RE: [WIRELESS-LAN] Apple product antenna strength vs other?
Blake has this RSSIcompared.com <https://rssicompared.com/> website. I’m not sure if it’s being updated anymore, but you might be able to find devices for comparison…. Or measure and upload your own. Someone already mentioned making sure the clients are connecting to the same radio. If they are not on the same radio you might check Mike Albano’s clients.mikealbano.com to see if your device(s) are capable of using the 5GHz radio channel. If the Apple devices are relatively modern and made for the US market, they should handle any channel the AP-225 can. *Mike Atkins * Infrastructure Architect Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Enfield, Chuck *Sent:* Friday, June 4, 2021 12:22 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Apple product antenna strength vs other? I guess I should have answered your original question too. I’m not aware of any trend where Apple devices see a much weaker signal than comparable Windows or Android devices. An intuitive impression based on my experience is that MacBooks tend to have a couple dB weaker signal than Windows laptops. The difference in reported signal quality could be based on whether a statistic is measured or calculated and have nothing to do with the hardware. (For example, a device measures the RSSI and noise floor and calculates the SNR, or it may measure the SNR, estimate the noise floor, and calculate the RSSI. You can expect these methods to produce slightly different results in good circumstances, and wildly different results when the noise floor is very high.) Regardless of the measurements, when I’ve done side-by-side comparisons of Windows and MacBooks, they’re usually connected at the same data rate, but sometimes the MacBook is one rate lower, which is why I suspect a couple dB difference. 
I’d like to reiterate; this is just my impression based on multiple measurements with a small number of devices in the course of routine troubleshooting. If anybody’s experience differs, please share. You won’t get an argument from me.

*From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Enfield, Chuck
*Sent:* Friday, June 4, 2021 11:14 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Apple product antenna strength vs other?

Along the same lines as what Lee said, you need to make sure all the client devices are connecting to the same AP and radio. I also don’t recommend relying on bars for anything. Perhaps there’s a standard for them now, but if there is I’m not aware of it. To see the connection details:

- On Mac, Hold the option key while clicking the wireless icon.
- On Android, download any of the myriad apps which provide network connection details. You can also enable developer options (Google the steps), then enable Wi-Fi verbose logging to see more connection details right in the wi-fi menu on your device.
- On Windows, the OS reports Wi-Fi strength in % instead of dB, so I recommend an app. If you haven’t purchased any Wi-Fi diagnostic apps for Windows, then there’s a free one in the app store called Wi-Fi Analyzer that will give you the basic info. I wouldn’t trust everything in the app (it seems to think all channels are 20Mhz) but I’ve found the other basic info (channel, rssi, protocol, bssid) reliable.
- Sadly, I’m not aware of how to get any useful network information from iOS devices.

*From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Tyler
*Sent:* Friday, June 4, 2021 10:43 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Apple product antenna strength vs other?

Chuck, We checked bar strength. Macs were in the 2nd out of 3 bars. PC’s were getting 4 out of 5. 
I didn’t check the phones. We did bandwidth testing and Macs were below 10Mb while PC’s were averaging around 150Mb. I did check Airwave for possible issues. It suggested a poor SNR value for at least one of the Macs. I didn’t know what to make of that since the PC’s were not having that issue. Health was not good. Also, the Macs would drop connections and sometimes have random difficulty in connecting. No issues with the PC’s or droids. It was basic testing at this point, but there was no doubt that Macs struggled performance wise while PC’s didn’t. I do need to go back and make sure they are all using the same AP. I did check on one Mac, but I didn’t verify it for all of them. Tim *From:* The EDUCAUSE Wireless Issues Community Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Enfield, Chuck *Sent:* Friday, June 4, 2021 9:28 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIR
Lead time for Wi-Fi gear?
What's the word on lead time for your Wi-Fi gear? We are primarily Cisco but have some Aruba and see ship times six months out. Is that what everyone else is seeing? I know some Meraki gear can be shipped within a week or so. I just wanted to get a feel from the group as to what they hear on the street. -- *Mike Atkins * Infrastructure Architect Office of Information Technology University of Notre Dame Phone: 574-631-7210 ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Outdoor WLANs?
For those of you running outdoor Wi-Fi covering public space, do you broadcast the same WLANs as in building? Do you have a specific strategy for why or why not? TLDR: Being a Northern Indiana campus, the demand for outdoor Wi-Fi during the school year has been fairly low. Last year has changed this for all of us. We face the same challenges as everyone else with cost/aesthetics vs return on investment. We are looking to provide some legit coverage this year and get out of the "temporary" outdoor setups. We are a two SSID campus with eduroam being our dot1X secure network and ND-guest being open unauthenticated Internet access only "guest" network. The question came up out of a discussion related to ensuring performance for faculty/staff/students in the public outdoor spaces but my other concern is for our Information Security group. An open guest network might be okay in a building where we can track your device down fairly quickly but outdoors might complicate this. I think the campus user expectation is both SSID's everywhere. Trying to get some thoughts from around the block. -- *Mike Atkins * Infrastructure Architect Office of Information Technology University of Notre Dame Phone: 574-631-7210
Re: [WIRELESS-LAN] Transitioning from older controller to new controller
You are not late at all. I certainly am. I have 8-9 e-mails for interest. I'll send out a quick survey to collect information from those that responded. I will send it to the list again to pickup others that might be interested. On Wed, Nov 11, 2020 at 3:17 PM Michael Heflin < 02002057e293-dmarc-requ...@listserv.educause.edu> wrote: > Little late but would be interested in this as we are moving from 8540's > to 9800's -- *Mike Atkins* Infrastructure Architect Office of Information Technology University of Notre Dame
RE: [WIRELESS-LAN] Client roaming
While this is not an Apple specific thread, Dan Jones’ presentation at Wireless Technology Forum on “Designing Wireless Networks for Apple” was very entertaining/helpful in explaining the Apple roaming docs he referenced. Several pointed out documented vs observed behaviors are not always the same. Pertinent to this thread, the need for MacOS to see an AP at 12 dB better than the existing connection before 5GHz roaming could be a factor. Probably not the issue at hand, but some things to consider in the docs. You should watch the presentation at WTF20.COM or when it is posted to the CWNP YouTube channel <https://www.youtube.com/user/CWNPTV>.

Here are the references from @UKDanJones presentation:

https://apple.co/3l4xqvs <https://support.apple.com/en-gb/HT202068> - Apple Recommended AP Settings
https://apple.co/3ngM5FR <https://support.apple.com/en-gb/guide/deployment-reference-ios/iora86498d88/1/web/1> - Creating Network Names For Your Wi-Fi Networks
https://apple.co/3jmbLhF <http://support.apple.com/en-us/HT203068> - About Wireless Roaming For Enterprise
https://apple.co/2SdQA5F - macOS Wireless Roaming For Enterprise Customers
https://apple.co/2HFn8TU <https://support.apple.com/en-us/HT202628> - Wi-Fi network roaming with 802.11k, 802.11r, and 802.11v on iOS
https://bit.ly/3iLFG2K <https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf> - Enterprise Best Practices for iOS devices and Mac computers on Cisco Wireless LAN
https://apple.co/36msKwC - Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7
https://apple.co/2GjOYVr - Connecting Apple devices to 802.1X networks
https://apple.co/3cLBa1Z - Build Trust Through Better Privacy
https://bit.ly/2SgyQXb - You Should Care About DHCP Option 51
https://apple.co/3jnEDWR - How To Modernize Your Captive Network

Maybe it is just us, but we have lots of places where a 12dB delta is hard to achieve when designing for dual 5G radio coverage at -65 dB. Clients end up skipping an AP (or two) before actually roaming. Not to mention use case and behavior differences between laptops and mobile devices like phones and tablets. You might notice on a laptop Zoom session, maybe not with an iPhone VoWi-Fi session. Our focus was on VoWi-Fi, thinking it was the more challenging thing to tackle. Remote learning is challenging those assumptions.

*Mike Atkins *
Network Engineer
Office of Information Technology
University of Notre Dame

*From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Jake Snyder
*Sent:* Friday, October 9, 2020 3:33 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Client roaming

One thing to keep in mind is that iOS devices start behaving poorly when they have no good option above -65. That’s the threshold they prefer 5GHz and when you combine that with “hallway design” and “band select” you are asking for a bad time.

Scenario: Client doesn’t see 5GHz above -65. 2.4Ghz looks better, client tries to associate and bandselect tries to send them back. Client doesn’t think 5GHz meets its requirements, tries to associate on 2.4Ghz. Round and round they go.

If you need band select for devices like iOS that prefer 5GHz, you likely don’t have enough 5GHz coverage, and trying to force them to 5GHz only results in issues. A better approach is to have at least 6db of transmit power more on 5GHz than 2.4. This makes 5GHz generally look more attractive so clients naturally pick it, band select not needed. You can easily do this with TPC min/max settings.

Also keep in mind when looking at your survey reports. -65 is as measured by the device, not your fancy sidekick or aircheck. Figure you need an extra 7-10db delta to overcome the limitations of some mobile devices. That puts you -58 to -55 as measured. 
Sent from my iPhone On Oct 9, 2020, at 1:08 PM, James Helzerman wrote: Best thing you can do for clients is have a 5GHz only SSID. We moved over the summer to this with our main 802.1x network and it has fixed a ton of these roaming issues and complaints of performance. Basically take the decision making out of the hands of the client, give them only one band to choose from. Band Select / steering may work but can lead to a lot of user issues as roaming can break if the client doesn't take the hint to use 5GHz. Transitions with real time applications like voice can be negatively affected. For those on our campus that have 2.4GHz only devices, we offer eduroam in both bands and have them use that then use AAA override to place them in the same network as our branded ssid giving them all the same access to resources. Our branded 802.1x, MWireless, has 95% of our user devices. -Jimmy -- James Helzerman Wireless Network Engineer U
RE: [WIRELESS-LAN] Transitioning from older controller to new controller
I’ve reached out to a few schools individually on this very topic. Would the group want to do a Zoom session on this? *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Sullivan, Don *Sent:* Friday, October 9, 2020 9:01 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Transitioning from older controller to new controller We are in the process of upgrading our wireless from a Cisco 8510 to a Cisco 9800-80. I wanted to query those on this list who have already gone through this process about any lessons learned that would have been nice to know before transitioning your existing AP inventory that is compliant with the new hardware. I am building the configuration for the 9800 from scratch and it has been a challenge learning the new concepts for configuring this type of controller, so I was hoping to see what others have learned from the experience. Any thoughts would be appreciated. *Don Sullivan* *Network Administrator* *Technology Services* 205-726-2111 <+1205-726-2111> | office dsulli...@samford.edu LinkedIn <http://linkedin.com/in/donaldasullivan> www.samford.edu 800 Lakeshore Drive Birmingham, AL 35229 <https://maps.google.com/maps?q=800+Lakeshore+Drive,+Birmingham,+AL+35229,+US>
RE: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?
We deployed our ax capable APs without ax enabled for the same Intel driver issues. I wanted to test something with a flawed driver recently and noticed it is no longer available from Intel. I think Intel revamped their downloads page at the end of last year to remove all but the newest revisions of drivers. We use SecureW2 for eduroam onboarding so we can get a sense of drivers used by Windows devices. We will probably enable Wi-Fi 6 next year if the numbers continue to look good. *Mike Atkins * Infrastructure Architect Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*) *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Nadim El-Khoury *Sent:* Wednesday, September 23, 2020 4:41 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers? Hi Eric, One more thing that I forgot to answer. We elected to keep Wi-Fi 6 enabled and just disabled it in the vicinity of our Technical Support Center (User Support) in the Library building. Best, Nadim On Wed, Sep 23, 2020 at 4:35 PM Floyd, Brad wrote: Eric, I have deployed almost 200 of the Aruba 530 series APs so far in the last 2-3 months. I saw, first hand, what happens with the 802.11ax enabled SSID and the flawed Intel drivers. The SSIDs don't appear to those devices. When we were discussing whether or not to deploy the ax APs vs stick with ac APs, we decided we wanted the longer remaining life span before end-of-sale / end-of-support of the APs of the ax vs the ac. The added benefit Aruba provides is that it is very simple to disable the features (just a single check box on a profile). We figure we can wait for a semester or two and schedule an attempt to re-enable the features. A driver update definitely fixes the issue, but since we are so heavily loaded with BYOD devices that we have no control over, this was a better option for us. Hopefully this helps. 
Thanks, Brad -Original Message- From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kenny, Eric Sent: Wednesday, September 23, 2020 3:14 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers? Hi All, I know on-campus populations might not be what they usually are right now, but I was wondering if anyone has seen reports of buggy client side drivers causing issues with 802.11ax. Specifically we are using the Aruba AP-530 series AP. There were some Intel chips that had challenges a few months back, but a driver update resolved the issue. We are considering disabling the Wi-Fi6 capability of the APs to prevent issues with outdated drivers, so we’d like to hear your observations so far if this is still a real problem. Thank you, Eric Kenny Network Architect | Infrastructure Technology Services Harvard University Information Technology
RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?
Good clarification, thanks. In previous discussions, our identity group mentioned using PKI that they use for other systems. Note to self, be careful what you ask for. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli *Sent:* Wednesday, August 19, 2020 11:34 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Got it. Just to clarify, a self-signed EAP server certificate should never be used. A server certificate issued by a PKI under your control is the best deployment practice (which is not the same as a self-signed certificate). tim *From: *Mike Atkins *Sent: *Wednesday, August 19, 2020 11:31 *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject: *Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Tim, We use the public certificates for users that do not use our onboarding utility. We use a public root certificate that is in pretty much all operating systems. Fortunately or unfortunately, some operating systems still want to walk the entire chain so we onboard with the root and intermediate. Our information security group had concerns about users just accepting security prompts for certificates. Using a self-signed cert that expires far into the future sounds better each day. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli *Sent:* Wednesday, August 19, 2020 10:38 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? If you’re already onboarding your users, why do you continue to use a public cert? 
A public EAP server cert should only be used when a “walk-up” enter your username/password experience is desired (of course that’s after your organization has decided that credential exposure is not a concern). Tim *From: *Mike Atkins *Sent: *Wednesday, August 19, 2020 10:34 *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject: *Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? We were burnt last December by an updated cert with the same cert chain and still not trusted by some devices/operating systems. We learned documents that referenced changes to the default web browser on an operating system ended up with a modification in the operating system that matched the web browser's changed behavior. I think this is the same experience Christopher is referencing. We ended up having to re-onboard all of our devices at the very last minute. We spent more time than we should have to try to avoid onboarding devices mid-semester when our cert expired. (this happened right around finals of course) Our identity group is buying a cert to test with a month in advance. They then cancel/revoke that cert to get money back and then order the production cert. This is to best ensure we test with the right root/intermediate certificate authorities that will be on our production cert. We still lose about a week on the production cert between testing and install. Ideally, we would keep the yearly cert installation during the summer but time is against us. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame -Original Message- From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Johnson, Christopher Sent: Wednesday, August 19, 2020 10:07 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? I think it's going to "depend" on each Operating System for the 802.1X authentications being affected. 
The information below is more of just an FYI on what I've observed (cause I imagine someone's going to say - If I'm going through the trouble of installing a public Root CA that already exists - then why not go ahead and use a Private CA). 1. Apple specifically states "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS." - so that makes me wonder if you install a public Root CA via a mobile config for example for iOS - does that exempt it from the 1 year limitation then? 2. Chrome OS though (at least from the behavior I've seen) you can't install a public Root that already exists on to the OS. I don't think I would trust those "possible exceptions though". One of the annoying things I felt with Android and Chromebook for certificate management was If I go into the device and "Disable/Turn Off the certificates/Set to Not Use" - then
RE: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?
Tim, We use the public certificates for users that do not use our onboarding utility. We use a public root certificate that is in pretty much all operating systems. Fortunately or unfortunately, some operating systems still want to walk the entire chain so we onboard with the root and intermediate. Our information security group had concerns about users just accepting security prompts for certificates. Using a self-signed cert that expires far into the future sounds better each day. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli *Sent:* Wednesday, August 19, 2020 10:38 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? If you’re already onboarding your users, why do you continue to use a public cert? A public EAP server cert should only be used when a “walk-up” enter your username/password experience is desired (of course that’s after your organization has decided that credential exposure is not a concern). Tim *From: *Mike Atkins *Sent: *Wednesday, August 19, 2020 10:34 *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject: *Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? We were burnt last December by an updated cert with the same cert chain and still not trusted by some devices/operating systems. We learned documents that referenced changes to the default web browser on an operating system ended up with a modification in the operating system that matched the web browser's changed behavior. I think this is the same experience Christopher is referencing. We ended up having to re-onboard all of our devices at the very last minute. We spent more time than we should have to try to avoid onboarding devices mid-semester when our cert expired. 
(this happened right around finals of course) Our identity group is buying a cert to test with a month in advance. They then cancel/revoke that cert to get money back and then order the production cert. This is to best ensure we test with the right root/intermediate certificate authorities that will be on our production cert. We still lose about a week on the production cert between testing and install. Ideally, we would keep the yearly cert installation during the summer but time is against us. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame -Original Message- From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Johnson, Christopher Sent: Wednesday, August 19, 2020 10:07 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? I think it's going to "depend" on each Operating System for the 802.1X authentications being affected. The information below is more of just an FYI on what I've observed (cause I imagine someone's going to say - If I'm going through the trouble of installing a public Root CA that already exists - then why not go ahead and use a Private CA). 1. Apple specifically states "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS." - so that makes me wonder if you install a public Root CA via a mobile config for example for iOS - does that exempt it from the 1 year limitation then? 2. Chrome OS though (at least from the behavior I've seen) you can't install a public Root that already exists on to the OS. I don't think I would trust those "possible exceptions though". One of the annoying things I felt with Android and Chromebook for certificate management was If I go into the device and "Disable/Turn Off the certificates/Set to Not Use" - then all portions of the Operating System should not use those certificates regardless. 
However, from what I saw, even if I disable some of the Public CAs - the wireless supplicant still seems to trust them. Christopher Johnson Wireless Network Engineer Office of Technology Solutions | Illinois State University (309) 438-8444 Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter -Original Message- From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Tyler Sent: Wednesday, August 19, 2020 8:45 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? [This message came from an external source. If suspicious, report to ab...@ilstu.edu<mailto:ab...@ilstu.edu >] I was told by Sectigo that all commercial certs would be affected. We just bought the last 2 year expirations we could get away with for both 802.1x and https. The reason I am told has to do with so many smaller esta
Re: [WIRELESS-LAN] Meraki at large universities
Kyle, It definitely sounds very similar. The first time you get to say "the Meraki dashboard does not let you make that kind of fine-tuning" makes you wish you could use it more often. In WLC land you might spend hundreds of hours testing and tweaking something for a small set of clients, in a small section of a building, with an obscure use case only to find you broke other clients. On Mon, May 11, 2020 at 6:30 PM Kyle Ragan wrote: > Mike, > > Perhaps I misspoke a bit. We don’t quite want a subnet per building like > we have now with wired. We just want something better than what we > currently get with wireless. We are most likely going to group buildings > based on geography to help reduce the roaming. We can’t do this today with > our controllers (well, it’s possible but not without significant > performance impact) and mixed AP models. To further complicate some of our > issues, we have a NAC (non-Cisco) that gets in the way sometimes when users > roam from one controller to another and refuses to let them on the > network. Our issue sounds similar to yours where our NAC thinks the client > is already connected elsewhere and won’t let them on. > > > > *From:* The EDUCAUSE Wireless Issues Community Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Mike Atkins > *Sent:* Monday, May 11, 2020 4:08 PM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] Meraki at large universities > > > > Kyle, > > James and I were discussing this earlier today. It sounds like your wired > infrastructure is the typical/traditional campus core/distribution/access, > just like us. You mentioned wanting to match your wireless subnets like > your wired subnets, per building. I would caution about the potential > layer3 roaming between buildings/subnets not only for worst-case scenario > DHCP scopes, but also the potential layer 3 roaming that could occur. 
We > have a lot of clients that roam from building to building even though we do > not have outdoor coverage. The user device thinks it is still connected > and does not renew DHCP. Students figure it out but it results in a less > desirable experience. If a lot of devices layer3 roaming back to anchor > APs in a building with a 1Gbps connection, it could spell trouble as well. > That does not happen as much as I would expect, but the potential is there. > > > > VoWi-Fi roaming between buildings takes a big performance hit when layer 3 > is involved. We do not officially support VoWi-Fi but our intent is to > officially support it once all of our buildings are at capacity designs. > At that point I hope we can get some outdoor coverage to fill in. > > > > I have to look this up every time this discussion comes up, here it is for > reference. > > *Meraki - Wireless Layer 3 Roaming Best Practices* > > > https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MR_Wireless/Wireless_Layer_3_Roaming_Best_Practices > > > > > > > PS. Maybe your next-gen fabric/software-defined campus network takes all > of this off the table completely... just like IPV6! Then we will spend all > of our time dealing with multicast. > > > > > > > > > > > > On Mon, May 11, 2020 at 4:51 PM Kyle Ragan > wrote: > > At time of turn up on the new APs we understand those switch port changes > will need to be made. Fortunately, the team that turns up the AP also has > the ability to make any necessary switch config modifications. Have we > ironed that out 100%, no. Will it increase time to activate each AP, yes. > However, in our eyes it was worth it. You can follow up with me at the end > of the summer to see if I am singing the same tune! > > > > We have been struggling with our existing IP space management on the > wireless side anyway due to the geographical location of the controllers > compared to building/AP. 
Our main pain point here being the controllers > and which APs they could manage due to code levels. We certainly hope that > a cloud based controller will take care of this for us. This problem will > not go away until we reach 100% Meraki, which is going to take quite some > time. We see the opportunity to rectify this issue as a benefit and get > things to match to the wired side where we can map building-to-subnet(s). > > > > On the wireless side we do not map user VLANs across cores or data > centers. The way we “get away” with this is that we do not provide WiFi > coverage outdoors. So, when a user leaves a building they (most of the > time depending on RF bleed) disconnect from WiFi and reconnect in the new > building. This new bui
Re: [WIRELESS-LAN] Meraki at large universities
There are a number of Meraki MR wireless access points on the End of Support list already. Meraki - Product End-of-Life (EOL) Policy https://meraki.cisco.com/support/#policies:eol On Mon, May 11, 2020 at 6:04 PM Ricardo Stella wrote: > > If I'd got a nickel every time someone would tell me I would never have to > do an upgrade or would go EOL/EOS... > > ** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > -- Mike Atkins Network Engineering -gm
RE: [WIRELESS-LAN] Theater wifi - to have or not to have
Mary, Our goal is to cover occupied spaces indoors with a standard density deployment. We deploy high density for large auditoriums/classrooms that have a primary or significant use by the campus population. We lean on the building/venue management and department heads for “specialty” Wi-Fi needed in large stadiums/arenas/theaters where the majority of occupants are guests here for a ticketed event. In those cases we ask the venue/department to help fund the installation/maintenance because the cost is above our typical offering. Sometimes this works, sometimes it does not. Athletics covers some of the cost for high density guest Wi-Fi in areas like basketball and football but chooses not to cover high density for baseball, soccer, and lacrosse. Hockey is likely to be the next specialty guest Wi-Fi since we have been talking about it for a long time. But again, this would be contingent on athletics funding a portion of the installation/maintenance. Our performing arts theatre was due for wireless upgrades this year. That venue chose to go with just the standard campus density deployment for the office and work spaces while turning down high density “specialty” Wi-Fi in the large auditoriums. History shows for this particular venue we end up setting up temporary Wi-Fi once a year. It is hard to fault them on choosing to not put extra money into large venue high density deployment when their customers (events) only demand “usable” Wi-Fi once a year. In this case the temporary setup is usually a couple APs and a dedicated radio/SSID. Another good example my co-worker uses is the dining halls. We cover the dining hall Wi-Fi upgrades with maintenance/upgrade funds because these are campus users. In the past the dining hall wanted little or no Wi-Fi so students would eat and get out. That has slowly changed but it is a good example that we have to keep the big picture in perspective and protect our customers from themselves. 
*Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Bull, Mary *Sent:* Tuesday, October 22, 2019 12:34 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Theater wifi - to have or not to have Hello all, I’m wondering if anyone here has dealt with a decision on wireless in the theaters, concert halls, or recital halls on their campus. We have a new arts complex coming on line in the next two years and there’s no clear direction from faculty on whether wireless for the audience is desirable. The previous main theater, and other currently used theaters on campus, did/do not have full connectivity for the audience (just a few aps tacked on the walls that were useless when the room was full). Facilities planning is favorable toward building it in, so I’d prefer that too, especially since it would be much harder or impossible to install if the faculty changes their mind in a few years once the building is complete. However, I’m not sure whether there is really an expectation from the audience that they should have wifi when they attend a show or concert. Has anyone dealt with this on their campus? What influenced your choice? Mary Bull William and Mary 757-221-2491 mb...@wm.edu
RE: [WIRELESS-LAN] Residential Wireless and Gaming
Pick your battles carefully. You can throw a lot of hardware and labor at the problem to get minimal gains. Medium contention will continue to be an issue with ax. Right now we are hoping ax adoption gives us some efficiency gains in the next 2-3 years… or more likely in 4-5 years as client hardware refreshes. I think this comes down to cost and expectation. Over the lifecycle of your cable plant, it costs more to design/install/operate a voice quality network in the dorm than using existing wired connections (or installing new.) Our student expectation is for the game to work, not that it has to work on wireless. Yes, we have surprised some students that had no idea Ethernet existed. But, the cost of an Ethernet adapter and patch cable is pretty cheap vs trying to make dorm Wi-Fi perform as well as switched Ethernet. In the dorms we offer students public IP addresses for game consoles using wired. This prevents the NAT issues with online game devices/services. Thus we get almost no complaints about game consoles on Wi-Fi…. even in the older coverage designed dorms. Our current path is to reduce switching capacity in dorms but keep offering wired connectivity as an option in the dorms. We are going from one port jack per pillow to one port per room. This year we are also piloting a few dorms with no jacks active and connecting them as needed. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Community Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tom Mathews *Sent:* Tuesday, September 3, 2019 9:58 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Residential Wireless and Gaming This year we have decided to disable a substantial number of our wired drops on campus. Our studies have showed that less than 5% of the wired ports were used in an academic year in our residential spaces. 
For the most part we have very few complaints, except when it comes to playing server based games, such as Fortnite, Apex, Overwatch etc. The users complain of things like "lag", "Glitching" and "Rubber Banding". At quick glance, the rssi and snr shouldn't be an issue. They even state that access to campus resources and other internet activity is not an issue. We have not begun to deep dive into this issue. I am just curious if other folks have dealt with the same or similar issues with gamers on the wireless networks, and what was the fix. -- Thomas M. Mathews Network Engineer University of Dayton
RE: [WIRELESS-LAN] Cisco AP2800 failure rate
We have 1,300 Cisco 2802I access points installed on main campus and have not noticed any issues. If I remember correctly, our first deployment of 2802i was mid/late 2016. I think all 80 of those access points are still functioning today. We have replaced a handful but those replacements have been from water/lightning/construction damage. We are running a mix of 8.2 and 8.3 code for different parts of campus. Any chance your failed units are in a really high temperature area? (say 95+ for long periods of time) *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Sam Ziadeh *Sent:* Thursday, August 16, 2018 9:30 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Cisco AP2800 failure rate Is anyone else seeing a high rate of Cisco AP 2800 failures? Out of a batch of ~500 recently installed APs, we have had roughly 70 fail. Some were online for a month, but some only a few days. Typically they will fail after a power cycle or loss of power. We are working with Cisco on this, but I’m curious if this is a more widespread problem. - Sam Ziadeh Manager, Network Engineering & Architecture University Networking & Infrastructure Information Technology Services Louisiana State University (225) 578-0074 szia...@lsu.edu ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
Re: [WIRELESS-LAN] Meraki AP connectivity to eduroam
Our radius admin would define the management subnet of the Meraki APs in our radius server configuration. ---Mike Atkins sent from phone > On Jul 27, 2018, at 3:21 AM, Mark McNeil [Staff] wrote: > > Hi everyone, > I'm wondering if someone can provide a little clarity on configuring > Meraki to connect to eduroam. The documentation states that > > " The MR's will need to be defined on the RADIUS server as RADIUS clients > (consult RADIUS server documentation to complete this step). " > > I take this to mean that I will need to define all my AP's, in my case > MR42's, in my local RADIUS. Is this correct or is there another way around > this on the Meraki. I only have 33 AP's but seems there should be another > way. > > Any help is appreciated. > > Thanks > > Mark > > -- > > Mark McNeil > Director, Network Engineering and Operations > Fordham University | Fordham IT > Tel: 718-817-3763 > Business Office: 718-817-3750 > Fax: 718-817-5775 > email: mcn...@fordham.edu > http://www.fordham.edu
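An added example, not part of the thread or of any vendor's tooling: a check to run before defining a whole AP management subnet as a single RADIUS client, as suggested in the reply above. It reports APs that no client definition covers (a RADIUS server silently discards requests from unknown clients, which shows up as timeouts) and how many addresses beyond the inventoried APs would be accepted with the shared secret. The AP names, the 192.0.2.0/24 addressing and the function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: 33 APs at 192.0.2.10 .. 192.0.2.42 (documentation range).
AP_INVENTORY = {f"mr42-{i:02d}": f"192.0.2.{9 + i}" for i in range(1, 34)}

# Constructed RADIUS client definition: one entry for the whole management subnet.
CLIENT_DEFS = {"meraki-mgmt": "192.0.2.0/24"}


def tightest_subnet(addresses):
    """Return the smallest single IPv4 prefix that contains every address."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen the prefix by one bit per step
    return net


def audit_radius_clients(client_defs, ap_inventory):
    """Compare RADIUS client definitions (name -> CIDR) with an AP inventory (name -> IP).

    uncovered: APs whose source address matches no client definition.
    breadth:   per definition, how many addresses are trusted as a NAS and how
               many of those are not inventoried APs.
    overlaps:  pairs of definitions that cover the same address, so which
               shared secret applies depends on the server's matching rules.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in client_defs.items()}
    aps = {name: ipaddress.ip_address(ip) for name, ip in ap_inventory.items()}

    uncovered = sorted(
        name for name, ip in aps.items()
        if not any(ip in net for net in nets.values())
    )

    breadth = {}
    for name, net in nets.items():
        matched = sum(1 for ip in aps.values() if ip in net)
        breadth[name] = {
            "trusted_addresses": net.num_addresses,
            "inventoried_aps": matched,
            "unaccounted": net.num_addresses - matched,
        }

    overlaps = sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )
    return {"uncovered": uncovered, "breadth": breadth, "overlaps": overlaps}


if __name__ == "__main__":
    report = audit_radius_clients(CLIENT_DEFS, AP_INVENTORY)
    for name, stats in report["breadth"].items():
        print(name, stats)
    print("uncovered APs:", report["uncovered"])
    print("tightest single prefix for the inventory:",
          tightest_subnet(AP_INVENTORY.values()))
```

The gap between `trusted_addresses` and `inventoried_aps` is the set of hosts that only the shared secret and the management VLAN's access controls keep from being accepted as a NAS.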
RE: [WIRELESS-LAN] Your eduroam semi-annual report
Our identity group typically manages the eduroam configuration. I was recently added to troubleshoot some very specific issues. Things I found useful are/were access to eduroam radius logs, realm testing tool, reports going back to January 2018, and a dashboard that has data going back to 2012. I do not think there is read only access but it might be worth inquiring with your admin if you do any sort of regular radius troubleshooting. (remote for your users or locally for guests) I see timeouts (frequent no response even though packet captures show our server responded) and our six-month eduroam success rate is 69.7%. I am still in the process of troubleshooting but the information is very helpful. E-mail me off list and I’ll send you our reports if you want to compare sites. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Patrick McEvilly *Sent:* Friday, July 06, 2018 8:08 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Your eduroam semi-annual report As the admin contact I was getting them but asked if we could add some internal mailing lists. In your eduroam profile they have added a “report contact” option which is working well. Patrick *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Watters, John" < john.watt...@ua.edu> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Date: *Friday, July 6, 2018 at 8:01 AM *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Subject: *Re: [WIRELESS-LAN] Your eduroam semi-annual report *Resent-From: *Patrick McEvilly What person at a school receives them? I want to see ours. Thanks. 
Sent from my iPhone On Jul 6, 2018, at 6:40 AM, Philippe Hanset < 005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote: Yahya, These reports are provided to all IdPs and SPs in the US. ANYROAM, the operator of eduroam on behalf of Internet2 has built those reports based on the US top level RADIUS logs. Philippe Philippe Hanset, CEO ANYROAM LLC www.anyroam.net www.eduroam.us On Jul 6, 2018, at 6:17 AM, Yahya M. Jaber wrote: Is this only for IdPs who have it as primary network? Eduroam is a secondary one for us here. Best Regards, *Yahya Jaber* Sr. Wireless Engineer IT Network & Communications – Engineering Email yahya.ja...@kaust.edu.sa Office +966 (0) 12 8081237 Mobile +966 (0) 558697555 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU ] *On Behalf Of *Turner, Ryan H *Sent:* Friday, July 6, 2018 4:03 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Fwd: Your eduroam semi-annual report All: We have run eduroam as our primary SSID for several years. For those institutions that do not, but wonder what it might look like for those that do, I’ve included our semi annual report. 
Ryan Turner Senior Manager of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office Begin forwarded message:
RE: [WIRELESS-LAN] More client weirdness
I see thanks. I do not think I’ll have time but if I can I’ll setup a 702W and see if I can repeat. If I can I’ll try to do an over the air capture. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Gray, Sean *Sent:* Tuesday, April 10, 2018 11:20 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness Nope, all of our 702w are in local mode. *Sean Gray* | B.Sc (Hons) Voice, Collaboration & Wireless Network Analyst ITS, University of Lethbridge *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Mike Atkins *Sent:* April-10-18 3:54 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness I was just curious, are these 702w APs in flex connect mode? *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jason Cook *Sent:* Monday, April 09, 2018 7:52 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness We have also seen the same/similar issues on 702w, however it seems an iPad has been the biggest issue. The user moves down the hall to a 3602i and no worries, moves back to the 702w and it’s a problem. Other devices including her iPhone are fine. Strangely it seems to occur randomly (days or weeks apart), and always the same device. Rebooting the AP will resolve it, or just time! But waiting for resolution could be hours. 
On 8.2.164.0 -- Jason Cook Information Technology and Digital Services The University of Adelaide, AUSTRALIA 5005 Ph: +61 8 8313 4800 CRICOS Provider Number 00123M *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Gray, Sean *Sent:* Tuesday, 10 April 2018 12:36 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness Hi Tristan, So the problem with the specific student I mentioned seemed to resolve itself. Our latest issue, that seems to again only impact the 702w involves a couple of MacBook Air users, running either Sierra or High Sierra. A debug shows that on occasion when trying to connect to a .1x network they make it as far as the DHCP required state and then never request an IP. They hit the timeout, the WLC deletes the client and the dance begins again. Thanks Sean *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Tristan Gulyas *Sent:* April-08-18 8:03 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness Hi all, We've hit this issue as well. Ever since moving from 8.3.112.7 to 8.3.135.2. What we see: * Devices with the Killer NIC 1535 authenticate but can't pass traffic. 
* Apple devices will connect, pass traffic for a while, then go dead. We believe we may have seen this on a 1532 series AP as well. Debugs don't seem to give us much. 3702i, 3802i appear to be unaffected. Cheers, Tristan -- *TRISTAN GULYAS* Senior Network Engineer *Technology Services, eSolutions* Monash University 738 Blackburn Road Clayton 3168 Australia T: +61 3 9902 9092 M: +61 (0)403 224 484 E: tristan.gul...@monash.edu monash.edu On 1 Feb 2018, at 8:40 am, Gray, Sean <sean.gr...@uleth.ca> wrote: Yep, I noticed this too. Unfortunately we jumped onto 8.3.133.0 prior to the discovering of the catastrophic bug. Hopefully they publicly release a fixed version soon. *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Kitri Waterman *Sent:* January-31-18 1:09 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness This sounds like a specific client issue but TAC does have
RE: [WIRELESS-LAN] More client weirdness
I was just curious, are these 702w APs in flex connect mode? *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jason Cook *Sent:* Monday, April 09, 2018 7:52 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness We have also seen the same/similar issues on 702w, however it seems an iPad has been the biggest issue. The user moves down the hall to a 3602i and no worries, moves back to the 702w and it’s a problem. Other devices including her iPhone are fine. Strangely it seems to occur randomly (days or weeks apart), and always the same device. Rebooting the AP will resolve it, or just time! But waiting for resolution could be hours. On 8.2.164.0 -- Jason Cook Information Technology and Digital Services The University of Adelaide, AUSTRALIA 5005 Ph: +61 8 8313 4800 CRICOS Provider Number 00123M *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Gray, Sean *Sent:* Tuesday, 10 April 2018 12:36 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness Hi Tristan, So the problem with the specific student I mentioned seemed to resolve itself. 
Our latest issue, that seems to again only impact the 702w involves a couple of MacBook Air users, running either Sierra or High Sierra. A debug shows that on occasion when trying to connect to a .1x network they make it as far as the DHCP required state and then never request an IP. They hit the timeout, the WLC deletes the client and the dance begins again. Thanks Sean *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Tristan Gulyas *Sent:* April-08-18 8:03 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness Hi all, We've hit this issue as well. Ever since moving from 8.3.112.7 to 8.3.135.2. What we see: * Devices with the Killer NIC 1535 authenticate but can't pass traffic. * Apple devices will connect, pass traffic for a while, then go dead. We believe we may have seen this on a 1532 series AP as well. Debugs don't seem to give us much. 3702i, 3802i appear to be unaffected. Cheers, Tristan -- *TRISTAN GULYAS* Senior Network Engineer *Technology Services, eSolutions* Monash University 738 Blackburn Road Clayton 3168 Australia T: +61 3 9902 9092 M: +61 (0)403 224 484 E: tristan.gul...@monash.edu monash.edu On 1 Feb 2018, at 8:40 am, Gray, Sean <sean.gr...@uleth.ca> wrote: Yep, I noticed this too. Unfortunately we jumped onto 8.3.133.0 prior to the discovering of the catastrophic bug. Hopefully they publicly release a fixed version soon. 
*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Kitri Waterman *Sent:* January-31-18 1:09 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] More client weirdness This sounds like a specific client issue but TAC does have warning out about any 8.3.13x code: https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc9 You can request the 8.3.133.10 escalation code and also sign up for the 8.3MR4 Interim code. Best of luck, Kitri Waterman Network Architect/Engineer Enterprise Infrastructure Services (Networks) Western Washington University 360.650.4027 kitri.water...@wwu.edu *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Gray, Sean" < sean.gr...@uleth.ca> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Date: *Wednesday, January 31, 2018 at 10:34 AM *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Subject: *Re: [WIRELESS-LAN] More client weirdness Hi Craig, Sorry I should have mentioned that, our WLC is a
RE: [WIRELESS-LAN] Bandwidth/Throughput/Latency Tester
We also set up a Speedtest.net (Ookla) public speed test server at Notre Dame. Our main motivation was to manage perception. We are on a state run optical network. Our speedtest.net traffic went from campus on the north end of the state, to central Indiana, to Chicago, then back to South Bend. The closest geographical Speedtest.net public server was already in our town, but due to our ISP setup there was a lot of excessive travel. The closest geographical test server did not appear to be on a fast enough link either. We unsuccessfully tried to get Speedtest.net to point our public IP space to Indianapolis speedtest.net servers to get more accurate test results. I see Comcast and AT&T are able to point speedtest.net to the closest logical test server instead of closest geographical test server. We ended up installing the Speedtest.net free public server. Without the paid subscription we do not get access to detailed information on test results. Less detail was fine for us because we just needed to handle the perception issue caused by speed tests going around the state(s) to a less optimal test server. We also set up a lightweight server http://speedtest.nd.edu but found a lot of students prefer (trust) third party test results from sites they use at home. Even some faculty will use speedtest.net as a quick check prior to setting up iperf or perfsonar. It is quick and easy…. If the results look okay they move on to solving the world’s problems instead of building infrastructure to test our infrastructure. Which circles back to getting users to trust your infrastructure simply because of a test result that used to be out of our scope. Side note, HDD speed affects Ookla speedtest.net server performance. We ended up putting an NVMe drive into the old repurposed server to better serve multi gigabit connections. 
*Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Amel Caldwell *Sent:* Monday, February 26, 2018 10:59 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Bandwidth/Throughput/Latency Tester We also have an instance of the Ookla speedtest at the University of Washington. One thing I noticed is for clients on private IP space, the speedtest shows a NATed IP, even though the server is on campus. This is because not everything is local. Anyway, having someone send me a screenshot or tell me their IP address is the NATed address is not that helpful. I believe we are considering an alternative when our year is up. Amel Caldwell University of Washington UW-IT Wi-Fi Network Engineer Wi-Fi Service Manager am...@uw.edu 206-543-2915 *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Osborne, Bruce W (Network Operations)" <bosbo...@liberty.edu> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Date: *Monday, February 26, 2018 at 4:56 AM *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Subject: *Re: [WIRELESS-LAN] Bandwidth/Throughput/Latency Tester That is what we use. http://speedtest.liberty.edu *Bruce Osborne* *Senior Network Engineer* *Network Operations - Wireless* *(434) 592-4229* *LIBERTY UNIVERSITY* *Training Champions for Christ since 1971* *From:* Adam Forsyth [mailto:forsy...@luther.edu <forsy...@luther.edu>] *Sent:* Friday, February 23, 2018 9:53 AM *Subject:* Re: Bandwidth/Throughput/Latency Tester Isn't this: https://www.ookla.com/speedtest-custom what you asked Ookla about and were told that it doesn't exist? 
I ran a version of that on a local server a few years ago. I got the premium subscription for a year but ultimately decided I hadn't figured out how to get any advantage from its ability to save test results into a database. I have since moved to using https://github.com/adolfintel/speedtest (which Clemson also mentioned) because I wanted a speedtest that was HTML5 and didn't use flash, and at the time Ookla's speedtest custom required flash. It looks like maybe it's also all HTML5 now so maybe I'll take a look at that again. On Tue, Feb 20, 2018 at 11:56 AM, Fishel Erps < 0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote: Hello everyone. I’m curious to find out what other universities are doing to test throughput, internally, to proof their networks. I’m looking for something that functions like Ookla’s Speedtest.net (browser-based, no required clients) , but that runs internally (I have already contacted them directly, and been told that they only provide products that are alive on the public net). As we all know, % of utilization and available throughput are not one-in-the-same, and I need a way to addr
RE: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?
I have seen dot1x issues with Android tablets that do not have the lock enabled or have it removed after Wi-Fi is configured and working. I know our onboard utility notifies the user that Screen Lock/Pin is required. Does the 802.1x option show up if screen lock is enabled? *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Johnson, Christopher *Sent:* Wednesday, February 07, 2018 10:49 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped? Good Morning, I was curious if anyone had any of the newer Amazon Fire tablets and could confirm something for me? Our support center contacted me in regards to an issue with connecting to our secure network (they were only able to see our “open network”) which matches with our some newer devices will not even display networks that they are unable to connect to – such as WPA2 Enterprise. I had suggested that they attempt to manually create the profile and was disappointed when they confirmed that “802.1x” was no longer an option on the list of security types. That’s unfortunate that their earlier generations had support, and it appears to have been removed. It’s been a few years since I’ve seen one, so no idea which generation this occurred (Fire 7 is their 7th generation). I just know the 1st and 2nd generation could connect since I got to be the one to figure it out all those years ago. 
*Christopher Johnson* Wireless Network Engineer AT Infrastructure Operations & Networking (ION) Illinois State University (309) 438-8444 Stay connected with ISU IT news and tips with @ISU IT Help on Facebook <https://www.facebook.com/ISUITHelp/> and Twitter <https://twitter.com/ISUITHelp> ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
RE: [WIRELESS-LAN] iPhone - Incorrect Wi-Fi Password Error
I had a ticket from an IT staff member reporting the same “wrong password” or “prompted for password.” When I looked at the screen capture he provided it says “Enterprise Wi-Fi Network Do you want to continue joining this network?” Maybe not exactly the same thing but the user says it is prompting for password. The iPhone device appears to be onboarded/configured correctly. The staff member documented the time/location (as good as memory serves) for us. During the reported time we did not see anything in our logs (syslog, radius, Nyansa.) For whatever it’s worth, Prime did not report any rogue APs/SSID in this area for the timeframe in question. I am definitely curious but have not had time to do much investigation. And again, this is user reported so maybe not 100% accurate information. Since this is an IT staff person, I will ask the user to run the “Net Analyzer” tool and tell me the Wi-Fi BSSID after clicking the Okay. Unless someone knows of an IOS built in tool to tell you the associated BSSID? I tried the Airport utility but it does not show anything for me using Cisco LWAPP and no multicast. (typically use the Wi-Fi scanner part but that does not tell if the device is associated, just signal level) *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Watters, John *Sent:* Monday, January 29, 2018 5:03 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] iPhone - Incorrect Wi-Fi Password Error If you do message logging from the controller, you might have luck finding entries on your log server by searching for the MAC address and/or the user name. Be sure to look in both the WLC and the RADIUS logs. 
*John Watters* Network Engineer, OIT, The University of Alabama *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Gray, Sean *Sent:* Monday, January 29, 2018 3:45 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] iPhone - Incorrect Wi-Fi Password Error Hi Everyone, I’m just wondering if anyone has experienced or heard reports of weird iPhone client behaviour. We have had a couple of reports of iPhones throwing an “Incorrect Wi-Fi Password” error when the client is trying to join a network while walking around campus. The error resolves itself quite quickly if they hit cancel on the message as the correct credentials are cached on the device. When I check the logs on our ISE server I see that the client never actually made an authentication attempt. So it may have been blacklisted on the WLC, unfortunately I don’t see a way to report on historical exclusion events. No other client devices have been reported as experiencing the same issue, and it doesn’t appear to occur in the same geographic region. So I’m thinking this is a client side problem. Thanks Sean *Sean Gray* | B.Sc (Hons) Voice, Collaboration & Wireless Network Analyst ITS, University of Lethbridge
RE: [WIRELESS-LAN] devices not connecting to open network
Insert Anchorman fight scene…… *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Ian Lyons *Sent:* Wednesday, January 10, 2018 11:47 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] devices not connecting to open network Or a dark alley….-my preference. *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Lee H Badman *Sent:* Wednesday, January 10, 2018 11:35 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] devices not connecting to open network Boy, I’d love to have a contact at Nintendo to talk about this stuff with. Lee Badman (mobile) On Jan 10, 2018, at 11:29 AM, Rob Harris <robert.har...@culinary.edu> wrote: Have you modified the rf at all on those SSIDs? Are you advertising and supporting the standard rates? I’ve heard that if you limit the lower rates or don’t advertise them, some of those devices may have issues. Good luck! *Robert Harris* *Manager – Telecom, Networks, & AV Services* *Culinary Institute of America* 1946 Campus Drive Hyde Park, NY 845-451-1681 www.ciachef.edu *Food is Life* *Create and Savor Yours.™* *Please consider the environment before printing this e-mail.* *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Tufts, Mark *Sent:* Wednesday, January 10, 2018 11:19 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] devices not connecting to open network Hi, We have some wireless devices, WiiU, Nintendo Switch, PS4 etc. not connecting to our open guest network. Laptops, phones no issue at all. 
The devices above will sometimes connect first try but then upon additional testing on a reconnect just will not pull a DHCP address. We are an Aruba wireless shop AP 225 and 315 fails on both. Anyone else experience this issue? Thanks, Mark
RE: [WIRELESS-LAN] Eduroam and Govroam
Thanks Philippe, that long term explanation makes sense. Like Lee, we have students abroad. I sent a quick FYI to our Infosec team to let them know users may eventually see eduroam at new locations and reminded them proper device configuration is important. Our joke/explanation in the past had been about seeing eduroam along the toll road and that you shouldn’t join it. So much for that one. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Philippe Hanset *Sent:* Thursday, January 04, 2018 11:39 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Eduroam and Govroam Mike et al., We are starting a Govroam pilot here in the US (www.govroam.us) with local and state government and eventually federal. We don’t envision many schools adding the Govroam SSID or Government agencies adding the eduroam SSID unless there are very specific use cases. On the other end by creating those two roaming communities early on we (as all of us) will be ready when Passpoint/Hotspot2.0 becomes more widespread. Once your infrastructure supports Hotspot2.0 you will be able to add local/state/federal roaming communities to your network quite easily. Adding a roaming community to the broadcast frame of Hotspot2.0 will be so much easier than adding yet another SSID! We do not know all your use cases (gov/edu) of course, feel free to share so we can design accordingly. (please excuse our laconic govroam and anyroam websites we are in the middle of completely revamping them with useful info) and BTW, Happy New Year y’all :) Philippe Philippe Hanset, CEO www.anyroam.net www.eduroam.us +1 (865) 236-0770 GPG key id: 0xF2636F9C On Jan 4, 2018, at 8:34 AM, Mike Atkins <matk...@nd.edu <matk...@nd.edu>> wrote: Does anyone have more detail on this? 
More public Wi-Fi across London with Eduroam & Govroam https://wifinowevents.com/news-and-blog/public-wi-fi-across-london-eduroam-govroam/ *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*)
Eduroam and Govroam
Does anyone have more detail on this? More public Wi-Fi across London with Eduroam & Govroam https://wifinowevents.com/news-and-blog/public-wi-fi-across-london-eduroam-govroam/ *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*)
Degree Analytics?
Did anyone talk to Degree Analytics at Educause? Or better yet, has anyone attempted a demo yet? Our library seems interested in Degree Analytics and I’d like to have at least a little information about how the system works and what the requirements are before engaging a serious discussion with customers. Our library says they specialize in wireless networking analytics but the website makes no mention of wireless. https://www.degreeanalytics.com/ *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*)
RE: [WIRELESS-LAN] Athletic Arena Wireless Antennas
We did a similar install in our basketball arena using an overhead catwalk. Back in 2015 this installation used the Aruba AP-228 with ANT-2X2-5314 and ANT-2X2-2314. Our basketball arena is just over 9,000 seats and 42 access points on the catwalk. This setup has performed very well for us. The 30 degree antennas allowed for a pretty tight coverage pattern. If we were deploying this solution today, we would do 5GHz only. The 5GHz only installation in our football stadium has been great. We have had a few users with 2.4GHz only devices but all of which were totally understanding. We have DAS in both areas so the users still had connectivity. Hope this helps.

*Basketball Arena*

Part # | Description | Notes
AP-228 | Aruba AP-228 Indoor Hardened Wireless AP, 802.11ac, 3x3:3, dual radio, 6 x RPSMA connectors | Access Points
AP-270-MNT-H2 | AP-270-MNT-H2 Aruba 270 Series Access Flush Mount. Wall or ceiling mount | Mounting Kit
ANT-2X2-5314 | 5.15-5.9 GHz, 14 dBi, 30° x 30°, H and V polarized MIMO High-Gain Directional Panel Antenna, 2 x N-Type female connectors, Cable NOT Included. Outdoor rated. | 5GHz 30 degree antenna
ANT-2X2-2314 | 2.4 GHz, 14 dBi, 30° x 30°, H and V polarized MIMO High-Gain Directional Panel Antenna, 2 x N-Type female connectors, Cable NOT Included. Outdoor rated. | 2.4GHz 30 degree antenna
AFC2DL60-00 | RP-SMA/M to N/F GR316 soft jumper, 60cm; used between indoor products and 7D & 1/2'' feeder | Adapter RP-SMP to N
ANT-CBL-2 | Aruba Outdoor RF cable, 2m long, N/M to N/M flexible jumper between outdoor radio and N female connector on antennas. | 2M Low Loss Cable

Feel free to hit me up offline and I can get some pictures of the setup on the catwalk. Someday soon we will likely have to do our hockey arena with an overhead install. Maybe we could trade updated notes when that time comes. 
…… *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*) *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Trinklein, Jason R *Sent:* Monday, December 11, 2017 12:14 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Athletic Arena Wireless Antennas Hi All, We are in the process of redesigning the wireless coverage in our main athletic arena. Our deployment is constrained to the catwalks above the arena. We have selected the Aruba AP-334 for this application. Our design may be slightly under-provisioned at 35 APs for 5,100 seats (~150 users/AP). We are hoping to find a dual-band, narrow beamwidth, 4-lead panel antenna to provide sectoral wireless coverage for minimal overlap and interference. Here are some examples of antennas we are considering: - Terrawave M6040040P23D420 - L-Com/Hyperlink HG2458-13HDP-4NF - Terrawave M6140140MP1D0006 I’d like the input of anyone with wireless design experience in high density arenas of this type. What are the “gotchas” we should look out for? Your comments on our planned design would be valued, especially in view of your specific experience. Thank you, -- *Jason Trinklein* *Wireless Engineering Manager* College of Charleston 81 St. Philip Street | Office 311D | Charleston, SC 29403 trinkle...@cofc.edu | (843) 300–8009
RE: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions
We are option 3 with 3 year certs. We were in the same boat as Craig just over a year ago. We moved to a different onboarding utility and different CA. It is a long story so feel free to hit me up offline. That said, in the future we will likely end up using both options 3 & 4 to be flexible with device/owner/use. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*) *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Craig Simons *Sent:* Monday, October 30, 2017 2:22 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Radius certificate length vs. onboarding opinions All, I know the subject has been broached on the list a few times before, but I’m looking for informal opinions/survey about how you are deploying your Radius EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard users, but recently went through a difficult renewal period to replace our expiring certificate. As we had configured all of our clients to “verify the server certificate” (as you should from a security perspective), we found that iOS/MacOS and Android clients did not take kindly to a new certificate being presented. This resulted in quite a few disgruntled users who couldn’t connect to WiFi as well as a shell-shocked Service Desk. To help prevent this in the future (and because we are moving to a new Radius infrastructure), what is the consensus on the following strategies: Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with "verify server certificate" enabled Option 2: Removing all traces of “verify server certificate” from OnBoard configuration and use 2-year certs from CAs Option 3: Use 2-year CA certificates, enable “verify server certificates” and educate/prepare every two years for connection issues. 
Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS. Opinions? *Craig Simons* Network Operations Manager Simon Fraser University | Strand Hall University Dr., Burnaby, B.C. V5A 1S6 T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices
Apple Homepod and Airplay2?
Any developers on the list that have some insight on Airplay2 and the WiFi requirements for Apple Homepod speaker system? Since the Homepod does not have Bluetooth I'm guessing multicast is a requirement but curious if AVB or PTP is also a requirement for multiple device time sync. Probably QoS and so on.. ---Mike Atkins sent from phone
RE: [WIRELESS-LAN] New buildings on campus
Our wiring crew gets AutoCAD files from the architects and shares the files with networking. I have not heard of any static regarding getting copies. Our only issue is working from out of date copies because there is no notification/feedback process for remodeling. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Todd Hall Sent: Thursday, May 04, 2017 9:35 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] New buildings on campus When we have new buildings being constructed I am provided plans in pdf format. I'm told that the Architect/builders won't share the Autocad files. Are any of you able to get Autocad files? If so, who provides them? Do you have to justify what they are for? It would be a huge time saver for designing the wireless networks in ESS. One more thing. I'd like to thank everybody for participating in this list. It has been a fantastic resource over the years. -- Todd Hall Sr. Network Analyst Information Technology Services Mississippi State University
RE: [WIRELESS-LAN] Cisco FlexConnect for large deployment
My co-worker typically brings up IP space management when discussing flex connect/hreap. Overprovisioning subnets for usage that may never come, or worse finding out that you under provisioned for that event you never heard of. Maybe not an issue for most or anyone. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce Sent: Wednesday, April 19, 2017 7:48 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Cisco FlexConnect for large deployment We have used flex connect in our Residence life buildings for many years (even back when it was called HREAP). About 4,300 students and around 500 APs. There have been some bugs which were annoying but usually there were workarounds. If you roam between Residence Life buildings the IPs for the device will change since we have different subnets in different Residence Life buildings. But the devices change IPs when they move from the Residence Life to the Main Campus (local or non-FlexConnect) and that has not caused any complaints. > On Apr 19, 2017, at 12:21 PM, Dennis Xu <d...@uoguelph.ca> wrote: > > For Cisco customers, has anyone done large deployment with FlexConnect mode APs? With the large capacity wireless controllers like 8540, all our wireless clients are going to terminate layer 3 at the same switch where the 8540 controller is connected to and that switch will have lots of ARP entries. The best practice for SUP720's ARP table size from Cisco is only 30k, and SUP2T can handle 100K ARP but still not sure if a single switch can serve large number of concurrent wireless users. FlexConnect has a good idea to spread wireless users across the network, but not sure if this solution is suitable for large deployment and if someone has success story with it. > > Thanks. 
> > Dennis Xu > University of Guelph > d...@uoguelph.ca > www.uoguelph.ca/ccs --- Bruce Curtis bruce.cur...@ndsu.edu Certified NetAnalyst II 701-231-8527 North Dakota State University
RE: [WIRELESS-LAN] Wireless Lighting Controls - impact on Wi-Fi or Wi-Fi's impact?
I would be concerned about your campus WiFi overrunning the ZigBee operation. We have a similar situation with ZigBee probes used to monitor freezer temperatures. Campus WiFi is not heavily used in the kitchen areas so no issues to note for either side. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Williams, Jess *Sent:* Thursday, March 23, 2017 10:07 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Wireless Lighting Controls - impact on Wi-Fi or Wi-Fi's impact? Our campus Facilities department is looking at a wireless lighting control system that uses a "Zigbee based" 2.4GHz wireless protocol. An example use case for this system is a parking garage that has 86 lights which are connected using a mesh network, however I can see it spreading indoors at some point down the road. At a minimum, I know this will raise the noise floor. Does anyone have any experience with a similar situation/technology that can share how this impacts your campus Wi-Fi or how Wi-Fi has impacted the lighting control system, etc? The product is AcuityControls XPoint Wireless lighting controls http://www.acuitybrands.com/products/controls/xpoint-wireless#e8f40e39-86a8-4d2e-9072-e8b872bce11b I'm told by the manufacturer that the default channel used is Zigbee Channel 15, which is 2.425 MHz (5MHz total channel width). The channel can be changed. Vendor says: "XPoint Wireless Mesh operate a low duty cycle, narrow band (5 MHz wide) communications at up to +18 dBm output power, whereas 2.4 GHz Wifi operates at a high duty cycle, wideband communications (typical 20 to 60 MHz wide) typically at up to +23 dBm (that’s log scale so that’s a 5 dB difference which is actually over 3x as powerful as our system). I’ve never once seen a confirmed case where our Zigbee based mesh network interfered with their Wifi." 
They promise it won't interfere with Wi-Fi. I'd be more comfortable with something that uses 900MHz instead of 2.4GHz. Vendor documentation: XPoint Wireless uses a low duty cycle, narrow‐band, Zigbee®‐based 2.4 GHz wireless protocol that is not known to interfere with your 2.4 GHz WiFi or other systems. The low communication duty cycle, combined with clear‐to‐send backoff capability from the IEEE802.15.4 radio, typically does not produce measurable impact to WiFi performance and is usually difficult to observe in an RF spectrum analyzer. Each XPoint Wireless Bridge and associated mesh network (typically up to 250 wireless devices) can also be programmed to use a specific Zigbee RF channel to avoid co‐channel interference with other installed 2.4 GHz equipment. Zigbee channels 11‐26, corresponding with 5 MHz‐wide frequency bands from 2.405 GHz to 2.480 GHz may be assigned to specific wireless mesh networks. The wireless communication is secured and encrypted using AES 128‐bit encryption. The network protocol includes “replay” protection, where each wireless message is uniquely encoded such that it cannot be recorded and replayed at a later time. Maximum RF power output is +18 dBm for Zigbee Channels 11‐25, 0 dBm for Channel 26. Output power is typically attenuated 2‐20 dB by LED luminaire housing. Thanks, *Jess Williams* Sr. Network Engineer, Network Engineering *University of Tennessee at Chattanooga* *Helping Students Achieve Excellence through Technology* jess-willi...@utc.edu 423-425-2372
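The channel-planning question in the thread above, worked as an added example (not code from any poster or from the vendor): it maps the Zigbee channels 11-26 quoted in the vendor text onto a 2.4 GHz Wi-Fi channel plan and reports which Zigbee channels avoid it, plus the linear ratio behind the quoted +23 dBm versus +18 dBm figures. Assumptions: Wi-Fi channel n is centred at 2407 + 5n MHz and 20 MHz wide, the 802.15.4 signal occupies about 2 MHz inside each 5 MHz slot, and all function names are hypothetical.

```python
"""Added example: Zigbee (IEEE 802.15.4) versus 2.4 GHz Wi-Fi channel overlap."""

# From the vendor text on this page: Zigbee channels 11-26 span
# 2.405 GHz to 2.480 GHz in 5 MHz steps.
ZIGBEE_CHANNELS = range(11, 27)

# Assumptions (not from the page): occupied bandwidth of the 802.15.4
# signal and the width of a Wi-Fi channel, both in MHz.
ZIGBEE_OCCUPIED_MHZ = 2.0
WIFI_WIDTH_MHZ = 20.0


def zigbee_center_mhz(channel):
    """Centre frequency of a 2.4 GHz Zigbee channel (11-26)."""
    if channel not in ZIGBEE_CHANNELS:
        raise ValueError(f"Zigbee channel {channel} is outside 11-26")
    return 2405.0 + 5.0 * (channel - 11)


def wifi_center_mhz(channel):
    """Centre frequency of a 2.4 GHz Wi-Fi channel (1-13)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"Wi-Fi channel {channel} is outside 1-13")
    return 2407.0 + 5.0 * channel


def band(center_mhz, width_mhz):
    """(low, high) band edges in MHz for a centre frequency and width."""
    half = width_mhz / 2.0
    return (center_mhz - half, center_mhz + half)


def overlap_mhz(a, b):
    """Width in MHz shared by two (low, high) bands; 0.0 if they only touch."""
    return max(0.0, min(a[1], b[1]) - max(a[0], b[0]))


def wifi_channels_hit(zigbee_channel, wifi_plan=(1, 6, 11),
                      zigbee_width=ZIGBEE_OCCUPIED_MHZ,
                      wifi_width=WIFI_WIDTH_MHZ):
    """Wi-Fi channels in the plan whose band overlaps the Zigbee channel."""
    z = band(zigbee_center_mhz(zigbee_channel), zigbee_width)
    return [w for w in wifi_plan
            if overlap_mhz(z, band(wifi_center_mhz(w), wifi_width)) > 0.0]


def clear_zigbee_channels(wifi_plan=(1, 6, 11),
                          zigbee_width=ZIGBEE_OCCUPIED_MHZ,
                          wifi_width=WIFI_WIDTH_MHZ):
    """Zigbee channels that overlap none of the Wi-Fi channels in the plan."""
    return [z for z in ZIGBEE_CHANNELS
            if not wifi_channels_hit(z, wifi_plan, zigbee_width, wifi_width)]


def power_ratio(dbm_a, dbm_b):
    """Linear power ratio between two levels given in dBm."""
    return 10.0 ** ((dbm_a - dbm_b) / 10.0)


if __name__ == "__main__":
    # Vendor default from the thread: Zigbee channel 15.
    print("Zigbee 15 centre (MHz):", zigbee_center_mhz(15))
    print("Wi-Fi 1/6/11 channels hit by Zigbee 15:", wifi_channels_hit(15))
    print("Clear of Wi-Fi 1/6/11:", clear_zigbee_channels((1, 6, 11)))
    # A four-channel plan leaves no gap for a Zigbee channel.
    print("Clear of Wi-Fi 1/5/9/13:", clear_zigbee_channels((1, 5, 9, 13)))
    # Treating the whole 5 MHz slot as occupied shrinks the clear set.
    print("Clear of 1/6/11, 5 MHz slot:",
          clear_zigbee_channels((1, 6, 11), zigbee_width=5.0))
    print("+23 dBm vs +18 dBm ratio:", round(power_ratio(23, 18), 2))
```

The clear set depends on the Wi-Fi plan actually deployed around the lighting mesh, so re-run it with the channels the nearby APs use.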
RE: [WIRELESS-LAN] Cisco WLC code recommendations
Same here, I’d say five in a three month period since upgrading from 8.2.121.0 to 8.2.141.0. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jason Cook *Sent:* Monday, March 20, 2017 2:18 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Cisco WLC code recommendations Seems similar to what we have seen, reboots may or may not fix it and has been one of the few times where if at first you fail try the exact same thing over and over…… Basically we successfully resolved all issues with shut/unshut of ports sometimes up to 5x. Haven’t noticed the issue so much during operations but some software upgrades AP’s were like that. Heaps of AP’s showing the wrong backup image, thanks for the tip, will give it a try. First noticed on 3602is’. Hasn’t been a major problem but noticeable -- Jason Cook Technology Services The University of Adelaide, AUSTRALIA 5005 Ph: +61 8 8313 4800 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Daniel Brisson *Sent:* Friday, 17 March 2017 5:37 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Cisco WLC code recommendations Wanted to report that we also started seeing APs lose their hostname (and some lose their entire minds) around the time we went to 8.2. I just got off the phone with one of our techs who physically rebooted an AP and I’m now waiting to see if it will come back. When the AP is in the “bad state”, it shows up as a CDP neighbor on the switch as AP.., I can ping it, but ssh and telnet sessions are refused. I just looked and noticed a bunch of my APs show *Backup SW version *as 7.3.x, where most of them correctly show a Primary of 8.2.151.0 and a Backup of 8.2.131.40. 
I’m going to try the “Download Backup” to one of these APs to see if it fixes that. Thanks! -dan Dan Brisson Network Engineer University of Vermont *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Jeffrey D. Sessler *Sent:* Thursday, March 16, 2017 1:54 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Cisco WLC code recommendations Ken, For the AP’s that have lost their name and require a reboot. Would you check the following for me? On WLC or PI, what do the problematic WAPs report as their backup software version? Typically, it should be the same as the “backup image” under commands->config boot on the controller. If it’s instead an older version e.g. 7.1.x, let me know. It’s circumstantial at this point, but I’ve noticed a pattern. - AP’s that exhibit the problem tend to also fail AP Image Pre-download (Download Primary) during code upgrades. If you make a note of these failures, those WAPs are more likely to have mental issues. - AP’s that exhibit the problem have very old (what shipped on it) code in the backup location e.g. 7.x - Issuing a AP Image Pre-download, Download Backup to these AP’s will replace the old code in the backup location. - Once the old backup image is updated, AP pre-download (Primary) now works during code upgrades, and the AP’s seem to stop losing their minds. 
Jeff *From: *"wireless-lan@listserv.educause.edu" < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Ken LeCompte < lecom...@oit.rutgers.edu> *Reply-To: *"wireless-lan@listserv.educause.edu" < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Date: *Monday, March 13, 2017 at 12:35 PM *To: *"wireless-lan@listserv.educause.edu" < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *Subject: *Re: [WIRELESS-LAN] Cisco WLC code recommendations We are currently running a handful of 5508s with 8.0.133.0 and have been stable for some time with around 400 APs and upwards of 1.5k clients. We also run a half dozen 5520s with 8.2.141.0 and they have been running solid with around 1k APs each and upwards of 10k clients. We do not however run anything but 2600, 3600, 2700 and 3700 APs. The only issue I have seen that I don’t understand well yet is related to some APs losing their minds during network interruptions. The APs will appear up from CDP neighbor information, but will have lost their name and will not connect to their configured primary or secondary controllers. A power cycle will often recover the AP, but not always. I believe that issue started with 8.2. Thank you. Ken -- Ken LeCompte - Consulting Telecommunications Analyst Telecommunications Division Office of Information Technology Rutgers, The State University of New Jersey Office ~ (848) 445-4823 On Mar 10, 2017, at 1:52 PM, Entwistle, Bruce <
RE: [WIRELESS-LAN] Cisco WLC code recommendations
We only have a handful of 3702i APs deployed but do not recall anything specific to that model. We moved from 8.0 to 8.2 for similar reasons though. I doubt this is related with the random disassociations but we took Lee Badman’s suggestion to turn down the client exclusion timer from 60 seconds to 5 seconds on our dot1x SSIDs. It seems to have helped incorrectly configured and/or poorly behaving clients a lot yet still provides some level of security. I would guess everyone else knows this but running 8.0, 8.2, and/or 8.3 across the same RF grouping may give you unpredictable results. Specifically 2800/3800 APs that I tried to let do auto channel width in a small area….. for that area it worked fine until an 8.0 WLC was the RF leader. At that point all of the APs on the newer controller code that supported auto channel width went to 80MHz channels. It was a quick fix but it made me think someone was messing with me for a while…… *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Eric Glinsky *Sent:* Friday, March 10, 2017 2:56 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Cisco WLC code recommendations If I may add to the question, does 8.2.141.0 solve the roaming issues with Apple devices and the association issues with 3700s seen in 8.0? We’re on 8.0.121.0 and we’re experiencing delayed association/roaming, particularly on Apple devices. 8.0.140.0 improved roaming but caused devices to randomly disassociate for a minute or two at a time even during use when stationary, so we downgraded. This page shows all the Cisco TAC recommended releases. This provides more information than the designations on the software download pages. 
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-TAC-Recommended-AireOS.html?cachemode=refresh *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Mike Atkins *Sent:* Friday, March 10, 2017 2:29 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Cisco WLC code recommendations We have been running 8.2.141 on a couple production 5508 controllers since early February and are happy so far. The update helped with some 2802 issues we had with the radios getting stuck or the APs crashing. I think it also had some improvements with the auto channel width but we had already abandoned that dream by then. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Entwistle, Bruce *Sent:* Friday, March 10, 2017 1:53 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Cisco WLC code recommendations We are currently running version 8.0.133.0 on our Cisco 5508 controllers, as our current access points are primarily 3500s and 3600s. However we have recently purchased a batch of 2802i access points whose minimum supported version is 8.2.110.0. I was looking to the group for their recommendations on a stable version of code which will support our new 2802i access points. Thank you Bruce Entwistle Network Manager University of Redlands ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. 
RE: [WIRELESS-LAN] Cisco WLC code recommendations
We have been running 8.2.141 on a couple production 5508 controllers since early February and are happy so far. The update helped with some 2802 issues we had with the radios getting stuck or the APs crashing. I think it also had some improvements with the auto channel width but we had already abandoned that dream by then.

*Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Entwistle, Bruce
*Sent:* Friday, March 10, 2017 1:53 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Cisco WLC code recommendations

We are currently running version 8.0.133.0 on our Cisco 5508 controllers, as our current access points are primarily 3500s and 3600s. However we have recently purchased a batch of 2802i access points whose minimum supported version is 8.2.110.0. I was looking to the group for their recommendations on a stable version of code which will support our new 2802i access points.

Thank you
Bruce Entwistle
Network Manager
University of Redlands
Re: [WIRELESS-LAN] WLPC in Phoenix
I'm interested as well. See you soon.

---Mike Atkins sent from phone

> On Feb 13, 2017, at 5:04 AM, Norman Elton <normel...@gmail.com> wrote:
>
> Last year, a number of higher-ed folks got together at the Wireless
> LAN Professional Conference for dinner and a productive story-swap. If
> you're going this year (highly recommend!) and want to do the same,
> let me know and we'll see if we can't put something together.
>
> Hope to see you there!
>
> Norman Elton
> William & Mary
RE: [WIRELESS-LAN] wild card certs and PEAP
We lost that battle long ago…… I think there was a best practice guide that won over our networking request. In the end the Identity group got to what we wanted with a bit more cost. The other one we lost was responding with a fail for invalid username instead of no response/timeout. :( Would like to revisit that one.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Travis Schick
*Sent:* Friday, February 03, 2017 4:30 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] wild card certs and PEAP

Or just install the same server cert for radius requests on all radius servers. This is being served via EAP - the client's supplicant can never automatically verify the host it is coming from anyway

On Fri, Feb 3, 2017 at 1:19 PM Mike Atkins <matk...@nd.edu> wrote:

Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
*Sent:* Friday, February 03, 2017 3:32 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our configurations in place to join eduroam. Yes, I can get a temporary cert (or beg digicert for one, since I don’t think they have an option), but we tried to use a wildcard cert that we usually use for testing of services. It generates/imports correctly and Android doesn’t appear to have an issue with it, but Win7 and Win10 don’t care for it when we try to authenticate to the wireless network. It looks like Android may be ignoring the validation or generally fine with the wildcard.
The easier question is – will a wildcard cert work here? The tougher question is – if yes, um .. any good references to configure it with S2012R2? -Brian
RE: [WIRELESS-LAN] wild card certs and PEAP
Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
*Sent:* Friday, February 03, 2017 3:32 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our configurations in place to join eduroam. Yes, I can get a temporary cert (or beg digicert for one, since I don’t think they have an option), but we tried to use a wildcard cert that we usually use for testing of services. It generates/imports correctly and Android doesn’t appear to have an issue with it, but Win7 and Win10 don’t care for it when we try to authenticate to the wireless network. It looks like Android may be ignoring the validation or generally fine with the wildcard. The easier question is – will a wildcard cert work here? The tougher question is – if yes, um .. any good references to configure it with S2012R2? -Brian
RE: [WIRELESS-LAN] 5GHz Channel Width
For those with large deployments of 40 or 80 MHz channel use, have you heard any complaints from users having issues staying connected? (specifically older laptops and android devices) I mean issues not specific to coverage or roaming or anything like that. I noticed some strange occurrences on a few test devices that are a bit older but that could be related to something I did to the devices at some point in time. I have not done much investigation yet. I was just curious if others had some experience/observations. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*) *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey D. Sessler *Sent:* Thursday, December 01, 2016 3:12 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] 5GHz Channel Width Our environment (residential) is about 80% Mac and I’ve not run into issues with DBS. With a dense deployment, it’s rare that there would be a reason to force a client to another AP as the number of clients per AP is very low i.e. a sticky client isn’t an issue. In less dense deployments it’s likely all radios will be at 80Mhz, making it a non-issue. If the AP placement is done well from the start, it’s hard to fathom a situation where DBS is going to make a truly bad decision. If it sees an influx of 11g clients, it’s going to reduce width. If the environment is mostly all 11n and 11ac (as it is at my university), it’s going to favor 80Mhz. In general, I favor letting the software make the decisions and only change that if I can demonstrate that it’s causing harm. 
*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Jake Snyder *Sent:* Wednesday, November 30, 2016 4:40 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] 5GHz Channel Width One things to keep in mind is that certain device manufacturers preference wider channels. Apple in the Mac OS X products for instance, will always prefer an 80MHz channel over a 40MHz channel. As well as a 40MHz channel over a 20MHz channel. Things like DBS can lead to stickier clients, as you are now mixing channel widths. This leads you to trying things like Opt-R in order to force now sticky clients to other APs, which will likely be less successful since OS X doesn’t support 802.11v. This means DEAUTH, ironically which the OS X devices don’t handle as well as their PC brethren… https://support.apple.com/en-us/HT206207 Selection criteria for band, network, and roam candidates OS X always defaults to the 5GHz band over the 2.4GHz band, as long as the RSSI for a 5GHz network is -68 dBm or better. If multiple 5GHz SSIDs meet this level, OS X chooses a network based on these criteria: 1. 802.11ac is always preferred over 802.11n or 802.11a 2. 802.11n is always preferred over 802.11a 3. 80 MHz channel width is always preferred over 40 MHz or 20 MHz 4. 40 MHz channel width is always preferred over 20 MHz All in all, I would suggest not doing DBS in OS X heavy environments. My preference is to take each building and decide whether it can be leveraged in 20, 40 or 80, and configure the whole building that way. For how to decide if you can get away with 20 vs 40 vs 80, my preference is to pick the channels you want to use, and start with a survey. Let’s say you want to enable UNII 1 and UNII 3. That’s 8x 20MHz Channels. Could i go to 40MHz? If i can get away with 4 channels, then yes. 
Or I could add channels until I get to the number of channels needed to maintain channel separation. This varies wildly based on density of APs in a building. Eventually you run out of channels that you can add and then must either deal with co-channel interference or drop down to a narrower width.

- Start with 20MHz
- How many channels do I need with my current design to maintain channel separation? (Survey may be necessary)
- Do I have twice that many channels enabled at the current channel width?
- If yes, increase channel width to 2x current channel width.
- If no, do I feel comfortable adding channels to get to twice that?
- If yes, add channels and increase channel width to 2x current channel width.

Hope this helps

Thanks
Jake Snyder

On Nov 30, 2016, at 12:03 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:

Depending on the building construction, and assuming you are using DFS channels, running 40Mhz and even 80Mhz is very likely with no downside. 5GHz does not propagate very well, so a static 20Mhz plan in anything but big open spaces is IMHO unnecessary. If you are a Cisco customer, enabling DFS (Dynamic Bandwidth Selection) is likely the best choice for maximizing the use of the 5Ghz space. DFS w
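The width-selection steps in Jake Snyder's message above, written out as a loop. This is an added example, not code from any poster. It assumes the standard US 5 GHz channel numbering and bonding blocks, treats "twice that many channels" as "enough bonded channels at the doubled width", and uses hypothetical names (`BANDS`, `bonded_channels`, `plan_width`).

```python
from typing import Dict, List, Optional, Sequence, Tuple

# US 5 GHz 20 MHz channels per band. Channel 165 has no bonding partner
# and is left out (assumption of this example).
BANDS: Dict[str, List[int]] = {
    "UNII-1": [36, 40, 44, 48],
    "UNII-2A": [52, 56, 60, 64],
    "UNII-2C": list(range(100, 145, 4)),
    "UNII-3": [149, 153, 157, 161],
}
# First 20 MHz channel of each standard 80 MHz block.
BLOCK_80_STARTS = (36, 52, 100, 116, 132, 149)


def bonded_channels(enabled: Sequence[int], width: int) -> List[Tuple[int, ...]]:
    """Return the channels of `width` MHz that can be built from `enabled`."""
    have = set(enabled)
    if width == 20:
        return [(ch,) for ch in sorted(have)]
    span = width // 20  # 2 members for 40 MHz, 4 for 80 MHz
    groups = []
    for start in BLOCK_80_STARTS:
        block = [start + 4 * i for i in range(4)]
        for i in range(0, 4, span):
            group = tuple(block[i:i + span])
            if have.issuperset(group):
                groups.append(group)
    return groups


def _grow(enabled: List[int], spare: List[str], width: int,
          needed: int) -> Optional[Tuple[List[int], List[str], List[str]]]:
    """Add optional bands in order until `needed` channels exist at `width`.

    Returns None (and commits nothing) when the target cannot be reached.
    """
    enabled, spare, added = list(enabled), list(spare), []
    while len(bonded_channels(enabled, width)) < needed:
        if not spare:
            return None
        band = spare.pop(0)
        enabled += BANDS[band]
        added.append(band)
    return enabled, spare, added


def plan_width(start_bands: Sequence[str], needed: int,
               optional_bands: Sequence[str] = ()) -> dict:
    """Pick the widest channel width that still leaves `needed` channels.

    `needed` is the survey result: how many distinct channels the AP layout
    requires to keep channel separation. `optional_bands` are bands the
    operator is comfortable enabling, tried in the order given.
    """
    enabled = [ch for band in start_bands for ch in BANDS[band]]
    spare, added, width = list(optional_bands), [], 20
    for target in (20, 40, 80):
        step = _grow(enabled, spare, target, needed)
        if step is None:
            break  # cannot double again; stay at the current width
        enabled, spare, more = step
        added += more
        width = target
    channels = bonded_channels(enabled, width)
    return {
        "width_mhz": width,
        "channels": channels,
        "added_bands": added,
        # True means even 20 MHz leaves too few channels for separation.
        "co_channel": len(channels) < needed,
    }


if __name__ == "__main__":
    for need in (2, 4, 6, 10):
        plan = plan_width(["UNII-1", "UNII-3"], need, ["UNII-2A"])
        print(need, plan["width_mhz"], plan["added_bands"], plan["co_channel"])
```
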
RE: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
Bruce, We are using Microsoft Event log view for NPS/security and are also exporting security logs daily to another system that we built to massage the information in order to get stats and summarize errors. We have Microsoft System Center that I believe can be expanded to do additional reporting and alerting but we have been unsuccessful in getting the other groups to implement it.

I used perfmon for a very short period when I was initially looking at a way to graph rates over a 24 hour period and was quickly discouraged. I did not have a working baseline to compare to and I could not find a published spec. Our identity group opened a ticket with Microsoft and never got a solid # on rates. I believe the response was “depends on your server resources.” I was looking at success and failure rates but the problem at the time was NPS just stopped responding to the supplicant. I did not see a counter for something like that. Maybe I did not look hard enough and there is a way to calculate it. I should probably take another look if you find it useful.

A typical troubleshooting scenario was “everyone in this room was disconnected!” I ask the typical question, “did everyone get disconnected at the same time.” Response is “yes!” I ask “so everyone got disconnected at the very same minute?” Response, “well no, but during the meeting most of us got disconnected.” I reply “most not everyone?.?.?…..” :) You know how it goes. In the end I had to look at information far enough back that it is/was very difficult to use perfmon.

*Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Bruce Boardman
*Sent:* Wednesday, November 16, 2016 2:49 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
Mike Regarding the Troubleshooting and debug challenges with NPS are you exporting the MS events to a log collector or using the server's native event viewer? How useful have you found the PerfMon RADIUS metrics? |Bruce Boardman, Network Engineer, Syracuse University - 315 412-4156 -- *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Atkins <matk...@nd.edu > *Sent:* Wednesday, November 16, 2016 2:44 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi? Lee, We use Microsoft NPS for radius on dot1x wireless (ND-secure & eduroam.) Troubleshooting and getting debug information has been very difficult. Finding a deployment guide on expected performance/load is also impossible to find. I think configuration is absolutely key. My impression is either it works great or it does not. Dennis, I think we are doing the realm stripping you are talking about using NPS. Our identity management group has two policies configured for eduroam. The first policy says identity @nd.edu authenticate PEAP requests on the local server. The second policy says “@” forward to the two eduroam.us “servers.” There are a couple other policies for off campus users that get forwarded from eduroam.us servers. Maybe not what you are talking about but just thought I would chime in just in case. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*) *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman *Sent:* Wednesday, November 16, 2016 9:40 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi? Hello to the awesome group. 
We’ve used Cisco ACS with general satisfaction for many years as the RADIUS solution for our very, very large WLAN’s 802.1X authentication. We also have Aruba Clearpass in-house for guest wireless, and have poked around at ISE a bit. We’re weighing replacing our aging ACS environment, but as many of you know times are changing. When you shop for RADIUS, you have to wade through the fog of NAC systems because everything is getting ever more “feature rich”. For major vendors, RADIUS is just a slice of NAC now, and since everybody “is a software company!” licensing can be ugly. I’m not slamming those who find value in the many interesting features that the likes of ISE and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when I think about going forward with simple RADIUS. Way back when, we avoided Microsoft in this role as the reporting wasn’t particularly strong when it came time to troubleshoot clients. We **may** have found relief to this through Splunk, and also enjoy a robust Windows server environment st
RE: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
Lee, We use Microsoft NPS for radius on dot1x wireless (ND-secure & eduroam.) Troubleshooting and getting debug information has been very difficult. Finding a deployment guide on expected performance/load is also impossible to find. I think configuration is absolutely key. My impression is either it works great or it does not. Dennis, I think we are doing the realm stripping you are talking about using NPS. Our identity management group has two policies configured for eduroam. The first policy says identity @nd.edu authenticate PEAP requests on the local server. The second policy says “@” forward to the two eduroam.us “servers.” There are a couple other policies for off campus users that get forwarded from eduroam.us servers. Maybe not what you are talking about but just thought I would chime in just in case. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame Phone: 574-631-7210 .__o - _-\_<, --- (*)/'(*) *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman *Sent:* Wednesday, November 16, 2016 9:40 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi? Hello to the awesome group. We’ve used Cisco ACS with general satisfaction for many years as the RADIUS solution for our very, very large WLAN’s 802.1X authentication. We also have Aruba Clearpass in-house for guest wireless, and have poked around at ISE a bit. We’re weighing replacing our aging ACS environment, but as many of you know times are changing. When you shop for RADIUS, you have to wade through the fog of NAC systems because everything is getting ever more “feature rich”. For major vendors, RADIUS is just a slice of NAC now, and since everybody “is a software company!” licensing can be ugly. 
I’m not slamming those who find value in the many interesting features that the likes of ISE and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when I think about going forward with simple RADIUS. Way back when, we avoided Microsoft in this role as the reporting wasn’t particularly strong when it came time to troubleshoot clients. We **may** have found relief to this through Splunk, and also enjoy a robust Windows server environment staffed by absolutely brilliant MS-minded veteran admins. All that being said- is anyone using NPS as their RADIUS solution for a large secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, horror stories, tales of success, etc? (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS solutions. Please, no calls or emails) Kind regards- *Lee Badman* | CWNE #200 | Network Architect Information Technology Services 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 *t* 315.443.3003 * f* 315.443.4325 *e* lhbad...@syr.edu *w* its.syr.edu *SYRACUSE UNIVERSITY*syr.edu ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Per room wireless
Our last two dorms we placed an AP in every third room staggered above and below so no client should be no more than one wall away. We were fortunate enough to get Ethernet drops for APs to every room just in case. I say fortunate but we really pushed it as insurance for the future. Coverage is great, but now we have to get better at dealing with high density. The APs were mounted above the door to reduce the chance of damage. If anyone has APs on the outer wall, we would certainly be interested in your experience. Otherwise it will likely be a test over the summer when students and their belongings are not present to give us an accurate picture.

Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Blaisdell
Sent: Friday, November 04, 2016 10:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Per room wireless

How many on the list have moved to a per room model for wireless for student residence halls?

Michael Blaisdell
Director of Network Services
IT Services Learning Commons/Library
Saint Francis University
117 Evergreen Drive Loretto, PA 15940
814-472-3242
http://www.francis.edu

The best way to predict the future is to invent it. Alan Kay
RE: [WIRELESS-LAN] Playstation 4 (PS4) Not Connecting to Wireless
Interesting observation Andy. This closely fits a similar situation where we have a new building with Cisco 2802’s running and the XOR radio is automatically disabling 2.4Ghz on several APs in a graduate student space. While the APs see neighbor APs at ~50db the clients see the ssid @ ~60db in the 2.4Ghz, but are not able to connect. Manually turning on a 2.4Ghz radio from monitor to client service enables the clients to connect. One specific device was 2.4Ghz only which pushed to manual adjustments. If anyone knows the formula for XOR radio decision it would be very helpful for our understanding of the process. We have PS4’s on campus but they typically connect to our guest network with no auth. (rate limit 8M/2M) Our help desk encourages students to use a wired connection for game consoles, especially Xbox if they need public IP address. Students can self-register devices for the wired network (Cisco Clean Access.) We often joke about it being cheaper to have a box of USB-Ethernet adapters to hand out instead of spending hours of troubleshooting one wifi device…… but seriously. *Mike Atkins * Network Engineer Office of Information Technology University of Notre Dame *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Voelker, Andy *Sent:* Thursday, September 01, 2016 10:34 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Playstation 4 (PS4) Not Connecting to Wireless We have had a few reports of PS4 problems, but as far as I can tell they are mostly because PS4's only have a 2.4GHz radio. Often the AP near them has gone into air monitor mode from too much 2.4 in the air, and the antenna on the PS4 isn't that fantastic. Plus, many students shove it in a cabinet under a TV, and that blocks even more signal. Lately I've been just activating a port for them, but I'll look into it further when I have time. 
Andy Voelker Davidson College -- *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv < WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Brandon Dixon < bdix...@murraystate.edu> *Sent:* Thursday, September 1, 2016 2:18:41 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Playstation 4 (PS4) Not Connecting to Wireless Tim and Danny, thanks for the responses: The SSID's for these are on an Open SSID that has a NAC backend, so 802.1x isn't actually involved in the connection process. The NAC watches for the MAC address and puts them in the appropriate VLAN. We've verified the NAC is working properly, as it's working for all other devices. We do encourage them to plug in their gaming devices, for the sake of latency and experience for the end user, but there's still some who prefer wireless. On 9/1/2016 9:46 AM, Danny Eaton wrote: > This leads me to ask - doesn't the Xbox and PS4 have wired ports? Why put all that refresh rate traffic on wireless? Why not "strongly suggest" they connect it to a wired port, leaving wireless for truly mobile devices (laptops, Macbook Air, phones, pads, etc.)? If it has a permanent power brick, plug it in. > > -Original Message- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Tim Tyler > Sent: Thursday, September 01, 2016 9:24 AM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] Playstation 4 (PS4) Not Connecting to Wireless > > Brandon, > Many games and other devices don’t support 802.1x in case that was the > network they were trying to connect to. We created an SSID that allows for > mac address authentication. We allow student to register the mac address of their non 802.1x complaint devices and connect to our SSID that supports mac > addresses (open network). We have no problems that I am aware of with PS4 > stations. >Note: We use Aruba with Clearpass. 
> Tim > > -Original Message- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Brandon Dixon > Sent: Thursday, September 01, 2016 8:42 AM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: [WIRELESS-LAN] Playstation 4 (PS4) Not Connecting to Wireless > > We have been seeing issues where PS4's on campus will not connect to our Aerohive wireless devices properly. Other devices such as Xbox One are working fine, it seems to be isolated to PS4 devices. We are beginning to wonder if this is an issue with Enterprise wireless AP's and I was curious, before we spend more time digging, if others are experiencing issues with > PS4 on their campus. (Apologies for the shoddy image quality) > > > -- > Brandon Dixon > Network Engineer > Info
RE: [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues
We have Cisco 8510 controllers with client exclusion enabled at the default 60 seconds. We are using Microsoft NPS for authentication. When students are on campus I only see a couple devices in the excluded clients list for each controller. We left client exclusion on our open guest SSID as well.

*Mike Atkins *
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jess Walczak
*Sent:* Thursday, June 02, 2016 12:17 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues

We are experiencing the following issue and I am wondering what other folks are doing regarding expired password client exclusion blacklisting on their 802.1X WLANs. This is specifically about a Cisco environment, but others may have knowledge about it (albeit with different vendor-specific language).

Client (supplicant) connects to our 802.1X WLAN (SSID) and it fails authentication 3 times because of an expired password. It is now blacklisted (for 60 seconds), during which time the client will usually then try to associate with our open WLAN, but cannot join and then retries associating with the secure WLAN once again, failing once again. I think we are mainly seeing this when a user's Active Directory password expires without their knowledge.

Here is our environment:

- Cisco 8510 WLCs running 8.0.121.0 code
- Cisco ISE Version 1.4.0.253, Patch 3,5,6

There are some settings involved:

1.) "Client Exclusion Policy" (which is under Security-->Wireless Protection Policy) has 6 elements, all on by default; one of these is "Maximum 802.1x-AAA Failure Attempts" which is set to "3" by default, and gives a range of "1-3".

2.) "Client Exclusion" (under WLANs-->Advanced) is set to "enabled" with a timeout of 60 seconds.

The Client Exclusion Policy is a global setting, and you can enable it for each WLAN or not, and pick the timeout in seconds (or 0 seconds, which means it must be manually cleared by an admin).

My questions are whether other folks are leaving this feature on, or have they shortened the timeout, or have they disabled it altogether? We have this enabled on both WLANs, even on the open one--and this wouldn't seem to matter here, and perhaps is causing the client to be unable to connect to this one as well, erroneously.

The timeout of 60 seconds seems like an eternity for a wireless client, and I imagine this feature intends to prevent a massive DoS or spoofing attack, except for we've seen iPhones that can register 100's of thousands of failed login attempts in less than an hour before our wireless overhaul, and our AD servers never even broke a sweat. Is it then perhaps for the safety of the wireless controller?

We've resolved this in some instances, even today, by "forgetting this network" on the client and powering it off, then finding its session in both ISE and the WLC and deleting them each, before powering the client back up. Then, it works flawlessly, once again. Because of this, it seems like this setting might be more of a nuisance than anything. Any thoughts would be appreciated.

Thanks!--JW

Jess Walczak
Senior Network Analyst
Information Technology Services
jwwalc...@stthomas.edu
University of St. Thomas | stthomas.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
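Added example, not part of the original thread and not Cisco's implementation: a simplified Python model of the exclusion behaviour described above (3 consecutive 802.1X failures, then a timed exclusion, with 0 meaning "until an admin clears it"), replayed over a constructed retry schedule to compare how many attempts reach the AAA server under each setting. All class, function and parameter names are assumptions made for illustration.

```python
"""Simplified model of per-client 802.1X exclusion (illustrative, not vendor code)."""
from dataclasses import dataclass


@dataclass
class ExclusionPolicy:
    max_failures: int = 3   # "Maximum 802.1x-AAA Failure Attempts" value from the thread
    timeout_s: int = 60     # per-WLAN exclusion timeout; 0 = until manually cleared
    enabled: bool = True


def simulate(attempt_times, policy, creds_fixed_at=None):
    """Replay one client's authentication attempts (seconds, ascending).

    Returns how many attempts reached the AAA server, how many were dropped
    while the client was excluded, and when authentication first succeeded
    (None if never). creds_fixed_at is a hypothetical time at which the
    client starts presenting a valid password.
    """
    consecutive = 0
    excluded_until = None   # None = not excluded; inf = waiting for manual clear
    reached_aaa = dropped = 0
    first_success = None
    for t in attempt_times:
        if excluded_until is not None:
            if t < excluded_until:
                dropped += 1        # controller rejects the client, AAA never sees it
                continue
            excluded_until = None   # exclusion expired
            consecutive = 0
        reached_aaa += 1
        if creds_fixed_at is not None and t >= creds_fixed_at:
            first_success = t
            break
        consecutive += 1
        if policy.enabled and consecutive >= policy.max_failures:
            excluded_until = t + policy.timeout_s if policy.timeout_s else float("inf")
    return {"reached_aaa": reached_aaa, "dropped": dropped, "first_success": first_success}


# Constructed input: a supplicant with an expired password retrying every 2 s for one hour.
RETRIES = list(range(0, 3600, 2))


def compare():
    """Run the same retry schedule under four settings."""
    on = simulate(RETRIES, ExclusionPolicy())
    off = simulate(RETRIES, ExclusionPolicy(enabled=False))
    manual = simulate(RETRIES, ExclusionPolicy(timeout_s=0))
    # Password corrected at t=125 s, while the second exclusion window is still open.
    fixed = simulate(RETRIES, ExclusionPolicy(), creds_fixed_at=125)
    return on, off, manual, fixed


if __name__ == "__main__":
    for name, result in zip(("60 s", "disabled", "manual clear", "fixed@125 s"), compare()):
        print(f"{name:>12}: {result}")
```

In this model the 60-second setting cuts AAA load from this one client by roughly a factor of ten, at the cost of delaying a corrected login until the current exclusion window ends.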
RE: [WIRELESS-LAN] Who wifi vendors does everyone use?
Notre Dame is mostly Cisco with 2600 WAPs and now venturing into Aruba territory with just over 100 WAPs in one facility. We are listening to everyone on the list very closely as new construction and remodeling will cause us to double AP count over the next two years (football stadium is ~1000.) We do not have a dedicated WiFi engineer at this point so we are very interested in deployment and manageability concerns/issues we hear from the group.

Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Friday, April 01, 2016 8:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?

The University of Western Ontario, Canada… Aruba with just shy of 4k APs

-Mike

> On Apr 1, 2016, at 8:52 AM, Case, Brandon J <ca...@purdue.edu> wrote:
>
> Purdue is an all-Cisco shop with about 8500 APs
>
> -Brandon
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Todd M. Hall
> Sent: Friday, April 1, 2016 8:44 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>
> Mississippi State is Cisco with 2k APs.
>
> On Thu, 31 Mar 2016, Brian L. Cox wrote:
>
>> Date: Thu, 31 Mar 2016 15:17:10 -0500
>> From: Brian L. Cox <cox...@unk.edu>
>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> <WIRELESS-LAN@listserv.educause.edu>
>> To: WIRELESS-LAN@listserv.educause.edu
>> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>>
>> We are identical to Suffolk University… just under 1000 Aruba AP's,
>> ClearPass, Airwave and Extreme/Enterasys for wired.
>>
>> __
>> Brian L Cox
>> Information Technology Services
>> Director of Networking & IT infrastructure
>> University of Nebraska Kearney
>> (308)865-8176
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
>> Sent: Thursday, March 31, 2016 2:01 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>>
>> I am sort of surprised at the low number of people using Extreme
>> Networks. Then again, maybe I shouldn't be.
>>
>> --
>>
>> Jeremy L. Gibbs
>> Sr. Network Engineer
>> Utica College IITS
>>
>> On Thu, Mar 31, 2016 at 12:55 PM, Norman Mourtada
>> <nmourt...@suffolk.edu<mailto:nmourt...@suffolk.edu>> wrote:
>> We are all Aruba for wireless just under a 1000 APs, with Clearpass and
>> Airwave and Extreme/Enterasys for wired.
>>
>> Norm Mourtada
>> Suffolk University
>> Boston, MA 02108
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Watters, John
>> Sent: Thursday, March 31, 2016 12:44 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>>
>> Cisco -- just under 6K APs right now.
>>
>> -jcw
>>
>> John Watters
>> The University of Alabama
>> Office of Information Technology
>>
>> 205-348-3992
>>
>
> --
> Todd M. Hall
> Sr. Network Analyst
> Information Technology Services
> M
RE: [WIRELESS-LAN] New Cisco 2800/3800 Wave 2 WAPs - thoughts on new flexible radio assignment?
I’m looking forward to the 2800/3800 AP features as we deploy new infrastructure and high density WiFi. I’m hopeful the external antenna model can help reduce the # of APs/licenses needed in very high density locations. The auto channel width could be nice if it works okay in our environment. Only time and testing will tell….. Not sure if multi-gig will be a factor in the coming year but we are certainly looking at it for the new Cisco and new Aruba APs. Our Aruba folks indicate two 5.2 GHz radios in the same antenna location will not work efficiently…. So we’re hoping there is some software magic to overcome physics. Needless to say I’m trying to keep my expectations low in order to be pleasantly surprised.

There are a couple “No Strings Attached Show” podcasts discussing 2800/3800 and flexible radio assignment. (sponsored podcast) There is also a “Cisco Champion Radio” podcast discussing 2800/3800 features.

PS. We are looking at 1810w for dorm deployment. It’s wave2 AC but still does not do clean air if you need that.

*Mike Atkins *
Network Engineer
Office of Information Technology
University of Notre Dame

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Daniel Brisson
*Sent:* Tuesday, March 22, 2016 2:46 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] New Cisco 2800/3800 Wave 2 WAPs - thoughts on new flexible radio assignment?

Yes, the flexible radio design is definitely interesting. I’m interested to see how it plays out in terms of shuffling clients between APs based on what radio is available.

I wanted to ask…have you considered the 702W for your res halls? It really seems to be the way to go in terms of creating small cells for the myriad devices that exist in that setting. We have a new dorm going up as well and with our experience with the 3502i’s, which granted has not been bad, but I really see the benefit of going with the 702w style.

-dan

Dan Brisson
Network Engineer
University of Vermont

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Jeffrey D. Sessler
*Sent:* Tuesday, March 22, 2016 2:27 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] New Cisco 2800/3800 Wave 2 WAPs - thoughts on new flexible radio assignment?

For the Cisco shops:

I recently had a briefing on the new Cisco 2800/3800 Wave 2 WAPs coming in May, and I’m pretty excited for the new flexible radio design. For those that have not read up on it, in the new models one of the two radios can dynamically move (self optimize) between 2.4 and 5 GHz depending on need (coverage/performance) or function (Serve clients, security monitoring, service assurance aka be a client, or enhanced location).

Seems like Cisco is addressing one of my long standing concerns/wishes, that when designing dense deployments, that the number of 2.4 GHz radios become overkill and wasted. The new model provides for much better 5 GHz coverage (lots of WAPs running 5GHz x 2) with just enough running 2.4 GHz to handle legacy needs. It’s going to make my life much easier when designing for our residential halls.

Any of the other Cisco shops excited for the new flexible radio feature? Thoughts? I have a new residence hall coming online in August so the timing is great.

Jeff
RE: [WIRELESS-LAN] Cisco AP Horizontal Mounting Bracket
Our wiring crew took a look at several of these and eventually bought a $7.99 heavy duty (white) shelf bracket from the local hardware store. The mounting plate and bracket for drop ceiling connect to the shelf bracket perfectly. We use the shelf brackets in several classroom buildings that do not have drop ceilings. So far it has worked out very well and the architect's office was okay with the aesthetics.

Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dorshimer, Michael
Sent: Friday, September 11, 2015 3:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco AP Horizontal Mounting Bracket

Dan,

I found these for about $50
http://www.oberonwireless.com/products/surface-mount-wall-hard-ceiling-enclosures-mounts/1109-1009-00

- Mike

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dan Brisson
Sent: Friday, September 11, 2015 3:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco AP Horizontal Mounting Bracket

Just to clarify, the type of bracket shown here is what I'm looking for:
http://www.terra-wave.com/shop/compact-horizontal-wall-mount-w-cover-and-universal-tbar-mounting-plate-p-3697.html?utm_source=et.ventev.com_medium=email_campaign=VA78

-dan

Dan Brisson
Network Engineer
University of Vermont

On 9/11/15 3:03 PM, Dan Brisson wrote:
> I'm wondering if anyone out there can recommend a horizontal mounting
> bracket for Cisco APs. Ventev TerraWave has a new model out and
> Oberon has had them for a while. The TerraWave model looks good but
> comes in at around $100, which is a bit pricey for me.
>
> The ideal bracket would be able to be screwed to a standard single
> gang electrical box.
>
> Anybody have any other recommendations?
>
> Thanks,
> -dan
Re: [WIRELESS-LAN] Cisco Aironet Series
Same here, 2702 is our standard AP.

Side note: We have an open position in networking and are looking for someone with WiFi background. http://jobs.nd.edu:80/postings/2624 http://jobs.nd.edu/postings/2624

On Thu, Aug 6, 2015 at 9:44 AM, Hector J Rios hr...@lsu.edu wrote:

I second that. We started deploying 3700’s but we quickly saw that the performance of the 2700 was comparable and the savings was worth it. So now that is our standard WAP.

Hector Rios
Louisiana State University

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Walter Reynolds
*Sent:* Thursday, August 06, 2015 6:55 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Cisco Aironet Series

For cost savings as well we are using the 2702's as the primary AP that we deploy on campus.

Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Wed, Aug 5, 2015 at 8:14 PM, Tony Juarez ajua...@uchicago.edu wrote:

We have started using the 2702i’s in our smaller locations, and use the 3702’s on the main campus.

Tony Juarez, CCNP Wireless
Senior Network Engineer - Wireless
IT Services
773-702-5592 (Office)
773-230-7923 (Cell)

*From: *Deshong, Kenneth kdesh...@health.usf.edu
*Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@listserv.educause.edu
*Date: *Wednesday, August 5, 2015 at 3:35 PM
*To: *WIRELESS-LAN@listserv.educause.edu WIRELESS-LAN@listserv.educause.edu
*Subject: *[WIRELESS-LAN] Cisco Aironet Series

I have a question that I hope someone can help me with. In the hope of saving money, my boss wants me to look at a cheaper alternative to the 3702i in areas that might not need a top of the line Access Point. In my comparison, I find the Aironet 2702i to have similar specs minus the 4x4 radio. Both support 802.11ac, Client Link 3.0, CleanAir 2.0. I don’t plan on using the Modular slot. I’ve read from limited sources that say the electrons are the same, and performance is neck and neck. Can anyone debunk that?

--
*Mike Atkins *
Network Engineer
Office of Information Technology
University of Notre Dame
-Sent from gmail.nd.edu
Re: [WIRELESS-LAN] Show 221 - Marriott, Wifi, + the FCC with Glenn Fleishman Lee Badman - Packet Pushers Podcast
Episode 48 of the No Strings Attached podcast covers this very well also.

---
Sent from my phone.

On Jan 17, 2015, at 8:44 PM, Trent Hurt trent.h...@louisville.edu wrote:

http://packetpushers.net/show-221-marriott-wifi-fcc-glenn-fleishman-lee-badman/

Sent from my iPhone