I'm not too familiar with how Aruba handles ARPs, does it do proxy ARP? I have
seen Apple devices go to sleep before all broadcast/multicast traffic is sent
by the AP, although that was 5 years ago. So I can believe that a behaviour
change could cause increased ARPs if the devices aren't seeing
Microsoft note this behaviour and have some sort of workaround in their NPS MFA
extension:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension
Really though, doing MFA for RADIUS is a square peg in a round
Which is great and I agree with but Android went and made it really hard to
onboard a private CA and so now people are going back to public certs for EAP
to lower their support burden.
Sent from my Galaxy
Original message
From: Tim Cappalli
eboot. I haven't seen that since going to 8.7.1.3 40 days ago so I
think it's fixed. This one was more of a problem since clients would try
to connect and fail and not try another AP, so it actually caused
ongoing outages.
We also have a 375 and 377 but they've been fine.
Thanks,
--
James Andrewart
Printing has auth, any decent screen mirroring solution requires a PIN, plus
airgroup or similar to limit by location.
Sent from my Galaxy
Original message
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 16/4/21 22:22 (GMT+08:00)
To:
what speeds you rate limit to if it is rate
> limited and how you came to that conclusion.
There was a talk about this at WLPC Phoenix 2019
https://wlanprofessionals.com/the-netflix-effect-on-guest-wi-fi-jim-palmer-wlpc-phoenix-2019/
--
James Andrewartha
Network & Projects Eng
by it). Microsoft
isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported
in Azure). It’s the responsibility of vendors to provide accessible tools for
security.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australi
is only on Pixel devices, is that because no
others have Android 11 or because only Google is implementing it?
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
From: The EDUCAUSE Wireless Issues Commu
I disagree, but OWE or SAE with a captive portal then? At least I can use
modern authentication methods like hardware keys and TOTP with a browser.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160
Why couldn't Google add trust-on-first-use to Android like Apple has with iOS
and macOS, and Microsoft has in Windows?
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
From: The EDUCAUSE Wire
without any band selection on the APs.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
On 10/10/20 3:32 am, Jake Snyder wrote:
> One thing to keep in mind is that iOS devices start behavior poor
bout how much progress I was expecting when this all kicked off.
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
**
Replies to EDUCAUSE Community Group emails are sent to the entire
that vendors (both client and wifi
infrastructure) should make EAP-TLS easier to deploy.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
rosoft supported agent that does device-specific TTLS-PAP like
you suggest?
Also https://www.securew2.com/blog/pitfalls-of-eap-ttls-pap/ is the top
google result for [TTLS-PAP], admittedly it's about user credentials not
device credentials but it's still a risk.
--
James Andrewartha
Network &
On 21/7/20 5:21 am, Tim Cappalli wrote:
> Passpoint solves all of these issues.
Where is the vendor support for it? Autopilot white glove doesn't even
support wireless networks at all.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Austr
Id for the Cisco WLC/Edit.../RFC 3576
Configuration, and then what Manage RFC 3576 Configurations... has. I
have this, which has the correct port:
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
On 10/1/20 5:01 pm, James Andrewartha wrote:
> Hi all,
>
> I read this thread with some trepidation, since we're just finishing
> up
200 Surface Pro 7s with Intel AX201 chipsets which I'll hopefully
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
On 10/1/20 12:15 am, Turner, Ryan H wrote:
> We’ve been an Aru
ment under warranty.
I'm not aware of any blog posts about it, this comes from the #apple-tv
channel on the MacAdmins Slack https://macadmins.herokuapp.com/
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160
they are reasonably manageable now. Just don’t get the 4K version, if they get
stuck in an app and lose their connection to the MDM you have to RMA them.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
On
/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dna
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIREL
of those can trust multiple CAs for a given SSID. On
iOS we don't push out wireless config, but we were going to reprovision
the remaining ones anyway at the end of this year so that's fine.
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Wes
o a new Radius
>> infrastructure), what is the consensus on the following strategies:
>>
>>
>>
>> Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard
>> with "verify server certificate" enabled
>>
>>
>>
&
How did you measure the 35% improvement?
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
600Mbps on a single AP is impressive, is that with a 40MHz or 80MHz channel?
What sort of client mix is generating that much traffic?
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
ient Support
No
And it needs a whole ‘nother controller (APIC-EM) with supported switches
http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/datasheet-c78-739052.html
and WLC (8540, 5520, 3504 only).
--
James Andrewa
that overlaps with Nyansa
so I won’t be investigating that. Also because my budget is capital-focused
currently which means I need physical items to stick asset tags on, and 11ac
Wave 2 APs don’t excite me at all (the only MU-MIMO capable device on campus is
my personal phone).
Thanks,
--
James
5GHz AC Access Point
[snip]
> I didn't post the link to the data sheet but is listed on the site.
Is it actually available yet? The only in-wall AP I see on the ubnt.com
is the 2.4GHz-only one.
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Clarem
:
Apple AirPort Express with firmware version 7.4.1 or 7.4.2[3]
Apple AirPort Extreme with firmware version 7.4.1 or 7.4.2[3]
Apple AirPort Time Capsule[3]
Apple TV (all generations)
Computers running Mac OS X Snow Leopard act as a Bonjour sleep proxy
server when Internet sharing is enabled
Thanks
address. What sort of
devices are the ones stealing the IP addresses?
For us, the solution was to statically (via DHCP) assign IPs to the
Apple TVs.
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 042
interference, and will allow better AP positioning.
Yes, you do need to run an extra cable (although not if you’re already using
dual-radio APs with 2.4GHz turned off), and it’ll still use a full AP license,
but at least give us that option *gets off hobby horse*.
--
James Andrewartha
Network
s
significantly cheaper, and there’s hardly any MU-MIMO clients yet, Apple
devices in particular.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
**
Participation and subscription information f
ponses to the
> clients request unless promiscuous mode is enabled. which then isn't a fair
> test of what the laptop did or did not hear.
My baseline hardware was a 15" Mid-2012 rMBP running 10.9.5, which is
only 11n capable. When rebooted into 10.11 it also exhibits the probl
% of the ARP packets of the second laptop in my testing, depending
on the load.
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
From: The EDUCAUSE Wireless Issues Constit
ple, radar://26488949 if anyone has any
contacts to escalate it. The fastest resolution we've had for any Apple
bug is 3 years, so I don't expect this to be fixed any time soon.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Aus
d with an 11g protection rate of 11Mbps. Setting that to
2Mbps and the client could talk fine.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
start of the year but I was getting a lot of radar
alerts so went back to 20MHz and non-DFS in 5GHz.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
It's not Cisco, but applying an ACL on the controller to block access to the
local subnet might work:
https://community.extremenetworks.com/extreme/topics/block_mu_to_mu_traffic_ap_filter_rule
Sent from my Samsung device
Original message
From: Oliver Elliott
show profile name=SSID key=clear I wonder how it
will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give each
user their own individual PSKs per-device.
http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
--
James Andrewartha
, and
our Mac sysadmin is on holidays so I can't ask him either. I'm pretty
sure we have a bug open with Apple, and we didn't even have to pay $800
for the privilege. Personally I'm on 10.10.3 and can confirm it's very
annoying, we're waiting for a fix before upgrading our fleet of laptops.
--
James
/white_paper_c11-713103.html#_Toc383047848
http://chimera.labs.oreilly.com/books/123401739/ch03.html#medium_access_procedures
http://chimera.labs.oreilly.com/books/123401739/ch05.html#section-channel-selection
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
where the ac clients are going to be as we go through our
3 year refresh cycle.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
init.ess.apple.com (found via
wireshark) before activation would succeed. We're using Extreme
(Enterasys) NAC and wifi, which allows DNS whitelisting.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
even log anything when those packets are received, although
they are noted at the kernel layer.
So it still looks broken, and like it’s a supplicant issue to me. Has anyone
else tried it out?
Thanks,
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western
.
[1]
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3600-series/white_paper_c11-713103.html
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
, they don't work with
Apple Configurator or a third-party MDM.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
know, it made sense when iPads only had
20MHz/1SS 802.11n).
Which vendors offer 5GHz-only APs? Particularly with 802.11ac being 5GHz
only and performing best at short ranges, it seems like a great way to
provide fill-in coverage and performance, as well as staying within 803.3af.
--
James
that in to
connect to it.
Not necessarily a PIN:
http://gigaom.com/2014/06/26/chromecast-will-use-ultrasonic-sounds-to-pair-your-tv-with-your-friends-phones/
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
Actually, a little further reading and I can see PacketFence does allow inline
enforcement, at which point you have the full power of iptables available to
you.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob
seeing Bonjour instability (you try telling a teacher to
plug into a cable after using AirPlay last year), which may be caused by
too much broadcast/multicast traffic or possibly just Bonjour not
handling seeing queries from devices on different VLANs.
--
James Andrewartha
Network Projects Engineer
ones). WPA2-PSK (unless you use
a dynamic PSK like Ruckus) also means all authenticated clients can
decrypt everyone else's traffic which isn't great for security.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424
-on-enterprise-wireless-networks/
So the app advertises the Airplay service over the network, but only the
device it's running on sees the advertisement because you have multicast
disabled?
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph
others to
use it, e.g. for shared residences?
Thanks,
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
only display from their app. If
we were happy with that, our projectors (Epson) have their own app
available now. For us, being a K-12 school that only has Apple devices,
the Apple TV is a no brainer given its price.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
-84E05E343FFA
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
**
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu
.
Some vendors have APs with radios that can work on either 2.4 or 5GHz.
Meru and Xirrus are the ones that come to mind, I can't remember if any
other vendors offer that.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob
in spite of all their other wireless issues.
The vendor information I've seen says that 4 spatial streams will debut
with 802.11ac Phase 2 in 2015, along with MU-MIMO (which will be really
worthwhile for us with plenty of 1SS mobile devices).
--
James Andrewartha
Network Projects Engineer
Christ
/data_sheet_c78-729421.html
They almost got it into a 802.3af power budget, except it runs in 3x3:3
MIMO instead of 4x4:3 which shouldn't make too much of a difference.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160
are
eventually responding - it just takes a long time in some cases.
I've upped my RADIUS timeout to 30 seconds (from 15), I'll see if that
has any effect.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
strength the OS perceives for each BSSID (sorted by RSSI so long as your
SSIDs have no spaces):
/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -s | sort -rnk3
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08
.
Worst case (in a .edu setting I guess it might be common, you'll need to NAT
the clients if they connect to apple to the same outside IP as the server)
You can have multiple caching servers - but even a single mac mini can
offload quite a bit of your outside networks.
--
James Andrewartha
) involves sshing in to the AP (they run Linux).
For the price, you could pick up a three pack and have a play yourself.
I've sent you my thoughts about other vendors in the past, so I won't
repeat myself.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont
fails.
I haven't really looked at the new range of thick APs like Meraki or
Aerohive, so can't comment on their architecture.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
). This is mostly only a
problem when I'm testing an iPad with our NAC, I spoke to our
vendor (Enterasys) and they've noticed it as well.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
up, the wireless tech is important, but so are all the parts that
surround it too, so work out what else you want from the wireless first.
I'm not sure if I should post this to the list as we're a K-12 school,
not a university. If you have any other questions, let me know.
--
James Andrewartha
management, mainly targeted at small deployments from what I can
tell.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
know how you control who can do
that, or if they can.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
with some hackery. Obviously a well-engineered product beats
general hacks any day.
--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877