (this is a cultural thing and different
 than in the US, I guess no one around here would even rent a shared room)

 -almost no dorms are adjacent to the classrooms/labs (seamless wireless
 coverage/services wouldn’t be possible anyway)

 -in order to find enough students (5 for the core team) who will do the
 occasionally needed actual work without payment, a balance between demands
 and incentives is important



 Effect:

 -very low capex and extremely low opex for the dorm network [numbers only
 off list]

 -very limited support calls (maybe 2/week; maybe 10-20 during the
 move-in-phase, mostly students from the states asking about the
 non-existent login/pw)

 -no need to worry about deprication

Re: [WIRELESS-LAN] Roaming

2015-05-05 Thread Hunter Fuller
We have a single Student Wireless VLAN for all of campus.

We have 25 pools that are all /23s and one legacy pool that is a /21.

Leases expire after 160 minutes.

Students can seamlessly roam all over campus as long as they stay
within coverage. (We are still working on fleshing out our outdoor
coverage, but there are certain paths you can walk and make it across
the entire campus already, I believe.)

We are doing NAT. 10.4.0.0/16 (where the /23 pools live) is PATted out
using our firewall. The firewall logs lines when it builds
translations (like translated this port on this IP internally to this
port on this IP externally). If an abuse report includes the port
number, we grep our logs for the port numbers, find the internal
address, and check who was logged in from that address. If the report
does not include port number, it isn't enough information, so we don't
do anything unless there is some other identifying factor.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Tue, May 5, 2015 at 10:19 AM, Legge, Jeffry jgle...@radford.edu wrote:
 Currently we allow roaming over our entire campus. Some buildings have their
 own vlan while others do not. Each year we have more devices and thus our
 DHCP pools are stressed. We are looking at changing our network design and
 giving each building their own vlan and larger DHCP pools. We currently have
 a class B IPV4 internet addresses and will move to NAT. When students are
 abusing copyright etc. we are given an IP address and asked to determine who
 is doing the abusing. As students roam they could end up with multiple IP
 addresses and Natting will complicate the ability to find these abusers. I
 am curious about the following.



 Do y’all have one vlan per building?



 How large are your DHCP pools?



 What is the pool expiration time?



 Do you allow roaming over entire campus, per building or what?



 How do y’all find these abusers?



 Any thoughts will be appreciated.



 -Jeff Legge

 Radford University

 540-250-5224






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
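
The lookup described in the reply above (find the translation by external port, then the login on that internal address), as an added example that is not part of the original thread. The log and session line formats, addresses and usernames are constructed assumptions, not any firewall's real syntax; the time checks are there because PAT ports and DHCP addresses get reused.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall translation log (hypothetical format).
# External port 40001 is reused by two different internal hosts.
NAT_LOG = """\
2015-05-05T14:01:02Z BUILT tcp 10.4.2.15:51234 -> 203.0.113.7:40001
2015-05-05T14:06:40Z TEARDOWN tcp 10.4.2.15:51234 -> 203.0.113.7:40001
2015-05-05T14:07:10Z BUILT tcp 10.4.9.200:49880 -> 203.0.113.7:40001
2015-05-05T14:20:00Z BUILT tcp 10.4.2.15:51300 -> 203.0.113.7:40002
2015-05-05T14:30:00Z TEARDOWN tcp 10.4.9.200:49880 -> 203.0.113.7:40001
"""

# Constructed wireless login records: login, logout, internal IP, user.
# 10.4.9.200 is handed to a second user after the first one's lease ends.
SESSIONS = """\
2015-05-05T13:50:00Z 2015-05-05T16:30:00Z 10.4.2.15 student_a
2015-05-05T12:00:00Z 2015-05-05T14:00:00Z 10.4.9.200 student_b
2015-05-05T14:05:00Z 2015-05-05T15:00:00Z 10.4.9.200 student_c
"""

LINE = re.compile(
    r"(\S+) (BUILT|TEARDOWN) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def ts(text):
    """Parse the UTC timestamps used in the sample data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def parse_translations(log):
    """Pair BUILT/TEARDOWN lines into (key, start, end, internal_ip) tuples.

    key is (proto, external_ip, external_port); end is None when the
    translation was still open at the end of the log.
    """
    open_xl, intervals = {}, []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a translation line
        when, event, proto, in_ip, _in_port, ex_ip, ex_port = m.groups()
        key = (proto, ex_ip, int(ex_port))
        if event == "BUILT":
            open_xl[key] = (ts(when), in_ip)
        elif key in open_xl:
            start, ip = open_xl.pop(key)
            intervals.append((key, start, ts(when), ip))
    intervals += [(k, start, None, ip) for k, (start, ip) in open_xl.items()]
    return intervals


def parse_sessions(text):
    """Return (login, logout, ip, user) tuples from the session records."""
    rows = []
    for line in text.splitlines():
        login, logout, ip, user = line.split()
        rows.append((ts(login), ts(logout), ip, user))
    return rows


def attribute(when, ext_ip, ext_port, proto="tcp", skew_s=0):
    """Map an abuse report to an internal IP and user, or say why not.

    skew_s widens the match window to allow for clock drift in the report;
    if that makes two internal hosts plausible the result is 'ambiguous'.
    """
    none = {"ip": None, "user": None}
    if ext_port is None:
        # Many clients share one PAT address: no port, no attribution.
        return {"status": "insufficient", **none}
    t, skew = ts(when), timedelta(seconds=skew_s)
    hosts = {ip for key, start, end, ip in parse_translations(NAT_LOG)
             if key == (proto, ext_ip, int(ext_port))
             and start - skew <= t and (end is None or t <= end + skew)}
    if not hosts:
        return {"status": "no-translation", **none}
    if len(hosts) > 1:
        return {"status": "ambiguous", **none}
    ip = hosts.pop()
    users = {user for login, logout, s_ip, user in parse_sessions(SESSIONS)
             if s_ip == ip and login <= t <= logout}
    if len(users) != 1:
        return {"status": "no-single-user", "ip": ip, "user": None}
    return {"status": "ok", "ip": ip, "user": users.pop()}


if __name__ == "__main__":
    for report in [("2015-05-05T14:03:00Z", "203.0.113.7", 40001),
                   ("2015-05-05T14:10:00Z", "203.0.113.7", 40001),
                   ("2015-05-05T14:10:00Z", "203.0.113.7", None)]:
        print(report, attribute(*report))
```
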


Re: [WIRELESS-LAN] Wi-Fi Location tracking Success or Failure

2015-04-22 Thread Hunter Fuller
John,

Not sure what standard spitting distance is, but that seems like fairly
good resolution. Maybe the distance I can spit is lower than average,
however.

-- 
Hunter Fuller
OIT

Sent from my phone.
On Apr 22, 2015 8:12 AM, Cosgrove, John jcosgr...@hmc.psu.edu wrote:

  I am still at the starting edge and that is one of my questions as
 well.  There are a lot of cases where I can see that getting a device in
 “spitting distance”  pardon the expression would be very useful in many
 cases.  There are cases where they need more specific location resolution
 and that may require some other technology other than Wi-Fi.



 I can see at this point use cases for Tags, People, and patients.  And I
 know each of these can also break down further.  I am starting to have these
 specific conversations with users.



 I am just trying to get example of real people deploying a location
 service in their institution and see how it turned out.  Vendors want to
 Sell Sell Sell….



 JC





 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Luke Jenkins
 *Sent:* Tuesday, April 21, 2015 6:28 PM
 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 *Subject:* Re: [WIRELESS-LAN] Wi-Fi Location tracking Success or Failure



 Two big questions that will shape the discussion: what level of resolution
 are you expecting, and are you interested in location information for
 client devices (people) or tags (equipment)?



 -Luke



 =-=-=-=-=-=-=-=-=-=-=-=

 Luke Jenkins
 Network Engineer
 Weber State University





 On Tue, Apr 21, 2015 at 7:13 AM, Cosgrove, John jcosgr...@hmc.psu.edu
 wrote:

 Has anyone out here been involved in any Wi-Fi location tracking
 projects?  Not only looking for the successes but interested in the
 failures.



 So many vendor videos to watch to see how this is “better than sliced
 bread”.



 I have over the course of time been involved with discussions from staff
 about the need to have a system to do this but nobody has really been
 successful in communicating what they really need and how this information
 will manifest to some work improvement.



 We are a University Hospital so this is the main driver for location
 tracking.



 Feel free to respond off line if you like.  Especially failures if you
 don’t wish to air that here.



 Thanks to all for the great information and experiences found here.



 John Cosgrove

 Wireless Staff Specialist

 Penn State Hershey Medical Center

 Penn State College of Medicine

 jcosgr...@hmc.psu.edu








Re: [WIRELESS-LAN] 802.11ac AP Deployment

2015-04-06 Thread Hunter Fuller
Depending on how you are running the cable, you could run it to each room,
but with the possibility of pulling it back to put APs in hallways instead,
or to reposition. If you have drop ceilings you can leave like 10ft service
loop to allow freedom of moving them within the rooms. Etc, etc. These
might allow you to defer the decision, or to change your mind later based
on real life results.

I tend in this direction because two of our Resnet buildings have proven to
be interesting with regards to wireless penetration and performance. I
wish we had left some flexibility in those cases.

-- 
Hunter Fuller
OIT

Sent from my phone.
On Apr 6, 2015 6:42 PM, Peter P Morrissey ppmor...@syr.edu wrote:

 Since cabling tends to have a 15-20 year life cycle, and can be expensive
 and disruptive to install, why not just run a cable to each room while you
 have the opportunity? Then you can use your survey tools to decide where to
 place the AP's. This gives you the option of reconfiguring down the road if
 that doesn't work out. It also gives you the option of adding more density
 if necessary. There will be multiple generations of wireless technology
 during the lifetime of the cable and the agility added by the additional
 cable could come in handy.

 Pete Morrissey

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Doug Burke
 Sent: Monday, April 06, 2015 7:29 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] 802.11ac AP Deployment

 All,

 Last year we cabled our campus classrooms and administrative offices with
 CAT6a preparing for the deployment of Wave 2 802.11ac. We are about to begin
 Phase II of the cabling project in our residence halls and we are looking
 for input from others on whether to plan for one AP per room or trust our
 survey tools. I expect most of you will say it depends and we understand
 the complexities of building construction. We have deployed 70 Wave 1 APs as
 a Proof of Concept (POC) testing them in different types of building
 construction but would like to hear others' experiences in particular to
 residence halls. Thank you for your help.

 Douglas Burke
 Senior Director '13 MSEL, BSBA
 Network Infrastructure Systems  Services University of San Diego




Re: [WIRELESS-LAN] troubleshooting wireless issues

2015-04-02 Thread Hunter Fuller
One time, on Yik Yak, I saw the comment, "Student5 forever obtaining
IP address" (Student5 is our student wireless network). I was amused
and somewhat delighted to see someone else reply, "If only there was
some email address for reporting these things, like helpd...@uah.edu
or something."

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Thu, Apr 2, 2015 at 4:59 PM, Jordan, Fred fmjor...@fsu.edu wrote:
 Seems some students have made references to problems with our campus
 wireless on both reddit and also YikYak.
 Some of our younger support personnel who frequent both have responded on
 both platforms.
 Not high volume by any means, but at least one more way to make direct
 contact and the interaction is viewed by other students.
 And I agree that students just don't open tickets or call the Service Desk.
 Fred

 On Apr 2, 2015, at 5:33 PM, Sullivan, Don dsulli...@samford.edu wrote:

 That’s a really good question. It sounds like we are in the same predicament
 as your school. Like you, we tend to be more reactive when we observe issues
 with wireless ourselves (APs disassociating, etc.) or someone taking the
 time to report an issue (we are even monitoring twitter for complaints).  If
 someone has a magic bullet, I sure would be interested in hearing about it.

 Don Sullivan
 Network Administrator
 Samford University
 205-726-2111

 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Alexander, David
 Sent: Thursday, April 02, 2015 3:10 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] troubleshooting wireless issues

 I’d like to know what other schools are doing to proactively troubleshoot
 wireless issues on your campus.

 Our network team does a great job of troubleshooting end user wireless
 connectivity issues when a customer calls the Service Desk to report an
 issue, but end users don’t like to call our Service Desk to report issues.
 Because of this, end users assume our network sucks or they try their own
 workarounds (eg. using cellular data, etc.).

 What level of success do you have with customers contacting your Service
 Desk about connectivity issues?  Do you do anything to proactively find out
 if customers are having connectivity issues?

 It seems like a lot of the issues are on the client side (eg. updating
 Surface Pro drivers, applying a Mac fix, etc.).  What approaches are you
 using to communicate about device specific issues?

 I’d appreciate any feedback you have on how you are approaching this issue
 on your campus to improve end user experience with your wireless network.

 Thanks,
 Dave


Re: [WIRELESS-LAN] 1GBE as a bottleneck to APs?

2015-03-24 Thread Hunter Fuller
I mean...

For the time being, we've only got 10 Gbit/s leaving the campus, and
we have serious difficulty coming anywhere close to saturating it.
We're not a huge campus.

I don't see us needing this for a long time.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Tue, Mar 24, 2015 at 9:37 AM, Hinson, Matthew P
matthew.hin...@vikings.berry.edu wrote:
 I’ve seen a few articles here and there regarding possible solutions for
 “the gigabit bottleneck” as it pertains to .11ac access points. Said
 solutions include Cisco’s forthcoming protocols for 2.5G and 5G over CAT5
 cabling as well as LACP’ing two gigabit ports per switch and AP as some
 vendors suggest...



 My question for the group is: Has anyone actually seen a throughput issue
 using gigabit to the edge? Certainly your distribution layer gear could be a
 limitation if it’s not specced correctly, but I’ve just never seen a
 situation where I’ve wished for more than 1000BASE-T to an AP. Our fastest
 802.11ac access points can “only” hit 600-700mbit/s real TCP throughput, and
 that’s in ideal, almost laboratory conditions.



 Thoughts?



 Thank you!

 Matthew Hinson

 Network Operations



Re: [WIRELESS-LAN] netflix question

2015-03-19 Thread Hunter Fuller
We actually seem to see a statistically significant amount of Netflix from
non Resnet buildings! Hmm...

-- 
Hunter Fuller
OIT

Sent from my phone.
On Mar 19, 2015 10:57 AM, Jonn Martell j...@martell.ca wrote:


 Dual networks.  The premise is that the student pay a fee for connectivity
 and should get to enjoy the same level of service they would get off
 campus.   Ideally the two networks could use each other's unused bandwidth
 but I never looked into that.

 Since Netflix appears to be the biggest issue, you might want to review on
 how to get Netflix closer to your residences. See
 https://openconnect.itp.netflix.com/  When you talk to them, classify
 yourself as an ISP for Resnet (which you are).

 Fortunately, no residences at my current campus so it's not something I
 have to deal with :-)

 Jonn Martell
 Director of Technical Operations
 FDU Vancouver Campus


 On Thu, Mar 19, 2015 at 8:46 AM, Alexander, David alexa...@ohio.edu
 wrote:

  I wanted to know if Netflix has been a problem for other schools,
 specifically those with large residential campuses.



 We’ve seen usage on our campus grow a lot over the past few years, and
 our response has been to implement a bandwidth cap on Netflix from 8 am to
 10 pm.  This pretty much makes Netflix unusable during the day.  When we
 lift the bandwidth cap at night, Netflix takes up around 40% of our total
 traffic.



 I’m curious if other schools are dealing with Netflix bandwidth issues
 and what solutions you have implemented that allows students to enjoy
 Netflix without impacting the usability of the network.



 Thanks,

 Dave



Re: [WIRELESS-LAN] WLC 5508 Reboots- 8.0.110.0 Code

2015-03-18 Thread Hunter Fuller
Wait, seriously? ALL of the version 8 code that has been released,
currently has a bug that will randomly reload the controller for no reason?

...


--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone

On Wed, Mar 18, 2015 at 10:47 AM, Linchuan Yang linchuan.y...@concordia.ca
wrote:

  Dear Lee



 We had the same issue, and a Cisco engineer suggested downgrading to
 version 7 because all of the code in version 8 has this bug. We are
 waiting for an update that solves this bug in version 8.



 Have a nice day.

 Linchuan Yang (Antony)

 Wireless Networking Analyst
 Network Assessment and Integration,
 IITS-Concordia University
 Tel: (514)848-2424 ext. 7664







 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
 *Sent:* March-18-15 9:53 AM
 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 *Subject:* [WIRELESS-LAN] WLC 5508 Reboots- 8.0.110.0 Code



 Sigh… just kick me.



 Our latest Cisco WLAN fun comes in the form of 5508 spontaneous reboots on
 8.0.110.0 code. Has anyone else on the list experienced this?



 I do find this Support Community thread:
 https://supportforums.cisco.com/discussion/12411926/wlc-5508-automatically-restarting-twice-week#comment-10362606



 And this related bug: https://tools.cisco.com/bugsearch/bug/CSCuq74491



 Have had one reboot today, and found that another had done so last week
 quick enough where monitoring and alerting didn’t catch it. Now going
 through all of them to see if there might have been others missed.



 TAC case open and I see that 8.0.110.0 is no longer available to download,
 with 8.0.115.0 “recommended”.



 -Lee Badman







 Lee Badman

 Wireless/Network Architect

 ITS, Syracuse University

 315.443.3003

 (Blog: http://wirednot.wordpress.com)










Re: [WIRELESS-LAN] Looking for interest among Wi-Fi professionals

2015-03-18 Thread Hunter Fuller
I would much prefer a mailing list, but would use it regardless.

-- 
Hunter Fuller
OIT

Sent from my phone.
On Mar 18, 2015 12:49 PM, Lee H Badman lhbad...@syr.edu wrote:

  This is not meant to self-promote, apologies if it seems that way.
 Looking for interest on whether those on the list would get value out of a
 potential new wireless-oriented discussion board, as described here:


 https://wirednot.wordpress.com/2015/03/18/hey-wireless-professionals-would-you-use/

 Won’t hurt my feelings either way, but could be kind of valuable if you
 picture it widely used.

 Regards-

 Lee Badman






Re: [WIRELESS-LAN] Looking for interest among Wi-Fi professionals

2015-03-18 Thread Hunter Fuller
I know I have just been assuming Aruba people have no issues, since I never
see them on the list! ;)

It would be nice to have some sort of context/insight into the grand scheme
of things, rather than just Ciscoland.


--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone

On Wed, Mar 18, 2015 at 3:17 PM, Chuck Enfield chu...@psu.edu wrote:

 I asked exactly that question just a few weeks ago, but I didn’t use this
 list.  Between Airheads and more intimate peer groups, I don’t usually
 raise those questions here.  FWIW, I’ve also been asked this question
 off-list by people from other edu’s.



 To be honest, I’m interested to hear whether or not people think this is
 the best venue for vendor-specific issues.  I sometimes feel like I spend
 too much time deleting Cisco posts on this list.  While I’ve never thought
 it was inappropriate to discuss those things here, it is why I tend to take
 Aruba issues to forums where I know the other participants use Aruba.  On
 the other hand, there are plenty of people from Aruba shops on this list
 that may not have access to the forums I use and would benefit from
 seeing the discussion here.  So, should I be posting Aruba-specific
 questions and comments on this list, or should that stay on Airheads?



 Chuck Enfield

 Manager, Wireless Systems  Engineering

 Telecommunications  Networking Services

 The Pennsylvania State University

 110H, USB2, UP, PA 16802

 ph: 814.863.8715

 fx: 814.865.3988



 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Osborne, Bruce W
 (Network Services)
 *Sent:* Wednesday, March 18, 2015 3:42 PM
 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 *Subject:* Re: [WIRELESS-LAN] Looking for interest among Wi-Fi
 professionals



 It could be useful IF it is not dominated with Cisco Wi-Fi issues. Although
 Cisco is the largest vendor, they must have the most issues.

 When was the last time people were asking whether to upgrade to a GA
 version of ArubaOS, for instance?





 *Bruce Osborne*

 *Wireless Engineer*

 *IT Infrastructure  Media Solutions*



 *(434) 592-4229*



 *LIBERTY UNIVERSITY*

 *Training Champions for Christ since 1971*



 *From:* Lee H Badman [mailto:lhbad...@syr.edu]
 *Sent:* Wednesday, March 18, 2015 1:49 PM
 *Subject:* Looking for interest among Wi-Fi professionals



 This is not meant to self-promote, apologies if it seems that way. Looking
 for interest on whether those on the list would get value out of a
 potential new wireless-oriented discussion board, as described here:




 https://wirednot.wordpress.com/2015/03/18/hey-wireless-professionals-would-you-use/



 Won’t hurt my feelings either way, but could be kind of valuable if you
 picture it widely used.



 Regards-



 Lee Badman










Re: [WIRELESS-LAN] Cisco 702W APs

2015-03-18 Thread Hunter Fuller
We have deployed several other types of Cisco APs one per room in our
particularly tough buildings and no one's smashed them yet. The more
frequent destruction location is, by far, the gym.

-- 
Hunter Fuller
OIT

Sent from my phone.
On Mar 18, 2015 4:04 PM, Mattson III, Ken V. kenmatt...@creighton.edu
wrote:

  Yes, this first one will be one AP per room. Furniture smashing is a
 concern to Res Life and us. The APs' permanent location will be mostly
 shielded from furniture smashing. I will post some pictures and update
 periodically about the smashing part.



 Kenneth V. Mattson III
 Director - Network and Data
 DoIT
 Creighton University
 402-280-2743
 402-981-1140

 A password is like a toothbrush:
 Choose a good one, change it regularly and don't share it.



 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Alan Nord
 *Sent:* Wednesday, March 18, 2015 3:32 PM
 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 *Subject:* Re: [WIRELESS-LAN] Cisco 702W APs



 We are looking to do the same.  We have two main issues that need to be
 worked out before moving forward - 1) NAC vendor needs to support changing
 VLANs on the AP, and 2) how do we deploy them so they don't get smashed by
 furniture/students?



 What is your deployment plan?  1 AP per room or something else?



 On Wed, Mar 18, 2015 at 3:25 PM, Mattson III, Ken V. 
 kenmatt...@creighton.edu wrote:

  We are about to embark on covering a Res Hall with 99% 702W APs. Are
 there any lessons learned from others out there? If our pilot works well we
 intend on this being the cookie cutter as we move forward.



 Kenneth V. Mattson III
 Director - Network and Data
 DoIT
 Creighton University
 402-280-2743
 402-981-1140

 A password is like a toothbrush:
 Choose a good one, change it regularly and don't share it.







 --

 Alan Nord, CCNA

 Infrastructure Manager
 Information Technology Services
 Macalester College
 1600 Grand Avenue
 St. Paul, MN 55105




Re: [WIRELESS-LAN] HP is reportedly trying to buy Aruba Networks

2015-03-02 Thread Hunter Fuller
Well, I don't know why Cisco is different, but they seem to be; Cisco
wireless gear doesn't care what switch it runs on, as far as I'm
aware, as long as it can get its dot3af power from it.

On Mon, Mar 2, 2015 at 8:52 AM, Turner, Ryan H rhtur...@email.unc.edu wrote:
 Well, let's be fair...  Every wireless vendor that runs a switching line is 
 going to try to get you to run their switches.  Why would Cisco be any 
 different than HP.


--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone



Re: [WIRELESS-LAN] HP is reportedly trying to buy Aruba Networks

2015-03-02 Thread Hunter Fuller
Ah, gotcha. I do sincerely hope that it doesn't matter - I would be
really disappointed if we started seeing vendor lock-in between APs
and switches, for example. But for now, as you say, it seems we are
safe from this.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Mon, Mar 2, 2015 at 3:39 PM, Turner, Ryan H rhtur...@email.unc.edu wrote:
 I didn't make my point clearly enough.  I am saying that it probably won't 
 matter that you don't run HP switches, just like it doesn't matter that you 
 may not run Cisco switches...  And that I suspect every company that has 
 products in both switching and wireless is going to tempt you, one way or the 
 other, into converging to a single vendor.  I was simply saying this is nothing 
 new or different, and that in the end, probably won't matter.

 Ryan H Turner
 Senior Network Engineer
 The University of North Carolina at Chapel Hill
 CB 1150 Chapel Hill, NC 27599
 +1 919 445 0113 Office
 +1 919 274 7926 Mobile

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
 Sent: Monday, March 02, 2015 4:37 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] HP is reportedly trying to buy Aruba Networks

 Well, I don't know why Cisco is different, but they seem to be; Cisco 
 wireless gear doesn't care what switch it runs on, as far as I'm aware, as 
 long as it can get its dot3af power from it.

 On Mon, Mar 2, 2015 at 8:52 AM, Turner, Ryan H rhtur...@email.unc.edu wrote:
 Well, let's be fair...  Every wireless vendor that runs a switching line is 
 going to try to get you to run their switches.  Why would Cisco be any 
 different than HP.


 --
 Hunter Fuller
 Network Engineer
 VBRH M-9B
 +1 256 824 5331

 Office of Information Technology
 The University of Alabama in Huntsville
 Systems and Infrastructure

 I am part of the UAH Safe Zone LGBTQIA support network:
 http://www.uah.edu/student-affairs/safe-zone



Re: [WIRELESS-LAN] Annual Exercise in Frustration: Printers that do wireless 1x?

2015-02-15 Thread Hunter Fuller
MAC auth, PSK, and extremely restrictive network access (i.e., no access to
campus resources) here... Doesn't seem like there's much else to be done.
What else is there to key on...?

Definitely not an ideal situation...

-- 
Hunter Fuller
OIT

Sent from my phone.
On Feb 15, 2015 9:41 PM, Tristan Gulyas tristan.gul...@monash.edu wrote:

 Hi all,

 This particular issue in general (devices that don’t do enterprise 802.1X)
 is starting to cause us pain with residential customers (on-campus
 accommodation) and students wishing to use practically any device they
 bring on campus with our network.  We’re starting to see other Internet of
 Things devices that only talk WiFi (eg, washing machines, other smart
 connected devices).

 I have made it *very clear* to our wireless vendor that we need a
 solution for this (per-device / per-group PSK would be perfect) as we do
 not wish to create a dozen SSIDs just for this purpose.

 What are other organisations doing to tackle this?  MAC auth plus PSK is
 still not secure enough for our tastes.

 Cheers,
 Tristan



 *Tristan Gulyas*
 Senior Network Engineer (Wireless)
 Network Operations
 eSolutions | Monash University
 738 Blackburn Road Clayton 3800
 www.monash.edu | tristan.gul...@monash.edu





 On 13 Feb 2015, at 6:00 am, Lee H Badman lhbad...@syr.edu wrote:

 This is good for a yearly laugh, so let me throw it out there:

 Has anyone found- and confirmed through actual use- any enterprise
 WLAN-capable printers or print servers that work with 802.1x WLAN security?

 Thanks-

 Lee Badman

 Lee Badman
 Wireless/Network Architect
 ITS, Syracuse University
 315.443.3003
 (Blog: http://wirednot.wordpress.com/)






Re: [WIRELESS-LAN] Annual Exercise in Frustration: Printers that do wireless 1x?

2015-02-12 Thread Hunter Fuller
On the other hand, if your printer is using more bandwidth than is
provided by dot11g, you might have bigger problems :)

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Thu, Feb 12, 2015 at 1:22 PM, Hinson, Matthew P
matthew.hin...@vikings.berry.edu wrote:
 Yeah, I configured a Ricoh something-or-another last semester that claimed
 to do dot1X, but I didn’t believe it. We already had a PSK network out there
 and we put it on that. I should mention that it took two of our techs plus
 the vendor sending a rep out and wasting hours of time to get it to accept a
 simple PSK connection.



 Oh, and did I mention that this is a brand new unit (as of 4 months ago) and
 it only supports 802.11a/b/g… K



 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
 Sent: Thursday, February 12, 2015 2:17 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Annual Exercise in Frustration: Printers that do
 wireless 1x?



 I was recently working on an HP laser Pro 200 that does have 802.1X support,
 but couldn’t tell you if it works reliably. I was also impressed to see that
 it comes, along with other models, with IPv6 support.



 Hector Rios

 Louisiana State University



 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
 Sent: Thursday, February 12, 2015 1:00 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Annual Exercise in Frustration: Printers that do
 wireless 1x?



 This is good for a yearly laugh, so let me throw it out there:



 Has anyone found- and confirmed through actual use- any enterprise
 WLAN-capable printers or print servers that work with 802.1x WLAN security?



 Thanks-



 Lee Badman



 Lee Badman

 Wireless/Network Architect

 ITS, Syracuse University

 315.443.3003

 (Blog: http://wirednot.wordpress.com)








