Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

2021-04-19 Thread Philippe Hanset
Yesterday, I was eating at a restaurant in Greenville, SC (Gorgeous town BTW). 
My cellular connection was very poor inside that restaurant and
the App that I was using needed more throughput. So, I decided to hunt for the 
restaurant Wi-Fi. I turned on my VPN and picked from a giant list of SSIDs an 
Open Network
that looked like the name of the restaurant. True story, they actually had an 
unrestricted Open Wi-Fi.

That experience reminded me of this post and that the main reason why I like 
WPA2/3-enterprise is more for me as a User than for me as an Operator.
When I travel, 802.1X authenticates my relation with the Wi-Fi via the RADIUS 
infrastructure certificate (if my device doesn’t barf, this Wi-Fi is federated!)
and hopefully I can trust that Wi-Fi and get some decent amount of Mbps.

Philippe

Philippe Hanset, CEO
www.anyroam.net





> On Apr 16, 2021, at 12:46 PM, Jeffrey D. Sessler  
> wrote:
> 
> I’m all for the connection experience being as simple as possible. We subject 
> our casual users to often extreme onboarding measures when they’ll never 
> experience this outside of their 4-years, or even outside the college 
> community.
>  
> If we consider the forward march to SaaS and other aaS products in higher 
> education, in the not so distant future, we’ll run almost nothing on-campus. 
> Wireless will just be a commodity connection-point out to a bunch of Internet 
> services. If an end user can “do what they need” at the myriad wifi hotspot 
> locations in the US e.g. starbucks, then we shouldn’t need to ask them to 
> jump through more hoops just because they are on a college campus.  Is there 
> such a thing as wireless elitism?
>  
> Perhaps the challenge with wireless is that it’s still a service owned and 
> managed by IT? If the governance was customer focused, with goals centered on 
> community experience vs enterprise risk, perhaps a happy medium could be 
> reached between what the consumer of the service desires, and what those 
> managing it can provide?
> If my facilities director told me that the water spigot I wanted installed in 
> my building required a pass-code or onboarding before use, I’d consider them 
> crazy. After all, my home version requires a simple turn of the handle.  When 
> I look at what lengths some of us have gone with our college wifi, I wonder 
> if the pass-code water spigot is far off.  
>  
> Jeff
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  On Behalf Of Lee H Badman
> Sent: Friday, April 16, 2021 8:29 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?
>  
> All good input- again, just thinking free here... thanks for playing the game.
> 
> Lee Badman (mobile)
> 
> 
> On Apr 16, 2021, at 11:07 AM, David Logan <tarheeldav...@gmail.com> wrote:
> 
> 
> So - truly thinking out loud...   
>  
> 1. To Tim's point on lack of identity, the unstated requirement that could be 
> chosen to be fulfilled or not - there would need to be post-connect, 
> post-activity monitoring such that "bad activity" could be detected, 
> mitigated, prevented.  Anybody and any device within throw range of the WLAN 
> could connect and do whatever they want, within the bounds of monitoring and 
> enforcement at L2/L3/L7.  IRL - none of your doors have locks, but you could 
> choose to implement security cameras if someone you don't know comes in to 
> take the TV.  
>  
> 2.  It certainly suggests creating "network segments of one" to ensure that 
> the ability for a bad actor with a connected device cannot recon nor exploit 
> the other local connected devices, systems, apps, protocols.   Suggests all 
> local traffic would have to be firewalled or proxied, or else the "network 
> segment of one" architecture is unenforceable.
>  
> 2a.   OR - it suggests a "don't care what happens between non-IT sanctioned 
> systems" - i.e. if a bad actor on a moderately sized broadcast domain/subnet 
> co-opts an attached non-IT device (like a smart TV) and "does something bad" 
> - that's OK.  This then suggests that consequences of consumer IT product 
> vendors implementing poor embedded software systems/exploitable protocols 
> would trickle down to the end-user and back out to the consumer IT vendor.   
>  
> 2b.  Also suggests that if the local network segments are not policed using 
> firewalls of some sort, then the local IT-managed systems (if there ARE any) 
> - definitely need to be up to date on patch management and support and 
> vendor-product-software security.
>  
> -- Dave
>  
>  
> On Fri, Apr 16, 2021 at 10:33 AM Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu 
> <mai

Re: [WIRELESS-LAN] WLAN onboarding

2021-04-07 Thread Philippe Hanset
Lee,

Based on your timeframe you might also want to consider the new development 
that is done in Europe called “geteduroam”.
https://www.geteduroam.app
It is App based and will feed from CAT but it is based on EAP-TLS or on 
EAP-TTLS/PEAP if preferred.

So you could start with CAT  and username/password (CAT allows you to provision 
eduroam and other SSIDs as well) and evolve later to EAP-TLS.

Philippe


Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






> On Apr 7, 2021, at 10:05 AM, Lee H Badman 
> <00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Hello everyone, hope your semesters are going along smoothly and that you are 
> all staying healthy. As always- this message is not an invite for vendors to 
> contact me.
>  
> Looking out down our short timeline, we need to make a number of decisions 
> about various aspects of our WLAN operations. One of these decision points is 
> if/how to do the 802.1X onboarding after our current solution goes End of 
> Everything at year’s end. To that end, I’m looking for any and all feedback 
> on these questions:
> 
> - If you are using PEAP/MS-CHAP v2, what is your onboarder of choice (even if 
> none, with manual config as methodology)?
> - If you are doing PEAP-TLS, what is your onboarder of choice?
> - Have you recently piloted any onboarders that you just hate for any reason?
> - For those using eduroam as your 802.1X environment, have you found the free 
> configuration tool to be reliable? Any downsides to using it at scale?
>  
> Interested in 3rd party, native, whatever.
>  
> Thanks as always,
>  
> Lee Badman
>  
> Lee Badman | Network Architect (CWNE#200)
> 
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
> Campus Wireless Policy: 
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community <https://www.educause.edu/community>



Re: [WIRELESS-LAN] Wi-Fi and Covid

2021-04-01 Thread Philippe Hanset
> SYRACUSE UNIVERSITY
> syr.edu 
>  
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Philippe Hanset
> Sent: Thursday, April 1, 2021 3:29 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Wi-Fi and Covid
> 
>  
> 
> All,
> 
>  
> 
> Has anyone else been approached by AFCOTRA?
> 
> They have developed an algorithm to map Wireless users and Covid 
> Contamination.
> 
> They want to use Wi-Fi logs to establish mapping of Covid Cross Contamination 
> on campus.
> 
> (I guess linking MAC address to Wi-Fi triangulation)
> 
>  
> 
> Neat Idea!
> 
>  
> 
> Philippe
> 
>  
> 
> Philippe Hanset, AFO
> 
> www.anyroam.net 
>  
> 
>  
> 
> 
>  
> --
>  
> dan b. lauing ii | CWNE #402
> Wireless Network Engineer
> Mississippi College
>  
> 
>  

Wi-Fi and Covid

2021-04-01 Thread Philippe Hanset
All,

Has anyone else been approached by AFCOTRA?
They have developed an algorithm to map Wireless users and Covid Contamination.
They want to use Wi-Fi logs to establish mapping of Covid Cross Contamination 
on campus.
(I guess linking MAC address to Wi-Fi triangulation)

Neat Idea!

Philippe

Philippe Hanset, AFO
www.anyroam.net







The star is wireless

2020-12-14 Thread Philippe Hanset
Season's greetings to all :)







Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US









Android 11 and Cert Verification

2020-10-13 Thread Philippe Hanset
It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US








Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] 2.4Ghz channel designations

2020-08-26 Thread Philippe Hanset

He might mean: let the smart system pick any of the 11 available channels not 
just 3 statically defined by you?
In other words: allow the algorithm of the vendor to do its work in the 
non-overlapping design.

Just trying to save him :)

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US

> On Aug 26, 2020, at 12:24 PM, Hunter Fuller  wrote:
> 
> What does "less than the delays from protocols" mean?
> 
> The only protocol at work here is 802.11, right? The one that can
> dodge same-channel interference but can NOT dodge spillover from
> adjacent channels?
> 
> Am I missing something?
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Wed, Aug 26, 2020 at 11:13 AM John Rodkey  wrote:
>> 
>> For many years I have consistently used channels 1, 6, and 11 as 
>> non-overlapping channels wherever 2.4Ghz is deployed.  I have a consultant 
>> who is suggesting using all 11 channels in our high density dorm situations, 
>> arguing that  signal interference will affect throughput less than the 
>> delays from protocols where the 3 channels are within hearing distance of 
>> each other.
>> 
>> This doesn't make sense to me.  If you in your situation have found using 
>> all 11 channels to be an effective solution vs the 3 channel non-overlapping 
>> approach, could you explain to me why you made that choice, and what your 
>> on-the-ground experience is with this configuration?
>> 
>> Thank you!
>> 
>> John Rodkey
>> Director of Servers and Networks
>> Westmont College
>> 
>> Verification: Unsure if this is a legitimate email to an email list? Make 
>> sure it is recorded at https://my.westmont.edu/it_emails
>> 
>> 
>> "God-fearing faith... is neither brash nor foolhardy and does not tempt 
>> God." - Martin Luther
>> 


Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

2020-08-19 Thread Philippe Hanset
As Tim mentioned, PEAP is fine and actually, in my opinion, the most OS-friendly 
EAP method (I define friendly as no complicated installer required and no EAP 
fragmentation issues) as long as you use a non-sensitive password. But who does 
that? And that is what hurts PEAP. There are now Wi-Fi hacking kits designed to 
collect passwords for WPA Enterprise. Canada has been pushing for their eduroam 
partners to use CAT to mitigate the problem since CAT enforces the certificate 
pinning and prevents users from accepting “anything” when presented with a 
fake certificate. 

We implemented campus-wide WEP at University of Tennessee back in 2000. Worst 
idea ever. Our CIO absolutely wanted security and we got the Lucent per user 
per session encryption. OS support fell apart. Worst idea ever. We then did MAC 
address registration using our homegrown netreg... that worked flawlessly for 
more than 10 years. We tried in the meantime 802.1X with the Odyssey client 
(from Funk back then). Thank goodness we kept it as a pilot within the IT 
department! Then slowly but surely OSes started to get their act together with 
EAP-TTLS (not in Windows for quite a while if you remember). Now we finally 
have PEAP working fine everywhere but we screw it up by using sensitive 
passwords, and EAP-TLS is the golden standard but requires a heavy duty 
installer. Something tells me that it will eventually get better. (just wait 20 
years :)

Philippe 

Philippe Hanset, CEO
ANYROAM LLC
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

On Aug 19, 2020, at 1:38 PM, Jeffrey D. Sessler  wrote:


For a student population that will only be with the institution for 4 years, 
and then spend the next 60 years using WiFi options with lower barriers and 
potentially a little more risk, are EDU’s getting it wrong? Are we too focused 
on something with low risk while ignoring other higher risk issues? At the 
point one needs complicated provisioning tools, your userbase sees only 
barriers, and then wonders why the other 99% of places they frequent don’t 
require such inconveniences.
 
The key is a _realistic_ risk assessment. There are plenty of examples outside 
of technology e.g. the lock on your doors, where it’s a given there are no 
silver bullets and we choose based on risk vs cost.  Do you spend thousands of 
dollars to put Bowley locks on your doors, or accept that in most situations, 
the $20 Kwikset locks are good enough?  As a bad actor, why would I spend time 
trying to compromise a WiFi network, when it’s far easier to send your 
organization phishing emails? Phishing can be done remotely and exploit the 
greatest weakness (humans).  A successful phish/compromise and I’m well past the 
front door, the expensive locks, and enjoying a beer from your refrigerator.
 
According to my eduroam guest reports, PEAP still dominates everything else at 
89.7% vs 8.3% for EAP-TLS and 1.97% for EAP-TTLS. I don’t know that I’d call 
that legacy, and while it does have weakness, how would one compare it to an 
institution that may not have the best security controls around their 
provisioning tools? A compromise of one’s provisioning tool, say because of 
admins using weak passwords and/or no MFA, may present a higher security risk 
than the use of PEAP.
 
Jeff
 
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Wednesday, August 19, 2020 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?
 
My old colleagues likely won’t be happy with me saying this, but given the 
industry changes, I think you should collectively pressure NAC vendors to make 
device provisioning part of the core product without the need for additional 
licensing (at least for EDU).
 

 
 
From: Tim Tyler
Sent: Wednesday, August 19, 2020 12:39
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?
 
Yes, I always find this conversation to be interesting.  There are many 
institutions that can’t afford an on-boarding solution.   Hence, the certs 
usually get ignored since most configurations are manual or semi-automatic.  
And my thought is that mac address registration would eliminate the 
vulnerability of user’s credentials via network authentication.  So this is 
something I keep thinking might be better than 802.1x if certs are going to get 
ignored anyways. 
  But the recent conversation on mac addresses potentially becoming dynamic 
will make me strongly hesitate on this thought.
Tim
 
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli
Sent: Wednesday, August 19, 2020 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates 
affecting 802.1X?
 
Correct, some versions of operating systems do not support a self-signed EAP
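
Added example, not part of the original thread: a small audit of wpa_supplicant-style 802.1X profiles for the two gaps discussed in the PEAP/CAT certificate-pinning message above and in the Android 11 server-certificate-validation PSA. The sample configuration, the `example.edu` names and the finding codes are constructed for this example.

```python
"""Audit wpa_supplicant-style 802.1X profiles for missing server validation."""
import re

# Constructed sample (not from the thread): three profiles for the same realm.
SAMPLE_CONF = '''
ctrl_interface=/run/wpa_supplicant

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="constructed-secret"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="constructed-secret"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="constructed-secret"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
'''

# wpa_supplicant options that bind the server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")
PASSWORD_METHODS = {"PEAP", "TTLS"}  # outer methods that tunnel a password

# Finding codes are this example's own labels, not wpa_supplicant output.
FINDINGS = {
    "no-ca": "no ca_cert/ca_path: the server certificate is not validated",
    "no-name-check": "CA set, no name match: any cert chaining to it is accepted",
    "password-at-risk": "password is tunnelled to a server that is not fully verified",
}


def parse_networks(text):
    """Return one dict of key/value options per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if re.fullmatch(r"network\s*=\s*\{", line):
                current = {}
            continue  # global options outside a block are ignored
        if line == "}":
            networks.append(current)
            current = None
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return finding codes for one profile; empty list means validated."""
    if "EAP" not in net.get("key_mgmt", "").upper() and "eap" not in net:
        return []  # not an 802.1X profile
    findings = []
    has_ca = "ca_cert" in net or "ca_path" in net
    has_name = any(opt in net for opt in NAME_CHECKS)
    # ca_cert="hash://server/sha256/<hex>" pins one exact server certificate.
    pinned_hash = net.get("ca_cert", "").startswith("hash://")
    if not has_ca:
        findings.append("no-ca")
    elif not has_name and not pinned_hash:
        findings.append("no-name-check")
    methods = set(net.get("eap", "").upper().split())
    if findings and methods & PASSWORD_METHODS and "password" in net:
        findings.append("password-at-risk")
    return findings


def audit_config(text):
    """Map each SSID in the configuration text to its list of finding codes."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, codes in audit_config(SAMPLE_CONF).items():
        print(ssid + ":", "OK" if not codes else "")
        for code in codes:
            print("   ", code, "-", FINDINGS[code])
```
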

Re: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Philippe Hanset
I forgot to finish one line

-I want eduroam for privileged access and other guests get free open-access 
with less resources. I will just use WPA3 Wi-Fi protected access for 
Open-Access, no hassle, encryption, no complicated roaming needed.

> On Aug 17, 2020, at 1:19 PM, Philippe Hanset 
> <005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Why not indeed ?
> 
> If I go back to my WLAN manager hat I would think:
> -Not everyone has an account with a commercial provider (and even if I do, my 
> kids do not)
> -I would like to give a different style of access to the EDU community in 
> General (I do not want thousands of lines of domains in my RADIUS 
> filters…this domain OK, this domain less OK, etc…)
> -Privacy is always a concern (Open-Roaming is in the hands of commercial 
> companies (WBA voting members)). Internet2 and eduroam Policies are very 
> protective of the EDU users for privacy purposes.
> -I have a small school and I’m not ready with Radsec and CUI (required for 
> Open-Roaming). Please give a gateway that does not force me to upgrade yet, I 
> do not have the budget, or the expertise.
> -I want eduroam for privilege access otherwise 
> 
> On the ANYROAM front, as Tim Cappalli Highlighted, Open-Roaming is not a 
> federation by itself. Everyone will still need an interconnection to join 
> Open-Roaming (not a standard BTW, a Cisco initiative that the WBA inherited).
> ANYROAM will be one of them, and there will be many others.
> 
> The same goes for Identities: you can have one from a school, or/and one from 
> an Internet or Phone provider. What if you want a neutral one that is not 
> related to a paid for service (School, Phone Company, Broadband …)
> Just like email that used to be connected to a service in its early stage, 
> there is a need for neutral provisioning (Hotmail, Gmail, etc.. did that for 
> email, there might be the same need for Wi-Fi access).
> 
> Time will tell :)
> 
> Philippe
> 
> Philippe Hanset, CEO
> www.anyroam.net
> Operator of eduroam-US
> +1 (865) 236-0770
> 
> 
> 
>> On Aug 17, 2020, at 11:56 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
>> 
>> Why not the other way around, and standardize on OpenRoaming, and have 
>> everything else become a member of it? Do we still need eduroam at that 
>> point? Do we care if the client device is using their ATT, Spectrum, or 
>> college credentials?
>>  
>> I’m reminded that in EDU we often fix problems nobody cared much about at 
>> the time e.g. eduroam, but as the world matures, and there are perhaps 
>> better alternatives, why not get out of the business?  There are costs to 
>> operate eduroam, and if it’s no longer strategic or different from other 
>> services e.g. OpenRoaming, why not put those resources into something that is 
>> strategic and a differentiator?  Why wouldn’t Internet2 and its members 
>> focus on adoption of OpenRoaming rather than a new and possibly duplicative 
>> service like anyroam? 
>>  
>> Jeff
>>  
>>  
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Philippe Hanset
>> Sent: Sunday, August 16, 2020 7:20 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?
>>  
>> At least for the US, we plan to have an Open-Roaming gateway at ANYROAM.
>> We became a member of the WBA for that purpose back in May 2020.
>>
>> The idea is to simplify connectivity for schools: you have one connection 
>> with ANYROAM, and all your roaming traffic 
>> is sorted by us (Open-Roaming, eduroam, Govroam, …). No need to turn your 
>> school’s RADIUS server into a complex gateway.
>>
>> We are working on a document that we will post at anyroam.net in a few weeks.
>>  
>> Thanks,
>>  
>> Philippe
>>  
>> Philippe Hanset, CEO
>> www.anyroam.net
>> Operator of eduroam-US
>> +1 (865) 236-0770
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On Aug 16, 2020, at 9:19 PM, Phill Solomon 
>> <0150915d379b-dmarc-requ...@listserv.educause.edu> wrote:
>>  
>> Hello all,
>>  
>> One of the items on the radar for us is OpenRoaming, is there anyone 
>> connected, or looking into connecting?
>>  
>> And if you are

Re: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Philippe Hanset
Why not indeed ?

If I go back to my WLAN manager hat I would think:
-Not everyone has an account with a commercial provider (and even if I do, my 
kids do not)
-I would like to give a different style of access to the EDU community in 
General (I do not want thousands of lines of domains in my RADIUS filters…this 
domain OK, this domain less OK, etc…)
-Privacy is always a concern (Open-Roaming is in the hands of commercial 
companies (WBA voting members)). Internet2 and eduroam Policies are very 
protective of the EDU users for privacy purposes.
-I have a small school and I’m not ready with Radsec and CUI (required for 
Open-Roaming). Please give a gateway that does not force me to upgrade yet, I do 
not have the budget, or the expertise.
-I want eduroam for privilege access otherwise 

On the ANYROAM front, as Tim Cappalli Highlighted, Open-Roaming is not a 
federation by itself. Everyone will still need an interconnection to join 
Open-Roaming (not a standard BTW, a Cisco initiative that the WBA inherited).
ANYROAM will be one of them, and there will be many others.

The same goes for Identities: you can have one from a school, or/and one from 
an Internet or Phone provider. What if you want a neutral one that is not 
related to a paid for service (School, Phone Company, Broadband …)
Just like email that used to be connected to a service in its early stage, 
there is a need for neutral provisioning (Hotmail, Gmail, etc.. did that for 
email, there might be the same need for Wi-Fi access).

Time will tell :)

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770



> On Aug 17, 2020, at 11:56 AM, Jeffrey D. Sessler  
> wrote:
> 
> Why not the other way around, and standardize on OpenRoaming, and have 
> everything else become a member of it? Do we still need eduroam at that 
> point? Do we care if the client device is using their ATT, Spectrum, or 
> college credentials?
>  
> I’m reminded that in EDU we often fix problems nobody cared much about at the 
> time e.g. eduroam, but as the world matures, and there are perhaps better 
> alternatives, why not get out of the business?  There are costs to operate 
> eduroam, and if it’s no longer strategic or different from other services 
> e.g. OpenRoaming, why not put those resources into something that is strategic 
> and a differentiator?  Why wouldn’t Internet2 and its members focus on 
> adoption of OpenRoaming rather than a new and possibly duplicative service 
> like anyroam? 
>  
> Jeff
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Philippe Hanset
> Sent: Sunday, August 16, 2020 7:20 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?
>  
> At least for the US, we plan to have an Open-Roaming gateway at ANYROAM.
> We became a member of the WBA for that purpose back in May 2020.
>
> The idea is to simplify connectivity for schools: you have one connection 
> with ANYROAM, and all your roaming traffic 
> is sorted by us (Open-Roaming, eduroam, Govroam, …). No need to turn your 
> school’s RADIUS server into a complex gateway.
>
> We are working on a document that we will post at anyroam.net in a few weeks.
>  
> Thanks,
>  
> Philippe
>  
> Philippe Hanset, CEO
> www.anyroam.net
> Operator of eduroam-US
> +1 (865) 236-0770
> 
> 
> 
> 
> 
> 
> 
> On Aug 16, 2020, at 9:19 PM, Phill Solomon 
> <0150915d379b-dmarc-requ...@listserv.educause.edu> wrote:
>  
> Hello all,
>  
> One of the items on the radar for us is OpenRoaming, is there anyone 
> connected, or looking into connecting?
>  
> And if you are connected are you using it as an extension for students / 
> staff or just for visitors?
>  
> Thanks in advance,
>  
> Kind regards,
>  
> Phill Solomon
> Senior Network Engineer
> IS - AV & Networks
> ICT Infrastructure Services, eSolutions
> Planned Leave: NA
>  
> 
>  
> Deakin University
> 301 Burwood Highway, Burwood
> VIC 3125, Australia.
> Phone: +61 3 924 46069
> E-mail: phill.solo...@deakin.edu.au
>  
> Deakin University CRICOS Provider Code 00113B
>  
> Important Notice: The contents of this email are intended solely for the 
> named addressee and are confidential; any unauthorised use, reproduction or 
> storage of the contents is expressly prohibited. If you have received this 
> email in error, please delete it and any attachments imm

Re: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-16 Thread Philippe Hanset
At least for the US, we plan to have an Open-Roaming gateway at ANYROAM.
We became a member of the WBA for that purpose back in May 2020.

The idea is to simplify connectivity for schools: you have one connection with 
ANYROAM, and all your roaming traffic 
is sorted by us (Open-Roaming, eduroam, Govroam, …). No need to turn your 
school’s RADIUS server into a complex gateway.

We are working on a document that we will post at anyroam.net in a few weeks.

Thanks,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






> On Aug 16, 2020, at 9:19 PM, Phill Solomon 
> <0150915d379b-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Hello all,
>  
> One of the items on the radar for us is OpenRoaming, is there anyone 
> connected, or looking into connecting?
>  
> And if you are connected are you using it as an extension for students / 
> staff or just for visitors?
>  
> Thanks in advance,
>  
> Kind regards,
>  
> Phill Solomon
> Senior Network Engineer
> IS - AV & Networks
> ICT Infrastructure Services, eSolutions
> Planned Leave: NA
>  
> 
>  
> Deakin University
> 301 Burwood Highway, Burwood
> VIC 3125, Australia.
> ( Phone: +61 3 924 46069 
> : E-mail: phill.solo...@deakin.edu.au 
> <mailto:phill.solo...@deakin.edu.au>
>  
> Deakin University CRICOS Provider Code 00113B
>  
> Important Notice: The contents of this email are intended solely for the 
> named addressee and are confidential; any unauthorised use, reproduction or 
> storage of the contents is expressly prohibited. If you have received this 
> email in error, please delete it and any attachments immediately and advise 
> the sender by return email or telephone.
> Deakin University does not warrant that this email and any attachments are 
> error or virus free.
>  
> 
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community <https://www.educause.edu/community>



Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-08-06 Thread Philippe Hanset
About EAP-TLS blocking ...
You do not need to revoke a cert (too painful indeed for operator and user). 
Chad wrote a hook for the Anyroam service that identifies the certificate’s 
fingerprint. So if a device misbehaves, you can just block the device via the 
certificate’s fingerprint. With one certificate per device, you end up with the 
same as a SIM card (or the good ol MAC address :)

Philippe Hanset, CEO
ANYROAM LLC
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

On Aug 6, 2020, at 11:29 AM, Turner, Ryan H  wrote:


The other issue comes in with blocking devices.  On open networks/PSK networks, 
this will make isolating bad devices really difficult.  We have relied on MAC 
address blocks for over a decade.  They work very well.  Yes, you can get a 
determined individual that can get past/change their MAC address.  But that is 
going to be a tiny fraction of cases, and MAC blocking is an effective way of 
blocking a bad device.
 
We require registration for our PSK network.  So the private MAC addresses will 
be blocked effectively there.  But we haven’t required registration on eduroam 
(our primary), because we have identity in the certificate.  We chose not to 
use OCSP (but we can), but if we revoke a cert, we have to also block the user 
from getting another certificate (2 steps, instead of one, which is why we have 
stayed with MAC blocking).  We could require folks to register for eduroam, but 
that is such a nasty thing to do to the users.   Gr.  Not an easy fix.
 
Ryan
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Thursday, August 6, 2020 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
 
I’ll also add that identity is what makes a private network private.  Yes, you 
can check identity at connection time then throw it away and still remain 
private, but that’s never been an option for us when designing services with 
our risk, legal and info security departments.
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Julian Y Koh
Sent: Thursday, August 06, 2020 10:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
 
On Aug 6, 2020, at 09:51, Enfield, Chuck  wrote:
 
How can we fulfill DMCA requirements when we can’t even identify a device, let 
alone the user?  If you want to remain anonymous, use a different network.
 
IANAL, and I don’t even play one on TV, but my admittedly old understanding of 
the DMCA is that it’s not necessarily mandating that you have to be able to 
identify every single device on your network.  Indeed, some institutions’ 
responses to DMCA notices have been that they don’t have the necessary 
information to be able to take action.  So IMO, assuming (which is dangerous) 
that I’m correct, that if MAC randomization puts an undue burden and/or large 
obstacles on your ability to track down a device/user and cut it off from the 
network, the DMCA alone shouldn’t be seen as a mandate to try to disable MAC 
randomization.  

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology
 
2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>
 


Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-08-06 Thread Philippe Hanset
For local users with 802.1X you can disable username authentication, and for 
roaming users with 802.1X, hopefully CUI (Chargeable User Identity) will become 
more mainstream and you can block by CUI (needs to be supported in RADIUS).
MAC address was never designed to identify, but we all found it very useful 
for that purpose :)... time to change!

Philippe Hanset, CEO
ANYROAM LLC
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

On Aug 6, 2020, at 11:03 AM, Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:


And you can continue to do that with the randomized MAC and tell them you took 
action against the device identifier that was presented at the time in 
question. Nothing changes in that regard 
 
Julian’s response is my understanding as well.
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, August 6, 2020 at 11:00
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

We could always take down a device by MAC address.  It was weak, but it allowed 
us to say we did something.
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Thursday, August 06, 2020 10:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
 
Not sure how this really changes anything if you never had a strong user 
identity in the first place.
 
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, August 6, 2020 at 10:51
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

How can we fulfill DMCA requirements when we can’t even identify a device, let 
alone the user?  If you want to remain anonymous, use a different network.
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Thursday, August 06, 2020 10:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
 
Yikes. I hope network operators are not asking users to disable user privacy 
protections. That is a slippery slope.
 
tim
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, August 6, 2020 at 10:40
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Was sent this link yesterday, might help some.
 
https://community.cisco.com/t5/security-documents/random-mac-address-how-to-deal-with-it-using-ise/ta-p/4049321
 
 
Blake Brown
Infrastructure Manager - MHCC
 
 
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Norman Elton 

Sent: Thursday, August 6, 2020 5:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...
 

>> I have heard that on the latest beta that came out Tuesday the randomization 
>> will only happen once per SSID and not change as well.
 
Oh? We will definitely be testing that. Can you share your source? My phone is 
still on Beta 3, and I don't have an update available for Beta 4 yet. I suppose 
I have to wait for my ticket to ride.
 
Thanks for the tip,
 
Norman
 
On Thu, Aug 6, 2020 at 6:55 AM Walter Reynolds  wrote:
I have heard that on the latest beta that came out Tuesday the randomization 
will only happen once per SSID and not change as well.


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438
 
On Wed, Aug 5, 2020, 9:09 PM Norman Elton  wrote:
>> Depending on your tolerance for the disruption you could implement a network 
>> access policy blocking access to the
>> range of local MAC's and intercept with a captive portal with instructions 
>> on how to turn this off. However, I can't imagine
>> this being sustainable.
 
Newer Androids use the same MAC address range for their randomization 
algorithm. Unlike iOS, however, their MAC address is randomized once per SSID, 
and doesn't change over time. We already see a large number of private MAC 
addresses on our campus; I anecdotally confirmed a handful of them are Android 
users, and confirmed the MAC remains consistent.
 
Long story short, if you're looking to restrict randomized MAC addresses, or 
even report on their usage, you'll find more than just iOS users :-/
 
There is a fine line between "troubleshooting" and "tracking". Unfortunately, 
preventing malicious tracking is going to impact our helpful troubleshooting. 
As an EAP-TLS campus, we're going to attempt to de-dupe the randomized MAC 
addresses using the certificate serial number. This way, if someone calls on 
Monday to complain about a problem on Saturday, at least we have someplace to 
start.
 
Norman
 
 
On Mon, Aug 3, 2020 at 10:28 AM John Turner  wrote:
Update on my testing. 
 
I created an 802.1X network and connected my ios14 phon
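
The two certificate-based approaches raised in this thread, de-duplicating randomized MAC addresses by certificate serial number and blocking a misbehaving device by certificate fingerprint instead of by MAC, shown as an added example (not code from any poster or from the ANYROAM service). The log layout, serial numbers and certificate bytes are constructed assumptions.

```python
import hashlib
from collections import defaultdict


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint: the hash of the certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set. Randomized (private)
    MAC addresses are drawn from this locally administered range."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


# Constructed stand-ins for two devices' client certificates (not real DER).
CERT_A = b"constructed-client-cert-device-A"
CERT_B = b"constructed-client-cert-device-B"

# Constructed EAP-TLS authentication records: time, MAC, cert serial, fingerprint.
# The field layout is an assumption; adapt parse_records() to your RADIUS log.
SAMPLE_LOG = "\n".join([
    f"2020-08-01T09:12:03Z mac=3a:5f:11:9c:20:01 serial=4F2A01 fp={fingerprint(CERT_A)}",
    f"2020-08-02T14:40:51Z mac=d6:02:7b:44:e1:9a serial=4F2A01 fp={fingerprint(CERT_A)}",
    f"2020-08-03T08:05:17Z mac=7e:c9:30:a8:55:10 serial=4F2A01 fp={fingerprint(CERT_A)}",
    f"2020-08-03T08:07:44Z mac=f4:5c:89:12:34:56 serial=4F2B77 fp={fingerprint(CERT_B)}",
])


def parse_records(text):
    """Turn 'timestamp key=value ...' lines into dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        records.append({"time": timestamp, "mac": fields["mac"].lower(),
                        "serial": fields["serial"], "fp": fields["fp"].lower()})
    return records


def group_by_certificate(records):
    """Collapse records onto one entry per certificate serial number.
    With more than one issuing CA, key on (issuer, serial) instead."""
    devices = defaultdict(lambda: {"macs": [], "first_seen": None, "last_seen": None})
    for rec in sorted(records, key=lambda r: r["time"]):  # ISO timestamps sort as text
        dev = devices[rec["serial"]]
        if rec["mac"] not in dev["macs"]:
            dev["macs"].append(rec["mac"])
        dev["first_seen"] = dev["first_seen"] or rec["time"]
        dev["last_seen"] = rec["time"]
    return dict(devices)


def history_for_mac(records, mac):
    """Every record of the device that at some point presented `mac`."""
    serials = {r["serial"] for r in records if r["mac"] == mac.lower()}
    return [r for r in records if r["serial"] in serials]


def authorize(record, blocked_fingerprints):
    """Reject by certificate fingerprint, whatever MAC the device presents."""
    return "reject" if record["fp"] in blocked_fingerprints else "accept"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for serial, dev in group_by_certificate(recs).items():
        private = sum(is_locally_administered(m) for m in dev["macs"])
        print(serial, len(dev["macs"]), "MACs,", private, "private,",
              dev["first_seen"], "to", dev["last_seen"])
    blocked = {fingerprint(CERT_A)}
    print([authorize(r, blocked) for r in recs])
```
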

Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

2020-07-20 Thread Philippe Hanset
Passpoint solves some issues (less SSIDs, encryption, instant access) and then 
it brings other issues like Privacy and authentication pains
(certificate expiration, loss of credentials)

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






> On Jul 20, 2020, at 9:42 PM, Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> 
> There has been an exponential increase in Passpoint rollouts in the past 18 
> months, on both the network infrastructure side as well as clients.
>  
> Ping your vendor. The more people talk about it (and ask for it), the faster 
> it will be adopted and rolled out.
>  
> tim 
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Date: Monday, July 20, 2020 at 21:39
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 
> - Special issue (#2020-88)
> 
> Passpoint solves all of these issues.
>  
> Tim
>  
> Count me in the fan bucket when widely deployed.  But when will that be I 
> wonder?  MAC rotation increases in a few months.
>  
> I recognize institutions have different relations with their guests.  For 
> ours the friction/intrusiveness of onboarding processes was considered too 
> high a cost.  I know I would not want to run another institution’s software on 
> my device to onboard it to their Wi-Fi (and for some it is prohibited).
>  
> 
> --
> William Green, Director of Networking and Telecommunications
> The University of Texas at Austin | ITS | 512-475-9295 | 
> gr...@austin.utexas.edu <mailto:gr...@austin.utexas.edu>
>  
>  



Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Philippe Hanset
Somewhat related to this thread, if you are planning to switch to EAP-TLS, 
please consider using ECC (Elliptic Curve Cryptography, small certs) 
Certificates.
They make EAP-TLS much more compatible when authentications cross many network 
devices (related MTU size issues), especially if you do not control those 
devices.
We have had many failed authentications on eduroam with EAP-TLS (using 2048-bit 
certs) due to MTU mismatch on network devices across the entire federation.

Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770

> On May 27, 2020, at 8:16 AM, Turner, Ryan H  wrote:
> 
> My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
> or anything else.  Actually, that does bring a wrinkle into my previous 
> email.  If PEAP and TLS both exist, I am going to guess there will be more 
> prompts or issues with a private CA (perhaps) 
> 
> Ryan Turner
> Head of Networking, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
> 
>> On May 26, 2020, at 8:21 PM, Hurt,Trenton W.  
>> wrote:
>> 
>> 
>> I’m also doing unmanned eap peap (yes I know all the security reasons 
>> against this)  if I don’t use public signed ca will byod devices be able to 
>> connect via eap peap with that private cert? 
>> 
>> Trent Hurt
>> 
>> University of Louisville
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  on behalf of Turner, Ryan H 
>> 
>> Sent: Tuesday, May 26, 2020 8:10 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change
>>  
>> You are likely totally hosed.  In fact, you should consider abandoning 
>> public CAs entirely when you re-do this.   Throughout the years, I’ve 
>> counseled a lot of schools about TLS deployments, and I cautioned strongly 
>> against using public CAs for this exact reason.  You have no control, and 
>> your CA can totally hose you, as you can see.
>>  
>> There is no way around this if the CA will not cooperate.   You should talk 
>> to your active directory folks.  They should spin up a new offline private 
>> CA root, then intermediary, then issue your RADIUS servers from the 
>> intermediary.  The  expiration should be many years.
>>  
>> OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
>> certificates.  In any event, get off the public CAs.
>>  
>> Ryan
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Hurt,Trenton W.
>> Sent: Tuesday, May 26, 2020 5:36 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change
>>  
>> I have both eap peap and eap tls setup and working.  My radius server cert 
>> is going to expire soon.  I have received new one from public ca.  It works 
>> fine for eap peap clients.  But for my existing eap tls clients they all 
>> fail auth when I switch to this new updated rad cert.  I see that my public 
>> ca has issued this new cert using different root ca than my old one (the 
>> one that is install/config on my securew2 app in the cloud).  Securew2 has 
>> told me that users will have to onboard again once I change the cert on 
>> clearpass and update the cloud app since public ca changed root ca on cert 
>> chain.  I asked my public ca if they could reissue using the other root ca 
>> so my eap tls clients will still work once I do the change.  They have told 
>> me that shouldn’t need reissue as the old root ca (one tls clients currently 
>> use) because my new cert root ca is cross signed by the old root ca.  They 
>> told me that I should be able to use this new one but I still can’t seem to 
>> get things working correctly.  Anyone who is using securew2 had issues like 
>> this with root ca changing and clients forced to reonboard?  I’m not really 
>> pki person so if there is some way I could chain these or something.  Just 
>> looking for way to update the rad cert on servers and not have to force all 
>> my onboard clients to have to go thru that process once I make the change.
>>  
>>  

Recent GNU-TLS patch, no more support for SHA-1, aargh!

2020-02-25 Thread Philippe Hanset
All,

We have been struggling with a recent patch from Ubuntu that broke encrypted 
connections
between some of our internal servers.

Long story short: Ubuntu now uses GNU-TLS and the latest security patch has 
removed support for SHA-1.
Error messages in Ubuntu or in LDAP were not explicit enough to make it obvious.

Some of you may face this issue between RADIUS and LDAP (still used quite a bit 
for 802.1X).
This issue will most likely affect internally issued infrastructure 
certificates!

Fix: Do not patch GNU-TLS (is this a good idea?) or recreate your ROOT CA to 
support SHA-2 family

Hope this helps. Chad (ANYROAM’s CTO) pulled whatever hairs he had left on this 
one, so we felt like sharing :)

If you have more info on this, please share.

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770

GPG key id: 0xF2636F9C
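
To find which certificates in an internally issued chain still carry a SHA-1 signature, the following added example (not from the original post) reads the signature algorithm of every certificate in a PEM bundle using only the Python standard library. The sample bundle is a constructed, certificate-shaped DER skeleton, not a real certificate chain.

```python
import base64
import re

# Standard signature-algorithm OIDs and whether the digest is SHA-1.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(data, offset):
    """Decode one DER element at `offset`; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(data[offset:offset + count], "big")
        offset += count
    end = offset + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[offset:end], end


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:           # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)     # first two arcs share one encoded value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(body, 0)            # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, after_tbs)       # AlgorithmIdentifier
    tag, oid_body, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def audit_bundle(pem_text):
    """Return (position, algorithm, is_sha1) per certificate in the bundle.
    is_sha1 is None for an OID outside SIG_ALGS: review those by hand."""
    findings = []
    for index, match in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(match.group(1).split()))
        oid = signature_algorithm(der)
        name, is_sha1 = SIG_ALGS.get(oid, (oid, None))
        findings.append((index, name, is_sha1))
    return findings


# --- constructed sample input (certificate-shaped, not real certificates) ---
def der_encode(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def constructed_cert(oid_hex):
    tbs = der_encode(0x30, b"\x00" * 200)          # placeholder tbsCertificate
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    sig = der_encode(0x03, b"\x00" * 33)           # placeholder signature
    return der_encode(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Position 0: SHA-256 signed server certificate; position 1: SHA-1 signed CA.
SAMPLE_BUNDLE = (to_pem(constructed_cert("2a864886f70d01010b"))
                 + to_pem(constructed_cert("2a864886f70d010105")))

if __name__ == "__main__":
    for index, name, is_sha1 in audit_bundle(SAMPLE_BUNDLE):
        print(index, name, "SHA-1: reissue" if is_sha1 else "ok")
```
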









Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network

2020-01-10 Thread Philippe Hanset
Hello Craig,

Thanks for your comments.
Our main philosophy with the ANYROAM guest system is security and simplicity 
(no password-only certs, one config per device for one year).
ANYROAM-guest can also be enabled per institution (opt-in) (unlike eVA unless 
you customize at the NRO level).
Most importantly you get one Certificate per year and (hopefully ;) that 5 
minutes of painful configuration can be used at many locations many times for 
that one year!
Both eVA and ANYROAM have the advantage of being one identifier good at many 
locations, which differs from vendor based Guest Access. Probably a good thing 
in a town with many campuses,
but not so advantageous in a more rural setup, unless local shops adopt the 
eduroam SSID or RCOI (we have a good example of this at Blacksburg, Virginia,
where a local ISP has adopted eduroam and ANYROAM across town…really nice!…6000 
eduroamers every day going in local shops!!!)

With the emergence of Hotspot2.0 and the various RCOI the Guest Access 
Discussion will take some interesting turn for sure. We are preparing our 
eduroam-NRO software
platform to handle some of those challenges... to be continued :)

Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770

GPG key id: 0xF2636F9C


> On Jan 9, 2020, at 1:39 PM, Craig Simons  wrote:
> 
> Philippe,
>  
> I’ve looked at the ANYROAM material, and also the CANARIE run “eVA” 
> initiative (https://www.canarie.ca/identity/eduroam/eduroam-visitor-access/ 
> <https://www.canarie.ca/identity/eduroam/eduroam-visitor-access/>) which is 
> along the same lines here in Canada. The advantage of using either of these 
> two systems is that they are already up and running, have some measure of 
> support attached to them, and are free. However, we do have a great deal of 
> capability with our Aruba ClearPass platform, which depending on how we 
> design our guest/visitor service might be administratively easier from a 
> “single pane of glass” perspective.
>  
> But I must say, for those without an existing guest management platform, 
> ANYROAM (and eVA) should definitely be given consideration.
>  
> Thanks for your feedback!
> Craig
>  
> Craig Simons
> Network Operations Manager
> Simon Fraser University | Water Tower 224
>  University Dr., Burnaby, B.C. V5A 1S6
> T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices 
> <http://www.sfu.ca/itservices>
>  
> 
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Philippe Hanset 
> <005cd62f91b7-dmarc-requ...@listserv.educause.edu 
> <mailto:005cd62f91b7-dmarc-requ...@listserv.educause.edu>>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Date: Wednesday, January 8, 2020 at 1:37 PM
> To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network
>  
> Hello Craig, 
>  
> Have you tested the ANYROAM guest service ?
> (It’s free and runs on the eduroam SSID … specifically designed for parents 
> etc… same functionality as eduroam but relies on phone number for 
> authentication)
> About 40-50 schools use it.
> https://www.anyroam.net/node/6808 <https://www.anyroam.net/node/6808>
>  
>  
> You can check the way it works at www.anyroam.net <http://www.anyroam.net/> 
> …under ANYROAM :)
>  
> Let me know if you have questions,
>  
> Philippe
>  
>  
> Philippe Hanset, CEO
> www.anyroam.net <http://www.anyroam.net/>
> Operator of eduroam-US
> +1 (865) 236-0770
> 
> GPG key id: 0xF2636F9C
> 
>  
>  
> 
> 
> On Jan 8, 2020, at 3:41 PM, Craig Simons  <mailto:craigsim...@sfu.ca>> wrote:
>  
> Fellow peers, 
>  
> Simon Fraser University is planning on deploying a guest network to 
> supplement our existing eduroam service. We are anticipating this service to 
> be used by parents, short term contractors, and the general public. 
> Obviously, we are mindful of how opening up our networks to a wider range of 
> users may present security and support challenges despite the benefits it 
> brings. To gain a better understanding from those who’ve perhaps done this 
> before, I’ve created a very short survey. I would greatly appreciate if you 
> would consider taking 3-4 minutes of your time to have a look (even if your 
> institution doesn’t have a guest network!). I am hoping your experiences will 
> help shape how we approach the design of the service.
>  
> After a week or two I will summarize the results and post to the group, so 
> the

Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network

2020-01-08 Thread Philippe Hanset
Hello Craig,

Have you tested the ANYROAM guest service ?
(It’s free and runs on the eduroam SSID … specifically designed for parents 
etc… same functionality as eduroam but relies on phone number for 
authentication)
About 40-50 schools use it.
https://www.anyroam.net/node/6808


You can check the way it works at www.anyroam.net 
…under ANYROAM :)

Let me know if you have questions,

Philippe


Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770

GPG key id: 0xF2636F9C




> On Jan 8, 2020, at 3:41 PM, Craig Simons  wrote:
> 
> Fellow peers,
> 
> Simon Fraser University is planning on deploying a guest network to 
> supplement our existing eduroam service. We are anticipating this service to 
> be used by parents, short term contractors, and the general public. 
> Obviously, we are mindful of how opening up our networks to a wider range of 
> users may present security and support challenges despite the benefits it 
> brings. To gain a better understanding from those who’ve perhaps done this 
> before, I’ve created a very short survey. I would greatly appreciate if you 
> would consider taking 3-4 minutes of your time to have a look (even if your 
> institution doesn’t have a guest network!). I am hoping your experiences will 
> help shape how we approach the design of the service.
> 
> After a week or two I will summarize the results and post to the group, so 
> the more the merrier! 
> 
> https://www.surveymonkey.com/r/8CV82TV 
> <https://www.surveymonkey.com/r/8CV82TV>
> 
> Thanks!
> 
> Craig Simons
> Network Operations Manager
> 
> Simon Fraser University | Strand Hall
>  University Dr., Burnaby, B.C. V5A 1S6
> T: 778.782.8036 | M: 604.649.7977
> 
>










Re: [WIRELESS-LAN] Theater wifi - to have or not to have

2019-10-22 Thread Philippe Hanset
I designed a bunch of auditorium and theaters’  Wi-Fi during my days at Univ. 
of TN.

If you do it, do it well, or don't do it at all. Otherwise it will cost you in 
support/complaints/reputation.

And get with the sound system people of those large venues before you lay your 
spectrum!


Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770

GPG key id: 0xF2636F9C


> On Oct 22, 2019, at 3:08 PM, Coehoorn, Joel  wrote:
> 
> Add one counter-opinion. I tend to believe you **WILL** want coverage here, 
> and probably very soon; it's just what modern students expect.  But at the 
> same time, this can be a very costly project just because "someone will need 
> it someday".
> 
> **DO** add the switching and network drops to support the APs you'll need to 
> provide coverage. That part will be fairly cheap now, but grossly more 
> expensive afterwards. And **DO** have a bid in front of project planners to 
> handle the AP purchase, licensing, and installation. It's likely they'll make 
> the jump...
> 
> ... but let those stakeholders make the decision.
> 
> We had a project recently where we raised some funds to install new bleachers 
> and do a cosmetic refresh (paint and carpet) in a gym. I suggested that while 
> the old bleachers were gone was a good time to improve wifi support in the 
> building and gave a cost estimate to the project planners. They opted to do 
> the wifi updates, but it was their decision.
> 
> 
> Joel Coehoorn
> Director of Information Technology
> 402.363.5603
> jcoeho...@york.edu <mailto:jcoeho...@york.edu>
> 
> Please contact helpd...@york.edu <mailto:helpd...@york.edu> for technical 
> assistance.
> 
> The mission of York College is to transform lives through Christ-centered 
> education and to equip students for lifelong service to God, family, and 
> society
> 
> 
> On Tue, Oct 22, 2019 at 1:36 PM Johnson, Christopher  <mailto:cbjo...@ilstu.edu>> wrote:
> Put it in while you can indeed to what Michael said. And funny point about 
> the “student expectation at times is unrealistic” as my co-worker overheard a 
> girl saying recently the “Wi-Fi” sucks, when her friend asked her why, it was 
> because it drops off under a 4 direction walk-way under-pass beneath an 
> intersection….
> 
>  
> 
> Christopher Johnson
> 
> Wireless Network Engineer
> 
> AT Infrastructure Operations & Networking (ION)
> 
> Illinois State University
> 
> (309) 438-8444
> 
> Stay connected with ISU IT news and tips with @ISU IT Help on Facebook 
> <https://www.facebook.com/ISUITHelp/> and Twitter 
> <https://twitter.com/ISUITHelp>
> From: Johnson, Christopher 
> Sent: Tuesday, October 22, 2019 1:33 PM
> To: The EDUCAUSE Wireless Issues Community Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: RE: [WIRELESS-LAN] Theater wifi - to have or not to have
> 
>  
> 
> Same situation as with what Thomas Carter ran into.
> 
>  
> 
> We ran into the same situation a few years ago -> currently have one AP in 
> the concert hall seating area and one in the theatre seating area (the 
> concert hall AP is up in the cat-walk and does a surprisingly good amount of 
> coverage/reflection around the area down below) -> because the rooms are used 
> for more than just theatre/performances – sometimes for classes and others 
> for important presentations/presenters. We were asked by a couple individuals 
> “can we just say no to Wifi” in those areas during campus upgrade. We did add 
> several additional APs in the atrium area for where students study and the 
> back-stage areas for performers when taking their breaks. It was ultimately 
> decided no additional density due to cost (new work in old work).
> 
>  
> 
> To the point about “distractions during performances and 
> presentations/“people would be using devices instead of watching the 
> performances” -> we got complaints again about Wi-Fi in the concert hall – 
> and one of the IT folks brought up a very good and interesting point “I think 
> several around me were more distracted by continual efforts to get a good 
> connection because that is what the expectation is these days.  And the rest 
> were just flipped over to cell probably without knowing it.”
> 
>  
> 
> Christopher Johnson
> 
> Wireless Network Engineer
> 
> AT Infrastructure Operations & Networking (ION)
> 
> Illinois State University
> 
> (309) 438-8444
> 
> Stay connected with ISU IT news and tips with @ISU IT Help on Facebook 
> <https://www.facebook.com/ISUITHelp/> and Twitter 
> <https://twitter.com/ISUITHelp>
> From: The EDUCAUSE Wir

Re: [WIRELESS-LAN] eduroam ssid on RTS

2018-08-20 Thread Philippe Hanset
Hunter,

You are correct.
I was comparing 802.1X without a Web portal (à la eduroam) to a Web based SSID 
with a portal and a timeout.
(which is what I have seen in buses with Wi-Fi very often)
Many OSes will not switch your Internet routing in your phone to Wi-Fi unless 
access to the Internet is detected. 
The unfortunate Splash page, in this case, could be the saving grace to 
unwanted “join” while the bus is moving along.

I guess for this particular case, it might be a “good” idea to have a splash 
page for eduroam :(

Wi-Fi doesn’t seem to be a good idea for this kind of Mobile Connectivity in an 
urban area (it seems fine for a highway, or a rural area)

There was another famous story like that with a Campus in London located right 
above the subway… and believe it or not, the campus AP next to the subway
would see tons of authentications every time a train was stopping, depleting 
DHCP leases on the guest network. Same problem, different moving targets :) 

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C


> On Aug 17, 2018, at 5:21 PM, Hunter Fuller  wrote:
> 
> On Fri, Aug 17, 2018 at 2:45 PM Philippe Hanset 
> <005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:
> I wouldn't use 802.1X for that project, and that is coming from the eduroam 
> guys :(
> 
> if using 802.1X (eduroam or local) in the bus… even people with decent data 
> plans that could use their own will automatically join your hotspot since 
> Wi-Fi is usually preferred by devices, making it
> not so usable for the people who really need it. Those people will have to 
> manually disable Wi-Fi to force their device on LTE.
> 
> Philippe - I'm not sure about the association between 802.1X and this 
> problem. Seems to me like any popular SSID would have the same issue, no? If 
> it is a bus full of students, they would all automatically associate, 802.1X 
> or not, right? 
> -- 
> 
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
> 





Re: [WIRELESS-LAN] eduroam ssid on RTS

2018-08-17 Thread Philippe Hanset
Nancy,

A few more thoughts about your project ...

This can be useful for:

-foreign visitors, because most of them do not have data plans in the US, or if 
they do it is quite expensive
(when I went to a conference in Ireland I was pleased to have free Wi-Fi in 
buses)
-Poorly covered areas where that bus becomes the only decent connectivity 
available 
 (so, if this is the case, make sure to pick a LTE/4G provider that has great 
coverage, great throughput, and large data quotas :)

If the bus crosses mostly urban areas with nice coverage and your students have 
on average really good cellular data plans, it might be wasteful!
Do you have a large population of Foreign Students/Faculty?

I wouldn't use 802.1X for that project, and that is coming from the eduroam 
guys :(

if using 802.1X (eduroam or local) in the bus… even people with decent data 
plans that could use their own will automatically join your hotspot since Wi-Fi 
is usually preferred by devices, making it
not so usable for the people who really need it. Those people will have to 
manually disable Wi-Fi to force their device on LTE.

Also, while the bus is driving around town, even people outside the bus will 
join it (the nature of 802.1X).
This could be a mess!

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C







> On Aug 17, 2018, at 3:24 PM, Watson,Nancy A  wrote:
> 
> Thanks for your reply.  I do want to know how others are doing this and if it 
> was successful.  We are concerned about overage charges and the quality of 
> the wireless vs  using their cellphone 4G connection. 
> 
> Nancy
> 
> 
>  Nancy Watson   
>  Engineer, Network Services - UFIT
>   
>  nwat...@ufl.edu <mailto:nwat...@ufl.edu>, (352) 273-1057 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Osborne, Bruce W 
> (Network Operations) <bosbo...@liberty.edu>
> Sent: Friday, August 17, 2018 7:27 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] eduroam ssid on RTS
>  
> We are an Aruba shop. For several years we have been using Aruba’s remote 
> access points on athletic highway coaches with a 4G backhaul through the 
> vendor installed cradlepoint router. The APs also support 4G USB sticks 
> though. The main issues in our case initially was bandwidth overage charges.  
>  
> We are not an EDUROAM customer but the APs terminate over an IPsec tunnel to 
> our controllers like they are on campus. I know this is not the Cisco 
> solution you were looking for.
>  
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  
>  (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Watson,Nancy A [mailto:nwat...@ufl.edu] 
> Sent: Thursday, August 16, 2018 8:10 AM
> Subject: eduroam ssid on RTS
>  
> ​I am involved in a joint project with RTS to run eduroam on  the city buses 
> that pass through our campus to service the students.  We are currently a 
> Cisco Shop and I was curious if anyone has done anything like this with Cisco 
> or any other vendor.
>  
> Thanks,
> Nancy
>  Nancy Watson   
>  Engineer, Network Services - UFIT
>   
>  nwat...@ufl.edu <mailto:nwat...@ufl.edu>, (352) 273-1057 





Re: [WIRELESS-LAN] eduroam ssid on RTS

2018-08-16 Thread Philippe Hanset
Hello Nancy,

eduroam in a bus, this is exciting! 

3 things that come to my mind as far as eduroam is concerned for your design:

1) Not helpful, more of a heads up:  The connector agreement with Internet2  
asks to not connect Wi-Fi networks that you don't own/control (in this case you 
are running the APs, so it is complicated).
The main intention of that statement in the contract is to make sure that you 
can access logs in case of abuse/DMCA and that those logs are respected as far 
as privacy of users is concerned (GDPR etc…), and that locations
don’t start connecting everyone and anyone in the neighborhood or beyond.
So, when you connect infrastructure make sure that it is or it stays under your 
control and ownership.

2) If you want to remove the responsibility of connecting those 
experiments/unusual infrastructure connect them directly to us (ANYROAM). 
Anyone connecting their Wi-Fi  as SP-only (Service Provider Only, your Wi-Fi 
only) incurs no charge. The other beauty of connecting directly to us, we will 
send you usage reports about the bus independently from UFL.
This said, in your case, because so many students of UFL will be on that bus, 
it makes more sense to connect it to your own RADIUS servers for latency and 
shortest path. So much for 1) and 2) …but I had to explain the reasoning :)

3) So, if you decide that you prefer to handle this locally, no problem, we 
can still send you independent reports! If you are interested in that feature 
(we are developing this feature right now), stamp your requests coming from the 
bus with a different operator-name. You can do this either in your Wi-Fi 
controllers or your RADIUS servers. Stamp it with 1bus.ufl.edu 
(basically 1*.ufl.edu). 1flu.edu is your main Operator-Name.

This idea of stamping with a sub-realm in the Operator-name is the same for all 
eduroam operators in the US. If you want to differentiate various service 
locations in your reports, you will be able to do this in the future.
It will appear in your Bar chart as a bar with different colors within the bar 
for each sub-Operator (so don't have too many or it will be unreadable!).

If you have cool eduroam locations that you have enabled please share with us.
(e.g. in the town of Blacksburg, VA, next to Virginia Tech, a local ISP (GoGig) 
has turned eduroam on across town. We have seen a peak usage of 7800 devices in 
a day…amazing!)

Hope this helps,

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Aug 16, 2018, at 8:09 AM, Watson,Nancy A  wrote:
> 
> ​I am involved in a joint project with RTS to run eduroam on  the city buses 
> that pass through our campus to service the students.  We are currently a 
> Cisco Shop and I was curious if anyone has done anything like this with Cisco 
> or any other vendor.
> 
> Thanks,
> Nancy
>  Nancy Watson   
>  Engineer, Network Services - UFIT
>   
>  nwat...@ufl.edu <mailto:nwat...@ufl.edu>, (352) 273-1057 
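
Added example (not part of the original message, and not ANYROAM's or eduroam's own code): one way a RADIUS front end could choose the Operator-Name stamp described in point 3 and roll a request log up by sub-operator. The realm example.edu, the bus AP subnet 10.99.0.0/24 and all function names are assumptions; the leading "1" is the REALM namespace ID that Operator-Name values carry (RFC 5580).

```python
import ipaddress
from collections import Counter

MAIN_REALM = "example.edu"            # assumption: the operator's main realm
REALM_NAMESPACE = "1"                 # RFC 5580 namespace ID for REALM
SUB_OPERATORS = {                     # assumption: NAS subnet -> sub-realm label
    ipaddress.ip_network("10.99.0.0/24"): "bus",
}


def operator_name_for(nas_ip: str) -> str:
    """Return the Operator-Name to stamp on a request coming from this NAS."""
    addr = ipaddress.ip_address(nas_ip)
    for net, label in SUB_OPERATORS.items():
        if addr in net:
            return f"{REALM_NAMESPACE}{label}.{MAIN_REALM}"
    return f"{REALM_NAMESPACE}{MAIN_REALM}"


def parse_operator_name(value: str) -> str:
    """Strip the namespace ID and return the realm in lowercase.

    Values that do not start with the REALM namespace ID are rejected, so a
    controller that sends a bare realm is noticed instead of being miscounted.
    """
    if len(value) < 2 or value[0] != REALM_NAMESPACE:
        raise ValueError(f"not a REALM-namespace Operator-Name: {value!r}")
    return value[1:].lower().rstrip(".")


def rollup(operator_names, main_realm: str = MAIN_REALM) -> dict:
    """Count requests per sub-operator of main_realm.

    The suffix match includes the dot, so "notexample.edu" is not mistaken
    for a sub-operator of "example.edu".
    """
    counts = Counter()
    suffix = "." + main_realm
    for value in operator_names:
        try:
            realm = parse_operator_name(value)
        except ValueError:
            counts["(invalid)"] += 1
            continue
        if realm == main_realm:
            counts["(main)"] += 1
        elif realm.endswith(suffix):
            counts[realm[: -len(suffix)]] += 1
        else:
            counts["(other operator)"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed NAS addresses: two bus APs and one campus controller.
    stamped = [operator_name_for(ip) for ip in ("10.99.0.7", "10.99.0.8", "10.20.1.5")]
    print(stamped)
    print(rollup(stamped + ["1notexample.edu", "bus.example.edu"]))
```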



Re: [WIRELESS-LAN] Your eduroam semi-annual report

2018-07-06 Thread Philippe Hanset
Ok, Stephanie is already on it  :)

As a last request, please update your Contact Info at www.eduroam.us. 
Our main task this last week has been
to chase many of the eduroam peers and beg them to update their info (so 
many bounced email addresses)

Thanks,

Philippe




> On Jul 6, 2018, at 12:24 PM, Philippe Hanset 
> <005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Jerry,
> 
> Thanks for the feedback. 
> We have been digesting these reports for about a year now and rejects per MAC 
> was on our agenda.
> 
> We had two issues with that one: 
> -Storing failed authentications is really overwhelming for our Top Level 
> Servers (we might have storage issues .. there is a lot of nasty stuff in 
> those failed attempts :)
> -Calling-Station-ID (MAC address) is not always reliable…some of you don't 
> send it, and some have different formats for the same MAC address (if you 
> have two Wi-Fi vendors on campus)
> 
> But, with all the feedback we will look into it again.
> 
> As a request to all of you, please make sure that you send Calling-Station-ID 
> (it is actually required).
> 
> Thanks,
> 
> Philippe
> 
> 
> Philippe Hanset, CEO
> 
>> On Jul 6, 2018, at 11:47 AM, Bucklaew, Jerry > <mailto:j...@buffalo.edu>> wrote:
>> 
>> Philippe,
>>  
>>I like the reports, but as people have pointed out the errors are 
>> concerning.  It might be good to quantify the errors to unique macs instead 
>> of just failures.  You have unique users authenticated and then 
>> authenticated percentage.  But is that the percentage of total request vs 
>> total failures or unique macs that have succeeded vs unique mac that have 
>> failed?  If our guess is correct, the failure percentage will be high (ours 
>> is around 20% for our users and 30% for guest)  for total request vs 
>> failures, but should be relatively low for total unique request vs unique 
>> failures.  Maybe that would be a stat worth adding?
>>  
>>  
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Philippe Hanset
>> Sent: Friday, July 6, 2018 11:34 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: Re: [WIRELESS-LAN] Your eduroam semi-annual report
>>  
>> All,
>>  
>> When we designed the reports we had two main goals in mind:
>> 1)  Quantitative data (how many, and where), both as SP and IDP
>> 2) Qualitative data (is my service ok), both as IDP and SP
>>  
>> Many of you like the reports and also many have asked to have comparisons 
>> with other schools especially for “rejects”.
>>  
>> We cannot reveal other schools’ data without their consent,
>> but I have asked Stephanie(our data specialist) to work on graphs showing 
>> the distribution of errors (eg: 7 schools are at 0% success rate, 10 at 10%, 
>> etc…) also integrating into the stats the size of schools.
>> She will be brainstorming some of this in the coming weeks  and post it on 
>> the eduroam.us <http://eduroam.us/> website
>>  
>> Just looking roughly at data as an IDP and SP you should be around 60+ % 
>> Bear in mind that you cannot control poorly configured users coming to your 
>> campus as an SP.
>> As an IDP you can definitely check your stats and optimize your user’s 
>> configuration (to a point!).
>>  
>> In summary as an SP you have very little control, as an IDP you have a lot 
>> more!
>>  
>> Philippe
>>  
>> Philippe Hanset, CEO
>> www.anyroam.net <http://www.anyroam.net/>
>> www.eduroam.us <http://www.eduroam.us/>
>> +1 (865) 236-0770
>> 
>> GPG key id: 0xF2636F9C
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On Jul 6, 2018, at 11:00 AM, Mike Atkins > <mailto:matk...@nd.edu>> wrote:
>>  
>> Our identity group typically manages the eduroam configuration.  I was 
>> recently added to troubleshoot some very specific issues.  Things I found 
>> useful are/were access to eduroam radius logs, realm testing tool, reports 
>> going back to January 2018, and a dashboard that has data going back to 
>> 2012.  I do not think there is read only access but it might be worth 
>> inquiring with your admin if you do any sort of regular radius 
>> troubleshooting.  (remote for your users or locally for guests)  I see a 
>> timeouts (frequent no response even though packet captures show our server 
>> responded) and on our six month

Re: [WIRELESS-LAN] Your eduroam semi-annual report

2018-07-06 Thread Philippe Hanset
Jerry,

Thanks for the feedback. 
We have been digesting these reports for about a year now and rejects per MAC 
was on our agenda.

We had two issues with that one: 
-Storing failed authentications is really overwhelming for our Top Level 
Servers (we might have storage issues .. there is a lot of nasty stuff in those 
failed attempts :)
-Calling-Station-ID (MAC address) is not always reliable…some of you don't send 
it, and some have different formats for the same MAC address (if you have two 
Wi-Fi vendors on campus)

But, with all the feedback we will look into it again.

As a request to all of you, please make sure that you send Calling-Station-ID 
(it is actually required).

Thanks,

Philippe


Philippe Hanset, CEO

> On Jul 6, 2018, at 11:47 AM, Bucklaew, Jerry  wrote:
> 
> Philippe,
>  
>I like the reports, but as people have pointed out the errors are 
> concerning.  It might be good to quantify the errors to unique macs instead 
> of just failures.  You have unique users authenticated and then authenticated 
> percentage.  But is that the percentage of total request vs total failures or 
> unique macs that have succeeded vs unique mac that have failed?  If our guess 
> is correct, the failure percentage will be high (ours is around 20% for our 
> users and 30% for guest)  for total request vs failures, but should be 
> relatively low for total unique request vs unique failures.  Maybe that would 
> be a stat worth adding?
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Philippe Hanset
> Sent: Friday, July 6, 2018 11:34 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Your eduroam semi-annual report
>  
> All,
>  
> When we designed the reports we had two main goals in mind:
> 1)  Quantitative data (how many, and where), both as SP and IDP
> 2) Qualitative data (is my service ok), both as IDP and SP
>  
> Many of you like the reports and also many have asked to have comparisons 
> with other schools especially for “rejects”.
>  
> We cannot reveal other schools’ data without their consent,
> but I have asked Stephanie(our data specialist) to work on graphs showing the 
> distribution of errors (eg: 7 schools are at 0% success rate, 10 at 10%, 
> etc…) also integrating into the stats the size of schools.
> She will be brainstorming some of this in the coming weeks  and post it on 
> the eduroam.us <http://eduroam.us/> website
>  
> Just looking roughly at data as an IDP and SP you should be around 60+ % 
> Bear in mind that you cannot control poorly configured users coming to your 
> campus as an SP.
> As an IDP you can definitely check your stats and optimize your user’s 
> configuration (to a point!).
>  
> In summary as an SP you have very little control, as an IDP you have a lot 
> more!
>  
> Philippe
>  
> Philippe Hanset, CEO
> www.anyroam.net <http://www.anyroam.net/>
> www.eduroam.us <http://www.eduroam.us/>
> +1 (865) 236-0770
> 
> GPG key id: 0xF2636F9C
> 
> 
> 
> 
> 
> 
> 
> On Jul 6, 2018, at 11:00 AM, Mike Atkins  <mailto:matk...@nd.edu>> wrote:
>  
> Our identity group typically manages the eduroam configuration.  I was 
> recently added to troubleshoot some very specific issues.  Things I found 
> useful are/were access to eduroam radius logs, realm testing tool, reports 
> going back to January 2018, and a dashboard that has data going back to 2012. 
>  I do not think there is read only access but it might be worth inquiring 
> with your admin if you do any sort of regular radius troubleshooting.  
> (remote for your users or locally for guests)  I see a timeouts (frequent no 
> response even though packet captures show our server responded) and on our 
> six month eduroam success rate is 69.7%  I am still in the process of 
> troubleshooting but the information is very helpful.  E-mail me off list and 
> I’ll send you our reports if you want to compare sites.
>  
>  
>  
>  
>  
> Mike Atkins 
> Network Engineer
> Office of Information Technology
> University of Notre Dame
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Patrick McEvilly
> Sent: Friday, July 06, 2018 8:08 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Your eduroam semi-annual report
>  
> As the admin contact I was getting them but asked if we could add some 
> internal mailing lists.  In your eduro
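
Added example (not part of the original thread, and not ANYROAM's report code): the per-request versus per-unique-MAC reject rates Jerry asks about, computed after normalizing Calling-Station-Id so that the vendor format differences Philippe mentions do not inflate the device count. The record layout, field names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if raw is not a MAC.

    Accepts the common vendor spellings: AA-BB-CC-11-22-33,
    aa:bb:cc:11:22:33, aabb.cc11.2233 and aabbcc112233.
    """
    if not raw:
        return None
    digits = _SEPARATORS.sub("", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reject_stats(records):
    """Compare the reject rate per request with the reject rate per device.

    A device counts as failed only if none of its requests was accepted, so
    one misconfigured client retrying all day weighs as one device.
    Records without a usable Calling-Station-Id are counted separately.
    """
    total = len(records)
    rejects = sum(1 for r in records if r["result"] == "reject")
    outcomes = defaultdict(set)   # normalized MAC -> set of results seen
    raw_ids = set()               # distinct identifiers before normalizing
    unusable = 0
    for r in records:
        raw = r.get("calling_station_id")
        mac = normalize_mac(raw)
        if mac is None:
            unusable += 1
            continue
        raw_ids.add(raw)
        outcomes[mac].add(r["result"])
    never_accepted = sorted(m for m, seen in outcomes.items() if "accept" not in seen)
    devices = len(outcomes)
    return {
        "request_reject_rate": rejects / total if total else 0.0,
        "device_reject_rate": len(never_accepted) / devices if devices else 0.0,
        "devices": devices,
        "raw_identifiers": len(raw_ids),
        "unusable_records": unusable,
        "never_accepted": never_accepted,
    }


# Constructed sample: four devices seen through two vendors' formats, one
# misconfigured client retrying, and one request with no Calling-Station-Id.
SAMPLE = [
    {"calling_station_id": "AA-BB-CC-11-22-33", "result": "accept"},
    {"calling_station_id": "aa:bb:cc:11:22:33", "result": "accept"},
    {"calling_station_id": "aabb.cc11.2244", "result": "reject"},
    {"calling_station_id": "AA-BB-CC-11-22-44", "result": "reject"},
    {"calling_station_id": "aabbcc112244", "result": "reject"},
    {"calling_station_id": "aa:bb:cc:11:22:44", "result": "reject"},
    {"calling_station_id": "AA-BB-CC-11-22-55", "result": "accept"},
    {"calling_station_id": "aa:bb:cc:11:22:55", "result": "reject"},
    {"result": "reject"},
    {"calling_station_id": "aabb.cc11.2266", "result": "accept"},
]

if __name__ == "__main__":
    for key, value in reject_stats(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample, 60% of requests are rejects but only one device in four never authenticates, and the nine distinct raw identifiers collapse to four devices once normalized.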

Re: [WIRELESS-LAN] Your eduroam semi-annual report

2018-07-06 Thread Philippe Hanset
All,

When we designed the reports we had two main goals in mind:
1)  Quantitative data (how many, and where), both as SP and IDP
2) Qualitative data (is my service ok), both as IDP and SP

Many of you like the reports and also many have asked to have comparisons with 
other schools especially for “rejects”.

We cannot reveal other schools’ data without their consent,
but I have asked Stephanie (our data specialist) to work on graphs showing the 
distribution of errors (eg: 7 schools are at 0% success rate, 10 at 10%, etc…) 
also integrating into the stats the size of schools.
She will be brainstorming some of this in the coming weeks and post it on the 
eduroam.us website

Just looking roughly at data as an IDP and SP you should be around 60+ % 
Bear in mind that you cannot control poorly configured users coming to your 
campus as an SP.
As an IDP you can definitely check your stats and optimize your user’s 
configuration (to a point!).

In summary as an SP you have very little control, as an IDP you have a lot more!

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Jul 6, 2018, at 11:00 AM, Mike Atkins  wrote:
> 
> Our identity group typically manages the eduroam configuration.  I was 
> recently added to troubleshoot some very specific issues.  Things I found 
> useful are/were access to eduroam radius logs, realm testing tool, reports 
> going back to January 2018, and a dashboard that has data going back to 2012. 
>  I do not think there is read only access but it might be worth inquiring 
> with your admin if you do any sort of regular radius troubleshooting.  
> (remote for your users or locally for guests)  I see a timeouts (frequent no 
> response even though packet captures show our server responded) and on our 
> six month eduroam success rate is 69.7%  I am still in the process of 
> troubleshooting but the information is very helpful.  E-mail me off list and 
> I’ll send you our reports if you want to compare sites.
>  
>  
>  
>  
>  
> Mike Atkins 
> Network Engineer
> Office of Information Technology
> University of Notre Dame
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Patrick McEvilly
> Sent: Friday, July 06, 2018 8:08 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Your eduroam semi-annual report
>  
> As the admin contact I was getting them but asked if we could add some 
> internal mailing lists.  In your eduroam profile they have added a “report 
> contact” option which is working well.
>  
> Patrick
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of "Watters, John" 
> mailto:john.watt...@ua.edu>>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Date: Friday, July 6, 2018 at 8:01 AM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
>  <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: Re: [WIRELESS-LAN] Your eduroam semi-annual report
> Resent-From: Patrick McEvilly  <mailto:patrick_mcevi...@harvard.edu>>
>  
> What person at a school receives them? I want to see ours. 
>  
> Thanks. 
> 
> Sent from my iPhone
> 
> On Jul 6, 2018, at 6:40 AM, Philippe Hanset 
> <005cd62f91b7-dmarc-requ...@listserv.educause.edu 
> <mailto:005cd62f91b7-dmarc-requ...@listserv.educause.edu>> wrote:
> 
> Yahya,
>  
> These reports are provided to all IdPs
> and SPs in the US. ANYROAM, the operator of eduroam on behalf of Internet2 
> has built those reports based on the US top level RADIUS logs. 
>  
> Philippe 
> 
> Philippe Hanset, CEO
> ANYROAM LLC
> www.anyroam.net
> www.eduroam.us
> 
> On Jul 6, 2018, at 6:17 AM, Yahya M. Jaber  <mailto:yahya.ja...@kaust.edu.sa>> wrote:
> 
> Is this only for IdPs who have it as primary network? Eduroam is a secondary 
> one for us here.
>  
>  
> Be

Re: [WIRELESS-LAN] Your eduroam semi-annual report

2018-07-06 Thread Philippe Hanset
Yahya,

These reports are provided to all IdPs
and SPs in the US. ANYROAM, the operator of eduroam on behalf of Internet2 has 
built those reports based on the US top level RADIUS logs. 

Philippe 

Philippe Hanset, CEO
ANYROAM LLC
www.anyroam.net
www.eduroam.us

> On Jul 6, 2018, at 6:17 AM, Yahya M. Jaber  wrote:
> 
> Is this only for IdPs who have it as primary network? Eduroam is a secondary 
> one for us here.
>  
>  
> Best Regards,
>  
> Yahya Jaber 
> Sr. Wireless Engineer
> IT Network & Communications – Engineering
>  
> Email yahya.ja...@kaust.edu.sa
> Office +966 (0) 12 8081237
> Mobile +966 (0) 558697555
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
> Sent: Friday, July 6, 2018 4:03 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Fwd: Your eduroam semi-annual report
>  
> All:
>  
> We have run eduroam as our primary SSID for several years.  For those 
> institutions that do not, but wonder what it might look like for those that 
> do, I’ve included our semi annual report. 
> 
> Ryan Turner
> Senior Manager of Networking, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
> 
> Begin forwarded message:
>  




Re: [WIRELESS-LAN] [SPF:Probably_Forged] Re: [WIRELESS-LAN] Eduroam - 3 questions

2018-04-19 Thread Philippe Hanset
Rita,

We wrote about this very concern in our FAQ.
You can find it at https://www.incommon.org/eduroam/faq.html#q1

We are actually missing a very important aspect in our FAQ that was highlighted 
by Hunter, Chuck, and others.
If you only run eduroam as Identity Provider (IDP) your users have no way to 
configure devices before they travel.

On the help desk side of things, if you do not run eduroam as a Service 
Provider (SP) on your campus you will most likely end up
with many help desk calls from your own users trying to figure out how to 
configure various devices. Many of them may be in different time zones
which will generate a lot of frustration for all.

If you turn eduroam as a Service Provider your help desk should get many hits 
since eduroam requires users to first contact their home institution in 
case of problem.


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Apr 19, 2018, at 11:13 AM, Chuck Anderson <c...@wpi.edu> wrote:
> 
> We onboard both eduroam and WPI-Wireless with EAP-TLS certs via CloudPath.  
> It doesn't matter which one our own clients connect to, since they provide 
> the same access to our own users.  Guests get a different VLAN when they 
> connect to our local eduroam SP.
> 
> We haven't yet gone down the path of retiring our "vanity" SSID.
> 
> On Thu, Apr 19, 2018 at 09:18:11AM -0400, Christina Klam wrote:
>> Like many of you, we started with three campus wide SSIDs: a vanity/branded 
>> WPA2-Enterprise, a branded open guest, and eduroam.  At the end of the first 
>> year, we reduced to just eduroam and our guest.  By using the domain portion 
>> in the username (use...@domain.edu), radius assigns users to specific VLANs. 
>>  If they are not from @ias.edu, they get assigned to a "guest permission 
>> leveled" VLAN which only has access to the Internet and some specific campus 
>> devices (like projectors).  If they are from @ias.edu, they are given 
>> greater privileges on campus like access to library resources.  
>> 
>> 
>> In terms of help desk calls, we received fewer once we de-cluttered our SSID 
>> space.   If we were to do this again, we would just start with just eduroam 
>> and guest.  
>> 
>> BTW:  Everyone should use the same spelling of eduroam.  There are no 
>> capital letters in the SSID.  
>> 
>> --Christina Klam
>> 
>> - Original Message -
>> From: "Alexandre Adao" <alexandre.a...@morgan.edu>
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Sent: Wednesday, April 18, 2018 11:42:04 PM
>> Subject: Re: [WIRELESS-LAN] Eduroam - 3 questions
>> 
>> 1- Currently, we have SSID's MSU-Secure, Guest-Users and EduRoam. We may
>> move forward to one or two SSID's later on.  Our Radius are not configured
>> as connector.
>> 
>> 2. The EduRoam deployment is not that difficult. It depends what type of
>> Radius Server you are using.
>> 
>> 3. To minimize the Help Desk calls, ensure that the student/Faculty
>> authenticate EduRoam with their full e-mail address (account
>> xxx@domain.edu), locally. Because it will be the same credentials
>> format when they are visiting other educational entities.
>> 
>> --Alex Adao
>> 
>> 
>> 
>> On Wed, Apr 18, 2018 at 9:19 PM, Davis, Kevin <keda...@davidson.edu> wrote:
>> 
>>> I just wanted to say “ditto” to what Chuck said, but with an underscore: I
>>> would recommend you consider the value of making eduroam your primary
>>> campus SSID.  Just having it on campus doesn’t ensure anyone will use it or
>>> understand what it means.  (“If I have DavidsonSecure or eduroam, why would
>>> I ever want ‘roaming’ if I could be on the Davidson network?”). OTOH, if
>>> it’s the network they use daily, they’re always ready to use it.
>>> 
>>> A number of colleges have moved away from vanity-named SSIDs to having
>>> eduroam as their main or only wifi network on campus. Davidson is moving in
>>> that direction this summer, retiring our legacy SSID, and we are by no
>>> means an early mover on this.
>>> 
>>> Kevin
>>> 
>>> --
>>> Kevin Davis
>>> Deputy CIO & Director, Core Services
>>> Davidson College Technology & Innovation (T)
>>> 
>>> 
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <
>>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Enfield III, Charles
>>> Albert" <cae...@psu.edu>
>>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <

Re: [WIRELESS-LAN] GDPR

2018-04-06 Thread Philippe Hanset
Not that I would ever promote such an insane measure:
Block IP addresses from the EU to Universities that do not comply!

foreign brains and out of state tuition are motors of our US-edu economy and 
richness, can we afford to lose this?

We did something similar with FATCA, pressuring banks all over the world to 
report customers with US addresses to the IRS… and it worked!
The measure was: if you don't comply you can’t deal with US financial 
instruments, which most banks use!

Diplomacy!

Philippe



> On Apr 6, 2018, at 2:03 PM, Daniel Brisson <dbris...@uvm.edu> wrote:
> 
> I’m very interested to see how this 1) gets enforced and 2) litigated.  My 
> curiosity comes from the practicality of enforcing anything to do with your 
> example #1 from below.
>  
> -dan
>  
> — 
>  
> Dan Brisson
> Network Engineer
> University of Vermont
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Philippe Hanset 
> <005cd62f91b7-dmarc-requ...@listserv.educause.edu 
> <mailto:005cd62f91b7-dmarc-requ...@listserv.educause.edu>>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Date: Friday, April 6, 2018 at 1:55 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: Re: [WIRELESS-LAN] GDPR
>  
> Lee,
>  
> We have to follow GDPR closely due to the eduroam/Govroam/ANYROAM 
> implications.
>  
> Some of the logic behind GDPR is based on the location of the person whether 
> EU Citizen or not. 
> GDPR applies to all EU Citizens but also to visitors of the EU, and also to 
> EU Citizens when using remote services outside of the EU
> (e.g. a EU Citizen signing for a Facebook account located on servers in the 
> US is a GDPR case)
>  
> Some edu examples:
> 1) A EU student registering for school in a US school while being physically 
> in Europe is a GDPR case!
> 2) A US student registering for classes while being physically in the EU for 
> an institution located in the EU (whether the institution is EU or US 
> ownership) falls under GDPR.
>  
> And then each of us has to look if we are  Processor or Controller of the 
> Data (or both!) and apply rules accordingly.
>  
> Philippe
>  
> Philippe Hanset, CEO
> www.anyroam.net <http://www.anyroam.net/>
> www.eduroam.us <http://www.eduroam.us/>
> +1 (865) 236-0770
> 
> GPG key id: 0xF2636F9C
> 
> 
> 
> On Apr 6, 2018, at 12:52 PM, Lee H Badman <lhbad...@syr.edu 
> <mailto:lhbad...@syr.edu>> wrote:
>  
> Interesting- I couldn’t tell if rules were different between EU residents vs 
> visitors. I’m sure a lot of campus legal departments/lawyers are busy right 
> now trying to figure it all out. I’ll be curious to see how operations for US 
> colleges abroad are specifically impacted from the network and IT 
> perspectives.
>  
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu 
> <mailto:lhbad...@syr.edu> w its.syr.edu <http://its.syr.edu/>
> SYRACUSE UNIVERSITY
> syr.edu <http://syr.edu/>
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Caston Thomas
> Sent: Friday, April 06, 2018 10:46 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] GDPR
>  
> My understanding is that GDPR will apply to students & faculty visiting the 
> EU on school related events (internships, foreign studies, conferences, 
> trips), alumni traveling on behalf of the school.  Logins & online activity 
> from individuals in the EU will fall under GDPR.  Logs will have to be purged 
> or sanitized.  For corporate entities, the cap on penalties is up to 4% of 
> revenue.  I am uncertain if that same amount applies to non-profit or 
> educational institutions.
>  
> I am, by no means, an authority, on the subject, so fire away if I’ve written 
> anything that is inaccurate.  But a close friend of mine has published a book 
> on the topic.  If there’s a high degree of interest, I can ping him for a 
> good link or synopsis on GDPR 

Re: [WIRELESS-LAN] GDPR

2018-04-06 Thread Philippe Hanset
Lee,

We have to follow GDPR closely due to the eduroam/Govroam/ANYROAM implications.

Some of the logic behind GDPR is based on the location of the person whether EU 
Citizen or not. 
GDPR applies to all EU Citizens but also to visitors of the EU, and also to EU 
Citizens when using remote services outside of the EU
(e.g. a EU Citizen signing for a Facebook account located on servers in the US 
is a GDPR case)

Some edu examples:
1) A EU student registering for school in a US school while being physically in 
Europe is a GDPR case!
2) A US student registering for classes while being physically in the EU for an 
institution located in the EU (whether the institution is EU or US ownership) 
falls under GDPR.

And then each of us has to look if we are  Processor or Controller of the Data 
(or both!) and apply rules accordingly.

Philippe

Philippe Hanset, CEO
www.anyroam.net <http://www.anyroam.net/>
www.eduroam.us <http://www.eduroam.us/>
+1 (865) 236-0770

GPG key id: 0xF2636F9C


> On Apr 6, 2018, at 12:52 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> Interesting- I couldn’t tell if rules were different between EU residents vs 
> visitors. I’m sure a lot of campus legal departments/lawyers are busy right 
> now trying to figure it all out. I’ll be curious to see how operations for US 
> colleges abroad are specifically impacted from the network and IT 
> perspectives.
>  
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu 
> <mailto:lhbad...@syr.edu> w its.syr.edu <http://its.syr.edu/>
> SYRACUSE UNIVERSITY
> syr.edu <http://syr.edu/>
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Caston Thomas
> Sent: Friday, April 06, 2018 10:46 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] GDPR
>  
> My understanding is that GDPR will apply to students & faculty visiting the 
> EU on school related events (internships, foreign studies, conferences, 
> trips), alumni traveling on behalf of the school.  Logins & online activity 
> from individuals in the EU will fall under GDPR.  Logs will have to be purged 
> or sanitized.  For corporate entities, the cap on penalties is up to 4% of 
> revenue.  I am uncertain if that same amount applies to non-profit or 
> educational institutions.
>  
> I am, by no means, an authority, on the subject, so fire away if I’ve written 
> anything that is inaccurate.  But a close friend of mine has published a book 
> on the topic.  If there’s a high degree of interest, I can ping him for a 
> good link or synopsis on GDPR for educational institutions in the US.
>  
> Caston
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Lee H Badman
> Sent: Friday, April 6, 2018 8:17 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] GDPR
>  
> Worthy of posting on both lists, apologies to those who will see it twice.
> 
>  
> 
> Anyone feel like sharing what you've changed or are thinking about related to 
> GDPR if you have network operations in Europe? The new regs go into effect 
> May 25.
> 
>  
> 
> -Lee
> 
>  
> 
> Lee Badman | Network Architect | CWNE #200
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu 
> <mailto:lhbad...@syr.edu> w its.syr.edu <http://its.syr.edu/>
> SYRACUSE UNIVERSITY
> syr.edu <http://syr.edu/>
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found 
> at http://www.educause.edu/discuss.





Re: [WIRELESS-LAN] Eduroam and Govroam

2018-01-04 Thread Philippe Hanset
Mike et al.,

We are starting a Govroam pilot here in the US (www.govroam.us) with local and 
state government and eventually federal.
We don’t envision many schools adding the Govroam SSID or Government agencies 
adding the eduroam SSID unless there are very specific use cases.
On the other end by creating those two roaming communities early on we (as all 
of us) will be ready when Passpoint/Hotspot2.0 becomes more widespread.
Once your infrastructure supports Hotspot2.0 you will be able to add 
local/state/federal roaming communities to your network quite easily.
Adding a roaming community to the broadcast frame of Hotspot2.0 will be so much 
easier than adding yet another SSID!

We do not know all your use cases (gov/edu) of course, feel free to share so we 
can design accordingly.

(please excuse our laconic govroam and anyroam websites we are in the middle of 
completely revamping them with useful info)

and BTW, Happy New Year y’all :)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Jan 4, 2018, at 8:34 AM, Mike Atkins <matk...@nd.edu> wrote:
> 
> Does anyone have more detail on this?
>  
> More public Wi-Fi across London with Eduroam & Govroam
> https://wifinowevents.com/news-and-blog/public-wi-fi-across-london-eduroam-govroam/
>  
>  
>  
>  
>  
> Mike Atkins 
> Network Engineer
> Office of Information Technology
> University of Notre Dame
> Phone: 574-631-7210
>  
>  
>    .__o
>- _-\_<,
>---  (*)/'(*)
>  





Re: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

2017-10-30 Thread Philippe Hanset
All,

We love option 4 but it has its issues...and on that note let me share (with 
his permission) a tidbit from Curtis Larsen from University of Utah
sent to the eduroam-admins list about EAP-TLS and firewalls/load balancer. 
Make a mental note for the future ;-), it took us a while to discover that 
problem: Fragmentation, fragmentation, fragmentation.

Best,

Philippe

Philippe Hanset
www.anyroam.net <http://www.anyroam.net/>

--
From Curtis:

We resolved this today working with our Firewall team but I wanted to thank 
Chad with Anyroam support for helping with the pcaps and suggesting a look at 
fragmentation initially.

It turns out our problem had to do with how fragmented packets are handled by 
our border firewalls and our chosen load-balancing method on the respective 
port-channel interfaces.  The key is that we needed to balance these RADIUS 
sessions/transactions on source/dest. IP alone instead of including the TCP/UDP 
port as well.  The problem did not occur with PEAP MSCHAPv2 tests because the 
packets never fragmented and thus all had the same UDP port number and all got 
marked as the same session/transaction and sent out the same interface.  
Sometimes we got lucky and all EAP-TLS packets needed for a single 
authentication went the same way and it worked but often packets went different 
ways and the fragments were not able to be marked as part of the same 
session/transaction and that is when my server got half of the packets.

Curtis K. Larsen
Senior Wi-Fi Network Engineer
University of Utah IT/CIS
Office 801-587-1313
--

> On Oct 30, 2017, at 4:19 PM, Mike Atkins <matk...@nd.edu> wrote:
> 
> We are option 3 with 3 year certs.  We were in the same boat as Craig just 
> over a year ago.  We moved to a different onboarding utility and different 
> CA.  It is a long story so feel free to hit me up offline.  That said, in the 
> future we will likely end up using both options 3 & 4 to be flexible with 
> device/owner/use.
>  
>  
>  
> Mike Atkins 
> Network Engineer
> Office of Information Technology
> University of Notre Dame
> Phone: 574-631-7210
>  
>  
>    .__o
>- _-\_<,
>---  (*)/'(*)
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Craig Simons
> Sent: Monday, October 30, 2017 2:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions
>  
> All,
>  
> I know the subject has been broached on the list a few times before, but I’m 
> looking for informal opinions/survey about how you are deploying your Radius 
> EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard 
> users, but recently went through a difficult renewal period to replace our 
> expiring certificate. As we had configured all of our clients to “verify the 
> server certificate” (as you should from a security perspective), we found 
> that iOS/MacOS and Android clients did not take kindly to a new certificate 
> being presented. This resulted in quite a few disgruntled users who couldn’t 
> connect to WiFi as well as a shell-shocked Service Desk. To help prevent this 
> in the future (and because we are moving to a new Radius infrastructure), 
> what is the consensus on the following strategies:
>  
> Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
> "verify server certificate" enabled
>  
> Option 2: Removing all traces of “verify server certificate” from OnBoard 
> configuration and use 2-year certs from CAs
>  
> Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
> educate/prepare every two years for connection issues.
>  
> Option 4 (probably the best long-term answer): Move to private PKI and 
> EAP-TLS.
>  
> Opinions?
>  
> Craig Simons
> Network Operations Manager
> 
> Simon Fraser University | Strand Hall
>  University Dr., Burnaby, B.C. V5A 1S6
> T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices 
> <http://www.sfu.ca/itservices>
> 
> 
>  


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
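
The load-balancing failure Curtis describes above, as an added simulation (not code from the list, from Anyroam or from any firewall vendor). Assumptions: SHA-256 stands in for the device's link-selection hash, non-first fragments are hashed with both ports set to 0, each authentication is modelled as a single datagram, and the addresses and packet sizes are constructed.

```python
"""Per-flow link selection for fragmented RADIUS/UDP datagrams (simulation)."""
import hashlib
import struct
from ipaddress import IPv4Address

MTU, IP_HDR, UDP_HDR = 1500, 20, 8

# Constructed UDP payload sizes: a PEAP-MSCHAPv2 round fits in one packet,
# an EAP-TLS round carrying certificate data does not.
PEAP_LEN, EAP_TLS_LEN = 300, 1800


def fragment(udp_payload_len, mtu=MTU):
    """Split one UDP datagram into IPv4 fragments.

    Only the first fragment (offset 0) carries the UDP header, so it is the
    only one that exposes source/destination ports to a device in the path.
    """
    total = UDP_HDR + udp_payload_len        # bytes of IP payload
    max_data = (mtu - IP_HDR) // 8 * 8       # fragment data is a multiple of 8
    frags, offset = [], 0
    while offset < total:
        size = min(max_data, total - offset)
        frags.append({"offset": offset, "len": size, "has_l4": offset == 0})
        offset += size
    return frags


def pick_link(src, dst, sport, dport, frag, mode, n_links):
    """Choose a port-channel member for one fragment.

    mode "ip":      hash on source/destination IP only.
    mode "ip-port": hash on IPs plus UDP ports; fragments without a UDP
                    header are hashed with ports 0/0 (assumed behaviour).
    """
    key = IPv4Address(src).packed + IPv4Address(dst).packed
    if mode == "ip-port":
        ports = (sport, dport) if frag["has_l4"] else (0, 0)
        key += struct.pack("!HH", *ports)
    elif mode != "ip":
        raise ValueError(f"unknown mode: {mode}")
    digest = hashlib.sha256(key).digest()    # stand-in for the hardware hash
    return int.from_bytes(digest[:4], "big") % n_links


def consistent_auths(udp_payload_len, mode, n_links=4, n_auth=200):
    """Count authentications whose fragments all left on the same link."""
    src, dst, dport = "192.0.2.10", "198.51.100.20", 1812   # documentation IPs
    frags = fragment(udp_payload_len)
    ok = 0
    for sport in range(20000, 20000 + n_auth):
        links = {pick_link(src, dst, sport, dport, f, mode, n_links)
                 for f in frags}
        ok += len(links) == 1
    return ok


if __name__ == "__main__":
    for name, size in (("PEAP-MSCHAPv2", PEAP_LEN), ("EAP-TLS", EAP_TLS_LEN)):
        for mode in ("ip-port", "ip"):
            ok = consistent_auths(size, mode)
            print(f"{name:14} hash={mode:8} fragments={len(fragment(size))} "
                  f"same-link authentications: {ok}/200")
```

With the port-inclusive hash, only the EAP-TLS row loses authentications, which matches the symptom that PEAP tests passed while EAP-TLS worked only "sometimes".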



Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-17 Thread Philippe Hanset
The flaw in WPA2 doesn’t put accounts at risk since that is done with EAP over 
an encrypted TLS tunnel. It is the access to the network and the encryption 
over the air for the regular internet traffic that can be tampered with.

Philippe
www.anyroam.net

> On Oct 17, 2017, at 4:49 AM, Osborne, Bruce W (Network Operations) 
>  wrote:
> 
> No, the solution is EAP-TLS with individual device certificates.
>  
>  
>  
> 
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  (434) 592-4229
> 
> LIBERTY UNIVERSITY
> 
> Training Champions for Christ since 1971
> 
>  
> From: Tim Tyler [mailto:ty...@beloit.edu] 
> Sent: Monday, October 16, 2017 9:57 AM
> Subject: Re: Big flaw in WPA2
>  
> This brings up an issue where I have philosophically wondered if mac address 
> authentication isn’t better than 802.11x (wpa2).  The reason isn’t because it 
> guards the network better.  But if one does get hacked at the point of 
> accessing the network, the consequences are way less.  One isn’t giving away 
> the keys to their other accounts.   I know some institutions do use mac 
> address authentication as their primary access method.   It is difficult for 
> institutions that can’t afford pricey on-boarding solutions to manage 
> certificate lock downs.   Hence, man in the middle attacks become prevalent 
> as well.
>   We already use mac address authentication for devices that won’t support 
> 802.1x.  I keep wondering now if I shouldn’t make that our primary solution 
> someday.  I am curious as to what others think. 
>  
> Tim
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
> Sent: Monday, October 16, 2017 6:51 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Big flaw in WPA2
>  
> 
> https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
> 
> Ryan Turner
> Manager of Network Operations, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office




Fwd: [mobility] time for WPA3?

2017-10-16 Thread Philippe Hanset
All,

In light of the WPA2 exploit, I want to share an email exchange that I had with 
a colleague.
Basically at the minimum disable 802.11r
> 
>> On 10-16-17 18:21, Philippe Hanset wrote:
>> So is it correct to state the following:
>> 1) WPA2 is vulnerable 
> 
> Well, it wasn't properly implemented; so implementations are vulnerable.
> 
>> 2) Firmware patches should fix infrastructure side and device side
> 
> ... and quite some have them available already, and/or you disable 11r
> for now,
> 
>> 3) Unpatched infrastructure will put all devices at risk
> 
> Yes and no; you can mitigate the risks by disabling 802.11r, and the
> risk with eg. patched devices is that you could decrypt traffic from the
> network to a client.
> 
>> 4) Unpatched devices will be at risk when joining any infrastructure but 
>> will not risk the integrity of patched infrastructure.
> 
> Unpatched clients will have the risk of having their data decrypted, or
> (in the case of mostly Android) have no encryption at all for their
> upstream data.
> 
> 
Philippe Hanset
www.eduroam.us
www.anyroam.net
> 



Re: [WIRELESS-LAN] eduroam AUP, revisit

2017-09-12 Thread Philippe Hanset
Darren,

> 
> In Europe, there is also an optional configuration tool called Eduroam CAT 
> developed by GÉANT – this tool installs/configures Eduroam profiles on 
> different devices but includes a section where the user must agree to the AUP 
> before they can proceed with the install.
>  

eduroam CAT is available to all eduroam institutions around the world, not just 
Europe.


Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> We also provide some documentation in printed and electronic format in the 
> form of a handbook that is given to arriving students. The handbook includes 
> a section about acceptable use of I.T. and what their responsibilities are. 
> You could, and I think some organisations do, prompt users to accept the AUP 
> when they login to the organisation Intranet for the first time and then have 
> it send them an email to confirm they have accepted the AUP.
>  
> I’m sure there could be a situation where someone could connect to Eduroam 
> without ever seeing the Eduroam AUP – but generally they will have seen an 
> AUP at some point if they have been issued with some credentials by the 
> organisation. There will be a lot of duplicate policies between an 
> organisation and Eduroam.
>  
>  
> Darren.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Lee H Badman
> Sent: 11 September 2017 17:56
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>
> Subject: [WIRELESS-LAN] eduroam AUP, revisit
>  
> Sorry to rehash a topic like this, but throwing the net out there again after 
> only getting one reply (Thanks, Marcello). How are you who participate in 
> eduroam as IDPs (Identity Providers)  making “reasonable effort” to inform 
> your users about their responsibilities when visiting other campuses and 
> using eduroam?
>  
> Thanks-
>  
> Lee
>  
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu 
> <mailto:lhbad...@syr.edu> w its.syr.edu <http://its.syr.edu/>
> SYRACUSE UNIVERSITY
> syr.edu <http://syr.edu/>
>  
>  
>  





Re: [WIRELESS-LAN] eduroam- "reasonable efforts to acknowledge the AUP"?

2017-09-01 Thread Philippe Hanset
Lee,

The text in the agreement is intended to ask IDPs (Identity Providers) to 
inform their users about their responsibilities when visiting other campuses 
and using eduroam. SP (Service Providers) do not have to inform users.

Philippe
ANYROAM

> On Sep 1, 2017, at 4:23 PM, Lee H Badman  wrote:
> 
> Thanks, Marcelo. Is in line with all I can  come up with as well short of 
> ruining it with some ugly redirect.
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Marcelo Maraboli
> Sent: Friday, September 01, 2017 3:58 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] eduroam- "reasonable efforts to acknowledge the 
> AUP"?
>  
> Hello Lee
> 
> We just published in our IT web page (mainly to our users) that IF you
> use eduroam elsewhere, you are subject to the AUP of that University and
> it is __your__ duty to search/ask for it and read it.
> 
> We simply educate our own users.
> 
> 
> best regards,
> 
> On 9/1/17 3:43 PM, Lee H Badman wrote:
> For those of you participating in eduroam, I’m struggling a bit with the new 
> agreement from I2. Has anyone tried to figure out what I2 expects as far as 
> eduroam schools somehow communicating AUP to users as they move from school 
> to school?
>  
> Regards,
>  
> Lee Badman
>  
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>  
>  
>  
>  
> -- 
> Marcelo Maraboli Rosselott
> Subdirector de Redes y Seguridad
> Dirección de Informática
> Pontificia Universidad Católica de Chile
> http://informatica.uc.cl/
> --
> Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
> Santiago, Chile
> Teléfono: (56) 22354 1341




Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Philippe Hanset
I just realized that I gave a +1 for EAP-TLS
(and yes, it gives a +1 for Open Networks ;-)

That contaminated laptop might force the remote IDP to block the user account! 
With PEAP, that will also block that user from using a smart phone as a backup 
plan.
With EAP-TLS, the remote IDP could just revoke the certificate of the laptop!

We also see a big + for EAP-TLS at campuses that have strong password renewal 
policies.
Every 6 months or so, after the password change  802.1X devices will fail, and 
supplicants are terrible at letting users know that the password is the culprit!

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Aug 15, 2017, at 11:38 AM, Philippe Hanset <phan...@anyroam.net> wrote:
> 
> Ian,
> 
> Definitely black list the MAC first, then contact either us (eduroam.us 
> <http://eduroam.us/>) or the local campus (abuse@realm)
> or you could even contact the user directly since the majority of users have 
> their email as an outer identity.
> (assuming that the malware is not preventing the user from checking email 
> …but hopefully their uncontaminated smart phone
> is on eduroam too ;-)
> 
> How does a user from 2000 miles away register on a network that requires a 
> phone number?
> They need an International plan? (costly, but getting cheaper!)
> How do you contact a user from 2000 miles away that is visiting your campus 
> and for whom you have an International number? You place an International 
> call?
> You could send a text (we face that same dilemma with the ANYROAM service) 
> but not all IT  shops have International texting easily accessible.
> 
> We have had a few of those in the past and honestly, there isn’t any perfect 
> solution!
> 
> Philippe
> 
> Philippe Hanset, CEO
> www.anyroam.net <http://www.anyroam.net/>
> www.eduroam.us <http://www.eduroam.us/>
> +1 (865) 236-0770
> 
> GPG key id: 0xF2636F9C
> 
> 
> 
>> On Aug 15, 2017, at 10:57 AM, Ian Lyons <ily...@rollins.edu 
>> <mailto:ily...@rollins.edu>> wrote:
>> 
>> What is the process if  X user (EduRoam) has a lot of malware and is sharing 
>> it on your network.  But home institution is 2000 miles away…
>>  
>> Black list MAC and call it a day?  Notify eduroam?  Home institution?  
>> Geiger-Counter person and tell them?
>>  
>> My guest account requires active phone number for user to get on the network.
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Hunter Fuller
>> Sent: Tuesday, August 15, 2017 10:54 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@listserv.educause.edu>
>> Subject: Re: [WIRELESS-LAN] EAP-TLS
>>  
>> Our campus isn't comfortable with an open ESSID without verifying the 
>> identity of the user, so that's the value of eduroam - identity. 
>>  
>> On Tue, Aug 15, 2017 at 10:47 Jeffrey D. Sessler <j...@scrippscollege.edu 
>> <mailto:j...@scrippscollege.edu>> wrote:
>> Couple of comments:
>> 
>>  
>> 
>> eduroam – using your point of “…most users can access what they want 
>> off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. 
>> Back in the day, this would facilitate quick access for a visiting educator 
>> who may be collaborating with someone locally and needing access to local 
>> resources. Today, in age of cloud-based collaboration platforms and access 
>> from anywhere, how important is eduroam over an open wifi network? With few 
>> exceptions, all the visitor needs is Internet access. eduroam doesn’t add 
>> value here, but does add complexity to manage. 
>> Location data – Yeah, this can have some value, but at least here, our 
>> emergency management moved to mobile-based applications that allow the user 
>> to opt-in to being tracked with the addition of panic-button-like services. 
>> I tend to shy away from using location-based services within WiFi where 
>> life-safety is involved. It can be a wonderful tool, until it doesn’t work 
>> that one-time management believes it should. In other words, finding a 
>> missing AV cart is different than a missing person.
>> Jeff
>> 
>>  
>> 
>> On 8/14/17, 7:23 PM, "The EDUCAUSE Wireless Issues Constituent Group 
>> Listserv on behalf of Jason Cook" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of 
>> jason.c...@adelaide.edu.au <mailto:jason.c...@adelaide.edu.au>> wrote:

Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Philippe Hanset
Ian,

Definitely black list the MAC first, then contact either us (eduroam.us 
<http://eduroam.us/>) or the local campus (abuse@realm)
or you could even contact the user directly since the majority of users have 
their email as an outer identity.
(assuming that the malware is not preventing the user from checking email …but 
hopefully their uncontaminated smart phone
is on eduroam too ;-)

How does a user from 2000 miles away register on a network that requires a 
phone number?
They need an International plan? (costly, but getting cheaper!)
How do you contact a user from 2000 miles away that is visiting your campus and 
for whom you have an International number? You place an International call?
You could send a text (we face that same dilemma with the ANYROAM service) but 
not all IT  shops have International texting easily accessible.

We have had a few of those in the past and honestly, there isn’t any perfect 
solution!

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C



> On Aug 15, 2017, at 10:57 AM, Ian Lyons <ily...@rollins.edu> wrote:
> 
> What is the process if  X user (EduRoam) has a lot of malware and is sharing 
> it on your network.  But home institution is 2000 miles away…
>  
> Black list MAC and call it a day?  Notify eduroam?  Home institution?  
> Geiger-Counter person and tell them?
>  
> My guest account requires active phone number for user to get on the network.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Tuesday, August 15, 2017 10:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>  
> Our campus isn't comfortable with an open ESSID without verifying the 
> identity of the user, so that's the value of eduroam - identity. 
>  
> On Tue, Aug 15, 2017 at 10:47 Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> Couple of comments:
> 
>  
> 
> eduroam – using your point of “…most users can access what they want 
> off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. 
> Back in the day, this would facilitate quick access for a visiting educator 
> who may be collaborating with someone locally and needing access to local 
> resources. Today, in age of cloud-based collaboration platforms and access 
> from anywhere, how important is eduroam over an open wifi network? With few 
> exceptions, all the visitor needs is Internet access. eduroam doesn’t add 
> value here, but does add complexity to manage. 
> Location data – Yeah, this can have some value, but at least here, our 
> emergency management moved to mobile-based applications that allow the user 
> to opt-in to being tracked with the addition of panic-button-like services. I 
> tend to shy away from using location-based services within WiFi where 
> life-safety is involved. It can be a wonderful tool, until it doesn’t work 
> that one-time management believes it should. In other words, finding a 
> missing AV cart is different than a missing person.
> Jeff
> 
>  
> 
> On 8/14/17, 7:23 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Jason Cook" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
> jason.c...@adelaide.edu.au> wrote:
> 
>  
> 
> This is a good topic, we are slowly moving towards a preferred EAP-TLS 
> from PEAP-MChapv2 but not current date to force and perhaps never. The points 
> made about why do we bother at all though are pretty relevant, most users can 
> access what they want off-campus from whatever network they want, and VPN for 
> more restricted access. So a properly segmented internal network providing 
> appropriate access would be fine. *PSK/ open networks are theoretically ok.
> 
> 
> 
> At this point we are still confident that dot1x based auth is still the 
> best way to go for users accessing our wifi, though this discussion has 
> certainly opened my eyes a lot.
> 
> 
> 
> 
> 
> There's a couple of other reasons though why dot1x (which ever method) 
> does have advantages to us. This may not be relevant to all, and there maybe 
> better/other ways.
> 
> 
> 
> eduroam will break down via other methods, so you'll still need to manage 
> a dot1x service no matter what. Then you have still have calls to SD because 
> the service is now different when you want to use 

Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Philippe Hanset

> On Aug 15, 2017, at 10:47 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> Couple of comments:
>  
> eduroam – using your point of “…most users can access what they want 
> off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. 
> Back in the day, this would facilitate quick access for a visiting educator 
> who may be collaborating with someone locally and needing access to local 
> resources. Today, in age of cloud-based collaboration platforms and access 
> from anywhere, how important is eduroam over an open wifi network? With few 
> exceptions, all the visitor needs is Internet access. eduroam doesn’t add 
> value here, but does add complexity to manage.


I will not argue against Open WiFi networks… I miss them big time !
(and I’m not talking about those pesky ones that make you watch an 
advertisement and/or shut off after 30 minutes)

eduroam was created in Europe because many states have non-competitive 
requirements for Internet Access.
A state provided resource cannot always be shared with the general public in 
many countries, and eduroam is an acceptable solution to their regulators.
If I remember well some states in the US (or even Local Gov) have similar 
requirements.

With the other various legal requirements that we face in the US (DMCA, CALEA, 
…) it seems that eduroam answers at least a few of them
and allows schools to give instant access to visiting Faculty/Staff/Students 
without having to bug those users for local sponsored accounts.

Which CIO will let you have an Open WiFi today? 
For a campus in a rural environment, why not. For a campus in a populated city, 
you better hone your bandwidth contract skills,
and the user experience will most likely suffer. 

Rural or not, I still would like an eduroam flag on the map for Antarctica  ;-)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C









**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] EDUROAM PROBLEM RE: [WIRELESS-LAN] Any Stetson University Network Folks on the List? Live problem in progress

2017-08-15 Thread Philippe Hanset
Lee,

To clarify, no eduroam connector is being interrupted due to lack of eduroam 
agreement signature yet.
I did see some hiccups with Stetson’s RADIUS servers connectivity to TLRS1 and 
TLRS2 in the last few days which might explain the connectivity issues with 
their users!

Philippe


Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Aug 15, 2017, at 10:09 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> To close the loop-  This was a case of Stetson needing to re-up their eduroam 
> agreement. 
> 
> Lee
> 
> Lee Badman (mobile)
> 
> On Aug 14, 2017, at 12:18 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
>> Thanks, Darren. I just went through our eduroam logs, and this seems to be 
>> multiple Stetson users without exception and not really anyone else. Hoping 
>> they can see something on their end soon.
>>  
>> Lee Badman | Network Architect 
>> 
>> Certified Wireless Network Expert (#200)
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> 
>> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stobbs, Darren
>> Sent: Monday, August 14, 2017 12:15 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] EDUROAM PROBLEM RE: [WIRELESS-LAN] Any Stetson 
>> University Network Folks on the List? Live problem in progress
>>  
>> Hi Lee,
>>  
>>  
>> I have seen something like this before.
>>  
>> It was related to incoming or outgoing RADIUS attribute filtering – possibly 
>> due to a typo or a character that has not been correctly escaped in the 
>> filter as you often have to use a backslash as an escape character.
>>  
>>  
>> Darren.
>>  
>>  
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
>> Sent: 14 August 2017 16:12
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] EDUROAM PROBLEM RE: [WIRELESS-LAN] Any Stetson 
>> University Network Folks on the List? Live problem in progress
>>  
>> I’ll throw this out there for anyone who may be familiar with similar- all 
>> users from one school are getting this
>>  
>> Aug 14 11:01:10 eduroam2 CSCOacs_Failed_Attempts 850928 2 1 
>> NetworkDeviceName=Faraday London, NetworkDeviceGroups=Device Type:All Device 
>> Types, NetworkDeviceGroups=Location:All 
>> Locations,ServiceSelectionMatchedRule=eduroam user from off campus, 
>> Response={RadiusPacketType=AccessReject; Reply-Message=No response for 
>> @ad.stetson.edu\, Reject from eduroam-US.; 
>> }
>>  
>> The  is me. We’re seemingly getting no response from the home 
>> school’s RADIUS servers, and I’ve not seen that leading “\” before. Lots of 
>> other successful eduroam schools on in our environment though. 
>>  
>> Does this ring bells for anyone? Thankfully, we’ve had many years of zero 
>> problems with eduroam to date.
>>  
>> -Lee
>>  
>>  
>>  
>> Lee Badman | Network Architect 
>> 
>> Certified Wireless Network Expert (#200)
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> 
>> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
>> Sent: Monday, August 14, 2017 10:55 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Any Stetson University Network Folks on the List? 
>> Live problem in progress
>>  
>> If anyone from Stetson University is around, ple
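The log triage described in the quoted thread above (going through the eduroam logs and finding that the "No response" rejects all belong to one home realm), as an added example that is not part of any list member's post. The sample lines are constructed on the shape of the quoted log line; the realms, user names, device name and function names are placeholders and assumptions.

```python
import re
from collections import defaultdict

# Reply-Message shape taken from the log line quoted in the thread:
#   Reply-Message=No response for <user>@<realm>\, Reject from eduroam-US.;
# The user part may be empty when a poster has redacted it.
NO_RESPONSE = re.compile(
    r"Reply-Message=No response for (?P<user>[^@\s]*)@(?P<realm>[A-Za-z0-9.-]+)"
)
ACCESS_REJECT = "RadiusPacketType=AccessReject"


def _sample(ts, reply):
    """Build one constructed log line in the shape of the quoted one."""
    return (f"Aug 14 {ts} eduroam2 CSCOacs_Failed_Attempts 850928 2 1 "
            "NetworkDeviceName=AP-Example, "
            "ServiceSelectionMatchedRule=eduroam user from off campus, "
            "Response={RadiusPacketType=AccessReject; Reply-Message="
            + reply + "; }")


# Constructed sample data (placeholder realms and users, not real logs).
SAMPLE_LINES = [
    _sample("11:01:10", r"No response for user1@ad.example-a.edu\, Reject from eduroam-US."),
    _sample("11:01:42", r"No response for user2@ad.example-a.edu\, Reject from eduroam-US."),
    _sample("11:02:05", r"No response for user3@AD.example-a.edu\, Reject from eduroam-US."),
    _sample("11:03:17", r"No response for user9@example-b.org\, Reject from eduroam-US."),
    _sample("11:04:00", "constructed unrelated reject text"),
]


def no_response_by_realm(lines):
    """Map each home realm to the set of users whose requests got no answer."""
    users = defaultdict(set)
    for line in lines:
        if ACCESS_REJECT not in line:
            continue
        match = NO_RESPONSE.search(line)
        if match:
            realm = match.group("realm").rstrip(".").lower()
            users[realm].add(match.group("user").lower())
    return dict(users)


def unreachable_realms(lines, min_users=2):
    """Realms where several distinct users got 'No response'.

    Many users of one realm failing the same way points at that realm's
    RADIUS servers, or the path to them, rather than at one user's
    credentials or device.
    """
    hits = no_response_by_realm(lines)
    return sorted(realm for realm, users in hits.items() if len(users) >= min_users)


if __name__ == "__main__":
    for realm in unreachable_realms(SAMPLE_LINES):
        print("check home RADIUS reachability for", realm)
```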

Re: [WIRELESS-LAN] Solar Power AP Setup

2017-07-26 Thread Philippe Hanset
Jimmy,

We did such a project many years ago for a Gazebo fed through a point to point 
from a building.
It even worked at night during the winter (Latitude: Tennessee).

Here is a link with photos of the equipment.
The solar Panels have a Voltage of 12V and most APs these days can take 12V 
(our project was based on a Proxim AP-4000 that required 5V, hence the voltage 
converter).
So: solar panel 12V, AP 12V, Lead Battery 12V…all you need is a regulator 
between the Solar Panel and the battery!

https://flic.kr/ps/QgoiX

Philippe


Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Jul 26, 2017, at 12:21 PM, James Helzerman <jarh...@umich.edu> wrote:
> 
> Hi.  Thanks unfortunately this is a solar research project and solar is a 
> required component.  Additionally the UM owned lighting has a single photo 
> sensor on a nearby building that provides power to the lights.  Even with 
> intermittent power charging the batteries at night will work, the concept we 
> are looking at is solar based.  Call it being green :)
> 
> -Jimmy
> 
> On Wed, Jul 26, 2017 at 11:02 AM, Mike King <m...@mpking.com> wrote:
> Just another comment that solar might not be the best application.
> I see in the archives you run Cisco.
> 
> Cisco has a whole line of outdoor Mesh AP's, that mount on streetlights, and 
> tap the power from the streetlight.  You unscrew the solar eye (the thing 
> that turns the light off during the day) plug in the streetlight tap, and 
> then plug the solar eye back into the tap.  
> Picture:
> http://www.cisco.com/c/dam/en/us/td/i/21-30/280001-29/281001-282000/281939.eps/_jcr_content/renditions/281939.jpg
> Taken from page:
> http://www.cisco.com/c/en/us/td/docs/wireless/access_point/1550/installation/guide/1550hig/1550_ch2.html#36695
> 
> There are a few that have been up for almost 10 years now around my place.
> Google street view:
> https://www.google.com/maps/@41.989591,-70.9755743,3a,75y,19.01h,99.29t/data=!3m6!1e1!3m4!1sB2yFva3dugadtFxyzEkoRg!2e0!7i13312!8i6656
> 
> We pay a rental fee to the power company to "rent" their street lamp, and 
> it includes power.
> 
> 
> 
> On Wed, Jul 26, 2017 at 7:24 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> We have not done bus stops but we have a couple of battery powered mobile 
> packs using Aruba RAP-155 with cellular backhaul. We aimed for 10 hour 
> battery life. In reality, the laptops people were using ran out of battery 
> before the mobile pack. These were originally designed with Aruba RAP-5WN on 
> 2.4 GHz. This is a 12 volt system
> 
>  
> 
> We also have several highway coach buses using Aruba RAP-3 connected to the 
> router & cellular backhaul in the bus. Our main caution is to be sure to pick 
> an appropriate data plan. A bus full of athletes can burn through a lot of 
> data! This uses an inverter in the bus but I believe the RAP-3s we are using 
> are 48 volt.
> 
>  
> 
> Both systems set up an  IPsec Tunnel across the Internet to our wireless 
> controller.
> 
>  
> 
> Bruce Osborne
> 
> Senior Network Engineer
> 
> Network Operations - Wireless
> 
>  (434) 592-4229
> LIBERTY UNIVERSITY
> 
> Training Champions for Christ since 1971
> 
>  
> 
> From: James Helzerman [mailto:jarh...@umich.edu] 
> Sent: Tuesday, July 25, 2017 3:33 PM
> Subject: Solar Power AP Setup
> 
>  
> 
> Has anyone used or currently have any access points powered by solar panels?  
> I am looking at doing a few proof of concepts at some bus stops to try and 
> provide connectivity for those waiting for the bus.  I am interested with the 
> following particular questions but please add any comments or suggestions you 
> may have.
> 
>  
> 
> Questions:
> 
>  
> 
> What make/model solar system do you have?
> 
>  
> 
> What APs and antennas are you using?
> 
>  
> 
> What are the power ratings of the solar system (12v, 48v, 120v, wattage, 
> etc.)?
> 
>  
> 
> How does the AP connect to the power such as a power injector running 120v, 
> direct connect via DC, DC-to-DC con

Re: [WIRELESS-LAN] eduroam AUP question

2017-07-11 Thread Philippe Hanset
All,

The AUP is for your own users to inform them about the rules of eduroam before 
they travel. The intent is certainly not for a splash page for eduroam guests 
coming on campus since it will hamper the concept of automatic connectivity to 
the SSID. 

Thank you,

Philippe

Philippe Hanset
anyroam.net


> On Jul 11, 2017, at 5:10 PM, Knutson, Ryan <ryan.knut...@sdstate.edu> wrote:
> 
> It does not appear they strictly enforce this, but we do have a splash page 
> in front of our eduroam for this purpose.  I believe the spirit of the 
> statement is to incorporate if possible, but that is my assumption.
>  
> Ryan Knutson
> Assistant Vice President for Technology
>  
> Division of Technology & Security
> Morrill 208, Box 2201
> Brookings, SD 57007
> Phone: 605-688-4988
>  
> www.sdstate.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Elizabeth Shannon
> Sent: Tuesday, July 11, 2017 3:56 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] eduroam AUP question
>  
> Section 3.3.7 of the Internet2 eduroam connector Agreement, states “Connector 
> used reasonable efforts to ensure that such employee or Student IdP User 
> acknowledged the AUP”.  I would like to know other institutions are meeting 
> this requirement. We offered K-State branded SSIDs, eduroam, and Guest; users 
> do not have to acknowledge terms of service or accept an AUP. Thanks.
>  
> -- 
> Elizabeth Shannon, CIPT
> Kansas State University
> Information Security and Compliance
> 785.532.2540
>  




Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset
At least with carriers you will know for sure that you have no expectation of 
privacy. 

> http://clark.com/technology/how-opt-out-verizons-super-cookie-tracking/



> On Apr 28, 2017, at 8:12 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:
> 
> Philippe,
>  
> This statement, “each user that uses eduroam has a verified affiliation with 
> a University/College somewhere in the world” while sort of true, is also 
> meaningless. There are numerous universities out there that grant identities 
> to anyone in their local community for the sake of services like the library 
> and wireless.  There is certainly a loose affiliation, but that in no way 
> means the university has vetted that person or would attest to anything more 
> than they filled out a form i.e. the fact that they have credentials doesn’t 
> in any way add to the “eduroam is vastly superior” claim.
>  
> Trust – Sure, we need to trust each other, and that’s why we have mechanisms 
> to do so such as federation. That’s only one part of the trust, and in the 
> case of eduroam, what requirements are there concerning how client data will 
> be handled as it terminates and transverses a participating college’s 
> network? A campus is free to record all activity, from DNS records, URLs, 
> flows, etc. And that’s the rub with eduroam. A member of my community has 
> knowledge of our AUP and what we collect as part of normal network operation. 
> When they auto-roam to another campus’ eduroam, there is no disclosure as to 
> how it operates. The user falsely assumes it’s the same as the home campus.
>  
> As for Passpoint/HT2.0, with its wider adoption, it will be interesting to 
> see if universities accomplish this via eduroam or/and via affiliations with 
> existing cellular or network providers, especially if there is a way to 
> monetize the university’s wifi network. I’d rather get paid by Verizon for 
> allowing a student’s Verizon cell phone access to our network, than to 
> provide that service for free via eduroam.
>  
> Jeff
>  
> From: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Philippe Hanset 
> <phan...@anyroam.net>
> Reply-To: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Friday, April 28, 2017 at 2:51 PM
> To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>  
>  
> On Apr 28, 2017, at 3:49 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
>  
> Philippe,
>  
> I’m not arguing the “convenience factor” or OTA encryption, which eduroam 
> certainly provides, just that users (and universities advocating for it) 
> shouldn’t blindly trust it any more, or less, than any other guest network. 
>  
>  
> Jeff,
>  
> eduroam is authenticated and each user that uses eduroam has a verified 
> affiliation with a University/College somewhere in the world. Each NRO signs 
> an agreement, and each NRO makes
> each school agree to RADIUS logs holding and other privacy features. How is 
> this “little behind it”?
>  
> eduroam is vastly superior to other guest networks, unless you require direct 
> identification with an ID at the help desk to join Wi-Fi (and even IDs can be 
> very fake).
>  
> The same way that schools trust other directory services with Shibboleth or 
> even transcripts, at one point we have to rely on the fact that other members 
> of our community are on an acceptable standard
> that we can relate to make our lives easier and save time for all of us.
>  
> We do not ask schools to make it the primary SSID, most decide that it makes 
> more sense. It is simpler to make users be ready to travel and reduces SSID 
> confusion.
> As I mentioned earlier, users still need to be reminded that eduroam allows 
> them to connect around the world. Having eduroam as the main SSID is not 
> sufficient.
>  
> Having a local secure SSID is still very useful especially when there are 
> potential eduroam conflicts due to schools’ proximity.
> But this will soon be a moot point when Passpoint/HT2.0 becomes predominant.
> You will be able to welcome many roaming communities on your network and even 
> set your own preference for your clients to avoid
> "SSID conflicts" when same SSIDs advertised by different locations conflict 
> with each other (the client will always prefer the network from its own 
> school)
>  
> Philippe
>  
>  
>  
>  
>  
>  
>  
> 
> 
>  
> You touch on my concern with this statement, “Most Schools tend to give more 
> privileges/bandwidth to eduroam because 

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset
Curtis et al.,

You can mitigate the PEAP/EAP-TTLS password issue by using an installer.

In the case of CAT (cat.eduroam.org, free to eduroam 
connectors), a profile will be created that will lock the infrastructure 
certificate.
If a user is presented with a fake eduroam SSID, nothing will happen, no 
certificate option will be presented.

You can push the privacy and security one step further by enforcing the outer 
identity as anonymous@domain (an option in the CAT installer).
Then in your RADIUS only accept outer identities of the form anonymous@domain 
for your school (probably only available in FreeRADIUS and RADIATOR). This will 
give privacy for your users when they travel
and also prevent them from entering manually their own credentials, unless they 
can manually configure their 802.1X supplicant with the outer identity of 
anonymous@domain.
At this point, it is a user trying to be hacked ;-)

Also, even EAP-TLS doesn’t prevent a user from manually selecting an evil twin 
SSID.
If a user from a school is not configured for an SSID at all on an EAP-TLS 
campus and decides to manually select an SSID,
that user will be prompted for username and password. If that SSID is an evil 
twin, credentials will be captured. 
We have seen at UTK all kinds of passwords coming by on our valid 
WPA2-enterprise SSIDs, including Google and others.
Check your RADIUS logs, it’s amazing!

Even with EAP-TLS, a good amount of education, every year, is still the best!

Philippe





> On Apr 28, 2017, at 4:16 PM, Curtis K. Larsen  
> wrote:
> 
> It matters to your PEAP user that might lose his credentials while connecting 
> to our network on our property even though he was told it was a "secure" 
> connection.  I'm talking about preventing the attack to the degree possible 
> by not providing a service that incorporates the vulnerable component in the 
> first place.  
> 
> I'm simply saying that before we added eduroam to our collection of ESSID's - 
> we did not have to worry about that specific issue because we controlled the 
> whole service end-to-end.  We've been running eduroam for like 5-6 years but 
> with that eduroam ESSID - there are additional ramifications.  Yes an EAP-TLS 
> issue could arise but if/when it does I can change all of the service 
> (including the EAP type used) for my own ESSID where my reach only extends so 
> far with eduroam.
> 
> Also, 5-6 years ago I was not aware of a non-eduroam method to allow guests 
> to quickly provision for EAP-TLS, but now I am.  It is easy to provision 
> guests off the street with EAP-TLS connections today and I can reach a much 
> larger portion of the population than has eduroam credentials (at least so 
> far).
> 
> Thanks,
> 
> Curtis
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of Hunter Fuller 
> 
> Sent: Friday, April 28, 2017 12:39 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
> 
> Curtis,
> 
> That makes sense. But, if a user set up an evil twin on your campus, it would 
> not matter, because you are using EAP-TLS, right? So you're not vulnerable to 
> the attack where a user's credentials might be exposed.
> 
> If they wanted to exploit some other flaw that can be exploited via evil 
> twin, they could still do it to your branded network.
> 
> It is also possible that I am totally misinformed on this, because we run 
> PEAP, so it's a totally different beast with different mitigations.
> 
> On Fri, Apr 28, 2017 at 10:17 AM Curtis K. Larsen 
> > wrote:
> I guess it boils down to an attacker being less likely to setup a fake 
> AP/evil twin on the property of an institution that does not support PEAP vs. 
> one that does.
> 
> -Curtis
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> >
>  on behalf of Hunter Fuller >
> Sent: Friday, April 28, 2017 8:51 AM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
> 
> I'm still not sure I follow.
> 
> It sounds like, in your current config, you have your constituents use 
> EAP-TLS, and cannot use PEAP. Meanwhile your visitors use whatever their home 
> institution offers.
> 
> If you ran with only the eduroam ESSID, you could run with the same config. 
> Your constituents are unable to use PEAP, and must use EAP-TLS home and 
> abroad. At the same time, your visitors continue to use whatever their home 
> institution offers. This is a viable config.
> 
> I understand keeping two ESSIDs for branding though of course. 
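The outer-identity rule described in the message above (for your own realm, accept only anonymous@domain as the outer identity), sketched as an added example. It is not code from the post, from CAT, or from FreeRADIUS or RADIATOR; `example.edu`, the sample requests and the function names are assumptions made for illustration.

```python
HOME_REALM = "example.edu"   # assumption: placeholder for your own realm
ANON_LOCAL = "anonymous"     # local part that the installer profile enforces


def split_identity(user_name):
    """Split an outer identity (RADIUS User-Name) into (local part, realm)."""
    local, sep, realm = user_name.strip().rpartition("@")
    if not sep:
        return user_name.strip(), ""
    return local, realm.lower()


def decide(user_name, home_realm=HOME_REALM):
    """Return 'accept', 'proxy' or 'reject' for one outer identity.

    - no realm: reject, a federated request cannot be routed without one
    - foreign realm: proxy, that realm's own servers apply their own policy
    - home realm: accept only the anonymous outer identity, so a hand-typed
      configuration that puts the real user name in the outer identity
      never reaches the inner authentication
    """
    local, realm = split_identity(user_name)
    if not realm:
        return "reject"
    if realm != home_realm:
        return "proxy"
    if local.lower() == ANON_LOCAL:
        return "accept"
    return "reject"


def exposed_usernames(requests, home_realm=HOME_REALM):
    """Home-realm outer identities that reveal a real account name.

    These are the users to point at the installer: their supplicant was
    configured by hand and sends the account name in the clear to every
    network they visit.
    """
    exposed = set()
    for user_name in requests:
        local, realm = split_identity(user_name)
        if realm == home_realm and local.lower() != ANON_LOCAL:
            exposed.add(f"{local.lower()}@{realm}")
    return sorted(exposed)


# Constructed sample outer identities (placeholders, not real users).
SAMPLE_REQUESTS = [
    "anonymous@example.edu",          # installer-provisioned home user
    "jdoe@example.edu",               # home user who configured by hand
    "anonymous@visitor.example.org",  # visitor, handled by the visitor's realm
    "asmith@visitor.example.org",     # visitor; their realm's policy applies
    "jdoe",                           # no realm at all
]

if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(f"{name:32} -> {decide(name)}")
    print("needs re-provisioning:", exposed_usernames(SAMPLE_REQUESTS))
```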

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset

> On Apr 28, 2017, at 3:49 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> Philippe,
>  
> I’m not arguing the “convenience factor” or OTA encryption, which eduroam 
> certainly provides, just that users (and universities advocating for it) 
> shouldn’t blindly trust it any more, or less, than any other guest network. 


Jeff,

eduroam is authenticated and each user that uses eduroam has a verified 
affiliation with a University/College somewhere in the world. Each NRO signs an 
agreement, and each NRO makes
each school agree to RADIUS logs holding and other privacy features. How is 
this “little behind it”?

eduroam is vastly superior to other guest networks, unless you require direct 
identification with an ID at the help desk to join Wi-Fi (and even IDs can be 
very fake).

The same way that schools trust other directory services with Shibboleth or 
even transcripts, at one point we have to rely on the fact that other members 
of our community are on an acceptable standard
that we can relate to make our lives easier and save time for all of us.

We do not ask schools to make it the primary SSID, most decide that it makes 
more sense. It is simpler to make users be ready to travel and reduces SSID 
confusion.
As I mentioned earlier, users still need to be reminded that eduroam allows 
them to connect around the world. Having eduroam as the main SSID is not 
sufficient.

Having a local secure SSID is still very useful especially when there are 
potential eduroam conflicts due to schools’ proximity.
But this will soon be a moot point when Passpoint/HT2.0 becomes predominant.
You will be able to welcome many roaming communities on your network and even 
set your own preference for your clients to avoid
"SSID conflicts" when same SSIDs advertised by different locations conflict 
with each other (the client will always prefer the network from its own school)

Philippe








>  
> You touch on my concern with this statement, “Most Schools tend to give more 
> privileges/bandwidth to eduroam because it is a community of trust.” 
>  
> eduroam should in no way be considered “…a community of trust” as there is 
> little behind it to guarantee as such. In promoting it across EDUs, and 
> making it the primary SSID, universities are certainly making it appear as if 
> it is to those using it, but it’s an illusion. No matter how it’s painted, at 
> the end of the day it’s still an unregulated, multi-ISP, guest network.
>  
> I’m not arguing against broadcasting eduroam (which my campus does), or its 
> convenience for guests, just don’t hold it up as something it’s not.
>  
> Jeff
>  
>  
> From: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Philippe Hanset 
> <phan...@anyroam.net>
> Reply-To: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Friday, April 28, 2017 at 11:14 AM
> To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>  
>  
> Jeff,
> 
> 
>  
> Why do I say this?
> · Organization - A university can’t assume and/or guarantee that 
> “eduroam” is administered at another campus in the same way that it is at 
> home. There is no guarantee of privacy, be it the data collected during 
> authentication/authorization, or information being sent/received by the 
> client while traversing the other organization’s network. There is no 
> guarantee user data won’t be sold, studied, or otherwise used as the 
> organization terminating the client’s connection sees fit. eduroam is a name 
> only. 
> · User – Assumption that “eduroam” away from their home campus is the 
> same as “eduroam” at another organization. Assumption that there is the same 
> level of data security, privacy, or other safeguards/guarantees as provided 
> at home. Assumption that the same resources are available. Assumption 
> “eduroam’ out in the world is superior than connecting to an open network.
>  
>  
> Connecting to eduroam is superior to connecting to an open network for at 
> least 4 reasons:
> (other may add to the pile)
>  
> 1-No wasted time “hunting” for an SSID that who knows what it is in a list 
> that is larger every day (especially for Urban Campuses)
> 2 -If the network is accepting your RADIUS infrastr

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset
carriers might be an issue, but we suffer the same 
with our Cellphones already.
Privacy and Net Neutrality is at stake every day.

Hope this helps,

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C

> Jeff
>  
>  
> From: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>> on behalf of Marcelo Maraboli 
> <marcelo.marab...@uc.cl <mailto:marcelo.marab...@uc.cl>>
> Organization: UC
> Reply-To: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>>
> Date: Thursday, April 20, 2017 at 2:16 PM
> To: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>>
> Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)
>  
> Hello everyone.
> 
> We are finally adopting EduROAM in our University and we currently have one
> SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x 
> upgrade
> for us as well.
> 
> Would you be so kind as to respond to a couple of questions?:
> 
> 
> If you adopted EduROAM as your primary SSID:
> - Did you leave an SSID for legacy devices ? (What AUTH mechanism for this 
> SSID?)
> - How did you "force-move" your users to EduROAM from your old SSID ?
> 
> If you added EduROAM as just another SSID:
> - why not adopt EduROAM as your primary SSID ?  (Branding or no interest? )
> - Is your primary SSID also 802.1x or MAC-based ?
> - if 802.1x, why have 2 SSIDs with 802.1x ? 
> 
> 
> thank you all,
> 
> -- 
> Marcelo Maraboli Rosselott
> Subdirector de Redes y Seguridad
> Dirección de Informática
> Pontificia Universidad Católica de Chile
> http://informatica.uc.cl/ <http://informatica.uc.cl/>
> --
> Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
> Santiago, Chile
> Teléfono: (56) 22354 1341
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found 
> at http://www.educause.edu/discuss <http://www.educause.edu/discuss>.
> 





Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-24 Thread Philippe Hanset
All,

I recently did a presentation to the business school at University of 
Tennessee. UT uses eduroam as the only secure SSID. They all knew about 
eduroam. And when I asked the audience of 60 or so students how many knew that 
it works seamlessly around the world, only 3 students raised their hands! 
Professors knew about it but not students. In your outreach campaign/material 
please make sure to emphasize the roaming aspect. It seems to be easily 
forgotten over time.

Thanks,

Philippe

Philippe Hanset
www.anyroam.net
www.eduroam.us

> On Apr 24, 2017, at 12:11 PM, Trinklein, Jason R <trinkle...@cofc.edu> wrote:
> 
> We are in the process of migrating to eduroam as our primary SSID also. We 
> introduced eduroam to our campus in August 2016. Our original college-branded 
> secure wireless network was already 802.1x, so we don’t need to worry about 
> supporting legacy devices by holding back a legacy SSID. We did some 
> advertising in multiple school publications when eduroam was first turned on, 
> but we still only saw 1-2% of our users on eduroam.
>  
> We are migrating from our college-branded SSID to eduroam for a few reasons:
> - The two networks are functionally identical since we are using dynamic VLAN 
> assignment
> - We can clean up wireless SSID broadcast packets by reducing the SSID count
> - Migration to a single eduroam SSID seems to be the trend in higher education
> - Ensures that the college community is in a position to take advantage of 
> eduroam, since without its wide adoption in this manner, few people would 
> know it was there.
>  
> We have a 9 step approach for migrating to eduroam:
> 1.   Notify IT personnel and helpdesk about the change
> 2.   Update onboarding tools to onboard to eduroam instead of 
> college-branded SSID
> 3.   Creation of eduroam informational website, videos, and tutorials
> 4.   Campus-wide poster advertisement campaign
> 5.   Campus-wide email advertisement campaign
> 6.   Captive portal on college-branded SSID notifying users of upcoming 
> change
> 7.   Stop broadcast of college-branded SSID
> 8.   Captive portal on college-branded SSID with no internet access, 
> notifying users they must switch to eduroam
> 9.   Disable the college-branded SSID
>  
> We expect to reach step 9 by December-January, so it’s a 10 month 
> transitional plan. Hopefully it introduces the least amount of confusion and 
> interruption to wireless service and experience.
>  
> Our current challenges are supporting Active-Directory member computers on 
> eduroam, since the domain username doesn’t comply with eduroam username 
> formatting requirements (with the appended @domain.edu). First, the 
> FreeRADIUS server dumps any authentications without @domain.edu, and domain 
> systems’ machine accounts authenticate with a host/systemname format. I 
> introduced conditionals in the FreeRADIUS configuration to allow 
> authentication if the username begins with host/. This allows uncached user 
> logins from Windows by allowing the machine to associate with eduroam, 
> pre-login. Presently, we’re working on getting Mac domain-joined systems to 
> work correctly, since they try to join the wireless network with the same 
> username of the person who logged in, which often lacks the @domain.edu 
> appendage. We are investigating script options to programmatically remediate 
> the issue instead of relying on workforce re-education on login procedure.
>  
> -- 
> Jason Trinklein
> Wireless Engineering Manager
> College of Charleston
> 81 St. Philip Street | Office 311D | Charleston, SC 29403
> trinkle...@cofc.edu | (843) 300–8009
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Marcelo Maraboli 
> <marcelo.marab...@uc.cl>
> Organization: UC
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Thursday, April 20, 2017 at 5:16 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)
>  
> Hello everyone.
> 
> We are finally adopting EduROAM in our University and we currently have one
> SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x 
> upgrade
> for us as well.
> 
> Would you be so kind as to respond to a couple of questions?:
> 
> 
> If you adopted EduROAM as your primary SSID:
> - Did you leave an SSID for legacy devices ? (What AUTH mechanism for this 
> SSID?)
> - How did you "force-move" your users to EduROAM from your old SSID ?
> 
> If you added EduROAM as just another SSID:
> - why n

Re: [WIRELESS-LAN] EDUROAM Service Fees Thoughts

2017-04-05 Thread Philippe Hanset
All,

Trying to clarify here ...

The eduroam annual fee is included in the Internet2 membership, for members. 
Non-members are charged a fee of 10 cents per student (IPEDS data) with a 
minimum of $400. The one time fee is only applied if you request
a change to the contract (which is being reviewed “as we speak” by many schools 
to make it as compliant as possible).

https://www.incommon.org/eduroam/subscribe.html

We (ANYROAM and Internet2) have been announcing since March 2014 that a fee for 
eduroam was coming. Every connector has been informed about this fee starting 
in March 2014 and has been asked to acknowledge
this coming fee. Internet2 is only charging back for 2016, not for any other 
year. 
This fee is designed to make the service sustainable. Since 2012, Internet2 and 
ANYROAM have been sponsoring and supporting the service without any fee and 
from 2009 till 2012 we (employees of ANYROAM) 
have supported the service from University of Tennessee.

Thank you for your support of eduroam for all these years,

Philippe

Philippe Hanset
www.anyroam.net
+1 (865) 236-0770

GPG key id: 0xF2636F9C

> On Apr 5, 2017, at 5:27 PM, Chuck Anderson <c...@wpi.edu> wrote:
> 
> My understanding is that there are no recurring fees for Internet2
> members, just a one-time registration fee.
> 
> On Wed, Apr 05, 2017 at 09:21:08PM +, McClintic, Thomas wrote:
>> Good Afternoon,
>> 
>> We have not yet implemented EDUROAM, but began looking into it as it was 
>> part of our Internet2 subscription. It now appears that they have changed 
>> the service to have an annual fee, plus price per enrolled student.
>> 
>> Our feelings are that implementing now with an added fee does not seem 
>> likely. We have done without the service this long and our faculty/students 
>> are not using it, so no disconnect of services for them.
>> 
>> I wanted to know others' feelings on the subject. Do you plan to continue with 
>> the service given the prorate charged back of 2016? Are you segmenting 
>> campus visitors from other institutions away from your users, and could this 
>> not be accomplished with a guest network? Do you feel the cost of the 
>> service is reasonable given the use your institution has?
>> 
>> Thank you for any responses!
>> 
>> TJ McClintic
> 





Re: [WIRELESS-LAN] SSID names

2017-02-22 Thread Philippe Hanset
Rodolfo et al.,

I should have pointed out some statistics on my previous post.
If you look at www.eduroam.us > members > eduroam-US Statistics, scroll down to 
preferred SSID (or https://www.eduroam.us/node/5)
You will see that out of the institutions that have reported their status, 162 
out of about 450 :( , 34% are using eduroam as their preferred SSID.
We cannot tell if institutions are using eduroam as their main SSID unless they 
report it on our website!

All, If you run eduroam for your campus, please please please head to eduroam.us 
to update your status (admin login, edit, miscellaneous info). It helps the 
entire community to know what other schools do.

Thank you,

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C

> On Feb 21, 2017, at 6:33 PM, Rodolfo Nunez <rnu...@barnard.edu> wrote:
> 
> We have two SSIDs:
> Barnard Secure
> Barnard Guest
> 
> I think they are self explanatory but I could be wrong. I like the idea of 
> just using eduroam (instead of secure) but I don't see that "trending".
> 
> Rodolfo
> 
> -- 
> Rodolfo Nunez
> Director, IT Infrastructure
> Barnard College, Columbia University
> 212-854-1319
> rnu...@barnard.edu <mailto:rnu...@barnard.edu>
> www.barnard.edu/bcit <http://www.barnard.edu/bcit>
> On Tue, Feb 21, 2017 at 5:45 PM, Philippe Hanset <phan...@anyroam.net 
> <mailto:phan...@anyroam.net>> wrote:
> I plead guilty.
> 
> When I was at University of Tennessee, we turned eduroam on (back in 2005-06) 
> and did very little to inform the community.
> Classic Technologists believing that the service was so awesome that users 
> would look into this formidable extra SSID with this beautiful self 
> explanatory name. Yeah right!
> Many years later we informed the community (news, email etc.), and very few 
> people joined it anyway. Most of them were confused between UT-WPA2 and 
> eduroam.
> 
> This summer UTK reduced their SSIDs to just two (big Bravo to the IT group): 
> UT-Open (MAC address Auth and Guests) and eduroam. There is little need to 
> advertise eduroam or explain why there are two secure SSIDs.
> It just works, users are enabled for millions of Access-Points in one setup. 
> Most of the filtering for local users VS visitors is done via domains and 
> VLANs.
> 
> As Jonathan pointed out: ask your users. 
> 
> Philippe
> 
> 
> Philippe Hanset, CEO
> www.anyroam.net <http://www.anyroam.net/>
> www.eduroam.us <http://www.eduroam.us/>
> +1 (865) 236-0770 <tel:(865)%20236-0770>
> 
> GPG key id: 0xF2636F9C
> 
>> On Feb 21, 2017, at 5:23 PM, Jonathan Waldrep <wald...@vt.edu 
>> <mailto:wald...@vt.edu>> wrote:
>> 
>> 1. eduroam: primary wireless network
>> 2. VirginiaTech: captive portal / mac auth for everything else:
>> - Guest (sponsored and self sponsored)
>> - web auth for affiliates
>> - registered devices that don't do .1x
>> - onboarding to eduroam
>> 
>> We decided that a 2 SSIDs setup was the clearest approach. You can 
>> communicate far more in a web page (captive portal) than in an SSID. Also, 
>> if all choices are a correct one, then users are more likely to choose a 
>> correct choice.
>> 
>> Because of the many roles of the secondary network, it was better to 
>> communicate who was providing the network rather than the role of the 
>> network.
>> 
>> Regardless of what you or your governance bodies think is a good SSID, ask 
>> your users. Send out a survey with a list of possible networks and ask them 
>> which one they would be most likely to choose, which one they most easily 
>> associate with the institution, and which one they trust the most. We did 
>> this, and the answer was clear.
>> 
>> --
>> Jonathan Waldrep
>> Network Engineer
>> Network Infrastructure and Services
>> Virginia Tech
>> 
>> On Tue, Feb 21, 2017 at 4:06 PM, Adam T Ferrero <a...@temple.edu 
>> <mailto:a...@temple.edu>> wrote:
>> 
>>   These have served us pretty well.  We only have a mac auth SSID in our 
>> residence halls.  Occasionally it would be useful to have it everywhere but 
>> we don't currently.
>> 
>> TUsecurewireless   WPA2 enterprise which gives different access levels (staff, student, guest)
>> TUguestwireless    Open for onboarding (SMS text credentials)
>> eduroam            Guest like access for anyone
>> 
>>   Adam
>> 
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto

Re: [WIRELESS-LAN] SSID names

2017-02-21 Thread Philippe Hanset
I plead guilty.

When I was at University of Tennessee, we turned eduroam on (back in 2005-06) 
and did very little to inform the community.
Classic Technologists believing that the service was so awesome that users 
would look into this formidable extra SSID with this beautiful self explanatory 
name. Yeah right!
Many years later we informed the community (news, email etc.), and very few 
people joined it anyway. Most of them were confused between UT-WPA2 and eduroam.

This summer UTK reduced their SSIDs to just two (big Bravo to the IT group): 
UT-Open (MAC address Auth and Guests) and eduroam. There is little need to 
advertise eduroam or explain why there are two secure SSIDs.
It just works, users are enabled for millions of Access-Points in one setup. 
Most of the filtering for local users VS visitors is done via domains and VLANs.

As Jonathan pointed out: ask your users. 

Philippe


Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C

> On Feb 21, 2017, at 5:23 PM, Jonathan Waldrep <wald...@vt.edu> wrote:
> 
> 1. eduroam: primary wireless network
> 2. VirginiaTech: captive portal / mac auth for everything else:
> - Guest (sponsored and self sponsored)
> - web auth for affiliates
> - registered devices that don't do .1x
> - onboarding to eduroam
> 
> We decided that a 2 SSIDs setup was the clearest approach. You can 
> communicate far more in a web page (captive portal) than in an SSID. Also, if 
> all choices are a correct one, then users are more likely to choose a correct 
> choice.
> 
> Because of the many roles of the secondary network, it was better to 
> communicate who was providing the network rather than the role of the network.
> 
> Regardless of what you or your governance bodies think is a good SSID, ask 
> your users. Send out a survey with a list of possible networks and ask them 
> which one they would be most likely to choose, which one they most easily 
> associate with the institution, and which one they trust the most. We did 
> this, and the answer was clear.
> 
> --
> Jonathan Waldrep
> Network Engineer
> Network Infrastructure and Services
> Virginia Tech
> 
> On Tue, Feb 21, 2017 at 4:06 PM, Adam T Ferrero <a...@temple.edu 
> <mailto:a...@temple.edu>> wrote:
> 
>   These have served us pretty well.  We only have a mac auth SSID in our 
> residence halls.  Occasionally it would be useful to have it everywhere but 
> we don't currently.
> 
> TUsecurewireless   WPA2 enterprise which gives different access levels (staff, student, guest)
> TUguestwireless    Open for onboarding (SMS text credentials)
> eduroam            Guest like access for anyone
> 
>   Adam
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Michael Dickson
> Sent: Tuesday, February 21, 2017 4:02 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] SSID names
> 
> eduroam  (our only 802.1x offering)
> UMASS  (open, CP, primarily for guests)
> UMASS-DEVICES  (MAC auth'd device support for non-802.1x capable devices, as 
> allowed by policy)
> 
> Mike
> 
> Michael Dickson
> Network Analyst
> Information Technology
> University of Massachusetts Amherst
> 413-545-9639 
> michael.dick...@umass.edu <mailto:michael.dick...@umass.edu>
> PGP: 0x16777D39
> 
> 
> On 2017-02-21 15:36, Jim Stasik wrote:
> > Hello, I have been encouraged by one of our governance bodies to
> > consider renaming our wireless SSIDs to better match the network names
> > to the function of the networks behind them.  I don’t get it, but
> > maybe I am a little too close to it.  We don’t have any residential on
> > our campuses so have just two primary SSIDs in use on our campus (as
> > well as eduRoam).  One is named Public and is our onboarding/guest
> > network.  The other is our authenticated/secure network which we call
> > MC3Waves and is for all students, staff, faculty and administrators,
> > with 802.1x on the back end to steer the end user to the appropriate
> > role.  We have had these networks around for as long as I can remember
> > (15 years maybe).  I am curious how others are naming and separating
> > the SSIDs in their environment?
> >
> > Thanks in advance,
> >
> > Jim Stasik
> >
> > Director of Enterprise Infrastructure Services
> >
> > Montgomery County Community College
> >
> > jsta...@mc3.edu <mailto:jsta...@mc3.edu>
> >
> > 215.641.6678 
> >

Re: [WIRELESS-LAN] In room WIFI - second example

2017-02-21 Thread Philippe Hanset
I completely agree with the 802.11n approach.
With this approach though, be mindful of the EOL (End Of Life).
That same software that makes that hardware so awesome is also the ultimate 
control mechanism.

Philippe

> On Feb 21, 2017, at 11:08 AM, GT Hill <g...@gthill.com> wrote:
> 
> I’m sure I’m probably going against the grain here, but if I had to choose, 
> I’d buy used 11n APs from an enterprise manufacturer before I’d go 11ac from 
> a “cheaper” manufacturer. Number one, virtually any environment you have will 
> be served just fine with 11n. 
> 
> And to further make my point, the difference between 11ac and 11n for a dorm 
> in wall AP is virtually nothing. Max of 2x2:2, no one should be using 80 or 
> 160 MHz channels (11ac) and MU-MIMO (11ac) basically doesn’t exist in 2x2:2 
> so 11ac (wave 1 or wave 2) features are basically nonexistent or useless in 
> this environment. 
> 
> If I had budget and could afford 11ac, sure, it’s the way to go. But if I’m on 
> a budget, used or discount enterprise 11n hardware will give you great 
> performance. 
> 
> And one more thing; there is absolutely a major difference in performance 
> between a true enterprise manufacturer and an entry level system. In my 
> previous life I ran the team whose entire job was to test gear to see what 
> the limits of APs really were. The more that cheaper gear is pushed (client 
> count, data transfer, etc.) the more they would fail under those loads. 
> 
> GT
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Thomas Carter 
> <tcar...@austincollege.edu <mailto:tcar...@austincollege.edu>>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Date: Tuesday, February 21, 2017 at 8:47 AM
> To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Subject: Re: [WIRELESS-LAN] In room WIFI - second example
> 
> Sorry for the comment spam. I think my ideal is for someone like Aruba, 
> Cisco, etc to have lower cost options that can be mixed in with the better 
> APs.  I want those for the high capacity locations like classrooms, etc and 
> the lower cost options for low usage areas, better density for dorms, etc.
>  
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue 
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu <http://www.austincollege.edu/>
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Philippe Hanset
> Sent: Tuesday, February 21, 2017 9:21 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] In room WIFI - second example
>  
> Thomas et al.,
>  
> For people looking for creative/more affordable systems (not discussing all 
> the drawbacks etc ;-), you could also look at Benu Networks.
> http://benu.net/solutions/ <http://benu.net/solutions/>
>  
> It seems to be based on White Label APs with Open Source code and centrally 
> managed offering.
> (I met their CTO at a conference and it seemed pretty interesting, but I have 
> never tested)
>  
> Has anyone on the list investigated this system?
>  
> Philippe
>  
> Philippe Hanset, CEO
> www.anyroam.net <http://www.anyroam.net/>
> www.eduroam.us <http://www.eduroam.us/>
> +1 (865) 236-0770
>  
>  
>  
> On Feb 21, 2017, at 10:12 AM, Thomas Carter <tcar...@austincollege.edu 
> <mailto:tcar...@austincollege.edu>> wrote:
>  
> Yes, or in some cases, no budget cuts but increased requirements/demands for 
> wireless.
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue 
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu <http://www.austincollege.edu/>
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Ian Lyons
> Sent: Tuesday, February 21, 2017 8:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>
> Subject: Re: [WIRELESS-LAN] In room WIFI - second example
>  
> A better way to ask the question (perhaps?):
>  
> Your budget was cut in half but your requirements of installing/having AC 
> Wireless was not cha

Re: [WIRELESS-LAN] In room WIFI - second example

2017-02-21 Thread Philippe Hanset
Thomas et al.,

For people looking for creative/more affordable systems (not discussing all the 
drawbacks etc ;-), you could also look at Benu Networks.
http://benu.net/solutions/ <http://benu.net/solutions/>

It seems to be based on White Label APs with Open Source code and centrally 
managed offering.
(I met their CTO at a conference and it seemed pretty interesting, but I have 
never tested)

Has anyone on the list investigated this system?

Philippe

Philippe Hanset, CEO
www.anyroam.net <http://www.anyroam.net/>
www.eduroam.us <http://www.eduroam.us/>
+1 (865) 236-0770



> On Feb 21, 2017, at 10:12 AM, Thomas Carter <tcar...@austincollege.edu> wrote:
> 
> Yes, or in some cases, no budget cuts but increased requirements/demands for 
> wireless.
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue 
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu <http://www.austincollege.edu/>
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Ian Lyons
> Sent: Tuesday, February 21, 2017 8:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>
> Subject: Re: [WIRELESS-LAN] In room WIFI - second example
>  
> A better way to ask the question (perhaps?):
>  
> Your budget was cut in half but your requirements of installing/having AC 
> Wireless was not changed?
>  
> Simple answer is something has to give.   I understand your pain.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Thomas Carter
> Sent: Tuesday, February 21, 2017 9:50 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] In room WIFI - second example
>  
> In the example I used below, there wasn’t an FTE to eliminate. There is no 
> way that Meraki, Aerohive, and Ruckus can be cheaper, especially when TCO is 
> concerned. That annual license/controller cost for Meraki and Aerohive 
> wouldn’t be there.
>  
> I guess I’m not making my point well. It seems like most of the responses 
> assume there is enough budget for a top tier solution and this is just about 
> not spending all of it. Imagine your budget for wireless was cut in half. 
> What would you do? 
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue 
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu <http://www.austincollege.edu/>
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Jeffrey D. Sessler
> Sent: Monday, February 20, 2017 3:52 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] In room WIFI - second example
>  
> In the k-12 space, Cisco Meraki, Aerohive, and Ruckus continue to be the big 
> players even in small districts, with others, including Ubiquiti, not making 
> much of a dent. Those solutions also tend to come in at or lower than 
> Ubiquiti.
>  
> One of the drivers for solutions such as Meraki is that from management’s 
> perspective, the cloud-based platform and extensive support channel means you 
> don’t need all those expensive FTE’s to run it, while at the same time 
> gaining many of the enterprise features you care most about. The reduction of 
> even a single FTE costing say $100K per year including benefits purchases a 
> whole lot of additional wireless hardware.
>  
> Jeff 
>  
> From: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Thomas Carter 
> <tcar...@austincollege.edu <mailto:tcar...@austincollege.edu>>
> Reply-To: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listserv.educause.edu>" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
> Date: Monday, February 20, 2017 at 12:08 PM
> To: "wireless-lan@listserv.educause.edu 
> <mailto:wireless-lan@listser

Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-02 Thread Philippe Hanset
Lee,

Let me give the official cost of eduroam:

The cost of eduroam in the US is 10 cents per student per year with a minimum 
of $400 (Number of students reported at National Center for Education 
Statistics, under IPEDS, total student).
The amount is charged to the institution.
https://nces.ed.gov/ipeds/Home/UseTheData

For Internet2 members, eduroam is included with the Internet2 membership 
(different than Internet2 connectors!)
http://www.internet2.edu/communities-groups/members/higher-education/


Philippe


Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us

GPG key id: 0xF2636F9C

> On Feb 2, 2017, at 7:52 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> Got me curious, Bruce. What costs are associated with Eduroam?
> 
> Lee
> 
> Lee Badman
> Network Architect/Wireless TME
> Syracuse University
> 315.443.3003
> 
> -Original Message- 
> From: Osborne, Bruce W (Network Operations) [bosbo...@liberty.edu 
> <mailto:bosbo...@liberty.edu>]
> Received: Thursday, 02 Feb 2017, 7:41
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu> 
> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>]
> Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
> username in RADIUS request?
> 
> We do not use Eduroam (too expensive) but we use RADIUS EAP/PEAP MSCHAPv2 for 
> both machine & user authentication.
>  
> I have only seen the host/  prefix from our OSX clients, not Windows. Perhaps 
> EAP/TLS is different?
>  
>  
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  
>  (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com <mailto:t...@hpe.com>] 
> Sent: Wednesday, February 1, 2017 8:17 PM
> Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
> RADIUS request?
>  
> Sounds like the client is configured for computer authentication, not user. 
> You can change this in the supplicant configuration.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Watters, John
> Sent: Wednesday, February 1, 2017 16:51
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
> username in RADIUS request?
>  
> Let me ask our RADIUS folks about this tomorrow. I'll post whatever I find 
> out.
>  
>  
> ==
> -jcw
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>] on behalf of Scot Colburn 
> [colb...@ucar.edu <mailto:colb...@ucar.edu>]
> Sent: Wednesday, February 01, 2017 5:55 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
> username in RADIUS request?
> 
> Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
> EAP/TLS auth? 
>  
> We've had trouble getting our Windows 10 machines authenticating onto our 
> eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which 
> work:
> 1) if we create a "Manual Profile" then no authentication traffic ever hits 
> the RADIUS server.
> 2) if we do NOT create a manual profile then an authentication request does 
> hit the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
> server rejects the authentication with "host/" prepended; I imagine a roaming 
> user would often have the same issue.
>  
> I have a theory: The eduroam auth requires a "realm" to be appended to the 
> username so eduroam service-providers and federated RADIUS servers know to 
> proxy a roaming RADIUS auth to the correct server. In our case, we append 
> "@ucar.edu" to the username. Maybe that "@ucar.edu" is provoking Windows 10 
> to prepend the "host/" prefix. Authentication to our internal SSID without 
> the "@ucar.edu" is working normally.
>  
> Any clues?
>  
> I think we can build a workaround to rewrite the username on the RADIUS 
> server, but that won't help our roaming eduroam EAP/TLS users if other 
> eduroam service-providers are having the same issue.
>  
> Scot Colburn
> Net
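
The following added example (not from the original posts or from any RADIUS product) classifies RADIUS User-Name values by the "host/" computer-authentication prefix and by realm, the check a home server operator would run over rejected requests. The sample identities are constructed, and rejecting machine identities by default is an assumption that mirrors the server behaviour described in the thread.

```python
"""Triage RADIUS User-Name values the way an eduroam home server could.

Added illustration: the sample identities are constructed, and the policy
(reject machine identities unless allowed) is an assumption of this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

LOCAL_REALM = "ucar.edu"      # realm quoted in the thread
MACHINE_PREFIX = "host/"      # prefix Windows uses for computer authentication
REALM_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


@dataclass(frozen=True)
class Identity:
    raw: str
    kind: str               # "user" or "machine"
    name: str               # user part, or host name with the prefix removed
    realm: Optional[str]    # lower-cased realm, None when absent
    action: str             # "local", "proxy" or "reject"
    reason: str


def classify(user_name: str, local_realm: str = LOCAL_REALM,
             allow_machine: bool = False) -> Identity:
    """Split a User-Name into prefix, name and realm and pick an action."""
    raw = user_name.strip()
    kind, rest = "user", raw
    if raw.lower().startswith(MACHINE_PREFIX):
        kind, rest = "machine", raw[len(MACHINE_PREFIX):]

    # The realm is whatever follows the last "@"; realms compare case-insensitively.
    name, sep, realm_part = rest.rpartition("@")
    if not sep:
        name = rest
    realm = realm_part.lower() if sep else None

    def result(action: str, reason: str) -> Identity:
        return Identity(raw, kind, name, realm, action, reason)

    if kind == "machine" and not allow_machine:
        return result("reject", "computer authentication identity; check the "
                                "supplicant's user/computer setting")
    if realm is None:
        return result("reject", "no realm, so a roaming request cannot be routed")
    if not REALM_RE.match(realm):
        return result("reject", "malformed realm")
    if realm == local_realm.lower():
        return result("local", "home realm")
    return result("proxy", "foreign realm, forward to the federation")


def machine_auth_by_realm(user_names: Iterable[str]) -> Dict[str, int]:
    """Count machine identities per realm ("(none)" when no realm was sent)."""
    counts: Counter = Counter()
    for user_name in user_names:
        ident = classify(user_name)
        if ident.kind == "machine":
            counts[ident.realm or "(none)"] += 1
    return dict(counts)


# Constructed sample of User-Name values, not taken from any real log.
SAMPLE_USER_NAMES = [
    "alice@ucar.edu",
    "bob@Example.ORG",
    "carol",
    "host/LAB-PC-17.ucar.edu",
    "host/lab-pc-22@ucar.edu",
    "host/visitor-laptop@example.org",
]

if __name__ == "__main__":
    for value in SAMPLE_USER_NAMES:
        ident = classify(value)
        print(f"{value:35} {ident.kind:8} {ident.action:7} {ident.reason}")
    print(machine_auth_by_realm(SAMPLE_USER_NAMES))
```

Counting machine identities per realm shows whether the prefix comes from one site's supplicant profile or from roaming visitors as well.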

Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Philippe Hanset
Lee,

Radiator is not open source (you can buy support) but it works more smoothly on 
Unix (you can operate it on Windows).

Philippe


> On Nov 16, 2016, at 4:34 PM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> Thanks, Philippe. For a number of reasons we’re trying to steer away from 
> open source on this.
>  
> Lee Badman | CWNE #200 | Network Architect 
> 
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
> Sent: Wednesday, November 16, 2016 12:58 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?
>  
> Lee,
>  
> Not speaking from using NPS but from having to help Institutions using NPS:
>  
> It is a very “stiff” environment, and Microsoft does not want to listen to 
> the eduroam community’s requests (not just US, but worldwide)
>  
> No REALM stripping
> No Server Status (that one is killing us. We have to implement all kinds of 
> timers to make sure that servers are responding…when the standard has a built 
> in mechanism)
> No support for RadSec ever mentioned.
>  
> If I were a large University with in house expertise I would do FreeRADIUS 
> 3.0 or Radiator (or more NAC oriented solutions if you need that)
>  
> Philippe
>  
> Philippe Hanset, CEO
> www.anyroam.net
> www.eduroam.us
> GPG key id: 0xF2636F9C
>  
> On Nov 16, 2016, at 9:40 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>  
> Hello to the awesome group.
>  
> We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
> solution for our very, very large WLAN’s 802.1X authentication. We also have 
> Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
> bit. We’re weighing replacing our aging ACS environment, but as many of you 
> know times are changing. When you shop for RADIUS, you have to wade through 
> the fog of NAC systems because everything is getting ever more “feature 
> rich”. For major vendors, RADIUS is just a slice of NAC now, and since 
> everybody “is a software company!” licensing can be ugly. I’m not slamming 
> those who find value in the many interesting features that the likes of ISE 
> and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when 
> I think about going forward with simple RADIUS.
>  
> Way back when, we avoided Microsoft in this role as the reporting wasn’t 
> particularly strong when it came time to troubleshoot clients. We *may* have 
> found relief to this through Splunk, and also enjoy a robust Windows server 
> environment staffed by absolutely brilliant MS-minded veteran admins. 
>  
> All that being said- is anyone using NPS as their RADIUS solution for a large 
> secure WLAN environment? Can you share likes, dislikes, regrets, 
> endorsements, horror stories, tales of success, etc? 
>  
>  
> (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
> solutions. Please, no calls or emails)
>  
>  
> Kind regards-
>  
> Lee Badman | CWNE #200 | Network Architect 
> 
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>  
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Philippe Hanset
Lee,

Not speaking from using NPS but from having to help Institutions using NPS:

It is a very “stiff” environment, and Microsoft does not want to listen to the 
eduroam community’s requests (not just US, but worldwide)

No REALM stripping
No Server Status (that one is killing us. We have to implement all kinds of 
timers to make sure that servers are responding…when the standard has a built 
in mechanism)
No support for RadSec ever mentioned.

If I were a large University with in house expertise I would do FreeRADIUS 3.0 
or Radiator (or more NAC oriented solutions if you need that)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
GPG key id: 0xF2636F9C






> On Nov 16, 2016, at 9:40 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> Hello to the awesome group.
>  
> We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
> solution for our very, very large WLAN’s 802.1X authentication. We also have 
> Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
> bit. We’re weighing replacing our aging ACS environment, but as many of you 
> know times are changing. When you shop for RADIUS, you have to wade through 
> the fog of NAC systems because everything is getting ever more “feature 
> rich”. For major vendors, RADIUS is just a slice of NAC now, and since 
> everybody “is a software company!” licensing can be ugly. I’m not slamming 
> those who find value in the many interesting features that the likes of ISE 
> and Clearpass offer, but I also can’t help but be drawn to Microsoft NPS when 
> I think about going forward with simple RADIUS.
>  
> Way back when, we avoided Microsoft in this role as the reporting wasn’t 
> particularly strong when it came time to troubleshoot clients. We *may* have 
> found relief to this through Splunk, and also enjoy a robust Windows server 
> environment staffed by absolutely brilliant MS-minded veteran admins. 
>  
> All that being said- is anyone using NPS as their RADIUS solution for a large 
> secure WLAN environment? Can you share likes, dislikes, regrets, 
> endorsements, horror stories, tales of success, etc? 
>  
>  
> (Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
> solutions. Please, no calls or emails)
>  
>  
> Kind regards-
>  
> Lee Badman | CWNE #200 | Network Architect 
> 
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>  
>  
>  



Re: [WIRELESS-LAN] Outsourcing ResNet wireless and wired networks

2016-11-14 Thread Philippe Hanset
Brian,

Each school has existing strengths that you might not want to outsource.
(existing commodity internet access, help desk, cable plant, Firewalls, …)
When you mention Wired and Wireless, will this be completely independent from 
main campus
or will it be connected to your existing core network?

A few items to consider:

-Ownership of cable plant (wireless lasts 5 years, cables last 20 years or more)
-QoS
-SLA (response time, help desk options, incident handling)
-Data Privacy (authentications and traffic)
-Policies 
-Cost of changes (you want an extra SSID)
-Access to system ( a user has problems on campus but never in Residence, you 
want to compare)
-Access to building for contractor, access to bedrooms (at UTK we had to have 
an opposite gender escort to access residence)

Outsourcing is a loaded word ;-)
Why don’t you do an RFI or RFQ first, then based on responses do an RFP?

Philippe

Philippe Hanset
www.eduroam.us
www.anyroam.net







> On Nov 14, 2016, at 10:41 AM, Thomas Carter <tcar...@austincollege.edu> wrote:
> 
> While we haven’t outsourced operations, as a small school we have often 
> leaned on the expertise of vendors in RFPs. For example, “here are the floor 
> plans, how would you put wireless here and why would you do it that way?” It 
> also gives additional viewpoints you might not have considered. On one 
> project we even took the best ideas from multiple vendors and created a v2 of 
> the RFP (this possibility was stated in the original RFP). They’ve 
> (hopefully) done this other places and may be able to tell you what works and 
> what doesn’t.
>  
> You might need to think through the non-technical things that could be big 
> issues. As a small campus, most of our policies are built around an 
> assumption that no major functions like this are outsourced, so policies 
> would probably have to change (e.g. outside vendors have to be escorted in 
> residential buildings by an employee). Another thing to consider is access - 
> if the vendor has access to residential buildings, should their employees go 
> through background checks? Can you essentially say “we don’t want that 
> employee on campus”? What about number of employees – for example, our 
> internal policy is individual employees can go in public spaces of 
> residential halls (within certain hours of the day), but at least 2 must be 
> together for private spaces (rooms, apartments, etc).
>  
> I’m sure you realize this, but don’t forget your own employees in all of 
> this. Even just a feasibility study can affect morale in your department 
> (outsourcing = layoffs to many). I went through this on an almost annual 
> basis in the corporate world to justify our existence; lots of communication 
> helps.
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue 
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu <http://www.austincollege.edu/>
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Monday, November 14, 2016 9:16 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Outsourcing ResNet wireless and wired networks
>  
> Brian-
>  
> If you’re outsourcing the entire operation, it sounds like much of what 
> you’re trying to specify is best left to the vendors that would bid. Many of 
> them are far from new to this and would come with their own proposed 
> approaches. I can see specifying:
>  
> · basic density/coverage requirements including ISP links and minimum 
> .11 tech to use
> · a list of “these are not allowed” kinda constraints (hallway 
> designs, external antennas, etc)
> · elements of campus policy that have to be met
> · basic SLA for monitoring and response
>  
> and then let them propose to you what they have to offer. Otherwise the level 
> of detail you are trying to hit sounds more like you are making up policy as 
> you go in the RFP, telling them not just what you need but explicitly how to 
> do it, and more looking for someone to be your contract workers than to be an 
> autonomous third party that owns the responsibility and system.
>  
> Just my two cents. I don’t envy you on this.
>  
> -Lee
>  
> Lee Badman | CWNE #200 | Network Architect 
> 
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu 
> <mailto:lhbad...@syr.edu> w its.syr.edu <http://its.syr.ed

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Philippe Hanset
Jeff, 

I agree with you. My ultimate model would be even open WiFi everywhere with 
bullet proof applications and a set bandwidth per user (and locations agreeing 
on IP roaming).

While I'm writing this I'm waiting for my son at a free public electric car 
charging station. Out of 6 parking places one is taken by an electric car and 
all others are non-electric cars using the slots because it is close to the 
sport facility. Enforcement is nowhere to be seen (quite amazing BTW on a 
campus ;-). Human nature! 

Network engineers need and like a few control knobs to control chaos. MAC 
addresses do not seem to be enough anymore.

At the moment WPA2-enterprise seems to fit a certain need and as EAP-TLS 
becomes better supported in OSes many of us have bitten the PKI bullet without 
too much pain.

I see EAP-TLS as a soft SIM card for Wifi. Very powerful and unlike a SIM card, 
it doesn't need to be controlled by a specific provider.

Philippe
www.eduroam.us

> On Nov 1, 2016, at 6:31 PM, Jeffrey D. Sessler  
> wrote:
> 
> I think the distinction between enterprise and residential blurred with the 
> advent of SaaS and the cloud. No longer did an employee need to be “at the 
> office” to enter their hours worked in the time and attendance system, or as 
> an administrator, you no longer had to run the accounting application from 
> your office computer. It’s difficult for me to name anything we’re doing here 
> now that isn’t some form of web-based SaaS model, where the expectation is 
> that an employee (barring overtime rules) can access these systems from any 
> location. If an employee can access these systems from Starbucks for the 16 
> hours a day they aren’t at work, what’s the point of WPA2-ent for the other 
> 8? 
> 
> I’m of the mindset that WPA2-Enterprise may in fact be an endangered species. 
> I think most will come to accept that something like PPSK is “good enough”. 
> Users don’t want significant barriers to getting access to what they need, 
> and once those barriers reach a certain level, the user will absolutely find 
> alternatives i.e. I’ve visited many colleges where it was easier to use my 
> MiFi hotspot than to be forced thru a cumbersome on-boarding system where 
> there are restrictions be it on services available or data rates.
> 
> Taken to the extreme. At the point you no longer have a local data center and 
> everything is SaaS, can an argument for WPA2-ent still be made? 
> 
> Jeff
> 
> On 11/1/16, 3:03 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Curtis K. Larsen"  of curtis.k.lar...@utah.edu> wrote:
> 
>Well, I think users in general expect that when they connect to the 
> "Secure" wireless network - it is both encrypted, and they are not being 
> impersonated.  If not, maybe you could allow them to opt-out after accepting 
> the risk.  Often these are the same credentials that staff use to login and 
> set the direct deposit for their paycheck, credentials faculty use to post 
> grades, and students use to add/drop classes.  The business could also 
> opt-out if they are willing to accept the risk.  But as the Enterprise 
> Wireless Engineer you should at least make everyone aware that with PPSK 
> there are still risks.  Also, I just think one of these standards was 
> intended to be mostly for residential purposes and the other for mostly 
> enterprise purposes.  When you look at federated authentication as in eduroam 
> or hotspot 2.0, etc. WPA2-Ent. just seems to fit better long-term.  In short, 
> I think the difficult/expensive parts of PKI/EAP-TLS have recently become a 
> lot easier and I think they'll continue to do so.
> 
>-Curtis
> 
>
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  on behalf of Chuck Enfield 
> 
>Sent: Tuesday, November 1, 2016 2:54 PM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
>"If we can agree that most applications today (including ones that involve
>FERPA or PII) are web-based (let’s toss in cloud too), and a user can access
>them from any location including at home on a PSK protected SSID (or
>cellular connection, or open network at Starbucks), does forcing WPA2-Ent at
>the campus actually result in reduced risk?  Is there cost justification for
>the infrastructure (staff, hardware, software) necessary to implement
>EAP-TLS (or alternatives)?"
> 
>Where's the like button?  FWIW, I still like enterprise encryption and
>authentication for keeping people off of my network.  It's nevertheless
>useful to remind ourselves of precisely what the value is, and it's not
>protecting the data.
> 
>Chuck
> 
>-Original Message-
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>  

Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Philippe Hanset

>  
> WPA2-enterprise (eduroam or not) has three main benefits and a cool side 
> effect:
> 
> 1) You know who is on, one user at a time.
>  
> How do you know this? You know that the device is using a particular user’s 
> id/pass and/or was on-boarded using their account. You have no way to verify 
> that the device belongs to the actual owner. One could make the same claim of 
> PPSK (I know who you are based on your PPSK passphrase), but just like 
> WPA2-ent, there is nothing to prevent another user from on-boarding a device 
> for a friend.

If need be, you can find the user behind the authentication. And since we are 
also talking about EAP-TLS you can lock the profile to a specific device. No 
sharing. In this particular case EAP-TLS is ideal to prevent credentials 
sharing.

> 
> 2) the user knows what network it is (since the infrastructure certificate is 
> verified)
> 
> It’s been demonstrated over and over that most users will simply click past 
> prompts, even when the prompt clearly shows something is wrong i.e. a user 
> presented with a bad certificate is likely to just accept it (or disable the 
> verification of the cert).

If you use profile based authentication, not letting users configure by just 
entering username/password when selecting the SSID (e.g. using the CAT tool or 
other profile creation apps) the infrastructure certificate cannot be bypassed 
easily. Or use EAP-TLS to totally prevent any risk.
>  
> 3) It’s automatic..no pesky portal to deal with
>  
> This is also a case for PPSK and/or an open network.

Of course, with my little bias toward roaming I should ask: how do you roam 
with PPSK? ;-)

How does PPSK size up for large campuses? I seem to remember from this list 
that beyond a certain number of users there are some limitations.

And finally with WPA2-ent you can separate users based on domains if you wish 
to do so ( e.g. @students.domain VS @faculty.domain)

I'm sure that PPSK has great applications for specific cases but it doesn't 
have the overall breadth of WPA2-enterprise. 

Philippe
www.eduroam.us
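
The point above, that a provisioned profile keeps the infrastructure certificate check from being bypassed, can be verified on a client. This added example (not part of the original post) audits supplicant profiles for server-certificate validation; it assumes a Linux client using wpa_supplicant, which the thread does not mention, and the sample profile, paths and names are constructed placeholders.

```python
"""Audit wpa_supplicant network blocks for server-certificate validation.

Added illustration: SAMPLE_CONF is constructed, and its paths, host names and
identities are placeholders.
"""
from typing import Dict, List

# Any one of these ties the RADIUS server certificate to an expected name.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")


def parse_networks(conf_text: str) -> List[Dict[str, str]]:
    """Return each network={...} block as a dict of its key=value lines."""
    networks: List[Dict[str, str]] = []
    current = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}":
            if current is not None:
                networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return finding codes for one 802.1X network block (empty list = clean)."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings                         # not an enterprise profile
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no-ca")                # server certificate is not verified
    if not any(key in net for key in SERVER_NAME_KEYS):
        findings.append("no-server-name")       # any name under the CA is accepted
    if "password" in net:
        findings.append("password-credential")  # account password stored on device
    return findings


def audit(conf_text: str) -> List[List[str]]:
    """Audit every network block in a configuration file's text."""
    return [audit_network(net) for net in parse_networks(conf_text)]


SAMPLE_CONF = '''
# Constructed example: hand-typed PEAP profile, nothing pins the server.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}

# Constructed example: EAP-TLS profile as a provisioning tool could write it.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice-laptop@example.edu"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/alice-laptop.pem"
    private_key="/etc/wpa_supplicant/alice-laptop.key"
}
'''

if __name__ == "__main__":
    for number, findings in enumerate(audit(SAMPLE_CONF), start=1):
        print(f"network {number}: {', '.join(findings) or 'ok'}")
```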



Re: [WIRELESS-LAN] TLS Onboarding Vendors

2016-11-01 Thread Philippe Hanset
WPA2-enterprise (eduroam or not) has three main benefits and a cool side effect:

1) You know who is on, one user at a time
2) the user knows what network it is (since the infrastructure certificate is 
verified)
3) It’s automatic..no pesky portal to deal with

and the cool benefit is encryption over the air!

EAP-TLS has an edge over PEAP etc..  because you don’t use sensitive passwords 
for a thing as simple as joining a network.
And you can revoke/manage one device at a time…not revoke a password that 
controls everything in your University life.

If you want to try EAP-TLS and you are using eduroam, here is an easy way:
Head to www.eduroam.us and login as admin. Turn on “enable ANYROAM”. 
This will allow ANYROAM identities just for your campus.
Then head to http://anyroam.cloupath.net to be configured to join ANYROAM (it 
is using your existing eduroam SSID).
When you are done, erase the ANYROAM profile because it will take over your 
existing eduroam config on your device.
Go back to www.eduroam.us and turn “enable ANYROAM” off when you are done, or 
leave it on as a cloud based guest access!
BTW, any guest can use this if you decide to!

Philippe

Philippe Hanset
www.eduroam.us
> On Nov 1, 2016, at 4:54 PM, Chuck Enfield <chu...@psu.edu> wrote:
> 
> "If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?"
> 
> Where's the like button?  FWIW, I still like enterprise encryption and 
> authentication for keeping people off of my network.  It's nevertheless 
> useful to remind ourselves of precisely what the value is, and it's not 
> protecting the data.
> 
> Chuck
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 01, 2016 4:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Curtis,
> 
> If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?
> 
> Our Admissions process starts with getting Common App (filled out by 
> student/parents at home on a website and includes a lot of sensitive info), 
> that data feeds into Slate (another cloud-based Admissions package), then 
> feeds into financial-aid and the SiS (again web-based for the users). The 
> bulk of the PII/FERPA items have then been collected outside of the college 
> environment, from connections that may have Starbucks level of protection. 
> I’m trying to see the justification of WPA2-Ent, but it’s a hard sell – sure, I 
> know there can be advantages, but are they necessary and/or justified? Is 
> PPSK good enough for everyone. Is it good enough for students and their 
> devices?
> 
> Jeff
> 
> On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> on behalf of curtis.k.lar...@utah.edu> wrote:
> 
>I personally would *not* prefer PPSK for devices that are WPA2-Ent. 
> (EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for 
> devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be 
> anxious to use it there when our vendor delivers ...but the same 
> vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute 
> forcing).  So, for IoT in student housing (game consoles, and roku devices 
> that only do PSK) maybe PPSK is the appropriate new level of security 
> because sensitive data is unlikely, but for the most common devices (Phone, 
> Laptop, Tablet, etc.) where users are more likely to access and transmit 
> FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From 
> what I can tell it is probably easier to implement EAP-TLS than PPSK amongst 
> the fully-managed port

Re: [WIRELESS-LAN] Outsourced ResNet

2016-08-05 Thread Philippe Hanset
Brian,

Food for thought...

How is the over-subscription to the commodity Internet keeping up with Wi-Fi 
these days?

Most services are in the cloud and it seems that Internet Commodity could be 
the limiting factor rather than wave1 or wave2 or even staying with 802.11n.

Is it worth worrying about 802.11ac wave 1 or wave 2 when your Wi-Fi is so much 
more capable than your campus uplink?
(or is it?)

When we talked about 802.11g VS 802.11n there were huge differences between the 
two.
Is it still the case between wave 1 and wave 2?

Software support lifecycle seems to be the main determining factor in Wi-Fi 
infrastructure upgrades.
So, rather than Wave1 VS Wave2, we should maybe consider vendors with longer 
software lifecycle support.

Also, many of us upgraded from 802.11n to 802.11ac building-wide and even 
campus-wide because n and ac didn’t play well together.
How do Wave1 and Wave 2 play together?

Philippe

Philippe Hanset
www.eduroam.us
www.anyroam.net




> On Aug 5, 2016, at 12:01 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
> 
> There are a few problems I see with this line of thinking.
>  
> a)  This is the same argument people made when 802.11n arrived i.e. Stick 
> with 802.11g as it’s less expensive, proven, and there are hardly any 11n 
> clients. For those of us who jumped on the cutting edge, we rode an explosive 
> wave of 11n clients and all the benefits of being prepared for it. Others 
> that stuck to 11g no doubt regretted their decision.
> b)  If there is a cost difference between Wave 1 and 2 it’s because the 
> manufacturer knows Wave 1 is dead, and they are more than happy to get that 
> inventory cleared out. You’ve just purchased on the declining edge of that 
> technology’s life-cycle.
> c)  Life-cycle. If your AP life-cycle is say five years (or longer), a 
> Wave 1 AP is already a couple of years into its eventual EOS/EOL with the 
> vendor. This means you could get four years out and it’s no longer supported 
> by current controller code. By purchasing at the leading-edge, you’re many 
> more years from having to deal with that scenario.
>  
> Jeff
>  
>  
> From: "wireless-lan@listserv.educause.edu" 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
> <jandrewar...@ccgs.wa.edu.au>
>  
> Right now I would still buy mid-range Wave 1 APs, because the pricing is 
> significantly cheaper, and there’s hardly any MU-MIMO clients yet, Apple 
> devices in particular.
>  



Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

2016-06-30 Thread Philippe Hanset
Quite interesting. Thank you. While listening to the explanation of attenuation 
related to the proximity of the two radios
within a same AP I thought “Bad for sensors, but isn’t it what we actually want 
in high density deployment like an auditorium?”.
So, maybe running two radios within one AP at 5 GHz in an auditorium would 
reduce the signal and accomplish the small cells pattern that we want.
Just thinking out loud here! Has someone tried this?

Philippe

Philippe Hanset
www.anyroam.net
www.eduroam.us

GPG key id: 0xF2636F9C






> On Jun 30, 2016, at 8:23 AM, Kees Pronk <cl.pr...@avans.nl> wrote:
> 
> All,
>  
> Little kick at the discussion from a while ago:
> There is a YouTube video now from 7signal in which dual 5GHz radio setup is 
> discussed: https://youtu.be/6eueR3PYXlA (from 11:30 in the video). Pretty 
> interesting!
>  
> BR, Kees
>  
> From: Kees Pronk
> Sent: Thursday, April 7, 2016 13:45
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: RE: [WIRELESS-LAN] Turning off 2.4 on a select SSID?
>  
> Hi Chris,
>  
> “you could in theory double the airtime available”
>  
> I would be interested in your actual experience with this. Now that a few 
> vendors have taken this approach and others stay away from this.
>  
> Arguments in favor of 5/5 you will find these abundant on the vendors 
> marketing pages, but how about :
> Extra COGS (band pass filters etc), extra complexity with your channels plans 
> (need a lot of separation between the 5/5 radios), you must enable DFS 
> channels on every AP but what about false positive radar detects? What about 
> the 2 radio’s  ‘deafening’ each other while trying so send/receive at the 
> same time.
>  
> Please keep us posted and maybe others testing with this
> 1.   Innovation
> 2.   Marketing gimmick
> (pick one ;-)
>  
> Best regards, Kees
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Larry Dougher
> Sent: Thursday, April 7, 2016 03:11
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?
>  
> Thanks Chris!
> 
> Larry Dougher
> Chief Information Officer
> Information Technology Services <http://its.wsesu.net/>
> Windsor Southeast Supervisory Union <http://wsesu.net/>
> 127 State Street, Windsor, VT 05089
> Email <mailto:ldoug...@wsesu.net> | Google+ <http://goo.gl/gEAdt> | Twitter 
> <http://twitter.com/larrydougher> | LinkedIn 
> <http://www.linkedin.com/in/larrydougher> | 802.674.8336
> 
>  
> On Wed, Apr 6, 2016 at 2:45 PM, Chris Adams (IT) <chris.ad...@ung.edu 
> <mailto:chris.ad...@ung.edu>> wrote:
> Larry,
>  
> We have deployed 802.11ac WAPs in many locations, but only have 80mhz 
> channels enabled sparingly around campus. My hope is that by having the SDR 
> option, we could configure 2x 5ghz radios with either 20Mhz or 40Mhz 
> channels, logically operating as 2 WAPs. Our wireless use case is primarily 
> for internet access – we just don’t have a need for true wave1/2 802.11ac 
> throughputs at this time.
>  
> To see true Wave2 throughputs, I believe the client WNIC would need to be 
> upgraded. If we could operate 2 “logical” 5ghz WAPs from a single unit for a 
> small increase in price, I think this is where our greatest benefit would be 
> at this time as you could in theory double the airtime available.
>  
> This is based on several assumptions I am making – I have not gotten my hands 
> on the new AP250 yet but I am actively looking to do so.
>  
> http://boundless.aerohive.com/blog/Designing-WLANS-What-If-we-could-double-our-airtime-at-5-GHz.html
>  
>  
> Thanks,
>  
> Chris Adams
>  
> Director, Network & Telecom Services
> Division of Information Technology
> University of North Georgia
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Larry Dougher
> Sent: Wednesday, April 6, 2016 2:28 PM
> 
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?
>  
> Chris,
>  
> I have a question about the AP250, but may be a question about MU-MIMO more 
> generally.  So, all things

Re: [WIRELESS-LAN] student residential routers?

2016-06-27 Thread Philippe Hanset
Hector, All,

Your question about SMS gateway and a previous thread about “less SSIDs” 
remind me to inform this community about a pilot project
that we have implemented for eduroam connected schools.
The eduroam SSID doesn’t handle ALL guests, so we have created a pilot project 
to allow eduroam enabled schools
to independently handle their non-education guests onto the eduroam SSID using 
SMS and EAP-TLS certificate per guest device.
(it doesn’t break the eduroam trust fabric since each school opts-in). Similar 
initiatives are going on in other eduroam countries (Japan, Netherlands, …).

How to test this?
Go to www.eduroam.us and authenticate as Admin. Under “administration” pick 
“enable ANYROAM”.
This will allow your school to welcome guests onto your eduroam SSID with 
EAP-TLS certificates in the form “unique-h...@pilot.anyroam.net”
Since the REALM is always the same, you can assign these guests to any 
VLAN/subnet that you deem appropriate.

How to get an ANYROAM certificate/profile? Go to http://anyroam.cloudpath.net. 
The certificate is good for one year so that guests don’t constantly 
have to be configured. You can test this briefly for yourself as an admin and 
turn it off when you desire. Be careful though, the profile will take over your 
existing eduroam config,
so you will have to delete the ANYROAM profile and re-install yours.
(you submit your phone number, you then get an SMS with a unique pwd, you then 
get automatically configured with an EAP-TLS-eduroam profile with an outer 
identity of the form unique-h...@pilot.anyroam.net)

We hope that the side effect of this service will be to easily handle secure 
guests access for schools with less SSIDs used, and also to promote the spread 
of the eduroam SSID beyond the campus.
(a coffee shop could now support the eduroam SSID and welcome students, 
faculty, staff, and users with ANYROAM identities). 
More features will come later on … stay tuned!

Let us know if you have questions,

Philippe

Philippe Hanset
www.eduroam.us
www.anyroam.net




> On Jun 27, 2016, at 2:28 PM, Hector J Rios <hr...@lsu.edu> wrote:
> 
> Any recommendations on an SMS gateway service? We are implementing ClearPass 
> and we want our sponsors to have the ability to send credentials via text. I 
> know about leveraging SMTP, but I’m interested in that option. 
>  
> Regards, 
>  
> Hector Rios
> Louisiana State University
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/ <http://www.educause.edu/groups/>.
> 





Re: [WIRELESS-LAN] eduroam ssid

2016-06-21 Thread Philippe Hanset
Curtis,

Your comments made me think of a workaround to make PEAP a little better with 
CAT!

Indeed EAP-TLS is by far the best way to avoid MiTM attacks, but for 
institutions not willing to deal with EAP-TLS (cost of installer etc…), 
here is what one can do with CAT to promote the usage of the installer:

In the CAT installer you can specify a fixed outer-identity (same for everyone) 
either of anonymous@realm or *@realm (* being a long string…but be 
careful some OSes do not accept this, but they all accept anonymous)
You can then configure your home RADIUS server to only accept requests of the 
form anonymous@realm or *@realm and not accept username@realm.

Users trying to configure manually will not succeed and will have to use the 
CAT tool and be configured properly with a locked infrastructure certificate.

Some crafty people might end up guessing the outer identity (by sniffing 
packets), but hopefully those ones are smart enough to know not to accept evil 
twin RADIUS certs.

This is not 100%, but it can definitely help!

Philippe
www.eduroam.us


> On Jun 20, 2016, at 8:03 PM, Curtis K. Larsen  
> wrote:
> 
> The PEAP vulnerability is only mitigated by requiring EAP-TLS and disabling 
> PEAP.  (It may help a
> little to recommend the CAT tool or similar, but not much)  We've recommended 
> similar tools for 9
> years - I know the take rates - they aren't great.  Why?  Because it is 
> optional.
> 
> All I am pointing out is that one cannot say that they have completely 
> mitigated 100% the PEAP
> vulnerability while still running eduroam.  I can say that for my primary 
> SSID.
> 
> Thanks,
> 
> Curtis
> 
> 
> On Mon, June 20, 2016 5:19 pm, Jeremy Mooney wrote:
>> How would you plan to mitigate for your users at remote institutions if
>> they're not verifying the certificate? It seems you can only prevent it at
>> the IdP side of your radius infrastructure, and your clients can only trust
>> they're talking to that server by verifying the certificate. If they don't
>> verify the certificate, anyone can claim to be your server and just allow
>> PEAP without you ever seeing the traffic. Technically that's also the case
>> locally (someone else stands up an AP) and you could at most maybe see it
>> happened but not block it (at least without going into the legal minefield
>> of active rogue mitigation).
>> 
>> I'd think that the best you can hope for (without solving the problem of
>> users falling for phishing/MitM in general) is just only allowing EAP-TLS
>> so any client with a working config for your institution won't use PEAP,
>> but that doesn't require blocking PEAP on the SP side.
>> 
>> 
>> On Mon, Jun 20, 2016 at 5:00 PM, Curtis K. Larsen 
>> wrote:
>> 
>>> It's done on the RADIUS server, that's kind of my point.  You have a
>>> service in your environment
>>> that may pose risk to some and you can't control it.
>>> 
>>> I can mitigate the PEAP vulnerability for our users on campus, and our
>>> users at remote
>>> institutions, but I cannot mitigate that same vulnerability for another
>>> institutions' users on my
>>> campus.
>>> 
>>> -Curtis
>>> 
>>> 
>>> On Mon, June 20, 2016 3:50 pm, Chuck Enfield wrote:
>>>> How would you disable PEAP on the eduroam SSID?  I've never noticed a
>>>> setting for that.
>>>>
>>>> -Original Message-
>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K.
>>> Larsen
>>>> Sent: Monday, June 20, 2016 5:19 PM
>>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: Re: [WIRELESS-LAN] eduroam ssid
>>>>
>>>> Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin
>>>> attacks so we are disabling PEAP.  Doing that on eduroam would break all
>>>> institutions that still offer it.  Leaving it enabled exposes users at
>>> our
>>>> institution.
>>>>
>>>> -Curtis
>>>>
>>>>
>>>> From: Johnson, Neil M [neil-john...@uiowa.edu]
>>>> Sent: Monday, June 20, 2016 2:52 PM
>>>> To: Curtis K. Larsen
>>>> Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>> Subject: Re: [WIRELESS-LAN] eduroam ssid
>>>>
>>>> eduroam should work with just about any authentication method that uses
>>>> EAP (PEAP,TLS,TTLS) etc.
>>>>
>>>> So if you are, say, moving to TLS (Client certificates) it should still
>>>> just work.
>>>>
>>>> -Neil
>>>>
>>>> --
>>>> Neil Johnson
>>>> Network Engineer
>>>> The University of Iowa
>>>> Phone: 319 384-0938
>>>> Fax: 319 335-2951
>>>> E-Mail: neil-john...@uiowa.edu
>>>>
>>>>
>>>>
>>>>> On Jun 17, 2016, at 10:19 AM, Curtis K. Larsen
>>>>  wrote:
>>>>>
>>>>> We're beginning to run into this problem as well.  Luckily, eduroam is
>>>>> not our primary SSID so at least the critical business functions
>>>>> continue to work fine on a separate SSID.  My guess is that we'll end up
>>>> turning eduroam off at those remote locations 
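
The home-RADIUS rule from Philippe Hanset's 2016-06-21 message above (accept only the installer's fixed outer identity, refuse username@realm), sketched as an added example that is not code from the thread or from any RADIUS product. The realm `example.edu`, the function names and the sample packets are constructed assumptions; the attribute numbers are the standard RADIUS User-Name (1) and EAP-Message (79).

```python
import struct

ACCESS_REQUEST = 1        # RADIUS packet code
ATTR_USER_NAME = 1        # carries the outer identity, sent unencrypted
ATTR_EAP_MESSAGE = 79     # EAP-Message attribute (RFC 3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

# Assumption: the installer profile pins this single outer identity.
ALLOWED_OUTER = {"anonymous@example.edu"}


def build_access_request(ident, outer_identity):
    """Build a constructed Access-Request carrying an EAP-Response/Identity."""
    name = outer_identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident,
                      5 + len(name), EAP_TYPE_IDENTITY) + name
    attrs = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs   # all-zero authenticator: sample data


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("declared length does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def eap_identity(eap):
    """Return the identity bytes of an EAP-Response/Identity, else None."""
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        return eap[5:struct.unpack("!H", eap[2:4])[0]]
    return None


def decide(packet):
    """Apply the outer-identity policy before any EAP method is started."""
    try:
        code, attrs = parse_attributes(packet)
    except ValueError as exc:
        return ("drop", str(exc))
    if code != ACCESS_REQUEST:
        return ("drop", "not an Access-Request")
    names = [v for t, v in attrs if t == ATTR_USER_NAME]
    if len(names) != 1:
        return ("reject", "expected exactly one User-Name")
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    ident = eap_identity(eap)
    if ident is not None and ident != names[0]:
        return ("reject", "User-Name differs from the EAP identity")
    # Realms are compared case-insensitively; the local part is kept as sent.
    local, _, realm = names[0].decode("utf-8", "replace").rpartition("@")
    if f"{local}@{realm.lower()}" not in ALLOWED_OUTER:
        return ("reject", "outer identity is not the installer's fixed value")
    return ("continue", "proceed to the EAP method")


if __name__ == "__main__":
    for i, who in enumerate(["anonymous@example.edu", "jdoe@example.edu"], 1):
        print(who, "->", decide(build_access_request(i, who)))
```

A manually configured client that sends its real username as the outer identity is refused before PEAP starts; as the message notes, the fixed value travels in clear text, so this steers users to the installer rather than authenticating anything.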

Re: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Philippe Hanset
David,

To clarify,
eduroam is not a standard, but a trust fabric to roam between research and 
education institutions. eduroam requires  IEEE 802.1X (which is a well used 
standard at many institutions for WLAN and sometimes LAN security) to operate 
which in turn can run on multiple different EAP methods. EAP-TTLS, PEAP, 
EAP-TLS, EAP-PWD,… can all be used with eduroam.  All these methods have their 
issues and schools pick them based on what suits them best for their 
requirements and their environment.

Hope this helps,

Philippe
www.eduroam.us


> On Jun 20, 2016, at 8:59 PM, Schuette, David  wrote:
> 
> Reading everyone's comments about eduroam has me believing it is an old 
> standard which needs to be updated for today's security needs.
> 
> 
> 
> Sent from my Verizon 4G LTE smartphone
> 
> 
>  Original message 
> From: "Curtis K. Larsen"  > 
> Date: 6/20/16 6:04 PM (GMT-07:00) 
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>  
> Subject: Re: [WIRELESS-LAN] eduroam ssid 
> 
> The PEAP vulnerability is only mitigated by requiring EAP-TLS and disabling 
> PEAP.  (It may help a
> little to recommend the CAT tool or similar, but not much)  We've recommended 
> similar tools for 9
> years - I know the take rates - they aren't great.  Why?  Because it is 
> optional.
> 
> All I am pointing out is that one cannot say that they have completely 
> mitigated 100% the PEAP
> vulnerability while still running eduroam.  I can say that for my primary 
> SSID.
> 
> Thanks,
> 
> Curtis
> 
> 
> On Mon, June 20, 2016 5:19 pm, Jeremy Mooney wrote:
> > How would you plan to mitigate for your users at remote institutions if
> > they're not verifying the certificate? It seems you can only prevent it at
> > the IdP side of your radius infrastructure, and your clients can only trust
> > they're talking to that server by verifying the certificate. If they don't
> > verify the certificate, anyone can claim to be your server and just allow
> > PEAP without you ever seeing the traffic. Technically that's also the case
> > locally (someone else stands up an AP) and you could at most maybe see it
> > happened but not block it (at least without going into the legal minefield
> > of active rogue mitigation).
> >
> > I'd think that the best you can hope for (without solving the problem of
> > users falling for phishing/MitM in general) is just only allowing EAP-TLS
> > so any client with a working config for your institution won't use PEAP,
> > but that doesn't require blocking PEAP on the SP side.
> >
> >
> > On Mon, Jun 20, 2016 at 5:00 PM, Curtis K. Larsen  > >
> > wrote:
> >
> >> It's done on the RADIUS server, that's kind of my point.  You have a
> >> service in your environment
> >> that may pose risk to some and you can't control it.
> >>
> >> I can mitigate the PEAP vulnerability for our users on campus, and our
> >> users at remote
> >> institutions, but I cannot mitigate that same vulnerability for another
> >> institutions' users on my
> >> campus.
> >>
> >> -Curtis
> >>
> >>
> >> On Mon, June 20, 2016 3:50 pm, Chuck Enfield wrote:
> >> > How would you disable PEAP on the eduroam SSID?  I've never noticed a
> >> > setting for that.
> >> >
> >> > -Original Message-
> >> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> >> > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> >> > ] On Behalf Of Curtis K.
> >> Larsen
> >> > Sent: Monday, June 20, 2016 5:19 PM
> >> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> >> > 
> >> > Subject: Re: [WIRELESS-LAN] eduroam ssid
> >> >
> >> > Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin
> >> > attacks so we are disabling PEAP.  Doing that on eduroam would break all
> >> > institutions that still offer it.  Leaving it enabled exposes users at
> >> our
> >> > institution.
> >> >
> >> > -Curtis
> >> >
> >> > 
> >> > From: Johnson, Neil M [neil-john...@uiowa.edu 
> >> > ]
> >> > Sent: Monday, June 20, 2016 2:52 PM
> >> > To: Curtis K. Larsen
> >> > Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> >> > 
> >> > Subject: Re: [WIRELESS-LAN] eduroam ssid
> >> >
> >> > eduroam should work with just about any authentication method that uses
> >> > EAP (PEAP,TLS,TTLS) etc.
> >> >
> >> > So if you are, say, moving to TLS (Client certificates) it should still
> >> > just work.
> >> >
> >> > -Neil
> >> >
> >> > --
> >> > Neil Johnson
> >> > Network Engineer
> >> > The University of Iowa
> >> > Phone: 319 384-0938
> >> > Fax: 319 335-2951
> >> > E-Mail: neil-john...@uiowa.edu 
> >> >
> >> >
> >> >
> >> >> On Jun 17, 2016, at 10:19 AM, Curtis K. 

Re: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Philippe Hanset
Jeremy,


You can still help your users with PEAP (and that will help at remote locations 
or on campus as well) by forcing them to on-board their original eduroam config 
via an installer (e.g. CAT or a commercial one).
With Operating Systems using profiles you can lock the config so that users 
won’t be able to authenticate if the RADIUS infrastructure certificate is 
incorrect (case of MiTM attacks).
Now, if the user has the ability to delete the installed profile and to 
manually join eduroam there is nothing to prevent that.

This “locking” mechanism of the infrastructure certificate  is a feature of 
automatic installers  that network operators tend to overlook.
We often have eduroam operators telling us that they don’t need to use CAT 
(cat.eduroam.org, it’s free!) since OSes are doing such a good job at prompting 
users
for credentials. True, but those same OSes are not good at preventing MiTM 
attacks.

Philippe
www.eduroam.us



> On Jun 20, 2016, at 7:19 PM, Jeremy Mooney  wrote:
> 
> How would you plan to mitigate for your users at remote institutions if 
> they're not verifying the certificate? It seems you can only prevent it at 
> the IdP side of your radius infrastructure, and your clients can only trust 
> they're talking to that server by verifying the certificate. If they don't 
> verify the certificate, anyone can claim to be your server and just allow 
> PEAP without you ever seeing the traffic. Technically that's also the case 
> locally (someone else stands up an AP) and you could at most maybe see it 
> happened but not block it (at least without going into the legal minefield of 
> active rogue mitigation).
> 
> I'd think that the best you can hope for (without solving the problem of 
> users falling for phishing/MitM in general) is just only allowing EAP-TLS so 
> any client with a working config for your institution won't use PEAP, but 
> that doesn't require blocking PEAP on the SP side.
> 
> 
> On Mon, Jun 20, 2016 at 5:00 PM, Curtis K. Larsen  > wrote:
> It's done on the RADIUS server, that's kind of my point.  You have a service 
> in your environment
> that may pose risk to some and you can't control it.
> 
> I can mitigate the PEAP vulnerability for our users on campus, and our users 
> at remote
> institutions, but I cannot mitigate that same vulnerability for another 
> institutions' users on my
> campus.
> 
> -Curtis
> 
> 
> On Mon, June 20, 2016 3:50 pm, Chuck Enfield wrote:
> > How would you disable PEAP on the eduroam SSID?  I've never noticed a
> > setting for that.
> >
> > -Original Message-
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> > ] On Behalf Of Curtis K. Larsen
> > Sent: Monday, June 20, 2016 5:19 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> > 
> > Subject: Re: [WIRELESS-LAN] eduroam ssid
> >
> > Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin
> > attacks so we are disabling PEAP.  Doing that on eduroam would break all
> > institutions that still offer it.  Leaving it enabled exposes users at our
> > institution.
> >
> > -Curtis
> >
> > 
> > From: Johnson, Neil M [neil-john...@uiowa.edu 
> > ]
> > Sent: Monday, June 20, 2016 2:52 PM
> > To: Curtis K. Larsen
> > Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> > 
> > Subject: Re: [WIRELESS-LAN] eduroam ssid
> >
> > eduroam should work with just about any authentication method that uses
> > EAP (PEAP,TLS,TTLS) etc.
> >
> > So if you are, say, moving to TLS (Client certificates) it should still
> > just work.
> >
> > -Neil
> >
> > --
> > Neil Johnson
> > Network Engineer
> > The University of Iowa
> > Phone: 319 384-0938 
> > Fax: 319 335-2951 
> > E-Mail: neil-john...@uiowa.edu 
> >
> >
> >
> >> On Jun 17, 2016, at 10:19 AM, Curtis K. Larsen
> > > wrote:
> >>
> >> We're beginning to run into this problem as well.  Luckily, eduroam is
> >> not our primary SSID so at least the critical business functions
> >> continue to work fine on a separate SSID.  My guess is that we'll end up
> > turning eduroam off at those remote locations if problems get reported.
> >>
> >> In talking with the eduroam admin from the other institution they
> >> mentioned that when this occurs in Europe the solution has been to
> >> change the name of the SSID.  Is this really allowed?  If so, I'm
> >> sold!  Then we can start using our primary SSID with eduroam
> >> credentials!  This is what I always thought eduroam should have been.
> >> To me the value was always in the universal credential
> >> *NOT* the SSID name.  That was always 
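
What the "locked" infrastructure certificate from Philippe Hanset's message above looks like on a client, as an added example that is not from the thread or from CAT: a small auditor for wpa_supplicant-style `network={}` blocks that flags profiles which would accept any RADIUS server. wpa_supplicant is chosen here as an assumption (the thread names no supplicant); the sample configuration, paths, realm and finding names are constructed.

```python
PASSWORD_METHODS = {"PEAP", "TTLS"}
# Any one of these ties the server certificate to an expected name.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")

# Constructed sample: three ways a device might hold an "eduroam" profile.
SAMPLE_CONF = '''
# 1: typed in by hand, credentials only
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
}
# 2: installer-style profile with the infrastructure certificate locked
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
# 3: EAP-TLS with a CA but no expected server name
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device-1234@example.edu"
    client_cert="/etc/wifi/device-1234.pem"
    private_key="/etc/wifi/device-1234.key"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
}
'''


def parse_networks(text):
    """Parse network={ ... } blocks into dicts of key -> unquoted value."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return finding names for one 802.1X profile (empty list = locked)."""
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return []
    findings = []
    methods = set(net.get("eap", "").upper().split())
    if "ca_cert" not in net and "ca_path" not in net:
        # No trust anchor: the server certificate is not validated at all.
        findings.append("no-ca")
    elif not any(key in net for key in SERVER_NAME_KEYS):
        # Trust anchor only: any server with a cert from that CA is accepted.
        findings.append("no-server-name")
    if methods & PASSWORD_METHODS:
        if "no-ca" in findings:
            findings.append("password-offered-to-any-server")
        if "anonymous_identity" not in net:
            findings.append("username-in-outer-identity")
    return findings


def audit_config(text):
    """Audit every network block; results are in file order."""
    return [audit_network(net) for net in parse_networks(text)]


if __name__ == "__main__":
    for number, findings in enumerate(audit_config(SAMPLE_CONF), 1):
        print(f"profile {number}: {findings or 'locked'}")
```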

Re: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Philippe Hanset
Chuck, everyone,

Do not disable PEAP or EAP-TTLS on the eduroam SSID.
You can turn off PEAP or EAP-TTLS for your own users of course if you decide to 
support mainly EAP-TLS (on your RADIUS server), but do not do that for eduroam 
guests/visitors.

Thanks,

Philippe

Philippe Hanset
www.eduroam.us
www.anyroam.net



> On Jun 20, 2016, at 5:50 PM, Chuck Enfield <chu...@psu.edu> wrote:
> 
> How would you disable PEAP on the eduroam SSID?  I've never noticed a
> setting for that.
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
> Sent: Monday, June 20, 2016 5:19 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] eduroam ssid
> 
> Yes it does work.  That's the problem - PEAP is vulnerable to Evil Twin
> attacks so we are disabling PEAP.  Doing that on eduroam would break all
> institutions that still offer it.  Leaving it enabled exposes users at our
> institution.
> 
> -Curtis
> 
> 
> From: Johnson, Neil M [neil-john...@uiowa.edu]
> Sent: Monday, June 20, 2016 2:52 PM
> To: Curtis K. Larsen
> Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] eduroam ssid
> 
> eduroam should work with just about any authentication method that uses
> EAP (PEAP,TLS,TTLS) etc.
> 
> So if you are, say, moving to TLS (Client certificates) it should still
> just work.
> 
> -Neil
> 
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> E-Mail: neil-john...@uiowa.edu
> 
> 
> 
>> On Jun 17, 2016, at 10:19 AM, Curtis K. Larsen
> <curtis.k.lar...@utah.edu> wrote:
>> 
>> We're beginning to run into this problem as well.  Luckily, eduroam is 
>> not our primary SSID so at least the critical business functions 
>> continue to work fine on a separate SSID.  My guess is that we'll end up
> turning eduroam off at those remote locations if problems get reported.
>> 
>> In talking with the eduroam admin from the other institution they 
>> mentioned that when this occurs in Europe the solution has been to 
>> change the name of the SSID.  Is this really allowed?  If so, I'm 
>> sold!  Then we can start using our primary SSID with eduroam 
>> credentials!  This is what I always thought eduroam should have been.  
>> To me the value was always in the universal credential
>> *NOT* the SSID name.  That was always a drawback for me especially as 
>> supplicants become easier to configure.
>> 
>> The other problem that we're going to run into soon is that we will be 
>> phasing out PEAP on our main SSID to mitigate against the evil twin 
>> vulnerability, but what do we do with eduroam?  I mean I guess you 
>> could say it is the remote institution's problem, or the user's 
>> problem if they connect to an evil twin on your campus because they're 
>> not validating the server.  But if the evil twin is on your campus it
> seems you have at least some responsibility in the matter.  But as it
> stands, eduroam will leave a bit of a gaping security hole for us.
>> 
>> --
>> Curtis K. Larsen
>> Senior Network Engineer
>> University of Utah IT/CIS
>> 
>> 
>> 
>> On Fri, June 17, 2016 7:35 am, Turner, Ryan H wrote:
>>> Yes.  We have a satellite school at UNC Asheville.  Up until 
>>> recently, UNC Asheville was not running eduroam, and UNC Chapel Hill
> was the only occupant of a couple of buildings on campus.
>>> UNC Asheville adopted eduroam and wanted to move into adjoining spaces.
> So we were going to have
>>> the situation where UNC Chapel Hill folks might attach to the wrong 
>>> institution's eduroam and vice versa.  We ended up bridging the two 
>>> networks together through a single link, and based on realm, UNC 
>>> Asheville will terminate UNC Chapel Hill folks directly to our 
>>> network (through trunked vlans).  It is nice, because now anywhere on 
>>> UNC Asheville campus, UNC Chapel Hill folks have UNC Chapel Hill IP
> space.  Because it made sense, we actually turned off our access points
> and allowed UNC Asheville to provide wireless in our areas (so we wouldn't
> have competing wireless).
>>> 
>>> 
>>> Ryan Turner
>>> Manager of Network Operations
>>> ITS Communication Technologies
>>> The University of North Carolina at Chapel Hill
>>> 
>>> r...@unc.edu<mailto:r...@unc.edu>
>>> +1 919 445 0113 Office
>>> +1 919 274 7926 Mobile
>>> 
>>> 
>>&

Re: [WIRELESS-LAN] eduroam ssid

2016-06-20 Thread Philippe Hanset
Jason et al.,

https://www.eduroam.org/wp-content/uploads/2016/05/eduroam_Compliance_Statement_v1_0.pdf

The compliance statement doesn’t require a specific frequency. So, if you want 
to turn 2.4 GHz off, nothing prevents you from doing so for eduroam.
eduroam doesn’t try to regulate local decisions too much, but enough to provide 
standardization and a consistent user experience (if 2.4 GHz is not supported
the SSID won’t show up at all for 2.4 GHz users!…but the dot on the map might 
still confuse them a bit). On the other hand, you have to pass all EAP methods.
So Curtis's discussion on the evil twin and preventing this from happening can be done 
for IDPs but not for SPs (an SP must pass all EAP conversations).
If you fear man-in-the-middle for password based EAP methods, using the CAT tool 
can help in that respect since it forces the installation of the RADIUS 
infrastructure certificate.
Nothing beats EAP-TLS of course since the password is not involved except 
during the initial EAP-TLS on-boarding (can you MiTM the initial on-boarding? 
;-)

The same applies to the conflicting eduroam SSID. If you read the compliance 
statement you can create an “eduroam-” SSID.
It is really not advised, as Jason mentioned, to run a different name since it 
breaks the “instant connectivity” and creates much confusion for users (and 
Help Desk calls!).
We always promote agreements between the two neighboring institutions (exchange 
VLANs, Wi-Fi controllers collaboration when same brand is involved, IP 
Mobility, ...). 

PassPoint/HotSpot2.0 should address some of these concerns of neighboring SSIDs 
since preferences can be given to different networks.


Best,

Philippe

Philippe Hanset
www.eduroam.us
www.anyroam.net


> On Jun 19, 2016, at 8:53 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:
> 
> Yeah we have had this problem at a few different levels... sorry for the long 
> response
> 
> Initially we had AARNET (the Australian national operator) sharing our floor, 
> so we managed to experience the issue first hand. At that stage we got 
> approval to change our SSID to resolve the issue. "eduroam-UofA" was chosen 
> and our normal ssid is "UofA". To be honest this is not an ideal solution, 
> and at the time (and probably still) is not actually allowed. It breaks the 
> idea of eduroam simply working, the plan is you configure your device once 
> and you can then go to any participating institution around the world, turn 
> your device on and away you go. Having a different SSID means more support 
> requests for you and the home institution when it doesn't just work.  At the 
> time (2007) the usage wasn't as high so it wasn't a huge issue, though 
> supplicants tended to be troublesome to configure.  A few years later AARnet 
> offices moved and we wanted to be standard so we are back to "eduroam" SSID. 
> 
> It's not all over though, we have multiple institutions (3) around us 
> offering eduroam including buildings 15m away, and a new medical precinct is 
> being built that will potentially end up with 5 different institutions in an 
> area. Finally something on the back burner is our city wireless offering 
> eduroam. So the future will get interesting. But onto the current 
> situation. To be honest at this point we haven't had too many issues recently 
> with users hopping between SSID's in their offices. Likely the fact we don't 
> recommend eduroam as the users primary SSID would be the primary reason. We 
> did  have a few calls on the close buildings years back, however coverage was 
> done differently and it wasn't un-common in non-dense installs to sometimes 
> see higher signal from neighbouring buildings in some rooms. But with denser 
> deployments and more consistent signal provision you rarely see neighbouring 
> buildings with higher signal. In addition for eduroam visitors as a 
> workaround they can use our "UofA" SSID, don't remember this ever being 
> required but it does work. eduroam  participation "requires" that SSID but as 
> far as I'm aware doesn’t stop you from also offering it on others, or even 
> wired dot1x for that matter. 
> 
> Likely we'll never go to eduroam as the only SSID for the many neighbours 
> reason as well as it's good to have your branding in the air. You can also 
> have issues like Curtis is mentioning where you want to change something for 
> security or other reasons but may be restricted by eduroam policy. I don't 
> think eduroam would approve of disabling 2.4ghz completely for example. 
> Our national document is being reviewed but currently states WPA-TKIP is 
> required..HAHAHA. Don't think so.
> 
> Finally we and other institutions have wireless installs in our hospitals, 
> recently the hospitals have provided blanket wireless coverage and 
> in

Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

2016-04-07 Thread Philippe Hanset
Chris,

The Wi-Fi deployment is definitely a big part of the equation but so is the 
“sticky client”. I’m writing this email just above a nice dual band 
Access-Point with an observed RSSI of -55dBm on my Macbook Pro,
and I’m on 2.4 GHz :(  (I started my journey far away from that same AP…)

Philippe

Philippe Hanset
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Apr 7, 2016, at 10:43 AM, Chris Adams (IT) <chris.ad...@ung.edu> wrote:
> 
> Philippe,
> 
> I would suggest that it’s not always an issue of the client not supporting 
> 5ghz, but rather that some deployments are not conducive to good 5ghz 
> propagation – we’ve all seen WAPs in hallways between classrooms before. In 
> my experience, clients that associate to 2.4ghz are doing so due to lack of 
> good 5ghz signal, and less so due to client radios.
> 
> Thanks,
> 
> Chris Adams, CISSP
> 
> Director, Network & Telecom Services
> Division of Information Technology
> University of North Georgia
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Philippe Hanset
> Sent: Thursday, April 7, 2016 10:37 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>
> Subject: Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?
> 
> My ears have been burning…
> 
> I understand Hector's comment about the spirit of eduroam, but like Ryan I 
> have also been tempted in the past to only support 5 GHz in certain areas
> because 2.4 GHz was becoming too much of a pain (e.g. Dormitories).  The 
> eduroam Compliance Statement requires 802.11, no frequency mentioned.
> 
> eduroam users with 2.4GHz devices will just not see the available SSID if a 
> school decides to only offer it at 5 GHz in certain locations.
> In a sense it is no different than schools only offering eduroam in certain 
> locations.
> 
> Now, if the entire eduroam SSID for all locations at the school is on 5 GHz, 
> it might be challenging.
> 
> But how many clients REALLY can’t support 5 GHz?
> The stats showing 2.4 GHz VS 5 GHz usage can be deceiving. Is it a client 
> with both radios and a poor selection of spectrum,
> or is it really 2.4 Ghz only capable devices? It seems that the best way to 
> know if 5 GHz only is fine for your community is to “just do it”.
> 
> I checked cheap laptops at BestBuy and under specifications you find 
> “Wireless-AC” or “Wireless-B, G, N". No reference to the type of radio.
> Those darn marketing people, they will get you every time.
> 
> Philippe
> 
> Philippe Hanset
> www.anyroam.net <http://www.anyroam.net/>
> www.eduroam.us <http://www.eduroam.us/>
> +1 (865) 236-0770
> 
> GPG key id: 0xF2636F9C
> 
> 
> 
> 
> 
> 
> On Apr 7, 2016, at 10:04 AM, Turner, Ryan H <rhtur...@email.unc.edu 
> <mailto:rhtur...@email.unc.edu>> wrote:
> 
> I don't think so.  I think anytime a university enforces a uniform policy 
> that applies to all folks, it shouldn't be an issue.  Of course, we are a 
> long way from actually doing this.  We'll involve Philippe if we move forward.
> 
> Sent from Outlook Mobile <https://aka.ms/qtex0l>
> 
> 
> 
> 
> On Thu, Apr 7, 2016 at 7:01 AM -0700, "Hector J Rios" <hr...@lsu.edu 
> <mailto:hr...@lsu.edu>> wrote:
> 
> I would go back to Jason's comment and reference eduroam's policy. I 
> personally think that only allowing 5GHz on eduroam goes against the spirit 
> of the global availability of eduroam. My 2 cents.
> 
> Hector Rios
> Louisiana State University
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Matthew Newton
> Sent: Thursday, April 07, 2016 8:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>
> Subject: Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?
> 
> On Thu, Apr 07, 2016 at 01:27:04PM +, Joseph M. Karam wrote:
> > We offer 2.4 and 5 GHz service.  When we have conflicts, we work with
> > departments to give them a channel in the 2.4 GHz space, then we take
> > that channel out of our central infrastructure.
> > So, for example we gave engineering channel 6 for all of their labs,
> > and we took that out of our central infrastructure.  So far it has
> > worked well and we can play together nicely
> 
> What do you do after you've given the last remaining free 2.4GHz channel to 
> the third department that requests one an

Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

2016-04-07 Thread Philippe Hanset
My ears have been burning…

I understand Hector's comment about the spirit of eduroam, but like Ryan I have 
also been tempted in the past to only support 5 GHz in certain areas
because 2.4 GHz was becoming too much of a pain (e.g. Dormitories).  The 
eduroam Compliance Statement requires 802.11, no frequency mentioned.

eduroam users with 2.4GHz devices will just not see the available SSID if a 
school decides to only offer it at 5 GHz in certain locations.
In a sense it is no different than schools only offering eduroam in certain 
locations. 

Now, if the entire eduroam SSID for all locations at the school is on 5 GHz, it 
might be challenging.

But how many clients REALLY can’t support 5 GHz?
The stats showing 2.4 GHz VS 5 GHz usage can be deceiving. Is it a client with 
both radios and a poor selection of spectrum,
or is it really 2.4 GHz only capable devices? It seems that the best way to 
know if 5 GHz only is fine for your community is to “just do it”.

I checked cheap laptops at BestBuy and under specifications you find 
“Wireless-AC” or “Wireless-B, G, N”. No reference to the type of radio.
Those darn marketing people, they will get you every time.
 
Philippe

Philippe Hanset
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Apr 7, 2016, at 10:04 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
> 
> I don't think so.  I think anytime a university enforces a uniform policy 
> that applies to all folks, it shouldn't be an issue.  Of course, we are a 
> long way from actually doing this.  We'll involve Philippe if we move 
> forward.  
> 
> Sent from Outlook Mobile <https://aka.ms/qtex0l>
> 
> 
> 
> On Thu, Apr 7, 2016 at 7:01 AM -0700, "Hector J Rios" <hr...@lsu.edu 
> <mailto:hr...@lsu.edu>> wrote:
> 
> I would go back to Jason's comment and reference eduroam's policy. I 
> personally think that only allowing 5GHz on eduroam goes against the spirit 
> of the global availability of eduroam. My 2 cents.
> 
> Hector Rios
> Louisiana State University
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Matthew Newton
> Sent: Thursday, April 07, 2016 8:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>
> Subject: Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?
> 
> On Thu, Apr 07, 2016 at 01:27:04PM +, Joseph M. Karam wrote:
> > We offer 2.4 and 5 GHz service.  When we have conflicts, we work with 
> > departments to give them a channel in the 2.4 GHz space, then we take 
> > that channel out of our central infrastructure.
> > So, for example we gave engineering channel 6 for all of their labs, 
> > and we took that out of our central infrastructure.  So far it has 
> > worked well and we can play together nicely
> 
> What do you do after you've given the last remaining free 2.4GHz channel to 
> the third department that requests one and you've got none left for 
> yourselves?
> 
> And presumably Engineering have lots of CCI because all of their APs are on 
> the same frequency?
> 
> Not criticising, just trying to understand! :)
> 
> Matthew
> 
> 
> --
> Matthew Newton, Ph.D. <m...@le.ac.uk <mailto:m...@le.ac.uk>>
> 
> Systems Specialist, Infrastructure Services, I.T. Services, University of 
> Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk 
> <mailto:ith...@le.ac.uk>>
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/ 
> <http://www.educause.edu/groups/>.
> 



Re: [WIRELESS-LAN] Who wifi vendors does everyone use?

2016-04-01 Thread Philippe Hanset
Our institution has millions of APs, all brands and bugs represented. Thank you 
all.

Philippe
www.edruoam.us

> On Apr 1, 2016, at 8:30 AM, Chuck Enfield  wrote:
> 
> Penn State, about 10,000 Aruba APs.
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of River R. Perry
> Sent: Thursday, March 31, 2016 10:55 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
> 
> St. Edwards University in Austin, Texas uses an Extreme solution roughly
> 600 APs 
> 
> River Rock
> 
>> On Mar 31, 2016, at 9:51 PM, Reyes, Esteban wrote:
>> 
>> Lake Forest College also uses Cisco, about 400 APs (wave 2 capable as
>> well)
>> 
>> Esteban
>> 
>> Sent from my iPhone
>> 
>>> On Mar 31, 2016, at 9:14 PM, Barrett, Bruce wrote:
>>> 
>>> The Community College of Rhode Island is Cisco with 500 APs (wave 2
>>> capable).
>>> 
>>> Bruce
>>> 
>>> Sent from my iPad
>>> 
>>>> On Mar 31, 2016, at 8:27 PM, "David LaPorte" wrote:
>>>> 
>>>> MIT is Cisco as well, a shade under 6k APs.
>>>> 
>>>>> On 3/31/16, 6:34 PM, "The EDUCAUSE Wireless Issues Constituent Group
>>>>> Listserv on behalf of Patrick McEvilly"
>>>>> patrick_mcevi...@harvard.edu> wrote:
>>>>> 
>>>>> Harvard is a Cisco shop with about 6500 APs.
>>>>> 
>>>>> Patrick McEvilly
>>>>> Harvard University
>>>>> 
>>>>>> On 3/31/16 4:42 PM, Sullivan, Ryan wrote:
>>>>>> Same for UCSD - Cisco -- just under 6K APs right now.
>>>>>> 
>>>>>> Ryan Sullivan
>>>>>> 
>>>>>> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
>>>>>> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
>>>>>> on behalf of Watters, John [john.watt...@ua.edu]
>>>>>> *Sent:* Thursday, March 31, 2016 9:44 AM
>>>>>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>>>>> *Subject:* Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>>>>>> 
>>>>>> Cisco -- just under 6K APs right now.
>>>>>> 
>>>>>> -jcw
>>>>>> 
>>>>>> John Watters   The University of Alabama
>>>>>> Office of Information Technology
>>>>>> 205-348-3992
>>>>>> 


Re: [WIRELESS-LAN] Eduroam Radius Server

2016-03-11 Thread Philippe Hanset
Vikki,

The eduroam-US team will help you as much as possible during the entire process.
We have self service configuration tools and testing tools at www.eduroam.us 
that you will be able to access once you join.
Also there is an eduroam admin list (netplus-eduroam-adm...@internet2.edu) that 
you can join to ask specific questions if you are stuck. The eduroam admins on 
that list
are really great at helping other admins.
If you haven’t done so yet, please read the peering overview document at 
https://www.eduroam.us/node/2007

Finally, the wireless-lan@educause list is yet another great resource to find 
help …as you just did!

FreeRADIUS should be easy to configure… where it can get complicated is the 
relation between FreeRADIUS and your directory services.

Best,

Philippe

Philippe Hanset
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Mar 11, 2016, at 9:40 AM, Vikki Cutrone <vicutr...@vassar.edu> wrote:
> 
> Hello All-  
> 
> We are going down the Eduroam path and most of the information available for 
> configuration is pretty comprehensive. Two Questions- We are planning our 
> radius server as Debian 7 Wheezy with FreeRadius.  Are there any gotchas 
> that anyone can share?  Also, is there anyone using this configuration for 
> Eduroam that could possibly help me if I get stuck?  I am much more familiar 
> with the wireless controller end of the house.  Thank You!!
> 
> -- 
> Vikki Cutrone
> Network Administrator
> Vassar College, Box 13
> 124 Raymond Ave
> Poughkeepsie, NY 12604-0013
>  
> 845-437-7231



Re: [WIRELESS-LAN] Welcome to Bring-Your-Own-Access | EdTech Magazine

2016-03-11 Thread Philippe Hanset
When we did the campus wide Wi-Fi at University of Tennessee back in 2001, we 
decided to not cover student housing.
A few years later an inspired CIO, under the pressure of the student body, 
asked to provide Wi-Fi in the lobby of each student housing property.
For two years our help desk was flooded with complaints of Wi-Fi not working in 
the bedrooms … where we never actually provided coverage!
The SSID branding was extremely confusing with students naming their private 
Wi-Fi with the same name as the campus Wi-Fi. 
The following year, a budget was provided to carpet cover all dormitories with 
Wi-Fi.

My advice would be either:

-Provide a great Wi-Fi well controlled all over the places, or
-Provide a half baked Wi-Fi and you will either end up disconnecting it or 
finding a magic budget to move to a fully baked solution, or
-Do not provide Wi-Fi at all

As Lee mentioned, there is no practical in-between.

Philippe

Philippe Hanset
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Mar 11, 2016, at 9:11 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> Agreed- you either totally surrender the space to an unsupported (as in ZERO 
> support) network circus paradigm, or you manage it. There is no practical and 
> realistic in-between.
> 
> Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Sweetser
> Sent: Friday, March 11, 2016 8:38 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Welcome to Bring-Your-Own-Access | EdTech Magazine
> 
> You can put me squarely in the "hell no!" camp on this one.  We already have 
> enough problems as it is with printers camping on channel 7, and devices 
> where the off button just hides the SSID while still keeping the radio 
> powered up and operating.  I can only imagine the fun and games that would 
> be involved in troubleshooting that kind of heterogeneous, uncoordinated 
> RF soup.
> 
> Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
> Manager of Network Operations   |  is simple, elegant, and wrong.
> Worcester Polytechnic Institute |   - HL Mencken
> 
> On 03/10/2016 09:10 PM, Trent Hurt wrote:
>> Any folks looking to adopt bring your own access policies?
>> 
>> 
>> http://edtechmagazine.com/higher/article/2015/12/welcome-bring-your-own-access
>> 
>> 
>> Sent from my iPhone



Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the headaches?

2016-03-01 Thread Philippe Hanset
Mike,

What is the view of your legal department with a federated
identity like eduroam or a guest identity in the cloud like ANYROAM? These 
systems provide a point of contact in case of abuse and can in the end find the 
responsible user.

Would that be satisfactory?

Yesterday I announced on the eduroam-US admin list that
the Smithsonian Museums are carrying the eduroam SSID.
I was in DC for a meeting and tested it out. Between 10 and 20 Mbps down and 
6-14 Mbps up. Even though Carriers are increasing their quotas, it was nice to 
join automagically 
an encrypted network with no afterthoughts on "will this video destroy my 
monthly allowance" ;-)


Best,

Philippe

Philippe Hanset
www.eduroam.us

> On Mar 1, 2016, at 12:31 PM, Mike Cunningham <mike.cunning...@pct.edu> wrote:
> 
> Talk to your campus legal office before opening your wifi to the world. We 
> asked ours about this and were strongly advised against it. Contracting with 
> a local telecom company to provide free wifi would be better. A college or 
> university is not an ISP like a Verizon or AT&T or Comcast is. If someone is 
> abusing the campus network you’re responsible for their action. If law 
> enforcement comes knocking on your door asking about network traffic 
> originating from your campus you need to be able to point to a person or at 
> least a room and say “there”. If it was a guest on campus for a short period 
> of time you still need to be able to identify who that guest was. At least 
> that is the interpretation of current law according to our legal office.
>  
> Mike Cunningham
> Pennsylvania College of Technology
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
> Sent: Tuesday, March 01, 2016 12:21 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Self-registered MAC device bypass- worth the 
> headaches?
>  
> Joel, thanks for the detailed reply. I agree that Personal PSK is an 
> interesting idea, but it may fall apart at scale (we see 200k+ devices per 
> week), security, implementation or other burdens. My thoughts about 
> onboarding, user name as part of the credential/password have been along the 
> same lines as yours. While we wouldn’t put all of their devices on the same 
> VLAN, I would see them being able to access their printers, Chromecast, 
> AppleTV, etc. The latter is already possible using something like ClearPass 
> and AirGroup. 
>  
> We’ve been engaged in some conversations with our vendor about how to solve 
> this problem, but so far there isn’t anything to report. 
>  
> As an aside, we are also keeping an eye on MAC randomization and how this 
> might impact systems based on MAC for authentication and other headaches.
>  
> David
>  
>  
>  
>  
>  
> 
> David Morton
> Director, Mobile Communications
> Service Owner: Wi-Fi, Mobile & HuskyTV
> University of Washington
> dmor...@u.washington.edu
> tel 206.221.7814
>  
> On Mar 1, 2016, at 9:02 AM, Coehoorn, Joel <jcoeho...@york.edu> wrote:
>  
> Ruckus supports a PPSK variant, as well.
>  
> I'm just gonna put this out there. I have this idea in my head for an ideal 
> wifi service. It starts with personal pre-shared key (PPSK), but it's 
> something I don't believe is possible yet with any vendor.
>  
> Step one is to create a unique key prefix for each user, effectively 
> embedding a username value (the prefix) into the same field as the 
> key/password. The prefix would be as short as possible, perhaps as small as 
> three characters, in order to keep entry into devices simple. The purpose of 
> this prefix is to allow users to choose their own wifi password, while still 
> ensuring that each PSK value is unique and identifiable to a given user. If 
> we don't value allowing users to choose their own wifi passwords, we could 
> instead generate and assign them, and just map back the assigned key to the 
> user.. but I believe there is value in this.
>  
> Users would onboard by first connecting to a portal available via 
> open/limited ssid to claim their key. They would have to log in with their 
> traditional username/password. The portal would then prompt them for a key 
> suffix (their wifi password), and then show them the complete key (prefix + 
> suffix), which would be registered with our system. It would also have 
> options to show them history for devices authenticated using their key, 
> expire an old/create a new key using the same prefix, and other typical 
> account management options. Once created, that key could be used with 
> anything that supports traditional PSK connections. 
>  
> One important feature that I'd like to see as part

Re: [WIRELESS-LAN] User and/or Location-based Content Restriction

2016-02-09 Thread Philippe Hanset
Way back when, I used to think that teachers were completely responsible for 
classroom management,
and students were responsible for their future. When I was in college, some 
people were reading novels in class.
Meanwhile, my kids became teenagers, went on to college,
and discovered the new 21st century Heroine: Netflix.
This stuff is stronger than most people’s will power!

As an IT person, I would say leave the Network alone.

As a parent, I will say leave the network alone but monitor (amount/user/time 
of day/class) users' behavior when it comes to Video Distraction and 
have guidance offices talk to “addicts”. A school is in the business of 
education and teaching kids how to deal with modern
media could definitely be part of the curriculum. 
A vicious side effect of monitoring “TV” viewing during class will be a silent 
evaluation of teachers!
One stone two birds!

Best,

Philippe 


Philippe Hanset
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Feb 9, 2016, at 8:25 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> To me, the whole thing is a losing game, and takes responsibility for their 
> own actions away from the students. I teach as well- you want to watch 
> Netflix in my class? Have at it. But the grade you get is the grade you get. 
> There is no extra credit, no second chances to make up for bad behavior. The 
> other part of that, as a frequent student, is that some faculty members are 
> just boring and frozen in the 70s. Technology shouldn't be called upon to 
> make up for their deficiencies. Might be different in K-12, but if these 
> folks want to pay big $$ to not pay attention... well, this is America, baby.
> 
> One curmudgeon's opinion. 
> 
> 
> 
> Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Case, Brandon J
> Sent: Monday, February 08, 2016 2:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] User and/or Location-based Content Restriction
> 
> Is anyone exploring or able to suggest good options for rate limiting or 
> preventing access to random content services? This idea was posed to me today 
> from up the chain with the goal of limiting certain students' ability to 
> access certain services for a certain time, potentially only from a certain 
> location. Yep.
> 
> As an example: Student A has a class in room 2 of building Z from 8:30 to 
> 9:20 M, W and F. The goal would be to prevent (or severely hinder the ability 
> of) student A watching Netflix from 8:30 to 9:20 M, W and F while they're in 
> room 2 of building Z. Outright blocking of access to Netflix during that 
> timeframe for student A regardless of location has also been discussed. I've 
> already provided a plethora of possible pitfalls to any of these types of 
> approaches and the associated administrative overhead they could incur but am 
> being asked for answers all the same. 
> 
> Yes, this does definitely wade into the treacherous waters of technological 
> solutions to what are really social problems (and I know has been discussed 
> on this list in the past) however, I'm charged with providing some form of an 
> answer up the chain and so I turn to you all for comments, insight and 
> cautionary tales.
> 
> We're an all-Cisco shop with a healthy ISE deployment so my focus is there 
> with AAA override for ACLs, dynamic VLAN assignments, AVC profiles and QoS 
> profiles. Any solution I've thought of so far feels too much like a blunt 
> object though.
> 
> Thanks,
> --
> Brandon Case
> Senior Network Engineer
> IT Infrastructure Services
> Purdue University
> ca...@purdue.edu
> Office: (765) 49-67096
> Mobile: (765) 421-6259
> Fax:(765) 49-46620
> 
> PGP Fingerprint:
> 99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251
> 



RF Capture... to see your users!

2015-11-05 Thread Philippe Hanset
In elementary school my friend and I always talked about those famous glasses 
to see through clothing!
The article below mentions different use cases of course.

http://www.csail.mit.edu/RF_capture


…. our Wi-Fi networks might soon have new features ;-)


Philippe

Philippe Hanset
www.eduroam.us


Cloudpath-Ruckus...

2015-10-22 Thread Philippe Hanset
Here is a statement from Cloudpath about the direction of the company:

> 
> ---
> To be certain, Cloudpath will remain available as a multi-vendor product
> with a vision unchanged from what we have laid out over the last nine years.
> I continue to lead the Cloudpath team, the roadmap continues unchanged, and
> the entire Cloudpath team is excited to have at our disposal the increased
> reach and resources of Ruckus while staying true to our roots of delivering
> best-of-breed, standards-based security technologies.  Cloudpath will be at
> ACUTA and Educause next week.  I personally will be speaking at ACUTA on the
> 28th and will be at Educause on the 29th.  If attending either, please stop
> by the Cloudpath booth with any questions you have (or drop me an email).  
> 
> Kevin Koster
> Cloudpath Networks, now a Ruckus company
> 
> 



Re: [WIRELESS-LAN] Measuring User Experience

2015-10-22 Thread Philippe Hanset
Matthew,

Here are a few ideas (assuming that your Wi-Fi system/Trouble Ticket system 
allows you to poll that kind of data)

-HELP DESK: % of Help Desk trouble tickets related to Wireless, and type of 
problem
-BANDWIDTH: How is your bandwidth to the Internet doing? (% Utilization, are 
you limited for the Wi-Fi side?)
-AP LOAD: What is your campus wide ratio of user/AP (theoretical campus ratio: 
maximum unique users per day/total number of APs, Distribution ratio: What do 
you observe in your system, and how many APs are not within your own 
requirements…)
-AP DENSITY: What is your average dBm? What do you consider to be your 
requirement and what % of users on APs are/are not within that limit
-AP QUALITY: Then move to Jorj's suggestion of measuring re-auth etc…

Any other limiting factor like DHCP capacity (number of IPs)
and finally, ease of configuration (number of trouble tickets related to 
configuration issues)

Philippe

Philippe Hanset
www.eduroam.us


> On Oct 22, 2015, at 7:04 AM, Williams, Matthew <mwill...@kent.edu> wrote:
> 
> I have been instructed that I need determine a metric that reasonably 
> guestimates the end user experience of our wireless networks, without 
> procuring a system(s) that does it.  I readily admit that my head kind of 
> exploded when this directive was given.  Have any of you done this exercise 
> or have any ideas/formulas to try to calculate something like this?  Thanks 
> for any ideas that you care to share.
>  
> Respectfully, 
>  
> Matthew Williams
> Manager, Network and Telecommunications Services
> Kent State University
> Office: (330) 672-7246
> Mobile: (330) 469-0445 
>  
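One way to turn the metrics listed in this message into numbers, as an added Python example that is not part of the original post. The record layouts, the thresholds and all sample data are constructed assumptions standing in for whatever a controller and ticket system can export.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the thread). One day of Wi-Fi
# association records: (user, ap_name, rssi_dbm, reauth_count).
SESSIONS = [
    ("alice", "lib-ap1", -58, 0),
    ("bob", "lib-ap1", -71, 3),
    ("carol", "lib-ap1", -64, 1),
    ("dave", "dorm-ap1", -79, 6),
    ("erin", "dorm-ap1", -62, 0),
    ("alice", "dorm-ap2", -66, 1),
    ("frank", "dorm-ap2", -74, 2),
    ("grace", "gym-ap1", -55, 0),
]
# Constructed help desk tickets: (service, problem_type).
TICKETS = [
    ("wireless", "configuration"),
    ("wireless", "coverage"),
    ("wireless", "configuration"),
    ("email", "password"),
    ("printing", "driver"),
    ("wireless", "authentication"),
    ("lms", "access"),
    ("email", "quota"),
]
TOTAL_APS = 5          # assumed inventory; one AP saw no clients today
MAX_USERS_PER_AP = 2   # assumed local design requirement
MIN_RSSI_DBM = -70     # assumed local coverage requirement


def help_desk_share(tickets):
    """HELP DESK: percent of tickets that are wireless, and their problem types."""
    wireless = [problem for service, problem in tickets if service == "wireless"]
    pct = 100.0 * len(wireless) / len(tickets) if tickets else 0.0
    return pct, Counter(wireless)


def ap_load(sessions, total_aps, max_users_per_ap):
    """AP LOAD: theoretical users/AP ratio and the APs outside the requirement."""
    if total_aps <= 0:
        raise ValueError("total_aps must be positive")
    users_by_ap = defaultdict(set)
    for user, ap, _rssi, _reauths in sessions:
        users_by_ap[ap].add(user)
    unique_users = set()
    for users in users_by_ap.values():
        unique_users |= users
    theoretical = len(unique_users) / total_aps
    overloaded = sorted(ap for ap, users in users_by_ap.items()
                        if len(users) > max_users_per_ap)
    return theoretical, overloaded


def signal_compliance(sessions, min_rssi_dbm):
    """AP DENSITY: average dBm and percent of associations below the requirement."""
    readings = [rssi for _user, _ap, rssi, _reauths in sessions]
    if not readings:
        return None, 0.0
    weak = sum(1 for rssi in readings if rssi < min_rssi_dbm)
    return sum(readings) / len(readings), 100.0 * weak / len(readings)


def reauths_per_association(sessions):
    """AP QUALITY: re-authentications per association, keyed by AP."""
    totals = defaultdict(lambda: [0, 0])
    for _user, ap, _rssi, reauths in sessions:
        totals[ap][0] += reauths
        totals[ap][1] += 1
    return {ap: count / seen for ap, (count, seen) in totals.items()}


def scorecard():
    """Collect the four measurements into one report over the sample data."""
    ticket_pct, ticket_types = help_desk_share(TICKETS)
    ratio, overloaded = ap_load(SESSIONS, TOTAL_APS, MAX_USERS_PER_AP)
    avg_dbm, weak_pct = signal_compliance(SESSIONS, MIN_RSSI_DBM)
    rates = reauths_per_association(SESSIONS)
    return {
        "wireless_ticket_pct": ticket_pct,
        "top_wireless_problem": ticket_types.most_common(1)[0][0],
        "users_per_ap": ratio,
        "aps_over_requirement": overloaded,
        "average_dbm": avg_dbm,
        "pct_below_rssi_requirement": weak_pct,
        "worst_reauth_ap": max(rates, key=rates.get),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name}: {value}")
```
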



Re: [WIRELESS-LAN] Ruckus has purchased Cloudpath

2015-10-22 Thread Philippe Hanset
Or if you only care about 802.1X automatic configuration (and not about all the 
features of device management that come with Cloudpath and others)
you can use the free configuration tool from cat.eduroam.org (definitely not as 
good as Cloudpath, but good enough for many of us ..and it does support your 
local SSID in addition to eduroam)

Philippe

Philippe Hanset
www.eduroam.us

> On Oct 22, 2015, at 11:02 AM, Coehoorn, Joel <jcoeho...@york.edu> wrote:
> 
> Best case scenario: Ruckus' awesome Dynamic PSK feature gets rolled into 
> Cloudpath for the rest of us and the pricing comes down in an effort to use 
> CloudPath to eventually sway customers towards Ruckus hardware. Worst case: 
> Cloudpath effectively goes Ruckus-only, leaving us to move to either 
> Secure-W2, Cisco ISE, or Aruba ClearPass.
> 
> 
> 
> 
> Joel Coehoorn
> Director of Information Technology
> 402.363.5603
> jcoeho...@york.edu <mailto:jcoeho...@york.edu>
> 
> 
> The mission of York College is to transform lives through Christ-centered 
> education and to equip students for lifelong service to God, family, and 
> society
> 
> On Thu, Oct 22, 2015 at 9:58 AM, Frank Sweetser <f...@wpi.edu 
> <mailto:f...@wpi.edu>> wrote:
> Well that's... interesting.
> 
> Anyone heard any rumors about what their roadmap might be?  These 
> acquisitions of an independent service by a larger portfolio company rarely 
> seem to well for customers of the independent service if you're not also a 
> customer of the large one.
> 
> Frank Sweetser fs at wpi.edu <http://wpi.edu/>|  For every problem, there 
> is a solution that
> Manager of Network Operations   |  is simple, elegant, and wrong.
> Worcester Polytechnic Institute |   - HL Mencken
> 
> On 10/22/2015 10:43 AM, Lee H Badman wrote:
> FYI.
> *Lee Badman*| Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> *t* 315.443.3003  *f* 315.443.4325  *e* 
> _lhbadman@syr.edu_
> <mailto:lhbad...@syr.edu <mailto:lhbad...@syr.edu>> *w* its.syr.edu 
> <http://its.syr.edu/>
> *SYRACUSE UNIVERSITY
> *syr.edu <http://syr.edu/>



Re: [WIRELESS-LAN] Ruckus has purchased Cloudpath

2015-10-22 Thread Philippe Hanset
Just to clarify, CAT (cat.eduroam.org) is mostly designed for PEAP and 
EAP-TTLS. 
You could use it for EAP-TLS but it doesn’t tie to a PKI (that part of the code 
is missing)

Support for EAP-TTLS for Windows XP-VISTA-7 was interrupted this year after 
SecureW2 asked CAT to stop using its code.

But new versions of MacOS do not support EAP-TTLS, so it seems that EAP-TTLS 
might really disappear anyway!
(if you want to support PEAP in a non Microsoft environment, you can read this: 
https://www.eduroam.us/node/97)

Philippe

Philippe Hanset
www.eduroam.us


> On Oct 22, 2015, at 11:14 AM, Philippe Hanset <phan...@anyroam.net> wrote:
> 
> Or if you only care about 802.1X automatic configuration (and not about all 
> the features of device management that come with Cloudpath and others)
> you can use the free configuration tool from cat.eduroam.org 
> (definitely not as good as Cloudpath, but good 
> enough for many of us... and it does support your local SSID in addition to 
> eduroam)
> 
> Philippe
> 
> Philippe Hanset
> www.eduroam.us
>> On Oct 22, 2015, at 11:02 AM, Coehoorn, Joel <jcoeho...@york.edu> wrote:
>> 
>> Best case scenario: Ruckus' awesome Dynamic PSK feature gets rolled into 
>> Cloudpath for the rest of us and the pricing comes down in an effort to use 
>> CloudPath to eventually sway customers towards Ruckus hardware. Worst case: 
>> Cloudpath effectively goes Ruckus-only, leaving us to move to either 
>> Secure-W2, Cisco ISE, or Aruba ClearPass.
>> 
>> 
>> 
>> 
>> Joel Coehoorn
>> Director of Information Technology
>> 402.363.5603
>> jcoeho...@york.edu
>> 
>> 
>> The mission of York College is to transform lives through Christ-centered 
>> education and to equip students for lifelong service to God, family, and 
>> society
>> 
>> On Thu, Oct 22, 2015 at 9:58 AM, Frank Sweetser <f...@wpi.edu> wrote:
>> Well that's... interesting.
>> 
>> Anyone heard any rumors about what their roadmap might be?  These 
>> acquisitions of an independent service by a larger portfolio company rarely 
>> seem to well for customers of the independent service if you're not also a 
>> customer of the large one.
>> 
>> Frank Sweetser fs at wpi.edu    |  For every problem, there is a solution that
>> Manager of Network Operations   |  is simple, elegant, and wrong.
>> Worcester Polytechnic Institute |   - HL Mencken
>> 
>> On 10/22/2015 10:43 AM, Lee H Badman wrote:
>> FYI.
>> *Lee Badman*| Network Architect
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> *t* 315.443.3003  *f* 315.443.4325  *e* lhbad...@syr.edu  *w* its.syr.edu
>> *SYRACUSE UNIVERSITY*
>> syr.edu



Re: [WIRELESS-LAN] eduroam

2015-09-27 Thread Philippe Hanset
Mike,

Any institution involved in Research or education can participate in eduroam. 
The business model is 10 cents per enrolled student with a minimum of $400. 
If you are an Internet2 member it is included in your membership.

You can check more at www.eduroam.us


Thanks,

Philippe Hanset
www.eduroam.us

> On Sep 25, 2015, at 6:46 PM, Mike Cunningham <mike.cunning...@pct.edu> wrote:
> 
> Does anyone know for sure if a college that is not part of Internet2 can 
> still participate in eduroam or is having an Internet2 link a requirement?
>  
> Thanks
> Mike Cunningham
> VP of Information Technology Services/CIO
> Pennsylvania College of Technology
>  
>  



Re: [WIRELESS-LAN] Eduroam authentication question with AD

2015-09-03 Thread Philippe Hanset
Dennis,

I can think of two solutions:

1) Put a RADIUS server that is capable of stripping REALMs in front of your ACS 
5.x server (e.g. FreeRADIUS)
(this will also help you with other features in the future that FreeRADIUS 
tends to integrate and ACS doesn’t)

2) Add to AD a second UPN (@uoguelph.ca)


Philippe Hanset
www.eduroam.us
www.anyroam.net



> On Sep 3, 2015, at 4:23 PM, Dennis Xu <d...@uoguelph.ca> wrote:
> 
> We have one issue with eduroam and AD authentication. We authenticate eduroam 
> users to Active Directory using PEAP-mschap-v2. The issue lies with our AD 
> domain name, which is a subdomain called cfs.uoguelph.ca. If users try to 
> log in with username use...@uoguelph.ca, the authentication will fail as the 
> domain name does not match. We had to strip the "@uoguelph.ca" suffix on our 
> ACS 4.2 to make it work but the same suffix stripping functionality does not 
> exist in ACS 5.x so we have to find other alternatives. I would like to know 
> if it is a common issue in universities that the AD domain does not match the 
> main domain? If you have the same issue, what are your solutions? Thanks.
> 
> ---
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services(CCS)
> University of Guelph
> 
> 519-824-4120 Ext 56217
> d...@uoguelph.ca 
> www.uoguelph.ca/ccs
> 



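The realm handling that option 1 in the reply above asks of a front-end RADIUS server, modeled in Python as an added example (not FreeRADIUS or ACS code, and not written by anyone on the list). The realms `uoguelph.ca` and `cfs.uoguelph.ca` come from the thread; `route`, `Decision`, the sample identities and the treatment of realm-less names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Realms the home RADIUS server answers itself. Both come from the thread:
# the realm users type and the AD sub-domain that holds the accounts.
LOCAL_REALMS = frozenset({"uoguelph.ca", "cfs.uoguelph.ca"})

# A realm must be a dotted DNS-style name (letters, digits, hyphens).
REALM_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


@dataclass(frozen=True)
class Decision:
    action: str               # "local", "proxy" or "reject"
    username: Optional[str]   # identity passed to the next hop
    reason: str


def route(user_name: str, local_realms=LOCAL_REALMS) -> Decision:
    """Decide what a front-end RADIUS server does with a User-Name."""
    # Refuse whitespace and control characters instead of trimming them:
    # silently repairing an identity hides client misconfiguration.
    if not user_name or any(
        c.isspace() or not c.isprintable() for c in user_name
    ):
        return Decision("reject", None, "empty, whitespace or control chars")

    user, sep, realm = user_name.rpartition("@")
    if not sep:
        # Assumption: bare names only come from home users on campus.
        return Decision("local", user_name, "no realm supplied")

    realm = realm.lower()     # realms compare case-insensitively
    if not user or "@" in user:
        return Decision("reject", None, "malformed user part")
    if not REALM_RE.match(realm):
        return Decision("reject", None, "malformed realm")

    if realm in local_realms:
        # Exact match only. Strip the realm so the back end (ACS 5.x and AD
        # in the thread) sees the bare account name.
        return Decision("local", user, "local realm stripped")

    # Everything else belongs to another institution: forward unchanged.
    return Decision("proxy", user_name, "foreign realm")


if __name__ == "__main__":
    # Constructed sample identities, not taken from any log.
    for sample in (
        "jdoe@uoguelph.ca",
        "jdoe@CFS.UoGuelph.ca",
        "visitor@example.edu",
        "jdoe@uoguelph.ca.example.org",
        "a@b@uoguelph.ca",
        "jdoe@",
    ):
        print(f"{sample!r:34} -> {route(sample)}")
```

The realm is compared for exact membership in the local set; a suffix or substring test would treat `jdoe@uoguelph.ca.example.org` as a home user and authenticate it locally instead of proxying it.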


Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up industry-wide fight over interference

2015-08-28 Thread Philippe Hanset
Frans,

Unfortunately LTE is a 3GPP protocol (proprietary and designed for efficiency 
of spectrum usage) 
and 802.11 is an IEEE protocol (general public, sloppy is accepted ;-).
I recently attended a conference on Wi-Fi organized by commercial providers.
Most of the presentations were about “how to capitalize Wi-Fi”, not just 
Wi-Fi-offload, but cash loading with Wi-Fi. 
I get it, they have to make money, it’s their first duty to their shareholders 
… but I like my “wireless freedom” and I’ll fight for it.
When I switch from cellular to Wi-Fi I feel more relaxed as far as what I can 
do.
I can watch a video online without having to worry about my monthly quota.
Also, the sharing of Wi-Fi (visitor access) is decided by the local people who 
operate it. 
So, it is not so much about interferences and efficiency but rather about an 
insidious invasion of a spectrum that is available
for the people not for mega large operators.

LTE moving in 5 GHz feels like Wal-Mart moving in a local Farmers Market!
They might even sell the same tomatoes grown by the same local people, but the 
small guys do not decide how it’s done.

One day T-Mobile will knock on your door and propose to operate your wireless 
network with LTE only.
(Our University used to have its own bakery and people loved it…then Aramark 
moved in ;-). 

Some schools like this model, some don’t.
We need to make sure that the choice stays available.

Philippe

Philippe Hanset
www.anyroam.net



 On Aug 28, 2015, at 4:21 AM, Frans Panken frans.pan...@surfnet.nl wrote:
 
 My observations:  the current pre-standard product suite that use the 
 LTE-protocol on the 5GHz band are targeting indoor, not outdoor.
 
 All marketing and communications on LTE and 5Ghz band is around mobile 
 operators and their need for spectrum. From a technical perspective, I must 
 admit that LTE is a more efficient protocol than Wi-Fi is. So, in addition to 
 preventing that operators ruin the spectrum at our Wi-Fi facilities we should 
 also knock on the doors of our Wi-Fi vendors and asking them how they 
 integrate LTE-U (or another flavour) in their Wi-Fi product offering for our 
 benefits. Frankly speaking, I do not care whether the radio communication 
 uses Wi-Fi, LTE or what ever protocol as long as it does its job well and 
 efficiently. 
 
 -Frans
 
 
 
 Brian Helman schreef op 28/08/15 om 03:42:
 Mike,
 
 I was just about to post the same quote, and I looked down and saw it in 
 your post.  
 
 How viable is 5GHz in this situation?  I mean, we've now rolled out two AC 
 buildings.  The signals go through 1 wall fine, but 2 walls or a single 
 outside wall and the signal is non-existent.  If they won't be allowed to 
 crank it up to 11, is it useful?  What am I missing?
 
 -Brian
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Mike King [m...@mpking.com]
 Sent: Thursday, August 27, 2015 8:08 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up industry-wide 
 fight over interference
 
 
 Quote from the article:
 T-Mobile wrote. Qualcomm said its testing 
 http://apps.fcc.gov/ecfs/document/view?id=60001104452 shows that Wi-Fi 
 access points often have better throughput when sharing a channel with LTE-U 
 than when sharing a channel with another Wi-Fi access point.
 
 Here's my comment: 
 Well, duh.   Two AP's on the same channel is something we try to avoid, 
 because It's Bad®.  How about comparing throughput of an AP with no 
 interference (Cause that's what we call two AP's on the same channel), and an 
 AP with LTE-U on the same channel.
 
 Mike
 
 
 On Thu, Aug 27, 2015 at 5:49 PM, Coehoorn, Joel jcoeho...@york.edu wrote:
 The good news is that LTE-U still has the same power limitations as other 
 unlicensed uses. Telecom companies won't be able to easily provision an 
 LTE-U tower every 30 meters within our campus, limiting their ability to 
 cause interference. 
 
 Instead, I see them mostly using this to fill coverage gaps by selling wifi 
 routers with an LTE-U service built-in for rural and other underserved 
 areas. Additionally, I see them using this to try to push their backhaul 
 costs onto other providers. A Verizon could get a Cox to help foot their 
 transit bill by selling their special routers to customers at just below 
 their cost. Consumers would buy these routers because they are cheaper, and 
 suddenly Verizon gets some free spectrum in that area and can manage 
 things so the call terminates at the Verizon location nearest the other end 
 of the conversation.
 
 The biggest risk on our end is probably having students bringing routers 
 with this ability into their residences, but we can deal with that the same 
 way we've always done... well, almost, depending on how the whole Mariott

Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up industry-wide fight over interference

2015-08-27 Thread Philippe Hanset
We can now combine three threads that we have had over the summer on this list
5 GHz, Containment, and the LTE-U controversy (this thread just started)

LTE-U and Jamming…will my Wi-Fi equipment provider enable LTE-U “containment” 
and as a University/College how can I prevent LTE-U from interfering
with my 5GHz deployment.

Oh boy…

Philippe

Philippe Hanset
www.eduroam.us



 On Aug 27, 2015, at 2:55 PM, Hinson, Matthew P 
 matthew.hin...@vikings.berry.edu wrote:
 
 Source: 
 http://arstechnica.com/information-technology/2015/08/verizon-and-t-mobile-join-forces-in-fight-for-wi-fi-airwaves/#p3
  
 It was only a matter of time.
  
 Thank you!
 Matthew Hinson
 Supervisor, Network Operations



Re: [WIRELESS-LAN] 6-month follow-up to Marriott/FCC Wifi blocking stories

2015-08-20 Thread Philippe Hanset
Lee,

I just read your Open Letter. Good work. Thank you.

One question that I have for future reference is:
“What constitutes blocking?”

You mention White Noise or Frame manipulation…
What if building owners have frequency blocking material as part of the design 
of the building.
This could be considered passive blocking as opposed to white noise or frame 
manipulation but it is blocking regardless. 
We might want to know the FCC point of view on this before we create “wave free 
classrooms”!

Best,

Philippe

Philippe Hanset
www.eduroam.us



 On Aug 20, 2015, at 10:16 AM, Lee H Badman lhbad...@syr.edu wrote:
 
 I'm trying to get the FCC's attention on this:
 
 https://wirednot.wordpress.com/2015/08/19/an-open-letter-to-the-fcc/ 
 
 -Lee
 
 Lee H. Badman
 Network Architect/Wireless TME
 ITS, Syracuse University
 315.443.3003
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of Mike King m...@mpking.com
 Sent: Wednesday, August 19, 2015 9:01 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] 6-month follow-up to Marriott/FCC Wifi blocking 
 stories
  
 I know it's two weeks later, but Smart Holdings just got smacked by the FCC 
 for the same thing. (Which is probably why you were asking)
 
 http://gizmodo.com/its-about-damn-time-fcc-says-convention-centers-cant-b-1724805719?dfp_pp_ab=ondfp_desktop_three=offutm_expid=66866090-43.E9Bjfd6NTuSlXJewu2e_Ig.1utm_referrer=https%3A%2F%2Fwww.google.com%2F
  
 On Thu, Aug 6, 2015 at 10:30 AM, Bob Brown bbr...@nww.com wrote:
 I’m looking to follow up on a series of stories we ran in late 2014/early 
 2015 
 http://www.networkworld.com/article/2879142/wireless/fcc-still-has-ton-of-explaining-to-do-on-wi-fi-blocking-rules.html
  on the Marriott Wifi blocking issue. To refresh, the FCC fined Marriott for 
 blocking a Wifi hotspot (or hotspots) at one of its hotel convention centers. 
  The incident sparked quite a bit of discussion on this listserv, as 
 university/college network pros wondered whether their own Wifi 
 management/security practices would now be considered legit and whether the 
 products they were using could still be used. 
 
 * I’ve followed up with Marriott, whose CIO kicked me over to public 
   relations, which naturally declined to comment. 
 * The hospitality industry trade group had said at the time of the 
   FCC/Marriott decisions that it was going to launch a cybersecurity task force 
   to study this topic further, but they haven’t responded to my inquiries, so 
   I’m not sure whether such a task force was formed and if so, whether it has 
   accomplished anything. 
 * The FCC has been unresponsive on this matter entirely. 
 * I’ve contacted WLAN vendors that I spoke to for some of the original 
   articles to see if anything has changed on their end since the start of the 
   year and they haven’t had much to say so far. 
 
 So, based on all this, I don’t have much of an update to write about at this 
 point…perhaps exactly what these parties would like.
 
 But, I’m also wondering if any of you who were trying to figure out earlier 
 this year what the FCC decision/Marriott response meant to you, have taken 
 any new approaches to managing/security Wifi on your campuses. If so, and 
 you’d be willing to share your story, please touch base (or feel free to 
 share with the listserv if appropriate).
 
 Regards,
 
 Bob Brown
 Online Executive Editor, News
 T: 508.766.5418
 
 NETWORK WORLD
 492 Old Connecticut Path | PO Box 9002 | Framingham, MA 01701-9002

Re: [WIRELESS-LAN] 6-month follow-up to Marriott/FCC Wifi blocking stories

2015-08-20 Thread Philippe Hanset
We need to wait on an unfortunate school to be sued by a student due to Mi-Fi 
blocking in a Residential Property

-Student:

I pay rent, I can do whatever I want in my room

-School:

We provide “free” Wi-Fi to all rooms and the interferences are becoming 
unmanageable
to a point where we have more trouble tickets than packets being successfully 
sent or received.
We had to do something.

-Lawyers:

Either way, we will cash on this!

-FCC:

So, we have an Interferer being interfered by another interferer. Could Scott 
Adams please give us some wisdom on this?


Philippe

Philippe Hanset



 On Aug 20, 2015, at 10:40 AM, Lee H Badman lhbad...@syr.edu wrote:
 
 It's a good point, and there was a bit of chatter on this on Twitter. The FCC 
 has left the whole thing way too open-ended given the popularity of Wi-Fi, 
 and a lot of topics bleed over on to each other.
 
 I'd be surprised if they responded in any way- the preference seems to be to 
 ambush users with fines.
 
 
 Lee H. Badman
 Network Architect/Wireless TME
 ITS, Syracuse University
 315.443.3003

Re: [WIRELESS-LAN] Exclusive 2.4 Ghz and 5 Ghz SSIDs

2015-08-12 Thread Philippe Hanset
Paul,

Dorm design is an animal of itself and each school has its own set of 
challenges based on 
locations and policies. As much as I agree that 2.4 GHz and 5 GHz shouldn’t be 
on separate SSIDs for main campus,
I have really changed my mind for dormitories. Those buildings are really micro 
houses stacked on top of each other
with people bringing anything and everything they want which is quite different 
than academic buildings. We all spend our summers designing
the best coverage that we can for those residential areas, and as soon as 
students move in, the interference in 2.4 GHz makes our entire effort look
pointless in the eyes of the complaining student who is actually partly 
responsible for the problem.
So, in dormitories only, I would have the regular set of SSIDs that the campus 
provides plus an extra 5 GHz only called something like 
residential-preferred.
But I wouldn’t use “fast” or “5GHz” in the SSID name.

Best,

Philippe


Philippe Hanset
www.eduroam.us



 On Aug 11, 2015, at 4:22 PM, Paul Sedy rps...@masters.edu wrote:
 
 Hello everyone,
  
 We are a Cisco shop and have, up until now, employed a single SSID for 
 students, supporting both 2.4 Ghz and 5Ghz connections.  During this summer, 
 we have been working to develop sufficient AP density to ensure good 5Ghz 
 cells throughout our dorms.  In the past, we have seen numerous instances of 
 poorer performance on the 2.4 Ghz spectrum, but up to this point, have relied 
 on the client to make the decision between these two options.  
  
 We are thinking of deploying two separate SSIDs, a 5Ghz network and a 2.4 Ghz 
 network, that are exclusive in order to promote a better experience for the 
 students with devices capable of 5Ghz connectivity.  We would probably use 
 the original SSID name with an appended (5 Ghz) or (2.4 Ghz).
  
 Are any of you currently employing this type of configuration and how well 
 has it worked for you?
  
 We would appreciate any insights that anyone might have.
  
 Paul Sedy
 The Master’s College
 Director of IT Operations
 21726 Placerita Canyon Rd, Santa Clarita, CA 91321
 661.362.2340 | rps...@masters.edu



Re: [WIRELESS-LAN] eduroam Advertising

2015-07-22 Thread Philippe Hanset
I always make a point to interview students and faculty about eduroam during my 
travels or in my town if the opportunity arises

These interviewees are from eduroam enabled Universities and Colleges from 
around the world and are rarely aware of the service.
My last interview was with a Canadian student from McGill who spent one month 
traveling European Cities
…she was bummed to learn on her way back home in line at the airport that she 
missed on that great opportunity considering that free Wi-FI
hotspots are not always easy to find. Now she knows !

IT departments turn eduroam on and the communication to the University 
community is highly variable depending on the school.
I know that Clemson University uses eduroam as their primary secure SSID and 
did a massive information campaign. As a result we saw a lot of Clemson
authentications in our logs showing that the Clemson Community used the service 
when traveling.

What is the right approach to inform the community about eduroam? (here are 
potential suggestions)

-Include a paragraph in the “orientation” material (my son did his school 
orientation last month and was puzzled that the Wireless section had nothing on 
eduroam and its roaming benefit)
-Let the study abroad office know about eduroam and advertise for the service 
in that office
-Do a mass email (not always popular and will have to be repeated until eduroam 
becomes part of the knowhow)
-Include it in the University media (also needs to be repeated until it becomes 
part of the knowhow)

What else?

The most successful approach that we have seen is using eduroam as primary SSID 
but not every school is willing or ready to do so, and even in that case the 
communication
about the roaming aspect has to be done properly!

Once you enable eduroam for your campus, definitely ask your communication 
department if they can help you spread the word.
(there is some customizable material for your school at www.eduroam.org
…click on Media  Logo (left hand side))

 Best,

Philippe

Philippe Hanset
www.eduroam.us



 On Jul 22, 2015, at 8:16 AM, Lee H Badman lhbad...@syr.edu wrote:
 
 Branding. “Orange” is deeply embedded in our University culture. With dozens 
 of thousands of wireless clients on the network daily, AirOrange SSID is one 
 more facet of that culture. Eduroam is there for those who need it 
 (single-digit percentage of all users), and they tend to find it just fine. 
 Our travelers also have no issue using eduroam when away, and our branded 
 SSID when home.
  
  
 -Lee
  
 Lee Badman | Network Architect
 
 Information Technology Services
 206 Machinery Hall
 120 Smith Drive
 Syracuse, New York 13244
 
 t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
 SYRACUSE UNIVERSITY
 syr.edu
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Oliver Elliott
 Sent: Wednesday, July 22, 2015 3:54 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] eduroam Advertising
  
 It would be interesting to hear why you wouldn't make eduroam your primary 
 SSID, is it technical reasons or one of branding?
  
 On 21 July 2015 at 20:39, Lee H Badman lhbad...@syr.edu wrote:
 Similar here. No desire to move to eduroam as primary SSID, but it’s getting 
 fair amount of use with communications efforts.
  
 Lee Badman | Network Architect
 
 Information Technology Services
 206 Machinery Hall
 120 Smith Drive
 Syracuse, New York 13244
 
 t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
 SYRACUSE UNIVERSITY
 syr.edu
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
 Sent: Tuesday, July 21, 2015 1:37 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] eduroam Advertising
  
 When we rolled out eduroam, our ITS PR Team published the news in 
 university’s newsletter ‘State’.
  
 http://unicomm.fsu.edu/documents/state/state-2014-03-31.pdf 
  
 ITS put up webpages for eduroam:
  
 http://its.fsu.edu/Network/NetworkMainCampus/WiFi/eduroam 
  
  
 ITS also made an announcement to university’s mailing list, nolenet:
  
 === Copy of announcement email ===
 
 In March 2014, Information Technology Services (ITS) joined eduroam, a free, 
 secure, worldwide Internet access service that allows members to easily 
 connect their mobile device to Wi-Fi when visiting other

Re: [WIRELESS-LAN] eduroam Advertising

2015-07-22 Thread Philippe Hanset
William,

eduroam already has a Roaming Consortium OUI registered with IEEE, so 
potentially
it is ready. Interoperability and readiness of campuses and equipment might 
take some time though.

Indeed, PassPoint/HotSpot2.0 (802.11u is now part of 802.11) will address SSID 
related issues!

Best,

Philippe

Philippe Hanset
www.anyroam.net



 On Jul 22, 2015, at 9:24 PM, Green, William C gr...@austin.utexas.edu wrote:
 
 Philippe,
 
 What is the support status of eduroam and 802.11u?
 
 That might address some SSID related issues.
 
 
 
 --
 William C. Green  e-mail:  gr...@austin.utexas.edu
 Director, Networking and Telecommunications   phone:   +1 512-475-9295
 ITS (Information Technology Services) fax: +1 512-471-2449
 University of Texas
 1 University Station Stop C3800
 Austin, TX  78712
 



Re: [WIRELESS-LAN] eduroam Advertising

2015-07-22 Thread Philippe Hanset
Hello Matt,

Good question! (and hard to deal with)

We have encountered 3 ways so far (if anyone has others, please share) to deal 
with the eduroam SSID overlap issue.
(some refer to this overlap issue as “The Russell Square Problem” in previous 
eduroam presentations)

1) Have a SSID in the form eduroam-* (as Jason Cook highlighted in his 
response). It is accepted by the eduroam consortium
but it is neither pretty nor convenient or expandable (read: multiple 
profiles on devices, user confusion, and as Jason mentioned it doesn’t work 
well beyond one or two exceptions)

2) Share VLANs between institutions

3) Use IP Mobility solutions (many available, some proprietary, some standard)

2) and 3) require quite a bit of work in the background but generate a better 
user experience than 1)


Philippe

Philippe Hanset
www.eduroam.us



 On Jul 22, 2015, at 10:07 AM, Nocifore,Matthew m...@drexel.edu wrote:
 
 Excellent message Philippe.  Thanks. 
 
 Always many factors to consider when selecting or changing a primary ssid. If 
 you are considering eduroam as your primary ssid, you may want to consider if 
 you have any campus borders that might currently or in the future hear 
 eduroam from nearby rf neighbors.  Certainly more of an issue in urban 
 environments.
 
 In Philadelphia, Drexel University and University of Pennsylvania share an 
 urban campus border where we hear each other's radios.  Both institutions also 
 lease space in a University City Science Center complex (kind of like a colo 
 facility for science and innovation)  and we have identified spaces where 
 building occupants can bounce between eduroam networks from each institution. 
  
 
 Let's just say joint management of such issues is easier and perhaps a less 
 urgent priority when your primary campus ssid isn't impacted by the overlap. 
 :-)
 
 Maybe Philippe has some good stories for us about multi-campus eduroam 
 collaborations!
 
 
 On Jul 22, 2015 (Wed), at 9:29 AM, Philippe Hanset wrote:
 
 I always make a point to interview students and faculty about eduroam during 
 my travels or in my town if the opportunity arises
 
 These interviewees are from eduroam enabled Universities and Colleges from 
 around the world and are rarely aware of the service.
 My last interview was with a Canadian student from McGill who spent one 
 month traveling European Cities
 …she was bummed to learn on her way back home in line at the airport that 
 she missed out on that great opportunity considering that free Wi-Fi
 hotspots are not always easy to find. Now she knows!
 
 IT departments turn eduroam on and the communication to the University 
 community is highly variable depending on the school.
 I know that Clemson University uses eduroam as their primary secure SSID and 
 did a massive information campaign. As a result we saw a lot of Clemson
 authentications in our logs showing that the Clemson Community used the 
 service when traveling.
 
 What is the right approach to inform the community about eduroam? (here are 
 potential suggestions)
 
 -Include a paragraph in the “orientation” material (my son did his school 
 orientation last month and was puzzled that the Wireless section had nothing 
 on eduroam and its roaming benefit)
 -Let the study abroad office know about eduroam and advertise for the 
 service in that office
 -Do a mass email (not always popular and will have to be repeated until 
 eduroam becomes part of the knowhow)
 -Include it in the University media (also needs to be repeated until it 
 becomes part of the knowhow)
 
 What else?
 
 The most successful approach that we have seen is using eduroam as primary 
 SSID but not every school is willing or ready to do so, and even in that 
 case the communication
 about the roaming aspect has to be done properly!
 
 Once you enable eduroam for your campus, definitely ask your communication 
 department if they can help you spread the word.
 (there is some customizable material for your school at www.eduroam.org
 …click on Media  Logo (left hand side)
 
  Best,
 
 Philippe
 
 Philippe Hanset
 www.eduroam.us
 
 
 





Re: [WIRELESS-LAN] Copper Cable Field Terminations for Access Points

2015-05-14 Thread Philippe Hanset
I remember arguing with cabling crews about that exact issue:

ME: I  want to have the RJ-45 connector crimped on the cable for two reasons: 
-It saves money (on one jack and one patch cable, that’s about $10 per AP)
-It prevents patch cable theft (not huge but very annoying especially in 
Residence Halls)

CABLING CREW:  we want to terminate on a jack because:
-It is a pain to terminate a RJ-45 connector on the cable (unless new connector 
designs exist) and the money saved in equipment is wasted in labor
-We cannot properly label the circuit on a cable but we can do it on a jack

In the end, they won the argument.

Some may argue that terminating on a Jack also gives the option to add a longer 
patch cable if needed,
but we always left a service loop anyway!



Philippe Hanset
www.eduroam.us



 On May 14, 2015, at 1:05 PM, Mark H. Wehrle weh...@isc.upenn.edu wrote:
 
 Good afternoon all,
 
 We are faced with some challenges in upgrading our access points in our 
 residence halls this summer. Our existing installation has access points wall 
 mounted and we terminate Cat5E cable on a Cat5E type biscuit jack on the wall 
 near where the access point is mounted. From there we place a short cable 
 from the jack to the access point. In current state, this makes for easier 
 troubleshooting to decipher cable versus AP problems, however it's understood 
 that there could be other problems associated with multiple termination 
 points etc. In our current project, we are looking to install access points with 
 internal antennas and we are looking to move these to ceiling mounts in 
 most/all of these rooms where we can. We made this choice because we've found 
 that some students will vary the positions of antennas, which have impacted 
 RF coverage and we have added more access points in some areas to compensate 
 (we cannot easily get into student rooms to inspect access points).
 
 The question I was asked before we move these jacks is whether we should save 
 costs and time by just making a field termination of the Cat5E cable with an 
 RJ45 connector crimped right on the cable then plug this cable directly into 
 the access point and avoid the biscuit jack and short station cable. I'm 
 wondering if anyone is doing this, was doing this and stopped, plans to do 
 this etc? Does this present any problems like bad mechanical connection 
 problems etc?
 
 Thanks for your feedback.
 
 --Mark Wehrle
 Technical Director, ISC Network  Telecom Operations
 University of Pennsylvania
 3401 Walnut Suite 221a
 Phila. PA 19104-6228
 Phone: (215) 898-9664
 Fax: (215) 898-9348
 Email: weh...@isc.upenn.edu
  
 





Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-13 Thread Philippe Hanset
Lee,

All you need is a Smart-Phone with a HotSpot feature and a very large Data 
Quota.
(I assume that’s what schools thinking about switching to LTE have in mind!)
You can then do WPA2-PSK between your phone and your TV, your Game Console, ...

Mongolians don’t have wireless in the plains, but they do have goats ...

Philippe

Philippe Hanset
www.anyroam.net



 On May 13, 2015, at 10:59 AM, Lee H Badman lhbad...@syr.edu wrote:
 
 Does the carrier guarantee capacity at this scale? And does it matter that no 
 game systems, TVs, etc can play any more? And… students have to use two 
 distinct technologies depending on where they are on campus, and probably 
 have to VPN in for certain operations from the dorm to campus?
  
 This sounds like an absolute goat rope (I believe Mongolians have another 
 term for it).
  
 Lee Badman
 Wireless/Network Architect
 ITS, Syracuse University
 315.443.3003
 (Blog: http://wirednot.wordpress.com/)
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
 Sent: Wednesday, May 13, 2015 9:25 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, 
 or not to provide (wireless) service...
  
 I have a little more information to provide now.  I absolutely appreciate 
 that it will be extremely tempting to respond with biased opinions.  I don’t 
 think there is anything that can be said that I haven’t already expressed to 
 my team.  However, that will not help me write up my recommendation.  So that 
 being said, feel free to chime in with tangible reasons to do this or not…
  
 Apparently, our president heard that some schools are investigating 
 purchasing bulk data contracts with mobile (“cellular”) carriers for data.  
 The idea is, we would stop providing 802.11g/n/ac wireless in the residence 
 halls and instead provide students with the abilities to register their 
 devices with the mobile carrier to use 4G/LTE data.  The University will pay 
 for this.
  
 Pros:
 No wireless (802.11) to purchase, support
 Reduced POE requirements on switches
 No wireless driver/configuration mismatches problems to support
  
 Cons:
 Is mobile wireless signal available everywhere inside the buildings?  Costs 
 to improve signal.
 What speeds are available (what range of speeds)?  Is it by user or aggregate?
 How is congestion handled?
 What devices – mobile phones only?  Hotspots to provide access to 
 non-cellular devices (e.g wifi-only tablets; laptops)
 More Ethernet ports needed for devices that previously depended on wireless
 What provider(s)?
 Support shifted from “device to institutional wifi” to “device to myfi” or 
 “device to 3rd party”
 Cost per user, per GB?  
  
 What else?
  
 If you know of any institutions who have attempted this (I have heard MIT is 
 looking at it, but we aren’t MIT), please let me know.
  
 By the way, the background here is .. we installed our 802.11n network ~5 
 years ago and haven’t had any commitment to fund it since.  So now we are 
 trying to deal with capacity (BYOD) issues that didn’t exist 5 years ago 
 while upgrading to 11ac.  Of course, it’s not a 1:1 swap of equipment since 
 we’d be migrating from 2.4GHz to 2.4+5GHz.  That puts the costs for forklift 
 upgrades pretty high (did I mention I’ve been unsuccessfully asking for 
 funding for 3 years?).
  
 I believe this can all best be summarized with a simple .. Oy.
  
 -Brian
  
  
  
  
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jerkan, Kristijan
 Sent: Sunday, May 03, 2015 12:34 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or 
 not to provide (wireless) service...
  
 As a public institution in the EDU sector we always had a byod policy in our 
 dorm network, specifically including „anything You want to connect to the 
 port in Your room“.
  
 Parameters: 
 -5k+ dorm rooms (1.8k the largest segment, 20 the smallest)
 -120km radius
 -at least one (mostly two) RJ45 port per room (cat5-7 to the switch, fiber 
 afterwards)
 -10/100MBit ports (deliberately did not go for 1GBit at the edge)
 -no additional accounting, just dhcp with opt82
 -public ips behind reflexive acl (no shaping, etc.)
 -uplink via the federal research network
 -service neutral (whoever wants to can use a DSL provider also/instead and 
 may use the inhouse cable from their basement to their room for it)
 -one service number (fixed number, forwarded to five cellphones – whoever 
 picks up first wins)
 -managed by ~10 students (pro bono, but with a couple of incentives)
  
 That being said, here are a few points why

Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-13 Thread Philippe Hanset
So the Cellular industry is having seminars and investing big on Wi-Fi offload 
and some schools are considering LTE offload,
what an irony. 

At the end of the day the cost of providing 1 byte over LTE is much higher than 
the cost of 1 byte over Wi-Fi.
(DAS, Microcell, MacroTower, all more expensive than Wi-Fi…and much more 
complicated as far as contracting is concerned)

Before doing anything I would first analyze the average monthly bandwidth need 
of a student and then do a comparison between
Wi-Fi cost over 5-8 years VS LTE cost (with comparable quality of service). 

And BTW, why do we all need to upgrade to 802.11ac? (802.11n  seems perfectly 
fine to me)
Because premature EOL is coming upon us?

On another note, having a low capacity/expensive Data Wireless in residence 
halls might have interesting side effects:

-Students will watch their shows in class rather than at night
-Students will start reading books again in their rooms
-Students will hang around campus late at night just to have Wi-Fi access (do 
you plan to shutdown campus Wi-Fi after hours ? ;-)
-Students will meet in hallways and talk to each other rather than using Social Media
-No need to filter peer-to-peer in residence halls, no one can afford to 
download anything

But here is my main concern…how will you enable eduroam on Cellular? ;-)

Philippe

Philippe Hanset
www.eduroam.us



 On May 13, 2015, at 9:24 AM, Brian Helman bhel...@salemstate.edu wrote:
 
 I have a little more information to provide now.  I absolutely appreciate 
 that it will be extremely tempting to respond with biased opinions.  I don’t 
 think there is anything that can be said that I haven’t already expressed to 
 my team.  However, that will not help me write up my recommendation.  So that 
 being said, feel free to chime in with tangible reasons to do this or not…
  
 Apparently, our president heard that some schools are investigating 
 purchasing bulk data contracts with mobile (“cellular”) carriers for data.  
 The idea is, we would stop providing 802.11g/n/ac wireless in the residence 
 halls and instead provide students with the abilities to register their 
 devices with the mobile carrier to use 4G/LTE data.  The University will pay 
 for this.
  
 Pros:
 No wireless (802.11) to purchase, support
 Reduced POE requirements on switches
 No wireless driver/configuration mismatches problems to support
  
 Cons:
 Is mobile wireless signal available everywhere inside the buildings?  Costs 
 to improve signal.
 What speeds are available (what range of speeds)?  Is it by user or aggregate?
 How is congestion handled?
 What devices – mobile phones only?  Hotspots to provide access to 
 non-cellular devices (e.g wifi-only tablets; laptops)
 More Ethernet ports needed for devices that previously depended on wireless
 What provider(s)?
 Support shifted from “device to institutional wifi” to “device to myfi” or 
 “device to 3rd party”
 Cost per user, per GB?  
  
 What else?
  
 If you know of any institutions who have attempted this (I have heard MIT is 
 looking at it, but we aren’t MIT), please let me know.
  
 By the way, the background here is .. we installed our 802.11n network ~5 
 years ago and haven’t had any commitment to fund it since.  So now we are 
 trying to deal with capacity (BYOD) issues that didn’t exist 5 years ago 
 while upgrading to 11ac.  Of course, it’s not a 1:1 swap of equipment since 
 we’d be migrating from 2.4GHz to 2.4+5GHz.  That puts the costs for forklift 
 upgrades pretty high (did I mention I’ve been unsuccessfully asking for 
 funding for 3 years?).
  
 I believe this can all best be summarized with a simple .. Oy.
  
 -Brian
  
  
  
  
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jerkan, Kristijan
 Sent: Sunday, May 03, 2015 12:34 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or 
 not to provide (wireless) service...
  
 As a public institution in the EDU sector we always had a byod policy in our 
 dorm network, specifically including „anything You want to connect to the 
 port in Your room“.
  
 Parameters: 
 -5k+ dorm rooms (1.8k the largest segment, 20 the smallest)
 -120km radius
 -at least one (mostly two) RJ45 port per room (cat5-7 to the switch, fiber 
 afterwards)
 -10/100MBit ports (deliberately did not go for 1GBit at the edge)
 -no additional accounting, just dhcp with opt82
 -public ips behind reflexive acl (no shaping, etc.)
 -uplink via the federal research network
 -service neutral (whoever wants to can use a DSL provider also/instead and 
 may use the inhouse cable from their basement to their room for it)
 -one service number (fixed number, forwarded to five cellphones – whoever 
 picks up first wins)
 -managed by ~10 students (pro bono, but with a couple of incentives)
  
 That being

Re: [WIRELESS-LAN] [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-13 Thread Philippe Hanset
Matthew,

I didn’t mean that 802.11ac is not better than 802.11n in many aspects, but 
more that many of us could live many more years with 802.11n
and be quite fine especially if cost is an issue.

Thanks,

Philippe

Philippe Hanset
www.anyroam.net



 On May 13, 2015, at 10:38 AM, Williams, Matthew mwill...@kent.edu wrote:
 
 Philippe, 
  
 I see value in 802.11ac running on 40MHz channels.  It still plays nice with 
 N and the performance, though negligible, is still better. 
  
 The biggest complaint that I have about AC is that management hears the sales 
 pitch about how awesome it is at 80MHz and how it will solve all of our 
 problems and they decree that it will be so.  In reality it will only make 
 things worse for us.  We still run APs down the hall at full power 
 (predecessor’s decision on the power) and we have an Airport less than 5 
 miles away.  We completed that phase of the upgrade in December… we’ve been 
 trying to fix problems ever since.  
  
 Just my 2 cents.
  
 Respectfully,
  
 Matthew Williams
 IT Manager, Wireless
 Kent State University
 Office: (330) 672-7246
 Mobile: (330) 469-0445
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
 Sent: Wednesday, May 13, 2015 10:21 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, 
 or not to provide (wireless) service...
  
 So the Cellular industry is having seminars and investing big on Wi-Fi 
 offload and some schools are considering LTE offload,
 what an irony. 
  
 At the end of the day the cost of providing 1 byte over LTE is much higher 
 than the cost of 1 byte over Wi-Fi.
 (DAS, Microcell, MacroTower, all more expensive than Wi-Fi…and much more 
 complicated as far as contracting is concerned)
  
 Before doing anything I would first analyze the average monthly bandwidth 
 need of a student and then do a comparison between
 Wi-Fi cost over 5-8 years VS LTE cost (with comparable quality of service). 
  
 And BTW, why do we all need to upgrade to 802.11ac? (802.11n  seems perfectly 
 fine to me)
 Because premature EOL is coming upon us?
  
 On another note, having a low capacity/expensive Data Wireless in residence 
 halls might have interesting side effects:
  
 -Students will watch their shows in class rather than at night
 -Students will start reading books again in their rooms
 -Students will hang around campus late at night just to have Wi-Fi access (do 
 you plan to shutdown campus Wi-Fi after hours ? ;-)
 -Students will meet in hallways and talk to each other rather than using Social 
 Media
 -No need to filter peer-to-peer in residence halls, no one can afford to 
 download anything
  
 But here is my main concern…how will you enable eduroam on Cellular? ;-)
  
 Philippe
  
 Philippe Hanset
 www.eduroam.us
  
  
  
 On May 13, 2015, at 9:24 AM, Brian Helman bhel...@salemstate.edu wrote:
  
 I have a little more information to provide now.  I absolutely appreciate 
 that it will be extremely tempting to respond with biased opinions.  I don’t 
 think there is anything that can be said that I haven’t already expressed to 
 my team.  However, that will not help me write up my recommendation.  So that 
 being said, feel free to chime in with tangible reasons to do this or not…
  
 Apparently, our president heard that some schools are investigating 
 purchasing bulk data contracts with mobile (“cellular”) carriers for data.  
 The idea is, we would stop providing 802.11g/n/ac wireless in the residence 
 halls and instead provide students with the abilities to register their 
 devices with the mobile carrier to use 4G/LTE data.  The University will pay 
 for this.
  
 Pros:
 No wireless (802.11) to purchase, support
 Reduced POE requirements on switches
 No wireless driver/configuration mismatches problems to support
  
 Cons:
 Is mobile wireless signal available everywhere inside the buildings?  Costs 
 to improve signal.
 What speeds are available (what range of speeds)?  Is it by user or aggregate?
 How is congestion handled?
 What devices – mobile phones only?  Hotspots to provide access to 
 non-cellular devices (e.g wifi-only tablets; laptops)
 More Ethernet ports needed for devices that previously depended on wireless
 What provider(s)?
 Support shifted from “device to institutional wifi” to “device to myfi” or 
 “device to 3rd party”
 Cost per user, per GB?  
  
 What else?
  
 If you know of any institutions who have attempted this (I have heard MIT is 
 looking at it, but we aren’t MIT), please let me know.
  
 By the way, the background here is .. we installed our 802.11n network ~5 
 years ago and haven’t had any commitment to fund it since.  So now we are 
 trying to deal with capacity (BYOD) issues that didn’t exist 5 years ago

Re: [WIRELESS-LAN] FW: [WIRELESS-LAN] Outdoor APs

2015-05-12 Thread Philippe Hanset
John,

It looks like if your University selected GlobalGreenLighting
you really don't have a choice as to which AP vendor you can use.

http://www.globalgreenlighting.com/technology

“To do this, we have merged cutting-edge, low-energy lighting with an 
industry-leading wireless control system”

So the Ruckus AP is actually a requirement.

Am I reading this wrong?

Philippe

Philippe Hanset
www.eduroam.us



 On May 12, 2015, at 1:54 PM, Howard, Christopher christopher-how...@utc.edu 
 wrote:
 
 They are based out of Chattanooga so of course we have had discussions with 
 them.  We decided against APs in lights for a number of reasons.  
 
 1. We are an Aruba shop.  We want a seamless roaming experience for our users 
 and feel that multiple vendor networks would hinder that.  We also have 1 
 wireless admin for the entire campus and don't have the manpower to manage a 
 separate wireless network.
 2. They wanted to put security cameras on the lights as well.  Since we use 
 separate vlans for cameras and APs, we would need a switch.  However, the 
 only switch they would put in the light was unmanageable.
 3. They didn't want to run cable from the lights back to our network and 
 instead wanted to use EPB (our local ISP) fiber to just give them an IP on 
 the internet and we could just open our firewall to let them in.
 
 Needless to say, our lights are strictly for lighting.
 
 Christopher Howard
 Senior Network Engineer
 University of Tennessee at Chattanooga
 
 Helping Students Achieve Excellence through Technology
 
 christopher-how...@utc.edu
 423-425-1773
 
 
 From: Watters, John john.watt...@ua.edu
 Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Date: Tuesday, May 12, 2015 at 12:53 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] FW: [WIRELESS-LAN] Outdoor APs
 
  
 I do have a number of Cisco 1142 APs that I could play with.
  
 I don't even see how any AP can be mounted in the glass globe. Surely they 
 are not just set inside leaning against the inside of the globe.
  
 Does anyone use exterior lighting by GlobalGreenLighting with wireless APs in 
 each device?
  
  
  
  
 -jcw  

 John Watters
 The University of Alabama
 Office of Information Technology
 205-348-3992
  
 From: Philippe Hanset [mailto:phan...@anyroam.net]
 Sent: Tuesday, May 12, 2015 11:43 AM
 To: Watters, John
 Subject: Re: [WIRELESS-LAN] Outdoor APs
  
 John,
  
 When I was at UTK we installed  APs outdoor in PVC electrical boxes in the 
 sun and they “survived”
 the elements for at least 4 years. We felt comfortable doing this because we 
 used recycled APs or “cheap APs” that would have
 not wasted State funds had it failed miserably. At least request from the 
 assistant CIO to stress test a unit before going in production.
  
 Don’t you have older 802.11n Cisco APs that you could use for a sample 
 configuration?
  
 Philippe
  
 Philippe Hanset
 www.anyroam.net
  
  
  
 On May 12, 2015, at 12:29 PM, Lee H Badman lhbad...@syr.edu wrote:
  
 I guess that would be my first concern- why mixing systems? Are the Ruckus 
 just supposed to be workgroup bridges in this case or actual client serving 
 APs? I'm guessing anything could be cobbed together, but this sounds wonky. 
 Also, heat has to be a concern in the light globe, no?
  
 Lee H. Badman
 Network Architect/Wireless TME
 ITS, Syracuse University
 315.443.3003
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of Watters, John 
 john.watt...@ua.edu
 Sent: Tuesday, May 12, 2015 12:23 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Outdoor APs
  
 No. We are a Cisco shop.
  
  
  
  
 -jcw  

 John Watters
 The University of Alabama
 Office of Information Technology
 205-348-3992
  
 From: The EDUCAUSE

Re: [WIRELESS-LAN] FW: [WIRELESS-LAN] Outdoor APs

2015-05-12 Thread Philippe Hanset
The documentation from the website mentions SENSUS USA, FCC-Licensed spectrum
At the same time, John Watters is being asked to investigate Ruckus APs 
Zoneflex T300 (mentioned in his original email) to be installed in LED lights.
In a second email from John the brand GlobalGreenLighting is being mentioned.

So the sentence “industry leading wireless control system” made me mix Ruckus 
and SENSUS USA.

But now I’m curious… is the whole lighting system wirelessly controlled by 
SENSUS USA and in addition
there is room to add Wi-Fi?  (Does it have to be Ruckus?)

Chris Howard, since you are in Chattanooga and so is GGL (and I’m at least 100 
miles away from you in Knoxville),
could you tell us more?

Sorry about this mess,

Philippe

Philippe Hanset
www.eduroam.us



 On May 12, 2015, at 2:42 PM, Jason Watts jwa...@pratt.edu wrote:
 
 
 On May 12, 2015, at 2:26 PM, Philippe Hanset phan...@anyroam.net wrote:
 
 John,
 
 It looks like if your University selected GlobalGreenLighting
 you really don't have a choice as to which AP vendor you can use.
 
 http://www.globalgreenlighting.com/technology
 
 “To do this, we have merged cutting-edge, low-energy lighting with an 
 industry-leading wireless control system”
 
 So the Ruckus AP is actually a requirement.
 
 Am I reading this wrong?
 
 Philippe,
 
 Where on the page you linked is Ruckus even mentioned? I read that page as 
 talking about the lighting control system which it says runs on a licensed 
 band using technology licensed from Sensus. Probably some lower frequency 
 non-wifi stuff. I don’t see Ruckus mentioned on that page unless I’m missing 
 something.
 
 Jason Watts | Senior Network Administrator
 
 PRATT INSTITUTE
 
 
 
 
 
 Philippe
 
 Philippe Hanset
 www.eduroam.us
 
 
 
 On May 12, 2015, at 1:54 PM, Howard, Christopher 
 christopher-how...@utc.edu wrote:
 
 They are based out of Chattanooga so of course we have had discussions with 
 them.  We decided against APs in lights for a number of reasons.  
 
 1. We are an Aruba shop.  We want a seamless roaming experience for our 
 users and feel that multiple vendor networks would hinder that.  We also 
 have 1 wireless admin for the entire campus and don't have the manpower to 
 manage a separate wireless network.
 2. They wanted to put security cameras on the lights as well.  Since we use 
 separate vlans for cameras and APs, we would need a switch.  However, the 
 only switch they would put in the light was unmanageable.
 3. They didn't want to run cable from the lights back to our network and 
 instead wanted to use EPB (our local ISP) fiber to just give them an IP on 
 the internet and we could just open our firewall to let them in.
 
 Needless to say, our lights are strictly for lighting.
 
 Christopher Howard
 Senior Network Engineer
 University of Tennessee at Chattanooga
 
 Helping Students Achieve Excellence through Technology
 
 christopher-how...@utc.edu
 423-425-1773
 
 
 From: Watters, John john.watt...@ua.edu
 Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Date: Tuesday, May 12, 2015 at 12:53 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] FW: [WIRELESS-LAN] Outdoor APs
 
  
 I do have a number of Cisco 1142 APs that I could play with.
  
 I don't even see how any AP can be mounted in the glass globe. Surely they 
 are not just set inside leaning against the inside of the globe.
  
 Does anyone use exterior lighting by GlobalGreenLighting with wireless APs 
 in each device?
  
  
  
  
 -jcw

 John Watters
 The University of Alabama
 Office of Information Technology
 205-348-3992
  
 From: Philippe Hanset [mailto:phan...@anyroam.net]
 Sent: Tuesday, May 12, 2015 11:43 AM
 To: Watters, John
 Subject: Re: [WIRELESS-LAN] Outdoor APs
  
 John,
  
 When I was at UTK we installed  APs outdoor in PVC electrical boxes in the 
 sun and they “survived”
 the elements for at least 4 years. We felt comfortable doing this because 
 we used recycled APs or “cheap APs” that would have
 not wasted State funds had it failed miserably. At least request from the 
 assistant CIO to stress test a unit before going in production.
  
 Don’t you have older 802.11n Cisco APs that you could use for a sample 
 configuration

Re: [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-01 Thread Philippe Hanset
 
  
 -No institutional wireless.  Let the students bring in their own AP’s


Assuming that you still mean “in the dorms”, I highly advise against that. We 
used to have institutional Wi-Fi
on campus (Univ. of TN, Knoxville) and none in the res halls … a support 
nightmare because students will still call your help desk…
in the end you are still the one providing the network port, so they will call 
you even if their Wi-Fi doesn’t work.

 -Some kind of managed service (wireless as a service) with 802.11

If your school doesn’t have the initial capital to upgrade, that is not a bad 
idea. But it is still more expensive (long term) than managing the Wi-Fi 
yourself,
unless you have difficulties finding Network Engineers with Wi-Fi in their 
resumé.

 -Some kind of institutionally owned/leased mobile wireless (e.g we provide 
 our own 4G)

Two things to worry about: Data Quota, coverage in buildings

I actually do that to my kids at home when they tend to watch too much 
multimedia…they have their own LTE/4G quota
and I block their devices on the home Wi-Fi when it gets out of hand. It 
actually works because they prefer to keep their data quota for Social Media 
Related traffic
rather than videos. Would it work at the scale of a school? 

A major drawback: If your rental properties don’t provide adequate Internet 
Access, you might experience a drop in rentals.



 -Hybrid

What hybrid are you thinking about? A Prius?


 -Continue with 802.11n 2.4GHz and fill in holes as they pop up

Do you have problems with the current state of the network? Is your community 
not satisfied?
Could you enable filters to limit Wireless Bandwidth hogs?
Can you live another 2 years and patch during that period, then upgrade ?


And finally:
I now have a rising College Freshman and I’m offended by the current cost of 
college
(yes, having to look now at the other side of the fence is enlightening).
No matter what, please find a solution that will help reduce tuition ;-)

Philippe

Philippe Hanset
www.eduroam.us


  
 I’m not going to put my thoughts up here just yet.  These are the 
 options/thoughts as presented by the levels above me.
  
 Let the discussion begin….
  
  
  
  
 
 Brian Helman, M.Ed |  Director, ITS/Networking Services | 978.542.7272
 Salem State University, 352 Lafayette St., Salem Massachusetts 01970
 GPS: 42.502129, -70.894779
  
 ** Participation and subscription information for this EDUCAUSE 
 Constituent Group discussion list can be found at 
 http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Outdoor wireless emergency VoIP phone recommendation

2015-04-22 Thread Philippe Hanset
About four years ago, the IT department at UTK was asked to provide temporary 
Wi-Fi outdoor coverage
in a parking lot to support online payments for the Volapalooza event!
The cost of an outdoor rated AP was a definite show stopper for the student 
committee’s budget.
So we improvised a PVC electric box completely sealed and we stuck an Aruba 
AP-105 in it connected with Cat5, thinking that
it would last for the weekend and perish from its natural electronic death 
during the summer from extreme temperatures (the box is exposed to the sun
from about 10 am till 1 pm). It was an experiment. We don’t have the extreme 
temperatures of Houston, but Knoxville-TN does have its fair share of extreme 
temperatures.
I pass by the AP on a regular basis, and it’s still spewing 802.11 frames at a 
decent rate! A testimony to the resilience of electronics!


Philippe Hanset
www.anyroam.net



 On Apr 22, 2015, at 9:09 AM, Danny Eaton dannyea...@rice.edu wrote:
 
 A few years ago we looked into putting APs either on top, or just inside the 
 Code Blue phones with external antennas – the problem we had was that the 
 APs, with a NEMA rated box would be U-G-L-Y on top of the pole, and if inside 
 the pole with external antennas the temperature, humidity and rainfall here 
 in Houston would have them lasting not very long.
 
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
 Sent: Tuesday, April 21, 2015 8:40 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Outdoor wireless emergency VoIP phone 
 recommendation
 
 We'll be on this path shortly as we are currently replacing our MD110 with 
 Cisco CUCM. Personally I would stay away from wireless for emergency phones 
 as you are bringing in more points of failure and not to mention unlicensed 
 spectrum for emergencies. Plus you’ll need power to these points unless you 
 want to rely on battery/solar…. Which again seems risky for emergencies.  
 
 Our plan has been to either keep an MD110 unit in place (at least on the main 
 campus) and/or use the cisco voice gateways or ATAs, and/or bring in PSTN’s 
 directly from a provider. It will depend on cons/pros and costs once we start 
 designing that part. Though I think Philippe’s comment below is pretty 
 interesting (or awesome), get it cabled with cat 5/6 and install a wireless 
 AP, for the phone either wired VOIP or an extra cable for an analogue service.
 
 
 --
 Jason Cook
 The University of Adelaide, AUSTRALIA 5005
 Ph: +61 8 8313 4800
 

Re: [WIRELESS-LAN] Outdoor wireless emergency VoIP phone recommendation

2015-04-21 Thread Philippe Hanset
University of Tennessee, Knoxville has more than 60 of these code blue phones 
all over campus.
I always thought “Too bad we didn’t synchronize an effort with the Telephone 
Services Department
to locate outdoor Wi-Fi in it”. Those emergency phones have power and cat5 
running to them!

Philippe Hanset
www.eduroam.us



 On Apr 21, 2015, at 12:16 PM, Aaron Lamey ala...@cbu.edu wrote:
 
 I use analog products from this company:
 
 http://codeblue.com/solution/help-points/
 
 They have some wireless SIP ones, but I’ve never used one. Has anyone on the 
 list ever used their SIP products with Cisco CallManager?
 
 Aaron Lamey
 Director of Network and Telecommunications
 Christian Brothers University
 650 East Parkway South
 Memphis, TN  38104
 
 (901) 321- 3480
 ala...@cbu.edu
 www.cbu.edu
 
 
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
 Sent: Tuesday, April 21, 2015 11:06 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Outdoor wireless emergency VoIP phone recommendation
 
 Hello,
 
 I am looking for recommendations to replace our aging outdoor emergency 
 phones. Ideally, I am looking for a wireless (Wi-Fi based) outdoor emergency 
 VoIP phone to replace our very old landline based outdoor phones. My initial 
 research has not produced any good candidates yet. As well, I was wondering if 
 anyone has successfully deployed such a system at their location? Any 
 feedback would be very much appreciated.
 
 We use Aruba APs and Cisco Call Manager in our network.
 
 Regards,
 Edward Ip | ITS | Wireless Systems Administrator
 613 727 4723 | ext 7112
 Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | 
 K2G 1V8 | Canada
 www.algonquincollege.com
 


Re: [WIRELESS-LAN] HP is reportedly trying to buy Aruba Networks

2015-02-26 Thread Philippe Hanset
HP already acquired Colubris back in 2008…they have Wi-Fi.
I would say that it is the entire ecosystem that they care about!
(Airwave, ClearPass, ….)

Could be exciting for the switch business too (HP switches are affordable…if 
you add the Aruba software it becomes a nice integrated system)

Compete with Cisco all the way!

Philippe Hanset
www.eduroam.us



 On Feb 26, 2015, at 3:44 PM, Frank Sweetser f...@wpi.edu wrote:
 
 On 02/26/2015 02:23 PM, Thomas Carter wrote:
 I kept telling our Dell reps that Dell needs to buy into wireless and grab
 Aerohive or Ruckus. They would just mention the Aruba deal; we’ll see what
 happens with that.
 
 I do think this can be good for Aruba. I see it as this – Cisco is a company
 that does $50B revenue annually and spends $6B in R&D. I know that’s not all
 wireless, but Aruba has $725M annual revenue with $170M R&D. They need the
 financial backing to stay in second and maybe close the gap on Cisco. If
 integrated well, HP could have a compelling package with ProCurve and Aruba
 all managed under AirWave with some magic SDN sprinkled in there somewhere.
 
 But Aruba already has their own package with their MAS switches!
 
 My biggest fear is that HP is buying Aruba the wireless company, not Aruba 
 the client access company.  This would lead them to keeping the APs and 
 controllers, while putting all of the rest of the goodies that led us to 
 selecting them (Clearpass, Airwave's cross vendor capabilities, their 
 switches) in jeopardy of either being tossed outright or left hanging around 
 atrophying.
 
 --
 Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
 Manager of Network Operations   |  is simple, elegant, and wrong.
 Worcester Polytechnic Institute |   - HL Mencken
 


LTE-LAA...anyone?

2015-02-24 Thread Philippe Hanset
We could have dreamed that 5 GHz was this “clean” spectrum that all our users 
were going to move to and simplify our life a bit!

but wait...

the carriers have decided that they could use it too (ever heard of LTE-LAA?)

Why would carriers stay in their contained and expensive Licensed Spectrum when 
they could use the Unlicensed one…

https://gigaom.com/2015/01/05/ericsson-unleashes-lte-over-the-wi-fi-airwaves/

The theory is that LTE-LAA will play nice with Wi-Fi …. in theory!

Can you hear the pitch already?
Hello Mr CIO, we can take care of all your Wi-Fi needs for campus with a very 
reliable technology.
No upfront cost to you, no Help Desk to deal with. Just a minimal monthly fee 
for all your users that
are already our customers anyway. And we deal with DMCA...

LTE-LAA sounds like that very polite good looking neighbor that moves next door 
and that eventually steals your spouse!

Philippe

Philippe Hanset
www.anyroam.net






Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention

2015-01-23 Thread Philippe Hanset
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

read about UNAUTH-TLS …

Philippe Hanset
www.anyroam.net



 On Jan 23, 2015, at 3:30 PM, Frank Bulk frnk...@iname.com wrote:
 
 Isn’t the certificates thing being described something like EAP-TLS?
 
 Frank
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
 Sent: Friday, January 23, 2015 12:10 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention
 
 Excellent thoughts, Joel. As I mentioned- the new certifications notion was 
 AN idea, not the solution to a hyper-complex problem. But your suggestion is 
 really interesting and sounds reasonable and powerful.
 
 Lee Badman
 Wireless/Network Architect
 ITS, Syracuse University
 315.443.3003
 (Blog: http://wirednot.wordpress.com/)
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel
 Sent: Friday, January 23, 2015 12:55 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention
 
  does the enterprise wlan market need to figure out how to look more like a 
  consumer wlan? Is this a problem EDU's have created because of some desire 
  to provide a service that's more complex or invasive to use than it has to 
  be? Is there really a need to on-board devices and have them associate 
  using WPA2 Ent, or could we support the bulk of our users (especially 
  students) using something more consumer friendly?
 
 THIS. For a few years now I've been wishing for an encrypted wifi offering 
 that works much more like SSL does on the web. Divorce the encryption 
 features currently in .1x from the authentication/authorization parts. Let me buy 
 a certificate from someone like VeriSign or Digicert that everybody already 
 trusts, deploy it to my APs or controller, and if you trust them, you can 
 get an encrypted connection without needing to do anything different than if 
 you were using a public hotspot. It needs to be just that easy for end users. 
 No enrollment, no pre-shared key, nothing. All of the other 
 authorization/authentication things that I want to do (or not do, depending 
 on things like subnet, MAC/ACL list, etc) can be handled after the wifi link 
 terminates at the controller or AP.
 
 This is where the WiFi Alliance has the potential to help things. They can 
 push for inclusion of this ability in the 802.11 standard, and they can push 
 device makers to have better support for it. Their pull may be reduced or 
 wifi's early years, but it's not gone yet.
 
 
 
 
 Joel Coehoorn
 Director of Information Technology
 402.363.5603
 jcoeho...@york.edu
 The mission of York College is to transform lives through Christ-centered 
 education and to equip students for lifelong service to God, family, and 
 society
 
 On Fri, Jan 23, 2015 at 11:39 AM, Jeffrey Sessler j...@scrippscollege.edu 
 wrote:
 I don't know Lee, in my mind is it the device maker's requirements to work in 
 both consumer and enterprise environment, or does the enterprise wlan market 
 need to figure out how to look more like a consumer wlan? Is this a problem 
 EDU's have created because of some desire to provide a service that's more 
 complex or invasive to use than it has to be? Is there really a need to 
 on-board devices and have them associate using WPA2 Ent, or could we support 
 the bulk of our users (especially students) using something more consumer 
 friendly?
 
 Take residential (dorm) wifi as an example. If you had a model with an open 
 or PSK-emulated wireless network coupled with location-based service 
 filtering, the user gets on with every device out there, and they can see 
 their chromecast, appletv, etc. and any others on that AP or 1 adjacent. 
 Pretty much gives you the consumer feel.
 
 Jeff
 
 
  On Thursday, January 22, 2015 at 11:47 AM, in message 
  432756068f5346b59e108b825efca...@ex13-mbx-10.ad.syr.edu, Lee H 
  Badman lhbad...@syr.edu wrote:
 I know self-promotion is in poor taste, but wanted to share this
 
 
 
 http://www.networkcomputing.com/wireless-infrastructure/the-case-for-wlan-interoperability/a/d-id/1318718?
 
 
 
 and encourage anyone of like (or opposing) mind to add comments. I'm told 
 that the Alliance is at least reading along, FWIW.
 
 
 
 -Lee
 
 
 
 Lee H. Badman
